-these were the
- Kerberos Version 5, Release 1.2
+ Kerberos Version 5, Release 1.3.1
Release Notes
-which are be updated for the next release by
The MIT Kerberos Team
Unpacking the Source Distribution
---------------------------------
-The source distribution of Kerberos 5 comes in three gzipped tarfiles,
-krb5-1.2.src.tar.gz, krb5-1.2.doc.tar.gz, and krb5-1.2.crypto.tar.gz.
-The krb5-1.2.doc.tar.gz contains the doc/ directory and this README
-file. The krb5-1.2.src.tar.gz contains the src/ directory and this
-README file, except for the crypto library sources, which are in
-krb5-1.2.crypto.tar.gz.
-
-Instruction on how to extract the entire distribution follow. These
-directions assume that you want to extract into a directory called
-DIST.
+The source distribution of Kerberos 5 comes in a gzipped tarfile,
+krb5-1.3.1.tar.gz. Instructions on how to extract the entire
+distribution follow.
If you have the GNU tar program and gzip installed, you can simply do:
- mkdir DIST
- cd DIST
- gtar zxpf krb5-1.2.src.tar.gz
- gtar zxpf krb5-1.2.crypto.tar.gz
- gtar zxpf krb5-1.2.doc.tar.gz
+ gtar zxpf krb5-1.3.1.tar.gz
If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:
- mkdir DIST
- cd DIST
- gzcat krb5-1.2.src.tar.gz | tar xpf -
- gzcat krb5-1.2.crypto.tar.gz | tar xpf -
- gzcat krb5-1.2.doc.tar.gz | tar xpf -
+ gzcat krb5-1.3.1.tar.gz | tar xpf -
-Both of these methods will extract the sources into DIST/krb5-1.2/src
-and the documentation into DIST/krb5-1.2/doc.
+Both of these methods will extract the sources into krb5-1.3.1/src and
+the documentation into krb5-1.3.1/doc.
Building and Installing Kerberos 5
----------------------------------
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.
+You may view bug reports by visiting
+
+http://krbdev.mit.edu/rt/
+
+and logging in as "guest" with password "guest".
+
+Notes, Major Changes, and Known Bugs for 1.3.1
+----------------------------------------------
+
+* [1681] The incorrect encoding of the ETYPE-INFO2 preauthentication
+ hint is no longer emitted, and the both the incorrect and the
+ correct encodings of ETYPE-INFO2 are now accepted. We STRONGLY
+ encourage deploying krb5-1.3.1 in preference to 1.3, especially on
+ client installations, as the 1.3 release did not conform to the
+ internet-draft for the revised Kerberos protocol in its encoding of
+ ETYPE-INFO2.
+
+* [1683] The non-caching getaddrinfo() API on Mac OS X, which was
+ causing significant slowdowns under some circumstances, has been
+ worked around.
+
+Minor changes in 1.3.1
+----------------------
+
+* [1015] gss_accept_sec_context() now passes correct arguments to
+ TREAD_STR() when reading options beyond the forwarded credential
+ option. Thanks to Emily Ratliff.
+
+* [1365] The GSSAPI initiator credentials are no longer cached inside
+ the GSSAPI library.
+
+* [1651] A buffer overflow in krb_get_admhst() has been fixed.
+
+* [1655] krb5_get_permitted_enctypes() and krb5_set_real_time() are
+ now exported for use by Samba.
+
+* [1656] gss_init_sec_context() no longer leaks credentials under some
+ error conditions.
+
+* [1657] krb_get_lrealm() no longer returns "ATHENA.MIT.EDU"
+ inappropriately.
+
+* [1664] The crypto library no longer has bogus dependencies on
+ com_err.
+
+* [1665] krb5_init_context() no longer multiply registers error tables
+ when called more than once, preventing a memory leak.
+
+* [1666] The GSS_C_NT_* symbols are now exported from gssapi32.dll on
+ Windows.
+
+* [1667] ms2mit now imports any tickets with supported enctypes, and
+ does not import invalid tickets.
+
+* [1677] krb5_gss_register_acceptor_identity() no longer has an
+ off-by-one in its memory allocation.
+
+* [1679] krb5_principal2salt is now exported on all platforms.
+
+* [1684] The file credentials cache is now supported if USE_CCAPI is
+ defined, i.e., for KfM and KfW.
+
+* [1691] Documentation for the obsolete kdc_supported_enctypes config
+ variable has been removed.
+
Notes, Major Changes, and Known Bugs for 1.3
-------------------------------------
+--------------------------------------------
* We now install the compile_et program, so other packages can use the
installed com_err library with their own error tables. (If you use
that will probably frustrate any attempts to run this code under SunOS
4 or other pre-C89 systems.
-* Some new code, bug fixes, and cleanup for IPv6 support. [[TODO:
- Insert list of (non-)supporting programs and libraries here.]]
+* Some new code, bug fixes, and cleanup for IPv6 support. Most of the
+ code should support IPv6 transparently now. The RPC code (and
+ therefore the admin system, which is based on it) does not yet
+ support IPv6. The support for Kerberos 4 may work with IPv6 in very
+ limited ways, if the address checking is turned off. The FTP client
+ and server do not have support for the new protocol messages needed
+ for IPv6 support (RFC 2428).
* We have upgraded to autoconf 2.52 (or later), and the syntax for
specifying certain configuration options have changed. For example,
may be necessary when talking to Microsoft KDCs (domain controllers),
if they issue you tickets with lots of PAC data.
-* If you have versions of the com_err, ss, or Berkeley DB packages
- installed locally, you can use the --with-system-et,
- --with-system-ss, and --with-system-db configure options to use them
- rather than using the versions supplied here. Note that the
- interfaces are assumed to be similar to those we supply; in
+* If you have versions of the com_err or ss installed locally, you can
+ use the --with-system-et and --with-system-ss configure options to
+ use them rather than using the versions supplied here. Note that
+ the interfaces are assumed to be similar to those we supply; in
particular, some older, divergent versions of the com_err library
may not work with the krb5 sources. Many configure-time variables
can be used to help the compiler and linker find the installed
packages; see the build documentation for details.
-Notes, Major Changes, and Known Bugs for 1.2, delete before shipping 1.3
-------------------------------------
-
-* Triple DES support, for session keys as well as user or service
- keys, should be nearly complete in this release. Much of the work
- that has been needed is generic multiple-cryptosystem support, so
- the addition of another cryptosystem should be much easier.
-
- * GSSAPI support for 3DES has been added. An Internet Draft is
- being worked on that will describe how this works; it is not
- currently standardized. Some backwards-compatibility issues in
- this area mean that enabling 3DES support must be done with
- caution; service keys that are used for GSSAPI must not be updated
- to 3DES until the services themselves are upgraded to support 3DES
- under GSSAPI.
-
-* DNS support for locating KDCs is enabled by default. DNS support
- for looking up the realm of a host is compiled in but disabled by
- default (due to some concerns with DNS spoofing).
-
- We recommend that you publish your KDC information through DNS even
- if you intend to rely on config files at your own site; otherwise,
- sites that wish to communicate with you will have to keep their
- config files updated with your information. One of the goals of
- this code is to reduce the client-side configuration maintenance
- requirements as much as is possible, without compromising security.
-
- See the administrator's guide for information on setting up DNS
- information for your realm.
-
- One important effect of this for developers is that on many systems,
- "-lresolv" must be added to the compiler command line when linking
- Kerberos programs.
-
- Configure-time options are available to control the inclusion of the
- DNS code and the setting of the defaults. Entries in krb5.conf will
- also modify the behavior if the code has been compiled in.
-
-* Numerous buffer-overrun problems have been found and fixed. Many of
- these were in locations we don't expect can be exploited in any
- useful way (for example, overrunning a buffer of MAXPATHLEN bytes if
- a compiled-in pathname is too long, in a program that has no special
- privileges). It may be possible to exploit a few of these to
- compromise system security.
-
-* Partial support for IPv6 addresses has been added. It can be
- enabled or disabled at configure time with --enable-ipv6 or
- --disable-ipv6; by default, the configure script will search for
- certain types and macros, and enable the IPv6 code if they're found.
- The IPv6 support at this time mostly consists of including the
- addresses in credentials.
-
-* A protocol change has been made to the "rcmd" suite (rlogin, rsh,
- rcp) to address several security problems described in Kris
- Hildrum's paper presented at NDSS 2000. New command-line options
- have been added to control the selection of protocol, since the
- revised protocol is not compatible with the old one.
-
-* A security problem in login.krb5 has been fixed. This problem was
- only present if the krb4 compatibility code was not compiled in.
-
-* A security problem with ftpd has been fixed. An error in the in the
- yacc grammar permitted potential root access.
-
-* The client programs kinit, klist and kdestroy have been changed to
- incorporate krb4 support. New command-line options control whether
- krb4 behavior, krb5 behavior, or both are used.
-
-* Patches from Frank Cusack for much better hardware preauth support
- have been incorporated.
-
-* Patches from Matt Crawford extend the kadmin ACL syntax so that
- restrictions can be imposed on what certain administrators may do to
- certain accounts.
-
-* A KDC on a host with multiple network addresses will now respond to
- a client from the address that the client used to contact it. The
- means used to implement this will however cause the KDC not to
- listen on network addresses configured after the KDC has started.
-
-Minor changes
--------------
-
-* New software using com_err should use the {add,remove}_error_table
- interface rather than init_XXX_error_table; in fact, the latter
- function in the generate C files will now call add_error_table
- instead of messing with unprotected global variables.
-
- Karl Ramm has offered to look into reconciling the various
- extensions and changes that have been made in different versions of
- the MIT library, and the API used in the Heimdal equivalent. No
- timeline is set for this work.
-
-* Some source files (including some header files we install) now have
- annotations for use with the LCLint package from the University of
- Virginia. LCLint, as of version 2.5q, is not capable of handling
- much of the Kerberos code in its current form, at least not without
- significantly restructuring the Kerberos code, but it has been used
- in limited cases and has uncovered some bugs. We may try adding
- more annotations in the future.
-
-Minor changes for 1.2, delete this section before shipping 1.3
--------------
-
-* The shell code for searching for the Tcl package at configure time
- has been modified. If a tclConfig.sh can be found, the information
- it contains is used, otherwise the old searching method is tried.
- Let us know if this new scheme causes any problems.
-
-* Shared library builds may work on HPUX, Rhapsody/MacOS X, and newer
- Alpha systems now.
-
-* The Windows build will now include kvno and gss-sample.
-
-* The routine krb5_secure_config_files has been disabled. A new
- routine, krb5_init_secure_context, has been added in its place.
-
-* The routine decode_krb5_ticket is now being exported as
- krb5_decode_ticket. Any programs that used the old name (which
- should be few) should be changed to use the new name; we will
- probably eliminate the old name in the future.
-
-* The CCAPI-based credentials cache code has been changed to store the
- local-clock time of issue and expiration rather than the KDC-clock
- times.
-
-* On systems with large numbers of IP addresses, "kinit" should do a
- better job of acquiring those addresses to put in the user's
- credentials.
-
-* Several memory leaks in error cases in the gssrpc code have been
- fixed.
+* The AES cryptosystem has been implemented. However, support in the
+ Kerberos GSSAPI mechanism has not been written (or even fully
+ specified), so it's not fully enabled. See the documentation for
+ details.
+
+Major changes listed by ticket ID
+---------------------------------
+
+* [492] PRNG breakage on 64-bit platforms no longer an issue due to
+ new PRNG implementation.
+
+* [523] Client library is now compatible with the RC4-based
+ cryptosystem used by Windows 2000.
+
+* [709] krb4 long lifetime support has been implemented.
+
+* [880] krb5_gss_register_acceptor_identity() implemented (is called
+ gsskrb5_register_acceptor_identity() by Heimdal).
+
+* [1087] ftpd no longer requires channel bindings, allowing easier use
+ of ftp from behind a NAT.
+
+* [1156, 1209] It is now possible to use the system com_err to build
+ this release.
+
+* [1174] TCP support added to client library.
+
+* [1175] TCP support added to the KDC, but is disabled by default.
+
+* [1176] autoconf-2.5x is now required by the build system.
+
+* [1184] It is now possible to use the system Berkeley/Sleepycat DB
+ library to build this release.
+
+* [1189, 1251] The KfM krb4 library source base has been merged.
+
+* [1190] The default KDC master key type is now triple-DES. KDCs
+ being updated may need their config files updated if they are not
+ already specifying the master key type.
+
+* [1190] The default ticket lifetime and default maximum renewable
+ ticket lifetime have been extended to one day and one week,
+ respectively.
+
+* [1191] A new script, k5srvutil, may be used to manipulate keytabs in
+ ways similar to the krb4 ksrvutil utility.
+
+* [1281] The "fakeka" program, which emulates the AFS kaserver, has
+ been integrated. Thanks to Ken Hornstein.
+
+* [1343] The KDC now defaults to not answering krb4 requests.
+
+* [1344] Addressless tickets are requested by default now.
+
+* [1372] There is no longer a need to create a special keytab for
+ kadmind. The legacy administration daemons "kadmind4" and
+ "v5passwdd" will still require a keytab, though.
+
+* [1377, 1442, 1443] The Microsoft set-password protocol has been
+ implemented. Thanks to Paul Nelson.
+
+* [1385, 1395, 1410] The krb4 protocol vulnerabilities
+ [MITKRB5-SA-2003-004] have been worked around. Note that this will
+ disable krb4 cross-realm functionality, as well as krb4 triple-DES
+ functionality. Please see doc/krb4-xrealm.txt for details of the
+ patch.
-* A bug with login clobbering some internal static storage on AIX has
+* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
been fixed.
-* Per-library initialization and cleanup functions have been added,
- for use in configurations that dynamically load and unload these
- libraries.
+* [1397] The krb5_principal buffer bounds problems
+ [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai.
+
+* [1415] Subsession key negotiation has been fixed to allow for
+ server-selected subsession keys in the future.
+
+* [1418, 1429, 1446, 1484, 1486, 1487, 1535, 1621] The AES
+ cryptosystem has been implemented. It is not usable for GSSAPI,
+ though.
+
+* [1491] The client-side functionality of the krb524 library has been
+ moved into the krb5 library.
+
+* [1550] SRV record support exists for Kerberos v4.
+
+* [1551] The heuristic for locating the Kerberos v4 KDC by prepending
+ "kerberos." to the realm name if no config file or DNS information
+ is available has been removed.
+
+* [1568, 1067] A krb524 stub library is built on Windows.
+
+Minor changes listed by ticket ID
+---------------------------------
+
+* [90] default_principal_flags documented.
+
+* [175] Docs refer to appropriate example domains/IPs now.
+
+* [299] kadmin no longer complains about missing kdc.conf parameters
+ when it really means krb5.conf parameters.
+
+* [318] Run-time load path for tcl is set now when linking test
+ programs.
+
+* [443] --includedir honored now.
+
+* [479] unused argument in try_krb4() in login.c deleted.
+
+* [590] The des_read_pw_string() function in libdes425 has been
+ aligned with the original krb4 and CNS APIs.
+
+* [608] login.krb5 handles SIGHUP more sanely now and thus avoids
+ getting the session into a weird state w.r.t. job control.
+
+* [620] krb4 encrypted rcp should work a little better now. Thanks to
+ Greg Hudson.
+
+* [647] libtelnet/kerberos5.c no longer uses internal include files.
+
+* [673] Weird echoing of admin password in kadmin client worked around
+ by not using buffered stdio calls to read passwords.
+
+* [677] The build system has been reworked to allow the user to set
+ CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably.
+
+* [680] Related to [673], rewrite krb5_prompter_posix() to no longer
+ use longjmp(), thus avoiding some bugs relating to non-restoration
+ of terminal settings.
+
+* [697] login.krb5 no longer zeroes out the terminal window size.
+
+* [710] decomp_ticket() in libkrb4 now looks up the local realm name
+ more correctly. Thanks to Booker Bense.
+
+* [771] .rconf files are excluded from the release now.
+
+* [772] LOG_AUTHPRIV syslog facility is now usable for logging on
+ systems that support it.
+
+* [844] krshd now syslogs using the LOG_AUTH facility.
+
+* [850] Berekely DB build is better integrated into the krb5 library
+ build process.
+
+* [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source
+ for local address enumeration now.
+
+* [882] gss-client now correctly deletes the context on error.
+
+* [919] kdc/network.c problems relating to SIOCGIFCONF have been
+ fixed.
+
+* [922] An overflow in the string-to-time conversion routines has been
+ fixed.
+
+* [933] krb524d now handles single-DES session keys other than of type
+ des-cbc-crc.
+
+* [935] des-cbc-md4 now included in default enctypes.
+
+* [939] A minor grammatical error has been fixed in a telnet client
+ error message.
+
+* [953] des3 no longer failing on Windows due to SHA1 implementation
+ problems.
+
+* [964] kdb_init_hist() no longer fails if master_key_enctype is not
+ in supported_enctypes.
+
+* [970] A minor inconsistency in ccache.tex has been fixed.
+
+* [971] option parsing bugs rendered irrelevant by removal of unused
+ gss mechanism.
+
+* [976] make install mentioned in build documentation.
+
+* [986] Related to [677], problems with the ordering of LDFLAGS
+ initialization rendered irrelevant by use of native autoconf
+ idioms.
+
+* [992] Related to [677], quirks with --with-cc no longer relevant as
+ AC_PROG_CC is used instead now.
+
+* [999] The kdc_default_options configuration variable is now honored.
+ Thanks to Emily Ratliff.
+
+* [1006] Client library, as well as KDC, now perform reasonable
+ sorting of ETYPE-INFO preauthentication data.
-* Many compile-time warnings have been fixed.
+* [1055] NULL pointer dereferences in code calling
+ krb5_change_password() have been fixed.
-* The GSS sample programs have been updated to exercise more of the
- API.
+* [1063] Initial credentials acquisition failures related to client
+ host having a large number of local network interfaces should be
+ fixed now.
-* The telnet server should produce a more meaningful error message if
- authentication is required but not provided.
+* [1064] Incorrect option parsing in the gssapi library is no longer
+ relevant due to removal of the "v2" mechanism.
-* Changes have been made to ksu to make it more difficult to use it to
- leak information the user does not have access to.
+* [1065, 1225] krb5_get_init_creds_password() should properly warn about
+ password expiration.
-* The sample config file information for the CYGNUS.COM realm has been
- updated, and the GNU.ORG realm has been added.
+* [1066] printf() argument mismatches in rpc unit tests fixed.
-* A configure-time option has been added to enable a replay cache in
- the KDC. We recommend its use when hardware preauthentication is
- being used. It is enabled by default, and can be disabled if
- desired with the configure-time option --disable-kdc-replay-cache.
+* [1085] The krb5.conf manpage has been re-synchronized with other
+ documentation.
-* Some new routines have been added to the library and krb5.h.
+* [1102] gssapi_generic.h should now work with C++.
-* A new routine has been added to the prompter interface to allow the
- application to determine which of the strings prompted for is the
- user's password, in case it is needed for other purposes.
+* [1135] The kadm5 ACL system is better documented.
-* The remote kadmin interface has been enhanced to support the
- specification of key/salt types for a principal.
+* [1136] Some documentation for the setup of cross-realm
+ authentication has been added.
-* New keytab entries' key values can now be specified manually with a
- new command in the ktutil program.
+* [1164] krb5_auth_con_gen_addrs() now properly returns errno instead
+ of -1 if getpeername() fails.
-* A longstanding bug where certain krb4 exchanges using the
- compatibility library between systems with different byte orders
- would fail half the time has been fixed.
+* [1173] Address-less forwardable tickets will remain address-less
+ when forwarded.
-* A source file under the GPL has been replaced with an equivalent
- under the BSD license. The file, strftime.c, was part of one of the
- OpenVision admin system applications, and was only used on systems
- that don't have strftime() in their C libraries.
+* [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized
+ somewhat.
-* Many bug reports are still outstanding in our database. We are
- continuing to work on this backlog.
+* [1188] As part of the modernization of our usage of autoconf,
+ AC_CONFIG_FILES is now used instead of passing a list of files to
+ AC_OUTPUT.
+* [1194] configure will no longer recurse out of the top of the source
+ tree when attempting to locate the top of the source tree.
+
+* [1192] Documentation for the krb5 afs functionality of krb524d has
+ been written.
+
+* [1195] Example krb5.conf file modified to include all enctypes
+ supported by the release.
+
+* [1202] The KDC no longer rejects unrecognized flags.
+
+* [1203] krb5_get_init_creds_keytab() no longer does a double-free.
+
+* [1211] The ASN.1 code no longer passes (harmless) uninitialized
+ values around.
+
+* [1212] libkadm5 now allows for persistent exclusive database locks.
+
+* [1217] krb5_read_password() and des_read_password() are now
+ implemented via krb5_prompter_posix().
+
+* [1224] For SAM challenges, omitted optional strings are no longer
+ encoded as zero-length strings.
+
+* [1226] Client-side support for SAM hardware-based preauth
+ implemented.
+
+* [1229] The keytab search logic no longer fails prematurely if an
+ incorrect encryption type is found. Thanks to Wyllys Ingersoll.
+
+* [1232] If the master KDC cannot be resolved, but a slave is
+ reachable, the client library now returns the real error from the
+ slave rather than the resolution failure from the master. Thanks to
+ Ben Cox.
+
+* [1234] Assigned numbers for SAM preauth have been corrected.
+ sam-pk-for-sad implementation has been aligned.
+
+* [1237] Profile-sharing optimizations from KfM have been merged.
+
+* [1240] Windows calling conventions for krb5int_c_combine_keys() have
+ been aligned.
+
+* [1242] Build system incompatibilities with Debian's chimeric
+ autoconf installation have been worked around.
+
+* [1256] Incorrect sizes passed to memset() in combine_keys()
+ operations have been corrected.
+
+* [1260] Client credential lookup now gets new service tickets in
+ preference to attempting to use expired ticketes. Thanks to Ben
+ Cox.
+
+* [1262, 1572] Sequence numbers are now unsigned; negative sequence
+ numbers will be accepted for the purposes of backwards
+ compatibility.
+
+* [1263] A heuristic for matching the incorrectly encoded sequence
+ numbers emitted by Heimdal implementations has been written.
+
+* [1284] kshd accepts connections by IPv6 now.
+
+* [1292] kvno manpage title fixed.
+
+* [1293] Source files no longer explicitly attempt to declare errno.
+
+* [1304] kadmind4 no longer leaves sa_flags uninitialized.
+
+* [1305] Expired tickets now cause KfM to pop up a password dialog.
+
+* [1309] krb5_send_tgs() no longer leaks the storage associated with
+ the TGS-REQ.
+
+* [1310] kadm5_get_either() no longer leaks regexp library memory.
+
+* [1311] Output from krb5-config no longer contains spurious uses of
+ $(PURE).
+
+* [1324] The KDC no longer logs an inappropriate "no matching key"
+ error when an encrypted timestamp preauth password is incorrect.
+
+* [1334] The KDC now returns a clockskew error when the timestamp in
+ the encrypted timestamp preauth is out of bounds, rather than just
+ returning a preauthentcation failure.
+
+* [1342] gawk is no longer required for building kerbsrc.zip for the
+ Windows build.
+
+* [1346] gss_krb5_ccache_name() no longer attempts to return a pointer
+ to freed memory.
+
+* [1351] The filename globbing vulnerability [CERT VU#258721] in the
+ ftp client's handling of filenames beginning with "|" or "-"
+ returned from the "mget" command has been fixed.
+
+* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately
+ during GSSAPI context establishment.
+
+* [1356] krb5_gss_accept_sec_context() no longer attempts to validate
+ a null credential if one is passed in.
+
+* [1362] The "-a user" option to telnetd now does the right thing.
+ Thanks to Nathan Neulinger.
+
+* [1363] ksu no longer inappropriately syslogs to stderr.
+
+* [1357] krb__get_srvtab_name() no longer leaks memory.
+
+* [1370] GSS_C_NO_CREDENTIAL now accepts any principal in the keytab.
+
+* [1373] Handling of SAM preauth no longer attempts to stuff a size_t
+ into an unsigned int.
+
+* [1387] BIND versions later than 8 now supported.
+
+* [1392] The getaddrinfo() wrapper should work better on AIX.
+
+* [1400] If DO_TIME is not set in the auth_context, and no replay
+ cache is available, no replay cache will be used.
+
+* [1406, 1108] libdb is no longer installed. If you installed
+ krb5-1.3-alpha1, you should ensure that no spurious libdb is left in
+ your install tree.
+
+* [1412] ETYPE_INFO handling no longer goes into an infinite loop.
+
+* [1414] libtelnet is now built using the same library build framework
+ as the rest of the tree.
+
+* [1417] A minor memory leak in krb5_read_password() has been fixed.
+
+* [1419] A memory leak in asn1_decode_kdc_req_body() has been fixed.
+
+* [1435] inet_ntop() is now emulated when needed.
+
+* [1439] krb5_free_pwd_sequences() now correctly frees the entire
+ sequence of elements.
+
+* [1440] errno is no longer explicitly declared.
+
+* [1441] kadmind should now return useful errors if an unrecognized
+ version is received in a changepw request.
+
+* [1454, 1480, 1517, 1525] The etype-info2 preauth type is now
+ supported.
+
+* [1459] (KfM/KLL internal) config file resolution can now be
+ prevented from accessing the user's homedir.
+
+* [1463] Preauth handling in the KDC has been reorganized.
+
+* [1470] Double-free in client-side preauth code fixed.
+
+* [1473] Ticket forwarding when the TGS and the end service have
+ different enctypes should work somewhat better now.
+
+* [1474] ASN.1 testsuite memory management has been cleaned up a
+ little to allow for memory leak checking.
+
+* [1476] Documentation updated to reflect default krb4 mode.
+
+* [1482] RFC-1964 OIDs now provided using the suggested symbolic
+ names.
+
+* [1483, 1528] KRB5_DEPRECATED is now false by default on all
+ platforms.
+
+* [1488] The KDC will now return integrity errors if a decryption
+ error is responsible for preauthentication failure.
+
+* [1492] The autom4te.cache directories are now deleted from the
+ release tarfiles.
+
+* [1501] Writable keytabs are registered by default.
+
+* [1515] The check for cross-realm TGTs no longer reads past the end
+ of an array.
+
+* [1518] The kdc_default_options option is now actually honored.
+
+* [1519] The changepw protocol implementation in kadmind now logs
+ password changes.
+
+* [1520] Documentation of OS-specific build options has been updated.
+
+* [1536] A missing prototype for krb5_db_iterate_ext() has been
+ added.
+
+* [1537] An incorrect path to kdc.conf show in the kdc.conf manpage
+ has been fixed.
+
+* [1540] verify_as_reply() will only check the "renew-till" time
+ against the "till" time if the RENEWABLE is not set in the request.
+
+* [1547] gssftpd no longer uses vfork(), as this was causing problems
+ under RedHat 9.
+
+* [1549] SRV records with a value of "." are now interpreted as a lack
+ of support for the protocol.
+
+* [1553] The undocumented (and confusing!) kdc_supported_enctypes
+ kdc.conf variable is no longer used.
+
+* [1560] Some spurious double-colons in password prompts have been
+ fixed.
+
+* [1571] The test suite tries a little harder to get a root shell.
+
+* [1573] The KfM build process now sets localstatedir=/var/db.
+
+* [1576, 1575] The client library no longer requests RENEWABLE_OK if
+ the renew lifetime is greater than the ticket lifetime.
+
+* [1587] A more standard autoconf test to locate the C compiler allows
+ for gcc to be found by default without additional configuration
+ arguments.
+
+* [1593] Replay cache filenames are now escaped with hyphens, not
+ backslashes.
+
+* [1598] MacOS 9 support removed from in-tree com_err.
+
+* [1602] Fixed a memory leak in make_ap_req_v1(). Thanks to Kent Wu.
+
+* [1604] Fixed a memory leak in krb5_gss_init_sec_context(), and an
+ uninitialized memory reference in kg_unseal_v1(). Thanks to Kent
+ Wu.
+
+* [1607] kerberos-iv SRV records are now documented.
+
+* [1610] Fixed AES credential delegation under GSSAPI.
+
+* [1618] ms2mit no longer inserts local addresses into tickets
+ converted from the MS ccache if they began as addressless tickets.
+
+* [1619] etype_info parser (once again) accepts extra field emitted by
+ Heimdal.
+
+* [1643] Some typos in kdc.conf.M have been fixed.
+
+* [1648] For consistency, leading spaces before preprocessor
+ directives in profile.h have been removed.
Copyright Notice and Legal Administrivia
----------------------------------------
-Copyright (C) 1985-2000 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2003 by the Massachusetts Institute of Technology.
All rights reserved.
as testing to ensure DCE interoperability.
Thanks to Ken Hornstein at NRL for providing many bug fixes and
-suggestions.
+suggestions, and for working on SAM preauthentication.
Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
Thanks to Christopher Thompson and Marcus Watts for discovering the
ftpd security bug.
+Thanks to Paul Nelson of Thursby Software Systems for implementing the
+Microsoft set password protocol.
+
Thanks to the members of the Kerberos V5 development team at MIT, both
-past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, John
-Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam
-Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic,
-Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott McGuire,
-Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
-Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Brad Thompson,
-Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.
+past and present: Danilo Almeida, Jeffrey Altman, Jay Berkenbilt,
+Richard Basch, Mitch Berger, John Carr, Don Davis, Alexandra Ellwood,
+Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva
+Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, John Kohl,
+Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
+Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
+Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall
+Vale, Tom Yu.
+2003-07-24 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (realms (kdc.conf)): Remove references to kdc_supported_enctypes
+ (Sample kdc.conf File): Remove kdc_supported_enctypes here too
+
+2003-06-20 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (Installing the Binaries): New node; describe
+ basic "make install", along with "DESTDIR=...".
+
+2003-06-19 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (HPUX): Fix typo.
+ (Options to Configure): Note that --with-system-db is unsupported,
+ concerning possible lossage with loading dumpfiles.
+
+2003-06-18 Tom Yu <tlyu@mit.edu>
+
+ * dnssrv.texinfo: Add note about _kerberos-iv._udp SRV records.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * definitions.texinfo (DefaultCcacheType, DefaultKDCTimesync,
+ DefaultMasterKeyType, DefaultTktLifetime): Updated for code
+ changes.
+ (DefaultCcacheTypeMac, DefaultKDCTimesyncMac): Deleted.
+
+ * admin.texinfo (libdefaults): Update kdc_timesync and ccache_type
+ descriptions to not separate Mac case.
+
+2003-05-30 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (Supported Encryption Types): Document AES interop issues.
+
+ * support-enc.texinfo: Add AES enctypes
+
+2003-05-27 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo (realms (kdc.conf)): Update to reflect that
+ kadm5.keytab is only used by legacy admin daemons.
+
+ * install.texinfo (Create a kadmind Keytab (optional)): Update to
+ reflect that kadm5.keytab is only used by legacy admin daemons.
+
+ * build.texinfo (HPUX): Make HPUX compiler flags simpler.
+
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * build.texinfo (HPUX, Solaris 2.X, Ultrix 4.2/3 [notdef]):
+ Replace descriptions of old --with- options with VAR=.
+ (Solaris 2.X): Suggest that defining _XOPEN_SOURCE and
+ __EXTENSIONS__ might help for 64-bit mode.
+
+2003-05-23 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo (appdefaults): Clarify afs_krb5 slightly.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (appdefaults): Describe afs_krb5
+
+ * krb425.texinfo (AFS and the Appdefaults Section): Note about AFS and 2b tokens
+
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * definitions.texinfo: Updated DefaultSupportedEnctypes.
+
+2003-05-12 Sam Hartman <hartmans@mit.edu>
+
+ * definitions.texinfo: Default v4 mode is now none
+
+2003-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * definitions.texinfo (DefaultETypeList,
+ DefaultSupportedEnctypes): Update for AES.
+ * install.texinfo (Client Machine Configuration Files): Fix typo
+ in variable reference.
+
+2003-04-08 Tom Yu <tlyu@mit.edu>
+
+ * krb4-xrealm.txt: New file. Describe the krb4 cross-realm
+ patchkit. Copied from 2003-004-krb4_patchkit.
+
2003-02-04 Sam Hartman <hartmans@mit.edu>
* krb425.texinfo (Upgrading KDCs): Note that -4 needs to be specified
@include support-enc.texinfo
+While aes128-cts and aes256-cts are supported for all Kerberos
+operations, they are not supported by the GSSAPI. AES GSSAPI support
+will be added after the necessary standardization work is
+completed.
+
+By default, AES is enabled on clients and application servers.
+Because of the lack of support for GSSAPI, AES is disabled in the
+default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use
+AES encryption types on their KDCs need to be careful not to give
+GSSAPI services AES keys. If GSSAPI services are given AES keys, then
+services will start to fail in the future when clients supporting AES
+for GSSAPI are deployed before updated servers that support AES for
+GSSAPI. Sites may wish to use AES for user keys and for the ticket
+granting ticket key, although doing so requires specifying what
+encryption types are used as each principal is created. Alternatively
+sites can use the default configuration which will make AES support
+available in clients and servers but not actually use this support
+until a future version of Kerberos adds support to GSSAPI.
+
@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
@section Salts
difference between their time and the time returned by the KDC in the
timestamps in the tickets and use this value to correct for an
inaccurate system clock. This corrective factor is only used by the
-Kerberos library. The default is @value{DefaultKDCTimesyncMac} for
-Macintosh computers and @value{DefaultKDCTimesync} for all other
-platforms.
+Kerberos library. The default is @value{DefaultKDCTimesync}.
@itemx kdc_req_checksum_type
@itemx ap_req_checksum_type
received. DCE and Kerberos can share the cache, but some versions of
DCE do not support the default cache as created by this version of
Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
-DCE 1.1 systems. The default value is @value{DefaultCcacheTypeMac}
-for Macintosh computers and @value{DefaultCcacheType} for other
-platforms.
+DCE 1.1 systems. The default value is @value{DefaultCcacheType}.
@ignore
@itemx tkt_lifetime
that application's man pages. The application defaults specified here
are overridden by those specified in the [realms] section.
+A special application name (afs_krb5) is used by the krb524 service to
+know whether new format AFS tokens based on Kerberos 5 can be used
+rather than the older format which used a converted Kerberos 4 ticket.
+The new format allows for cross-realm authentication without
+introducing a security hole. It is used by default. Older AFS
+servers (before OpenAFS 1.2.8) will not support the new format. If
+servers in your cell do not support the new format, you will need to
+add an @code{afs_krb5} relation to the @code{appdefaults} section.
+The following config file shows how to disable new format AFS tickets
+for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm.
+
+@smallexample
+@group
+[appdefaults]
+ afs_krb5 = @{
+ EXAMPLE.COM = @{
+ afs/afs.example.com = false
+ @}
+ @}
+
+@end group
+@end smallexample
+
+
+
+
+
@node login, realms (krb5.conf), appdefaults, krb5.conf
@subsection [login]
database. The default is @code{@value{DefaultAclFile}}.
@itemx admin_keytab
-(String.) Location of the keytab file that kadmin uses to authenticate
-to the database. The default is
-@code{@value{DefaultAdminKeytab}}.
+(String.) Location of the keytab file that the legacy administration
+daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to
+the database. The default is @code{@value{DefaultAdminKeytab}}.
@itemx database_name
(String.) Location of the Kerberos database for this realm. The
@value{DefaultSupportedEnctypes}. For lists of possible values, see
@ref{Supported Encryption Types} and @ref{Salts}.
-@itemx kdc_supported_enctypes
-Specifies the permitted key/salt combinations of principals for this
-realm. The format is the same as @code{supported_enctypes}.
-
@itemx reject_bad_transit
A boolean value (@code{true}, @code{false}). If set to @code{true}, the
KDC will check the list of transited realms for cross-realm tickets
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
- kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
@}
[logging]
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * krb5.tex: Update subkey-related information to match code.
+
2002-01-15 Sam Hartman <hartmans@mit.edu>
* krb5.tex (subsubsection{Principal access functions}): krb5_princ_realm returns a pointer.
allocated in this function should be freed with a call to
\funcname{krb5_free_keyblock}.
-\begin{funcdecl}{krb5_auth_con_getlocalsubkey}{krb5_error_code}{\funcinout}
+\begin{funcdecl}{krb5_auth_con_getrecvsubkey}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_auth_context}{auth_context}
\funcout
\funcarg{krb5_keyblock **}{keyblock}
\end{funcdecl}
-Retrieves the local_subkey keyblock stored in
+Retrieves the recv\_subkey keyblock stored in
\funcparam{auth_context}. The memory allocated in this function should
be freed with a call to \funcname{krb5_free_keyblock}.
-\begin{funcdecl}{krb5_auth_con_getremotesubkey}{krb5_error_code}{\funcinout}
+\begin{funcdecl}{krb5_auth_con_getsendsubkey}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_auth_context}{auth_context}
\funcout
\funcarg{krb5_keyblock **}{keyblock}
\end{funcdecl}
-Retrieves the remote_subkey keyblock stored in
+Retrieves the send\_subkey keyblock stored in
\funcparam{auth_context}. The memory allocated in this function should
be freed with a call to \funcname{krb5_free_keyblock}.
+\begin{funcdecl}{krb5_auth_con_setrecvsubkey}{krb5_error_code}{\funcinout}
+\funcarg{krb5_context}{context}
+\funcarg{krb5_auth_context}{auth_context}
+\funcout
+\funcarg{krb5_keyblock *}{keyblock}
+\end{funcdecl}
+
+Sets the recv\_subkey keyblock stored in \funcparam{auth_context}.
+
+\begin{funcdecl}{krb5_auth_con_setsendsubkey}{krb5_error_code}{\funcinout}
+\funcarg{krb5_context}{context}
+\funcarg{krb5_auth_context}{auth_context}
+\funcout
+\funcarg{krb5_keyblock *}{keyblock}
+\end{funcdecl}
+
+Sets the send\_subkey keyblock stored in \funcparam{auth_context}.
\begin{funcdecl}{krb5_auth_setcksumtype}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
data in \funcparam{*outbuf} after verifying its integrity.
The keyblock used for verifying the integrity of the message is taken
-from the \funcparam{auth_context} local_subkey, remote_subkey, or
-keyblock. The keyblock is chosen in the above order by the first one
-which is not NULL.
+from the \funcparam{auth_context} recv\_subkey or keyblock. The
+keyblock is chosen in the above order by the first one which is not
+NULL.
The remote_addr and localaddr portions of the \funcparam{*auth_context}
specify the full addresses (host and port) of the sender and receiver,
build Kerberos.
* Unpacking the Sources:: Preparing the source tree.
* Doing the Build:: Compiling Kerberos.
+* Installing the Binaries:: Installing the compiled binaries.
* Testing the Build:: Making sure Kerberos built correctly.
* Options to Configure:: Command-line options to Configure
* osconf.h:: Header file-specific configurations
@menu
* The appl Directory::
-* The clients Directory::
-* The gen-manpages Directory::
-* The include Directory::
+* The clients Directory::
+* The gen-manpages Directory::
+* The include Directory::
* The kadmin Directory::
* The kdc Directory::
* The krb524 Directory::
-* The lib Directory::
-* The prototype Directory::
-* The slave Directory::
+* The lib Directory::
+* The prototype Directory::
+* The slave Directory::
* The util Directory::
@end menu
will get @file{/u1/krb5-@value{RELEASE}/src}, etc.)
-@node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5
+@node Doing the Build, Installing the Binaries, Unpacking the Sources, Building Kerberos V5
@section Doing the Build
You have a number of different options in how to build Kerberos. If you
from the latest version as distributed and installed by the XConsortium
with X11R6. Either version should be acceptable.
-@node Testing the Build, Options to Configure, Doing the Build, Building Kerberos V5
+@node Installing the Binaries, Testing the Build, Doing the Build, Building Kerberos V5
+@section Installing the Binaries
+
+Once you have built Kerberos, you should install the binaries. You
+can do this by running:
+
+@example
+% make install
+@end example
+
+If you want to install the binaries into a destination directory that
+is not their final destination, which may be convenient if you want to
+build a binary distribution to be deployed on multiple hosts, you may
+use:
+
+@example
+% make install DESTDIR=/path/to/destdir
+@end example
+
+This will install the binaries under @code{DESTDIR/PREFIX}, e.g., the
+user programs will install into @code{DESTDIR/PREFIX/bin}, the
+libraries into @code{DESTDIR/PREFIX/lib}, etc.
+
+Note that if you want to test the build (see @ref{Testing the Build}),
+you usually do not need to do a @code{make install} first.
+
+@node Testing the Build, Options to Configure, Installing the Binaries, Building Kerberos V5
@section Testing the Build
The Kerberos V5 distribution comes with built-in regression tests. To
@item --with-system-db
Use an installed version of the Berkeley DB package, which must
-provide an API compatible with version 1.85.
+provide an API compatible with version 1.85. This option is
+@emph{unsupported} and untested. In particular, we do not know if the
+database-rename code used in the dumpfile load operation will behave
+properly.
If this option is not given, a version supplied with the Kerberos
sources will be built and installed. (We are not updating this
@node HPUX, Solaris versions 2.0 through 2.3, BSDI, OS Incompatibilities
@subsection HPUX
-The native (bundled) compiler for HPUX currently will not work, because
-it is not a full ANSI C compiler. The optional compiler (c89) should
-work as long as you give it the @samp{-D_HPUX_SOURCE} flag
-(i.e. @samp{./configure --with-cc='c89 -D_HPUX_SOURCE'}). This has only
-been tested recently for HPUX 10.20.
+The native (bundled) compiler for HPUX currently will not work,
+because it is not a full ANSI C compiler. The optional ANSI C
+compiler should work as long as you give it the @samp{-Ae} flag
+(i.e. @samp{./configure CC='cc -Ae'}). This is equivalent to
+@samp{./configure CC='c89 -D_HPUX_SOURCE'}, which was the previous
+recommendation. This has only been tested recently for HPUX 10.20.
@node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
@subsection Solaris versions 2.0 through 2.3
libraries. This means that @file{/usr/ucblib} must not be in the
LD_LIBRARY_PATH environment variable when you compile it. Alternatively
you can use the @code{-i} option to @samp{cc}, by using the specifying
-@code{--with-ccopts=-i} option to @samp{configure}.
+@code{CFLAGS=-i} option to @samp{configure}.
+
+If you are compiling for a 64-bit execution environment, you may need
+to configure with the option @code{CFLAGS="-D_XOPEN_SOURCE=500
+-D__EXTENSIONS__"}. This is not well tested; at MIT we work primarily
+with the 32-bit execution environment.
@node SGI Irix 5.X, Ultrix 4.2/3, Solaris 2.X, OS Incompatibilities
@subsection SGI Irix 5.X
On the DEC MIPS platform, using the native compiler, @file{md4.c} and
@file{md5.c} can not be compiled with the optimizer set at level 1.
-That is, you must specify either @samp{--with-ccopts=-O} and
-@samp{--with-ccopts=-g} to configure. If you don't specify either, the
+That is, you must specify either @samp{CFLAGS=-O} and
+@samp{CFLAGS=-g} to configure. If you don't specify either, the
compile will never complete.
The optimizer isn't hung; it just takes an exponentially long time.
the following should be consistent with the variables set in
krb5/src/lib/krb5/krb/init_ctx.c
@end ignore
-@set DefaultETypeList des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4
+@set DefaultETypeList aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4
@comment DEFAULT_ETYPE_LIST
@set DefaultDefaultTgsEnctypes @value{DefaultETypeList}
@set DefaultDefaultTktEnctypes @value{DefaultETypeList}
@comment libdefaults, clockskew
@set DefaultChecksumType RSA MD5
@comment libdefaults, kdc_req_checksum_type, ap_req_checksum_type, safe_checksum_type
-@set DefaultCcacheType 3
+@set DefaultCcacheType 4
@comment DEFAULT_CCACHE_TYPE
-@set DefaultCcacheTypeMac 4
-@comment DEFAULT_CCACHE_TYPE
-@set DefaultTktLifetime 10 hours
+@set DefaultTktLifetime 1 day
@comment libdefaults, tkt_lifetime
-@set DefaultKDCTimesyncMac 1
-@set DefaultKDCTimesync 0
+@comment -- actually, that's not implemented; see
+@comment lib/krb5/krb/get_in_tkt.c, and clients/kinit/kinit.c for krb4
+@comment fallback
+@set DefaultKDCTimesync 1
@comment DEFAULT_KDC_TIMESYNC
@set DefaultKDCDefaultOptions KDC_OPT_RENEWABLE_OK
@comment line 194
the following defaults should be consistent with default variables set
in krb5/src/include/krb5/stock/osconf.h
@end ignore
-@set DefaultMasterKeyType des-cbc-crc
+@set DefaultMasterKeyType des3-cbc-sha1
@comment DEFAULT_KDC_ENCTYPE
@set DefaultKadmindPort 749
@comment DEFAULT_KADM5_PORT
the following defaults should be consistent with the values set in
krb5/src/kdc/kerberos_v4
@end ignore
-@set DefaultV4Mode nopreauth
+@set DefaultV4Mode none
@comment KDC_V4_DEFAULT_MODE
@ignore
This should list port @value{DefaultKpasswdPort} on your master KDC.
It is used when a user changes her password.
+@item _kerberos-iv._udp
+This should refer to your KDCs that serve Kerberos version 4 requests,
+if you have Kerberos v4 enabled.
+
@end table
Be aware, however, that the DNS SRV specification requires that the
* Create the Database::
* Add Administrators to the Acl File::
* Add Administrators to the Kerberos Database::
-* Create a kadmind Keytab::
+* Create a kadmind Keytab (optional)::
* Start the Kerberos Daemons::
@end menu
@include kadm5acl.texinfo
-@node Add Administrators to the Kerberos Database, Create a kadmind Keytab, Add Administrators to the Acl File, Install the Master KDC
+@node Add Administrators to the Kerberos Database, Create a kadmind Keytab (optional), Add Administrators to the Acl File, Install the Master KDC
@subsubsection Add Administrators to the Kerberos Database
Next you need to add administrative principals to the Kerberos database.
-@node Create a kadmind Keytab, Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
-@subsubsection Create a kadmind Keytab
+@node Create a kadmind Keytab (optional), Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
+@subsubsection Create a kadmind Keytab (optional)
-The kadmind keytab is the key that kadmind will use to decrypt
-administrators' Kerberos tickets to determine whether or not it should
-give them access to the database. You need to create the kadmin keytab
-with entries for the principals @code{kadmin/admin} and
+The kadmind keytab is the key that the legacy admininstration daemons
+@code{kadmind4} and @code{v5passwdd} will use to decrypt
+administrators' or clients' Kerberos tickets to determine whether or
+not they should have access to the database. You need to create the
+kadmin keytab with entries for the principals @code{kadmin/admin} and
@code{kadmin/changepw}. (These principals are placed in the Kerberos
database automatically when you create it.) To create the kadmin
-keytab, run @code{kadmin.local} and use the @code{ktadd} command, as in
-the following example. (The line beginning with @result{} is a
+keytab, run @code{kadmin.local} and use the @code{ktadd} command, as
+in the following example. (The line beginning with @result{} is a
continuation of the previous line.):
@smallexample
file.
@need 2000
-@node Start the Kerberos Daemons, , Create a kadmind Keytab, Install the Master KDC
+@node Start the Kerberos Daemons, , Create a kadmind Keytab (optional), Install the Master KDC
@subsubsection Start the Kerberos Daemons on the Master KDC
At this point, you are ready to start the Kerberos daemons on the Master
@enumerate
@item
-Create a database keytab. (@xref{Create a kadmind Keytab}.)
+Create a database keytab. (@xref{Create a kadmind Keytab (optional)}.)
@item
Start the @code{kadmind} daemon. (@xref{Start the Kerberos Daemons}.)
kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin
kshell @value{DefaultKshellPort}/tcp cmd # and remote shell
-kerberos-adm @value{DefaultKamdindPort}/tcp # Kerberos 5 admin/changepw
-kerberos-adm @value{DefaultKamdindPort}/udp # Kerberos 5 admin/changepw
+kerberos-adm @value{DefaultKadmindPort}/tcp # Kerberos 5 admin/changepw
+kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changepw
krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation
@c kpop 1109/tcp # Pop with Kerberos
eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin
--- /dev/null
+The following text was taken from the patchkit disabling cross-realm
+authentication and triple-DES in krb4.
+
+PATCH KIT DESCRIPTION
+=====================
+
+** FLAG DAY REQUIRED **
+
+One of the things we decided to do (and must do for security reasons)
+was drop support for the 3DES krb4 TGTs. Unfortunately the current
+code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new
+code issues only DES TGTs, the old code will not understand its v4
+TGTs if the site has a 3DES key available for the krbtgt principal.
+The new code will understand and accept both DES and 3DES v4 TGTs.
+
+So, the easiest upgrade option is to deploy the code on all KDCs at
+once, being sure to deploy it on the master KDC last. Under this
+scenario, a brief window exists where slaves may be able to issue
+tickets that the master will not understand. However, the slaves will
+understand tickets issued by the master throughout the upgrade.
+
+An alternate and more annoying upgrade strategy exists. At least one
+max TGT life time before the upgrade, the TGT key can be changed to be
+a single-des key. Since we support adding a new TGT key while
+preserving the old one, this does not create an interruption in
+service. Since no 3DES key is available then both the old and new
+code will issue and accept DES v4 TGTs. After the upgrade, the TGT
+key can again be rekeyed to add 3DES keys. This does require two TGT
+key changes and creates a window where DES is used for the v5 TGT, but
+creates no window in which slaves will issue TGTs the master cannot
+accept.
+
+* What the patch does
+=====================
+
+1) Kerberos 4 cross-realm authentication is disabled by default. A
+ "-X" switch is added to both krb524d and krb5kdc to enable v4
+ cross-realm. This switch logs a note that a security hole has been
+ opened in the KDC log. We said while designing the patch, that we
+ were going to try to allow per-realm configuration; because of a
+ design problem in the kadm5 library, we could not do this without
+ bumping the ABI version of that library. We are unwilling to bump
+ an ABI version in a security patch release to get that feature, so
+ the configuration of v4 cross-realm is a global switch.
+
+2) Code responsible for v5 TGTs has been changed to require that the
+ enctype of the ticket service key be the same as the enctype that
+ would currently be issued for that kvno. This means that even if a
+ service has multiple keys, you cannot use a weak key to fake the
+ KDC into accepting tickets for that service. If you have a non-DES
+ TGT key, this separates keys used for v4 and v5. We actually relax
+ this requirement for cross-realm TGT keys (which in the new code
+ are only used for v5) because we cannot guarantee other Kerberos
+ implementations will choose keys the same way.
+
+3) We no longer issue 3DES v4 tickets either in the KDC or krb524d.
+ We add code to accept either DES or 3DES tickets for v4. None of
+ the attacks discovered so far can be implemented given a KDC that
+ accepts but does not issue 3DES tickets, so we believe that leaving
+ this functionality in as compatibility for a version or two is
+ reasonable. Note however that the attacks described do allow
+ successful attackers to print future tickets, so sites probably
+ want to rekey important keys after installing this update. Note
+ also that even if issuance of 3DES v4 tickets has been disabled,
+ outstanding tickets may be used to perform the 3DES cut-and-paste
+ attack.
+
+* Test Cases
+============
+
+This code is difficult to test for two reasons. First, you need a
+cross-realm relationship between two KDCs. Secondly, you need a KDC
+that will issue 3DES v4 tickets even though the code with the patch
+applied can no longer do this.
+
+I propose to meet these requirements by setting up a cross-realm 3DES
+key between a realm I control and the test environment. In order to
+provide concrete examples of what I plan to test with the automated
+tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the
+test realm PATCH.
+
+In all of the following tests I assume the following configuration.
+A principal v4test@PREPATCH.KRBTEST.COM exists with known password and
+without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will
+issue v4 tickets for this principal. A principal test@PATCH exists
+with known password and without requiring preauthentication. A
+principal service@PATCH exists. The TGT for the PATCH realm has a
+3des and des key. The shared TGT keys between PATCH and
+PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and
+support both 3DES and DES keys.
+
+1) Run krb524d and krb5kdc for PATCH with no special options using a
+ krb5.conf without permitted_enctypes (fully permissive).
+
+
+A) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4
+service@PATCH fails with an unknown principal error and logs an error
+about cross-realm being denied to the PATCH KDC log. This confirms
+that v4 cross-realm is not accepted.
+
+B) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init
+-p service@PATCH fails with a prohibited by policy error, but that
+klist -5 includes a ticket for service@PATCH. This confirms that v5
+cross-realm works but the krb524d denies converting such a ticket into
+a cross-realm ticket. Note that the krb524init currently in the
+mainline source tree will not be useful for this test because the
+client denies cross-realm for the simple reason that the v4 ticket
+file format is not flexible enough to support it. The krb524init in
+the 1.2.x release is useful for this test.
+
+
+2) Restart the krb5kdc and krb524d for PATCH with the -X option
+ enabling v4 cross-realm.
+
+A) Confirm that the security warning is written to kdc.log.
+
+B) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4
+service@PATCH works and leaves a service@PATCH ticket in the cache.
+This confirms that v4 cross-realm works in the KDC. It also confirms
+that the KDC can accept 3DES v4 TGTs. The code path for decrypting a
+TGT is the same for the local realm and for foreign realms, so I don't
+see a need to test local 3DES TGTs in an automated manner although I
+did test it manually.
+
+C) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init
+-p service@PATCH works. This confirms that krb524d will issue
+cross-realm tickets. They're completely useless because the v4 ticket
+file can't represent them, but that's not our problem today.
+
+3) Start the kdc and krb524d with a krb5.conf that includes
+ permitted_enctypes only listing des-cbc-crc. Get tickets as
+ test@PATCH. Restart the KDC and confirm that kvno service fails
+ logging an error about permitted enctypes. This confirms that if
+ you manage to obtain a ticket of the wrong enctype it will not be
+ accepted later.
+
+These tests do not check to make sure that 3DES tickets are not
+issued by the v4 code. I'm fairly certain that is true as I've
+physically remove the calls to the routine that generates 3DES tickets
+from the code in both the KDC and krb524d. These tests also do not
+check to make sure that cross-realm TGTs are not required to follow
+the strict enctype policy. I've tested that manually but don't know
+how to test that without significantly complicating the test setup.
@include definitions.texinfo
@set EDITION 1.0
-@set UPDATED October 8, 1996
+@set UPDATED May 22, 2003
@finalout @c don't print black warning boxes
@menu
* libdefaults::
* realms (krb5.conf)::
+* AFS and the Appdefaults Section::
@end menu
@node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf
file. Default is @value{DefaultKrb4Realms}.
@end table
-@node realms (krb5.conf), , libdefaults, krb5.conf
+@node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf
@subsection [realms]
In the [realms] section, the following Kerberos V4 tags may be used:
@end table
+@node AFS and the Appdefaults Section, , realms (krb5.conf), krb5.conf
+@subsection AFS and the Appdefaults Section
+
+Many Kerberos 4 sites also run the Andrew File System (AFS).
+
+Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format.
+This allows AFS to use Kerberos 5 tickets rather than version 4
+tickets, enabling cross-realm authentication. By default, the
+@file{krb524d} service will issue the new AFS 2b tokens. If you are
+using old AFS servers, you will need to disable these new tokens.
+Please see the documentation of the @code{appdefaults} section of
+@file{krb5.conf} in the Kerberos Administration guide.
+
+
+
@node kdc.conf, , krb5.conf, Configuration Files
@section kdc.conf
triple DES cbc mode with HMAC/sha1
@item des-hmac-sha1
DES with HMAC/sha1
+@item aes256-cts-hmac-sha1-96
+@itemx aes256-cts
+AES-256 CTS mode with 96-bit SHA-1 HMAC
+@item aes128-cts-hmac-sha1-96
+@itemx aes128-cts
+AES-128 CTS mode with 96-bit SHA-1 HMAC
@item arcfour-hmac
@itemx rc4-hmac
@itemx arcfour-hmac-md5
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (KRBHDEP): Add krb524_err header.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (WITH_KRB4): Don't set or substitute KRB524_DEPLIB,
+ KRB524_LIB, KRB524_H_DEP, or KRB524_ERR_H_DEP.
+ * Makefile.in (ETOUT): Update location of krb524_err files.
+ (krb524/krb524_err.h, krb524/krb524_err.c): Delete.
+ ($(INC)krb524_err.h, $(ET)krb524_err.c): New targets.
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4: Add -DKRB5_DEPRECATED=1 so stuff in tree builds.
+
+2003-04-24 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4: Require autoconf 2.52 only.
+
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4: Require autoconf 2.53.
+ (CONFIG_RULES): Always set AUTOCONFINCFLAGS to --include.
+
+2003-04-10 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4: Revert requrement of autoconf-2.53, since MacOS X
+ doesn't have it.
+
+2003-04-01 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (KRB5_AC_CHOOSE_DB): Set new variable KDB5_DB_LIB to
+ empty if using in-tree db. It is now used to pass -ldb to link
+ commands, if needed, when linking programs with libkdb5. DB_LIB
+ is now only used for programs that explicitly need the actual
+ libdb independently of libkdb5.
+
+ * krb5-config.in: Use $KDB5_DB_LIB instead of "-ldb" for kdb
+ libraries.
+
+2003-03-31 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4: Require autoconf-2.53, since 2.52 generates
+ configure scripts that NetBSD /bin/sh doesn't like.
+
+2003-03-18 Alexandra Ellwood <lxs@mit.edu>
+
+ * aclocal.m4: Define KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9
+ and higher. When bind 9 is present, BIND_8_COMPAT needs to be defined to
+ get bind 8 types.
+
+2003-03-12 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (AWK): Default to awk, not gawk. User can override
+ on make's command line if necessary. Still, only really useful
+ for building kerbsrc.zip, etc.
+
2003-03-05 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (WINMAKEFILES): Add lib\crypto\aes\Makefile.
# Part of building the PC release has to be done on Unix. This includes
# anything the requires awk.
#
-AWK = gawk
+AWK = awk
AH = util/et/et_h.awk
AC = util/et/et_c.awk
INC = include/
PR = util/profile/
ETOUT = \
- krb524\krb524_err.h krb524\krb524_err.c \
$(INC)asn1_err.h $(ET)asn1_err.c \
$(INC)kdb5_err.h $(ET)kdb5_err.c \
$(INC)krb5_err.h $(ET)krb5_err.c \
$(INC)kv5m_err.h $(ET)kv5m_err.c \
+ $(INC)krb524_err.h $(ET)krb524_err.c \
$(INC)/kerberosIV/kadm_err.h lib/krb4/kadm_err.c \
$(INC)/kerberosIV/krb_err.h lib/krb4/krb_err.c \
$(PR)prof_err.h $(PR)prof_err.c \
rm -rf bin
rm -f include/autoconf.h Makefile macsrc* macfile.maclist
-krb524/krb524_err.h: $(AH) krb524/krb524_err.et
- $(AWK) -f $(AH) outfile=$@ krb524/krb524_err.et
-krb524/krb524_err.c: $(AC) krb524/krb524_err.et
- $(AWK) -f $(AC) outfile=$@ krb524/krb524_err.et
-
$(INC)asn1_err.h: $(AH) $(ET)asn1_err.et
$(AWK) -f $(AH) outfile=$@ $(ET)asn1_err.et
$(INC)kdb5_err.h: $(AH) $(ET)kdb5_err.et
$(AWK) -f $(AH) outfile=$@ $(ET)krb5_err.et
$(INC)kv5m_err.h: $(AH) $(ET)kv5m_err.et
$(AWK) -f $(AH) outfile=$@ $(ET)kv5m_err.et
+$(INC)krb524_err.h: $(AH) $(ET)krb524_err.et
+ $(AWK) -f $(AH) outfile=$@ $(ET)krb524_err.et
$(INC)/kerberosIV/kadm_err.h: $(AH) lib/krb4/kadm_err.et
$(AWK) -f $(AH) outfile=$@ lib/krb4/kadm_err.et
$(INC)/kerberosIV/krb_err.h: $(AH) lib/krb4/krb_err.et
$(AWK) -f $(AC) outfile=$@ $(ET)krb5_err.et
$(ET)kv5m_err.c: $(AC) $(ET)kv5m_err.et
$(AWK) -f $(AC) outfile=$@ $(ET)kv5m_err.et
+$(ET)krb524_err.c: $(AC) $(ET)krb524_err.et
+ $(AWK) -f $(AC) outfile=$@ $(ET)krb524_err.et
lib/krb4/kadm_err.c: $(AC) lib/krb4/kadm_err.et
$(AWK) -f $(AC) outfile=$@ lib/krb4/kadm_err.et
lib/krb4/krb_err.c: $(AC) lib/krb4/krb_err.et
lib/krb4/krb_err.et
KRBHDEP = $(INC)krb5.hin $(INC)krb5_err.h $(INC)kdb5_err.h \
- $(INC)kv5m_err.h $(INC)asn1_err.h
+ $(INC)kv5m_err.h $(INC)krb524_err.h $(INC)asn1_err.h
$(INC)krb5.h: $(KRBHDEP)
rm -f $@
KRB5_AC_CHOOSE_DB dnl
dnl allow stuff in tree to access deprecated/private stuff for now
AC_DEFINE([KRB5_PRIVATE], 1, [Define only if building in-tree])
+AC_DEFINE([KRB5_DEPRECATED], 1, [Define only if building in-tree])
AC_C_CONST dnl
WITH_NETLIB dnl
WITH_HESIOD dnl
AUTOCONFFLAGS=
AUTOHEADER=autoheader
AUTOHEADERFLAGS=
-dnl Autoconf 2.54+ use --include, --localdir is obsolete and removed
-ifdef([AC_MSG_FAILURE], AUTOCONFINCFLAGS="--include", dnl
- AUTOCONFINCFLAGS="--localdir")
+ AUTOCONFINCFLAGS="--include"
dnl fi
AC_SUBST(AUTOCONF)
AC_SUBST(AUTOCONFFLAGS)
KRB4_DEPLIB=
KRB4_INCLUDES=
KRB4_LIBPATH=
- KRB524_DEPLIB=
- KRB524_LIB=
KRB_ERR_H_DEP=
- KRB524_H_DEP=
- KRB524_ERR_H_DEP=
krb5_cv_build_krb4_libs=no
krb5_cv_krb4_libdir=
else
KRB4_LIB=-lkrb4
KRB4_INCLUDES='-I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV'
KRB4_LIBPATH=
- KRB524_DEPLIB='$(BUILDTOP)/krb524/libkrb524.a'
- KRB524_LIB='$(BUILDTOP)/krb524/libkrb524.a'
KRB_ERR_H_DEP='$(BUILDTOP)/include/kerberosIV/krb_err.h'
- KRB524_H_DEP='$(BUILDTOP)/include/krb524.h'
- KRB524_ERR_H_DEP='$(BUILDTOP)/include/krb524_err.h'
krb5_cv_build_krb4_libs=yes
krb5_cv_krb4_libdir=
else
KRB4_INCLUDES="-I$withval/include"
KRB4_LIBPATH="-L$withval/lib"
KRB_ERR_H_DEP=
- KRB524_H_DEP=
- KRB524_ERR_H_DEP=
krb5_cv_build_krb4_libs=no
krb5_cv_krb4_libdir="$withval/lib"
fi
AC_SUBST(KRB4_LIBPATH)
AC_SUBST(KRB4_LIB)
AC_SUBST(KRB4_DEPLIB)
-AC_SUBST(KRB524_DEPLIB)
-AC_SUBST(KRB524_LIB)
AC_SUBST(KRB_ERR_H_DEP)
-AC_SUBST(KRB524_H_DEP)
-AC_SUBST(KRB524_ERR_H_DEP)
dnl We always compile the des425 library
DES425_DEPLIB='$(TOPLIBD)/libdes425$(DEPLIBEXT)'
DES425_LIB=-ldes425
else
DB_HEADER_VERSION=redirect
fi
+ KDB5_DB_LIB="$DB_LIB"
else
DB_VERSION=k5
AC_DEFINE(HAVE_BT_RSEQ,1,[Define if bt_rseq is available, for recursive btree traversal.])
DB_HEADER=db.h
DB_HEADER_VERSION=k5
+ # libdb gets sucked into libkdb
+ KDB5_DB_LIB=
+ # needed for a couple of things that need libdb for its own sake
DB_LIB=-ldb
fi
AC_SUBST(DB_VERSION)
AC_SUBST(DB_HEADER)
AC_SUBST(DB_HEADER_VERSION)
AC_SUBST(DB_LIB)
+AC_SUBST(KDB5_DB_LIB)
+])
+dnl
+dnl
+dnl KRB5_AC_NEED_BIND_8_COMPAT --- check to see if we are on a bind 9 system
+dnl
+dnl
+AC_DEFUN(KRB5_AC_NEED_BIND_8_COMPAT,[
+AC_REQUIRE([AC_PROG_CC])dnl
+dnl
+dnl On a bind 9 system, we need to define BIND_8_COMPAT
+dnl
+AC_MSG_CHECKING(for bind 9 or higher)
+AC_CACHE_VAL(krb5_cv_need_bind_8_compat,[
+AC_TRY_COMPILE([#include <arpa/nameser.h>], [HEADER hdr;],
+krb5_cv_need_bind_8_compat=no,
+[AC_TRY_COMPILE([#define BIND_8_COMPAT
+#include <arpa/nameser.h>], [HEADER hdr;],
+krb5_cv_need_bind_8_compat=yes, krb5_cv_need_bind_8_compat=no)])])
+AC_MSG_RESULT($krb5_cv_need_bind_8_compat)
+test $krb5_cv_need_bind_8_compat = yes && AC_DEFINE(BIND_8_COMPAT,1,[Define if OS has bind 9])
])
dnl
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Don't use libkrb524.a any more.
+ * login.c: Don't include krb524.h.
+ (try_convert524): Don't call krb524_init_ets.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * krcp.c (main): Rename getlocalsubkey -> getsendsubkey.
+
+ * krlogin.c (main): Rename getlocalsubkey -> getsendsubkey.
+
+ * krlogind.c (recvauth): Rename getremotesubkey -> getrecvsubkey.
+
+ * krsh.c (main): Rename getlocalsubkey -> getsendsubkey.
+
+ * krshd.c (recvauth): Rename getremotesubkey -> getrecvsubkey.
+
+2003-04-08 Ken Raeburn <raeburn@mit.edu>
+
+ * krshd.c (main): Use LOG_AUTH syslog facility, not LOG_DAEMON,
+ for consistency with krlogind.c.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* compat_recv.c: Only include krb.h if KRB5_KRB4_COMPAT.
$(SRCTOP)/include/socket-utils.h
$(OUTPRE)forward.$(OBJEXT): forward.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h defines.h $(SRCTOP)/include/fake-addrinfo.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h defines.h $(SRCTOP)/include/fake-addrinfo.h
$(OUTPRE)compat_recv.$(OBJEXT): compat_recv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krb.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
defines.h $(SRCTOP)/include/fake-addrinfo.h
$(OUTPRE)login.$(OBJEXT): login.c $(BUILDTOP)/include/libpty.h \
$(SRCTOP)/include/syslog.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krb.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(KRB524_H_DEP) $(KRB524_ERR_H_DEP) loginpaths.h
+ loginpaths.h
$(OUTPRE)krshd.$(OBJEXT): krshd.c $(BUILDTOP)/include/libpty.h \
$(SRCTOP)/include/syslog.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) loginpaths.h $(SRCTOP)/include/kerberosIV/krb.h \
V4RCP=
V4RCPO=
else
- AC_MSG_RESULT(Adding in krb4 support)
- LOGINLIBS="../../krb524/libkrb524.a $LOGINLIBS"
+ AC_MSG_RESULT(Adding in krb4 rcp support)
V4RCP=v4rcp
V4RCPO=v4rcp.o
fi
try_normal(orig_argv); /* doesn't return */
if (!similar) {
- status = krb5_auth_con_getlocalsubkey (bsd_context,
- auth_context,
- &key);
+ status = krb5_auth_con_getsendsubkey (bsd_context,
+ auth_context,
+ &key);
if ((status || !key) && encryptflag)
try_normal(orig_argv);
}
krb5_keyblock *key = &cred->keyblock;
if (kcmd_proto == KCMD_NEW_PROTOCOL) {
- status = krb5_auth_con_getlocalsubkey (bsd_context,
- auth_context,
- &key);
+ status = krb5_auth_con_getsendsubkey (bsd_context,
+ auth_context,
+ &key);
if (status) {
com_err (argv[0], status,
"determining subkey for session");
if (kcmd_proto == KCMD_NEW_PROTOCOL) {
do_inband = 1;
- status = krb5_auth_con_getlocalsubkey (bsd_context, auth_context,
- &key);
+ status = krb5_auth_con_getsendsubkey (bsd_context, auth_context,
+ &key);
if ((status || !key) && encrypt_flag)
try_normal(orig_argv);
}
return status;
key = 0;
- status = krb5_auth_con_getremotesubkey (bsd_context, auth_context, &key);
+ status = krb5_auth_con_getrecvsubkey (bsd_context, auth_context, &key);
if (status)
fatal (netf, "Server can't get session subkey");
if (!key && do_encrypt && kcmd_proto == KCMD_NEW_PROTOCOL)
krb5_keyblock *key = &cred->keyblock;
if (kcmd_proto == KCMD_NEW_PROTOCOL) {
- status = krb5_auth_con_getlocalsubkey (bsd_context, auth_context,
- &key);
+ status = krb5_auth_con_getsendsubkey (bsd_context, auth_context,
+ &key);
if (status) {
com_err (argv[0], status, "determining subkey for session");
exit (1);
#ifndef LOG_ODELAY /* 4.2 syslog */
openlog(progname, LOG_PID);
#else
-#ifndef LOG_DAEMON
-#define LOG_DAEMON 0
+#ifndef LOG_AUTH
+#define LOG_AUTH 0
#endif
- openlog(progname, LOG_PID | LOG_ODELAY, LOG_DAEMON);
+ openlog(progname, LOG_PID | LOG_ODELAY, LOG_AUTH);
#endif /* 4.2 syslog */
#ifdef KERBEROS
{
krb5_keyblock *key;
- status = krb5_auth_con_getremotesubkey (bsd_context, auth_context,
- &key);
+ status = krb5_auth_con_getrecvsubkey (bsd_context, auth_context,
+ &key);
if (status)
fatal (netfd, "Server can't get session subkey");
if (!key && do_encrypt && kcmd_proto == KCMD_NEW_PROTOCOL)
#include <arpa/resolv.h>
#endif /* BIND_HACK */
-#ifdef KRB4_CONVERT
-#include <krb524.h>
-#endif
-
/* Hacks to maintain compatability with Athena libkrb*/
#ifndef HAVE_KRB_SAVE_CREDENTIALS
#define krb_save_credentials save_credentials
CREDENTIALS v4creds;
- /* or do this directly with krb524_convert_creds_kdc */
- krb524_init_ets(kctx);
-
/* If we have forwarded v5 tickets, retrieve the credentials from
* the cache; otherwise, the v5 credentials are in my_creds.
*/
+2003-06-05 Sam Hartman <hartmans@mit.edu>
+
+ * configure.in: Don't check for vfork as we no longer use it
+
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Don't use libkrb524.a any more.
+ * ftpd.c: Don't include krb524.h.
+ (main): Don't call krb524_init_ets.
+
2003-01-10 Ken Raeburn <raeburn@mit.edu>
* configure.in: Use V5_AC_OUTPUT_MAKEFILE instead of
AC_CHECK_SIZEOF(short)
AC_CHECK_SIZEOF(int)
AC_CHECK_SIZEOF(long)
-AC_FUNC_VFORK
AC_HEADER_STDARG
AC_CHECK_HEADER(termios.h,[AC_CHECK_FUNC(cfsetispeed,AC_DEFINE(POSIX_TERMIOS))])
AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/select.h sys/sockio.h paths.h)
if test $krb5_cv_shadow_pwd = yes; then
AC_DEFINE(HAVE_SHADOW)
fi
-AC_ARG_WITH([krb4],
-[ --without-krb4 don't include Kerberos V4 backwards compatibility
- --with-krb4 use V4 libraries included with V5 (default)
- --with-krb4=KRB4DIR use preinstalled V4 libraries],
-,
-withval=yes
-)dnl
-if test $withval = no; then
- AC_MSG_RESULT(no krb4 support)
-else
- AC_MSG_RESULT(Adding in krb4 support)
- FTPD_LIBS="../../../krb524/libkrb524.a"
-fi
case $krb5_cv_host in
alpha*-dec-osf*)
AC_CHECK_LIB(security,setluid,
+2003-06-16 Ken Raeburn <raeburn@mit.edu>
+
+ * ftp.c (recvrequest): Add new argument indicating whether "-" and
+ "|..." special treatment should be disabled.
+ * ftp_var.h (recvrequest): Update declaration.
+ * cmds.c (remglob, ls, mls): Pass 0 as the extra argument.
+ (mget): Pass 1.
+ (getit): Pass 1 iff only one filename was supplied.
+
+2003-06-05 Sam Hartman <hartmans@mit.edu>
+
+ * pclose.c (mypopen): use fork not vfork
+
2003-01-09 Ken Raeburn <raeburn@mit.edu>
* ftp.c (hookup, initconn, dataconn): Use socklen_t when passing
}
recvrequest("RETR", argv[2], argv[1], rmode,
- argv[1] != oldargv1 || argv[2] != oldargv2);
+ argv[1] != oldargv1 || argv[2] != oldargv2, loc);
restart_point = 0;
return (0);
}
tp = domap(tp);
}
recvrequest("RETR", tp, cp, "w",
- tp != cp || !interactive);
+ tp != cp || !interactive, 1);
if (!mflag && fromatty) {
ointer = interactive;
interactive = 1;
pswitch(!proxy);
}
for (rmode = "w"; *++argv != NULL; rmode = "a")
- recvrequest ("NLST", temp, *argv, rmode, 0);
+ recvrequest ("NLST", temp, *argv, rmode, 0, 0);
if (doswitch) {
pswitch(!proxy);
}
code = -1;
return;
}
- recvrequest(cmd, argv[2], argv[1], "w", 0);
+ recvrequest(cmd, argv[2], argv[1], "w", 0, 0);
}
/*
(void) setjmp(jabort);
for (i = 1; mflag && i < argc-1; ++i) {
*rmode = (i == 1) ? 'w' : 'a';
- recvrequest(cmd, dest, argv[i], rmode, 0);
+ recvrequest(cmd, dest, argv[i], rmode, 0, 0);
if (!mflag && fromatty) {
ointer = interactive;
interactive = 1;
}
void recvrequest(char *cmd, char *volatile local, char *remote, char *lmode,
- int printnames)
+ int printnames, int fnameonly)
{
FILE *volatile fout, *volatile din = 0, *popen();
int (*volatile closefunc)(), pclose(), fclose();
return;
}
oldintr = signal(SIGINT, abortrecv);
- if (strcmp(local, "-") && *local != '|') {
+ if (fnameonly || (strcmp(local, "-") && *local != '|')) {
if (access(local, 2) < 0) {
char *dir = strrchr(local, '/');
din = dataconn("r");
if (din == NULL)
goto die;
- if (strcmp(local, "-") == 0)
+ if (strcmp(local, "-") == 0 && !fnameonly)
fout = stdout;
- else if (*local == '|') {
+ else if (*local == '|' && !fnameonly) {
#ifdef SIGPIPE
oldintp = signal(SIGPIPE, SIG_IGN);
#endif
/* ftp.c */
void sendrequest (char *, char *, char *, int);
-void recvrequest (char *, char *volatile, char *, char *, int);
+void recvrequest (char *, char *volatile, char *, char *, int, int);
int login (char *);
void setpbsz (unsigned int);
void pswitch (int);
#include <signal.h>
#include <sys/param.h>
#include <sys/wait.h>
-#ifdef HAVE_VFORK_H
-#include <vfork.h>
-#endif
#define sig_t my_sig_t
#define sigtype krb5_sigtype
typedef sigtype (*sig_t)();
return (NULL);
myside = tst(p[WTR], p[RDR]);
hisside = tst(p[RDR], p[WTR]);
- if ((pid = vfork()) == 0) {
+ if ((pid = fork()) == 0) {
/* myside and hisside reverse roles in child */
(void) close(myside);
if (hisside != tst(0, 1)) {
+2003-06-05 Sam Hartman <hartmans@mit.edu>
+
+ * popen.c (ftpd_popen): Use fork not vfork
+
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * ftpd.c: Don't declare errno.
+
2003-01-03 Ken Raeburn <raeburn@mit.edu>
* ftpd.c (auth_data): Kerberos v4 checksum must be a 32-bit
$(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/profile.h $(KRB524_H_DEP) $(KRB524_ERR_H_DEP) \
- $(SRCTOP)/include/socket-utils.h $(BUILDTOP)/include/gssapi/gssapi.h \
+ $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
ftpd_var.h secure.h
$(OUTPRE)ftpcmd.$(OBJEXT): ftpcmd.c $(srcdir)/../arpa/ftp.h \
#ifdef KRB5_KRB4_COMPAT
#include <krb5.h>
#include <krb.h>
-#include <krb524.h>
AUTH_DAT kdata;
KTEXT_ST ticket;
#include "ftpd_var.h"
#include "secure.h"
-extern int errno;
extern char *crypt();
extern char version[];
extern char *home; /* pointer to home directory for glob */
#ifdef GSSAPI
krb5_init_context(&kcontext);
-#ifdef KRB5_KRB4_COMPAT
- krb524_init_ets(kcontext);
-#endif
#endif
while ((c = getopt(argc, argv, option_string)) != -1) {
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#ifdef HAVE_VFORK_H
-#include <vfork.h>
-#endif
#include "ftpd_var.h"
/*
gargv[gargc] = NULL;
iop = NULL;
- switch(pid = vfork()) {
+ switch(pid = fork()) {
case -1: /* error */
(void)close(pdes[0]);
(void)close(pdes[1]);
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * kerberos5.c (kerberos5_send): Rename getlocalsubkey ->
+ getsendsubkey.
+ (kerberos5_is): Rename getremotesubkey -> getrecvsubkey.
+
+2003-04-10 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Use library build framework.
+
+ * configure.in: Add support for library build framework. Remove
+ old explicit checks for ranlib, etc.
+
+2003-04-09 Tom Yu <tlyu@mit.edu>
+
+ * kerberos.c (kerberos4_status): Always copy in username if
+ present. Patch from Nathan Neulinger to make "-a user" work.
+
+ * kerberos5.c (kerberos5_status): Always copy in username if
+ present. Patch from Nathan Neulinger to make "-a user" work.
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kerberos5.c (kerberos5_is): Check principal name length before
+ examining components.
+
2003-01-07 Ken Raeburn <raeburn@mit.edu>
* Makefile.orig: Deleted.
SETENVSRC=@SETENVSRC@
SETENVOBJ=@SETENVOBJ@
-LIB= libtelnet.a
+LIB=telnet
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../../../appl/telnet/libtelnet
+STOBJLISTS=OBJS.ST
+
SRCS= $(srcdir)/auth.c \
$(srcdir)/encrypt.c \
$(srcdir)/genget.c \
$(srcdir)/strftime.c \
$(srcdir)/strerror.c
-OBJS= auth.o encrypt.o genget.o \
+STLIBOBJS= auth.o encrypt.o genget.o \
misc.o kerberos.o kerberos5.o forward.o spx.o enc_des.o \
$(LIBOBJS) getent.o $(SETENVOBJ)
TELNET_H= $(srcdir)/../arpa/telnet.h
-all:: $(LIB)
-$(LIB): $(OBJS)
- $(RM) $(LIB)
- $(ARADD) $@ $(OBJS)
- $(RANLIB) $@
+all:: all-libs
-clean::
- $(RM) $(LIB)
+clean:: clean-libs clean-libobjs
auth.o: $(TELNET_H)
auth.o: encrypt.h
enc_des.o: key-proto.h
enc_des.o: misc-proto.h
install::
+
+# @lib_frag@
+# @libobj_frag@
+
# +++ Dependency line eater +++
#
# Makefile dependencies follow. This must be the last section in
# the Makefile.in file
#
-$(OUTPRE)auth.$(OBJEXT): auth.c $(srcdir)/../arpa/telnet.h \
+auth.so auth.po $(OUTPRE)auth.$(OBJEXT): auth.c $(srcdir)/../arpa/telnet.h \
encrypt.h enc-proto.h auth.h auth-proto.h misc-proto.h
-$(OUTPRE)encrypt.$(OBJEXT): encrypt.c $(srcdir)/../arpa/telnet.h \
+encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): encrypt.c $(srcdir)/../arpa/telnet.h \
encrypt.h enc-proto.h misc.h misc-proto.h
-$(OUTPRE)genget.$(OBJEXT): genget.c misc.h misc-proto.h
-$(OUTPRE)misc.$(OBJEXT): misc.c misc.h misc-proto.h \
+genget.so genget.po $(OUTPRE)genget.$(OBJEXT): genget.c misc.h misc-proto.h
+misc.so misc.po $(OUTPRE)misc.$(OBJEXT): misc.c misc.h misc-proto.h \
auth.h auth-proto.h encrypt.h enc-proto.h
-$(OUTPRE)kerberos.$(OBJEXT): kerberos.c $(BUILDTOP)/include/krb5.h \
+kerberos.so kerberos.po $(OUTPRE)kerberos.$(OBJEXT): kerberos.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/../arpa/telnet.h $(SRCTOP)/include/kerberosIV/des.h \
$(SRCTOP)/include/kerberosIV/krb.h $(KRB_ERR_H_DEP) \
$(BUILDTOP)/include/profile.h encrypt.h enc-proto.h \
auth.h auth-proto.h misc.h misc-proto.h
-$(OUTPRE)kerberos5.$(OBJEXT): kerberos5.c $(srcdir)/../arpa/telnet.h \
+kerberos5.so kerberos5.po $(OUTPRE)kerberos5.$(OBJEXT): kerberos5.c $(srcdir)/../arpa/telnet.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/syslog.h \
encrypt.h enc-proto.h auth.h auth-proto.h misc.h misc-proto.h \
krb5forw.h
-$(OUTPRE)forward.$(OBJEXT): forward.c $(BUILDTOP)/include/krb5.h \
+forward.so forward.po $(OUTPRE)forward.$(OBJEXT): forward.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) krb5forw.h
-$(OUTPRE)spx.$(OBJEXT): spx.c misc-proto.h
-$(OUTPRE)enc_des.$(OBJEXT): enc_des.c $(BUILDTOP)/include/krb5.h \
+spx.so spx.po $(OUTPRE)spx.$(OBJEXT): spx.c misc-proto.h
+enc_des.so enc_des.po $(OUTPRE)enc_des.$(OBJEXT): enc_des.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/../arpa/telnet.h encrypt.h \
enc-proto.h key-proto.h misc-proto.h
-$(OUTPRE)setenv.$(OBJEXT): setenv.c misc-proto.h
-$(OUTPRE)getent.$(OBJEXT): getent.c gettytab.h
-$(OUTPRE)parsetos.$(OBJEXT): parsetos.c misc-proto.h
-$(OUTPRE)strdup.$(OBJEXT): strdup.c
-$(OUTPRE)strcasecmp.$(OBJEXT): strcasecmp.c
-$(OUTPRE)strchr.$(OBJEXT): strchr.c
-$(OUTPRE)strrchr.$(OBJEXT): strrchr.c
-$(OUTPRE)strftime.$(OBJEXT): strftime.c
-$(OUTPRE)strerror.$(OBJEXT): strerror.c
+setenv.so setenv.po $(OUTPRE)setenv.$(OBJEXT): setenv.c misc-proto.h
+getent.so getent.po $(OUTPRE)getent.$(OBJEXT): getent.c gettytab.h
+parsetos.so parsetos.po $(OUTPRE)parsetos.$(OBJEXT): parsetos.c misc-proto.h
+strdup.so strdup.po $(OUTPRE)strdup.$(OBJEXT): strdup.c
+strcasecmp.so strcasecmp.po $(OUTPRE)strcasecmp.$(OBJEXT): strcasecmp.c
+strchr.so strchr.po $(OUTPRE)strchr.$(OBJEXT): strchr.c
+strrchr.so strrchr.po $(OUTPRE)strrchr.$(OBJEXT): strrchr.c
+strftime.so strftime.po $(OUTPRE)strftime.$(OBJEXT): strftime.c
+strerror.so strerror.po $(OUTPRE)strerror.$(OBJEXT): strerror.c
AC_INIT(auth.c)
CONFIG_RULES
-AC_PROG_ARCHIVE
-AC_PROG_ARCHIVE_ADD
-AC_PROG_RANLIB
AC_REPLACE_FUNCS([strcasecmp strdup setsid strerror strftime getopt herror parsetos])
AC_CHECK_FUNCS(setenv unsetenv getenv gettosbyname cgetent)
AC_CHECK_HEADERS(stdlib.h string.h unistd.h)
AC_MSG_RESULT(Kerberos 4 authentication enabled)
AC_DEFINE(KRB4)
fi
+KRB5_BUILD_LIBRARY_STATIC
+KRB5_BUILD_LIBOBJS
V5_AC_OUTPUT_MAKEFILE
if (level < AUTH_USER)
return(level);
- if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+ /*
+ * Always copy in UserNameRequested if the authentication
+ * is valid, because the higher level routines need it.
+ */
+ if (UserNameRequested) {
/* the name buffer comes from telnetd/telnetd{-ktd}.c */
strncpy(kname, UserNameRequested, 255);
name[255] = '\0';
+ }
+
+ if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
return(AUTH_VALID);
} else
return(AUTH_USER);
&check_data, new_creds, &auth);
#ifdef ENCRYPTION
- krb5_auth_con_getlocalsubkey(telnet_context, auth_context, &newkey);
+ krb5_auth_con_getsendsubkey(telnet_context, auth_context, &newkey);
if (session_key) {
krb5_free_keyblock(telnet_context, session_key);
session_key = 0;
* first component of a service name especially since
* the default is of length 4.
*/
+ if (krb5_princ_size(telnet_context,ticket->server) < 1) {
+ (void) strcpy(errbuf, "malformed service name");
+ goto errout;
+ }
if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) {
char princ[256];
strncpy(princ,
if (name)
free(name);
- krb5_auth_con_getremotesubkey(telnet_context, auth_context,
+ krb5_auth_con_getrecvsubkey(telnet_context, auth_context,
&newkey);
if (session_key) {
krb5_free_keyblock(telnet_context, session_key);
if (level < AUTH_USER)
return(level);
+ /*
+ * Always copy in UserNameRequested if the authentication
+ * is valid, because the higher level routines need it.
+ * the name buffer comes from telnetd/telnetd{-ktd}.c
+ */
+ if (UserNameRequested) {
+ strncpy(name, UserNameRequested, 255);
+ name[255] = '\0';
+ }
+
if (UserNameRequested &&
krb5_kuserok(telnet_context, ticket->enc_part2->client,
UserNameRequested))
{
- /* the name buffer comes from telnetd/telnetd{-ktd}.c */
- strncpy(name, UserNameRequested, 255);
- name[255] = '\0';
return(AUTH_VALID);
} else
return(AUTH_USER);
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * externs.h: Don't declare errno.
+
2003-01-07 Ken Raeburn <raeburn@mit.edu>
* Makefile.orig: Deleted.
#define SUBBUFSIZE 256
-#ifndef CRAY
-extern int errno; /* outside this world */
-#endif /* !CRAY */
-
extern int
autologin, /* Autologin enabled */
skiprc, /* Don't process the ~/.telnetrc file */
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * telnetd.h: Don't declare errno.
+
2003-01-09 Ken Raeburn <raeburn@mit.edu>
* telnetd.c (main): Use socklen_t when passing address to socket
ext.h pathnames.h $(COM_ERR_DEPS) $(BUILDTOP)/include/libpty.h \
$(srcdir)/../libtelnet/auth.h $(srcdir)/../libtelnet/auth-proto.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/krb5/kdb.h
$(OUTPRE)utility.$(OBJEXT): utility.c telnetd.h defs.h \
$(srcdir)/../arpa/telnet.h $(SRCTOP)/include/socket-utils.h \
$(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/syslog.h \
/* other external variables */
extern char **environ;
-extern int errno;
+2003-05-29 Ken Raeburn <raeburn@mit.edu>
+
+ * kinit.c (KRB4_BACKUP_DEFAULT_LIFE_SECS): Update to one day.
+
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (kinit): Don't use krb524 library.
+ * kinit.c: Don't include krb524.h.
+ (try_convert524): Don't call krb524_init_ets.
+
2002-11-05 Tom Yu <tlyu@mit.edu>
* kinit.c (k4_kinit): Remove trailing colon, as new implementation
all-windows:: $(OUTPRE)kinit.exe
all-mac::
-kinit: kinit.o $(KRB4COMPAT_DEPLIBS) $(KRB524_DEPLIB)
- $(CC_LINK) -o $@ kinit.o $(KRB524_LIB) $(KRB4COMPAT_LIBS)
+kinit: kinit.o $(KRB4COMPAT_DEPLIBS)
+ $(CC_LINK) -o $@ kinit.o $(KRB4COMPAT_LIBS)
$(OUTPRE)kinit.exe: $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB)
link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib
#endif /* HAVE_UNISTD_H */
#endif /* GETOPT_LONG */
-#ifdef HAVE_KRB524
-#include "krb524.h"
-#endif
-
#ifndef _WIN32
#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
#else
static int authed_k5 = 0;
static int authed_k4 = 0;
-#define KRB4_BACKUP_DEFAULT_LIFE_SECS 10*60*60 /* 10 hours */
+#define KRB4_BACKUP_DEFAULT_LIFE_SECS 24*60*60 /* 1 day */
typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
initialized.
*/
- /* or do this directly with krb524_convert_creds_kdc */
- krb524_init_ets(k5->ctx);
-
if ((code = krb5_build_principal(k5->ctx,
&kpcserver,
krb5_princ_realm(k5->ctx, k5->me)->length,
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * heuristic.c (get_closest_principal): Don't try to examine
+ principal name components after the last.
+ * krb_auth_su.c (get_best_principal): Check principal name length
+ before examining components.
+
2002-12-23 Ezra Peisach <epeisach@bu.edu>
* authorization.c, heuristic.c, ksu.h: Use uid_t instead of int in
$(OUTPRE)krb_auth_su.$(OBJEXT): krb_auth_su.c ksu.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/k5-util.h $(SRCTOP)/include/syslog.h
$(OUTPRE)ccache.$(OBJEXT): ccache.c ksu.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-util.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/k5-util.h \
$(SRCTOP)/include/syslog.h $(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)authorization.$(OBJEXT): authorization.c ksu.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/k5-util.h $(SRCTOP)/include/syslog.h
$(OUTPRE)main.$(OBJEXT): main.c ksu.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-util.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/k5-util.h \
$(SRCTOP)/include/syslog.h $(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)heuristic.$(OBJEXT): heuristic.c ksu.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-util.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/k5-util.h \
$(SRCTOP)/include/syslog.h
$(OUTPRE)xmalloc.$(OBJEXT): xmalloc.c ksu.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-util.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/k5-util.h \
$(SRCTOP)/include/syslog.h
$(OUTPRE)setenv.$(OBJEXT): setenv.c
krb5_data *p2 =
krb5_princ_component(context, temp_client, j);
- if ((p1->length != p2->length) ||
+ if (!p1 || !p2 || (p1->length != p2->length) ||
memcmp(p1->data,p2->data,p1->length)){
got_one = FALSE;
break;
krb5_princ_realm(context, temp_client)->length))){
- if(nelem){
+ if (nelem &&
+ krb5_princ_size(context, *client) > 0 &&
+ krb5_princ_size(context, temp_client) > 0) {
krb5_data *p1 =
krb5_princ_component(context, *client, 0);
krb5_data *p2 =
+2003-06-27 Jen Selby <jenselby@mit.edu>
+
+ * kdc.conf.M: replaced the @LOCALSTATEDIR typos with
+ /usr/local/var
+
+2003-06-20 Tom Yu <tlyu@mit.edu>
+
+ * krb5.conf.M: Sync with doc/krb5conf.texinfo.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * kdc.conf: Delete supported and master key type specs.
+
+ * krb5.conf: Delete Athena KDC specifications. Delete Cygnus
+ realm info. Replace CLUB.CC.CMU.EDU info with ANDREW.CMU.EDU,
+ which has SRV records and thus doesn't need KDC specs. Provide a
+ commented-out example of a [logging] spec. Delete commented-out
+ enctype specs.
+
+ * krb5.conf.M: Remove "kdc =" lines from "realms" section example,
+ and recommend not using it unless DNS info isn't available.
+
+2003-05-29 Ken Raeburn <raeburn@mit.edu>
+
+ * kdc.conf.M (FILES): Refer to correct location for kdc.conf in
+ the default installation path.
+
2002-09-24 Sam Hartman <hartmans@mit.edu>
* krb5.conf: Update enctypes and add club.cc.cmu.edu
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
- master_key_type = des-cbc-crc
- supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
}
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is @LOCALSTATEDIR/krb5kdc/kadm5.acl.
+on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-@LOCALSTATEDIR/krb5kdc/kadm5.keytab.
+/usr/local/var/krb5kdc/kadm5.keytab.
.IP database_name
This
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/lib/krb5kdc/kdc.conf
+/usr/local/var/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
[libdefaults]
default_realm = ATHENA.MIT.EDU
-# You don't actually need enctype lines
-# By default all enctypes are allowed.
-# default_tgs_enctypes = des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4
krb4_config = /usr/kerberos/lib/krb.conf
krb4_realms = /usr/kerberos/lib/krb.realms
[realms]
ATHENA.MIT.EDU = {
- kdc = KERBEROS-2.MIT.EDU:88
- kdc = KERBEROS.MIT.EDU
- kdc = KERBEROS-1.MIT.EDU
admin_server = KERBEROS.MIT.EDU
default_domain = MIT.EDU
v4_instance_convert = {
lithium = lithium.lcs.mit.edu
}
}
- CYGNUS.COM = {
- kdc = KERBEROS.CYGNUS.COM
- kdc = KERBEROS-1.CYGNUS.COM
- admin_server = KERBEROS.MIT.EDU
+ ANDREW.CMU.EDU = {
+ admin_server = vice28.fs.andrew.cmu.edu
}
+# use "kdc =" if realm admins haven't put SRV records into DNS
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
admin_server = kerberos.gnu.org
}
-CLUB.CC.CMU.EDU = {
- kdc = kerberos.club.cc.cmu.edu
- kdc = kerberos-1.club.cc.cmu.edu
- admin_server = kerberos-admin.club.cc.cmu.edu
- default_domain = club.cc.cmu.edu
-}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.ucsc.edu = CATS.UCSC.EDU
+[logging]
+# kdc = CONSOLE
is invalid. The default value is 300 seconds, or five minutes.
.IP kdc_timesync
-If the value of this relation is non-zero, the library will compute the
-difference between the system clock and the time returned by the KDC and
-in order to correct for an inaccurate system clock. This corrective
-factor is only used by the Kerberos library.
+If the value of this relation is non-zero (the default), the library
+will compute the difference between the system clock and the time
+returned by the KDC and in order to correct for an inaccurate system
+clock. This corrective factor is only used by the Kerberos library.
.IP kdc_req_checksum_type
For compatability with DCE security servers which do not support the
Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
DCE 1.1 systems.
+.IP krb4_srvtab
+Specifies the location of the Kerberos V4 srvtab file. Default is
+"/etc/srvtab".
+
+.IP krb4_config
+Specifies the location of hte Kerberos V4 configuration file. Default
+is "/etc/krb.conf".
+
+.IP krb4_realms
+Specifies the location of the Kerberos V4 domain/realm translation
+file. Default is "/etc/krb.realms".
+
.IP dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
allow Kerberos to work in a network that uses NATs. The addresses should
be in a comma-separated list.
+.IP udp_preference_limit
+When sending a message to the KDC, the library will try using TCP
+before UDP if the size of the message is above "udp_preference_list".
+If the message is smaller than "udp_preference_list", then UDP will be
+tried before TCP. Regardless of the size, both protocols will be
+tried if the first attempt fails.
+
+.IP verify_ap_req_nofail
+If this flag is set, then an attempt to get initial credentials will
+fail if the client machine does not have a keytab. The default for the
+flag is false.
+
+.IP renew_lifetime
+The value of this tag is the default renewable lifetime for initial
+tickets. The default value for the tag is 0.
+
+.IP noaddresses
+Setting this flag causes the initial Kerberos ticket to be addressless.
+The default for the flag is true.
+
+.IP forwardable
+If this flag is set, initial tickets by default will be forwardable.
+The default value for this flag is false.
+
+.IP proxiable
+If this flag is set, initial tickets by default will be proxiable.
+The default value for this flag is false.
+
.SH APPDEFAULTS SECTION
Each tag in the [appdefaults] section names a Kerberos V5 application
.in +1i
[realms]
ATHENA.MIT.EDU = {
- kdc = KERBEROS.MIT.EDU
- kdc = KERBEROS-1.MIT.EDU:750
- kdc = KERBEROS-2.MIT.EDU:88
admin_server = KERBEROS.MIT.EDU
default_domain = MIT.EDU
v4_instance_convert = {
.IP kdc
The value of this relation is the name of a host running a KDC for that
realm. An optional port number (preceded by a colon) may be appended to
-the hostname.
+the hostname. This tag should generally be used only if the realm
+administrator has not made the information available through DNS.
.IP admin_server
This relation identifies the host where the administration server is
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * win-pre.in (CPPFLAGS): Define KRB5_DEPRECATED=1.
+
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * pre.in (KRB524_H_DEP, KRB524_ERR_H_DEP, KRB524_LIB,
+ KRB524_DEPLIB): Deleted.
+
+2003-04-24 Ken Raeburn <raeburn@mit.edu>
+
+ * post.in (configure): Try running autoconf with --include, and if
+ that doesn't work, try --localdir. Don't use AUTOCONFINCFLAGS.
+
+2003-04-01 Tom Yu <tlyu@mit.edu>
+
+ * pre.in (KDB5_DEPLIBS): Don't depend on $(DB_DEPLIB) anymore.
+ (KDB5_DB_LIB): New variable; is empty if not building with system
+ libdb.
+ (KDB5_LIBS): Use $(KDB5_DB_LIB) instead of $(DB_LIB).
+
2003-03-03 Tom Yu <tlyu@mit.edu>
* libobj.in: Change .c.so and .c.po rules to use ALL_CFLAGS.
$(SRCTOP)/aclocal.m4
-$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache
cd $(srcdir)/$(thisconfigdir) && \
- $(AUTOCONF) ${AUTOCONFINCFLAGS}=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS)
+ ($(AUTOCONF) --include=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS) || \
+ $(AUTOCONF) --localdir=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS))
-$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache
RECURSE_TARGETS=all-recurse clean-recurse distclean-recurse install-recurse \
SS_DEPLIB = $(SS_DEPLIB-@SS_VERSION@)
SS_DEPLIB-k5 = $(TOPLIBD)/libss.a
SS_DEPLIB-sys =
-KRB524_DEPLIB = @KRB524_DEPLIB@
PTY_DEPLIB = $(TOPLIBD)/libpty.a
KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB)
KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS)
-KDB5_DEPLIBS = $(KDB5_DEPLIB) $(DB_DEPLIB)
+KDB5_DEPLIBS = $(KDB5_DEPLIB)
GSS_DEPLIBS = $(GSS_DEPLIB)
GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS)
KADM_COMM_DEPLIBS = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS)
# is compiled.
KRB_ERR_H_DEP = @KRB_ERR_H_DEP@
-KRB524_H_DEP = @KRB524_H_DEP@
-KRB524_ERR_H_DEP= @KRB524_ERR_H_DEP@
# LIBS gets substituted in... e.g. -lnsl -lsocket
SS_LIB-k5 = $(TOPLIBD)/libss.a
KDB5_LIB = -lkdb5
DB_LIB = @DB_LIB@
+KDB5_DB_LIB = @KDB5_DB_LIB@
KRB5_LIB = -lkrb5
K5CRYPTO_LIB = -lk5crypto
# needs fixing if ever used on Mac OS X!
DES425_LIB = @DES425_LIB@
-# KRB524_LIB is $(BUILDTOP)/krb524/libkrb524.a if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-KRB524_LIB = @KRB524_LIB@
-
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS)
KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
-KDB5_LIBS = $(KDB5_LIB) $(DB_LIB)
+KDB5_LIBS = $(KDB5_LIB) $(KDB5_DB_LIB)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
GSSRPC_LIBS = -lgssrpc $(GSS_LIBS)
CC=cl
PDB_OPTS=-Fd$(OUTPRE)\ -FD
-CPPFLAGS=-I$(SRCTOP)\include -I$(SRCTOP)\include\krb5 $(DNSFLAGS) -DKRB5_PRIVATE=1 -DWIN32_LEAN_AND_MEAN
+CPPFLAGS=-I$(SRCTOP)\include -I$(SRCTOP)\include\krb5 $(DNSFLAGS) -DKRB5_PRIVATE=1 -DWIN32_LEAN_AND_MEAN -DKRB5_DEPRECATED=1
CCOPTS=-nologo /W3 $(PDB_OPTS) $(DLL_FILE_DEF)
LOPTS=-nologo -incremental:no
+2003-07-31 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb5.hin: krb5_get_host_realm and krb5_free_host_realm should
+ not be labeled as KRB5_PRIVATE. They are required for many
+ applications including OpenAFS and UMich's Kx509. 1.2.8 had them
+ public but the change was never reflected on the trunk.
+
+2003-07-22 Alexandra Ellwood <lxs@mit.edu>
+
+ * fake-addrinfo.h: Don't use broken getaddrinfo on Mac OS X
+
+2003-07-21 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5_32.def: Export krb5_principal2salt.
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5.hin: Export krb5_get_permitted_enctypes and
+ krb5_set_real_time for Samba.
+
+2003-06-23 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct krb5_cksumtypes): Add new field trunc_size.
+
+2003-06-12 Tom Yu <tlyu@mit.edu>
+
+ * krb5.hin: krb524_init_ets() takes one argument.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct srv_dns_entry): Declare.
+ (krb5int_make_srv_query_realm, krb5int_free_srv_dns_data):
+ Declare.
+ (struct _krb5int_access): Add make_srv_query_realm and
+ free_srv_dns_data fields.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct _krb5int_access): Add locate_server back in.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (KRB524_SERVICE, KRB524_PORT): Moved here...
+ * krb5.h: ...from here.
+ (krb5_524_convert_creds): Renamed from krb524_convert_creds_kdc,
+ fixed calling convention spec.
+ (krb524_convert_creds_kdc, krb524_init_ets) [KRB5_DEPRECATED]: New
+ macros.
+
+ * Makefile.in (clean-windows): Remove new "timestamp" file when
+ cleaning up.
+
+2003-05-25 Ezra Peisach <epeisach@mit.edu>
+
+ * krb5.hin: Sequence number of krb5_replay_data should be unsigned.
+
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (krb5.h): Include krb524_err.h.
+ (krb524_err.h): Depend on rebuild-error-tables like krb5_err.h and
+ friends. Add a null command to cause make to recheck the
+ timestamp on the files possibly updated.
+ (clean-unix): Get rid of it.
+ * k5-int.h (KRb5INT_ACCESS_STRUCT_VERSION): Update to 7.
+ (struct ktext) [!defined(ANAME_SZ)]: Declare forward.
+ (krb5int_access): Delete krb5_locate_kdc, krb5_locate_server,
+ krb5_max_dgram_size and timeout fields. Add krb_life_to_time,
+ krb_time_to_life, and krb524_encode_v4tkt function pointer
+ fields. Reorder fields, and add comments.
+ (krb5int_krb_life_to_time, krb5int_krb_time_to_life,
+ krb5int_encode_v4tkt, krb5int_524_sendto_kdc): Declare.
+ * krb5.hin (KRB524_SERVICE, KRB524_PORT): New macros.
+ (struct credentials): Declare forward.
+ (krb524_convert_creds_kdc): Declare.
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * k5-int.h: Add prototype for krb5int_auth_con_chkseqnum.
+
+ * krb5.hin: Default KRB5_DEPRECATED to 0. Default KRB5_PRIVATE to
+ 0 on all platforms.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: krb5int_populate_gic_opt returns void
+
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Prototype krb5int_populate_gic_opt
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * k5-int.h: Sequence numbers are now unsigned.
+
+ * krb5.hin: Sequence numbers are now unsigned.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (KRB5_KPASSWD_ACCESSDENIED): New macro.
+ (KRB5_KPASSWD_BAD_VERSION, KRB5_KPASSWD_INITIAL_FLAG_NEEDED): New
+ macros.
+
+2003-05-13 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Add krb5int_copy_data_contents
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * krb5.hin: Add prototype for krb5_c_string_to_key_with_params
+
+ * k5-int.h: Add s2kparams to krb5_gic_get_as_key_fct
+
+2003-05-07 Sam Hartman <hartmans@mit.edu>
+
+ * krb5.hin: Add KRB5_PADATA_ETYPE_INFO2
+
+2003-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct _krb5_context): New fields conf_tgs_ktypes,
+ conf_tgs_ktypes_count, use_conf_ktypes.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * krb5.hin: Add krb5_auth_con_getsendsubkey,
+ krb5_auth_con_getrecvsubkey, krb5_auth_con_setsendsubkey,
+ krb5_auth_con_setrecvsubkey. Mark krb5_auth_con_getlocalsubkey
+ and krb5_auth_con_getremotesubkey as deprecated.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Add s2kparams to
+ krb5_etype_info_entry
+ Add encode_etype_info2 and decode_etype_info2
+
+2003-05-02 Ken Raeburn <raeburn@mit.edu>
+
+ * port-sockets.h (inet_ntop) [!_WIN32 && !HAVE_MACSOCK_H]: Define
+ as a macro if not provided by the OS.
+
+2003-04-17 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Add encode_krb5_setpw_req
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * krb5.hin: Add krb5_set_password
+ Move krb5*_chpw internals to k5int.h
+
+ * k5-int.h: Add prototypes for set-password helper functions
+
+2003-04-07 Ken Raeburn <raeburn@mit.edu>
+
+ * fake-addrinfo.h (getaddrinfo) [NUMERIC_SERVICE_BROKEN]:
+ Overwrite the port number only if a numeric service port was
+ supplied.
+
+2003-04-01 Ken Raeburn <raeburn@mit.edu>
+
+ * fake-addrinfo.h (COPY_FIRST_CANONNAME) [_AIX]: Define.
+ (GET_HOST_BY_NAME) [_AIX]: New version for AIX version of
+ gethostbyname_r.
+ (getaddrinfo) [NUMERIC_SERVICE_BROKEN]: Use "discard" as a dummy
+ service name instead of none at all. Don't check for unsigned
+ value less than zero.
+ (getaddrinfo) [COPY_FIRST_CANONNAME]: Set any ai_canonname fields
+ other than the first one to null.
+
+2003-03-18 Alexandra Ellwood <lxs@mit.edu>
+
+ * configure.in: Use KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9
+ and higher. When bind 9 is present, BIND_8_COMPAT needs to be
+ defined to get bind 8 types.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* krb5.h: Removed enumsalwaysint because there are no typed
cd $(srcdir) && $(AUTOHEADER) --localdir=$(CONFIG_RELTOPDIR) $(AUTOHEADERFLAGS)
touch $(srcdir)/krb5/autoconf.stmp
-krb5.h: krb5/autoconf.h $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h \
+krb5.h: krb5/autoconf.h $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h krb524_err.h \
asn1_err.h
echo "/* This file is generated, please don't edit it directly. */" > krb5.h
grep SIZEOF krb5/autoconf.h >> krb5.h
- cat $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h \
+ cat $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h krb524_err.h \
asn1_err.h >> krb5.h
#
# Build the error table include files:
-# asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h
+# asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h
-asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h: rebuild-error-tables
+asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h: rebuild-error-tables
+ : $@
rebuild-error-tables:
(cd ../lib/krb5/error_tables && $(MAKE) includes)
kdb5_err.h: $(SRCTOP)/lib/krb5/error_tables/kdb5_err.et
krb5_err.h: $(SRCTOP)/lib/krb5/error_tables/krb5_err.et
kv5m_err.h: $(SRCTOP)/lib/krb5/error_tables/kv5m_err.et
+krb524_err.h: $(SRCTOP)/lib/krb5/error_tables/krb524_err.et
clean-unix::
- $(RM) krb5.h krb5_err.h kdb5_err.h kv5m_err.h \
+ $(RM) krb5.h krb5_err.h kdb5_err.h kv5m_err.h krb524_err.h \
asn1_err.h
clean-mac::
fi
dnl
dnl
+KRB5_AC_NEED_BIND_8_COMPAT
+dnl
+dnl
AC_ARG_ENABLE([athena],
[ --enable-athena build with MIT Project Athena configuration],
AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),)
#include "socket-utils.h"
#ifdef S_SPLINT_S
+/*@-incondefs@*/
extern int
getaddrinfo (/*@in@*/ /*@null@*/ const char *,
/*@in@*/ /*@null@*/ const char *,
/*@requires (maxSet(h)+1) >= hsz /\ (maxSet(s)+1) >= ssz @*/
/* too hard: maxRead(addr) >= (addrsz-1) */
/*@modifies *h, *s@*/;
-extern /*@dependent@*/ char *
-gai_strerror (int code) /*@*/;
+extern /*@dependent@*/ char *gai_strerror (int code) /*@*/;
+/*@=incondefs@*/
#endif
+#if defined (__APPLE__) && defined (__MACH__)
+#undef HAVE_GETADDRINFO
+#endif
+
#if defined (__linux__) || defined (_AIX)
/* See comments below. */
# define WRAP_GETADDRINFO
#ifdef _AIX
# define NUMERIC_SERVICE_BROKEN
+# define COPY_FIRST_CANONNAME
#endif
#define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \
{ (HP) = gethostbyaddr ((ADDR), (ADDRLEN), (FAMILY)); (ERR) = h_errno; }
#else
+#ifdef _AIX /* XXX should have a feature test! */
+#define GET_HOST_BY_NAME(NAME, HP, ERR) \
+ { \
+ struct hostent my_h_ent; \
+ struct hostent_data my_h_ent_data; \
+ (HP) = (gethostbyname_r((NAME), &my_h_ent, &my_h_ent_data) \
+ ? 0 \
+ : &my_h_ent); \
+ (ERR) = h_errno; \
+ }
+/*
+#define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \
+ { \
+ struct hostent my_h_ent; \
+ struct hostent_data my_h_ent_data; \
+ (HP) = (gethostbyaddr_r((ADDR), (ADDRLEN), (FAMILY), &my_h_ent, \
+ &my_h_ent_data) \
+ ? 0 \
+ : &my_h_ent); \
+ (ERR) = my_h_err; \
+ }
+*/
+#else
#ifdef GETHOSTBYNAME_R_RETURNS_INT
#define GET_HOST_BY_NAME(NAME, HP, ERR) \
{ \
my_h_buf, sizeof (my_h_buf), &my_h_err); \
(ERR) = my_h_err; \
}
-#endif
+#endif /* returns int? */
+#endif /* _AIX */
#endif
/* Now do the same for getservby* functions. */
/* AIX 4.3.3 is broken. (Or perhaps out of date?)
If a numeric service is provided, and it doesn't correspond to
- a known service name, an error code (for "host not found") is
- returned. If the port maps to a known service, all is
- well. */
+ a known service name for tcp or udp (as appropriate), an error
+ code (for "host not found") is returned. If the port maps to a
+ known service for both udp and tcp, all is well. */
if (serv && serv[0] && isdigit(serv[0])) {
unsigned long lport;
char *end;
lport = strtoul(serv, &end, 10);
if (!*end) {
- if (lport < 0 || lport > 65535)
+ if (lport > 65535)
return EAI_SOCKTYPE;
service_is_numeric = 1;
service_port = htons(lport);
- serv = 0;
+ serv = "discard"; /* defined for both udp and tcp */
if (hint)
socket_type = hint->ai_socktype;
}
approach: If getaddrinfo sets ai_canonname, we'll replace the
*first* one with allocated storage, and free up that pointer in
freeaddrinfo if it's set; the other ai_canonname fields will be
- left untouched.
+ left untouched. And we'll just pray that the application code
+ won't mess around with the list structure; if we start doing
+ that, we'll have to start replacing and freeing all of the
+ ai_canonname fields.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=133668 .
#endif
return EAI_MEMORY;
}
+ /* Zap the remaining ai_canonname fields glibc fills in, in
+ case the application messes around with the list
+ structure. */
+ while ((ai = ai->ai_next) != NULL)
+ ai->ai_canonname = 0;
}
#endif
#ifdef NUMERIC_SERVICE_BROKEN
- for (ai = *result; ai; ai = ai->ai_next) {
- if (socket_type != 0 && ai->ai_socktype == 0)
- ai->ai_socktype = socket_type;
- switch (ai->ai_family) {
- case AF_INET:
- ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port;
- break;
- case AF_INET6:
- ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port;
- break;
+ if (service_port != 0) {
+ for (ai = *result; ai; ai = ai->ai_next) {
+ if (socket_type != 0 && ai->ai_socktype == 0)
+ /* Is this check actually needed? */
+ ai->ai_socktype = socket_type;
+ switch (ai->ai_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port;
+ break;
+ case AF_INET6:
+ ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port;
+ break;
+ }
}
}
#endif
/*
- * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001 by the Massachusetts Institute of Technology,
+ * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003 by the Massachusetts Institute of Technology,
* Cambridge, MA, USA. All Rights Reserved.
*
* This software is being provided to you, the LICENSEE, by the
* A null-terminated array of this structure is returned by the KDC as
* the data part of the ETYPE_INFO preauth type. It informs the
* client which encryption types are supported.
+ * The same data structure is used by both etype-info and etype-info2
+ * but s2kparams must be null when encoding etype-info.
*/
typedef struct _krb5_etype_info_entry {
krb5_magic magic;
krb5_enctype etype;
unsigned int length;
krb5_octet *salt;
+ krb5_data s2kparams;
} krb5_etype_info_entry;
/*
kind of messy, but so is the krb5 api. */
const struct krb5_keyhash_provider *keyhash;
const struct krb5_hash_provider *hash;
+ /* This just gets uglier and uglier. In the key derivation case,
+ we produce an hmac. To make the hmac code work, we can't hack
+ the output size indicated by the hash provider, but we may want
+ a truncated hmac. If we want truncation, this is the number of
+ bytes we truncate to; it should be 0 otherwise. */
+ unsigned int trunc_size;
};
#define KRB5_CKSUMFLAG_DERIVE 0x0001
/*
* End "preauth.h"
*/
+krb5_error_code
+krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
typedef krb5_error_code (*krb5_gic_get_as_key_fct)
(krb5_context,
krb5_prompter_fct,
void *prompter_data,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_keyblock *as_key,
void *gak_data);
int master,
krb5_kdc_rep **as_reply);
+void krb5int_populate_gic_opt (
+ krb5_context, krb5_get_init_creds_opt *,
+ krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types);
+
krb5_error_code krb5_do_preauth
(krb5_context, krb5_kdc_req *,
krb5_pa_data **, krb5_pa_data ***,
- krb5_data *, krb5_enctype *,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *,
krb5_keyblock *,
krb5_prompter_fct, void *,
krb5_gic_get_as_key_fct, void *);
absolute limit on the UDP packet size. */
int udp_pref_limit;
+ /* This is the tgs_ktypes list as read from the profile, or
+ set to compiled-in defaults. The application code cannot
+ override it. This is used for session keys for
+ intermediate ticket-granting tickets used to acquire the
+ requested ticket (the session key of which may be
+ constrained by tgs_ktypes above). */
+ krb5_enctype *conf_tgs_ktypes;
+ int conf_tgs_ktypes_count;
+ /* Use the _configured version? */
+ krb5_boolean use_conf_ktypes;
+
#ifdef KRB5_DNS_LOOKUP
krb5_boolean profile_in_memory;
#endif /* KRB5_DNS_LOOKUP */
krb5_timestamp timestamp; /* client time, optional */
krb5_int32 usec; /* microsecond portion of time,
optional */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
krb5_address *s_address; /* sender address */
krb5_address *r_address; /* recipient address, optional */
krb5_checksum *checksum; /* data integrity checksum */
krb5_data user_data; /* user data */
krb5_timestamp timestamp; /* client time, optional */
krb5_int32 usec; /* microsecond portion of time, opt. */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
krb5_address *s_address; /* sender address */
krb5_address *r_address; /* recipient address, optional */
} krb5_priv_enc_part;
krb5_error_code encode_krb5_etype_info
(const krb5_etype_info_entry **, krb5_data **code);
+krb5_error_code encode_krb5_etype_info2
+ (const krb5_etype_info_entry **, krb5_data **code);
krb5_error_code encode_krb5_enc_data
(const krb5_enc_data *, krb5_data **);
krb5_error_code encode_krb5_predicted_sam_response
(const krb5_predicted_sam_response * , krb5_data **);
+krb5_error_code encode_krb5_setpw_req
+(const krb5_principal target, char *password, krb5_data **code);
+
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
krb5_error_code decode_krb5_etype_info
(const krb5_data *output, krb5_etype_info_entry ***rep);
+krb5_error_code decode_krb5_etype_info2
+ (const krb5_data *output, krb5_etype_info_entry ***rep);
+
krb5_error_code decode_krb5_enc_data
(const krb5_data *output, krb5_enc_data **rep);
krb5_error_code krb5_validate_times
(krb5_context,
krb5_ticket_times *);
+krb5_boolean krb5int_auth_con_chkseqnum
+ (krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
/*
* [De]Serialization Handle and operations.
*/
void krb5int_set_prompt_types
(krb5_context, krb5_prompt_type *);
-
+/* set and change password helpers */
+
+krb5_error_code krb5int_mk_chpw_req
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *ap_req, char *passwd, krb5_data *packet);
+krb5_error_code krb5int_rd_chpw_rep
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *packet, int *result_code,
+ krb5_data *result_data);
+krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
+ (krb5_context context, int result_code,
+ char **result_codestr);
+krb5_error_code krb5int_mk_setpw_req
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
+krb5_error_code krb5int_rd_setpw_rep
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *packet, int *result_code,
+ krb5_data *result_data);
+krb5_error_code krb5int_setpw_result_code_string
+ (krb5_context context, int result_code,
+ const char **result_codestr);
+
+struct srv_dns_entry {
+ struct srv_dns_entry *next;
+ int priority;
+ int weight;
+ unsigned short port;
+ char *host;
+};
+krb5_error_code
+krb5int_make_srv_query_realm(const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers);
+void krb5int_free_srv_dns_data(struct srv_dns_entry *);
#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
#pragma import reset
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 6
+#define KRB5INT_ACCESS_STRUCT_VERSION 7
+#ifndef ANAME_SZ
+struct ktext; /* from krb.h, for krb524 support */
+#endif
typedef struct _krb5int_access {
- krb5_error_code (*krb5_locate_kdc) (krb5_context, const krb5_data *,
- struct addrlist *, int, int, int);
- krb5_error_code (*krb5_locate_server) (krb5_context, const krb5_data *,
- struct addrlist *, int,
- const char *, const char *,
- int, int, int, int);
- void (*free_addrlist) (struct addrlist *);
- unsigned int krb5_max_skdc_timeout;
- unsigned int krb5_skdc_timeout_shift;
- unsigned int krb5_skdc_timeout_1;
- unsigned int krb5_max_dgram_size;
+ /* crypto stuff */
const struct krb5_hash_provider *md5_hash_provider;
const struct krb5_enc_provider *arcfour_enc_provider;
krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
const krb5_keyblock *key,
unsigned int icount, const krb5_data *input,
krb5_data *output);
+ /* service location and communication */
+ krb5_error_code (*locate_server) (krb5_context, const krb5_data *,
+ struct addrlist *, int,
+ const char *, const char *,
+ int, int, int, int);
krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
const struct addrlist *, krb5_data *reply,
struct sockaddr *, socklen_t *);
const char *hostname,
int port, int secport,
int socktype, int family);
+ void (*free_addrlist) (struct addrlist *);
+
+ krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers);
+ void (*free_srv_dns_data)(struct srv_dns_entry *);
+
+ /* krb4 compatibility stuff -- may be null if not enabled */
+ krb5_int32 (*krb_life_to_time)(krb5_int32, int);
+ int (*krb_time_to_life)(krb5_int32, krb5_int32);
+ int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
} krb5int_access;
#define KRB5INT_ACCESS_VERSION \
krb5_error_code KRB5_CALLCONV krb5int_accessor
(krb5int_access*, krb5_int32);
+/* Ick -- some krb524 and krb4 support placed in the krb5 library,
+ because AFS (and potentially other applications?) use the krb4
+ object as an opaque token, which (in some implementations) is not
+ in fact a krb4 ticket, so we don't want to drag in the krb4 support
+ just to enable this. */
+
+#define KRB524_SERVICE "krb524"
+#define KRB524_PORT 4444
+
+/* v4lifetime.c */
+extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
+extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
+
+/* conv_creds.c */
+int krb5int_encode_v4tkt
+ (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
+
+/* send524.c */
+int krb5int_524_sendto_kdc
+ (krb5_context context, const krb5_data * message,
+ const krb5_data * realm, krb5_data * reply,
+ struct sockaddr *, socklen_t *);
+
/* temporary -- this should be under lib/krb5/ccache somewhere */
struct _krb5_ccache {
#ifndef KRB5_GENERAL__
#define KRB5_GENERAL__
+/* By default, do not expose deprecated interfaces. */
#ifndef KRB5_DEPRECATED
-#define KRB5_DEPRECATED 1 /* Expose deprecated things for now. */
+#define KRB5_DEPRECATED 0
+#endif
+/* Do not expose private interfaces. Build system will override. */
+#ifndef KRB5_PRIVATE
+#define KRB5_PRIVATE 0
#endif
#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
# if TARGET_RT_MAC_CFM
# error "Use KfM 4.0 SDK headers for CFM compilation."
# endif
-
-# ifndef KRB5_PRIVATE /* Allow e.g. build system to override */
-# define KRB5_PRIVATE 0
-# endif
-#else
-#if defined(_WIN32)
-# ifndef KRB5_PRIVATE
-# define KRB5_PRIVATE 0
-# endif
-#else
-# ifndef KRB5_PRIVATE
-# define KRB5_PRIVATE 1
-# endif
-#endif
#endif
#if defined(_MSDOS) || defined(_WIN32)
(krb5_context context, krb5_enctype enctype,
const krb5_data *string, const krb5_data *salt,
krb5_keyblock *key);
+krb5_error_code KRB5_CALLCONV
+krb5_c_string_to_key_with_params(krb5_context context,
+ krb5_enctype enctype,
+ const krb5_data *string,
+ const krb5_data *salt,
+ const krb5_data *params,
+ krb5_keyblock *key);
krb5_error_code KRB5_CALLCONV
krb5_c_enctype_compare
#define KRB5_PADATA_SAM_RESPONSE 13 /* draft challenge system response */
#define KRB5_PADATA_PK_AS_REQ 14 /* PKINIT */
#define KRB5_PADATA_PK_AS_REP 15 /* PKINIT */
-
+#define KRB5_PADATA_ETYPE_INFO2 19
#define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */
#define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_AUTHERROR 3
#define KRB5_KPASSWD_SOFTERROR 4
+/* These are Microsoft's extensions in RFC 3244, and it looks like
+ they'll become standardized, possibly with other additions. */
+#define KRB5_KPASSWD_ACCESSDENIED 5 /* unused */
+#define KRB5_KPASSWD_BAD_VERSION 6
+#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 /* unused */
/*
* end "proto.h"
krb5_int32 cusec; /* client usec portion */
krb5_timestamp ctime; /* client sec portion */
krb5_keyblock *subkey; /* true session key, optional */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
krb5_authdata **authorization_data; /* New add by Ari, auth data */
} krb5_authenticator;
krb5_timestamp ctime; /* client time, seconds portion */
krb5_int32 cusec; /* client time, microseconds portion */
krb5_keyblock *subkey; /* true session key, optional */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
} krb5_ap_rep_enc_part;
typedef struct _krb5_response {
typedef struct krb5_replay_data {
krb5_timestamp timestamp;
krb5_int32 usec;
- krb5_int32 seq;
+ krb5_ui_4 seq;
} krb5_replay_data;
/* flags for krb5_auth_con_genaddrs() */
(krb5_context,
krb5_const_principal,
krb5_enctype **);
+#endif
-krb5_error_code krb5_get_permitted_enctypes
+krb5_error_code KRB5_CALLCONV krb5_get_permitted_enctypes
(krb5_context, krb5_enctype **);
+
+#if KRB5_PRIVATE
void KRB5_CALLCONV krb5_free_ktypes
(krb5_context, krb5_enctype *);
const krb5_keyblock *, krb5_keyblock **);
krb5_error_code krb5_generate_seq_number
(krb5_context,
- const krb5_keyblock *, krb5_int32 *);
+ const krb5_keyblock *, krb5_ui_4 *);
#endif
krb5_error_code KRB5_CALLCONV krb5_get_server_rcache
(krb5_context,
(krb5_context context, krb5_const_principal princ,
char *name, char *inst, char *realm);
-#if KRB5_PRIVATE
-krb5_error_code KRB5_CALLCONV krb5_mk_chpw_req
- (krb5_context context, krb5_auth_context auth_context,
- krb5_data *ap_req, char *passwd, krb5_data *packet);
-krb5_error_code KRB5_CALLCONV krb5_rd_chpw_rep
- (krb5_context context, krb5_auth_context auth_context,
- krb5_data *packet, int *result_code,
- krb5_data *result_data);
-krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
- (krb5_context context, int result_code,
- char **result_codestr);
+struct credentials;
+int KRB5_CALLCONV krb5_524_convert_creds
+ (krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds);
+#if KRB5_DEPRECATED
+#define krb524_convert_creds_kdc krb5_524_convert_creds
+#define krb524_init_ets(x) (0)
#endif
/* libkt.spec */
(krb5_context,
krb5_keytab,
krb5_keytab_entry * );
-#if KRB5_PRIVATE
krb5_error_code krb5_principal2salt
(krb5_context,
krb5_const_principal, krb5_data *);
+#if KRB5_PRIVATE
krb5_error_code krb5_principal2salt_norealm
(krb5_context,
krb5_const_principal, krb5_data *);
(krb5_context context, krb5_creds *creds, char *newpw,
int *result_code, krb5_data *result_code_string,
krb5_data *result_string);
+krb5_error_code KRB5_CALLCONV
+krb5_set_password
+ (krb5_context context, krb5_creds *creds, char *newpw, krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string);
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache
+ (krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string);
#if KRB5_PRIVATE
#ifndef macintosh
krb5_auth_context,
krb5_keyblock **);
+krb5_error_code KRB5_CALLCONV krb5_auth_con_getsendsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock **);
+
+krb5_error_code KRB5_CALLCONV krb5_auth_con_getrecvsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock **);
+
+krb5_error_code KRB5_CALLCONV krb5_auth_con_setsendsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock *);
+
+krb5_error_code KRB5_CALLCONV krb5_auth_con_setrecvsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock *);
+
+#if KRB5_DEPRECATED
krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey
(krb5_context,
krb5_auth_context,
krb5_keyblock **);
+krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey
+ (krb5_context,
+ krb5_auth_context,
+ krb5_keyblock **);
+#endif
+
#if KRB5_PRIVATE
krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype
(krb5_context,
krb5_auth_context,
krb5_authenticator **);
-krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey
- (krb5_context,
- krb5_auth_context,
- krb5_keyblock **);
-
#define KRB5_REALM_BRANCH_CHAR '.'
/*
krb5_const_principal,
int,
char * );
-#if KRB5_PRIVATE
krb5_error_code KRB5_CALLCONV krb5_get_host_realm
(krb5_context,
const char *,
krb5_error_code KRB5_CALLCONV krb5_free_host_realm
(krb5_context,
char * const * );
+#if KRB5_PRIVATE
krb5_error_code KRB5_CALLCONV krb5_get_realm_domain
(krb5_context,
const char *,
krb5_address *,
krb5_address *,
krb5_address *);
+#endif
-krb5_error_code krb5_set_real_time
+krb5_error_code KRB5_CALLCONV krb5_set_real_time
(krb5_context, krb5_int32, krb5_int32);
+
+#if KRB5_PRIVATE
krb5_error_code krb5_set_debugging_time
(krb5_context, krb5_int32, krb5_int32);
krb5_error_code krb5_use_natural_time
+2003-05-25 Ezra Peisach <epeisach@mit.edu>
+
+ * kdb.h: Add prototype for krb5_db_iterate_ext.
+
2003-03-05 Tom Yu <tlyu@mit.edu>
* kdb_kt.h: Add krb5_ktkdb_set_context. Update prototype of
krb5_error_code (* ) (krb5_pointer,
krb5_db_entry *),
krb5_pointer);
+krb5_error_code krb5_db_iterate_ext (krb5_context,
+ krb5_error_code (* ) (krb5_pointer,
+ krb5_db_entry *),
+ krb5_pointer, int, int);
krb5_error_code krb5_db_verify_master_key (krb5_context, krb5_principal,
krb5_keyblock *);
krb5_error_code krb5_db_store_mkey (krb5_context, char *, krb5_principal,
+2003-05-29 Ken Raeburn <raeburn@mit.edu>
+
+ * osconf.h (DEFAULT_KDC_ENCTYPE): Default to des3 now.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* osconf.h: Added DEFAULT_SECURE_PROFILE_PATH so that KfM will only
#define DEFAULT_KDC_PROFILE "@LOCALSTATEDIR/krb5kdc/kdc.conf"
#define KDC_PROFILE_ENV "KRB5_KDC_PROFILE"
-#define DEFAULT_KDC_ENCTYPE ENCTYPE_DES_CBC_CRC
+#define DEFAULT_KDC_ENCTYPE ENCTYPE_DES3_CBC_SHA1
#define KDCRCACHE "dfl:krb5kdc_rcache"
#define KDC_PORTNAME "kerberos" /* for /etc/services or equiv. */
#define SHUTDOWN_WRITE 1
#define SHUTDOWN_BOTH 2
+#ifndef HAVE_INET_NTOP
+#define inet_ntop(AF,SRC,DST,CNT) \
+ ((AF) == AF_INET \
+ ? ((CNT) < 16 \
+ ? (SOCKET_SET_ERRNO(ENOSPC), NULL) \
+ : (sprintf((DST), "%d.%d.%d.%d", \
+ ((const unsigned char *)(const void *)(SRC))[0] & 0xff, \
+ ((const unsigned char *)(const void *)(SRC))[1] & 0xff, \
+ ((const unsigned char *)(const void *)(SRC))[2] & 0xff, \
+ ((const unsigned char *)(const void *)(SRC))[3] & 0xff), \
+ (DST))) \
+ : (SOCKET_SET_ERRNO(EAFNOSUPPORT), NULL))
+#define HAVE_INET_NTOP
+#endif
+
#endif /* HAVE_MACSOCK_H */
#endif /* _WIN32 */
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * kadmin.c (kadmin_startup): Don't register writable keytabs as this is always done by the library now.
+
2003-02-07 Tom Yu <tlyu@mit.edu>
* Makefile.in (install): Fix typo in k5srvutil.M install rule.
int argc;
char *argv[];
{
- extern krb5_kt_ops krb5_ktf_writable_ops;
extern char *optarg;
char *princstr = NULL, *keytab_name = NULL, *query = NULL;
char *password = NULL;
}
/* register the WRFILE keytab type and set it as the default */
- if ((retval = krb5_kt_register(context, &krb5_ktf_writable_ops))) {
- com_err(whoami, retval,
- "while registering writable key table functions");
- exit(1);
- }
{
#define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab"
/* XXX krb5_defkeyname is an internal library global and
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * kdb5_destroy.c, kdb5_stash.c: Don't declare errno.
+
2003-01-07 Ken Raeburn <raeburn@mit.edu>
* Makefile.ov: Deleted.
#include <kadm5/adb.h>
#include "kdb5_util.h"
-extern int errno;
extern int exit_status;
extern krb5_boolean dbactive;
extern kadm5_config_params global_params;
#include <stdio.h>
#include "kdb5_util.h"
-extern int errno;
-
extern krb5_keyblock master_keyblock;
extern krb5_principal master_princ;
extern kadm5_config_params global_params;
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * ktutil.c (main): Don't register writable keytab ops as they are
+ registered by the library now
+
2002-11-05 Tom Yu <tlyu@mit.edu>
* ktutil_funcs.c (ktutil_add): Remove trailing colon, as new
#
$(OUTPRE)ktutil.$(OBJEXT): ktutil.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h ktutil.h $(SRCTOP)/include/krb5/adm_proto.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h ktutil.h $(SRCTOP)/include/krb5/adm_proto.h \
$(SS_DEPS)
$(OUTPRE)ktutil_ct.$(OBJEXT): ktutil_ct.c $(SS_DEPS) \
$(COM_ERR_DEPS)
$(OUTPRE)ktutil_funcs.$(OBJEXT): ktutil_funcs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h ktutil.h $(SRCTOP)/include/kerberosIV/krb.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h ktutil.h $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP)
char *argv[];
{
krb5_error_code retval;
- extern krb5_kt_ops krb5_ktf_writable_ops;
int sci_idx;
retval = krb5_init_context(&kcontext);
com_err(argv[0], retval, "while initializing krb5");
exit(1);
}
- retval = krb5_kt_register(kcontext, &krb5_ktf_writable_ops);
- if (retval) {
- com_err(argv[0], retval,
- "while registering writable key table functions");
- exit(1);
- }
sci_idx = ss_create_invocation("ktutil", "5.0", (char *)NULL,
&ktutil_cmds, &retval);
if (retval) {
+2003-05-27 Tom Yu <tlyu@mit.edu>
+
+ * schpw.c (process_chpw_request): Log chpw requests.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * schpw.c (process_chpw_request): Return KRB5_KPASSWD_BAD_VERSION
+ if the version number isn't 1.
+
2003-03-07 Tom Yu <tlyu@mit.edu>
* ovsec_kadmd.c (REQUIRED_PARAMS): Remove
#define NEED_SOCKETS
#include "k5-int.h"
#include <kadm5/admin.h>
-
+#include <syslog.h>
+#include <krb5/adm_proto.h> /* krb5_klog_syslog */
#include <stdio.h>
#include <errno.h>
krb5_error krberror;
int numresult;
char strresult[1024];
+ char *clientstr;
ret = 0;
rep->length = 0;
if (vno != 1) {
ret = KRB5KDC_ERR_BAD_PVNO;
- numresult = KRB5_KPASSWD_MALFORMED;
+ numresult = KRB5_KPASSWD_BAD_VERSION;
sprintf(strresult,
"Request contained unknown protocol version number %d", vno);
goto chpwfail;
goto chpwfail;
}
+ ret = krb5_unparse_name(context, ticket->enc_part2->client, &clientstr);
+ if (ret) {
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strcpy(strresult, "Failed unparsing client name for log");
+ goto chpwfail;
+ }
/* change the password */
ptr = (char *) malloc(clear.length+1);
free(ptr);
clear.length = 0;
+ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
+ inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
+ clientstr, ret ? error_message(ret) : "success");
+ krb5_free_unparsed_name(context, clientstr);
+
if (ret) {
if ((ret != KADM5_PASS_Q_TOOSHORT) &&
(ret != KADM5_PASS_REUSE) && (ret != KADM5_PASS_Q_CLASS) &&
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h tcl_kadm5.h
$(OUTPRE)tcl_kadm5.$(OBJEXT): tcl_kadm5.c $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
tcl_kadm5.h
$(OUTPRE)test.$(OBJEXT): test.c tcl_kadm5.h
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h $(SRCTOP)/include/krb5/adm_proto.h \
kadm5_defs.h
$(OUTPRE)srv_net.$(OBJEXT): srv_net.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h
$(OUTPRE)proto_serv.$(OBJEXT): proto_serv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h \
$(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)adm_rw.$(OBJEXT): adm_rw.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm_proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)kpasswd.$(OBJEXT): kpasswd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm_defs.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm_defs.h \
$(SRCTOP)/include/krb5/adm.h $(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)adm_conn.$(OBJEXT): adm_conn.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm.h \
$(SRCTOP)/include/krb5/adm_proto.h
+2003-06-03 Tom Yu <tlyu@mit.edu>
+
+ * extern.h (master_princ): Remove realm_mkvno, realm_tgskey,
+ realm_tgskvno, realm_kstypes, realm_nkstypes. They're not needed
+ anymore.
+
+ * main.c (finish_realm): Remove references to realm_kstypes,
+ realm_tgskey.
+ (init_realm): Don't bother with realm_kstypes. Don't bother
+ looking up the master kvno. Don't bother caching the TGS key.
+ None of these were being used.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * main.c (init_realm): Use KRB5_KDB_MAX_RLIFE, not
+ KRB5_KDB_MAX_LIFE, as default for realm's max renewable lifetime.
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (_make_etype_info_entry): Add flag to know if we
+ are producing etype_info2 so we know whether filling in s2kparams
+ is allowed. In the etype_info2 case support afs3 salts.
+ (etype_info_helper): Pass in flag
+ (return_etype_info2): And here
+
+2003-05-23 Ezra Peisach <epeisach@mit.edu>
+
+ * kdc_preauth.c (return_etype_info2): After encoding the
+ etype_info2 and copying the pointers to the pa_data, free the
+ krb5_data pointer.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_util.c (validate_as_request): Only reject options we
+ understand and believe are inappropriate for AS requests. Per
+ spec, unknown options are ignored.
+
+2003-05-14 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (check_padata): Allow bad_integrity to be returned to a client
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (return_pw_salt): Don't return pw-salt if the
+ client's enctype list mandates it supports enctype-info2
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * kdc_util.c (kdc_process_tgs_req): Rename getremotesubkey ->
+ getrecvsubkey.
+
+2003-05-07 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (get_etype_info): Patch from Sun to reorganize
+ code and make sure that even for md5 the database order is
+ preserved.
+ (enctype_requires_etype_info_2): new function; determines wether a
+ particular enctype in a client request means that the client is
+ required to support etype_info2 by Kerberos clarifications.
+ (etype_info_helper): Renamed from get_etype_info to abstract out
+ code in common between etype_info and etype_info2
+ (get_enctype_info): Return etype info only if request contains no
+ enctypes that require etype_info2
+ (return_etype_info2): New function.
+
+2003-04-02 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (get_etype_info): Avoid infinite loop if request
+ does not contain des-cbc-crc and database does
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * do_tgs_req.c (process_tgs_req): Check that principal name
+ component 1 is present before examining it.
+ * kdc_util.c (krb5_is_tgs_principal, validate_tgs_request): Check
+ principal name length before examining components.
+
+2003-03-28 Tom Yu <tlyu@mit.edu>
+
+ * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in
+ case we get NO_MATCHING_KEY later. This allows us to log a more
+ sane error if an incorrect password is used for encrypting the
+ enc-timestamp preauth.
+
+2003-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * main.c (initialize_realms): Add support to call
+ enable_v4_crossrealm if the user wants insecure operation
+
+ * kerberos_v4.c: Add enable_v4_crossrealm. By default krb4
+ cross-realm is not allowed as it is insecure. Also, remove
+ support for generating krb4 tickets encrypted in 3DES as they are
+ insecure.
+
+ * kdc_util.h: Define enable_v4_crossrealm, new function to enable
+ secure krb4 cross-realm authentication
+
2003-03-05 Tom Yu <tlyu@mit.edu>
* main.c (init_realm): Update call to krb5_ktdb_resolve().
$(OUTPRE)kdc5_err.$(OBJEXT): kdc5_err.c $(COM_ERR_DEPS)
$(OUTPRE)dispatch.$(OBJEXT): dispatch.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/syslog.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/syslog.h \
kdc_util.h extern.h $(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)do_as_req.$(OBJEXT): do_as_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/syslog.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/syslog.h \
kdc_util.h policy.h $(SRCTOP)/include/krb5/adm.h $(SRCTOP)/include/krb5/adm_proto.h \
extern.h
$(OUTPRE)do_tgs_req.$(OBJEXT): do_tgs_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/syslog.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/syslog.h \
kdc_util.h policy.h extern.h $(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)kdc_util.$(OBJEXT): kdc_util.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kdc_util.h extern.h $(SRCTOP)/include/syslog.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kdc_util.h extern.h $(SRCTOP)/include/syslog.h \
$(SRCTOP)/include/krb5/adm.h $(SRCTOP)/include/krb5/adm_proto.h
$(OUTPRE)kdc_preauth.$(OBJEXT): kdc_preauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kdc_util.h extern.h $(SRCTOP)/include/krb5/adm_proto.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kdc_util.h extern.h $(SRCTOP)/include/krb5/adm_proto.h \
$(SRCTOP)/include/syslog.h
$(OUTPRE)logger.$(OBJEXT): $(SRCTOP)/lib/kadm5/logger.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/syslog.h
$(OUTPRE)main.$(OBJEXT): main.c $(SRCTOP)/include/syslog.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/krb5/adm.h $(SRCTOP)/include/krb5/adm_proto.h \
kdc_util.h extern.h kdc5_err.h $(SRCTOP)/include/krb5/kdb_kt.h \
$(SRCTOP)/include/kerberosIV/des.h
$(OUTPRE)network.$(OBJEXT): network.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kdc_util.h extern.h kdc5_err.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kdc_util.h extern.h kdc5_err.h \
$(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/syslog.h \
$(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/cm.h \
$(SRCTOP)/include/foreachaddr.c
$(OUTPRE)policy.$(OBJEXT): policy.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kdc_util.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kdc_util.h
$(OUTPRE)extern.$(OBJEXT): extern.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h extern.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h extern.h
$(OUTPRE)replay.$(OBJEXT): replay.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kdc_util.h extern.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kdc_util.h extern.h
$(OUTPRE)kerberos_v4.$(OBJEXT): kerberos_v4.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kdc_util.h $(SRCTOP)/include/krb5/adm_proto.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kdc_util.h $(SRCTOP)/include/krb5/adm_proto.h \
$(SRCTOP)/include/syslog.h $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(SRCTOP)/include/kerberosIV/klog.h $(SRCTOP)/include/kerberosIV/prot.h \
krb5_data *tgs_1 =
krb5_princ_component(kdc_context, tgs_server, 1);
- if (server_1->length != tgs_1->length ||
+ if (!tgs_1 || server_1->length != tgs_1->length ||
memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
krb5_db_free_principal(kdc_context, &server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs);
char * realm_mpname; /* Master principal name for realm */
krb5_principal realm_mprinc; /* Master principal for realm */
krb5_keyblock realm_mkey; /* Master key for this realm */
- krb5_kvno realm_mkvno; /* Master key vno for this realm */
/*
* TGS per-realm data.
*/
krb5_principal realm_tgsprinc; /* TGS principal for this realm */
- krb5_keyblock realm_tgskey; /* TGS' key for this realm */
- krb5_kvno realm_tgskvno; /* TGS' key vno for this realm */
/*
* Other per-realm data.
*/
*/
krb5_deltat realm_maxlife; /* Maximum ticket life for realm */
krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */
- void *realm_kstypes; /* Key/Salts supported for realm */
- krb5_int32 realm_nkstypes; /* Number of key/salts */
krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
} kdc_realm_t;
#define max_renewable_life_for_realm kdc_active_realm->realm_maxrlife
#define master_keyblock kdc_active_realm->realm_mkey
#define master_princ kdc_active_realm->realm_mprinc
-#define tgs_key kdc_active_realm->realm_tgskey
-#define tgs_kvno kdc_active_realm->realm_tgskvno
#define tgs_server_struct *(kdc_active_realm->realm_tgsprinc)
#define tgs_server kdc_active_realm->realm_tgsprinc
#define dbm_db_name kdc_active_realm->realm_dbname
#include "adm_proto.h"
#include <syslog.h>
+#include <assert.h>
+
/* XXX This is ugly and should be in a header file somewhere */
#ifndef KRB5INT_DES_TYPES_DEFINED
#define KRB5INT_DES_TYPES_DEFINED
(krb5_context, krb5_kdc_req *request,
krb5_db_entry *client, krb5_db_entry *server,
krb5_pa_data *data);
+static krb5_error_code
+get_etype_info2(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data);
+static krb5_error_code
+return_etype_info2(krb5_context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa);
+
static krb5_error_code return_pw_salt
(krb5_context, krb5_pa_data * padata,
krb5_db_entry *client,
0,
0
},
+ {
+ "etype-info2",
+ KRB5_PADATA_ETYPE_INFO2,
+ 0,
+ get_etype_info2,
+ 0,
+ return_etype_info2
+ },
{
"pw-salt",
KRB5_PADATA_PW_SALT,
* to return some preauth system errors back to the client.
*/
switch(retval) {
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_SKEW:
return retval;
default:
return (retval);
}
+static krb5_boolean
+enctype_requires_etype_info_2(krb5_enctype enctype)
+{
+ switch(enctype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES3_CBC_SHA1:
+ case ENCTYPE_DES3_CBC_RAW:
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP :
+ case ENCTYPE_LOCAL_DES3_HMAC_SHA1:
+ return 0;
+ default:
+ if (krb5_c_valid_enctype(enctype))
+ return 1;
+ else return 0;
+ }
+}
+
static krb5_boolean
request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
krb5_enctype enctype)
krb5_key_data * client_key;
krb5_int32 start;
krb5_timestamp timenow;
-
+ krb5_error_code decrypt_err;
+
scratch.data = pa->contents;
scratch.length = pa->length;
goto cleanup;
start = 0;
+ decrypt_err = 0;
while (1) {
if ((retval = krb5_dbe_search_enctype(context, client,
&start, enc_data->enctype,
krb5_free_keyblock_contents(context, &key);
if (retval == 0)
break;
+ else
+ decrypt_err = retval;
}
if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
krb5_free_data_contents(context, &enc_ts_data);
if (pa_enc)
free(pa_enc);
+ /*
+ * If we get NO_MATCHING_KEY and decryption previously failed, and
+ * we failed to find any other keys of the correct enctype after
+ * that failed decryption, it probably means that the password was
+ * incorrect.
+ */
+ if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
+ retval = decrypt_err;
return retval;
}
+static krb5_error_code
+_make_etype_info_entry(krb5_context context,
+ krb5_kdc_req *request, krb5_key_data *client_key,
+ krb5_enctype etype, krb5_etype_info_entry **entry,
+ int etype_info2)
+{
+ krb5_data salt;
+ krb5_etype_info_entry * tmp_entry;
+ krb5_error_code retval;
+
+ if ((tmp_entry = malloc(sizeof(krb5_etype_info_entry))) == NULL)
+ return ENOMEM;
+
+ salt.data = 0;
+
+ tmp_entry->magic = KV5M_ETYPE_INFO_ENTRY;
+ tmp_entry->etype = etype;
+ tmp_entry->length = KRB5_ETYPE_NO_SALT;
+ tmp_entry->salt = 0;
+ tmp_entry->s2kparams.data = NULL;
+ tmp_entry->s2kparams.length = 0;
+ retval = get_salt_from_key(context, request->client,
+ client_key, &salt);
+ if (retval)
+ goto fail;
+ if (etype_info2 && client_key->key_data_ver > 1 &&
+ client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_AFS3) {
+ switch (etype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ tmp_entry->s2kparams.data = malloc(1);
+ if (tmp_entry->s2kparams.data == NULL) {
+ retval = ENOMEM;
+ goto fail;
+ }
+ tmp_entry->s2kparams.length = 1;
+ tmp_entry->s2kparams.data[0] = 1;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (salt.length >= 0) {
+ tmp_entry->length = salt.length;
+ tmp_entry->salt = (unsigned char *) salt.data;
+ salt.data = 0;
+ }
+ *entry = tmp_entry;
+ return 0;
+
+fail:
+ if (tmp_entry) {
+ if (tmp_entry->s2kparams.data)
+ free(tmp_entry->s2kparams.data);
+ free(tmp_entry);
+ }
+ if (salt.data)
+ free(salt.data);
+ return retval;
+}
/*
* This function returns the etype information for a particular
* client, to be passed back in the preauth list in the KRB_ERROR
- * message.
+ * message. It supports generating both etype_info and etype_info2
+ * as most of the work is the same.
*/
static krb5_error_code
-get_etype_info(krb5_context context, krb5_kdc_req *request,
+etype_info_helper(krb5_context context, krb5_kdc_req *request,
krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data)
+ krb5_pa_data *pa_data, int etype_info2)
{
krb5_etype_info_entry ** entry = 0;
krb5_key_data *client_key;
krb5_error_code retval;
- krb5_data salt;
krb5_data * scratch;
krb5_enctype db_etype;
int i = 0;
int start = 0;
-
- salt.data = 0;
+ int seen_des = 0;
entry = malloc((client->n_key_data * 2 + 1) * sizeof(krb5_etype_info_entry *));
if (entry == NULL)
if (retval)
goto cleanup;
db_etype = client_key->key_data_type[0];
- if (db_etype == ENCTYPE_DES_CBC_MD4 || db_etype == ENCTYPE_DES_CBC_MD5)
- db_etype = ENCTYPE_DES_CBC_CRC;
+ if (db_etype == ENCTYPE_DES_CBC_MD4)
+ db_etype = ENCTYPE_DES_CBC_MD5;
- while (1) {
- if (!request_contains_enctype(context,
- request, db_etype)) {
- if (db_etype == ENCTYPE_DES_CBC_CRC)
- continue;
- else break;
- }
-
- if ((entry[i] = malloc(sizeof(krb5_etype_info_entry))) == NULL) {
- retval = ENOMEM;
+ if (request_contains_enctype(context, request, db_etype)) {
+ assert(etype_info2 ||
+ !enctype_requires_etype_info_2(db_etype));
+ if ((retval = _make_etype_info_entry(context, request, client_key,
+ db_etype, &entry[i], etype_info2)) != 0) {
goto cleanup;
}
entry[i+1] = 0;
- entry[i]->magic = KV5M_ETYPE_INFO_ENTRY;
- entry[i]->etype = db_etype;
- entry[i]->length = KRB5_ETYPE_NO_SALT;
- entry[i]->salt = 0;
- retval = get_salt_from_key(context, request->client,
- client_key, &salt);
- if (retval)
- goto cleanup;
- if (salt.length >= 0 && salt.length != SALT_TYPE_NO_LENGTH) {
- entry[i]->length = salt.length;
- entry[i]->salt = salt.data;
- salt.data = 0;
- }
i++;
- /*
- * If we have a DES_CRC key, it can also be used as a
- * DES_MD5 key.
- */
- if (db_etype == ENCTYPE_DES_CBC_CRC)
+ }
+
+ /*
+ * If there is a des key in the kdb, try the "similar" enctypes,
+ * avoid duplicate entries.
+ */
+ if (!seen_des) {
+ switch (db_etype) {
+ case ENCTYPE_DES_CBC_MD5:
+ db_etype = ENCTYPE_DES_CBC_CRC;
+ break;
+ case ENCTYPE_DES_CBC_CRC:
db_etype = ENCTYPE_DES_CBC_MD5;
- else
break;
+ default:
+ continue;
+
+ }
+ if (request_contains_enctype(context, request, db_etype)) {
+ if ((retval = _make_etype_info_entry(context, request,
+ client_key, db_etype, &entry[i], etype_info2)) != 0) {
+ goto cleanup;
+ }
+ entry[i+1] = 0;
+ i++;
+ }
+ seen_des++;
}
}
- retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
+ if (etype_info2)
+ retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
+ &scratch);
+ else retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
&scratch);
if (retval)
goto cleanup;
- pa_data->contents = scratch->data;
+ pa_data->contents = (unsigned char *)scratch->data;
pa_data->length = scratch->length;
free(scratch);
cleanup:
if (entry)
krb5_free_etype_info(context, entry);
- if (salt.data)
- free(salt.data);
return retval;
}
+static krb5_error_code
+get_etype_info(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data)
+{
+ int i;
+ for (i=0; i < request->nktypes; i++) {
+ if (enctype_requires_etype_info_2(request->ktype[i]))
+ return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will
+ * skip this
+ * type*/
+ }
+ return etype_info_helper(context, request, client, server, pa_data, 0);
+}
+
+static krb5_error_code
+get_etype_info2(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data)
+{
+ return etype_info_helper( context, request, client, server, pa_data, 1);
+}
+
+static krb5_error_code
+return_etype_info2(krb5_context context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa)
+{
+ krb5_error_code retval;
+ krb5_pa_data *tmp_padata;
+ krb5_etype_info_entry **entry = NULL;
+ krb5_data *scratch = NULL;
+ tmp_padata = malloc( sizeof(krb5_pa_data));
+ if (tmp_padata == NULL)
+ return ENOMEM;
+ tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2;
+ entry = malloc(2 * sizeof(krb5_etype_info_entry *));
+ if (entry == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ entry[0] = NULL;
+ entry[1] = NULL;
+ retval = _make_etype_info_entry(context, request, client_key, client_key->key_data_type[0],
+ entry, 1);
+ if (retval)
+ goto cleanup;
+ retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
+ if (retval)
+ goto cleanup;
+ tmp_padata->contents = scratch->data;
+ tmp_padata->length = scratch->length;
+ *send_pa = tmp_padata;
+
+ /* For cleanup - we no longer own the contents of the krb5_data
+ * only to pointer to the krb5_data
+ */
+ scratch->data = 0;
+
+ cleanup:
+ if (entry)
+ krb5_free_etype_info(context, entry);
+ if (retval) {
+ if (tmp_padata)
+ free(tmp_padata);
+ }
+ if (scratch)
+ krb5_free_data(context, scratch);
+ return retval;
+}
+
+
static krb5_error_code
return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
krb5_db_entry *client, krb5_kdc_req *request,
krb5_pa_data * padata;
krb5_data * scratch;
krb5_data salt_data;
+ int i;
+ for (i = 0; i < request->nktypes; i++) {
+ if (enctype_requires_etype_info_2(request->ktype[i]))
+ return 0;
+ }
if (client_key->key_data_ver == 1 ||
client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)
return 0;
*/
krb5_boolean krb5_is_tgs_principal(krb5_principal principal)
{
- if ((krb5_princ_component(kdc_context, principal, 0)->length ==
+ if ((krb5_princ_size(kdc_context, principal) > 0) &&
+ (krb5_princ_component(kdc_context, principal, 0)->length ==
KRB5_TGS_NAME_SIZE) &&
(!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
goto cleanup_auth_context;
}
- if ((retval = krb5_auth_con_getremotesubkey(kdc_context,
- auth_context, subkey)))
+ if ((retval = krb5_auth_con_getrecvsubkey(kdc_context,
+ auth_context, subkey)))
goto cleanup_auth_context;
if ((retval = krb5_auth_con_getauthenticator(kdc_context, auth_context,
* Returns a Kerberos protocol error number, which is _not_ the same
* as a com_err error number!
*/
-#define AS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | \
- KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \
- KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK)
+#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\
+KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY)
int
validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
krb5_db_entry server, krb5_timestamp kdc_time,
int errcode;
/*
- * If an illegal option is set, complain.
+ * If an option is set that is only allowed in TGS requests, complain.
*/
- if (request->kdc_options & ~(AS_OPTIONS_HANDLED)) {
+ if (request->kdc_options & AS_INVALID_OPTIONS) {
*status = "INVALID AS OPTIONS";
return KDC_ERR_BADOPTION;
}
return KRB_AP_ERR_NOT_US;
}
/* ...and that the second component matches the server realm... */
- if ((krb5_princ_component(kdc_context, ticket->server, 1)->length !=
+ if ((krb5_princ_size(kdc_context, ticket->server) <= 1) ||
+ (krb5_princ_component(kdc_context, ticket->server, 1)->length !=
krb5_princ_realm(kdc_context, request->server)->length) ||
memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data,
krb5_princ_realm(kdc_context, request->server)->data,
const krb5_fulladdr *,
krb5_data **);
void process_v4_mode (const char *, const char *);
+void enable_v4_crossrealm(char *);
#else
#define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION
#endif
void kerberos_v4 (struct sockaddr_in *, KTEXT);
void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
-static int set_tgtkey (char *, krb5_kvno);
+static int set_tgtkey (char *, krb5_kvno, krb5_boolean);
/* Attributes converted from V5 to V4 - internal representation */
#define V4_KDB_REQUIRES_PREAUTH 0x1
static const int v4mode_table_nents = sizeof(v4mode_table)/
sizeof(v4mode_table[0]);
+static int allow_v4_crossrealm = 0;
+
void process_v4_mode(const char *program_name, const char *string)
{
int i, found;
return;
}
+void enable_v4_crossrealm ( char *programname) {
+ allow_v4_crossrealm = 1;
+ krb5_klog_syslog(LOG_ERR, "Enabling v4 cross-realm compatibility; this is a known security hole");
+}
+
krb5_error_code
process_v4(const krb5_data *pkt, const krb5_fulladdr *client_fulladdr,
krb5_data **resp)
/* array of name-components + NULL ptr
*/
+/*
+ * Previously this code returned either a v4 key or a v5 key and you
+ * could tell from the enctype of the v5 key whether the v4 key was
+ * useful. Now we return both keys so the code can try both des3 and
+ * des decryption. We fail if the ticket doesn't have a v4 key.
+ * Also, note as a side effect, the v5 key is basically useless in
+ * the client case. It is still returned so the caller can free it.
+ */
static int
kerb_get_principal(char *name, char *inst, /* could have wild cards */
Principal *principal,
return(0);
}
} else {
- /* XXX yes I know this is a hardcoded search order */
- if (krb5_dbe_find_enctype(kdc_context, &entries,
+ if ( krb5_dbe_find_enctype(kdc_context, &entries,
+ ENCTYPE_DES_CBC_CRC,
+ KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
+ krb5_dbe_find_enctype(kdc_context, &entries,
+ ENCTYPE_DES_CBC_CRC,
+ -1, kvno, &pkey)) {
+ lt = klog(L_KRB_PERR,
+ "KDC V4: failed to find key for %s.%s #%d",
+ name, inst, kvno);
+ krb5_db_free_principal(kdc_context, &entries, nprinc);
+ return(0);
+ }
+ }
+
+ if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
+ memcpy( &principal->key_low, k, LONGLEN);
+ memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
+ }
+ memset(k, 0, sizeof k);
+ if (issrv) {
+ krb5_free_keyblock_contents (kdc_context, k5key);
+ if (krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_RAW,
-1, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
-1, kvno, &pkey)) {
lt = klog(L_KRB_PERR,
- "KDC V4: failed to find key for %s.%s #%d",
+ "KDC V4: failed to find key for %s.%s #%d (after having found it once)",
name, inst, kvno);
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
- }
+ compat_decrypt_key(pkey, k, k5key, issrv);
+ memset (k, 0, sizeof k);
+ }
+
- if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
- memcpy( &principal->key_low, k, LONGLEN);
- memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
- }
/*
* Convert v5's entries struct to v4's Principal struct:
* v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes,
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
/* construct and seal the ticket */
- if (K4KDC_ENCTYPE_OK(k5key.enctype)) {
- krb_create_ticket(tk, k_flags, a_name_data.name,
- a_name_data.instance, local_realm,
- client_host.s_addr, (char *) session_key,
- lifetime, kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- key);
- } else {
- krb_cr_tkt_krb5(tk, k_flags, a_name_data.name,
- a_name_data.instance, local_realm,
- client_host.s_addr, (char *) session_key,
- lifetime, kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- &k5key);
- }
+ /* We always issue des tickets; the 3des tickets are a broken hack*/
+ krb_create_ticket(tk, k_flags, a_name_data.name,
+ a_name_data.instance, local_realm,
+ client_host.s_addr, (char *) session_key,
+ lifetime, kerb_time.tv_sec,
+ s_name_data.name, s_name_data.instance,
+ key);
+
krb5_free_keyblock_contents(kdc_context, &k5key);
memset(key, 0, sizeof(key));
memset(key_s, 0, sizeof(key_s));
strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ);
tktrlm[REALM_SZ-1] = '\0';
kvno = (krb5_kvno)auth->dat[2];
- if (set_tgtkey(tktrlm, kvno)) {
- lt = klog(L_ERR_UNK,
+ if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
+ lt = klog(L_ERR_UNK,
+ "Cross realm ticket from %s denied by policy,", tktrlm);
+ kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ return;
+ }
+ if (set_tgtkey(tktrlm, kvno, 0)) {
+ lt = klog(L_ERR_UNK,
"FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
/* no better error code */
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
+ if (kerno) {
+ if (set_tgtkey(tktrlm, kvno, 1)) {
+ lt = klog(L_ERR_UNK,
+ "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
+ tktrlm, kvno, inet_ntoa(client_host));
+ /* no better error code */
+ kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ return;
+ }
+ kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
+ ad, 0);
+ }
if (kerno) {
klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
des_new_random_key(session_key);
#endif
- if (K4KDC_ENCTYPE_OK(k5key.enctype)) {
- krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
- ad->prealm, client_host.s_addr,
- (char *) session_key, lifetime,
- kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- key);
- } else {
- krb_cr_tkt_krb5(tk, k_flags, ad->pname, ad->pinst,
- ad->prealm, client_host.s_addr,
- (char *) session_key, lifetime,
- kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- &k5key);
- }
+ /* ALways issue des tickets*/
+ krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
+ ad->prealm, client_host.s_addr,
+ (char *) session_key, lifetime,
+ kerb_time.tv_sec,
+ s_name_data.name, s_name_data.instance,
+ key);
krb5_free_keyblock_contents(kdc_context, &k5key);
memset(key, 0, sizeof(key));
memset(key_s, 0, sizeof(key_s));
/* Set the key for krb_rd_req so we can check tgt */
static int
-set_tgtkey(char *r, krb5_kvno kvno)
+set_tgtkey(char *r, krb5_kvno kvno, krb5_boolean use_3des)
{
int n;
static char lastrealm[REALM_SZ] = "";
static int last_kvno = 0;
+ static krb5_boolean last_use_3des = 0;
static int more;
Principal p_st;
Principal *p = &p_st;
krb5_keyblock k5key;
k5key.contents = NULL;
- if (!strcmp(lastrealm, r) && last_kvno == kvno)
+ if (!strcmp(lastrealm, r) && last_kvno == kvno && last_use_3des == use_3des)
return (KSUCCESS);
/* log("Getting key for %s", r); */
return KFAILURE;
}
- if (!K4KDC_ENCTYPE_OK(k5key.enctype)) {
+ if (use_3des&&!K4KDC_ENCTYPE_OK(k5key.enctype)) {
krb_set_key_krb5(kdc_context, &k5key);
strncpy(lastrealm, r, sizeof(lastrealm) - 1);
lastrealm[sizeof(lastrealm) - 1] = '\0';
last_kvno = kvno;
+ last_use_3des = use_3des;
} else {
/* unseal tgt key from master key */
memcpy(key, &p->key_low, 4);
free(rdp->realm_ports);
if (rdp->realm_tcp_ports)
free(rdp->realm_tcp_ports);
- if (rdp->realm_kstypes)
- free(rdp->realm_kstypes);
if (rdp->realm_keytab)
krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_context) {
memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length);
free(rdp->realm_mkey.contents);
}
- if (rdp->realm_tgskey.length && rdp->realm_tgskey.contents) {
- memset(rdp->realm_tgskey.contents, 0, rdp->realm_tgskey.length);
- free(rdp->realm_tgskey.contents);
- }
krb5_db_fini(rdp->realm_context);
if (rdp->realm_tgsprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
{
krb5_error_code kret;
krb5_boolean manual;
- krb5_db_entry db_entry;
- int num2get;
- krb5_boolean more;
krb5_realm_params *rparams;
- krb5_key_data *kdata;
- krb5_key_salt_tuple *kslist;
- krb5_int32 nkslist;
- int i;
memset((char *) rdp, 0, sizeof(kdc_realm_t));
if (!realm) {
/* Handle ticket renewable maximum life */
rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
- rparams->realm_max_rlife : KRB5_KDB_MAX_LIFE;
-
- /* Handle key/salt list */
- if (rparams && rparams->realm_num_keysalts) {
- rdp->realm_kstypes = rparams->realm_keysalts;
- rdp->realm_nkstypes = rparams->realm_num_keysalts;
- rparams->realm_keysalts = NULL;
- rparams->realm_num_keysalts = 0;
- kslist = (krb5_key_salt_tuple *) rdp->realm_kstypes;
- nkslist = rdp->realm_nkstypes;
- } else {
- /*
- * XXX Initialize default key/salt list.
- */
- if ((kslist = (krb5_key_salt_tuple *)
- malloc(sizeof(krb5_key_salt_tuple)))) {
- kslist->ks_enctype = ENCTYPE_DES_CBC_CRC;
- kslist->ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
- rdp->realm_kstypes = kslist;
- rdp->realm_nkstypes = 1;
- nkslist = 1;
- }
- else {
- com_err(progname, ENOMEM,
- "while setting up key/salt list for realm %s",
- realm);
- exit(1);
- }
- }
+ rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
if (rparams)
krb5_free_realm_params(rdp->realm_context, rparams);
goto whoops;
}
- /* Fetch the master key and get its version number */
- num2get = 1;
- kret = krb5_db_get_principal(rdp->realm_context, rdp->realm_mprinc,
- &db_entry, &num2get, &more);
- if (!kret) {
- if (num2get != 1)
- kret = KRB5_KDB_NOMASTERKEY;
- else {
- if (more) {
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
- }
- if (kret) {
- com_err(progname, kret,
- "while fetching master entry for realm %s", realm);
- goto whoops;
- }
-
- /*
- * Get the most recent master key. Search the key list in
- * the order specified by the key/salt list.
- */
- kdata = (krb5_key_data *) NULL;
- for (i=0; i<nkslist; i++) {
- if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
- &db_entry,
- kslist[i].ks_enctype,
- -1,
- -1,
- &kdata)))
- break;
- }
- if (!kdata) {
- com_err(progname, kret,
- "while finding master key for realm %s",
- realm);
- goto whoops;
- }
- rdp->realm_mkvno = kdata->key_data_kvno;
- krb5_db_free_principal(rdp->realm_context, &db_entry, num2get);
-
if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) {
com_err(progname, kret,
"while setting master key for realm %s", realm);
goto whoops;
}
- /* Get the TGS database entry */
- num2get = 1;
- if (!(kret = krb5_db_get_principal(rdp->realm_context,
- rdp->realm_tgsprinc,
- &db_entry,
- &num2get,
- &more))) {
- if (num2get != 1)
- kret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- else {
- if (more) {
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
- }
- if (kret) {
- com_err(progname, kret,
- "while fetching TGS entry for realm %s", realm);
- goto whoops;
- }
- /*
- * Get the most recent TGS key. Search the key list in
- * the order specified by the key/salt list.
- */
- kdata = (krb5_key_data *) NULL;
- for (i=0; i<nkslist; i++) {
- if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
- &db_entry,
- kslist[i].ks_enctype,
- -1,
- -1,
- &kdata)))
- break;
- }
- if (!kdata) {
- com_err(progname, kret, "while finding TGS key for realm %s",
- realm);
- goto whoops;
- }
- if (!(kret = krb5_dbekd_decrypt_key_data(rdp->realm_context,
- &rdp->realm_mkey,
- kdata,
- &rdp->realm_tgskey, NULL))){
- rdp->realm_tgskvno = kdata->key_data_kvno;
- }
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- if (kret) {
- com_err(progname, kret,
- "while decrypting TGS key for realm %s", realm);
- goto whoops;
- }
-
if (!rkey_init_done) {
krb5_data seed;
#ifdef KRB5_KRB4_COMPAT
void
usage(char *name)
{
- fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-n]\n", name);
+ fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-X] [-n]\n", name);
return;
}
* Loop through the option list. Each time we encounter a realm name,
* use the previously scanned options to fill in for defaults.
*/
- while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:3")) != -1) {
+ while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:X3")) != -1) {
switch(c) {
case 'r': /* realm name for db */
if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) {
v4mode = strdup(optarg);
#endif
break;
+ case 'X':
+#ifdef KRB5_KRB4_COMPAT
+ enable_v4_crossrealm(argv[0]);
+#endif
+ break;
case '3':
#ifdef ATHENA_DES3_KLUDGE
if (krb5_enctypes_list[krb5_enctypes_length-1].etype
CC_LINK='@CC_LINK@'
KRB4_LIB=@KRB4_LIB@
DES425_LIB=@DES425_LIB@
+KDB5_DB_LIB=@KDB5_DB_LIB@
LDFLAGS='@LDFLAGS@'
RPATH_FLAG='@RPATH_FLAG@'
-e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
if test $library = 'kdb'; then
- lib_flags="$lib_flags -lkdb5 -ldb"
+ lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
fi
if test $library = 'kadm_server'; then
- lib_flags="$lib_flags -lkadm5srv -lkdb5 -ldb"
+ lib_flags="$lib_flags -lkadm5srv -lkdb5 $KDB5_DB_LIB"
library=kadm_common
fi
ChangeLog
Makefile.in
README
-RELEASE_NOTES
configure
configure.in
cnv_tkt_skey.c
-conv_creds.c
conv_princ.c
conv_tkt.c
-encode.c
-getcred.c
-globals.c
k524init.c
-krb524.h
-krb524_err.et
+krb524d.h
krb524_prot
krb524d.c
-misc.c
-sendmsg.c
test.c
Things-to-lose:
+2003-06-12 Tom Yu <tlyu@mit.edu>
+
+ * krb524.c (krb524_convert_creds_kdc, krb524_init_ets): Mark as
+ KRB5_CALLCONV_WRONG.
+ (krb524_init_ets): Takes a krb5_context.
+
+2003-06-09 Tom Yu <tlyu@mit.edu>
+
+ * krb524.c: Fix copyright notice.
+
+2003-06-05 Jeffery Altman <jaltman@mit.edu>
+
+ * Makefile.in: Build krb524.dll on Windows.
+
+ * krb524.c: New file; stub for Windows krb524.dll.
+
+2003-06-05 Ken Raeburn <raeburn@mit.edu>
+
+ * k524init.c (main): Remove debugging printf.
+
+2003-05-29 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb524d.h: removed invalid Mac pragmas
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * k524init.c (main): Call krb5_524_convert_creds instead of
+ krb524_convert_creds_kdc.
+
+ * Makefile.in ($(OUTPRE)k524init.exe): Don't depend on K524DEP.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c, encode.c, globals.c, sendmsg.c: Deleted. Contents
+ added to krb5 library.
+ * getcred.c, misc.c: Deleted.
+ * krb524.h: Library declarations moved to krb5.hin and k5-int.h.
+ Remainder renamed to krb524d.h.
+ * krb524_err.et: Moved to lib/krb5/error_tables.
+ * cnv_tkt_skey.c: Include krb524d.h, not krb524.h.
+ (krb524d_debug): Define new variable. Replace all references to
+ krb524_debug.
+ * conv_princ.c: Don't include krb524.h.
+ * k524init.c: Don't include krb524.h.
+ (main): Don't call krb524_init_ets.
+ * krb524d.c: Include krb524d.h, not krb524.h.
+ (encode_v4tkt): New function pointer variable.
+ (main): Initialize it using krb5int_accessor.
+ * test.c: Don't include krb524.h.
+ (main): Don't set krb524_debug, and don't call krb524_init_ets.
+ * Makefile.in: Don't pull in library makefile fragments.
+ (LIB, LIBMAJOR, LIBMINOR, RELDIR): Deleted.
+ (KRB524_DEPLIB, KRB524_LIB, STOBJLISTS, STLIBOBJS): Deleted.
+ (GENS, KRB524_HDR, KRB524_ERR_HDR): Deleted.
+ (SRCS): Remove deleted/moved files.
+ (all-unix): Don't depend on $(GENS) on includes.
+ (includes, all-windows): Don't depend on headers.
+ ($(KRB524_HDR), $(KRB524_ERR_HDR)): Delete rules.
+ (all-windows): Comment out dependency on $(K524LIB) for now.
+ (CLIENT_OBJS, SERVER_OBJS): New variables.
+ (krb524test, krb524d, k524init): Don't use KRB524_*LIB, just
+ KRB5_*LIB. Use *_OBJS lists.
+ (install-unix, clean-unix, clean-windows): Don't install or clean
+ libs or headers.
+ (krb524_err.c): Target deleted.
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * krb524d.c (do_connection): Use krb5_princ_size rather than
+ direct structure field access.
+
+2003-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * krb524d.c (handle_classic_v4): Do not support 3des enctypes as
+ they are insecure. Also, by default do not allow krb4
+ cross-realm.
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): Don't support 3des tickets
+
+2003-03-12 Ken Raeburn <raeburn@mit.edu>
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): Extract source IP
+ address in its proper size, not as 'long'.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* cnv_tkt_skey.c, conv_creds.c, conv_princ.c, encode.c, sendmsg.c:
Removed Mac-specific includes.
# PERFORMANCE OF THIS SOFTWARE.
#
-##WIN32##!if 0
-LIB=krb524
-##WIN32##!endif
-LIBMAJOR=1
-LIBMINOR=0
-RELDIR=../krb524
-STOBJLISTS=OBJS.ST
-
DEFINES = -DUSE_MASTER -DKRB524_PRIVATE=1
PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
PROG_RPATH=$(KRB5_LIBDIR)
-KRB524_DEPLIB = libkrb524.a
-KRB524_LIB = libkrb524.a
##WIN32##!ifdef USE_ALTERNATE_KRB4_INCLUDES
##WIN32##KRB4_INCLUDES=-I$(USE_ALTERNATE_KRB4_INCLUDES)
# Library sources
SRCS = \
- $(srcdir)/conv_creds.c \
$(srcdir)/conv_princ.c \
$(srcdir)/cnv_tkt_skey.c \
- $(srcdir)/encode.c \
- $(srcdir)/misc.c \
- $(srcdir)/globals.c \
- $(srcdir)/sendmsg.c \
- $(srcdir)/krb524_err.et \
- $(srcdir)/libinit.c
+ $(srcdir)/libinit.c \
+ $(srcdir)/krb524.c
EXTRADEPSRCS = \
$(srcdir)/test.c \
$(srcdir)/k524init.c \
$(srcdir)/krb524d.c
-STLIBOBJS = \
- $(OUTPRE)conv_creds.$(OBJEXT) \
- $(OUTPRE)conv_princ.$(OBJEXT) \
- $(OUTPRE)cnv_tkt_skey.$(OBJEXT) \
- $(OUTPRE)encode.$(OBJEXT) \
- $(OUTPRE)misc.$(OBJEXT) \
- $(OUTPRE)globals.$(OBJEXT) \
- $(OUTPRE)sendmsg.$(OBJEXT) \
- $(OUTPRE)krb524_err.$(OBJEXT) \
- $(OUTPRE)libinit.$(OBJEXT)
-
##WIN32##!ifdef KRB524_STATIC_HACK
##WIN32##LPREFIX=..\lib
##WIN32##K5_GLUE=$(LPREFIX)\$(OUTPRE)k5_glue.obj
##WIN32##K524DEP=$(STLIBOBJS)
##WIN32##!endif
-GENS = krb524_err.c krb524_err.h
-
-KRB524_HDR=$(BUILDTOP)$(S)include$(S)krb524.h
-KRB524_ERR_HDR=$(BUILDTOP)$(S)include$(S)krb524_err.h
-
-all-unix:: $(GENS)
-all-unix:: all-libs
-all-unix:: includes
-
all-unix:: krb524d krb524test k524init
-includes:: $(KRB524_HDR) $(KRB524_ERR_HDR)
-
-$(KRB524_HDR): krb524.h
-##WIN32## $(CP) $? "$@"
-##WIN32##!if 0
-$(KRB524_HDR): krb524.h
- if cmp $(srcdir)/krb524.h \
- $(BUILDTOP)/include/krb524.h >/dev/null 2>&1; then :; \
- else \
- (set -x; $(RM) $(BUILDTOP)/include/krb524.h; \
- $(CP) $(srcdir)/krb524.h \
- $(BUILDTOP)/include/krb524.h) ; \
- fi
-##WIN32##!endif
-
-$(KRB524_ERR_HDR): krb524_err.h
-##WIN32## $(CP) $? "$@"
-##WIN32##!if 0
-$(KRB524_ERR_HDR): krb524_err.h
- if cmp krb524_err.h \
- $(BUILDTOP)/include/krb524_err.h >/dev/null 2>&1; then :; \
- else \
- (set -x; $(RM) $(BUILDTOP)/include/krb524_err.h; \
- $(CP) krb524_err.h \
- $(BUILDTOP)/include/krb524_err.h) ; \
- fi
-##WIN32##!endif
+all-windows:: $(OUTPRE)k524init.exe $(K524LIB)
-all-windows:: $(KRB524_HDR) $(K524LIB) $(OUTPRE)k524init.exe
+krb524test: test.o $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS)
+ $(CC_LINK) -o krb524test test.o $(KRB5_LIB) $(KRB4COMPAT_LIBS)
-krb524test: libkrb524.a test.o $(KRB524_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o krb524test test.o $(KRB524_LIB) $(KRB4COMPAT_LIBS)
+SERVER_OBJS= krb524d.o cnv_tkt_skey.o conv_princ.o
+CLIENT_OBJS= $(OUTPRE)k524init.$(OBJEXT)
-krb524d: krb524d.o $(KADMSRV_DEPLIBS) $(KRB524_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o krb524d krb524d.o $(KADMSRV_LIBS) $(KRB524_LIB) $(KRB4COMPAT_LIBS)
+krb524d: $(SERVER_OBJS) $(KADMSRV_DEPLIBS) $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS)
+ $(CC_LINK) -o krb524d $(SERVER_OBJS) $(KADMSRV_LIBS) $(KRB5_LIB) $(KRB4COMPAT_LIBS)
-k524init: k524init.o $(KRB524_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o k524init k524init.o $(KRB524_LIB) $(KRB4COMPAT_LIBS)
+k524init: $(CLIENT_OBJS) $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS)
+ $(CC_LINK) -o k524init $(CLIENT_OBJS) $(KRB5_LIB) $(KRB4COMPAT_LIBS)
-$(K524LIB): $(STLIBOBJS) $(K4LIB) $(KLIB)
+$(K524LIB): $(OUTPRE)krb524.$(OBJEXT) $(OUTPRE)libinit.$(OBJEXT) $(KLIB) $(CLIB)
link $(DLL_LINKOPTS) -def:$(K524DEF) -out:$*.dll $** $(WINLIBS)
-$(OUTPRE)k524init.exe: $(OUTPRE)k524init.$(OBJEXT) $(K524DEP) $(KLIB) $(K4LIB) $(CLIB) $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib
+$(OUTPRE)k524init.exe: $(OUTPRE)k524init.$(OBJEXT) $(KLIB) $(K4LIB) $(CLIB) $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib
link $(EXE_LINKOPTS) -out:$@ $** $(WINLIBS)
-install-unix:: install-libs
+install-unix::
$(INSTALL_PROGRAM) krb524d $(DESTDIR)$(SERVER_BINDIR)/krb524d
$(INSTALL_PROGRAM) k524init $(DESTDIR)$(CLIENT_BINDIR)/krb524init
-clean-unix:: clean-libs clean-libobjs
- $(RM) $(OBJS) $(GENS) core *~ *.bak #*
+clean-unix::
+ $(RM) $(OBJS) core *~ *.bak #*
$(RM) krb524test krb524d k524init test.o krb524d.o k524init.o
- $(RM) $(BUILDTOP)/include/krb524.h $(BUILDTOP)/include/krb524_err.h
-
-clean-windows::
- $(RM) $(GENS)
-
-krb524_err.c : krb524_err.et
-
-# @libobj_frag@
-# @lib_frag@
# +++ Dependency line eater +++
#
# Makefile dependencies follow. This must be the last section in
# the Makefile.in file
#
-conv_creds.so conv_creds.po $(OUTPRE)conv_creds.$(OBJEXT): conv_creds.c $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/profile.h krb524.h krb524_err.h
-conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(BUILDTOP)/include/krb5.h \
+$(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/profile.h krb524.h krb524_err.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h
-cnv_tkt_skey.so cnv_tkt_skey.po $(OUTPRE)cnv_tkt_skey.$(OBJEXT): cnv_tkt_skey.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/profile.h
+$(OUTPRE)cnv_tkt_skey.$(OBJEXT): cnv_tkt_skey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- krb524.h krb524_err.h
-encode.so encode.po $(OUTPRE)encode.$(OBJEXT): encode.c $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/profile.h krb524.h krb524_err.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h
-misc.so misc.po $(OUTPRE)misc.$(OBJEXT): misc.c $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/profile.h krb524.h krb524_err.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h
-globals.so globals.po $(OUTPRE)globals.$(OBJEXT): globals.c
-sendmsg.so sendmsg.po $(OUTPRE)sendmsg.$(OBJEXT): sendmsg.c $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \
- $(KRB_ERR_H_DEP) krb524.h krb524_err.h
-libinit.so libinit.po $(OUTPRE)libinit.$(OBJEXT): libinit.c
-test.so test.po $(OUTPRE)test.$(OBJEXT): test.c $(SRCTOP)/include/k5-int.h \
+ krb524d.h
+$(OUTPRE)libinit.$(OBJEXT): libinit.c
+$(OUTPRE)krb524.$(OBJEXT): krb524.c
+$(OUTPRE)test.$(OBJEXT): test.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/kerberosIV/krb.h $(KRB_ERR_H_DEP) \
- krb524.h krb524_err.h
-k524init.so k524init.po $(OUTPRE)k524init.$(OBJEXT): k524init.c $(BUILDTOP)/include/krb5.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(SRCTOP)/include/kerberosIV/krb.h $(KRB_ERR_H_DEP)
+$(OUTPRE)k524init.$(OBJEXT): k524init.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/profile.h krb524.h krb524_err.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h
-krb524d.so krb524d.po $(OUTPRE)krb524d.$(OBJEXT): krb524d.c $(BUILDTOP)/include/krb5.h \
+ $(BUILDTOP)/include/profile.h
+$(OUTPRE)krb524d.$(OBJEXT): krb524d.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
$(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- krb524.h krb524_err.h
+ krb524d.h
#include <netinet/in.h>
#endif
#include <krb.h>
-#include "krb524.h"
+#include "krb524d.h"
+
+static int krb524d_debug = 0;
static int
krb524int_krb_create_ticket(KTEXT, unsigned int, char *, char *, char *, long,
v5etkt->session->enctype != ENCTYPE_DES_CBC_MD4 &&
v5etkt->session->enctype != ENCTYPE_DES_CBC_MD5) ||
v5etkt->session->length != sizeof(C_Block)) {
- if (krb524_debug)
+ if (krb524d_debug)
fprintf(stderr, "v5 session keyblock type %d length %d != C_Block size %d\n",
v5etkt->session->enctype,
v5etkt->session->length,
give out a v4 ticket with as much of the v5 lifetime is available
"now" instead. */
if ((ret = krb5_timeofday(context, &server_time))) {
- if (krb524_debug)
+ if (krb524d_debug)
fprintf(stderr, "krb5_timeofday failed!\n");
krb5_free_enc_tkt_part(context, v5etkt);
v5tkt->enc_part2 = NULL;
if (v4endtime > v5etkt->times.endtime)
server_time -= v4endtime - v5etkt->times.endtime;
} else {
- if (krb524_debug)
+ if (krb524d_debug)
fprintf(stderr, "v5 ticket time out of bounds\n");
krb5_free_enc_tkt_part(context, v5etkt);
v5tkt->enc_part2 = NULL;
kaddr.contents = (krb5_octet *)&sinp->sin_addr;
if (!krb5_address_search(context, &kaddr, v5etkt->caddrs)) {
- if (krb524_debug)
+ if (krb524d_debug)
fprintf(stderr, "Invalid v5creds address information.\n");
krb5_free_enc_tkt_part(context, v5etkt);
v5tkt->enc_part2 = NULL;
return KRB524_BADADDR;
}
- if (krb524_debug)
+ if (krb524d_debug)
printf("startime = %ld, authtime = %ld, lifetime = %ld\n",
(long) v5etkt->times.starttime,
(long) v5etkt->times.authtime,
pname,
pinst,
prealm,
- *((unsigned long *)kaddr.contents),
+ sinp->sin_addr.s_addr,
(char *) v5etkt->session->contents,
lifetime,
/* issue_data */
sname,
sinst,
v4_skey->contents);
- } else {
- /* Force enctype to be raw if using DES3. */
- if (v4_skey->enctype == ENCTYPE_DES3_CBC_SHA1 ||
- v4_skey->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1)
- v4_skey->enctype = ENCTYPE_DES3_CBC_RAW;
- ret = krb524int_krb_cr_tkt_krb5(v4tkt,
- 0, /* flags */
- pname,
- pinst,
- prealm,
- *((unsigned long *)kaddr.contents),
- (char *) v5etkt->session->contents,
- lifetime,
- /* issue_data */
- server_time,
- sname,
- sinst,
- v4_skey);
}
-
+ else abort();
krb5_free_enc_tkt_part(context, v5etkt);
v5tkt->enc_part2 = NULL;
if (ret == KSUCCESS)
+++ /dev/null
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "krb5.h"
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include "port-sockets.h"
-#include "socket-utils.h"
-#include <krb.h>
-#include "krb524.h"
-
-#ifdef USE_CCAPI
-#include <CredentialsCache.h>
-#endif
-
-krb5_error_code krb524_convert_creds_plain
-(krb5_context context, krb5_creds *v5creds,
- CREDENTIALS *v4creds);
-
-krb5_error_code
-krb524_convert_creds_kdc(context, v5creds, v4creds)
- krb5_context context;
- krb5_creds *v5creds;
- CREDENTIALS *v4creds;
-{
- krb5_error_code ret;
- krb5_data reply;
- char *p;
- struct sockaddr_storage ss;
- socklen_t slen = sizeof(ss);
-
- ret = krb524_convert_creds_plain(context, v5creds, v4creds);
- if (ret)
- return ret;
-
- reply.data = NULL;
- ret = krb524_sendto_kdc(context, &v5creds->ticket,
- &v5creds->server->realm, &reply,
- ss2sa(&ss), &slen);
- if (ret)
- return ret;
-
-#if TARGET_OS_MAC
-#ifdef USE_CCAPI
- v4creds->stk_type = cc_v4_stk_des;
-#endif
- if (slen == sizeof(struct sockaddr_in)
- && ss2sa(&ss)->sa_family == AF_INET) {
- v4creds->address = ss2sin(&ss)->sin_addr.s_addr;
- }
- /* Otherwise, leave it set to all-zero. */
-#endif
-
- p = reply.data;
- ret = ntohl(*((krb5_error_code *) p));
- p += sizeof(krb5_int32);
- reply.length -= sizeof(krb5_int32);
- if (ret)
- goto fail;
-
- v4creds->kvno = ntohl(*((krb5_error_code *) p));
- p += sizeof(krb5_int32);
- reply.length -= sizeof(krb5_int32);
- ret = decode_v4tkt(&v4creds->ticket_st, p, &reply.length);
-
-fail:
- if (reply.data)
- free(reply.data);
- reply.data = NULL;
- return ret;
-}
-
-krb5_error_code
-krb524_convert_creds_plain(context, v5creds, v4creds)
- krb5_context context;
- krb5_creds *v5creds;
- CREDENTIALS *v4creds;
-{
- int ret;
- krb5_timestamp endtime;
- char dummy[REALM_SZ];
- memset((char *) v4creds, 0, sizeof(CREDENTIALS));
-
- if ((ret = krb524_convert_princs(context, v5creds->client,
- v5creds->server,
- v4creds->pname, v4creds->pinst,
- dummy, v4creds->service,
- v4creds->instance, v4creds->realm)))
- return ret;
-
- /* Check enctype too */
- if (v5creds->keyblock.length != sizeof(C_Block)) {
- if (krb524_debug)
- fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n",
- v5creds->keyblock.length,
- (int) sizeof(C_Block));
- return KRB524_BADKEY;
- } else
- memcpy(v4creds->session, (char *) v5creds->keyblock.contents,
- sizeof(C_Block));
-
- /* V4 has no concept of authtime or renew_till, so ignore them */
- v4creds->issue_date = v5creds->times.starttime;
- v4creds->lifetime = krb_time_to_life(v5creds->times.starttime,
- v5creds->times.endtime);
- endtime = krb_life_to_time(v5creds->times.starttime,
- v4creds->lifetime);
- /*
- * Adjust start time backwards to deal with rounding up in
- * krb_time_to_life(), to match code on server side.
- */
- if (endtime > v5creds->times.endtime)
- v4creds->issue_date -= endtime - v5creds->times.endtime;
-
- return 0;
-}
#include "krb5.h"
#include <krb.h>
-#include "krb524.h"
int krb524_convert_princs(context, client, server, pname, pinst, prealm,
sname, sinst, srealm)
+++ /dev/null
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "krb5.h"
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-#include <sys/types.h>
-
-#ifdef _WIN32
-#include "port-sockets.h"
-#else
-#include <sys/time.h>
-#include <sys/signal.h>
-#include <netinet/in.h>
-#endif
-
-#include <krb.h>
-#include "krb524.h"
-
-/*
- * I'm sure that this is reinventing the wheel, but I don't know where
- * the wheel is hidden.
- */
-
-int encode_v4tkt (KTEXT_ST *, char *, unsigned int *),
- encode_ktext (char **, int *, KTEXT_ST *),
- encode_bytes (char **, int *, char *, unsigned int),
- encode_int32 (char **, int *, krb5_int32 *);
-
-int decode_v4tkt (KTEXT_ST *, char *, unsigned int *),
- decode_ktext (char **, int *, KTEXT_ST *),
- decode_bytes (char **, int *, char *, unsigned int),
- decode_int32 (char **, int *, krb5_int32 *);
-
-int encode_bytes(out, outlen, in, len)
- char **out;
- int *outlen;
- char *in;
- unsigned int len;
-{
- if (len > *outlen)
- return KRB524_ENCFULL;
- memcpy(*out, in, len);
- *out += len;
- *outlen -= len;
- return 0;
-}
-
-int encode_int32(out, outlen, v)
- char **out;
- int *outlen;
- krb5_int32 *v;
-{
- krb5_int32 nv; /* Must be 4 bytes */
-
- nv = htonl(*v);
- return encode_bytes(out, outlen, (char *) &nv, sizeof(nv));
-}
-
-int encode_v4tkt(v4tkt, buf, encoded_len)
- KTEXT_ST *v4tkt;
- char *buf;
- unsigned int *encoded_len;
-{
- int buflen, ret;
-
- buflen = *encoded_len;
-
- if ((ret = encode_int32(&buf, &buflen, &v4tkt->length)))
- return ret;
- if ((ret = encode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
- return ret;
- if ((ret = encode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
- return ret;
-
- *encoded_len -= buflen;
- return 0;
-}
-
-/* decode functions */
-
-int decode_bytes(out, outlen, in, len)
- char **out;
- int *outlen;
- char *in;
- unsigned int len;
-{
- if (len > *outlen)
- return KRB524_DECEMPTY;
- memcpy(in, *out, len);
- *out += len;
- *outlen -= len;
- return 0;
-}
-
-int decode_int32(out, outlen, v)
- char **out;
- int *outlen;
- krb5_int32 *v;
-{
- int ret;
- krb5_int32 nv; /* Must be four bytes */
-
- if ((ret = decode_bytes(out, outlen, (char *) &nv, sizeof(nv))))
- return ret;
- *v = ntohl(nv);
- return 0;
-}
-
-int decode_v4tkt(v4tkt, buf, encoded_len)
- KTEXT_ST *v4tkt;
- char *buf;
- unsigned int *encoded_len;
-{
- int buflen, ret;
-
- buflen = *encoded_len;
- if ((ret = decode_int32(&buf, &buflen, &v4tkt->length)))
- return ret;
- if ((ret = decode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
- return ret;
- if ((ret = decode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
- return ret;
- *encoded_len -= buflen;
- return 0;
-}
-
+++ /dev/null
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <stdio.h>
-#include "krb5.h"
-#include <krb.h>
-
-main(argc, argv)
- int argc;
- char **argv;
-{
- krb5_principal client, server;
- krb5_ccache cc;
- krb5_creds v5creds;
- CREDENTIALS v4creds;
- int i, ret;
- krb5_context context;
- krb5_error_code retval;
-
- retval = krb5_init_context(&context);
- if (retval) {
- com_err(argv[0], retval, "while initializing krb5");
- exit(1);
- }
-
- if (ret = krb5_parse_name(argv[1], &client)) {
- com_err("getcred", ret, "parsing client name");
- exit(1);
- }
- if (ret = krb5_parse_name(argv[2], &server)) {
- com_err("getcred", ret, "parsing server name");
- exit(1);
- }
- if (ret = krb5_cc_default(context, &cc)) {
- com_err("getcred", ret, "opening default credentials cache");
- exit(1);
- }
-
- memset((char *) &v5creds, 0, sizeof(v5creds));
- v5creds.client = client;
- v5creds.server = server;
- v5creds.times.endtime = 0;
- v5creds.keyblock.enctype = ENCTYPE_DES_CBC_MD5;
- if (ret = krb5_get_credentials(context, 0, cc, &v5creds)) {
- com_err("getcred", ret, "getting V5 credentials");
- exit(1);
- }
-
- if (ret = krb524_convert_creds_kdc(context, &v5creds, &v4creds)) {
- com_err("getcred", ret, "converting to V4 credentials");
- exit(1);
- }
-
- return 0;
-}
+++ /dev/null
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-int krb524_debug = 0;
#endif
#include <krb.h>
-#include "krb524.h"
extern int optind;
extern char *optarg;
exit(1);
}
- krb524_init_ets(context);
-
if ((code = krb5_cc_default(context, &cc))) {
com_err(prog, code, "opening default credentials cache");
exit(1);
exit(1);
}
- if ((code = krb524_convert_creds_kdc(context, v5creds, &v4creds))) {
+ if ((code = krb5_524_convert_creds(context, v5creds, &v4creds))) {
com_err(prog, code, "converting to V4 credentials");
exit(1);
}
--- /dev/null
+/*
+ * Copyright (C) 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#ifdef _WIN32
+#include "krb5.h"
+
+#ifdef krb524_convert_creds_kdc
+#undef krb524_convert_creds_kdc
+#endif
+#ifdef krb524_init_ets
+#undef krb524_init_ets
+#endif
+
+int KRB5_CALLCONV_WRONG
+krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, struct credentials *v4creds)
+{
+ return(krb5_524_convert_creds(context,v5creds,v4creds));
+}
+
+void KRB5_CALLCONV_WRONG
+krb524_init_ets(krb5_context context)
+{
+ /* no-op */
+}
+#endif /* _WIN32 */
+++ /dev/null
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef KRB524_H
-#define KRB524_H
-
-#define KRB524_SERVICE "krb524"
-#define KRB524_PORT 4444
-
-#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
-# include <TargetConditionals.h>
-# ifndef KRB524_PRIVATE /* Allow e.g. build system to override */
-# define KRB524_PRIVATE 0
-# endif
-#else
-# ifndef KRB524_PRIVATE
-# define KRB524_PRIVATE 1
-# endif
-#endif
-
-#include <krb524_err.h>
-
-#ifndef KRB524INT_BEGIN_DECLS
-#ifdef __cplusplus
-#define KRB524INT_BEGIN_DECLS extern "C" {
-#define KRB524INT_END_DECLS }
-#else
-#define KRB524INT_BEGIN_DECLS
-#define KRB524INT_END_DECLS
-#endif
-#endif
-
-#if TARGET_OS_MAC
-# if defined(__MWERKS__)
-# pragma import on
-# endif
-# pragma options align=mac68k
-#endif
-
-KRB524INT_BEGIN_DECLS
-
-#if KRB524_PRIVATE
-extern int krb524_debug;
-
-struct sockaddr;
-struct sockaddr_in;
-
-int krb524_convert_tkt_skey
- (krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
- krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
- struct sockaddr_in *saddr);
-
-/* conv_princ.c */
-
-int krb524_convert_princs
- (krb5_context context, krb5_principal client, krb5_principal server,
- char *pname, char *pinst, char *prealm,
- char *sname, char *sinst, char *srealm);
-
-/* conv_creds.c */
-
-int krb524_convert_creds_addr
- (krb5_context context, krb5_creds *v5creds,
- CREDENTIALS *v4creds, struct sockaddr *saddr);
-#endif /* KRB524_PRIVATE */
-
-int krb524_convert_creds_kdc
- (krb5_context context, krb5_creds *v5creds,
- CREDENTIALS *v4creds);
-
-#if KRB524_PRIVATE
-/* conv_tkt.c */
-
-int krb524_convert_tkt
- (krb5_principal server, krb5_data *v5tkt, KTEXT_ST *v4tkt,
- int *kvno, struct sockaddr_in *saddr);
-
-/* encode.c */
-
-int encode_v4tkt
- (KTEXT_ST *v4tkt, char *buf, unsigned int *encoded_len);
-
-int decode_v4tkt
- (KTEXT_ST *v4tkt, char *buf, unsigned int *encoded_len);
-
-
-/* misc.c */
-
-void krb524_init_ets
- (krb5_context context);
-
-/* sendmsg.c */
-
-#include "port-sockets.h"
-#include "socket-utils.h" /* for socklen_t */
-int krb524_sendto_kdc
- (krb5_context context, const krb5_data * message,
- const krb5_data * realm, krb5_data * reply,
- struct sockaddr *, socklen_t *);
-#endif /* KRB524_PRIVATE */
-
-#if TARGET_OS_MAC
-# if defined(__MWERKS__)
-# pragma import reset
-# endif
-# pragma options align=reset
-#endif
-
-KRB524INT_END_DECLS
-
-#endif /* KRB524_H */
#include <netinet/in.h>
#include <krb.h>
-#include "krb524.h"
+#include "krb524d.h"
#if defined(NEED_DAEMON_PROTO)
extern int daemon(int, int);
void *handle = NULL;
int use_keytab, use_master;
+int allow_v4_crossrealm = 0;
char *keytab = NULL;
krb5_keytab kt;
signalled = 1;
}
+int (*encode_v4tkt)(KTEXT, char *, unsigned int *) = 0;
+
int main(argc, argv)
int argc;
char **argv;
exit(1);
}
+ {
+ krb5int_access k5int;
+ retval = krb5int_accessor(&k5int, KRB5INT_ACCESS_VERSION);
+ if (retval != 0) {
+ com_err(whoami, retval,
+ "while accessing krb5 library internal support");
+ exit(1);
+ }
+ encode_v4tkt = k5int.krb524_encode_v4tkt;
+ if (encode_v4tkt == NULL) {
+ com_err(whoami, 0,
+ "krb4 support disabled in krb5 support library");
+ exit(1);
+ }
+ }
+
argv++; argc--;
use_master = use_keytab = nofork = 0;
config_params.mask = 0;
while (argc) {
- if (strncmp(*argv, "-k", 2) == 0)
+ if (strncmp(*argv, "-X", 2) == 0) {
+ allow_v4_crossrealm = 1;
+ }
+ else if (strncmp(*argv, "-k", 2) == 0)
use_keytab = 1;
else if (strncmp(*argv, "-m", 2) == 0)
use_master = 1;
if (debug)
printf("V5 ticket decoded\n");
- if( v5tkt->server->length >= 1
+ if( krb5_princ_size(context, v5tkt->server) >= 1
&&krb5_princ_component(context, v5tkt->server, 0)->length == 3
&&strncmp(krb5_princ_component(context, v5tkt->server, 0)->data,
"afs", 3) == 0) {
&v5_service_key, NULL)))
goto error;
- if ((ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_DES3_CBC_RAW,
- 0, /* highest kvno */
- &v4_service_key, v4kvno)) &&
- (ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_LOCAL_DES3_HMAC_SHA1,
- 0,
- &v4_service_key, v4kvno)) &&
- (ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_DES3_CBC_SHA1,
- 0,
- &v4_service_key, v4kvno)) &&
- (ret = lookup_service_key(context, v5tkt->server,
+ if ( (ret = lookup_service_key(context, v5tkt->server,
ENCTYPE_DES_CBC_CRC,
0,
&v4_service_key, v4kvno)))
if (debug)
printf("service key retrieved\n");
+ if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) {
+ goto error;
+ }
- ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
+ if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server,
+ v5tkt->enc_part2->client))) {
+ret = KRB5KDC_ERR_POLICY ;
+ goto error;
+ }
+ krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+ v5tkt->enc_part2= NULL;
+
+ ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
&v4_service_key,
(struct sockaddr_in *)saddr);
if (ret)
printf("v4 credentials encoded\n");
error:
+ if (v5tkt->enc_part2)
+ krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+
if(v5_service_key.contents)
krb5_free_keyblock_contents(context, &v5_service_key);
if (v4_service_key.contents)
* PERFORMANCE OF THIS SOFTWARE.
*/
-#include <krb5.h>
-#include <stdio.h>
-#include <sys/types.h>
-
-#ifndef _WIN32
-#include <sys/time.h>
-#include <sys/signal.h>
-#include <netinet/in.h>
+#ifndef KRB524INT_H
+#define KRB524INT_H
+
+#include "port-sockets.h"
+#include "kerberosIV/krb.h"
+
+#ifndef KRB524INT_BEGIN_DECLS
+#ifdef __cplusplus
+#define KRB524INT_BEGIN_DECLS extern "C" {
+#define KRB524INT_END_DECLS }
+#else
+#define KRB524INT_BEGIN_DECLS
+#define KRB524INT_END_DECLS
#endif
+#endif
+
+KRB524INT_BEGIN_DECLS
+
+int krb524_convert_tkt_skey
+ (krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
+ krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
+ struct sockaddr_in *saddr);
+
+/* conv_princ.c */
+
+int krb524_convert_princs
+ (krb5_context context, krb5_principal client, krb5_principal server,
+ char *pname, char *pinst, char *prealm,
+ char *sname, char *sinst, char *srealm);
-#include <krb.h>
-#include "krb524.h"
+KRB524INT_END_DECLS
-void krb524_init_ets(context)
- krb5_context context;
-{
- initialize_k524_error_table();
-}
+#endif /* KRB524INT_H */
#include <des.h>
#include <krb.h>
-#include "krb524.h"
#include "com_err.h"
#define KEYSIZE 8
krb5_context context;
krb5_error_code retval;
+#if 0
krb524_debug = 1;
+#endif
retval = krb5_init_context(&context);
if (retval) {
exit(1);
}
- krb524_init_ets(context);
-
local = 0;
remote = NULL;
argc--; argv++;
+2003-07-21 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5_32.def: Export krb5_principal2salt.
+
+2003-07-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * gssapi32.def: Export GSS OID constants
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5_32.def: Export krb5_get_permitted_enctypes and
+ krb5_set_real_time for Samba.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5_32.def: Add krb5_524_convert_creds.
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_32.def: Add krb5_c_string_to_key_with_params
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * krb5_32.def: Add krb5_auth_con_getrecvsubkey,
+ krb5_auth_con_getsendsubkey, krb5_auth_con_setrecvsubkey,
+ krb5_auth_con_setsendsubkey.
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_32.def: Add krb5_set_password and krb5_set_password_using_ccache
+
2003-02-10 Tom Yu <tlyu@mit.edu>
* Makefile.in (K4LIBS): Revert previous.
+2003-07-13 Kenneth Raeburn <raeburn@mit.edu>
+
+ * pbkdf2.c (foo): Never call com_err.
+
+2003-06-25 Ken Raeburn <raeburn@mit.edu>
+
+ * checksum_length.c (krb5_c_checksum_length): Handle trunc_size.
+
+2003-06-23 Ken Raeburn <raeburn@mit.edu>
+
+ * cksumtypes.c (krb5_cksumtypes_list): Add aes128/256 hmacs, with
+ new trunc_size field.
+
+ * make_checksum.c (krb5_c_make_checksum): If trunc_size is
+ specified, shrink the computed checksum down to the indicated
+ size.
+
+2003-06-05 Sam Hartman <hartmans@mit.edu>
+
+ * string_to_key.c (krb5_c_string_to_key_with_params): Only allow
+ AFS s2k for DES enctypes
+
+2003-05-15 Sam Hartman <hartmans@mit.edu>
+
+ * combine_keys.c (enctype_ok): new function to determine if we support combine_keys for a particular enctype
+
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * etypes.c (krb5_enctypes_list): Add names aes128-cts and
+ aes256-cts as aliases.
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * string_to_key.c: Move krb5_c_string_to_key_with_params to krb5.h
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * pbkdf2.c (krb5int_pbkdf2): Provide a temporary buffer for the
+ output from F, if the remaining space in the output buffer isn't
+ big enough. Free the temporary buffers before returning.
+
+ * etypes.c (krb5_enctypes_list): Use krb5int_aes_encrypt_length,
+ and krb5int_aes_dk_encrypt, and krb5int_aes_dk_decrypt for AES.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* prng.c: use Unix randomness sources on Mac OS X.
#
block_size.so block_size.po $(OUTPRE)block_size.$(OBJEXT): block_size.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
checksum_length.so checksum_length.po $(OUTPRE)checksum_length.$(OBJEXT): checksum_length.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
cksumtypes.h
cksumtype_to_string.so cksumtype_to_string.po $(OUTPRE)cksumtype_to_string.$(OBJEXT): cksumtype_to_string.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
cksumtypes.h
cksumtypes.so cksumtypes.po $(OUTPRE)cksumtypes.$(OBJEXT): cksumtypes.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/hash_provider/hash_provider.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/hash_provider/hash_provider.h \
$(srcdir)/keyhash_provider/keyhash_provider.h cksumtypes.h
coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): coll_proof_cksum.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
cksumtypes.h
combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): combine_keys.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h $(srcdir)/dk/dk.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h $(srcdir)/dk/dk.h
crypto_libinit.so crypto_libinit.po $(OUTPRE)crypto_libinit.$(OBJEXT): crypto_libinit.c \
crypto_libinit.h
default_state.so default_state.po $(OUTPRE)default_state.$(OBJEXT): default_state.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
decrypt.so decrypt.po $(OUTPRE)decrypt.$(OBJEXT): decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
encrypt_length.so encrypt_length.po $(OUTPRE)encrypt_length.$(OBJEXT): encrypt_length.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
etypes.h
enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): enctype_compare.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
etypes.h
enctype_to_string.so enctype_to_string.po $(OUTPRE)enctype_to_string.$(OBJEXT): enctype_to_string.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
etypes.h
etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): etypes.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/enc_provider/enc_provider.h \
$(srcdir)/hash_provider/hash_provider.h etypes.h $(srcdir)/old/old.h \
$(srcdir)/raw/raw.h $(srcdir)/dk/dk.h $(srcdir)/arcfour/arcfour.h \
$(srcdir)/aes/aes_s2k.h
hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): hmac.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
keyed_cksum.so keyed_cksum.po $(OUTPRE)keyed_cksum.$(OBJEXT): keyed_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cksumtypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h
keyed_checksum_types.so keyed_checksum_types.po $(OUTPRE)keyed_checksum_types.$(OBJEXT): keyed_checksum_types.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
etypes.h cksumtypes.h
make_checksum.so make_checksum.po $(OUTPRE)make_checksum.$(OBJEXT): make_checksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cksumtypes.h etypes.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h etypes.h \
$(srcdir)/dk/dk.h
make_random_key.so make_random_key.po $(OUTPRE)make_random_key.$(OBJEXT): make_random_key.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
etypes.h
nfold.so nfold.po $(OUTPRE)nfold.$(OBJEXT): nfold.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
old_api_glue.so old_api_glue.po $(OUTPRE)old_api_glue.$(OBJEXT): old_api_glue.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): pbkdf2.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/hash_provider/hash_provider.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/hash_provider/hash_provider.h
prng.so prng.po $(OUTPRE)prng.$(OBJEXT): prng.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/enc_provider/enc_provider.h \
$(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ytypes.h \
$(srcdir)/yarrow/yhash.h $(srcdir)/sha1/shs.h $(srcdir)/yarrow/ycipher.h
state.so state.po $(OUTPRE)state.$(OBJEXT): state.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
string_to_cksumtype.so string_to_cksumtype.po $(OUTPRE)string_to_cksumtype.$(OBJEXT): string_to_cksumtype.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
cksumtypes.h
string_to_enctype.so string_to_enctype.po $(OUTPRE)string_to_enctype.$(OBJEXT): string_to_enctype.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
etypes.h
string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): string_to_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
valid_cksumtype.so valid_cksumtype.po $(OUTPRE)valid_cksumtype.$(OBJEXT): valid_cksumtype.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
cksumtypes.h
valid_enctype.so valid_enctype.po $(OUTPRE)valid_enctype.$(OBJEXT): valid_enctype.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
verify_checksum.so verify_checksum.po $(OUTPRE)verify_checksum.$(OBJEXT): verify_checksum.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
cksumtypes.h
t_nfold.so t_nfold.po $(OUTPRE)t_nfold.$(OBJEXT): t_nfold.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
t_encrypt.so t_encrypt.po $(OUTPRE)t_encrypt.$(OBJEXT): t_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
t_prng.so t_prng.po $(OUTPRE)t_prng.$(OBJEXT): t_prng.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
t_hmac.so t_hmac.po $(OUTPRE)t_hmac.$(OBJEXT): t_hmac.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
t_pkcs5.so t_pkcs5.po $(OUTPRE)t_pkcs5.$(OBJEXT): t_pkcs5.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
t_cts.so t_cts.po $(OUTPRE)t_cts.$(OBJEXT): t_cts.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
vectors.so vectors.po $(OUTPRE)vectors.$(OBJEXT): vectors.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * aes_s2k.c (DEFAULT_ITERATION_COUNT): New macro; define to 4096.
+ (MAX_ITERATION_COUNT): New macro.
+ (krb5int_aes_string_to_key): Use them.
+
+2003-04-29 Ken Raeburn <raeburn@mit.edu>
+
+ * uitypes.h: Use inttypes.h if HAVE_INTTYPES_H is defined.
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * aes_s2k.c (krb5int_aes_string_to_key): Return an error if the
+ supplied iteration count is really, really large.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* aes_s2k.c, aes_s2k.h: New files.
uitypes.h
aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): aes_s2k.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h aes_s2k.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../dk/dk.h aes_s2k.h
-/* Insert MIT copyright here. */
+/*
+ * lib/crypto/aes/aes_s2k.c
+ *
+ * Copyright 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5int_aes_string_to_key
+ */
#include "k5-int.h"
#include "dk.h"
#include "aes_s2k.h"
+#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */
+#define MAX_ITERATION_COUNT 0x1000000L
+
krb5_error_code
krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
const krb5_data *string,
return KRB5_ERR_BAD_S2K_PARAMS;
}
} else
- iter_count = 0xb000L;
+ iter_count = DEFAULT_ITERATION_COUNT;
+
+ /* This is not a protocol specification constraint; this is an
+ implementation limit, which should eventually be controlled by
+ a config file. */
+ if (iter_count >= MAX_ITERATION_COUNT)
+ return KRB5_ERR_BAD_S2K_PARAMS;
/*
* Dense key space, no parity bits or anything, so take a shortcut
#endif
#endif
-#if defined HAS_INTTYPES_H
+#if defined HAS_INTTYPES_H || defined HAVE_INTTYPES_H
#include <inttypes.h>
#define s_u32 u
#define s_u64 ull
#
arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): arcfour.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h arcfour-int.h arcfour.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h arcfour-int.h arcfour.h
string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): string_to_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../md4/rsa-md4.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../md4/rsa-md4.h \
arcfour-int.h arcfour.h
if (krb5_cksumtypes_list[i].keyhash)
(*(krb5_cksumtypes_list[i].keyhash->hash_size))(length);
+ else if (krb5_cksumtypes_list[i].trunc_size)
+ *length = krb5_cksumtypes_list[i].trunc_size;
else
(*(krb5_cksumtypes_list[i].hash->hash_size))(length);
ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_hmac_md5,
NULL },
+ { CKSUMTYPE_HMAC_SHA1_96_AES128, KRB5_CKSUMFLAG_DERIVE,
+ "hmac-sha1-96-aes128", "HMAC-SHA1 AES128 key",
+ 0, NULL,
+ &krb5int_hash_sha1, 12 },
+ { CKSUMTYPE_HMAC_SHA1_96_AES256, KRB5_CKSUMFLAG_DERIVE,
+ "hmac-sha1-96-aes256", "HMAC-SHA1 AES256 key",
+ 0, NULL,
+ &krb5int_hash_sha1, 12 },
};
const int krb5_cksumtypes_length =
(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
unsigned char *outdata, const krb5_data *in_constant);
+/*
+ * We only support this combine_keys algorithm for des and 3des keys.
+ * Everything else should use the PRF defined in the crypto framework.
+ * We don't implement that yet.
+ */
+
+static krb5_boolean enctype_ok (krb5_enctype e)
+{
+ switch (e) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES3_CBC_SHA1:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
krb5_error_code krb5int_c_combine_keys
(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey)
{
krb5_keyblock tkey;
krb5_error_code ret;
int i, myalloc = 0;
+ if (!(enctype_ok(key1->enctype)&&enctype_ok(key2->enctype)))
+ return (KRB5_CRYPTO_INTERNAL);
+
if (key1->length != key2->length || key1->enctype != key2->enctype)
return (KRB5_CRYPTO_INTERNAL);
#
crc32.so crc32.po $(OUTPRE)crc32.$(OBJEXT): crc32.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h crc-32.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h crc-32.h
#
afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): afsstring2key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): d3_cbc.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h \
f_tables.h
d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): d3_kysched.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): f_cbc.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h \
f_tables.h
f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): f_cksum.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h \
f_tables.h
f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): f_parity.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): f_sched.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): f_tables.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h \
f_tables.h
key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): key_sched.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): weak_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): string2key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+2003-04-17 Ken Raeburn <raeburn@mit.edu>
+
+ * dk_encrypt.c (krb5int_aes_dk_encrypt): Set output length
+ properly.
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): Renamed from
+ krb5_dk_decrypt, made static, added extra HMACSIZE argument to
+ indicate size of HMAC. Cast byte values to char to silence
+ compiler warning.
+ (krb5_dk_decrypt): Call it.
+ (krb5int_aes_dk_decrypt): New function.
+ * dk_encrypt.c (krb5_dk_encrypt): Cast byte values to char to
+ silence compiler warning.
+ (krb5int_aes_encrypt_length, trunc_hmac, krb5int_aes_dk_encrypt):
+ New functions.
+ * dk.h (krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt,
+ krb5int_aes_dk_decrypt): Declare.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* stringtokey.c (krb5int_dk_string_to_key): Renamed from
#
checksum.so checksum.po $(OUTPRE)checksum.$(OBJEXT): checksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../etypes.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../etypes.h \
dk.h
dk_decrypt.so dk_decrypt.po $(OUTPRE)dk_decrypt.$(OBJEXT): dk_decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h dk.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h dk.h
dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): dk_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h dk.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h dk.h
derive.so derive.po $(OUTPRE)derive.$(OBJEXT): derive.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h dk.h $(srcdir)/../etypes.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h dk.h $(srcdir)/../etypes.h
stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): stringtokey.c dk.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
+void krb5int_aes_encrypt_length
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ size_t input, size_t *length);
+
+krb5_error_code krb5int_aes_dk_encrypt
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+
krb5_error_code krb5_dk_decrypt
(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
+krb5_error_code krb5int_aes_dk_decrypt
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec, const krb5_data *input,
+ krb5_data *arg_output);
+
krb5_error_code krb5int_dk_string_to_key
(const struct krb5_enc_provider *enc,
const krb5_data *string, const krb5_data *salt,
#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
+static krb5_error_code
+krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ const krb5_data *input,
+ krb5_data *output,
+ size_t hmacsize);
+
krb5_error_code
krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
const struct krb5_enc_provider *enc;
const krb5_data *ivec;
const krb5_data *input;
krb5_data *output;
+{
+ return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
+ ivec, input, output, 0);
+}
+
+krb5_error_code
+krb5int_aes_dk_decrypt(enc, hash, key, usage, ivec, input, output)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ const krb5_keyblock *key;
+ krb5_keyusage usage;
+ const krb5_data *ivec;
+ const krb5_data *input;
+ krb5_data *output;
+{
+ return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
+ ivec, input, output, 96 / 8);
+}
+
+static krb5_error_code
+krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, ivec, input, output,
+ hmacsize)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ const krb5_keyblock *key;
+ krb5_keyusage usage;
+ const krb5_data *ivec;
+ const krb5_data *input;
+ krb5_data *output;
+ size_t hmacsize;
{
krb5_error_code ret;
size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
(*(enc->block_size))(&blocksize);
(*(enc->keysize))(&keybytes, &keylength);
- enclen = input->length - hashsize;
+ if (hmacsize == 0)
+ hmacsize = hashsize;
+ else if (hmacsize > hashsize)
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
+ enclen = input->length - hmacsize;
if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
return(ENOMEM);
d1.data[2] = (usage>>8)&0xff;
d1.data[3] = usage&0xff;
- d1.data[4] = 0xAA;
+ d1.data[4] = (char) 0xAA;
if ((ret = krb5_derive_key(enc, key, &ke, &d1)) != 0)
goto cleanup;
if ((ret = krb5_hmac(hash, &ki, 1, &d2, &d1)) != 0)
goto cleanup;
- if (memcmp(cksum, input->data+enclen, hashsize) != 0) {
+ if (memcmp(cksum, input->data+enclen, hmacsize) != 0) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto cleanup;
}
d1.data[2] = (usage>>8)&0xff;
d1.data[3] = usage&0xff;
- d1.data[4] = 0xAA;
+ d1.data[4] = (char) 0xAA;
if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
goto cleanup;
return(ret);
}
+/* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher
+ with a 96-bit truncated HMAC". */
+void
+krb5int_aes_encrypt_length(enc, hash, inputlen, length)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ size_t inputlen;
+ size_t *length;
+{
+ size_t blocksize, hashsize;
+
+ (*(enc->block_size))(&blocksize);
+ hashsize = 96 / 8;
+
+ /* No roundup, since CTS requires no padding once we've hit the
+ block size. */
+ *length = blocksize+inputlen + hashsize;
+}
+
+static krb5_error_code
+trunc_hmac (const struct krb5_hash_provider *hash,
+ const krb5_keyblock *ki, int num,
+ const krb5_data *input, const krb5_data *output)
+{
+ size_t hashsize;
+ krb5_data tmp;
+ krb5_error_code ret;
+
+ (hash->hash_size)(&hashsize);
+ if (hashsize < output->length)
+ return KRB5_CRYPTO_INTERNAL;
+ tmp.length = hashsize;
+ tmp.data = malloc(hashsize);
+ if (tmp.data == NULL)
+ return errno;
+ ret = krb5_hmac(hash, ki, num, input, &tmp);
+ if (ret == 0)
+ memcpy(output->data, tmp.data, output->length);
+ memset(tmp.data, 0, hashsize);
+ free(tmp.data);
+ return ret;
+}
+
+krb5_error_code
+krb5int_aes_dk_encrypt(enc, hash, key, usage, ivec, input, output)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ const krb5_keyblock *key;
+ krb5_keyusage usage;
+ const krb5_data *ivec;
+ const krb5_data *input;
+ krb5_data *output;
+{
+ size_t blocksize, keybytes, keylength, plainlen, enclen;
+ krb5_error_code ret;
+ unsigned char constantdata[K5CLENGTH];
+ krb5_data d1, d2;
+ unsigned char *plaintext, *kedata, *kidata, *cn;
+ krb5_keyblock ke, ki;
+
+ /* allocate and set up plaintext and to-be-derived keys */
+
+ (*(enc->block_size))(&blocksize);
+ (*(enc->keysize))(&keybytes, &keylength);
+ plainlen = blocksize+input->length;
+
+ krb5int_aes_encrypt_length(enc, hash, input->length, &enclen);
+
+ /* key->length, ivec will be tested in enc->encrypt */
+
+ if (output->length < enclen)
+ return(KRB5_BAD_MSIZE);
+
+ if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
+ return(ENOMEM);
+ if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
+ free(kedata);
+ return(ENOMEM);
+ }
+ if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) {
+ free(kidata);
+ free(kedata);
+ return(ENOMEM);
+ }
+
+ ke.contents = kedata;
+ ke.length = keylength;
+ ki.contents = kidata;
+ ki.length = keylength;
+
+ /* derive the keys */
+
+ d1.data = constantdata;
+ d1.length = K5CLENGTH;
+
+ d1.data[0] = (usage>>24)&0xff;
+ d1.data[1] = (usage>>16)&0xff;
+ d1.data[2] = (usage>>8)&0xff;
+ d1.data[3] = usage&0xff;
+
+ d1.data[4] = (char) 0xAA;
+
+ if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
+ goto cleanup;
+
+ d1.data[4] = 0x55;
+
+ if ((ret = krb5_derive_key(enc, key, &ki, &d1)))
+ goto cleanup;
+
+ /* put together the plaintext */
+
+ d1.length = blocksize;
+ d1.data = plaintext;
+
+ if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
+ goto cleanup;
+
+ memcpy(plaintext+blocksize, input->data, input->length);
+
+ /* Ciphertext stealing; there should be no more. */
+ if (plainlen != blocksize + input->length)
+ abort();
+
+ /* encrypt the plaintext */
+
+ d1.length = plainlen;
+ d1.data = plaintext;
+
+ d2.length = plainlen;
+ d2.data = output->data;
+
+ if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
+ goto cleanup;
+
+ if (ivec != NULL && ivec->length == blocksize)
+ cn = d2.data + d2.length - blocksize;
+ else
+ cn = NULL;
+
+ /* hash the plaintext */
+
+ d2.length = enclen - plainlen;
+ d2.data = output->data+plainlen;
+ if (d2.length != 96 / 8)
+ abort();
+
+ if ((ret = trunc_hmac(hash, &ki, 1, &d1, &d2))) {
+ memset(d2.data, 0, d2.length);
+ goto cleanup;
+ }
+
+ output->length = enclen;
+
+ /* update ivec */
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
+
+ /* ret is set correctly by the prior call */
+
+cleanup:
+ memset(kedata, 0, keylength);
+ memset(kidata, 0, keylength);
+ memset(plaintext, 0, plainlen);
+
+ free(plaintext);
+ free(kidata);
+ free(kedata);
+
+ return(ret);
+}
+
#ifdef ATHENA_DES3_KLUDGE
void
krb5_marc_dk_encrypt_length(enc, hash, inputlen, length)
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * aes.c (enc): Replaced function with a macro.
+ (dec): New macro.
+ (krb5int_aes_encrypt): Use enc and dec. Delete unused variable
+ OFFSET.
+ (krb5int_aes_decrypt): Renamed from k5_aes_dencrypt, implemented
+ decryption, made non-static.
+ (krb5int_enc_aes128, krb5int_enc_aes256): Use new name for
+ krb5int_aes_decrypt.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* aes.c (krb5int_aes_init_state): Implement.
#
des.so des.po $(OUTPRE)des.$(OBJEXT): des.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../des/des_int.h \
$(SRCTOP)/include/kerberosIV/des.h enc_provider.h
des3.so des3.po $(OUTPRE)des3.$(OBJEXT): des3.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../des/des_int.h \
$(SRCTOP)/include/kerberosIV/des.h
aes.so aes.po $(OUTPRE)aes.$(OBJEXT): aes.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h enc_provider.h $(srcdir)/../aes/aes.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h enc_provider.h $(srcdir)/../aes/aes.h \
$(srcdir)/../aes/uitypes.h
arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): arcfour.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../arcfour/arcfour-int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../arcfour/arcfour-int.h \
$(srcdir)/../arcfour/arcfour.h enc_provider.h
}
printf("\n");
}
-static void enc(char *out, const char *in, aes_ctx *ctx)
-{
- if (aes_enc_blk(in, out, ctx) != aes_good)
- abort();
-#if 0
- {
- krb5_data e_in, e_out;
- e_in.data = in;
- e_out.data = out;
- e_in.length = e_out.length = BLOCK_SIZE;
- printf("encrypting [[\n");
- printd("input block", &e_in);
- printd("output block", &e_out);
- printf("]]\n");
- }
-#endif
-}
+#define enc(OUT, IN, CTX) (aes_enc_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort())
+#define dec(OUT, IN, CTX) (aes_dec_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort())
static void xorblock(char *out, const char *in)
{
{
aes_ctx ctx;
unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
- int offset;
int nblocks = 0, blockno;
/* CHECK_SIZES; */
if (nblocks == 1) {
/* XXX Used for DK function. */
- if (aes_enc_blk(input->data, output->data, &ctx) != aes_good)
- abort();
+ enc(output->data, input->data, &ctx);
} else {
int nleft;
/* Set up for next block. */
memcpy(tmp, tmp2, BLOCK_SIZE);
- offset += BLOCK_SIZE;
}
/* Do final CTS step for last two blocks (the second of which
may or may not be incomplete). */
return 0;
}
-static krb5_error_code
-k5_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
+krb5_error_code
+krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
{
aes_ctx ctx;
+ unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno;
CHECK_SIZES;
if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
abort();
- abort();
+ if (ivec)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ if (nblocks == 1) {
+ if (input->length < BLOCK_SIZE)
+ abort();
+ dec(output->data, input->data, &ctx);
+ } else {
+ int nleft;
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
+ xorblock(tmp2, tmp);
+ memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
+ memcpy(tmp, input->data + blockno * BLOCK_SIZE, BLOCK_SIZE);
+ }
+ /* Do last two blocks, the second of which (next-to-last block
+ of plaintext) may be incomplete. */
+ dec(tmp2, input->data + (nblocks - 2) * BLOCK_SIZE, &ctx);
+ /* Set tmp3 to last ciphertext block, padded. */
+ memset(tmp3, 0, sizeof(tmp3));
+ memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE,
+ input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Set tmp2 to last (possibly partial) plaintext block, and
+ save it. */
+ xorblock(tmp2, tmp3);
+ memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2,
+ input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Maybe keep the trailing part, and copy in the last
+ ciphertext block. */
+ memcpy(tmp2, tmp3, input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Decrypt, to get next to last plaintext block xor previous
+ ciphertext. */
+ dec(tmp3, tmp2, &ctx);
+ xorblock(tmp3, tmp);
+ memcpy(output->data + (nblocks - 2) * BLOCK_SIZE, tmp3, BLOCK_SIZE);
+ }
return 0;
}
aes_block_size,
aes128_keysize,
krb5int_aes_encrypt,
- k5_aes_decrypt,
+ krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
krb5int_default_free_state
aes_block_size,
aes256_keysize,
krb5int_aes_encrypt,
- k5_aes_decrypt,
+ krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
krb5int_default_free_state
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
- krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_string_to_key },
+ { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
+ "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
+ &krb5int_enc_aes128, &krb5int_hash_sha1,
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
- krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_string_to_key },
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
+ "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
+ &krb5int_enc_aes256, &krb5int_hash_sha1,
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key },
#ifdef ATHENA_DES3_KLUDGE
#
hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): hash_crc32.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../crc32/crc-32.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../crc32/crc-32.h \
hash_provider.h
hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): hash_md4.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../md4/rsa-md4.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../md4/rsa-md4.h \
hash_provider.h
hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): hash_md5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../md5/rsa-md5.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../md5/rsa-md5.h \
hash_provider.h
hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): hash_sha1.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../sha1/shs.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../sha1/shs.h \
hash_provider.h
#
descbc.so descbc.po $(OUTPRE)descbc.$(OBJEXT): descbc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../des/des_int.h \
$(SRCTOP)/include/kerberosIV/des.h keyhash_provider.h
k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): k5_md4des.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../des/des_int.h \
$(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../md4/rsa-md4.h \
keyhash_provider.h
k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): k5_md5des.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../des/des_int.h \
$(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../md5/rsa-md5.h \
keyhash_provider.h
hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): hmac_md5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h keyhash_provider.h $(srcdir)/../arcfour/arcfour-int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h keyhash_provider.h $(srcdir)/../arcfour/arcfour-int.h \
$(srcdir)/../arcfour/arcfour.h $(srcdir)/../md5/rsa-md5.h \
$(srcdir)/../hash_provider/hash_provider.h
if (!ret) {
cksum->magic = KV5M_CHECKSUM;
cksum->checksum_type = cksumtype;
+ if (krb5_cksumtypes_list[i].trunc_size) {
+ krb5_octet *trunc;
+ cksum->length = krb5_cksumtypes_list[i].trunc_size;
+ trunc = (krb5_octet *) realloc(cksum->contents, cksum->length);
+ if (trunc)
+ cksum->contents = trunc;
+ }
}
cleanup:
#
md4.so md4.po $(OUTPRE)md4.$(OBJEXT): md4.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rsa-md4.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h rsa-md4.h
#
md5.so md5.po $(OUTPRE)md5.$(OBJEXT): md5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rsa-md5.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h rsa-md5.h
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * des_stringtokey.c (krb5int_des_string_to_key): If param has one
+ byte, treat it as a type. Type 0 is normal, type 1 is AFS
+ string2key.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* des_stringtokey.c (krb5int_des_string_to_key): Renamed from
des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): des_stringtokey.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- old.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
+ old.h $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h
old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): old_decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h old.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h old.h
old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): old_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h old.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h old.h
#include "k5-int.h"
#include "old.h"
+#include <des_int.h>
/* XXX */
extern krb5_error_code mit_des_string_to_key_int
const krb5_data *parm;
krb5_keyblock *key;
{
- if (parm != NULL)
- return KRB5_ERR_BAD_S2K_PARAMS;
+ int type;
+ if (parm ) {
+ if (parm->length != 1)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ type = parm->data[0];
+ }
+ else type = 0;
+ switch(type) {
+ case 0:
return(mit_des_string_to_key_int(key, string, salt));
+ case 1:
+ return mit_afs_string_to_key(key, string, salt);
+ default:
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ }
}
{
int l, r, i;
char *utmp1, *utmp2;
+ char utmp3[20]; /* XXX length shouldn't be hardcoded! */
if (output->length == 0 || hlen == 0)
abort();
r = output->length - (l - 1) * hlen;
utmp1 = /*output + dklen; */ malloc(hlen);
+ if (utmp1 == NULL)
+ return errno;
utmp2 = /*utmp1 + hlen; */ malloc(salt->length + 4 + hlen);
+ if (utmp2 == NULL) {
+ free(utmp1);
+ return errno;
+ }
/* Step 3. */
for (i = 1; i <= l; i++) {
int j;
#endif
krb5_error_code err;
+ char *out;
- err = F(output->data + (i-1) * hlen, utmp1, utmp2, prf, hlen,
- pass, salt, count, i);
- if (err)
+ if (i == l)
+ out = utmp3;
+ else
+ out = output->data + (i-1) * hlen;
+ err = F(out, utmp1, utmp2, prf, hlen, pass, salt, count, i);
+ if (err) {
+ free(utmp1);
+ free(utmp2);
return err;
+ }
+ if (i == l)
+ memcpy(output->data + (i-1) * hlen, utmp3,
+ output->length - (i-1) * hlen);
#if 0
printf("after F(%d), @%p:\n", i, output->data);
printf ("\n");
#endif
}
+ free(utmp1);
+ free(utmp2);
return 0;
}
memset(out->data, 0, out->length);
err = hmac1 (&krb5int_hash_sha1, pass, salt, out);
- if (err)
- com_err("foo", err, "computing hmac");
return err;
}
#
raw_decrypt.so raw_decrypt.po $(OUTPRE)raw_decrypt.$(OBJEXT): raw_decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h raw.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h raw.h
raw_encrypt.so raw_encrypt.po $(OUTPRE)raw_encrypt.$(OBJEXT): raw_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h raw.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h raw.h
#
shs.so shs.po $(OUTPRE)shs.$(OBJEXT): shs.c shs.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
#include "k5-int.h"
#include "etypes.h"
-/* Eventually this declaration should move to krb5.h. */
krb5_error_code KRB5_CALLCONV
krb5_c_string_to_key_with_params(krb5_context context,
krb5_enctype enctype,
return(KRB5_BAD_ENCTYPE);
enc = krb5_enctypes_list[i].enc;
+/* xxx AFS string2key function is indicated by a special length in
+ * the salt in much of the code. However only the DES enctypes can
+ * deal with this. Using s2kparams would be a much better solution.*/
+ if (salt && salt->length == SALT_TYPE_AFS_LENGTH) {
+ switch (enctype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ break;
+ default:
+ return (KRB5_CRYPTO_INTERNAL);
+ }
+ }
+
(*(enc->keysize))(&keybytes, &keylength);
if ((key->contents = (krb5_octet *) malloc(keylength)) == NULL)
#
yarrow.so yarrow.po $(OUTPRE)yarrow.$(OBJEXT): yarrow.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h yarrow.h ytypes.h yhash.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h yarrow.h ytypes.h yhash.h \
$(srcdir)/../sha1/shs.h ycipher.h ylock.h ystate.h \
yexcep.h
ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): ycipher.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h yarrow.h ytypes.h yhash.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h yarrow.h ytypes.h yhash.h \
$(srcdir)/../sha1/shs.h ycipher.h $(srcdir)/../enc_provider/enc_provider.h
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * quad_cksum.c, t_pcbc.c, t_quad.c, verify.c: Don't declare errno
+ or errmsg.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* mac_des_glue.c, des.c, enc_dec.c, key_sched.c, str_to_key.c:
cksum.so cksum.po $(OUTPRE)cksum.$(OBJEXT): cksum.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
des.so des.po $(OUTPRE)des.$(OBJEXT): des.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
enc_dec.so enc_dec.po $(OUTPRE)enc_dec.$(OBJEXT): enc_dec.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
key_parity.so key_parity.po $(OUTPRE)key_parity.$(OBJEXT): key_parity.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): key_sched.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
new_rnd_key.so new_rnd_key.po $(OUTPRE)new_rnd_key.$(OBJEXT): new_rnd_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
pcbc_encrypt.so pcbc_encrypt.po $(OUTPRE)pcbc_encrypt.$(OBJEXT): pcbc_encrypt.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../crypto/des/f_tables.h
quad_cksum.so quad_cksum.po $(OUTPRE)quad_cksum.$(OBJEXT): quad_cksum.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
random_key.so random_key.po $(OUTPRE)random_key.$(OBJEXT): random_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
read_passwd.so read_passwd.po $(OUTPRE)read_passwd.$(OBJEXT): read_passwd.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
str_to_key.so str_to_key.po $(OUTPRE)str_to_key.$(OBJEXT): str_to_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): unix_time.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
util.so util.po $(OUTPRE)util.$(OBJEXT): util.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../crypto/des/des_int.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/kerberosIV/des.h
weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): weak_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(SRCTOP)/include/kerberosIV/des.h
#define vaxtohs(x) two_bytes_vax_to_nets(((const unsigned char *)(x)))
/* Externals */
-extern char *errmsg();
-#ifndef HAVE_ERRNO
-extern int errno;
-#endif
extern int des_debug;
/*** Routines ***************************************************** */
#include "des_int.h"
#include "des.h"
-extern char *errmsg();
-extern int errno;
char *progname;
int des_debug;
#include "des_int.h"
#include "des.h"
-extern char *errmsg();
-extern int errno;
extern unsigned long quad_cksum();
char *progname;
int des_debug;
#include "des_int.h"
#include "des.h"
-extern char *errmsg();
-extern int errno;
char *progname;
int nflag = 2;
int vflag;
+2003-07-17 Tom Yu <tlyu@mit.edu>
+
+ * gss_libinit.c (gssint_initialize_library): Don't call
+ kg_release_defcred(); it doesn't exist any more.
+
2003-03-08 Ken Raeburn <raeburn@mit.edu>
* Makefile.in ($(BUILDTOP)/include/gssapi/gssapi.h,
void gssint_cleanup_library (void)
{
- OM_uint32 min_stat;
assert (initialized);
- (void) kg_release_defcred (&min_stat);
-
#if !USE_BUNDLE_ERROR_STRINGS
remove_error_table(&et_k5g_error_table);
remove_error_table(&et_ggss_error_table);
+2003-07-19 Ezra Peisach <epeisach@mit.edu>
+
+ * acquire_cred.c (krb5_gss_register_acceptor_identity): Allocate
+ enough memory to include the null at the end of the keytab char *.
+
+2003-07-17 Tom Yu <tlyu@mit.edu>
+
+ * gssapiP_krb5.h: Delete kg_release_defcred(); it's no longer
+ used.
+
+ * gssapi_krb5.c: Delete defcred; it's no longer cached.
+ (kg_get_defcred): Don't cache.
+ (kg_release_defcred): Delete; it's no longer used.
+
+ * init_sec_context.c (krb5_gss_init_sec_context): Break into more
+ manageable pieces. Clean up a few error condition memory leaks
+ previously obscured by the sheer size of this function.
+ (setup_enc): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for setting up enctypes,
+ keyblocks, related nastiness.
+ (get_requested_enctypes): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for pruning the krb5
+ library's default enctype list to the limited set of enctypes
+ usable with GSSAPI.
+ (new_connection): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for initial gss_ctx setup
+ and creating the AP-REQ.
+ (mutual_auth): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for reading the AP-REP if
+ mutual auth was requested.
+
+ * inq_cred.c (krb5_gss_inquire_cred): Rearrange due to removal of
+ kg_release_defcred(), particularly to explicitly release the
+ defcred once it's obtained.
+
+ * rel_cred.c (krb5_gss_release_cred): Remove call to
+ kg_release_defcred(), and always succeed in releasing the null
+ credential.
+
+ * set_ccache.c (gss_krb5_ccache_name): Remove call to
+ kg_release_defcred().
+
+2003-07-14 Tom Yu <tlyu@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Call
+ TREAD_STR with correct arguments. Patch from Emily Ratliff.
+
+2003-07-10 Tom Yu <tlyu@mit.edu>
+
+ * acquire_cred.c (acquire_init_cred): Close the ccache if
+ krb5_cc_set_flags() fails, as krb5int_cc_default succeeds even if
+ the file is not there, but krb5_cc_set_flags will fail in turning
+ off OPENCLOSE mode if the file can't be opened. Thanks to Kent Wu.
+
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c (make_ap_req_v1): Free checksum_data if
+ needed, to avoid leaking memory. Found by Kent Wu.
+ (krb5_gss_init_sec_context): Free default_enctypes to avoid
+ leaking returned value from krb5_get_tgs_ktypes.
+
+ * k5unseal.c (kg_unseal_v1): Explicitly set token.value to NULL if
+ token.length == 0, to avoid spurious uninitialized memory
+ references when calling memcpy() with a zero length.
+
+2003-05-13 Tom Yu <tlyu@mit.edu>
+
+ * gssapi_krb5.h: Remove check for GSS_RFC_COMPLIANT_OIDS.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Rename
+ remote_subkey -> recv_subkey.
+
+ * init_sec_context.c (krb5_gss_init_sec_context): Rename
+ local_subkey -> send_subkey.
+
+2003-03-14 Sam Hartman <hartmans@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Set
+ prot_ready here
+
+ * init_sec_context.c (krb5_gss_init_sec_context): Set prot_ready
+ after context established
+
+ * gssapiP_krb5.h (KG_IMPLFLAGS): Don't claim prot_ready until the
+ context is established because we don't currently support it.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* disp_status.c, gssapi_krb5.h, gssapiP_krb5.h:
accept_sec_context.so accept_sec_context.po $(OUTPRE)accept_sec_context.$(OBJEXT): accept_sec_context.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
acquire_cred.so acquire_cred.po $(OUTPRE)acquire_cred.$(OBJEXT): acquire_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
add_cred.so add_cred.po $(OUTPRE)add_cred.$(OBJEXT): add_cred.c gssapiP_krb5.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
gssapi_krb5.so gssapi_krb5.po $(OUTPRE)gssapi_krb5.$(OBJEXT): gssapi_krb5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
import_name.so import_name.po $(OUTPRE)import_name.$(OBJEXT): import_name.c gssapiP_krb5.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
ser_sctx.so ser_sctx.po $(OUTPRE)ser_sctx.$(OBJEXT): ser_sctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
set_ccache.so set_ccache.po $(OUTPRE)set_ccache.$(OBJEXT): set_ccache.c gssapiP_krb5.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
util_crypt.so util_crypt.po $(OUTPRE)util_crypt.$(OBJEXT): util_crypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
util_seed.so util_seed.po $(OUTPRE)util_seed.$(OBJEXT): util_seed.c gssapiP_krb5.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
val_cred.so val_cred.po $(OUTPRE)val_cred.$(OBJEXT): val_cred.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
* By the time krb5_rd_cred is called here (after krb5_rd_req has been
* called in krb5_gss_accept_sec_context), the "keyblock" field of
* auth_context contains a pointer to the session key, and the
- * "remote_subkey" field might contain a session subkey. Either of
- * these (the "remote_subkey" if it isn't NULL, otherwise the
+ * "recv_subkey" field might contain a session subkey. Either of
+ * these (the "recv_subkey" if it isn't NULL, otherwise the
* "keyblock") might have been used to encrypt the encrypted part of
* the KRB_CRED message that contains the forwarded credentials. (The
* Java Crypto and Security Implementation from the DSTC in Australia
i -= 4;
- /* have to use ptr2, since option.data is wrong type and
- macro uses ptr as both lvalue and rvalue */
-
if (i < option.length || option.length < 0) {
code = KG_BAD_LENGTH;
major_status = GSS_S_FAILURE;
goto fail;
}
- TREAD_STR(ptr, ptr2, bigend);
+ /* have to use ptr2, since option.data is wrong type and
+ macro uses ptr as both lvalue and rvalue */
+
+ TREAD_STR(ptr, ptr2, option.length);
option.data = (char *) ptr2;
i -= option.length;
goto fail;
}
- if ((code = krb5_auth_con_getremotesubkey(context, auth_context,
- &ctx->subkey))) {
+ if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
+ &ctx->subkey))) {
major_status = GSS_S_FAILURE;
goto fail;
}
&ctx->seq_send);
/* the reply token hasn't been sent yet, but that's ok. */
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
ctx->established = 1;
token.length = g_token_size((gss_OID) mech_used, ap_rep.length);
free(krb5_gss_keytab);
len = strlen(keytab);
- krb5_gss_keytab = malloc(len);
+ krb5_gss_keytab = malloc(len + 1);
if (krb5_gss_keytab == NULL)
return GSS_S_FAILURE;
flags = 0; /* turns off OPENCLOSE mode */
if ((code = krb5_cc_set_flags(context, ccache, flags))) {
+ (void)krb5_cc_close(context, ccache);
*minor_status = code;
return(GSS_S_CRED_UNAVAIL);
}
#define KG_TOK_DEL_CTX 0x0102
#define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
- GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | \
+ GSS_C_TRANS_FLAG | \
((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
(OM_uint32 *minor_status,
gss_cred_id_t *cred);
-OM_uint32 kg_release_defcred (OM_uint32 *minor_status);
-
krb5_error_code kg_checksum_channel_bindings
(krb5_context context, gss_channel_bindings_t cb,
krb5_checksum *cksum,
/** default credential support */
-/* default credentials */
-
-static gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
-
/*
* init_sec_context() will explicitly re-acquire default credentials,
* so handling the expiration/invalidation condition here isn't needed.
OM_uint32 *minor_status;
gss_cred_id_t *cred;
{
- if (defcred == GSS_C_NO_CREDENTIAL) {
- OM_uint32 major;
-
- if ((major = krb5_gss_acquire_cred(minor_status,
- (gss_name_t) NULL, GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET, GSS_C_INITIATE,
- &defcred, NULL, NULL)) &&
- GSS_ERROR(major)) {
- defcred = GSS_C_NO_CREDENTIAL;
- return(major);
- }
- }
+ OM_uint32 major;
- *cred = defcred;
+ if ((major = krb5_gss_acquire_cred(minor_status,
+ (gss_name_t) NULL, GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET, GSS_C_INITIATE,
+ cred, NULL, NULL)) && GSS_ERROR(major)) {
+ return(major);
+ }
*minor_status = 0;
return(GSS_S_COMPLETE);
}
-OM_uint32
-kg_release_defcred(minor_status)
- OM_uint32 *minor_status;
-{
- if (defcred == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
-
- return(krb5_gss_release_cred(minor_status, &defcred));
-}
-
OM_uint32
kg_get_context(minor_status, context)
OM_uint32 *minor_status;
extern "C" {
#endif /* __cplusplus */
-#if GSS_RFC_COMPLIANT_OIDS
/* Reserved static storage for GSS_oids. See rfc 1964 for more details. */
/* 2.1.1. Kerberos Principal Name Form: */
* generic(1) string_uid_name(3)}. The recommended symbolic name for
* this type is "GSS_KRB5_NT_STRING_UID_NAME". */
-#endif /* GSS_RFC_COMPLIANT_OIDS */
-
extern const gss_OID_desc * const gss_mech_krb5;
extern const gss_OID_desc * const gss_mech_krb5_old;
extern const gss_OID_set_desc * const gss_mech_set_krb5;
code = 0;
cleanup:
+ if (checksum_data && checksum_data->data)
+ krb5_free_data_contents(context, checksum_data);
if (ap_req.data)
krb5_free_data_contents(context, &ap_req);
return (code);
}
-OM_uint32
-krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
- context_handle, target_name, mech_type,
- req_flags, time_req, input_chan_bindings,
- input_token, actual_mech_type, output_token,
- ret_flags, time_rec)
- OM_uint32 *minor_status;
- gss_cred_id_t claimant_cred_handle;
- gss_ctx_id_t *context_handle;
- gss_name_t target_name;
- gss_OID mech_type;
- OM_uint32 req_flags;
- OM_uint32 time_req;
- gss_channel_bindings_t input_chan_bindings;
- gss_buffer_t input_token;
- gss_OID *actual_mech_type;
- gss_buffer_t output_token;
- OM_uint32 *ret_flags;
- OM_uint32 *time_rec;
+/*
+ * get_requested_enctypes
+ *
+ * Filter the krb5 library's default enctype list with the set of
+ * enctypes we support for GSSAPI.
+ */
+static krb5_error_code
+get_requested_enctypes(
+ krb5_context context,
+ krb5_enctype **ret_enctypes)
{
- krb5_context context;
- krb5_gss_cred_id_t cred;
- krb5_creds *k_cred = 0;
+ krb5_error_code code;
+ int i, j, k;
+ int is_duplicate_enctype;
+ int is_wanted_enctype;
static const krb5_enctype wanted_enctypes[] = {
#if 1
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
};
#define N_WANTED_ENCTYPES (sizeof(wanted_enctypes)/sizeof(wanted_enctypes[0]))
- krb5_enctype requested_enctypes[N_WANTED_ENCTYPES + 1];
krb5_enctype *default_enctypes = 0;
- krb5_error_code code;
- krb5_gss_ctx_id_rec *ctx, *ctx_free;
- krb5_timestamp now;
- gss_buffer_desc token;
- int i, j, k, err;
- int default_mech = 0;
- OM_uint32 major_status;
+ krb5_enctype *requested_enctypes;
- if (GSS_ERROR(kg_get_context(minor_status, &context)))
- return(GSS_S_FAILURE);
+ *ret_enctypes = malloc((N_WANTED_ENCTYPES + 1) * sizeof(krb5_enctype));
+ if (*ret_enctypes == NULL)
+ return ENOMEM;
- /* set up return values so they can be "freed" successfully */
+ code = krb5_get_tgs_ktypes (context, 0, &default_enctypes);
+ if (code) {
+ free(*ret_enctypes);
+ *ret_enctypes = NULL;
+ return code;
+ }
+ requested_enctypes = *ret_enctypes;
+
+ /* "i" denotes *next* slot to fill. Don't forget to save room
+ for a trailing zero. */
+ i = 0;
+ for (j = 0;
+ (default_enctypes[j] != 0
+ /* This part should be redundant, but let's be paranoid. */
+ && i < N_WANTED_ENCTYPES);
+ j++) {
+
+ krb5_enctype e = default_enctypes[j];
+
+ /* Is this enctype one of the ones we want for GSSAPI? */
+ is_wanted_enctype = 0;
+ for (k = 0; k < N_WANTED_ENCTYPES; k++) {
+ if (wanted_enctypes[k] == e) {
+ is_wanted_enctype = 1;
+ break;
+ }
+ }
+ /* If unwanted, go to the next one. */
+ if (!is_wanted_enctype)
+ continue;
+
+ /* Is this enctype already in the list of enctypes to
+ request? (Is it a duplicate?) */
+ is_duplicate_enctype = 0;
+ for (k = 0; k < i; k++) {
+ if (requested_enctypes[k] == e) {
+ is_duplicate_enctype = 1;
+ break;
+ }
+ }
+ /* If it is not a duplicate, add it. */
+ if (!is_duplicate_enctype)
+ requested_enctypes[i++] = e;
+ }
+ krb5_free_ktypes(context, default_enctypes);
+ requested_enctypes[i++] = 0;
+ return GSS_S_COMPLETE;
+}
- major_status = GSS_S_FAILURE; /* Default major code */
- output_token->length = 0;
- output_token->value = NULL;
- if (actual_mech_type)
- *actual_mech_type = NULL;
- token.value = 0;
- ctx_free = 0;
+/*
+ * setup_enc
+ *
+ * Fill in the encryption descriptors. Called after AP-REQ is made.
+ */
+static OM_uint32
+setup_enc(
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ krb5_context context)
+{
+ krb5_error_code code;
+ int i;
+
+ switch(ctx->subkey->enctype) {
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_CRC:
+ ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_DES;
+
+ /* The encryption key is the session key XOR
+ 0xf0f0f0f0f0f0f0f0. */
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
+ goto fail;
- /* verify the credential, or use the default */
- /*SUPPRESS 29*/
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 major;
+ for (i=0; i<ctx->enc->length; i++)
+ /*SUPPRESS 113*/
+ ctx->enc->contents[i] ^= 0xf0;
- /*
- * Release default cred prior to re-acquiring it, to notice when
- * the ccache has changed.
- */
- major = kg_release_defcred(minor_status);
- if (GSS_ERROR(major))
- return major;
- if ((major = kg_get_defcred(minor_status, &claimant_cred_handle)) &&
- GSS_ERROR(major)) {
- return(major);
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq)))
+ goto fail;
+
+ break;
+
+ case ENCTYPE_DES3_CBC_SHA1:
+ ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
+
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
+ if (code)
+ goto fail;
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
+ if (code) {
+ krb5_free_keyblock (context, ctx->enc);
+ goto fail;
}
- } else {
- OM_uint32 major;
-
- major = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
- if (GSS_ERROR(major))
- return(major);
+ break;
+ case ENCTYPE_ARCFOUR_HMAC:
+ ctx->signalg = SGN_ALG_HMAC_MD5 ;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
+
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
+ if (code)
+ goto fail;
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
+ if (code) {
+ krb5_free_keyblock (context, ctx->enc);
+ goto fail;
+ }
+ break;
+#if 0
+ case ENCTYPE_DES3_CBC_MD5:
+ enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = 3;
+ ctx->cksum_size = 16;
+ ctx->sealalg = 1;
+ break;
+#endif
+ default:
+ *minor_status = KRB5_BAD_ENCTYPE;
+ return GSS_S_FAILURE;
}
+fail:
+ *minor_status = code;
+ return GSS_S_FAILURE;
+}
- cred = (krb5_gss_cred_id_t) claimant_cred_handle;
+/*
+ * new_connection
+ *
+ * Do the grunt work of setting up a new context.
+ */
+static OM_uint32
+new_connection(
+ OM_uint32 *minor_status,
+ krb5_gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context,
+ int default_mech)
+{
+ OM_uint32 major_status;
+ krb5_error_code code;
+ krb5_enctype *requested_enctypes;
+ krb5_creds *k_cred;
+ krb5_gss_ctx_id_rec *ctx, *ctx_free;
+ krb5_timestamp now;
+ gss_buffer_desc token;
- /* verify the mech_type */
+ major_status = GSS_S_FAILURE;
+ token.length = 0;
+ token.value = NULL;
- err = 0;
- if (mech_type == GSS_C_NULL_OID) {
- default_mech = 1;
- if (cred->rfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- } else if (cred->prerfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5_old;
- } else {
- err = 1;
- }
- } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
- if (!cred->rfc_mech)
- err = 1;
- } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
- if (!cred->prerfc_mech)
- err = 1;
- } else {
- err = 1;
+ /* make sure the cred is usable for init */
+
+ if ((cred->usage != GSS_C_INITIATE) &&
+ (cred->usage != GSS_C_BOTH)) {
+ *minor_status = 0;
+ return(GSS_S_NO_CRED);
}
-
- if (err) {
+
+ /* complain if the input token is non-null */
+
+ if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
*minor_status = 0;
- return(GSS_S_BAD_MECH);
+ return(GSS_S_DEFECTIVE_TOKEN);
}
- /* verify that the target_name is valid and usable */
+ /* create the ctx */
- if (! kg_validate_name(target_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
+ == NULL) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
}
- /* is this a new connection or not? */
+ /* fill in the ctx */
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+ ctx_free = ctx;
+ if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
+ goto fail;
+ krb5_auth_con_setflags(context, ctx->auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+ ctx->initiate = 1;
+ ctx->gss_flags = KG_IMPLFLAGS(req_flags);
+ ctx->seed_init = 0;
+ ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
+ ctx->seqstate = 0;
+ ctx->nctypes = 0;
+ ctx->ctypes = 0;
+
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+
+ if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
+ ctx->endtime = 0;
+ } else {
+ ctx->endtime = now + time_req;
+ }
- /*SUPPRESS 29*/
- if (*context_handle == GSS_C_NO_CONTEXT) {
- /* make sure the cred is usable for init */
+ if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
+ goto fail;
+
+ if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
+ &ctx->there)))
+ goto fail;
+
+ code = get_requested_enctypes(context, &requested_enctypes);
+ if (code)
+ goto fail;
+
+ code = get_credentials(context, cred, ctx->there, now,
+ ctx->endtime, requested_enctypes, &k_cred);
+ free(requested_enctypes);
+ if (code)
+ goto fail;
+
+ if (default_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ }
- if ((cred->usage != GSS_C_INITIATE) &&
- (cred->usage != GSS_C_BOTH)) {
- *minor_status = 0;
- return(GSS_S_NO_CRED);
+ if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
+ != GSS_S_COMPLETE) {
+ code = *minor_status;
+ goto fail;
+ }
+ /*
+ * Now try to make it static if at all possible....
+ */
+ ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
+
+ {
+ /* gsskrb5 v1 */
+ if ((code = make_ap_req_v1(context, ctx,
+ cred, k_cred, input_chan_bindings,
+ mech_type, &token))) {
+ if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
+ (code == KG_EMPTY_CCACHE))
+ major_status = GSS_S_NO_CRED;
+ if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
+ major_status = GSS_S_CREDENTIALS_EXPIRED;
+ goto fail;
}
- /* complain if the input token is non-null */
+ krb5_auth_con_getlocalseqnumber(context, ctx->auth_context,
+ &ctx->seq_send);
+ krb5_auth_con_getsendsubkey(context, ctx->auth_context,
+ &ctx->subkey);
+ }
- if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
+ major_status = setup_enc(minor_status, ctx, context);
- /* create the ctx */
+ if (k_cred) {
+ krb5_free_creds(context, k_cred);
+ k_cred = 0;
+ }
+
+ /* at this point, the context is constructed and valid,
+ hence, releaseable */
- if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
- == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ /* intern the context handle */
- /* fill in the ctx */
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx_free = ctx;
- if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
- goto fail;
- krb5_auth_con_setflags(context, ctx->auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- ctx->initiate = 1;
- ctx->gss_flags = KG_IMPLFLAGS(req_flags);
- ctx->seed_init = 0;
- ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
- ctx->seqstate = 0;
- ctx->nctypes = 0;
- ctx->ctypes = 0;
+ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
+ code = G_VALIDATE_FAILED;
+ goto fail;
+ }
+ *context_handle = (gss_ctx_id_t) ctx;
+ ctx_free = 0;
+ /* compute time_rec */
+ if (time_rec) {
if ((code = krb5_timeofday(context, &now)))
- goto fail;
+ goto fail;
+ *time_rec = ctx->endtime - now;
+ }
- if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
- ctx->endtime = 0;
- } else {
- ctx->endtime = now + time_req;
- }
+ /* set the other returns */
+ *output_token = token;
- if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
- goto fail;
-
- if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
- &ctx->there)))
- goto fail;
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
- code = krb5_get_tgs_ktypes (context, 0, &default_enctypes);
- if (code)
- goto fail;
- /* "i" denotes *next* slot to fill. Don't forget to save room
- for a trailing zero. */
- i = 0;
- for (j = 0;
- (default_enctypes[j] != 0
- /* This part should be redundant, but let's be paranoid. */
- && i < N_WANTED_ENCTYPES);
- j++) {
-
- int is_duplicate_enctype;
- int is_wanted_enctype;
-
- krb5_enctype e = default_enctypes[j];
-
- /* Is this enctype one of the ones we want for GSSAPI? */
- is_wanted_enctype = 0;
- for (k = 0; k < N_WANTED_ENCTYPES; k++) {
- if (wanted_enctypes[k] == e) {
- is_wanted_enctype = 1;
- break;
- }
- }
- /* If unwanted, go to the next one. */
- if (!is_wanted_enctype)
- continue;
-
- /* Is this enctype already in the list of enctypes to
- request? (Is it a duplicate?) */
- is_duplicate_enctype = 0;
- for (k = 0; k < i; k++) {
- if (requested_enctypes[k] == e) {
- is_duplicate_enctype = 1;
- break;
- }
- }
- /* If it is not a duplicate, add it. */
- if (!is_duplicate_enctype)
- requested_enctypes[i++] = e;
- }
- requested_enctypes[i++] = 0;
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
- if ((code = get_credentials(context, cred, ctx->there, now,
- ctx->endtime, requested_enctypes, &k_cred)))
- goto fail;
+ /* return successfully */
- if (default_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- }
+ *minor_status = 0;
+ if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
+ ctx->established = 0;
+ return(GSS_S_CONTINUE_NEEDED);
+ } else {
+ ctx->seq_recv = ctx->seq_send;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
+ ctx->established = 1;
+ return(GSS_S_COMPLETE);
+ }
- if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
- != GSS_S_COMPLETE) {
- code = *minor_status;
- goto fail;
- }
- /*
- * Now try to make it static if at all possible....
- */
- ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
-
- {
- /* gsskrb5 v1 */
- if ((code = make_ap_req_v1(context, ctx,
- cred, k_cred, input_chan_bindings,
- mech_type, &token))) {
- if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
- (code == KG_EMPTY_CCACHE))
- major_status = GSS_S_NO_CRED;
- if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
- krb5_auth_con_getlocalseqnumber(context, ctx->auth_context,
- &ctx->seq_send);
- krb5_auth_con_getlocalsubkey(context, ctx->auth_context,
- &ctx->subkey);
-
- /* fill in the encryption descriptors */
-
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
-
- /* The encryption key is the session key XOR
- 0xf0f0f0f0f0f0f0f0. */
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
- goto fail;
-
- for (i=0; i<ctx->enc->length; i++)
- /*SUPPRESS 113*/
- ctx->enc->contents[i] ^= 0xf0;
-
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq)))
- goto fail;
-
- break;
-
- case ENCTYPE_DES3_CBC_SHA1:
- ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
-
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
- case ENCTYPE_ARCFOUR_HMAC:
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
-
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
-#if 0
- case ENCTYPE_DES3_CBC_MD5:
- enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = 3;
- ctx->cksum_size = 16;
- ctx->sealalg = 1;
- break;
-#endif
- default:
- *minor_status = KRB5_BAD_ENCTYPE;
- return GSS_S_FAILURE;
- }
+fail:
+ if (ctx_free) {
+ if (ctx_free->auth_context)
+ krb5_auth_con_free(context, ctx_free->auth_context);
+ if (ctx_free->here)
+ krb5_free_principal(context, ctx_free->here);
+ if (ctx_free->there)
+ krb5_free_principal(context, ctx_free->there);
+ if (ctx_free->subkey)
+ krb5_free_keyblock(context, ctx_free->subkey);
+ if (ctx_free->ctypes)
+ krb5_free_cksumtypes(context, ctx_free->ctypes);
+ xfree(ctx_free);
+ } else
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
- }
+ *minor_status = code;
+ return (major_status);
+}
- if (k_cred) {
- krb5_free_creds(context, k_cred);
- k_cred = 0;
- }
-
- /* at this point, the context is constructed and valid,
- hence, releaseable */
+/*
+ * mutual_auth
+ *
+ * Handle the reply from the acceptor, if we're doing mutual auth.
+ */
+static OM_uint32
+mutual_auth(
+ OM_uint32 *minor_status,
+ krb5_gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context)
+{
+ OM_uint32 major_status;
+ unsigned char *ptr;
+ char *sptr;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_data;
+ krb5_timestamp now;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_error *krb_error;
+ krb5_error_code code;
- /* intern the context handle */
+ major_status = GSS_S_FAILURE;
- if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- code = G_VALIDATE_FAILED;
- goto fail;
- }
- *context_handle = (gss_ctx_id_t) ctx;
- ctx_free = 0;
-
- /* compute time_rec */
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
+ /* validate the context handle */
+ /*SUPPRESS 29*/
+ if (! kg_validate_ctx_id(*context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- /* set the other returns */
- *output_token = token;
+ ctx = (gss_ctx_id_t) *context_handle;
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
+ /* make sure the context is non-established, and that certain
+ arguments are unchanged */
- if (actual_mech_type)
- *actual_mech_type = mech_type;
+ if ((ctx->established) ||
+ ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
+ code = KG_CONTEXT_ESTABLISHED;
+ goto fail;
+ }
- /* return successfully */
+ if (! krb5_principal_compare(context, ctx->there,
+ (krb5_principal) target_name)) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_BAD_NAME;
+ goto fail;
+ }
- *minor_status = 0;
- if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
- ctx->established = 0;
- return(GSS_S_CONTINUE_NEEDED);
- } else {
- ctx->seq_recv = ctx->seq_send;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
- ctx->established = 1;
- /* fall through to GSS_S_COMPLETE */
- }
- } else {
- unsigned char *ptr;
- char *sptr;
- krb5_data ap_rep;
- krb5_ap_rep_enc_part *ap_rep_data;
- krb5_error *krb_error;
-
- /* validate the context handle */
- /*SUPPRESS 29*/
- if (! kg_validate_ctx_id(*context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* verify the token and leave the AP_REP message in ap_rep */
- ctx = (gss_ctx_id_t) *context_handle;
+ if (input_token == GSS_C_NO_BUFFER) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_DEFECTIVE_TOKEN;
+ goto fail;
+ }
- /* make sure the context is non-established, and that certain
- arguments are unchanged */
+ ptr = (unsigned char *) input_token->value;
- if ((ctx->established) ||
- (((gss_cred_id_t) cred) != claimant_cred_handle) ||
- ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
- code = KG_CONTEXT_ESTABLISHED;
- goto fail;
- }
+ if (g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_AP_REP,
+ input_token->length)) {
+ if (g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_ERROR,
+ input_token->length) == 0) {
+
+ /* Handle a KRB_ERROR message from the server */
- if (! krb5_principal_compare(context, ctx->there,
- (krb5_principal) target_name)) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_BAD_NAME;
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+
+ code = krb5_rd_error(context, &ap_rep, &krb_error);
+ if (code)
+ goto fail;
+ if (krb_error->error)
+ code = krb_error->error + ERROR_TABLE_BASE_krb5;
+ else
+ code = 0;
+ krb5_free_error(context, krb_error);
goto fail;
+ } else {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
}
+ }
- /* verify the token and leave the AP_REP message in ap_rep */
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
- if (input_token == GSS_C_NO_BUFFER) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_DEFECTIVE_TOKEN;
+ /* decode the ap_rep */
+ if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data))) {
+ /*
+ * XXX A hack for backwards compatiblity.
+ * To be removed in 1999 -- proven
+ */
+ krb5_auth_con_setuseruserkey(context, ctx->auth_context,
+ ctx->subkey);
+ if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data)))
goto fail;
- }
+ }
- ptr = (unsigned char *) input_token->value;
+ /* store away the sequence number */
+ ctx->seq_recv = ap_rep_data->seq_number;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0);
- if ((err = g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_AP_REP,
- input_token->length))) {
- if (g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_ERROR,
- input_token->length) == 0) {
+ /* free the ap_rep_data */
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
- /* Handle a KRB_ERROR message from the server */
+ /* set established */
+ ctx->established = 1;
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- code = krb5_rd_error(context, &ap_rep, &krb_error);
- if (code)
- goto fail;
- if (krb_error->error)
- code = krb_error->error + ERROR_TABLE_BASE_krb5;
- else
- code = 0;
- krb5_free_error(context, krb_error);
- goto fail;
- } else {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
- }
+ /* set returns */
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- /* decode the ap_rep */
- if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data))) {
- /*
- * XXX A hack for backwards compatiblity.
- * To be removed in 1999 -- proven
- */
- krb5_auth_con_setuseruserkey(context, ctx->auth_context,
- ctx->subkey);
- if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data)))
- goto fail;
- }
+ if (time_rec) {
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+ *time_rec = ctx->endtime - now;
+ }
- /* store away the sequence number */
- ctx->seq_recv = ap_rep_data->seq_number;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0);
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
- /* free the ap_rep_data */
- krb5_free_ap_rep_enc_part(context, ap_rep_data);
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
- /* set established */
- ctx->established = 1;
+ /* success */
- /* set returns */
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
+fail:
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
+ *minor_status = code;
+ return (major_status);
+}
- if (actual_mech_type)
- *actual_mech_type = mech_type;
+OM_uint32
+krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
+ context_handle, target_name, mech_type,
+ req_flags, time_req, input_chan_bindings,
+ input_token, actual_mech_type, output_token,
+ ret_flags, time_rec)
+ OM_uint32 *minor_status;
+ gss_cred_id_t claimant_cred_handle;
+ gss_ctx_id_t *context_handle;
+ gss_name_t target_name;
+ gss_OID mech_type;
+ OM_uint32 req_flags;
+ OM_uint32 time_req;
+ gss_channel_bindings_t input_chan_bindings;
+ gss_buffer_t input_token;
+ gss_OID *actual_mech_type;
+ gss_buffer_t output_token;
+ OM_uint32 *ret_flags;
+ OM_uint32 *time_rec;
+{
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ int err;
+ int default_mech = 0;
+ OM_uint32 major_status;
+ OM_uint32 tmp_min_stat;
+
+ if (GSS_ERROR(kg_get_context(minor_status, &context)))
+ return(GSS_S_FAILURE);
+
+ /* set up return values so they can be "freed" successfully */
+
+ major_status = GSS_S_FAILURE; /* Default major code */
+ output_token->length = 0;
+ output_token->value = NULL;
+ if (actual_mech_type)
+ *actual_mech_type = NULL;
- /* success */
+ /* verify that the target_name is valid and usable */
+ if (! kg_validate_name(target_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
+
+ /* verify the credential, or use the default */
+ /*SUPPRESS 29*/
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
+ major_status = kg_get_defcred(minor_status, &cred);
+ if (major_status && GSS_ERROR(major_status)) {
+ return(major_status);
+ }
+ } else {
+ major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
+ if (GSS_ERROR(major_status))
+ return(major_status);
+ cred = (krb5_gss_cred_id_t) claimant_cred_handle;
+ }
+
+ /* verify the mech_type */
+
+ err = 0;
+ if (mech_type == GSS_C_NULL_OID) {
+ default_mech = 1;
+ if (cred->rfc_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ } else if (cred->prerfc_mech) {
+ mech_type = (gss_OID) gss_mech_krb5_old;
+ } else {
+ err = 1;
+ }
+ } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+ if (!cred->rfc_mech)
+ err = 1;
+ } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
+ if (!cred->prerfc_mech)
+ err = 1;
+ } else {
+ err = 1;
+ }
+
+ if (err) {
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t)cred);
*minor_status = 0;
- /* fall through to GSS_S_COMPLETE */
+ return(GSS_S_BAD_MECH);
}
- return(GSS_S_COMPLETE);
+ /* is this a new connection or not? */
-fail:
- if (ctx_free) {
- if (ctx_free->auth_context)
- krb5_auth_con_free(context, ctx_free->auth_context);
- if (ctx_free->here)
- krb5_free_principal(context, ctx_free->here);
- if (ctx_free->there)
- krb5_free_principal(context, ctx_free->there);
- if (ctx_free->subkey)
- krb5_free_keyblock(context, ctx_free->subkey);
- if (ctx_free->ctypes)
- krb5_free_cksumtypes(context, ctx_free->ctypes);
- xfree(ctx_free);
- } else
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ /*SUPPRESS 29*/
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ major_status = new_connection(minor_status, cred, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context, default_mech);
+ } else {
+ major_status = mutual_auth(minor_status, cred, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context);
+ }
- *minor_status = code;
- return (major_status);
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t)cred);
+
+ return(major_status);
}
gss_OID_set mechs;
OM_uint32 ret;
+ ret = GSS_S_FAILURE;
+
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
if (cred_handle == GSS_C_NO_CREDENTIAL) {
OM_uint32 major;
- if ((major = kg_get_defcred(minor_status, &cred_handle)) &&
+ if ((major = kg_get_defcred(minor_status, (gss_cred_id_t)&cred)) &&
GSS_ERROR(major)) {
return(major);
}
major = krb5_gss_validate_cred(minor_status, cred_handle);
if (GSS_ERROR(major))
return(major);
+ cred = (krb5_gss_cred_id_t) cred_handle;
}
- cred = (krb5_gss_cred_id_t) cred_handle;
-
if ((code = krb5_timeofday(context, &now))) {
*minor_status = code;
- return(GSS_S_FAILURE);
+ ret = GSS_S_FAILURE;
+ goto fail;
}
if (cred->tgt_expire > 0) {
if (cred->princ &&
(code = krb5_copy_principal(context, cred->princ, &ret_name))) {
*minor_status = code;
- return(GSS_S_FAILURE);
+ ret = GSS_S_FAILURE;
+ goto fail;
}
}
&mechs)))) {
krb5_free_principal(context, ret_name);
/* *minor_status set above */
- return(ret);
+ goto fail;
}
}
if (mechanisms)
*mechanisms = mechs;
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t)cred);
+
*minor_status = 0;
return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
+fail:
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ OM_uint32 tmp_min_stat;
+
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t)cred);
+ }
+ return ret;
}
/* V2 interface */
return(GSS_S_FAILURE);
}
memcpy(token.value, plain+conflen, token.length);
+ } else {
+ token.value = NULL;
}
} else if (toktype == KG_TOK_SIGN_MSG) {
token = *message_buffer;
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
- if (*cred_handle == GSS_C_NO_CREDENTIAL)
- return(kg_release_defcred(minor_status));
+ if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
if (! kg_delete_cred_id(*cred_handle)) {
*minor_status = (OM_uint32) G_VALIDATE_FAILED;
{
krb5_context context;
krb5_error_code retval;
- OM_uint32 foo_stat;
static char *oldname = NULL;
const char *tmpname = NULL;
*minor_status = retval;
return GSS_S_FAILURE;
}
- kg_release_defcred(&foo_stat);
return GSS_S_COMPLETE;
}
;
; GSS-API variables
;
- gss_nt_user_name DATA
- gss_nt_machine_uid_name DATA
- gss_nt_string_uid_name DATA
- gss_nt_service_name DATA
+ gss_nt_user_name DATA
+ gss_nt_machine_uid_name DATA
+ gss_nt_string_uid_name DATA
+ gss_nt_service_name DATA
+ GSS_C_NT_USER_NAME DATA
+ GSS_C_NT_MACHINE_UID_NAME DATA
+ GSS_C_NT_STRING_UID_NAME DATA
+ GSS_C_NT_HOSTBASED_SERVICE DATA
+ GSS_C_NT_HOSTBASED_SERVICE_X DATA
+ GSS_C_NT_ANONYMOUS DATA
+ GSS_C_NT_EXPORT_NAME DATA
+2003-06-03 Tom Yu <tlyu@mit.edu>
+
+ * alt_prof.c (krb5_read_realm_params): Don't bother reading in
+ realm_keysalts or realm_num_keysalts, as they're no longer used.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * alt_prof.c (kadm5_get_config_params): Change default max_life to
+ one day.
+
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * alt_prof.c (kadm5_get_config_params): Remove aes256 from the
+ default supported enctypes list for now.
+
+2003-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * alt_prof.c (kadm5_get_config_params): Add aes256 to the default
+ supported enctypes list.
+
2003-01-10 Ken Raeburn <raeburn@mit.edu>
* configure.in: Don't explicitly invoke AC_PROG_ARCHIVE,
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h
misc_free.so misc_free.po $(OUTPRE)misc_free.$(OBJEXT): misc_free.c $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
server_internal.h admin_internal.h adb.h $(DB_DEPS)
kadm_rpc_xdr.so kadm_rpc_xdr.po $(OUTPRE)kadm_rpc_xdr.$(OBJEXT): kadm_rpc_xdr.c $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/admin_xdr.h
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
admin_internal.h
alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): alt_prof.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
$(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
$(SRCTOP)/include/krb5/adm_proto.h
str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h admin_internal.h $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h admin_internal.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
$(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
$(SRCTOP)/include/krb5/adm_proto.h
logger.so logger.po $(OUTPRE)logger.$(OBJEXT): logger.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm_proto.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm_proto.h \
$(SRCTOP)/include/syslog.h
params.max_life = dtvalue;
params.mask |= KADM5_CONFIG_MAX_LIFE;
} else {
- params.max_life = 36000; /* 10 hours */
+ params.max_life = 24 * 60 * 60; /* 1 day */
params.mask |= KADM5_CONFIG_MAX_LIFE;
}
if (aprofile)
krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
if (svalue == NULL)
- svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
+ svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
params.keysalts = NULL;
params.num_keysalts = 0;
krb5_xfree(svalue);
}
- /* Get the value for the supported enctype/salttype matrix */
- /* XXX This is so that the kdc will search a different
- enctype list than kadmind */
- if (!kret) {
- hierarchy[2] = "kdc_supported_enctypes";
- kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
- if (kret) {
- hierarchy[2] = "supported_enctypes";
- kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
- }
- if (!kret) {
- krb5_string_to_keysalts(svalue,
- ", \t", /* Tuple separators */
- ":.-", /* Key/salt separators */
- 0, /* No duplicates */
- &rparams->realm_keysalts,
- &rparams->realm_num_keysalts);
- krb5_xfree(svalue);
- }
- kret = 0;
- }
+ rparams->realm_keysalts = NULL;
+ rparams->realm_num_keysalts = 0;
cleanup:
if (aprofile)
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
$(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h
client_principal.so client_principal.po $(OUTPRE)client_principal.$(OBJEXT): client_principal.c \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h
client_init.so client_init.po $(OUTPRE)client_init.$(OBJEXT): client_init.c $(COM_ERR_DEPS) \
$(BUILDTOP)/include/krb5.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h client_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * server_kdb.c (kdb_init_hist): Force history principal's key to
+ be of the same enctype as the master key, as searches for it later
+ on explicitly specify the enctype.
+
+2003-04-01 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables.
+ (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS).
+ (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB).
+
2003-01-12 Ezra Peisach <epeisach@bu.edu>
* svr_iters.c (kadm5_get_either): For POSIX_REGEXPS
LIBMINOR=1
STOBJLISTS=../OBJS.ST OBJS.ST
-SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@)
-SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT)
-SHLIB_DBLIB-sys =
-
SHLIB_EXPDEPS=\
$(TOPLIBD)/libgssrpc$(SHLIBEXT) \
$(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \
- $(TOPLIBD)/libkdb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) \
+ $(TOPLIBD)/libkdb5$(SHLIBEXT) \
$(TOPLIBD)/libkrb5$(SHLIBEXT) \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(COM_ERR_DEPLIB)
-SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(DB_LIB) \
+SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \
-lkrb5 -lk5crypto -lcom_err @GEN_LIB@
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
$(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
$(DB_DEPS) $(SRCTOP)/include/krb5/adm_proto.h server_acl.h
server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): server_kdb.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
$(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
$(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS)
server_misc.so server_misc.po $(OUTPRE)server_misc.$(OBJEXT): server_misc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/adb.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/types.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/syslog.h \
$(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
$(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
$(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/adb.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/admin_xdr.h \
$(BUILDTOP)/include/kadm5/kadm_rpc.h
adb_policy.so adb_policy.po $(OUTPRE)adb_policy.$(OBJEXT): adb_policy.c $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
$(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
adb_free.so adb_free.po $(OUTPRE)adb_free.$(OBJEXT): adb_free.c $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
$(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
adb_openclose.so adb_openclose.po $(OUTPRE)adb_openclose.$(OBJEXT): adb_openclose.c $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
$(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
int ret = 0;
char *realm, *hist_name;
krb5_key_data *key_data;
+ krb5_key_salt_tuple ks[1];
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
history principal, anyway. */
hist_kvno = 2;
-
- ret = kadm5_create_principal(handle, &ent,
- (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES),
- "to-be-random");
+ ks[0].ks_enctype = handle->params.enctype;
+ ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ ret = kadm5_create_principal_3(handle, &ent,
+ (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
+ KADM5_ATTRIBUTES),
+ 1, ks,
+ "to-be-random");
if (ret)
goto done;
hist_princ = NULL;
- ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL);
+ ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks,
+ NULL, NULL);
hist_princ = ent.principal;
+2003-06-02 Ken Raeburn <raeburn@mit.edu>
+
+ * api.2/init-v2.exp (test117): Update lifetime expected for new
+ defaults.
+
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * api.0/init.exp (test6, test7): Be slightly more lenient about
+ matching password prompt.
+
+ * api.2/init.exp (test6, test7): Be slightly more lenient about
+ matching password prompt.
+
2003-01-07 Ken Raeburn <raeburn@mit.edu>
* Makefile.ov: Deleted.
send "ovsec_kadm_init admin null \$OVSEC_KADM_ADMIN_SERVICE null \$OVSEC_KADM_STRUCT_VERSION \$OVSEC_KADM_API_VERSION_1 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*: *" { }
eof {
fail "$test: eof instead of password prompt"
api_exit
send "ovsec_kadm_init admin \"\" \$OVSEC_KADM_ADMIN_SERVICE null \$OVSEC_KADM_STRUCT_VERSION \$OVSEC_KADM_API_VERSION_1 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*: *" { }
-re "\n\[^\n\]+key:\[^\n\]*$" { }
eof {
fail "$test: eof instead of password prompt"
}
}
- if {$max_life == 36000} {
+ if {$max_life == 86400} {
pass "$test"
} else {
- fail "$test: max_life $max_life should be 36000"
+ fail "$test: max_life $max_life should be 86400"
}
if {! [cmd {kadm5_destroy $server_handle}]} {
send "kadm5_init admin null \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*:" { }
eof {
fail "$test: eof instead of password prompt"
api_exit
send "kadm5_init admin \"\" \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*:" { }
-re "key:$" { }
eof {
fail "$test: eof instead of password prompt"
+2003-05-22 Ezra Peisach <epeisach@mit.edu>
+
+ * keytab.c (is_xrealm_tgt): Use strncmp instead of strcmp - as
+ principal and realm name do not need to be null terminated.
+
+2003-04-01 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables.
+ (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS).
+ (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB).
+ (DBOBJLISTS, STOBJLISTS): Pull in object lists of in-tree libdb so
+ we don't need to install libdb. Don't do this if building with
+ system libdb, though, since we need to explicitly link against the
+ system libdb in that case.
+
+2003-03-18 Tom Yu <tlyu@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): Do not perform the enctype
+ comparison if the requested enctype is a wildcard.
+
+2003-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): Match only against the first
+ enctype for non-cross-realm tickets so we will only accept
+ tickets that the current configuration would have issued. For
+ cross-realm tickets be liberal and match against the specified
+ enctype.
+
2003-03-05 Tom Yu <tlyu@mit.edu>
* kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather
LIBMINOR=0
RELDIR=kdb
# Depends on libk5crypto and libkrb5
-SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@)
-SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT)
-SHLIB_DBLIB-sys =
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(TOPLIBD)/libkrb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS)
-SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(DB_LIB) $(LIBS)
+ $(TOPLIBD)/libkrb5$(SHLIBEXT)
+SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
+DBDIR = $(BUILDTOP)/util/db2
+DBOBJLISTS = $(DBOBJLISTS-@DB_VERSION@)
+DBOBJLISTS-sys =
+DBOBJLISTS-k5 = $(DBDIR)/hash/OBJS.ST $(DBDIR)/btree/OBJS.ST \
+ $(DBDIR)/db/OBJS.ST $(DBDIR)/mpool/OBJS.ST $(DBDIR)/recno/OBJS.ST \
+ $(DBDIR)/clib/OBJS.ST
all::
$(srcdir)/setup_mkey.c \
$(srcdir)/store_mkey.c
-STOBJLISTS=OBJS.ST
+STOBJLISTS=OBJS.ST $(DBOBJLISTS)
STLIBOBJS= \
keytab.o \
encrypt_key.o \
#
keytab.so keytab.po $(OUTPRE)keytab.$(OBJEXT): keytab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/kdb_kt.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/kdb_kt.h
encrypt_key.so encrypt_key.po $(OUTPRE)encrypt_key.$(OBJEXT): encrypt_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
decrypt_key.so decrypt_key.po $(OUTPRE)decrypt_key.$(OBJEXT): decrypt_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
kdb_cpw.so kdb_cpw.po $(OUTPRE)kdb_cpw.$(OBJEXT): kdb_cpw.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm.h
kdb_db2.so kdb_db2.po $(OUTPRE)kdb_db2.$(OBJEXT): kdb_db2.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) kdb_compat.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(DB_DEPS) kdb_compat.h \
kdb_db2.h
kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): kdb_xdr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
verify_mky.so verify_mky.po $(OUTPRE)verify_mky.$(OBJEXT): verify_mky.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
fetch_mkey.so fetch_mkey.po $(OUTPRE)fetch_mkey.$(OBJEXT): fetch_mkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
setup_mkey.so setup_mkey.po $(OUTPRE)setup_mkey.$(OBJEXT): setup_mkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
store_mkey.so store_mkey.po $(OUTPRE)store_mkey.$(OBJEXT): store_mkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
* or implied warranty.
*
*/
+#include <string.h>
#include "k5-int.h"
#include "kdb_kt.h"
+static int
+is_xrealm_tgt(krb5_context, krb5_const_principal);
+
krb5_error_code krb5_ktkdb_close (krb5_context, krb5_keytab);
krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal,
krb5_db_entry db_entry;
krb5_boolean more = 0;
int n = 0;
+ int xrealm_tgt = is_xrealm_tgt(context, principal);
+ int similar;
if (ktkdb_ctx)
context = ktkdb_ctx;
if (kerror)
goto error;
+ /* For cross realm tgts, we match whatever enctype is provided;
+ * for other principals, we only match the first enctype that is
+ * found. Since the TGS and AS code do the same thing, then we
+ * will only successfully decrypt tickets we have issued.*/
kerror = krb5_dbe_find_enctype(context, &db_entry,
- enctype, -1, kvno, &key_data);
+ xrealm_tgt?enctype:-1,
+ -1, kvno, &key_data);
if (kerror)
goto error;
+
kerror = krb5_dbekd_decrypt_key_data(context, master_key,
key_data, &entry->key, NULL);
if (kerror)
goto error;
+ if (enctype > 0) {
+ kerror = krb5_c_enctype_compare(context, enctype,
+ entry->key.enctype, &similar);
+ if (kerror)
+ goto error;
+
+ if (!similar) {
+ kerror = KRB5_KDB_NO_PERMITTED_KEY;
+ goto error;
+ }
+ }
/*
* Coerce the enctype of the output keyblock in case we got an
* inexact match on the enctype.
krb5_db_close_database(context);
return(kerror);
}
+
+/*
+ * is_xrealm_tgt: Returns true if the principal is a cross-realm TGT
+ * principal-- a principal with first component krbtgt and second
+ * component not equal to realm.
+ */
+static int
+is_xrealm_tgt(krb5_context context, krb5_const_principal princ)
+{
+ krb5_data *dat;
+ if (krb5_princ_size(context, princ) != 2)
+ return 0;
+ dat = krb5_princ_component(context, princ, 0);
+ if (strncmp("krbtgt", dat->data, dat->length) != 0)
+ return 0;
+ dat = krb5_princ_component(context, princ, 1);
+ if (dat->length != princ->realm.length)
+ return 1;
+ if (strncmp(dat->data, princ->realm.data, dat->length) == 0)
+ return 0;
+ return 1;
+
+}
+
+2003-07-11 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: Check for NULL realm argument and n
+ not equal to 1. Fill in realm with an empty string on error
+ in case the caller doesn't check the return value.
+
+2003-07-11 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: Don't fail when krb5.conf is valid
+ and krb.conf isn't. Also, don't assert v4 realm is in profile
+ unless that realm is a valid v4 realm.
+
+2003-07-07 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: krb_prof_get_nth() no longer assumes that
+ its retlen argument is correct (call strcpy instead of strncpy)
+ because this argument is a guess for some callers
+ (eg: krb_get_admhst())
+
+2003-06-11 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (KRB_ERR_C): New variable; Darwin needs err_txt.o to
+ have a dependency on krb_err.c so that krb_err.c will be generated
+ first.
+
+ * configure.in: Set KRB_ERR_C to krb_err.c on Darwin.
+
+2003-06-09 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c (krb_get_krbhst): Don't fall back to DNS if
+ entries were found in krb.conf, and just not enough to fill the
+ request.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c: Include k5-int.h.
+ (dnscache): New variable.
+ (DNS_CACHE_TIMEOUT): New macro.
+ (krb_get_krbhst) [KRB5_DNS_LOOKUP]: If no krb.conf info is found,
+ try DNS SRV records for "kerberos-iv". Cache results in case
+ they're immediately requested again.
+
+2003-06-06 Tom Yu <tlyu@mit.edu>
+
+ * g_cnffile.c (krb__get_srvtabname): Make retname be a static
+ array rather than a static pointer, to avoid callers' possible
+ retention of free()d pointers. Yes, this may cause difficulty
+ with making this function thread-safe.
+
+2003-06-04 Tom Yu <tlyu@mit.edu>
+
+ * password_to_key.c (mit_passwd_to_key, afs_passwd_to_key): Delete
+ spurious space from prompt.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c (get_krbhst_default): Deleted.
+ (krb_get_krbhst): Don't call it.
+
+2003-06-03 Sam Hartman <hartmans@mit.edu>
+
+ * g_pw_in_tkt.c (passwd_to_key): Fix password prompt
+
+ * password_to_key.c (mit_passwd_to_key): Fix password prompt
+ (afs_passwd_to_key): Fix password prompt
+
+ * g_in_tkt.c (krb_get_in_tkt_preauth_creds): Keep copy of
+ ciphertext while trying different keyprocs
+
+2003-06-02 Tom Yu <tlyu@mit.edu>
+
+ * change_password.c (krb_change_password): Explicitly zero the
+ session key. Zero the key derived from the new password.
+
+ * mk_req.c (krb_mk_req): Explicitly zero the session key.
+ (krb_mk_req_creds_prealm): Don't zero the session key, in case the
+ caller wants to make use of it.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * lifetime.c (krb_life_to_time, krb_time_to_life): Rewrite to use
+ support functions in the krb5 library via krb5int_accessor. Moved
+ old implementation into krb5 library.
+
+2003-05-12 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Add setting of KRB_ERR on Windows.
+
+2003-05-11 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in: Build krb_err.c when appropriate.
+
+ * configure.in: Set KRB_ERR to be the object file generated by
+ krb_err.c on non-Darwin
+
+ * err_txt.c : Don't include krb_err.c on non-Darwin UNIX. Doing
+ so may break with some compile_et implementations. Also not
+ included on Windows.
+
+2003-05-01 Alexandra Ellwood <lxs@mit.edu>
+ ÊÊ
+ * kadm_stream.c: Fixed vts_long() and vts_short() so they return a
+ pointer to the beginning of the memory they allocate and place
+ their data at the end of the buffer which was passed in.
+
+2003-04-15 Alexandra Ellwood <lxs@mit.edu>
+ ÊÊ
+ * g_ad_tkt.c: accidentally checked a non-space character into
+ the USE_LOGIN_LIBRARY part of get_ad_tkt so it doesn't build
+ on the Mac. Oops.
+
+2003-04-14 Alexandra Ellwood <lxs@mit.edu>
+ ÊÊ
+ * g_ad_tkt.c: Added support for login library to get_ad_tkt.
+ Support is copied from Mac Kerberos4 library and conditionalized
+ for USE_LOGIN_LIBRARY to avoid changing get_ad_tkt's behavior for
+ non-Kerberos Login Library builds.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* CCache-glue.c: Added prototypes for deprecated functions.
SHLIB_RDIRS=$(KRB5_LIBDIR)
EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV
+KRB_ERR=@KRB_ERR@
+##DOS##KRB_ERR=$(OUTPRE)krb_err.$(OBJEXT)
+
+# Name of generated krb_err.c, needed for err_txt.* dependency on Darwin.
+KRB_ERR_C=@KRB_ERR_C@
+##DOS##KRB_ERR_C=
OBJS = \
$(OUTPRE)change_password.$(OBJEXT) \
$(OUTPRE)rd_preauth.$(OBJEXT) \
$(OUTPRE)mk_preauth.$(OBJEXT) \
$(OSOBJS) $(CACHEOBJS) $(SETENVOBJS) $(STRCASEOBJS) $(SHMOBJS) \
- $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS)
+ $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) $(KRB_ERR)
SRCS = \
change_password.c \
# Will be empty on Darwin, krb_err_txt.c elsewhere.
KRB_ERR_TXT=@KRB_ERR_TXT@
##DOS##KRB_ERR_TXT=krb_err_txt.c
-err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_TXT)
+err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_C) $(KRB_ERR_TXT)
depend-dependencies: krb_err.h $(EHDRDIR)$(S)krb_err.h \
kadm_err.h $(EHDRDIR)$(S)kadm_err.h \
err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- krb_err.c
+ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h
lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): lifetime.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): g_in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
#include "profile.h"
#include "krb.h"
#include "krb4int.h"
+#include "k5-int.h" /* for accessor, addrlist stuff */
#include "port-sockets.h"
#define KRB5_PRIVATE 1
}
if (result == KSUCCESS) {
/* Return error rather than truncating. */
+ /* Don't strncpy because retlen is a guess for some callers */
if (strlen(value) >= retlen)
result = KFAILURE;
else
- strncpy(ret, value, retlen);
+ strcpy(ret, value);
}
cleanup:
if (name != NULL)
char *realm,
int n)
{
- long profErr = 0;
- char *realmString = NULL;
- char *realmStringV4 = NULL;
- profile_t profile = NULL;
- int result;
- FILE *cnffile = NULL;
- char scratch[SCRATCHSZ];
-
- if (n != 1 || realm == NULL)
- return KFAILURE;
+ int result = KSUCCESS;
+ profile_t profile = NULL;
+ char *profileDefaultRealm = NULL;
+ char **profileV4Realms = NULL;
+ int profileHasDefaultRealm = 0;
+ int profileDefaultRealmIsV4RealmInProfile = 0;
+ char krbConfLocalRealm[REALM_SZ];
+ int krbConfHasLocalRealm = 0;
- result = KFAILURE; /* Start out with failure. */
-
- profErr = krb_get_profile(&profile);
- if (profErr)
- goto cleanup;
+ if ((realm == NULL) || (n != 1)) { result = KFAILURE; }
- profErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION,
- REALMS_V4_DEFAULT_REALM, NULL, NULL,
- &realmString);
- if (profErr || realmString == NULL)
- goto cleanup;
+ if (result == KSUCCESS) {
+ /* Some callers don't check the return value so we initialize
+ * to an empty string in case it never gets filled in. */
+ realm [0] = '\0';
+ }
+
+ if (result == KSUCCESS) {
+ int profileErr = krb_get_profile (&profile);
+
+ if (!profileErr) {
+ /* Get the default realm from the profile */
+ profileErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION,
+ REALMS_V4_DEFAULT_REALM, NULL, NULL,
+ &profileDefaultRealm);
+ if (profileDefaultRealm == NULL) { profileErr = KFAILURE; }
+ }
+
+ if (!profileErr) {
+ /* If there is an equivalent v4 realm to the default realm, use that instead */
+ char *profileV4EquivalentRealm = NULL;
+
+ if (profile_get_string (profile, "realms", profileDefaultRealm, "v4_realm", NULL,
+ &profileV4EquivalentRealm) == 0 &&
+ profileV4EquivalentRealm != NULL) {
+
+ profile_release_string (profileDefaultRealm);
+ profileDefaultRealm = profileV4EquivalentRealm;
+ }
+ }
+
+ if (!profileErr) {
+ if (strlen (profileDefaultRealm) < REALM_SZ) {
+ profileHasDefaultRealm = 1; /* a reasonable default realm */
+ } else {
+ profileErr = KFAILURE;
+ }
+ }
+
+ if (!profileErr) {
+ /* Walk through the v4 realms list looking for the default realm */
+ const char *profileV4RealmsList[] = { REALMS_V4_PROF_REALMS_SECTION, NULL };
+
+ if (profile_get_subsection_names (profile, profileV4RealmsList,
+ &profileV4Realms) == 0 &&
+ profileV4Realms != NULL) {
+
+ char **profileRealm;
+ for (profileRealm = profileV4Realms; *profileRealm != NULL; profileRealm++) {
+ if (strcmp (*profileRealm, profileDefaultRealm) == 0) {
+ /* default realm is a v4 realm */
+ profileDefaultRealmIsV4RealmInProfile = 1;
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ if (result == KSUCCESS) {
+ /* Try to get old-style config file lookup for fallback. */
+ FILE *cnffile = NULL;
+ char scratch[SCRATCHSZ];
+
+ cnffile = krb__get_cnffile();
+ if (cnffile != NULL) {
+ if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) {
+ if (strlen(scratch) < REALM_SZ) {
+ strncpy(krbConfLocalRealm, scratch, REALM_SZ);
+ krbConfHasLocalRealm = 1;
+ }
+ }
+ fclose(cnffile);
+ }
+ }
- if (strlen(realmString) >= REALM_SZ)
- goto cleanup;
- strncpy(realm, realmString, REALM_SZ);
- /*
- * Step 2: the default realm is actually v5 realm, so we have to
- * check for the case where v4 and v5 realms are different.
- */
- profErr = profile_get_string(profile, "realms", realm, "v4_realm",
- NULL, &realmStringV4);
- if (profErr || realmStringV4 == NULL)
- goto cleanup;
+ if (result == KSUCCESS) {
+ /*
+ * We want to favor the profile value over the krb.conf value
+ * but not stop suppporting its use with a v5-only profile.
+ * So we only use the krb.conf realm when the default profile
+ * realm doesn't exist in the v4 realm section of the profile.
+ */
+ if (krbConfHasLocalRealm && !profileDefaultRealmIsV4RealmInProfile) {
+ strncpy (realm, krbConfLocalRealm, REALM_SZ);
+ } else if (profileHasDefaultRealm) {
+ strncpy (realm, profileDefaultRealm, REALM_SZ);
+ } else {
+ result = KFAILURE; /* No default realm */
+ }
+ }
- if (strlen(realmStringV4) >= REALM_SZ)
- goto cleanup;
- strncpy(realm, realmStringV4, REALM_SZ);
- result = KSUCCESS;
-cleanup:
- if (realmString != NULL)
- profile_release_string(realmString);
- if (realmStringV4 != NULL)
- profile_release_string(realmStringV4);
- if (profile != NULL)
- profile_abandon(profile);
+ if (profileDefaultRealm != NULL) { profile_release_string (profileDefaultRealm); }
+ if (profileV4Realms != NULL) { profile_free_list (profileV4Realms); }
+ if (profile != NULL) { profile_abandon (profile); }
- if (result == KSUCCESS)
- return result;
- /*
- * Do old-style config file lookup.
- */
- do {
- cnffile = krb__get_cnffile();
- if (cnffile == NULL)
- break;
- if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) {
- if (strlen(scratch) >= REALM_SZ)
- result = KFAILURE;
- else {
- strncpy(realm, scratch, REALM_SZ);
- result = KSUCCESS;
- }
- }
- fclose(cnffile);
- } while (0);
- if (result == KFAILURE && strlen(KRB_REALM) < REALM_SZ) {
- strncpy(realm, KRB_REALM, REALM_SZ);
- result = KSUCCESS;
- }
return result;
}
REALMS_V4_PROF_KPASSWD_KDC);
}
-static int
-get_krbhst_default(h, r, n)
- char *h;
- char *r;
- int n;
-{
- if (n != 1)
- return KFAILURE;
- if (strlen(KRB_HOST) + 1 + strlen(r) >= MAXHOSTNAMELEN)
- return KFAILURE;
- /* KRB_HOST.REALM (ie. kerberos.CYGNUS.COM) */
- strcpy(h, KRB_HOST);
- strcat(h, ".");
- strcat(h, r);
- return KSUCCESS;
-}
-
/*
* Realm, index -> KDC mapping
*
* kerberos. In the long run, this functionality will be provided by a
* nameserver.
*/
+#ifdef KRB5_DNS_LOOKUP
+static struct {
+ time_t when;
+ char realm[REALM_SZ+1];
+ struct srv_dns_entry *srv;
+} dnscache = { 0, { 0 }, 0 };
+#define DNS_CACHE_TIMEOUT 60 /* seconds */
+#endif
+
int KRB5_CALLCONV
krb_get_krbhst(
char *host,
char linebuf[BUFSIZ];
char tr[SCRATCHSZ];
char scratch[SCRATCHSZ];
+#ifdef KRB5_DNS_LOOKUP
+ time_t now;
+#endif
if (n < 1 || host == NULL || realm == NULL)
return KFAILURE;
+#ifdef KRB5_DNS_LOOKUP
+ /* We'll only have this realm's info in the DNS cache if there is
+ no data in the local config files.
+
+ XXX The files could've been updated in the last few seconds.
+ Do we care? */
+ if (!strncmp(dnscache.realm, realm, REALM_SZ)
+ && (time(&now), abs(dnscache.when - now) < DNS_CACHE_TIMEOUT)) {
+ struct srv_dns_entry *entry;
+
+ get_from_dnscache:
+ /* n starts at 1, addrs indices run 0..naddrs */
+ for (i = 1, entry = dnscache.srv; i < n && entry; i++)
+ entry = entry->next;
+ if (entry == NULL)
+ return KFAILURE;
+ if (strlen(entry->host) + 6 >= MAXHOSTNAMELEN)
+ return KFAILURE;
+ sprintf(host, "%s:%d", entry->host, entry->port);
+ return KSUCCESS;
+ }
+#endif
+
result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n,
REALMS_V4_PROF_REALMS_SECTION,
REALMS_V4_PROF_KDC);
i++;
}
fclose(cnffile);
- if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN)
+ if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN) {
strcpy(host, scratch);
- else
- result = KFAILURE;
+ return KSUCCESS;
+ }
+ if (i > 0)
+ /* Found some, but not as many as requested. */
+ return KFAILURE;
} while (0);
- if (result == KFAILURE)
- result = get_krbhst_default(host, realm, n);
- return result;
+#ifdef KRB5_DNS_LOOKUP
+ do {
+ krb5int_access k5;
+ krb5_error_code err;
+ krb5_data realmdat;
+ struct srv_dns_entry *srv;
+
+ err = krb5int_accessor(&k5, KRB5INT_ACCESS_VERSION);
+ if (err)
+ break;
+
+ realmdat.data = realm;
+ realmdat.length = strlen(realm);
+ err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp", &srv);
+ if (err)
+ break;
+
+ if (srv == 0)
+ break;
+
+ if (dnscache.srv)
+ k5.free_srv_dns_data(dnscache.srv);
+ dnscache.srv = srv;
+ strncpy(dnscache.realm, realm, REALM_SZ);
+ dnscache.when = now;
+ goto get_from_dnscache;
+ } while (0);
+#endif
+ return KFAILURE;
}
/*
p = key;
KRB4_GET32BE(tempKey, p);
sendSize += vts_long(tempKey, &sendStream, (int)sendSize);
+ tempKey = 0;
if (newPassword) {
sendSize += vts_string(newPassword, &sendStream, (int)sendSize);
kadm_cli_disconn(&client_parm);
cleanup:
+ memset(&client_parm.creds.session, 0, sizeof(client_parm.creds.session));
+ memset(&key, 0, sizeof(key));
return err;
}
case $krb5_cv_host in
powerpc-apple-darwin*)
KRB_ERR_TXT=
+ KRB_ERR=
+ KRB_ERR_C=krb_err.c
;;
*)
+ KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)'
KRB_ERR_TXT=krb_err_txt.c
+ KRB_ERR_C=
;;
esac
AC_SUBST([KRB_ERR_TXT])
+AC_SUBST([KRB_ERR])
+AC_SUBST([KRB_ERR_C])
AC_PROG_AWK
KRB5_BUILD_LIBOBJS
KRB5_BUILD_LIBRARY_WITH_DEPS
* This is gross. We want krb_err_txt to match the contents of the
* com_err error table, but the text is static in krb_err.c. We can't
* alias it by making a pointer to it, either, so we have to suck in
- * another copy of it that is named differently. Also, to avoid
- * multiple registrations of the error table, we want to override
- * initialize_krb_error_table() in case someone decides to call it.
- */
+ * another copy of it that is named differently. */
+#if TARGET_OS_MAC
#undef initialize_krb_error_table
#define initialize_krb_error_table krb4int_init_krb_err_tbl
void krb4int_init_krb_err_tbl(void);
#include "krb_err.c"
#undef initialize_krb_error_table
-#if TARGET_OS_MAC
/*
* Depends on the name of the static table generated by compile_et,
* but since this is only on Darwin, where we will always use a
inited = 1;\
}
-void
-initialize_krb_error_table(void)
-{
- krb4int_et_init();
-}
-
void
krb4int_et_fini(void)
{
size_t snamelen, sinstlen;
kerror = krb_get_tf_realm(TKT_FILE, lrealm);
+#if USE_LOGIN_LIBRARY
+ if (kerror == GC_NOTKT) {
+ /* No tickets... call krb_get_cred (KLL will prompt) and try again. */
+ if ((kerror = krb_get_cred ("krbtgt", realm, realm, &cr)) == KSUCCESS) {
+ /* Now get the realm again. */
+ kerror = krb_get_tf_realm (TKT_FILE, lrealm);
+ }
+ }
+#endif
if (kerror != KSUCCESS)
return kerror;
const char* names[3];
char **full_name = 0, **cpp;
krb5_error_code retval;
- static char *retname;
+ static char retname[MAXPATHLEN];
if (!krb5__krb4_context)
krb5_init_context(&krb5__krb4_context);
retval = profile_get_values(krb5__krb4_context->profile, names,
&full_name);
if (retval == 0 && full_name && full_name[0]) {
- if (retname != NULL)
- free(retname);
- retname = strdup(full_name[0]);
+ retname[0] = '\0';
+ strncat(retname, full_name[0], sizeof(retname));
for (cpp = full_name; *cpp; cpp++)
krb5_xfree(*cpp);
krb5_xfree(full_name);
return retname;
}
}
- if (retname != NULL)
- free(retname);
- retname = strdup(default_srvtabname);
+ retname[0] = '\0';
+ strncat(retname, default_srvtabname, sizeof(retname));
return retname;
}
/* Attempt to decrypt the reply. Loop trying password_to_key algorithms
until we succeed or we get an error other than "bad password" */
do {
+ KTEXT_ST cip_copy_st;
+ memcpy(&cip_copy_st, &cip_st, sizeof(cip_st));
+ cip = &cip_copy_st;
if (decrypt_proc == NULL) {
decrypt_tkt (user, instance, realm, arg, keyprocs[i], &cip);
} else {
kerror = krb_parse_in_tkt_creds(user, instance, realm,
service, sinstance, life, cip, byteorder, creds);
} while ((keyprocs [++i] != NULL) && (kerror == INTK_BADPW));
+ cip = &cip_st;
/* Fill in the local address if the caller wants it */
if (laddrp != NULL) {
if (passwd)
string_to_key(passwd, key);
else {
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
}
#endif /* NOENCRYPTION */
#endif /* unix */
if (p == NULL)
return -1;
+ *st = p; /* KRB4_PUT32BE will modify p */
+
+ p += loc; /* place bytes at the end */
KRB4_PUT16BE(p, dat);
- *st = p;
+
return 2;
}
if (p == NULL)
return -1;
+ *st = p; /* KRB4_PUT32BE will modify p */
+
+ p += loc; /* place bytes at the end */
KRB4_PUT32BE(p, dat);
- *st = p;
+
return 4;
}
/*
- * Copyright 2000, 2001 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
*/
#include "krb.h"
-
-/*
- * Only lifetime bytes values less than 128 are on a linear scale.
- * The following table contains an exponential scale that covers the
- * lifetime values 128 to 191 inclusive (a total of 64 values).
- * Values greater than 191 get interpreted the same as 191, but they
- * will never be generated by the functions in this file.
- *
- * The ratio is approximately 1.069144898 (actually exactly
- * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
- * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
- * 191 to correspond to a ticket life of exactly 30 days and a
- * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
- * the other values spread on an exponential curve fit in between
- * them. This table should correspond exactly to the set of extended
- * ticket lifetime values used by AFS and CMU.
- *
- * The following awk script is sufficient to reproduce the table:
- * BEGIN {
- * r = exp(log(2592000/38400)/63);
- * x = 38400;
- * for (i=0;i<64;i++) {
- * printf("%d\n",x+0.5);
- * x *= r;
- * }
- * }
- */
-#ifndef SHORT_LIFETIME
-#define NLIFETIMES 64
-static const KRB4_32 lifetimes[NLIFETIMES] = {
- 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
- 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
- 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
- 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
- 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
- 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
- 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
- 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
- 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
- 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
- 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
- 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
- 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
- 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
- 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
- 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
- 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
- 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
- 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
- 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
- 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
- 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
- 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
- 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
- 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
- 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
- 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
- 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
- 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
- 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
- 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
- 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
-};
-#define MINFIXED 0x80
-#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
-#endif /* !SHORT_LIFETIME */
+#include "k5-int.h"
/*
* krb_life_to_time
KRB4_32 KRB5_CALLCONV
krb_life_to_time(KRB4_32 start, int life)
{
- if (life < 0 || life > 255) /* possibly sign botch in caller */
+ krb5int_access k5internals;
+
+ if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
+ || k5internals.krb_life_to_time == NULL)
return start;
-#ifndef SHORT_LIFETIME
- if (life < MINFIXED)
- return start + life * 5 * 60;
- if (life > MAXFIXED)
- return start + lifetimes[NLIFETIMES - 1];
- return start + lifetimes[life - MINFIXED];
-#else /* SHORT_LIFETIME */
- return start + life * 5 * 60;
-#endif /* SHORT_LIFETIME */
+ return k5internals.krb_life_to_time(start, life);
}
/*
int KRB5_CALLCONV
krb_time_to_life(KRB4_32 start, KRB4_32 end)
{
- KRB4_32 dt;
-#ifndef SHORT_LIFETIME
- int i;
-#endif
+ krb5int_access k5internals;
- dt = end - start;
- if (dt <= 0)
+ if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
+ || k5internals.krb_time_to_life == NULL)
return 0;
-#ifndef SHORT_LIFETIME
- if (dt < lifetimes[0])
- return (dt + 5 * 60 - 1) / (5 * 60);
- /* This depends on the array being ordered. */
- for (i = 0; i < NLIFETIMES; i++) {
- if (lifetimes[i] >= dt)
- return i + MINFIXED;
- }
- return MAXFIXED;
-#else /* SHORT_LIFETIME */
- if (dt > 5 * 60 * 255)
- return 255;
- else
- return (dt + 5 * 60 - 1) / (5 * 60);
-#endif /* SHORT_LIFETIME */
+ return k5internals.krb_time_to_life(start, end);
}
+ 1 + 1 + ticket->length)
|| ticket->length < 0 || ticket->length > 255) {
authent->length = 0;
- memset(creds->session, 0, sizeof(creds->session));
return KFAILURE;
}
myrealmlen = strlen(myrealm) + 1;
if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen
+ 4 + 1 + 4 + 7) / 8) {
- memset(creds->session, 0, sizeof(creds->session));
return KFAILURE;
}
(long)req_id->length, key_s, &creds->session, 1);
/* clean up */
memset(key_s, 0, sizeof(key_s));
- memset(creds->session, 0, sizeof(creds->session));
#endif /* NOENCRYPTION */
/* Copy it into the authenticator */
if (retval != KSUCCESS)
return retval;
- return krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm);
+ retval = krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm);
+ memset(&creds.session, 0, sizeof(creds.session));
+ return retval;
}
int KRB5_CALLCONV
des_string_to_key(passwd, key);
} else {
#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
#else
return (-1);
#endif
afs_string_to_key(passwd, realm, key);
} else {
#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
#else
return (-1);
#endif
# Makefile dependencies follow. This must be the last section in
# the Makefile.in file
#
-krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(BUILDTOP)/include/krb5_err.h $(BUILDTOP)/include/kv5m_err.h \
- $(BUILDTOP)/include/asn1_err.h $(BUILDTOP)/include/kdb5_err.h \
- krb5_libinit.h
+krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(COM_ERR_DEPS) \
+ $(BUILDTOP)/include/krb5.h $(BUILDTOP)/include/krb5_err.h \
+ $(BUILDTOP)/include/kv5m_err.h $(BUILDTOP)/include/asn1_err.h \
+ $(BUILDTOP)/include/kdb5_err.h krb5_libinit.h
+2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_etype_info2_entry_1_3): Decoder for
+ the broken 1.3 ASN.1 behavior for etype_info2; see bug 1681.
+
+ * asn1_k_decode.h (asn1_decode_etype_info2): Add v1_3_behavior
+ flag for parsing the broken 1.3 behavior of using an octetString
+ instead of generalString
+
+ * asn1_k_decode.c (asn1_decode_etype_info2_entry): Expect etype_info2 as generalstring not octetstring
+
+2003-06-20 Sam Hartman <hartmans@mit.edu>
+
+ * asn1_k_decode.h (asn1_decode_etype_info2): Prototype. Also
+ deleted prototype for asn1_decode_etype_info_entry as that is not
+ used outside asn1_k_decode.c
+
+ * krb5_decode.c (decode_krb5_etype_info2): Call etype_info2 decoder
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Split out
+ etype_info2 and etype_info decoder so we ignore tag 2 in the
+ heimdal encoder
+ (asn1_decode_etype_info2): new function
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Fix logic error
+ that incorrectly set up s2kparams.data
+
+2003-05-20 Ezra Peisach <epeisach@bu.edu>
+
+ * asn1_k_encode.c (asn1_encode_krb_safe_body): Use
+ asn1_encode_unsigned_integer for sequence number.
+
+ * asn1_k_decode.c (asn1_decode_krb_safe_body): Use
+ asn1_decode_seqnum to decode sequence number.
+
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * asn1_decode.c (asn1_decode_maybe_unsigned): New function; decode
+ negative 32-bit numbers into positive unsigned numbers for the
+ sake of backwards compatibility with old code.
+
+ * asn1_decode.h: Add prototype for asn1_decode_maybe_unsigned.
+
+ * asn1_k_decode.c (asn1_decode_seqnum): New function; wrapper
+ around asn1_decode_maybe_unsigned.
+
+ * asn1_k_decode.h: Add prototype for asn1_decode_seqnum.
+
+ * krb5_decode.c (decode_krb5_authenticator)
+ (decode_krb5_ap_rep_enc_part, decode_krb5_enc_priv_part): Sequence
+ numbers are now unsigned. Use asn1_decode_seqnum to handle
+ backwards compat with negative sequence numbers.
+
+ * krb5_encode.c (encode_krb5_authenticator)
+ (encode_krb5_ap_rep_enc_part, encode_krb5_enc_priv_part): Sequence
+ numbers are now unsigned.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_decode.c (decode_krb5_etype_info2): New function; currently
+ the same code as decode_krb5_etype_info. This means that we can
+ manage to accept s2kparams in etype_info which is wrong but
+ probably harmless.
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Add etype_info2
+ support
+
+ * asn1_k_encode.c (asn1_encode_etype_info_entry): Add support for
+ etype-info2
+
+ * krb5_encode.c (encode_krb5_etype_info2): New function
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_encode.c (encode_krb5_setpw_req): new function
+
+2003-04-13 Ezra Peisach <epeisach@mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_kdc_req_body): Fix memory leak if
+ optional server field is lacking,
+
2003-03-11 Ken Raeburn <raeburn@mit.edu>
* asn1_get.c (asn1_get_tag): Deleted.
asn1_decode.so asn1_decode.po $(OUTPRE)asn1_decode.$(OBJEXT): asn1_decode.c asn1_decode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
krbasn1.h asn1buf.h asn1_get.h
asn1_k_decode.so asn1_k_decode.po $(OUTPRE)asn1_k_decode.$(OBJEXT): asn1_k_decode.c asn1_k_decode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
krbasn1.h asn1buf.h asn1_decode.h asn1_get.h asn1_misc.h
asn1_encode.so asn1_encode.po $(OUTPRE)asn1_encode.$(OBJEXT): asn1_encode.c asn1_encode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
krbasn1.h asn1buf.h asn1_make.h
asn1_get.so asn1_get.po $(OUTPRE)asn1_get.$(OBJEXT): asn1_get.c asn1_get.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
krbasn1.h asn1buf.h
asn1_make.so asn1_make.po $(OUTPRE)asn1_make.$(OBJEXT): asn1_make.c asn1_make.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
krbasn1.h asn1buf.h
asn1buf.so asn1buf.po $(OUTPRE)asn1buf.$(OBJEXT): asn1buf.c asn1buf.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h krbasn1.h asn1_get.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1_get.h
krb5_decode.so krb5_decode.po $(OUTPRE)krb5_decode.$(OBJEXT): krb5_decode.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) krbasn1.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
asn1_k_decode.h asn1buf.h asn1_decode.h asn1_get.h
krb5_encode.so krb5_encode.po $(OUTPRE)krb5_encode.$(OBJEXT): krb5_encode.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) asn1_k_encode.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
asn1buf.h krbasn1.h asn1_encode.h asn1_make.h
asn1_k_encode.so asn1_k_encode.po $(OUTPRE)asn1_k_encode.$(OBJEXT): asn1_k_encode.c asn1_k_encode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
asn1buf.h krbasn1.h asn1_make.h asn1_encode.h
asn1_misc.so asn1_misc.po $(OUTPRE)asn1_misc.$(OBJEXT): asn1_misc.c asn1_misc.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
krbasn1.h
/*
* src/lib/krb5/asn.1/asn1_decode.c
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
cleanup();
}
+/*
+ * asn1_decode_maybe_unsigned
+ *
+ * This is needed because older releases of MIT krb5 have signed
+ * sequence numbers. We want to accept both signed and unsigned
+ * sequence numbers, in the range -2^31..2^32-1, mapping negative
+ * numbers into their positive equivalents in the same way that C's
+ * normal integer conversions do, i.e., would preserve bits on a
+ * two's-complement architecture.
+ */
+asn1_error_code asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val)
+{
+ setup();
+ asn1_octet o;
+ unsigned long n, bitsremain;
+ unsigned int i;
+
+ tag(ASN1_INTEGER);
+ o = 0;
+ n = 0;
+ bitsremain = ~0UL;
+ for (i = 0; i < length; i++) {
+ /* Accounts for u_long width not being a multiple of 8. */
+ if (bitsremain < 0xff) return ASN1_OVERFLOW;
+ retval = asn1buf_remove_octet(buf, &o);
+ if (retval) return retval;
+ if (bitsremain == ~0UL) {
+ if (i == 0)
+ n = (o & 0x80) ? ~0UL : 0UL; /* grab sign bit */
+ /*
+ * Skip leading zero or 0xFF octets to humor non-compliant encoders.
+ */
+ if (n == 0 && o == 0)
+ continue;
+ if (n == ~0UL && o == 0xff)
+ continue;
+ }
+ n = (n << 8) | o;
+ bitsremain >>= 8;
+ }
+ *val = n;
+ cleanup();
+}
+
asn1_error_code asn1_decode_oid(asn1buf *buf, unsigned int *retlen, asn1_octet **val)
{
setup();
(asn1buf *buf, long *val);
asn1_error_code asn1_decode_unsigned_integer
(asn1buf *buf, unsigned long *val);
+asn1_error_code asn1_decode_maybe_unsigned
+ (asn1buf *buf, unsigned long *val);
asn1_error_code asn1_decode_null
(asn1buf *buf);
unsigned_integer_convert(asn1_decode_ui_2,krb5_ui_2)
unsigned_integer_convert(asn1_decode_ui_4,krb5_ui_4)
+asn1_error_code asn1_decode_seqnum(asn1buf *buf, krb5_ui_4 *val)
+{
+ asn1_error_code retval;
+ unsigned long n;
+
+ retval = asn1_decode_maybe_unsigned(buf, &n);
+ if (retval) return retval;
+ *val = (krb5_ui_4)n & 0xffffffff;
+ return 0;
+}
+
asn1_error_code asn1_decode_msgtype(asn1buf *buf, krb5_msgtype *val)
{
asn1_error_code retval;
asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val)
{
setup();
- { begin_structure();
+ {
+ krb5_principal psave;
+ begin_structure();
get_field(val->kdc_options,0,asn1_decode_kdc_options);
if(tagnum == 1){ alloc_field(val->client,krb5_principal_data); }
opt_field(val->client,1,asn1_decode_principal_name,NULL);
if(val->client != NULL){
retval = asn1_krb5_realm_copy(val->client,val->server);
if(retval) return retval; }
+
+ /* If opt_field server is missing, memory reference to server is
+ lost and results in memory leak */
+ psave = val->server;
opt_field(val->server,3,asn1_decode_principal_name,NULL);
+ if(val->server == NULL){
+ if(psave->realm.data) {
+ free(psave->realm.data);
+ psave->realm.data = NULL;
+ psave->realm.length=0;
+ }
+ free(psave);
+ }
opt_field(val->from,4,asn1_decode_kerberos_time,0);
get_field(val->till,5,asn1_decode_kerberos_time);
opt_field(val->rtime,6,asn1_decode_kerberos_time,0);
get_lenfield(val->user_data.length,val->user_data.data,0,asn1_decode_charstring);
opt_field(val->timestamp,1,asn1_decode_kerberos_time,0);
opt_field(val->usec,2,asn1_decode_int32,0);
- opt_field(val->seq_number,3,asn1_decode_int32,0);
+ opt_field(val->seq_number,3,asn1_decode_seqnum,0);
alloc_field(val->s_address,krb5_address);
get_field(*(val->s_address),4,asn1_decode_host_address);
if(tagnum == 5){
decode_array_body(krb5_checksum, asn1_decode_checksum);
}
-asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val)
+static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_info_entry *val )
+{
+ setup();
+ { begin_structure();
+ get_field(val->etype,0,asn1_decode_enctype);
+ if (tagnum == 1) {
+ get_lenfield(val->length,val->salt,1,asn1_decode_generalstring);
+ } else {
+ val->length = KRB5_ETYPE_NO_SALT;
+ val->salt = 0;
+ }
+ if ( tagnum ==2) {
+ krb5_octet *params ;
+ get_lenfield( val->s2kparams.length, params,
+ 2, asn1_decode_octetstring);
+ val->s2kparams.data = ( char *) params;
+ } else {
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+ }
+ end_structure();
+ val->magic = KV5M_ETYPE_INFO_ENTRY;
+ }
+ cleanup();
+}
+
+static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etype_info_entry *val )
{
setup();
{ begin_structure();
val->length = KRB5_ETYPE_NO_SALT;
val->salt = 0;
}
+ if ( tagnum ==2) {
+ krb5_octet *params ;
+ get_lenfield( val->s2kparams.length, params,
+ 2, asn1_decode_octetstring);
+ val->s2kparams.data = ( char *) params;
+ } else {
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+ }
end_structure();
val->magic = KV5M_ETYPE_INFO_ENTRY;
}
cleanup();
}
-asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val)
+
+static asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val )
+{
+ setup();
+ { begin_structure();
+ get_field(val->etype,0,asn1_decode_enctype);
+ if (tagnum == 1) {
+ get_lenfield(val->length,val->salt,1,asn1_decode_octetstring);
+ } else {
+ val->length = KRB5_ETYPE_NO_SALT;
+ val->salt = 0;
+ }
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+
+ end_structure();
+ val->magic = KV5M_ETYPE_INFO_ENTRY;
+ }
+ cleanup();
+}
+
+asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val )
{
decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry);
}
+asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_etype_info_entry ***val ,
+ krb5_boolean v1_3_behavior)
+{
+ if (v1_3_behavior) {
+ decode_array_body(krb5_etype_info_entry,
+ asn1_decode_etype_info2_entry_1_3);
+ } else {
+ decode_array_body(krb5_etype_info_entry,
+ asn1_decode_etype_info2_entry);
+ }
+}
+
asn1_error_code asn1_decode_passwdsequence(asn1buf *buf, passwd_phrase_element *val)
{
setup();
(asn1buf *buf, krb5_ui_2 *val);
asn1_error_code asn1_decode_ui_4
(asn1buf *buf, krb5_ui_4 *val);
+asn1_error_code asn1_decode_seqnum
+ (asn1buf *buf, krb5_ui_4 *val);
asn1_error_code asn1_decode_kerberos_time
(asn1buf *buf, krb5_timestamp *val);
asn1_error_code asn1_decode_sam_flags
asn1_error_code asn1_decode_etype_info
(asn1buf *buf, krb5_etype_info_entry ***val);
+asn1_error_code asn1_decode_etype_info2
+ (asn1buf *buf, krb5_etype_info_entry ***val, krb5_boolean v1_3_behavior);
#endif
#include "asn1_k_encode.h"
#include "asn1_make.h"
#include "asn1_encode.h"
+#include <assert.h>
/**** asn1 macros ****/
#if 0
asn1_addfield(val->r_address,5,asn1_encode_host_address);
asn1_addfield(val->s_address,4,asn1_encode_host_address);
if(val->seq_number)
- asn1_addfield(val->seq_number,3,asn1_encode_integer);
+ asn1_addfield(val->seq_number,3,asn1_encode_unsigned_integer);
if(val->timestamp){
asn1_addfield(val->usec,2,asn1_encode_integer);
asn1_addfield(val->timestamp,1,asn1_encode_kerberos_time);
asn1_cleanup();
}
-asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val, unsigned int *retlen)
+asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val,
+ unsigned int *retlen, int etype_info2)
{
asn1_setup();
+ assert(val->s2kparams.data == NULL || etype_info2);
if(val == NULL || (val->length > 0 && val->length != KRB5_ETYPE_NO_SALT &&
val->salt == NULL))
return ASN1_MISSING_FIELD;
-
- if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT)
+ if(val->s2kparams.data != NULL)
+ asn1_addlenfield(val->s2kparams.length, val->s2kparams.data, 2,
+ asn1_encode_octetstring);
+ if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT){
+ if (etype_info2)
asn1_addlenfield(val->length,val->salt,1,
- asn1_encode_octetstring);
- asn1_addfield(val->etype,0,asn1_encode_integer);
+ asn1_encode_generalstring)
+ else asn1_addlenfield(val->length,val->salt,1,
+ asn1_encode_octetstring);
+ }
+asn1_addfield(val->etype,0,asn1_encode_integer);
asn1_makeseq();
asn1_cleanup();
}
-asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val, unsigned int *retlen)
+asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val,
+ unsigned int *retlen, int etype_info2)
{
asn1_setup();
int i;
for(i=0; val[i] != NULL; i++); /* get to the end of the array */
for(i--; i>=0; i--){
- retval = asn1_encode_etype_info_entry(buf,val[i],&length);
+ retval = asn1_encode_etype_info_entry(buf,val[i],&length, etype_info2);
if(retval) return retval;
sum += length;
}
asn1_error_code asn1_encode_etype_info_entry
(asn1buf *buf, const krb5_etype_info_entry *val,
- unsigned int *retlen);
+ unsigned int *retlen, int etype_info2);
asn1_error_code asn1_encode_etype_info
(asn1buf *buf, const krb5_etype_info_entry **val,
- unsigned int *retlen);
+ unsigned int *retlen, int etype_info2);
asn1_error_code asn1_encode_passwdsequence
(asn1buf *buf, const passwd_phrase_element *val, unsigned int *retlen);
get_field((*rep)->ctime,5,asn1_decode_kerberos_time);
if(tagnum == 6){ alloc_field((*rep)->subkey,krb5_keyblock); }
opt_field(*((*rep)->subkey),6,asn1_decode_encryption_key);
- opt_field((*rep)->seq_number,7,asn1_decode_int32);
+ opt_field((*rep)->seq_number,7,asn1_decode_seqnum);
opt_field((*rep)->authorization_data,8,asn1_decode_authorization_data);
(*rep)->magic = KV5M_AUTHENTICATOR;
end_structure();
get_field((*rep)->cusec,1,asn1_decode_int32);
if(tagnum == 2){ alloc_field((*rep)->subkey,krb5_keyblock); }
opt_field(*((*rep)->subkey),2,asn1_decode_encryption_key);
- opt_field((*rep)->seq_number,3,asn1_decode_int32);
+ opt_field((*rep)->seq_number,3,asn1_decode_seqnum);
end_structure();
(*rep)->magic = KV5M_AP_REP_ENC_PART;
}
get_lenfield((*rep)->user_data.length,(*rep)->user_data.data,0,asn1_decode_charstring);
opt_field((*rep)->timestamp,1,asn1_decode_kerberos_time);
opt_field((*rep)->usec,2,asn1_decode_int32);
- opt_field((*rep)->seq_number,3,asn1_decode_int32);
+ opt_field((*rep)->seq_number,3,asn1_decode_seqnum);
alloc_field((*rep)->s_address,krb5_address);
get_field(*((*rep)->s_address),4,asn1_decode_host_address);
if(tagnum == 5){ alloc_field((*rep)->r_address,krb5_address); }
cleanup_none(); /* we're not allocating anything here */
}
+krb5_error_code decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***rep)
+{
+ setup_buf_only();
+ *rep = 0;
+ retval = asn1_decode_etype_info2(&buf,rep, 0);
+ if (retval == ASN1_BAD_ID) {
+ retval = asn1buf_wrap_data(&buf,code);
+ if(retval) clean_return(retval);
+ retval = asn1_decode_etype_info2(&buf, rep, 1);
+ }
+ if(retval) clean_return(retval);
+ cleanup_none(); /* we're not allocating anything here */
+}
+
+
krb5_error_code decode_krb5_enc_data(const krb5_data *code, krb5_enc_data **rep)
{
setup_buf_only();
/* seq-number[7] INTEGER OPTIONAL */
if(rep->seq_number != 0)
- krb5_addfield(rep->seq_number,7,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,7,asn1_encode_unsigned_integer);
/* subkey[6] EncryptionKey OPTIONAL */
if(rep->subkey != NULL)
#ifdef KRB5_ENCKRB5KDCREPPART_COMPAT
krb5_apptag(26);
#else
+ /* XXX WRONG!!! Should use 25 || 26, not the outer KDC_REP tags! */
if (rep->msg_type == KRB5_AS_REP) { krb5_apptag(ASN1_KRB_AS_REP); }
else if (rep->msg_type == KRB5_TGS_REP) { krb5_apptag(ASN1_KRB_TGS_REP); }
else return KRB5_BADMSGTYPE;
/* seq-number[3] INTEGER OPTIONAL */
if(rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
/* subkey[2] EncryptionKey OPTIONAL */
if(rep->subkey != NULL)
/* seq-number[3] INTEGER OPTIONAL */
if(rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
/* usec[2] INTEGER OPTIONAL */
if(rep->timestamp){
krb5_error_code encode_krb5_etype_info(const krb5_etype_info_entry **rep, krb5_data **code)
{
krb5_setup();
- retval = asn1_encode_etype_info(buf,rep,&length);
+ retval = asn1_encode_etype_info(buf,rep,&length, 0);
if(retval) return retval;
sum += length;
krb5_cleanup();
}
+krb5_error_code encode_krb5_etype_info2(const krb5_etype_info_entry **rep, krb5_data **code)
+{
+ krb5_setup();
+ retval = asn1_encode_etype_info(buf,rep,&length, 1);
+ if(retval) return retval;
+ sum += length;
+ krb5_cleanup();
+}
+
+
krb5_error_code encode_krb5_enc_data(const krb5_enc_data *rep, krb5_data **code)
{
krb5_setup();
sum += length;
krb5_cleanup();
}
+
+krb5_error_code encode_krb5_setpw_req(const krb5_principal target,
+ char *password, krb5_data **code)
+{
+ /* Macros really want us to have a variable called rep which we do not need*/
+ const char *rep = "dummy string";
+
+ krb5_setup();
+
+ krb5_addfield(target,2,asn1_encode_realm);
+ krb5_addfield(target,1,asn1_encode_principal_name);
+ krb5_addlenfield(strlen(password), password,0,asn1_encode_octetstring);
+ krb5_makeseq();
+
+
+ krb5_cleanup();
+}
+2003-07-22 Sam Hartman <hartmans@mit.edu>
+
+ * ccbase.c: Always register the file credentials cache type. If
+ we do not, then when USE_CCAPI is defined, it will not be
+ available.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* ccdefault.c: Remove Mac header goober and include
#
ccbase.so ccbase.po $(OUTPRE)ccbase.$(OBJEXT): ccbase.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
cccopy.so cccopy.po $(OUTPRE)cccopy.$(OBJEXT): cccopy.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ccdefault.so ccdefault.po $(OUTPRE)ccdefault.$(OBJEXT): ccdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ccdefops.so ccdefops.po $(OUTPRE)ccdefops.$(OBJEXT): ccdefops.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h fcc.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h fcc.h
cc_retr.so cc_retr.po $(OUTPRE)cc_retr.$(OBJEXT): cc_retr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
cc_file.so cc_file.po $(OUTPRE)cc_file.$(OBJEXT): cc_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
cc_memory.so cc_memory.po $(OUTPRE)cc_memory.$(OBJEXT): cc_memory.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ccfns.so ccfns.po $(OUTPRE)ccfns.$(OBJEXT): ccfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ser_cc.so ser_cc.po $(OUTPRE)ser_cc.$(OBJEXT): ser_cc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
#include "k5-int.h"
+#include "fcc.h"
+
struct krb5_cc_typelist
{
krb5_cc_ops *ops;
};
extern const krb5_cc_ops krb5_mcc_ops;
-static struct krb5_cc_typelist cc_entry = { &krb5_mcc_ops, NULL };
+static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, NULL };
+
+static struct krb5_cc_typelist cc_fcc_entry = { &krb5_cc_file_ops,
+ &cc_mcc_entry };
+
-static struct krb5_cc_typelist *cc_typehead = &cc_entry;
+static struct krb5_cc_typelist *cc_typehead = &cc_fcc_entry;
/*
* Register a new credentials cache type
init_ets.c
kdb5_err.et
krb5_err.et
+krb524_err.et
kv5m_err.et
Things-to-lose:
+2003-07-19 Ezra Peisach <epeisach@mit.edu>
+
+ * init_ets.c (krb5_init_ets): Only initialize error tables once -
+ so that init_conext/free_context loops do not result in memory
+ leaks.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5_err.et (KRB5_ERR_NO_SERVICE): New error code.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * krb524_err.et: New file, moved from ../../../krb524. Add new
+ error code KRB524_KRB4_DISABLED.
+ * Makefile.in (STLIBOBJS, HDRS, OBJS, ETSRCS, SRCS, awk-windows):
+ Add it.
+ ($(OUTPRE)krb524_err.$(OBJEXT)): List dependence on .c file.
+ * init_ets.c (krb5_init_ets): Call initialize_k524_error_table.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* krb5_err.et (KRB5_ERR_BAD_S2K_PARAMS): New error code.
EHDRDIR=$(BUILDTOP)$(S)include$(S)krb5
STLIBOBJS= asn1_err.o kdb5_err.o krb5_err.o \
- kv5m_err.o init_ets.o
+ kv5m_err.o krb524_err.o init_ets.o
-HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h
+HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h
OBJS= $(OUTPRE)asn1_err.$(OBJEXT) $(OUTPRE)kdb5_err.$(OBJEXT) $(OUTPRE)krb5_err.$(OBJEXT) \
- $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)init_ets.$(OBJEXT)
-ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c
-SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c \
+ $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)krb524_err.$(OBJEXT) \
+ $(OUTPRE)init_ets.$(OBJEXT)
+ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c
+SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c \
$(srcdir)/init_ets.c
##DOS##LIBOBJS = $(OBJS)
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kdb5_err.h kdb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb5_err.h krb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kv5m_err.h kv5m_err.et
+ $(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb524_err.h krb524_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=asn1_err.c asn1_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kdb5_err.c kdb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb5_err.c krb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kv5m_err.c kv5m_err.et
+ $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb524_err.c krb524_err.et
if exist asn1_err.h copy asn1_err.h "$(EHDRDIR)"
if exist kdb5_err.h copy kdb5_err.h "$(EHDRDIR)"
if exist krb5_err.h copy krb5_err.h "$(EHDRDIR)"
if exist kv5m_err.h copy kv5m_err.h "$(EHDRDIR)"
+ if exist krb524_err.h copy krb524_err.h "$(EHDRDIR)"
#
# dependencies for traditional makes
$(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c
$(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c
$(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c
+$(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c
clean-unix:: clean-libobjs
$(RM) $(HDRS) $(ETSRCS)
kdb5_err.so kdb5_err.po $(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c $(COM_ERR_DEPS)
krb5_err.so krb5_err.po $(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c $(COM_ERR_DEPS)
kv5m_err.so kv5m_err.po $(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c $(COM_ERR_DEPS)
+krb524_err.so krb524_err.po $(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c $(COM_ERR_DEPS)
init_ets.so init_ets.po $(OUTPRE)init_ets.$(OBJEXT): init_ets.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
void
krb5_init_ets (krb5_context context)
{
- initialize_krb5_error_table();
- initialize_kv5m_error_table();
- initialize_kdb5_error_table();
- initialize_asn1_error_table();
+ static int inited = 0;
+
+ if (inited == 0) {
+ initialize_krb5_error_table();
+ initialize_kv5m_error_table();
+ initialize_kdb5_error_table();
+ initialize_asn1_error_table();
+ initialize_k524_error_table();
+ inited++;
+ }
}
void
error_code KRB524_ENCFULL, "Encoding too large"
error_code KRB524_DECEMPTY, "Decoding out of data"
error_code KRB524_NOTRESP, "Service not responding"
+error_code KRB524_KRB4_DISABLED, "Kerberos version 4 support is disabled"
end
error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC"
+error_code KRB5_ERR_NO_SERVICE, "service not available"
+
end
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * kt_file.c (krb5_ktfile_get_entry): Check principal name prior to
+ checking enctype. Suggested by Wyllys Ingersoll.
+
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * ktbase.c: Register writable keytab by default
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kt_file.c (krb5_ktfileint_internal_read_entry): Use
+ krb5_princ_size instead of direct field access.
+ (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry):
+ Likewise.
+
2003-02-08 Tom Yu <tlyu@mit.edu>
* kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to
#
ktadd.so ktadd.po $(OUTPRE)ktadd.$(OBJEXT): ktadd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ktbase.so ktbase.po $(OUTPRE)ktbase.$(OBJEXT): ktbase.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ktdefault.so ktdefault.po $(OUTPRE)ktdefault.$(OBJEXT): ktdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ktfr_entry.so ktfr_entry.po $(OUTPRE)ktfr_entry.$(OBJEXT): ktfr_entry.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ktremove.so ktremove.po $(OUTPRE)ktremove.$(OBJEXT): ktremove.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ktfns.so ktfns.po $(OUTPRE)ktfns.$(OBJEXT): ktfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
kt_file.so kt_file.po $(OUTPRE)kt_file.$(OBJEXT): kt_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
kt_srvtab.so kt_srvtab.po $(OUTPRE)kt_srvtab.$(OBJEXT): kt_srvtab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
read_servi.so read_servi.po $(OUTPRE)read_servi.$(OBJEXT): read_servi.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
and copy new_entry there, or free new_entry. Otherwise, it
leaks. */
+ /* if the principal isn't the one requested, free new_entry
+ and continue to the next. */
+
+ if (!krb5_principal_compare(context, principal, new_entry.principal)) {
+ krb5_kt_free_entry(context, &new_entry);
+ continue;
+ }
+
/* if the enctype is not ignored and doesn't match, free new_entry
and continue to the next */
}
- /* if the principal isn't the one requested, free new_entry
- and continue to the next. */
-
- if (!krb5_principal_compare(context, principal, new_entry.principal)) {
- krb5_kt_free_entry(context, &new_entry);
- continue;
- }
-
if (kvno == IGNORE_VNO) {
/* if this is the first match, or if the new vno is
bigger, free the current and keep the new. Otherwise,
return 0;
fail:
- for (i = 0; i < ret_entry->principal->length; i++) {
+ for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) {
princ = krb5_princ_component(context, ret_entry->principal, i);
if (princ->data)
free(princ->data);
}
if (KTVERSION(id) == KRB5_KT_VNO_1) {
- count = (krb5_int16) entry->principal->length + 1;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1;
} else {
- count = htons((u_short) entry->principal->length);
+ count = htons((u_short) krb5_princ_size(context, entry->principal));
}
if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) {
goto abend;
}
- count = (krb5_int16) entry->principal->length;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal);
for (i = 0; i < count; i++) {
princ = krb5_princ_component(context, entry->principal, i);
size = princ->length;
krb5_int32 total_size, i;
krb5_error_code retval = 0;
- count = (krb5_int16) entry->principal->length;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal);
total_size = sizeof(count);
total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16));
#include "k5-int.h"
extern const krb5_kt_ops krb5_ktf_ops;
+extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
struct krb5_kt_typelist {
const krb5_kt_ops *ops;
struct krb5_kt_typelist *next;
};
+static struct krb5_kt_typelist krb5_kt_typelist_wrfile = {
+ &krb5_ktf_writable_ops,
+ 0
+};
static struct krb5_kt_typelist krb5_kt_typelist_file = {
&krb5_ktf_ops,
- 0
+ &krb5_kt_typelist_wrfile
};
static struct krb5_kt_typelist krb5_kt_typelist_srvtab = {
&krb5_kts_ops,
cleanup.h
configure
configure.in
+conv_creds.c
conv_princ.c
copy_addrs.c
copy_athctr.c
gen_subkey.c
get_creds.c
get_in_tkt.c
-in_tkt_ktb.c
-in_tkt_pwd.c
in_tkt_sky.c
init_ctx.c
int-proto.h
t_ser.c
tgtname.c
unparse.c
+v4lifetime.c
valid_times.c
walk_rtree.c
+2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * preauth2.c (krb5_do_preauth): Use the etype_info2 decoder for decoding etype_info2
+ (krb5_do_preauth): If an invalid encoding of etype_info or
+ etype_info2 is received, ignore it rather than failing the request
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_ctx.c: Export krb5_get_permitted_enctypes for Samba.
+
+2003-06-27 Tom Yu <tlyu@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Pass (void*)keytab,
+ not &keytab, to get_init_creds. Thanks to Herb Lewis.
+
+2003-06-16 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Set use_conf_ktypes to true while getting the TGT key
+
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * rd_rep.c (krb5_rd_rep): Free subkeys before replacing them, if
+ needed. This avoids a memory leak.
+
+2003-06-11 Tom Yu <tlyu@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): Octal escapes begin with
+ hyphen now, since backslash is a pathname separator on DOS.
+
+2003-06-06 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the
+ request is for a renewable ticket with rtime greater than till
+
+2003-06-06 Ezra Peisach <epeisach@mit.edu>
+
+ * mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are
+ unsigned now.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Change hardcoded default
+ ticket lifetime from 10 hours to 24 hours.
+
+ * init_ctx.c (DEFAULT_KDC_TIMESYNC): Define as 1 always.
+ (DEFAULT_CCACHE_TYPE): Define as 4 always.
+
+2003-05-30 Alexandra Ellwood <lxs@mit.edu>
+
+ * get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime
+ of tickets whose request options included KDC_OPT_RENEWABLE_OK
+ if those options did not also include KDC_OPT_RENEWABLE. Otherwise
+ verify_as_reply() will fail for all renewable tickets.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: Enable support on Windows always.
+ (krb5_524_convert_creds): Renamed from krb524_convert_creds_kdc.
+ (krb524_convert_creds_kdc, krb524_init_ets) [!_WIN32]: Backwards
+ compatibility functions.
+
+2003-05-27 Sam Hartman <hartmans@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): as below
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Store client and
+ server principals to avoid memory leak
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: New file, moved from krb524/conv_creds.c and
+ krb524/encode.c. Rename exported encode routine, make other
+ encode and decode routines static. If KRB5_KRB4_COMPAT is not
+ defined, return an error.
+ * v4lifetime.c: New file, moved from lib/krb4/lifetime.c. Renamed
+ functions, changed interface to use krb5 types.
+ * Makefile.in (STLIBOBJS, OBJS, SRCS): Add them.
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Initialize options based on
+ context.kdc_default_options
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * gen_seqnum.c (krb5_generate_seq_number): Fix think-o on sequence
+ number mask.
+
+ * auth_con.c (krb5int_auth_con_chkseqnum): New function; implement
+ heuristic for broken Heimdal sequence number encoding.
+ (chk_heimdal_seqnum): Auxiliary function for above.
+
+ * auth_con.h: Add flags for sequence number heuristic.
+
+ * rd_priv.c: Use krb5int_auth_con_chkseqnum.
+
+ * rd_safe.c: Use krb5int_auth_con_chkseqnum.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * gic_pwd.c (krb5int_populate_gic_opt): returns void
+
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Set pw0.length
+ correctly if a password is passed in.
+
+2003-05-20 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in (SRCS): Remove in_ktb.c
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Move from
+ in_tkt_keytab.c and rewrite to use krb5_get_init_creds
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Moved here from
+ in_tkt_pwd.c so it can share code with
+ krb5_get_init_creds_password. Rewritten to call
+ krb5_get_in_tkt_password
+
+ * Makefile.in (SRCS): Delete in_tkt_pwd.c
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.h: Sequence numbers are now unsigned.
+
+ * gen_seqnum.c (krb5_generate_seq_number): Constrain initial
+ sequence number space to facilitate backwards compatibility.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * chpw.c (krb5int_rd_chpw_rep): Allow new kpasswd error codes up
+ through _INITIAL_FLAG_NEEDED.
+
+2003-05-13 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Try with no specified enctype if
+ forwarding a specific enctype fails. l
+
+ * get_in_tkt.c (krb5_get_init_creds): Free s2kparams
+
+ * preauth2.c (krb5_do_preauth): Fix memory management
+ (pa_salt): Use copy_data_contents
+
+ * copy_data.c (krb5int_copy_data_contents): New function
+
+2003-05-09 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Patch from Sun to reorganize code for handling
+ etype_info requests. More efficient and easier to implement etype_info2
+ (krb5_do_preauth): Support enctype_info2
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Add s2kparams to the declaration of a preauth
+ function, to every instance of a preauth function and to every
+ call to gak_fct
+
+ * get_in_tkt.c (krb5_get_init_creds): Add s2kparams support
+
+ * gic_keytab.c (krb5_get_as_key_keytab): Add s2kparams
+
+ * gic_pwd.c (krb5_get_as_key_password): Add s2kparams support
+
+2003-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (init_common): Copy tgs_ktypes array to
+ conf_tgs_ktypes. Clear use_conf_ktypes.
+ (krb5_free_context): Free conf_tgs_ktypes.
+ (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between
+ tgs_ktypes and conf_tgs_ktypes.
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes
+ in context to 1 for all operations except the acquisition of the
+ desired service ticket.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.c (krb5_auth_con_setsendsubkey)
+ (krb5_auth_con_setrecvsubkey, krb5_auth_con_getsendsubkey)
+ (krb5_auth_con_getrecvsubkey): New functions. Set or retrieve
+ subkeys from an auth_context.
+ (krb5_auth_con_getlocalsubkey, krb5_auth_con_getremotesubkey):
+ Reimplement in terms of the above.
+
+ * auth_con.h, ser_actx.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey.
+
+ * chpw.c (krb5int_rd_chpw_rep): Save send_subkey prior to rd_rep;
+ use saved send_subkey to smash recv_subkey obtained from rd_rep.
+
+ * mk_req_ext.c (krb5_mk_req_extended): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ subkey generation is requested.
+
+ * mk_cred.c, mk_priv.c, mk_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either send_subkey or keyblock, in that
+ order.
+
+ * rd_cred.c, rd_priv.c, rd_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either recv_subkey or keyblock, in that
+ order.
+
+ * rd_rep.c (krb5_rd_rep): Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Set both subkeys if a subkey is present in
+ the AP-REP message.
+
+ * rd_req_dec.c (krb5_rd_req_decoded_opt): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ a subkey is present in the AP-REQ message.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * kfree.c (krb5_free_etype_info): Free s2kparams
+
+2003-04-27 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_setpw_result_code_string): Make internal
+
+2003-04-25 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_rd_setpw_rep): Fix error handling; allow
+ krberrors to be read correctly; fix memory alloctaion so that
+ allocated structures are freed.
+
+2003-04-24 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Correction to previous
+ fix. Free contents of krb5_data - not just the pointer.
+
+2003-04-23 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Actually free the entire
+ sequence of passwd_phase_elements and not just the first one.
+
+2003-04-16 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req): Use encode_krb5_setpw_req. Fix
+ memory handling to free data that is allocated
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req krb5int_rd_setpw_rep): New function
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): Add AES with 256 bits at the
+ front of the list. No 128-bit support by defaut.
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name
+ length before examining components.
+
+ * parse.c (krb5_parse_name): Double-check principal name length
+ before filling in components.
+
+ * srv_rcache.c (krb5_get_server_rcache): Check for null pointer
+ supplied in place of name.
+
+ * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer
+ backwards if nothing has been put into the buffer yet.
+
+2003-04-01 Sam Hartman <hartmans@mit.edu>
+
+ * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared,
+ don't set up a replay cache.
+
2003-03-08 Ezra Peisach <epeisach@mit.edu>
* t_kerb.c: Only include krb.h if krb4 support compiled in,
bld_princ.o \
chk_trans.o \
chpw.o \
+ conv_creds.o \
conv_princ.o \
copy_addrs.o \
copy_auth.o \
gic_keytab.o \
gic_opt.o \
gic_pwd.o \
- in_tkt_ktb.o \
- in_tkt_pwd.o \
in_tkt_sky.o \
init_ctx.o \
init_keyblock.o \
str_conv.o \
tgtname.o \
unparse.o \
+ v4lifetime.o \
valid_times.o \
vfy_increds.o \
vic_opt.o \
$(OUTPRE)bld_princ.$(OBJEXT) \
$(OUTPRE)chk_trans.$(OBJEXT) \
$(OUTPRE)chpw.$(OBJEXT) \
+ $(OUTPRE)conv_creds.$(OBJEXT) \
$(OUTPRE)conv_princ.$(OBJEXT) \
$(OUTPRE)copy_addrs.$(OBJEXT) \
$(OUTPRE)copy_auth.$(OBJEXT) \
$(OUTPRE)gic_keytab.$(OBJEXT) \
$(OUTPRE)gic_opt.$(OBJEXT) \
$(OUTPRE)gic_pwd.$(OBJEXT) \
- $(OUTPRE)in_tkt_ktb.$(OBJEXT) \
- $(OUTPRE)in_tkt_pwd.$(OBJEXT) \
$(OUTPRE)in_tkt_sky.$(OBJEXT) \
$(OUTPRE)init_ctx.$(OBJEXT) \
$(OUTPRE)init_keyblock.$(OBJEXT) \
$(OUTPRE)str_conv.$(OBJEXT) \
$(OUTPRE)tgtname.$(OBJEXT) \
$(OUTPRE)unparse.$(OBJEXT) \
+ $(OUTPRE)v4lifetime.$(OBJEXT) \
$(OUTPRE)valid_times.$(OBJEXT) \
$(OUTPRE)vfy_increds.$(OBJEXT) \
$(OUTPRE)vic_opt.$(OBJEXT) \
$(srcdir)/brand.c \
$(srcdir)/chk_trans.c \
$(srcdir)/chpw.c \
+ $(srcdir)/conv_creds.c \
$(srcdir)/conv_princ.c \
$(srcdir)/copy_addrs.c \
$(srcdir)/copy_auth.c \
$(srcdir)/gic_keytab.c \
$(srcdir)/gic_opt.c \
$(srcdir)/gic_pwd.c \
- $(srcdir)/in_tkt_ktb.c \
- $(srcdir)/in_tkt_pwd.c \
$(srcdir)/in_tkt_sky.c \
$(srcdir)/init_ctx.c \
$(srcdir)/init_keyblock.c \
$(srcdir)/str_conv.c \
$(srcdir)/tgtname.c \
$(srcdir)/unparse.c \
+ $(srcdir)/v4lifetime.c \
$(srcdir)/valid_times.c \
$(srcdir)/vfy_increds.c \
$(srcdir)/vic_opt.c \
#
addr_comp.so addr_comp.po $(OUTPRE)addr_comp.$(OBJEXT): addr_comp.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
addr_order.so addr_order.po $(OUTPRE)addr_order.$(OBJEXT): addr_order.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
addr_srch.so addr_srch.po $(OUTPRE)addr_srch.$(OBJEXT): addr_srch.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
appdefault.so appdefault.po $(OUTPRE)appdefault.$(OBJEXT): appdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
auth_con.so auth_con.po $(OUTPRE)auth_con.$(OBJEXT): auth_con.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
bld_pr_ext.so bld_pr_ext.po $(OUTPRE)bld_pr_ext.$(OBJEXT): bld_pr_ext.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
bld_princ.so bld_princ.po $(OUTPRE)bld_princ.$(OBJEXT): bld_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
brand.so brand.po $(OUTPRE)brand.$(OBJEXT): brand.c
chk_trans.so chk_trans.po $(OUTPRE)chk_trans.$(OBJEXT): chk_trans.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
chpw.so chpw.po $(OUTPRE)chpw.$(OBJEXT): chpw.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/krb5_err.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/krb5_err.h \
auth_con.h
+conv_creds.so conv_creds.po $(OUTPRE)conv_creds.$(OBJEXT): conv_creds.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/krb.h \
+ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP)
conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_addrs.so copy_addrs.po $(OUTPRE)copy_addrs.$(OBJEXT): copy_addrs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_auth.so copy_auth.po $(OUTPRE)copy_auth.$(OBJEXT): copy_auth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_athctr.so copy_athctr.po $(OUTPRE)copy_athctr.$(OBJEXT): copy_athctr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_cksum.so copy_cksum.po $(OUTPRE)copy_cksum.$(OBJEXT): copy_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_creds.so copy_creds.po $(OUTPRE)copy_creds.$(OBJEXT): copy_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_data.so copy_data.po $(OUTPRE)copy_data.$(OBJEXT): copy_data.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_key.so copy_key.po $(OUTPRE)copy_key.$(OBJEXT): copy_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_princ.so copy_princ.po $(OUTPRE)copy_princ.$(OBJEXT): copy_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
copy_tick.so copy_tick.po $(OUTPRE)copy_tick.$(OBJEXT): copy_tick.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
cp_key_cnt.so cp_key_cnt.po $(OUTPRE)cp_key_cnt.$(OBJEXT): cp_key_cnt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
decode_kdc.so decode_kdc.po $(OUTPRE)decode_kdc.$(OBJEXT): decode_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
decrypt_tk.so decrypt_tk.po $(OUTPRE)decrypt_tk.$(OBJEXT): decrypt_tk.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
deltat.so deltat.po $(OUTPRE)deltat.$(OBJEXT): deltat.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
enc_helper.so enc_helper.po $(OUTPRE)enc_helper.$(OBJEXT): enc_helper.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
encode_kdc.so encode_kdc.po $(OUTPRE)encode_kdc.$(OBJEXT): encode_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
encrypt_tk.so encrypt_tk.po $(OUTPRE)encrypt_tk.$(OBJEXT): encrypt_tk.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
free_rtree.so free_rtree.po $(OUTPRE)free_rtree.$(OBJEXT): free_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
fwd_tgt.so fwd_tgt.po $(OUTPRE)fwd_tgt.$(OBJEXT): fwd_tgt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
gc_frm_kdc.so gc_frm_kdc.po $(OUTPRE)gc_frm_kdc.$(OBJEXT): gc_frm_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
gc_via_tkt.so gc_via_tkt.po $(OUTPRE)gc_via_tkt.$(OBJEXT): gc_via_tkt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
gen_seqnum.so gen_seqnum.po $(OUTPRE)gen_seqnum.$(OBJEXT): gen_seqnum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
gen_subkey.so gen_subkey.po $(OUTPRE)gen_subkey.$(OBJEXT): gen_subkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
get_creds.so get_creds.po $(OUTPRE)get_creds.$(OBJEXT): get_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
get_in_tkt.so get_in_tkt.po $(OUTPRE)get_in_tkt.$(OBJEXT): get_in_tkt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h $(srcdir)/../os/os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h $(srcdir)/../os/os-proto.h
gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): gic_keytab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
gic_opt.so gic_opt.po $(OUTPRE)gic_opt.$(OBJEXT): gic_opt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
gic_pwd.so gic_pwd.po $(OUTPRE)gic_pwd.$(OBJEXT): gic_pwd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
-in_tkt_ktb.so in_tkt_ktb.po $(OUTPRE)in_tkt_ktb.$(OBJEXT): in_tkt_ktb.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
-in_tkt_pwd.so in_tkt_pwd.po $(OUTPRE)in_tkt_pwd.$(OBJEXT): in_tkt_pwd.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
in_tkt_sky.so in_tkt_sky.po $(OUTPRE)in_tkt_sky.$(OBJEXT): in_tkt_sky.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
init_ctx.so init_ctx.po $(OUTPRE)init_ctx.$(OBJEXT): init_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h brand.c $(srcdir)/../krb5_libinit.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h brand.c $(srcdir)/../krb5_libinit.h
init_keyblock.so init_keyblock.po $(OUTPRE)init_keyblock.$(OBJEXT): init_keyblock.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
kdc_rep_dc.so kdc_rep_dc.po $(OUTPRE)kdc_rep_dc.$(OBJEXT): kdc_rep_dc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
kfree.so kfree.po $(OUTPRE)kfree.$(OBJEXT): kfree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
mk_cred.so mk_cred.po $(OUTPRE)mk_cred.$(OBJEXT): mk_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cleanup.h auth_con.h
mk_error.so mk_error.po $(OUTPRE)mk_error.$(OBJEXT): mk_error.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
mk_priv.so mk_priv.po $(OUTPRE)mk_priv.$(OBJEXT): mk_priv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cleanup.h auth_con.h
mk_rep.so mk_rep.po $(OUTPRE)mk_rep.$(OBJEXT): mk_rep.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): mk_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
mk_req_ext.so mk_req_ext.po $(OUTPRE)mk_req_ext.$(OBJEXT): mk_req_ext.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): mk_safe.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cleanup.h auth_con.h
parse.so parse.po $(OUTPRE)parse.$(OBJEXT): parse.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
pr_to_salt.so pr_to_salt.po $(OUTPRE)pr_to_salt.$(OBJEXT): pr_to_salt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
preauth.so preauth.po $(OUTPRE)preauth.$(OBJEXT): preauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
preauth2.so preauth2.po $(OUTPRE)preauth2.$(OBJEXT): preauth2.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): princ_comp.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
rd_cred.so rd_cred.po $(OUTPRE)rd_cred.$(OBJEXT): rd_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cleanup.h auth_con.h
rd_error.so rd_error.po $(OUTPRE)rd_error.$(OBJEXT): rd_error.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): rd_priv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cleanup.h auth_con.h
rd_rep.so rd_rep.po $(OUTPRE)rd_rep.$(OBJEXT): rd_rep.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): rd_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
rd_req_dec.so rd_req_dec.po $(OUTPRE)rd_req_dec.$(OBJEXT): rd_req_dec.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): rd_safe.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cleanup.h auth_con.h
recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): recvauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): sendauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
send_tgs.so send_tgs.po $(OUTPRE)send_tgs.$(OBJEXT): send_tgs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ser_actx.so ser_actx.po $(OUTPRE)ser_actx.$(OBJEXT): ser_actx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h auth_con.h
ser_adata.so ser_adata.po $(OUTPRE)ser_adata.$(OBJEXT): ser_adata.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
ser_addr.so ser_addr.po $(OUTPRE)ser_addr.$(OBJEXT): ser_addr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
ser_auth.so ser_auth.po $(OUTPRE)ser_auth.$(OBJEXT): ser_auth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
ser_cksum.so ser_cksum.po $(OUTPRE)ser_cksum.$(OBJEXT): ser_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
ser_ctx.so ser_ctx.po $(OUTPRE)ser_ctx.$(OBJEXT): ser_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ser_eblk.so ser_eblk.po $(OUTPRE)ser_eblk.$(OBJEXT): ser_eblk.c
ser_key.so ser_key.po $(OUTPRE)ser_key.$(OBJEXT): ser_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
ser_princ.so ser_princ.po $(OUTPRE)ser_princ.$(OBJEXT): ser_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
serialize.so serialize.po $(OUTPRE)serialize.$(OBJEXT): serialize.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
set_realm.so set_realm.po $(OUTPRE)set_realm.$(OBJEXT): set_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
srv_rcache.so srv_rcache.po $(OUTPRE)srv_rcache.$(OBJEXT): srv_rcache.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
tgtname.so tgtname.po $(OUTPRE)tgtname.$(OBJEXT): tgtname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
unparse.so unparse.po $(OUTPRE)unparse.$(OBJEXT): unparse.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
+v4lifetime.so v4lifetime.po $(OUTPRE)v4lifetime.$(OBJEXT): v4lifetime.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
valid_times.so valid_times.po $(OUTPRE)valid_times.$(OBJEXT): valid_times.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
vfy_increds.so vfy_increds.po $(OUTPRE)vfy_increds.$(OBJEXT): vfy_increds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
vic_opt.so vic_opt.po $(OUTPRE)vic_opt.$(OBJEXT): vic_opt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
walk_rtree.so walk_rtree.po $(OUTPRE)walk_rtree.$(OBJEXT): walk_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h int-proto.h
t_walk_rtree.so t_walk_rtree.po $(OUTPRE)t_walk_rtree.$(OBJEXT): t_walk_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
t_kerb.so t_kerb.po $(OUTPRE)t_kerb.$(OBJEXT): t_kerb.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(BUILDTOP)/include/profile.h
t_ser.so t_ser.po $(OUTPRE)t_ser.$(OBJEXT): t_ser.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h auth_con.h
t_deltat.so t_deltat.po $(OUTPRE)t_deltat.$(OBJEXT): t_deltat.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
t_expand.so t_expand.po $(OUTPRE)t_expand.$(OBJEXT): t_expand.c chk_trans.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
#include "k5-int.h"
#include "auth_con.h"
+static krb5_boolean chk_heimdal_seqnum(krb5_ui_4, krb5_ui_4);
+
static krb5_error_code
actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **outad)
{
krb5_free_authenticator(context, auth_context->authentp);
if (auth_context->keyblock)
krb5_free_keyblock(context, auth_context->keyblock);
- if (auth_context->local_subkey)
- krb5_free_keyblock(context, auth_context->local_subkey);
- if (auth_context->remote_subkey)
- krb5_free_keyblock(context, auth_context->remote_subkey);
+ if (auth_context->send_subkey)
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ if (auth_context->recv_subkey)
+ krb5_free_keyblock(context, auth_context->recv_subkey);
if (auth_context->rcache)
krb5_rc_close(context, auth_context->rcache);
if (auth_context->permitted_etypes)
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
{
- if (auth_context->local_subkey)
- return krb5_copy_keyblock(context,auth_context->local_subkey,keyblock);
+ return krb5_auth_con_getsendsubkey(context, auth_context, keyblock);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
+{
+ return krb5_auth_con_getrecvsubkey(context, auth_context, keyblock);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
+{
+ if (ac->send_subkey != NULL)
+ krb5_free_keyblock(ctx, ac->send_subkey);
+ ac->send_subkey = NULL;
+ if (keyblock !=NULL)
+ return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey);
+ else
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
+{
+ if (ac->recv_subkey != NULL)
+ krb5_free_keyblock(ctx, ac->recv_subkey);
+ ac->recv_subkey = NULL;
+ if (keyblock != NULL)
+ return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey);
+ else
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
+{
+ if (ac->send_subkey != NULL)
+ return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock);
*keyblock = NULL;
return 0;
}
krb5_error_code KRB5_CALLCONV
-krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
+krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
- if (auth_context->remote_subkey)
- return krb5_copy_keyblock(context,auth_context->remote_subkey,keyblock);
+ if (ac->recv_subkey != NULL)
+ return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock);
*keyblock = NULL;
return 0;
}
*data = auth_context->checksum_func_data;
return 0;
}
+
+/*
+ * krb5int_auth_con_chkseqnum
+ *
+ * We use a somewhat complex heuristic for validating received
+ * sequence numbers. We must accommodate both our older
+ * implementation, which sends negative sequence numbers, and the
+ * broken Heimdal implementation (at least as of 0.5.2), which
+ * violates X.690 BER for integer encodings. The requirement of
+ * handling negative sequence numbers removes one of easier means of
+ * detecting a Heimdal implementation, so we resort to this mess
+ * here.
+ *
+ * X.690 BER (and consequently DER, which are the required encoding
+ * rules in RFC1510) encode all integer types as signed integers.
+ * This means that the MSB being set on the first octet of the
+ * contents of the encoding indicates a negative value. Heimdal does
+ * not prepend the required zero octet to unsigned integer encodings
+ * which would otherwise have the MSB of the first octet of their
+ * encodings set.
+ *
+ * Our ASN.1 library implements a special decoder for sequence
+ * numbers, accepting both negative and positive 32-bit numbers but
+ * mapping them both into the space of positive unsigned 32-bit
+ * numbers in the obvious bit-pattern-preserving way. This maintains
+ * compatibility with our older implementations. This also means that
+ * encodings emitted by Heimdal are ambiguous.
+ *
+ * Heimdal counter value received uint32 value
+ *
+ * 0x00000080 0xFFFFFF80
+ * 0x000000FF 0xFFFFFFFF
+ * 0x00008000 0xFFFF8000
+ * 0x0000FFFF 0xFFFFFFFF
+ * 0x00800000 0xFF800000
+ * 0x00FFFFFF 0xFFFFFFFF
+ * 0xFF800000 0xFF800000
+ * 0xFFFFFFFF 0xFFFFFFFF
+ *
+ * We use two auth_context flags, SANE_SEQ and HEIMDAL_SEQ, which are
+ * only set after we can unambiguously determine the sanity of the
+ * sending implementation. Once one of these flags is set, we accept
+ * only the sequence numbers appropriate to the remote implementation
+ * type. We can make the determination in two different ways. The
+ * first is to note the receipt of a "negative" sequence number when a
+ * "positive" one was expected. The second is to note the receipt of
+ * a sequence number that wraps through "zero" in a weird way. The
+ * latter corresponds to the receipt of an initial sequence number in
+ * the ambiguous range.
+ *
+ * There are 2^7 + 2^15 + 2^23 + 2^23 = 16810112 total ambiguous
+ * initial Heimdal counter values, but we receive them as one of 2^23
+ * possible values. There is a ~1/256 chance of a Heimdal
+ * implementation sending an intial sequence number in the ambiguous
+ * range.
+ *
+ * We have to do special treatment when receiving sequence numbers
+ * between 0xFF800000..0xFFFFFFFF, or when wrapping through zero
+ * weirdly (due to ambiguous initial sequence number). If we are
+ * expecting a value corresponding to an ambiguous Heimdal counter
+ * value, and we receive an exact match, we can mark the remote end as
+ * sane.
+ */
+krb5_boolean
+krb5int_auth_con_chkseqnum(
+ krb5_context ctx,
+ krb5_auth_context ac,
+ krb5_ui_4 in_seq)
+{
+ krb5_ui_4 exp_seq;
+
+ exp_seq = ac->remote_seq_number;
+
+ /*
+ * If sender is known to be sane, accept _only_ exact matches.
+ */
+ if (ac->auth_context_flags & KRB5_AUTH_CONN_SANE_SEQ)
+ return in_seq == exp_seq;
+
+ /*
+ * If sender is not known to be sane, first check the ambiguous
+ * range of received values, 0xFF800000..0xFFFFFFFF.
+ */
+ if ((in_seq & 0xFF800000) == 0xFF800000) {
+ /*
+ * If expected sequence number is in the range
+ * 0xFF800000..0xFFFFFFFF, then we can't make any
+ * determinations about the sanity of the sending
+ * implementation.
+ */
+ if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq)
+ return 1;
+ /*
+ * If sender is not known for certain to be a broken Heimdal
+ * implementation, check for exact match.
+ */
+ if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)
+ && in_seq == exp_seq)
+ return 1;
+ /*
+ * Now apply hairy algorithm for matching sequence numbers
+ * sent by broken Heimdal implementations. If it matches, we
+ * know for certain it's a broken Heimdal sender.
+ */
+ if (chk_heimdal_seqnum(exp_seq, in_seq)) {
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ return 1;
+ }
+ return 0;
+ }
+
+ /*
+ * Received value not in the ambiguous range? If the _expected_
+ * value is in the range of ambiguous Hemidal counter values, and
+ * it matches the received value, sender is known to be sane.
+ */
+ if (in_seq == exp_seq) {
+ if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ || (exp_seq & 0xFFFF8000) == 0x00008000
+ || (exp_seq & 0xFF800000) == 0x00800000)
+ ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ;
+ return 1;
+ }
+
+ /*
+ * Magic wraparound for the case where the intial sequence number
+ * is in the ambiguous range. This means that the sender's
+ * counter is at a different count than ours, so we correct ours,
+ * and mark the sender as being a broken Heimdal implementation.
+ */
+ if (exp_seq == 0
+ && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) {
+ switch (in_seq) {
+ case 0x100:
+ case 0x10000:
+ case 0x1000000:
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ exp_seq = in_seq;
+ return 1;
+ default:
+ return 0;
+ }
+ }
+ return 0;
+}
+
+static krb5_boolean
+chk_heimdal_seqnum(krb5_ui_4 exp_seq, krb5_ui_4 in_seq)
+{
+ if (( exp_seq & 0xFF800000) == 0x00800000
+ && (in_seq & 0xFF800000) == 0xFF800000
+ && (in_seq & 0x00FFFFFF) == exp_seq)
+ return 1;
+ else if (( exp_seq & 0xFFFF8000) == 0x00008000
+ && (in_seq & 0xFFFF8000) == 0xFFFF8000
+ && (in_seq & 0x0000FFFF) == exp_seq)
+ return 1;
+ else if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ && (in_seq & 0xFFFFFF80) == 0xFFFFFF80
+ && (in_seq & 0x000000FF) == exp_seq)
+ return 1;
+ else
+ return 0;
+}
krb5_address * local_addr;
krb5_address * local_port;
krb5_keyblock * keyblock;
- krb5_keyblock * local_subkey;
- krb5_keyblock * remote_subkey;
+ krb5_keyblock * send_subkey;
+ krb5_keyblock * recv_subkey;
krb5_int32 auth_context_flags;
- krb5_int32 remote_seq_number;
- krb5_int32 local_seq_number;
+ krb5_ui_4 remote_seq_number;
+ krb5_ui_4 local_seq_number;
krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/
krb5_cksumtype req_cksumtype; /* mk_safe, ... */
krb5_cksumtype safe_cksumtype; /* mk_safe, ... */
#define KRB5_AUTH_CONN_INITIALIZED 0x00010000
#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000
#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000
+#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000
+#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000
#endif
+/*
+** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc.
+*/
#include <string.h>
#include "k5-int.h"
#include "krb5_err.h"
#include "auth_con.h"
-krb5_error_code KRB5_CALLCONV
-krb5_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet)
+
+krb5_error_code
+krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet)
{
krb5_error_code ret = 0;
krb5_data clearpw;
return(ret);
}
-krb5_error_code KRB5_CALLCONV
-krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
+krb5_error_code
+krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
{
char *ptr;
int plen, vno;
ap_rep.data = ptr;
ptr += ap_rep.length;
- if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc)))
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmp);
return(ret);
+ }
krb5_free_ap_rep_enc_part(context, ap_rep_enc);
cipherresult.data = ptr;
cipherresult.length = (packet->data + packet->length) - ptr;
- /* XXX there's no api to do this right. The problem is that
- if there's a remote subkey, it will be used. This is
- not what the spec requires */
-
- tmp = auth_context->remote_subkey;
- auth_context->remote_subkey = NULL;
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
+ krb5_free_keyblock(context, tmp);
+ if (ret)
+ return ret;
ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
&replay);
- auth_context->remote_subkey = tmp;
-
if (ret)
return(ret);
} else {
*result_code = (*result_code<<8) | (*ptr++ & 0xff);
if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
- (*result_code > KRB5_KPASSWD_SOFTERROR)) {
+ (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
return(0);
}
+
+krb5_error_code
+krb5int_mk_setpw_req(
+ krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ krb5_principal targprinc,
+ char *passwd,
+ krb5_data *packet )
+{
+ krb5_error_code ret;
+ krb5_data cipherpw;
+ krb5_data *encoded_setpw;
+
+ char *ptr;
+ int count = 2;
+
+ cipherpw.data = NULL;
+ cipherpw.length = 0;
+
+ if (ret = krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE))
+ return(ret);
+
+ ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw);
+ if (ret) {
+ return ret;
+ }
+
+ if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
+ krb5_free_data( context, encoded_setpw);
+ return(ret);
+ }
+ krb5_free_data( context, encoded_setpw);
+
+
+ packet->length = 6 + ap_req->length + cipherpw.length;
+ packet->data = (char *) malloc(packet->length);
+ if (packet->data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ ptr = packet->data;
+/*
+** build the packet -
+*/
+/* put in the length */
+ *ptr++ = (packet->length>>8) & 0xff;
+ *ptr++ = packet->length & 0xff;
+/* put in the version */
+ *ptr++ = (char)0xff;
+ *ptr++ = (char)0x80;
+/* the ap_req length is big endian */
+ *ptr++ = (ap_req->length>>8) & 0xff;
+ *ptr++ = ap_req->length & 0xff;
+/* put in the request data */
+ memcpy(ptr, ap_req->data, ap_req->length);
+ ptr += ap_req->length;
+/*
+** put in the "private" password data -
+*/
+ memcpy(ptr, cipherpw.data, cipherpw.length);
+ ret = 0;
+ cleanup:
+ if (cipherpw.data)
+ krb5_free_data_contents(context, &cipherpw);
+ if ((ret != 0) && packet->data) {
+ free( packet->data);
+ packet->data = NULL;
+ }
+ return ret;
+}
+
+krb5_error_code
+krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet,
+ int *result_code, krb5_data *result_data )
+{
+ char *ptr;
+ unsigned int message_length, version_number;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_enc;
+ krb5_error_code ret;
+ krb5_data cipherresult;
+ krb5_data clearresult;
+ krb5_replay_data replay;
+ krb5_keyblock *tmpkey;
+/*
+** validate the packet length -
+*/
+ if (packet->length < 4)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+
+ ptr = packet->data;
+
+/*
+** see if it is an error
+*/
+ if (krb5_is_krb_error(packet)) {
+ krb5_error *krberror;
+ if (ret = krb5_rd_error(context, packet, &krberror))
+ return(ret);
+ if (krberror->e_data.data == NULL) {
+ ret = ERROR_TABLE_BASE_krb5 + krberror->error;
+ krb5_free_error(context, krberror);
+ return (ret);
+ }
+ clearresult = krberror->e_data;
+ krberror->e_data.data = NULL; /*So we can free it later*/
+ krberror->e_data.length = 0;
+ krb5_free_error(context, krberror);
+
+ } else { /* Not an error*/
+
+/*
+** validate the message length -
+** length is big endian
+*/
+ message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure the message length and packet length agree -
+*/
+ if (message_length != packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** get the version number -
+*/
+ version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure we support the version returned -
+*/
+/*
+** set password version is 0xff80, change password version is 1
+*/
+ if (version_number != 0xff80 && version_number != 1)
+ return(KRB5KDC_ERR_BAD_PVNO);
+/*
+** now fill in ap_rep with the reply -
+*/
+/*
+** get the reply length -
+*/
+ ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** validate ap_rep length agrees with the packet length -
+*/
+ if (ptr + ap_rep.length >= packet->data + packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** if data was returned, set the ap_rep ptr -
+*/
+ if( ap_rep.length ) {
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmpkey);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+/*
+** now decrypt the result -
+*/
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ NULL);
+ if (ret)
+ return(ret);
+ } /*We got an ap_rep*/
+ else
+ return (KRB5KRB_AP_ERR_MODIFIED);
+ } /*Response instead of error*/
+
+/*
+** validate the cleartext length
+*/
+ if (clearresult.length < 2) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** now decode the result -
+*/
+ ptr = clearresult.data;
+
+ *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+
+/*
+** result code 5 is access denied
+*/
+ if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5))
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** all success replies should be authenticated/encrypted
+*/
+ if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) )
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+
+ if (result_data) {
+ result_data->length = (clearresult.data + clearresult.length) - ptr;
+
+ if (result_data->length)
+ {
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data)
+ memcpy(result_data->data, ptr, result_data->length);
+ }
+ else
+ result_data->data = NULL;
+ }
+ ret = 0;
+
+ cleanup:
+ krb5_free_data_contents(context, &clearresult);
+ return(ret);
+}
+
+krb5_error_code
+krb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string )
+{
+ switch (result_code)
+ {
+ case KRB5_KPASSWD_MALFORMED:
+ *code_string = "Malformed request error";
+ break;
+ case KRB5_KPASSWD_HARDERROR:
+ *code_string = "Server error";
+ break;
+ case KRB5_KPASSWD_AUTHERROR:
+ *code_string = "Authentication error";
+ break;
+ case KRB5_KPASSWD_SOFTERROR:
+ *code_string = "Password change rejected";
+ break;
+ case 5: /* access denied */
+ *code_string = "Access denied";
+ break;
+ case 6: /* bad version */
+ *code_string = "Wrong protocol version";
+ break;
+ case 7: /* initial flag is needed */
+ *code_string = "Initial password required";
+ break;
+ case 0:
+ *code_string = "Success";
+ default:
+ *code_string = "Password change failed";
+ break;
+ }
+
+ return(0);
+}
+
--- /dev/null
+/*
+ * Copyright 1994 by OpenVision Technologies, Inc.
+ *
+ * Permission to use, copy, modify, distribute, and sell this software
+ * and its documentation for any purpose is hereby granted without fee,
+ * provided that the above copyright notice appears in all copies and
+ * that both that copyright notice and this permission notice appear in
+ * supporting documentation, and that the name of OpenVision not be used
+ * in advertising or publicity pertaining to distribution of the software
+ * without specific, written prior permission. OpenVision makes no
+ * representations about the suitability of this software for any
+ * purpose. It is provided "as is" without express or implied warranty.
+ *
+ * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+ * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "k5-int.h"
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include "port-sockets.h"
+#include "socket-utils.h"
+
+#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck */
+#include "kerberosIV/krb.h"
+
+#ifdef USE_CCAPI
+#include <CredentialsCache.h>
+#endif
+
+#define krb524_debug krb5int_krb524_debug
+int krb524_debug = 0;
+
+static krb5_error_code krb524_convert_creds_plain
+(krb5_context context, krb5_creds *v5creds,
+ CREDENTIALS *v4creds);
+
+static int decode_v4tkt
+ (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
+
+krb5_error_code KRB5_CALLCONV
+krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
+ CREDENTIALS *v4creds)
+{
+ krb5_error_code ret;
+ krb5_data reply;
+ char *p;
+ struct sockaddr_storage ss;
+ socklen_t slen = sizeof(ss);
+
+ ret = krb524_convert_creds_plain(context, v5creds, v4creds);
+ if (ret)
+ return ret;
+
+ reply.data = NULL;
+ ret = krb5int_524_sendto_kdc(context, &v5creds->ticket,
+ &v5creds->server->realm, &reply,
+ ss2sa(&ss), &slen);
+ if (ret)
+ return ret;
+
+#if TARGET_OS_MAC
+#ifdef USE_CCAPI
+ v4creds->stk_type = cc_v4_stk_des;
+#endif
+ if (slen == sizeof(struct sockaddr_in)
+ && ss2sa(&ss)->sa_family == AF_INET) {
+ v4creds->address = ss2sin(&ss)->sin_addr.s_addr;
+ }
+ /* Otherwise, leave it set to all-zero. */
+#endif
+
+ p = reply.data;
+ ret = ntohl(*((krb5_error_code *) p));
+ p += sizeof(krb5_int32);
+ reply.length -= sizeof(krb5_int32);
+ if (ret)
+ goto fail;
+
+ v4creds->kvno = ntohl(*((krb5_error_code *) p));
+ p += sizeof(krb5_int32);
+ reply.length -= sizeof(krb5_int32);
+ ret = decode_v4tkt(&v4creds->ticket_st, p, &reply.length);
+
+fail:
+ if (reply.data)
+ free(reply.data);
+ reply.data = NULL;
+ return ret;
+}
+
+static krb5_error_code
+krb524_convert_creds_plain(context, v5creds, v4creds)
+ krb5_context context;
+ krb5_creds *v5creds;
+ CREDENTIALS *v4creds;
+{
+ int ret;
+ krb5_timestamp endtime;
+ char dummy[REALM_SZ];
+ memset((char *) v4creds, 0, sizeof(CREDENTIALS));
+
+ if ((ret = krb5_524_conv_principal(context, v5creds->client,
+ v4creds->pname, v4creds->pinst,
+ dummy)))
+ return ret;
+ if ((ret = krb5_524_conv_principal(context, v5creds->server,
+ v4creds->service, v4creds->instance,
+ v4creds->realm)))
+ return ret;
+
+ /* Check enctype too */
+ if (v5creds->keyblock.length != sizeof(C_Block)) {
+ if (krb524_debug)
+ fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n",
+ v5creds->keyblock.length,
+ (int) sizeof(C_Block));
+ return KRB524_BADKEY;
+ } else
+ memcpy(v4creds->session, (char *) v5creds->keyblock.contents,
+ sizeof(C_Block));
+
+ /* V4 has no concept of authtime or renew_till, so ignore them */
+ v4creds->issue_date = v5creds->times.starttime;
+ v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
+ v5creds->times.endtime);
+ endtime = krb5int_krb_life_to_time(v5creds->times.starttime,
+ v4creds->lifetime);
+ /*
+ * Adjust start time backwards to deal with rounding up in
+ * krb_time_to_life(), to match code on server side.
+ */
+ if (endtime > v5creds->times.endtime)
+ v4creds->issue_date -= endtime - v5creds->times.endtime;
+
+ return 0;
+}
+
+/* this used to be krb524/encode.c, under same copyright as above */
+/*
+ * I'm sure that this is reinventing the wheel, but I don't know where
+ * the wheel is hidden.
+ */
+
+int encode_v4tkt (KTEXT_ST *, char *, unsigned int *);
+static int encode_bytes (char **, int *, char *, unsigned int),
+ encode_int32 (char **, int *, krb5_int32 *);
+
+static int decode_bytes (char **, int *, char *, unsigned int),
+ decode_int32 (char **, int *, krb5_int32 *);
+
+static int encode_bytes(out, outlen, in, len)
+ char **out;
+ int *outlen;
+ char *in;
+ unsigned int len;
+{
+ if (len > *outlen)
+ return KRB524_ENCFULL;
+ memcpy(*out, in, len);
+ *out += len;
+ *outlen -= len;
+ return 0;
+}
+
+static int encode_int32(out, outlen, v)
+ char **out;
+ int *outlen;
+ krb5_int32 *v;
+{
+ krb5_int32 nv; /* Must be 4 bytes */
+
+ nv = htonl(*v);
+ return encode_bytes(out, outlen, (char *) &nv, sizeof(nv));
+}
+
+int krb5int_encode_v4tkt(v4tkt, buf, encoded_len)
+ KTEXT_ST *v4tkt;
+ char *buf;
+ unsigned int *encoded_len;
+{
+ int buflen, ret;
+
+ buflen = *encoded_len;
+
+ if ((ret = encode_int32(&buf, &buflen, &v4tkt->length)))
+ return ret;
+ if ((ret = encode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
+ return ret;
+ if ((ret = encode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
+ return ret;
+
+ *encoded_len -= buflen;
+ return 0;
+}
+
+/* decode functions */
+
+static int decode_bytes(out, outlen, in, len)
+ char **out;
+ int *outlen;
+ char *in;
+ unsigned int len;
+{
+ if (len > *outlen)
+ return KRB524_DECEMPTY;
+ memcpy(in, *out, len);
+ *out += len;
+ *outlen -= len;
+ return 0;
+}
+
+static int decode_int32(out, outlen, v)
+ char **out;
+ int *outlen;
+ krb5_int32 *v;
+{
+ int ret;
+ krb5_int32 nv; /* Must be four bytes */
+
+ if ((ret = decode_bytes(out, outlen, (char *) &nv, sizeof(nv))))
+ return ret;
+ *v = ntohl(nv);
+ return 0;
+}
+
+static int decode_v4tkt(v4tkt, buf, encoded_len)
+ KTEXT_ST *v4tkt;
+ char *buf;
+ unsigned int *encoded_len;
+{
+ int buflen, ret;
+
+ buflen = *encoded_len;
+ if ((ret = decode_int32(&buf, &buflen, &v4tkt->length)))
+ return ret;
+ if ((ret = decode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
+ return ret;
+ if ((ret = decode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
+ return ret;
+ *encoded_len -= buflen;
+ return 0;
+}
+
+#else /* no krb4 compat */
+
+krb5_error_code KRB5_CALLCONV
+krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds)
+{
+ return KRB524_KRB4_DISABLED;
+}
+
+#endif
+
+/* These may be needed for object-level backwards compatibility on Mac
+ OS and UNIX, but Windows should be okay. */
+#ifndef _WIN32
+#undef krb524_convert_creds_kdc
+krb5_error_code KRB5_CALLCONV
+krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds)
+{
+ return krb5_524_convert_creds(context, v5creds, v4creds);
+}
+
+#undef krb524_init_ets
+void KRB5_CALLCONV krb524_init_ets ()
+{
+}
+#endif
*outdata = tempdata;
return 0;
}
+
+krb5_error_code
+krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata)
+{
+ if (!indata) {
+ return EINVAL;
+ }
+
+
+ outdata->length = indata->length;
+ if (outdata->length) {
+ if (!(outdata->data = malloc(outdata->length))) {
+ krb5_xfree(outdata);
+ return ENOMEM;
+ }
+ memcpy((char *)outdata->data, (char *)indata->data, outdata->length);
+ } else
+ outdata->data = 0;
+ outdata->magic = KV5M_DATA;
+
+ return 0;
+}
int free_rhost = 0;
krb5_enctype enctype = 0;
krb5_keyblock *session_key;
+ krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
memset((char *)&creds, 0, sizeof(creds));
memset((char *)&tgt, 0, sizeof(creds));
goto errout;
/* fetch tgt directly from cache */
+ context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES,
&creds, &tgt);
+ context->use_conf_ktypes = old_use_conf_ktypes;
if (retval)
goto errout;
kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds)))
- goto errout;
-
+ addrs, &creds, &pcreds))) {
+ if (enctype) {
+ creds.keyblock.enctype = 0;
+ if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
+ addrs, &creds, &pcreds)))
+ goto errout;
+ }
+ else goto errout;
+ }
retval = krb5_mk_1cred(context, auth_context, pcreds,
&scratch, &replaydata);
krb5_free_creds(context, pcreds);
/*
- * Copyright (c) 1994 by the Massachusetts Institute of Technology.
+ * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology.
* Copyright (c) 1994 CyberSAFE Corporation
* Copyright (c) 1993 Open Computing Security Group
* Copyright (c) 1990,1991 by the Massachusetts Institute of Technology.
krb5_principal *top_server = NULL;
krb5_principal *next_server = NULL;
unsigned int nservers = 0;
+ krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
/* in case we never get a TGT, zero the return */
goto cleanup;
}
+ context->use_conf_ktypes = 1;
if ((retval = krb5_cc_retrieve_cred(context, ccache,
KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
&tgtq, &tgt))) {
krb5_free_cred_contents(context, &tgtq);
memset(&tgtq, 0, sizeof(tgtq));
-#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
tgtq.times = tgt.times;
-#else
- memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times));
-#endif
-
if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client)))
goto cleanup;
if ((retval = krb5_copy_principal(context, int_server, &tgtq.server)))
goto cleanup;
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt,
- FLAGS2OPTS(tgtq.ticket_flags),
- tgt.addresses, &tgtq, &tgtr))) {
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgtq.ticket_flags),
+ tgt.addresses, &tgtq, &tgtr);
+ if (retval) {
/*
* couldn't get one so now loop backwards through the realms
goto cleanup;
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt,
- FLAGS2OPTS(tgtq.ticket_flags),
- tgt.addresses,
- &tgtq, &tgtr))) {
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgtq.ticket_flags),
+ tgt.addresses,
+ &tgtq, &tgtr);
+ if (retval)
continue;
- }
/* save tgt in return array */
if ((retval = krb5_copy_creds(context, tgtr,
for (next_server = top_server; *next_server; next_server++) {
krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1);
krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1);
- if (realm_1->length == realm_2->length &&
+ if (realm_1 != NULL &&
+ realm_2 != NULL &&
+ realm_1->length == realm_2->length &&
!memcmp(realm_1->data, realm_2->data, realm_1->length)) {
break;
}
goto cleanup;
}
- retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ context->use_conf_ktypes = old_use_conf_ktypes;
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgt.ticket_flags) |
+ kdcopt |
+ (in_cred->second_ticket.length ?
+ KDC_OPT_ENC_TKT_IN_SKEY : 0),
tgt.addresses, in_cred, out_cred);
/* cleanup and return */
if (ret_tgts) free(ret_tgts);
krb5_free_cred_contents(context, &tgt);
}
+ context->use_conf_ktypes = old_use_conf_ktypes;
return(retval);
}
#endif
krb5_error_code
-krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_int32 *seqno)
+krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui_4 *seqno)
{
krb5_data seed;
krb5_error_code retval;
seed.length = sizeof(*seqno);
seed.data = (char *) seqno;
- return(krb5_c_random_make_octets(context, &seed));
+ retval = krb5_c_random_make_octets(context, &seed);
+ if (retval)
+ return retval;
+ /*
+ * Work around implementation incompatibilities by not generating
+ * initial sequence numbers greater than 2^30. Previous MIT
+ * implementations use signed sequence numbers, so initial
+ * sequence numbers 2^31 to 2^32-1 inclusive will be rejected.
+ * Letting the maximum initial sequence number be 2^30-1 allows
+ * for about 2^30 messages to be sent before wrapping into
+ * "negative" numbers.
+ */
+ *seqno &= 0x3ffffff;
+ if (*seqno == 0)
+ *seqno = 1;
+ return 0;
}
/*
* lib/krb5/krb/get_in_tkt.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
(request->rtime != 0) &&
(as_reply->enc_part2->times.renew_till > request->rtime))
|| ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+ !(request->kdc_options & KDC_OPT_RENEWABLE) &&
(as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
(request->till != 0) &&
(as_reply->enc_part2->times.renew_till > request->till))
}
#define MAX_IN_TKT_LOOPS 16
+static krb5_enctype get_in_tkt_enctypes[] = {
+ ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_CRC,
+ 0
+};
+
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt(krb5_context context,
request.from = creds->times.starttime;
request.till = creds->times.endtime;
request.rtime = creds->times.renew_till;
- if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype)))
+
+ request.ktype = malloc (sizeof(get_in_tkt_enctypes));
+ if (request.ktype == NULL) {
+ retval = ENOMEM;
goto cleanup;
+ }
+ memcpy(request.ktype, get_in_tkt_enctypes, sizeof(get_in_tkt_enctypes));
for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++);
if (ktypes) {
int i, req, next = 0;
krb5_deltat renew_life;
int loopcount;
krb5_data salt;
+ krb5_data s2kparams;
krb5_keyblock as_key;
krb5_error *err_reply;
krb5_kdc_rep *local_as_reply;
/* initialize everything which will be freed at cleanup */
+ s2kparams.data = NULL;
+ s2kparams.length = 0;
request.server = NULL;
request.ktype = NULL;
request.addresses = NULL;
/* request.padata is filled in later */
- request.kdc_options = 0;
+ request.kdc_options = context->kdc_default_options;
/* forwardable */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE))
request.till += options->tkt_life;
else
- request.till += 10*60*60; /* this used to be hardcoded in kinit.c */
+ request.till += 24*60*60; /* this used to be hardcoded in kinit.c */
if (renew_life > 0) {
request.rtime = request.from;
request.rtime += renew_life;
+ if (request.rtime >= request.till)
+ request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
} else {
request.rtime = 0;
}
if ((ret = krb5_do_preauth(context, &request,
padata, &request.padata,
- &salt, &etype, &as_key, prompter,
+ &salt, &s2kparams, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data)))
goto cleanup;
if ((ret = krb5_do_preauth(context, &request,
local_as_reply->padata, &padata,
- &salt, &etype, &as_key, prompter,
+ &salt, &s2kparams, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data)))
goto cleanup;
if ((ret = ((*gak_fct)(context, request.client,
local_as_reply->enc_part.enctype,
- prompter, prompter_data, &salt,
+ prompter, prompter_data, &salt, &s2kparams,
&as_key, gak_data))))
goto cleanup;
if (salt.data &&
(!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
krb5_xfree(salt.data);
+ krb5_free_data_contents(context, &s2kparams);
if (as_reply)
*as_reply = local_as_reply;
else if (local_as_reply)
+/*
+ * lib/krb5/krb/gic_keytab.c
+ *
+ * Copyright (C) 2002, 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
#include "k5-int.h"
static krb5_error_code
krb5_prompter_fct prompter,
void *prompter_data,
krb5_data *salt,
+ krb5_data *params,
krb5_keyblock *as_key,
void *gak_data)
{
return(ret);
}
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ krb5_keytab arg_keytab, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_get_init_creds_opt opt;
+ char * server = NULL;
+ krb5_keytab keytab;
+ krb5_principal client_princ, server_princ;
+
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ if (arg_keytab == NULL) {
+ retval = krb5_kt_default(context, &keytab);
+ if (retval)
+ return retval;
+ }
+ else keytab = arg_keytab;
+
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ goto cleanup;
+ server_princ = creds->server;
+ client_princ = creds->client;
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_keytab, (void *)keytab,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ goto cleanup;
+ }
+ if (creds->server)
+ krb5_free_principal( context, creds->server);
+ if (creds->client)
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+ cleanup: if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
+ return retval;
+}
+
krb5_prompter_fct prompter,
void *prompter_data,
krb5_data *salt,
+ krb5_data *params,
krb5_keyblock *as_key,
void *gak_data)
{
return(EIO);
if ((ret = krb5_unparse_name(context, client, &clientstr)))
- return(ret);
+ return(ret);
strcpy(promptstr, "Password for ");
strncat(promptstr, clientstr, sizeof(promptstr)-strlen(promptstr)-1);
defsalt.length = 0;
}
- ret = krb5_c_string_to_key(context, etype, password, salt, as_key);
+ ret = krb5_c_string_to_key_with_params(context, etype, password, salt,
+ params->data?params:NULL, as_key);
if (defsalt.length)
krb5_xfree(defsalt.data);
return(ret);
}
+void krb5int_populate_gic_opt (
+ krb5_context context, krb5_get_init_creds_opt *opt,
+ krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types)
+{
+ int i;
+ krb5_get_init_creds_opt_init(opt);
+ if (addrs)
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ if (ktypes) {
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ }
+ if (pre_auth_types) {
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ }
+ if (options&KDC_OPT_FORWARDABLE)
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ else krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ if (options&KDC_OPT_PROXIABLE)
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ else krb5_get_init_creds_opt_set_proxiable(opt, 0);
+
+
+}
+
+/*
+ Rewrites get_in_tkt in terms of newer get_init_creds API.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
+
+ If password is non-NULL, it is converted using the cryptosystem entry
+ point for a string conversion routine, seeded with the client's name.
+ If password is passed as NULL, the password is read from the terminal,
+ and then converted into a key.
+
+ A succesful call will place the ticket in the credentials cache ccache.
+
+ returns system errors, encryption errors
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const char *password, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_data pw0;
+ char pw0array[1024];
+ krb5_get_init_creds_opt opt;
+ char * server;
+ krb5_principal server_princ, client_princ;
+
+ pw0array[0] = '\0';
+ pw0.data = pw0array;
+ if (password) {
+ pw0.length = strlen(password);
+ if (pw0.length > sizeof(pw0array))
+ return EINVAL;
+ strncpy(pw0.data, password, sizeof(pw0array));
+ if (pw0.length == 0)
+ pw0.length = sizeof(pw0array);
+ } else {
+ pw0.length = sizeof(pw0array);
+ }
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ return (retval);
+ server_princ = creds->server;
+ client_princ = creds->client;
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_password, &pw0,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ return (retval);
+ }
+ if (creds->server)
+ krb5_free_principal( context, creds->server);
+ if (creds->client)
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ return (retval);
+ return retval;
+ }
+
+++ /dev/null
-/*
- * lib/krb5/krb/in_tkt_ktb.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_keytab()
- *
- */
-
-#include "k5-int.h"
-
-struct keytab_keyproc_arg {
- krb5_keytab keytab;
- krb5_principal client;
-};
-
-/*
- * Key-generator for in_tkt_keytab, below.
- * "keyseed" is actually a krb5_keytab, or NULL if we should fetch
- * from system area.
- */
-static krb5_error_code keytab_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-keytab_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- const struct keytab_keyproc_arg * arg =
- (const struct keytab_keyproc_arg *)keyseed;
- krb5_keyblock *realkey;
- krb5_error_code retval = 0;
- krb5_keytab kt_id;
- krb5_keytab_entry kt_ent;
-
- kt_id = arg->keytab;
-
- if (!krb5_c_valid_enctype(type))
- return KRB5_PROG_ETYPE_NOSUPP;
-
- if (kt_id == NULL)
- /* Fetch from default keytab location */
- if ((retval = krb5_kt_default(context, &kt_id)))
- return retval;
-
-
- if ((retval = krb5_kt_get_entry(context, kt_id, arg->client,
- 0, /* don't have vno available */
- type, &kt_ent)))
- goto cleanup;
-
- if ((retval = krb5_copy_keyblock(context, &kt_ent.key, &realkey))) {
- (void) krb5_kt_free_entry(context, &kt_ent);
- goto cleanup;
- }
-
- (void) krb5_kt_free_entry(context, &kt_ent);
- *key = realkey;
-
-cleanup:
- if (! arg->keytab)
- krb5_kt_close(context, kt_id);
- return retval;
-}
-
-/*
- Similar to krb5_get_in_tkt_with_skey.
-
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
-
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- krb5_keytab keytab, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- struct keytab_keyproc_arg arg;
-
- arg.keytab = keytab;
- arg.client = creds->client;
-
- return(krb5_get_in_tkt(context, options, addrs, ktypes,
- pre_auth_types,
- keytab_keyproc, (krb5_pointer)&arg,
- krb5_kdc_rep_decrypt_proc, 0, creds,
- ccache, ret_as_reply));
-}
+++ /dev/null
-/*
- * lib/krb5/krb/in_tkt_pwd.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_password()
- */
-
-#include "k5-int.h"
-
-extern char *krb5_default_pwd_prompt1;
-
-/*
- * key-producing procedure for use by krb5_get_in_tkt_with_password.
- */
-static krb5_error_code pwd_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-pwd_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- krb5_error_code retval;
- krb5_data * password;
- unsigned int pwsize;
-
- password = (krb5_data *)keyseed;
-
- if (!password->length) {
- pwsize = BUFSIZ;
- if ((password->data = malloc(pwsize)) == NULL)
- return ENOMEM;
-
- if ((retval = krb5_read_password(context, krb5_default_pwd_prompt1, 0,
- password->data, &pwsize))) {
- return retval;
- }
- password->length = pwsize;
- }
-
- if (!(*key = (krb5_keyblock *)malloc(sizeof(**key))))
- return ENOMEM;
-
- if ((retval = krb5_c_string_to_key(context, type, password, salt, *key)))
- krb5_xfree(*key);
-
- return(retval);
-}
-
-/*
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- If password is non-NULL, it is converted using the cryptosystem entry
- point for a string conversion routine, seeded with the client's name.
- If password is passed as NULL, the password is read from the terminal,
- and then converted into a key.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const char *password, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- krb5_error_code retval;
- krb5_data data;
-
-
- if ((data.data = (char *)password)) {
- data.length = strlen(password);
- } else {
- data.length = 0;
- }
-
- retval = krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
- pwd_keyproc, (krb5_pointer) &data,
- krb5_kdc_rep_decrypt_proc, 0,
- creds, ccache, ret_as_reply);
-
- if ((password == NULL) && (data.data)) {
- memset(data.data, 0, strlen(data.data));
- free(data.data);
- }
-
- return retval;
-}
-
/*
* lib/krb5/krb/init_ctx.c
*
- * Copyright 1994,1999,2000, 2002 by the Massachusetts Institute of Technology.
+ * Copyright 1994,1999,2000, 2002, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
them. This'll be fixed, but for better compatibility, let's prefer
des-crc for now. */
#define DEFAULT_ETYPE_LIST \
+ "aes256-cts-hmac-sha1-96 " \
"des3-cbc-sha1 arcfour-hmac-md5 " \
"des-cbc-crc des-cbc-md5 des-cbc-md4 "
+/* Not included:
+ "aes128-cts-hmac-sha1-96 " \
+ */
+
#if (defined(_WIN32))
extern krb5_error_code krb5_vercheck();
extern void krb5_win_ccdll_load(krb5_context context);
if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
goto cleanup;
+ ctx->conf_tgs_ktypes = calloc(ctx->tgs_ktype_count, sizeof(krb5_enctype));
+ if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0)
+ goto cleanup;
+ memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes,
+ sizeof(krb5_enctype) * ctx->tgs_ktype_count);
+ ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count;
+
if ((retval = krb5_os_init_context(ctx)))
goto cleanup;
"kdc_default_options", 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = tmp;
-#if TARGET_OS_MAC
#define DEFAULT_KDC_TIMESYNC 1
-#else
-#define DEFAULT_KDC_TIMESYNC 0
-#endif
profile_get_integer(ctx->profile, "libdefaults",
"kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
&tmp);
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
-#if TARGET_OS_MAC
#define DEFAULT_CCACHE_TYPE 4
-#else
-#define DEFAULT_CCACHE_TYPE 3
-#endif
profile_get_integer(ctx->profile, "libdefaults", "ccache_type",
0, DEFAULT_CCACHE_TYPE, &tmp);
ctx->fcc_default_format = tmp + 0x0500;
ctx->scc_default_format = tmp + 0x0500;
ctx->prompt_types = 0;
+ ctx->use_conf_ktypes = 0;
ctx->udp_pref_limit = -1;
*context = ctx;
ctx->tgs_ktypes = 0;
}
+ if (ctx->conf_tgs_ktypes) {
+ free(ctx->conf_tgs_ktypes);
+ ctx->conf_tgs_ktypes = 0;
+ }
+
if (ctx->default_realm) {
free(ctx->default_realm);
ctx->default_realm = 0;
}
static krb5_error_code
-get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, int ctx_count, krb5_enctype *ctx_list)
+get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr,
+ int ctx_count, krb5_enctype *ctx_list)
{
krb5_enctype *old_ktypes;
KRB5_CALLCONV
krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes)
{
- return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
- context->tgs_ktype_count,
- context->tgs_ktypes));
+ if (context->use_conf_ktypes)
+ /* This one is set *only* by reading the config file; it's not
+ set by the application. */
+ return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ context->conf_tgs_ktypes_count,
+ context->conf_tgs_ktypes));
+ else
+ return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ context->tgs_ktype_count,
+ context->tgs_ktypes));
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
{
return(get_profile_etype_list(context, ktypes, "permitted_enctypes",
for(i=0; info[i] != NULL; i++) {
if (info[i]->salt)
free(info[i]->salt);
+ krb5_free_data_contents( context, &info[i]->s2kparams);
free(info[i]);
}
free(info);
void KRB5_CALLCONV
krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val)
{
- if ((*val)->passwd) {
- krb5_xfree((*val)->passwd);
- (*val)->passwd = 0;
- }
- if ((*val)->phrase) {
- krb5_xfree((*val)->phrase);
- (*val)->phrase = 0;
+ register passwd_phrase_element **temp;
+
+ for (temp = val; *temp; temp++) {
+ if ((*temp)->passwd) {
+ krb5_free_data(context, (*temp)->passwd);
+ (*temp)->passwd = 0;
+ }
+ if ((*temp)->phrase) {
+ krb5_free_data(context, (*temp)->phrase);
+ (*temp)->phrase = 0;
+ }
+ krb5_xfree(*temp);
}
+ krb5_xfree(val);
}
memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
memset((char *) &replaydata, 0, sizeof(krb5_replay_data));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
krb5_generate_authenticator (krb5_context,
krb5_authenticator *, krb5_principal,
krb5_checksum *, krb5_keyblock *,
- krb5_int32, krb5_authdata ** );
+ krb5_ui_4, krb5_authdata ** );
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
goto cleanup;
}
- if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) {
+ if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
/* Provide some more fodder for random number code.
This isn't strong cryptographically; the point here is not
to guarantee randomness, but to make it less likely that multiple
(void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
- &(*auth_context)->local_subkey)))
+ &(*auth_context)->send_subkey)))
goto cleanup;
+ retval = krb5_copy_keyblock(context, (*auth_context)->send_subkey,
+ &((*auth_context)->recv_subkey));
+ if (retval) {
+ krb5_free_keyblock(context, (*auth_context)->send_subkey);
+ (*auth_context)->send_subkey = NULL;
+ goto cleanup;
+ }
}
if ((retval = krb5_generate_authenticator(context,
(*auth_context)->authentp,
(in_creds)->client, checksump,
- (*auth_context)->local_subkey,
+ (*auth_context)->send_subkey,
(*auth_context)->local_seq_number,
(in_creds)->authdata)))
goto cleanup_cksum;
}
static krb5_error_code
-krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_int32 seq_number, krb5_authdata **authorization)
+krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_ui_4 seq_number, krb5_authdata **authorization)
{
krb5_error_code retval;
memset((char *) &replaydata, 0, sizeof(krb5_replay_data));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
cp++;
size++;
} else if (c == COMPONENT_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
i++;
} else if (c == REALM_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
parsed_realm = cp+1;
} else
if (parsed_realm)
krb5_princ_realm(context, principal)->length = size;
else
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
if (i + 1 != components) {
#if !defined(_WIN32) && !defined(macintosh)
fprintf(stderr,
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt, krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter_fct,
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt, krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
{
krb5_data tmp;
- /* screw the abstraction. If there was a *reasonable* copy_data,
- I'd use it. But I'm inside the library, which is the twilight
- zone of source code, so I can do anything. */
-
+ tmp.data = in_padata->contents;
tmp.length = in_padata->length;
- if (tmp.length) {
- if ((tmp.data = malloc(tmp.length)) == NULL)
- return ENOMEM;
- memcpy(tmp.data, in_padata->contents, tmp.length);
- } else {
- tmp.data = NULL;
- }
-
- *salt = tmp;
-
- /* assume that no other salt was allocated */
+ krb5_free_data_contents(context, salt);
+ krb5int_copy_data_contents(context, &tmp, salt);
+
if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
salt->length = SALT_TYPE_AFS_LENGTH;
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
if ((ret = ((*gak_fct)(context, request->client,
*etype ? *etype : request->ktype[0],
prompter, prompter_data,
- salt, as_key, gak_data))))
+ salt, s2kparams, as_key, gak_data))))
return(ret);
}
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
*etype = ENCTYPE_DES_CBC_CRC;
if ((ret = (gak_fct)(context, request->client, *etype, prompter,
- prompter_data, salt, as_key, gak_data)))
+ prompter_data, salt, s2kparams, as_key, gak_data)))
return(ret);
}
sprintf(name, "%.*s",
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
retval = (gak_fct)(context, request->client,
sc2b->sam_etype, prompter,
- prompter_data, salt, as_key, gak_data);
+ prompter_data, salt, s2kparams, as_key, gak_data);
if (retval) {
krb5_free_sam_challenge_2(context, sc2);
krb5_free_sam_challenge_2_body(context, sc2b);
},
};
-static void
-sort_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_etype_info_entry **etype_info)
-{
-/* Originally adapted from a proposed solution in ticket 1006. This
- * solution is not efficient, but implementing an efficient sort
- * with a comparison function based on order in the kdc request would
- * be difficult.*/
- krb5_etype_info_entry *tmp;
- int i, j, e;
- krb5_boolean similar;
-
- if (etype_info == NULL)
- return;
-
- /* First, move up etype_info_entries whose enctype exactly matches a
- * requested enctype.
- */
- e = 0;
- for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
- {
- if (request->ktype[i] == etype_info[e]->etype)
- {
- e++;
- continue;
- }
- for ( j = e+1 ; etype_info[j] ; j++ )
- if (request->ktype[i] == etype_info[j]->etype)
- break;
- if (etype_info[j] == NULL)
- continue;
-
- tmp = etype_info[j];
- etype_info[j] = etype_info[e];
- etype_info[e] = tmp;
- e++;
- }
-
- /* Then move up etype_info_entries whose enctype is similar to a
- * requested enctype.
- */
- for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
- {
- if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0)
- continue;
-
- if (similar)
- {
- e++;
- continue;
- }
- for ( j = e+1 ; etype_info[j] ; j++ )
- {
- if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0)
- continue;
-
- if (similar)
- break;
- }
- if (etype_info[j] == NULL)
- continue;
-
- tmp = etype_info[j];
- etype_info[j] = etype_info[e];
- etype_info[e] = tmp;
- e++;
- }
-}
-
-
krb5_error_code
krb5_do_preauth(krb5_context context,
krb5_kdc_req *request,
krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_data *salt, krb5_enctype *etype,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
krb5_gic_get_as_key_fct gak_fct, void *gak_data)
{
int h, i, j, out_pa_list_size;
- krb5_pa_data *out_pa, **out_pa_list;
+ int seen_etype_info2 = 0;
+ krb5_pa_data *out_pa = NULL, **out_pa_list = NULL;
krb5_data scratch;
krb5_etype_info etype_info = NULL;
krb5_error_code ret;
for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) {
realdone = 0;
for (i=0; in_padata[i] && !realdone; i++) {
+ int k, l, etype_found, valid_etype_found;
/*
* This is really gross, but is necessary to prevent
* lossge when talking to a 1.0.x KDC, which returns an
*/
switch (in_padata[i]->pa_type) {
case KRB5_PADATA_ETYPE_INFO:
- if (etype_info)
- continue;
+ case KRB5_PADATA_ETYPE_INFO2:
+ {
+ krb5_preauthtype pa_type = in_padata[i]->pa_type;
+ if (etype_info) {
+ if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2)
+ continue;
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ }
+ }
+
scratch.length = in_padata[i]->length;
scratch.data = (char *) in_padata[i]->contents;
- ret = decode_krb5_etype_info(&scratch, &etype_info);
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ seen_etype_info2++;
+ ret = decode_krb5_etype_info2(&scratch, &etype_info);
+ }
+ else ret = decode_krb5_etype_info(&scratch, &etype_info);
if (ret) {
- if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
- }
- return ret;
+ ret = 0; /*Ignore error and etype_info element*/
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ continue;
}
if (etype_info[0] == NULL) {
krb5_free_etype_info(context, etype_info);
etype_info = NULL;
break;
}
- sort_etype_info(context, request, etype_info);
- salt->data = (char *) etype_info[0]->salt;
- salt->length = etype_info[0]->length;
- *etype = etype_info[0]->etype;
+ /*
+ * Select first etype in our request which is also in
+ * etype-info (preferring client request ktype order).
+ */
+ for (etype_found = 0, valid_etype_found = 0, k = 0;
+ !etype_found && k < request->nktypes; k++) {
+ for (l = 0; etype_info[l]; l++) {
+ if (etype_info[l]->etype == request->ktype[k]) {
+ etype_found++;
+ break;
+ }
+ /* check if program has support for this etype for more
+ * precise error reporting.
+ */
+ if (valid_enctype(etype_info[l]->etype))
+ valid_etype_found++;
+ }
+ }
+ if (!etype_found) {
+ if (valid_etype_found) {
+ /* supported enctype but not requested */
+ ret = KRB5_CONFIG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+ else {
+ /* unsupported enctype */
+ ret = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+
+ }
+ scratch.data = (char *) etype_info[l]->salt;
+ scratch.length = etype_info[l]->length;
+ krb5_free_data_contents(context, salt);
+ if (scratch.length == KRB5_ETYPE_NO_SALT)
+ salt->data = NULL;
+ else
+ if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
+ goto cleanup;
+ *etype = etype_info[l]->etype;
+ krb5_free_data_contents(context, s2kparams);
+ if ((ret = krb5int_copy_data_contents(context,
+ &etype_info[l]->s2kparams,
+ s2kparams)) != 0)
+ goto cleanup;
#ifdef DEBUG
for (j = 0; etype_info[j]; j++) {
krb5_etype_info_entry *e = etype_info[j];
}
#endif
break;
+ }
case KRB5_PADATA_PW_SALT:
case KRB5_PADATA_AFS3_SALT:
if (etype_info)
if ((ret = ((*pa_types[j].fct)(context, request,
in_padata[i], &out_pa,
- salt, etype, as_key,
+ salt, s2kparams, etype, as_key,
prompter, prompter_data,
gak_fct, gak_data)))) {
- if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
- }
- if (etype_info)
- krb5_free_etype_info(context, etype_info);
- return(ret);
+ goto cleanup;
}
if (out_pa) {
if ((out_pa_list =
(krb5_pa_data **)
malloc(2*sizeof(krb5_pa_data *)))
- == NULL)
- return(ENOMEM);
+ == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
} else {
if ((out_pa_list =
(krb5_pa_data **)
realloc(out_pa_list,
(out_pa_list_size+2)*
sizeof(krb5_pa_data *)))
- == NULL)
- /* XXX this will leak the pointers which
+ == NULL) {
+ /* XXX this will leak the pointers which
have already been allocated. oh well. */
- return(ENOMEM);
+ ret = ENOMEM;
+ goto cleanup;
+ }
}
out_pa_list[out_pa_list_size++] = out_pa;
out_pa_list[out_pa_list_size++] = NULL;
*out_padata = out_pa_list;
-
+ if (etype_info)
+ krb5_free_etype_info(context, etype_info);
+
return(0);
+ cleanup:
+ if (out_pa_list) {
+ out_pa_list[out_pa_list_size++] = NULL;
+ krb5_free_pa_data(context, out_pa_list);
+ }
+ if (etype_info)
+ krb5_free_etype_info(context, etype_info);
+ return (ret);
}
krb5_replay_data replaydata;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
krb5_replay_data replaydata;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (auth_context->remote_seq_number != replaydata.seq) {
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
retval = KRB5KRB_AP_ERR_BADORDER;
goto error;
}
/* Set auth subkey */
if ((*repl)->subkey) {
+ if (auth_context->recv_subkey) {
+ krb5_free_keyblock(context, auth_context->recv_subkey);
+ auth_context->recv_subkey = NULL;
+ }
retval = krb5_copy_keyblock(context, (*repl)->subkey,
- &auth_context->remote_subkey);
+ &auth_context->recv_subkey);
+ if (retval)
+ goto clean_scratch;
+ if (auth_context->send_subkey) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ }
+ retval = krb5_copy_keyblock(context, (*repl)->subkey,
+ &auth_context->send_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ }
}
/* Get remote sequence number */
server = request->ticket->server;
}
/* Get an rcache if necessary. */
- if (((*auth_context)->rcache == NULL) && server) {
+ if (((*auth_context)->rcache == NULL)
+ && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+&& server) {
if ((retval = krb5_get_server_rcache(context,
krb5_princ_component(context,server,0), &(*auth_context)->rcache)))
goto cleanup_auth_context;
if ((*auth_context)->authentp->subkey) {
if ((retval = krb5_copy_keyblock(context,
(*auth_context)->authentp->subkey,
- &((*auth_context)->remote_subkey))))
+ &((*auth_context)->recv_subkey))))
goto cleanup;
+ retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
+ &((*auth_context)->send_subkey));
+ if (retval) {
+ krb5_free_keyblock(context, (*auth_context)->recv_subkey);
+ (*auth_context)->recv_subkey = NULL;
+ goto cleanup;
+ }
} else {
- (*auth_context)->remote_subkey = 0;
+ (*auth_context)->recv_subkey = 0;
+ (*auth_context)->send_subkey = 0;
}
if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
return KRB5_RC_REQUIRED;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
{
krb5_address * premote_fulladdr = NULL;
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (auth_context->remote_seq_number != replaydata.seq) {
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
retval = KRB5KRB_AP_ERR_BADORDER;
goto error;
}
required += sizeof(krb5_int32);
}
- /* Calculate size required by local_subkey, if appropriate */
- if (!kret && auth_context->local_subkey) {
+ /* Calculate size required by send_subkey, if appropriate */
+ if (!kret && auth_context->send_subkey) {
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) auth_context->local_subkey,
+ (krb5_pointer) auth_context->send_subkey,
&required);
if (!kret)
required += sizeof(krb5_int32);
}
- /* Calculate size required by remote_subkey, if appropriate */
- if (!kret && auth_context->remote_subkey) {
+ /* Calculate size required by recv_subkey, if appropriate */
+ if (!kret && auth_context->recv_subkey) {
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) auth_context->remote_subkey,
+ (krb5_pointer) auth_context->recv_subkey,
&required);
if (!kret)
required += sizeof(krb5_int32);
}
/* Now handle subkey, if appropriate */
- if (!kret && auth_context->local_subkey) {
+ if (!kret && auth_context->send_subkey) {
(void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
kret = krb5_externalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer)
- auth_context->local_subkey,
+ auth_context->send_subkey,
&bp,
&remain);
}
/* Now handle subkey, if appropriate */
- if (!kret && auth_context->remote_subkey) {
+ if (!kret && auth_context->recv_subkey) {
(void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
kret = krb5_externalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer)
- auth_context->remote_subkey,
+ auth_context->recv_subkey,
&bp,
&remain);
}
kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
}
- /* This is the local_subkey */
+ /* This is the send_subkey */
if (!kret && (tag == TOKEN_LSKBLOCK)) {
if (!(kret = krb5_internalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer *)
&auth_context->
- local_subkey,
+ send_subkey,
&bp,
&remain)))
kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
}
- /* This is the remote_subkey */
+ /* This is the recv_subkey */
if (!kret) {
if (tag == TOKEN_RSKBLOCK) {
kret = krb5_internalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer *)
&auth_context->
- remote_subkey,
+ recv_subkey,
&bp,
&remain);
}
unsigned long uid = geteuid();
#endif
+ if (piece == NULL)
+ return ENOMEM;
+
rcache = (krb5_rcache) malloc(sizeof(*rcache));
if (!rcache)
return ENOMEM;
len = piece->length + 3 + 1;
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '\\')
+ if (piece->data[i] == '-')
len++;
else if (!isvalidrcname((int) piece->data[i]))
len += 3;
strcpy(cachename, "rc_");
p = 3;
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '\\') {
- cachename[p++] = '\\';
- cachename[p++] = '\\';
+ if (piece->data[i] == '-') {
+ cachename[p++] = '-';
+ cachename[p++] = '-';
continue;
}
if (!isvalidrcname((int) piece->data[i])) {
sprintf(tmp, "%03o", piece->data[i]);
- cachename[p++] = '\\';
+ cachename[p++] = '-';
cachename[p++] = tmp[0];
cachename[p++] = tmp[1];
cachename[p++] = tmp[2];
*q++ = COMPONENT_SEP;
}
- q--; /* Back up last component separator */
+ if (i > 0)
+ q--; /* Back up last component separator */
*q++ = REALM_SEP;
cp = krb5_princ_realm(context, principal)->data;
--- /dev/null
+/*
+ * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#include "k5-int.h"
+
+/*
+ * Only lifetime bytes values less than 128 are on a linear scale.
+ * The following table contains an exponential scale that covers the
+ * lifetime values 128 to 191 inclusive (a total of 64 values).
+ * Values greater than 191 get interpreted the same as 191, but they
+ * will never be generated by the functions in this file.
+ *
+ * The ratio is approximately 1.069144898 (actually exactly
+ * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
+ * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
+ * 191 to correspond to a ticket life of exactly 30 days and a
+ * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
+ * the other values spread on an exponential curve fit in between
+ * them. This table should correspond exactly to the set of extended
+ * ticket lifetime values used by AFS and CMU.
+ *
+ * The following awk script is sufficient to reproduce the table:
+ * BEGIN {
+ * r = exp(log(2592000/38400)/63);
+ * x = 38400;
+ * for (i=0;i<64;i++) {
+ * printf("%d\n",x+0.5);
+ * x *= r;
+ * }
+ * }
+ */
+#ifndef SHORT_LIFETIME
+#define NLIFETIMES 64
+static const krb5_int32 lifetimes[NLIFETIMES] = {
+ 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
+ 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
+ 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
+ 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
+ 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
+ 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
+ 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
+ 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
+ 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
+ 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
+ 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
+ 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
+ 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
+ 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
+ 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
+ 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
+ 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
+ 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
+ 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
+ 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
+ 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
+ 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
+ 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
+ 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
+ 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
+ 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
+ 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
+ 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
+ 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
+ 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
+ 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
+ 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
+};
+#define MINFIXED 0x80
+#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
+#endif /* !SHORT_LIFETIME */
+
+/*
+ * krb_life_to_time
+ *
+ * Given a start date and a lifetime byte, compute the expiration
+ * date.
+ */
+krb5_int32
+krb5int_krb_life_to_time(krb5_int32 start, int life)
+{
+ if (life < 0 || life > 255) /* possibly sign botch in caller */
+ return start;
+#ifndef SHORT_LIFETIME
+ if (life < MINFIXED)
+ return start + life * 5 * 60;
+ if (life > MAXFIXED)
+ return start + lifetimes[NLIFETIMES - 1];
+ return start + lifetimes[life - MINFIXED];
+#else /* SHORT_LIFETIME */
+ return start + life * 5 * 60;
+#endif /* SHORT_LIFETIME */
+}
+
+/*
+ * krb_time_to_life
+ *
+ * Given the start date and the end date, compute the lifetime byte.
+ * Round up, since we can adjust the start date backwards if we are
+ * issuing the ticket to cause it to expire at the correct time.
+ */
+int
+krb5int_krb_time_to_life(krb5_int32 start, krb5_int32 end)
+{
+ krb5_int32 dt;
+#ifndef SHORT_LIFETIME
+ int i;
+#endif
+
+ dt = end - start;
+ if (dt <= 0)
+ return 0;
+#ifndef SHORT_LIFETIME
+ if (dt < lifetimes[0])
+ return (dt + 5 * 60 - 1) / (5 * 60);
+ /* This depends on the array being ordered. */
+ for (i = 0; i < NLIFETIMES; i++) {
+ if (lifetimes[i] >= dt)
+ return i + MINFIXED;
+ }
+ return MAXFIXED;
+#else /* SHORT_LIFETIME */
+ if (dt > 5 * 60 * 255)
+ return 255;
+ else
+ return (dt + 5 * 60 - 1) / (5 * 60);
+#endif /* SHORT_LIFETIME */
+}
read_pwd.c
realm_dom.c
ref_std_conf.out
+send524.c
sendto_kdc.c
sn2princ.c
timeofday.c
+2003-07-25 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (krb5_locate_kdc): Always pass 0 to locate_server
+ as the get_masters argument. Instead, if get_masters is set,
+ look up "master_kdc" in the config file instead of "kdc".
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * toffset.c: Export and krb5_set_real_time for Samba.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (struct srv_dns_entry): Moved to k5-int.h.
+ (krb5int_make_srv_query_realm): Renamed from make_srv_query_realm.
+ (krb5int_free_srv_dns_data): New function.
+ (krb5_locate_srv_dns_1): Use it.
+
+ * accessor.c (krb5int_accessor): Fill in make_srv_query_realm and
+ free_srv_dns_data fields.
+
+2003-06-05 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (make_srv_query_realm): Punt if strdup fails.
+ Always return what data we can, even if memory allocation or other
+ problems prevent us from returning more.
+ (krb5_locate_srv_dns_1): Always return what data we can. Fix
+ memory leak. Free up temporary storage as quickly as possible,
+ while building up address list to return.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * accessor.c (krb5int_accessor): Initialize restored locate_server
+ field.
+
+ * locate_kdc.c (struct srv_dns_entry): Move to top level.
+ (make_srv_query_realm): Separate from krb5_locate_srv_dns_1; just
+ do query and return results.
+ (krb5_locate_srv_dns_1): Call it, and build addlist entries.
+ Check for one RR with a target of ".", and return an error.
+ (krb5_locate_srv_dns): Deleted.
+
+ * t_locate_kdc.c (main): Call krb5_locate_srv_dns_1.
+
+ * changepw.c (krb5_locate_kpasswd): Check specifically for certain
+ errors before using fallback heuristics.
+
+2003-06-03 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Included header to get __KLAllowHomeDirectoryAccess().
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * send524.c (krb5int_524_sendto_kdc): Enable support on Windows
+ always.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * send524.c: New file, moved from krb524/sendmsg.c. Rename
+ function to have krb5int_ prefix. If KRB5_KRB4_COMPAT not
+ defined, return an error.
+ * accessor.c (krb5int_accessor): Update for deleted and added
+ fields. If KRB5_KRB4_COMPAT is not defined, just use null
+ pointers for the new fields.
+
+2003-05-06 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Added support for KLL's __KLAllowHomeDirectoryAccess()
+ function so that krb4, krb5 and gssapi will not access the user's homedir
+ if the application forbids it.
+
+2003-04-28 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Locate server in realm of
+ creds.server, not in realm of target principal because target
+ principal is null in the changepw case.
+
+2003-04-27 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Call
+ krb5_setpw_result_code_string not krb5_setpw_result_code_string
+
+2003-04-24 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): return error from
+ auth_con_setaddrs not last socket errno if auth_con_setaddrs fails
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Patches from Paul Nelson
+ to implement Microsoft set password protocol
+ (krb5_set_password_using_ccache): Use kadmin/changepw in target realm, not local realm and use a two-component principal
+ (krb5_change_set_password): Find the kpasswd server for the realm
+ of the target principal not the client
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * read_pwd.c (krb5_read_password): Always free temporary storage
+ used for verification version of password.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* c_ustime.c: Removed Mac OS 9 code.
read_pwd.o \
realm_dom.o \
realm_iter.o \
+ send524.o \
sendto_kdc.o \
sn2princ.o \
timeofday.o \
$(OUTPRE)read_pwd.$(OBJEXT) \
$(OUTPRE)realm_dom.$(OBJEXT) \
$(OUTPRE)realm_iter.$(OBJEXT) \
+ $(OUTPRE)send524.$(OBJEXT) \
$(OUTPRE)sendto_kdc.$(OBJEXT) \
$(OUTPRE)sn2princ.$(OBJEXT) \
$(OUTPRE)timeofday.$(OBJEXT) \
$(srcdir)/realm_dom.c \
$(srcdir)/realm_iter.c \
$(srcdir)/port2ip.c \
+ $(srcdir)/send524.c \
$(srcdir)/sendto_kdc.c \
$(srcdir)/sn2princ.c \
$(srcdir)/timeofday.c \
#
accessor.so accessor.po $(OUTPRE)accessor.$(OBJEXT): accessor.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
an_to_ln.so an_to_ln.po $(OUTPRE)an_to_ln.$(OBJEXT): an_to_ln.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
c_ustime.so c_ustime.po $(OUTPRE)c_ustime.$(OBJEXT): c_ustime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
def_realm.so def_realm.po $(OUTPRE)def_realm.$(OBJEXT): def_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
ccdefname.so ccdefname.po $(OUTPRE)ccdefname.$(OBJEXT): ccdefname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
changepw.so changepw.po $(OUTPRE)changepw.$(OBJEXT): changepw.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/kdb.h \
os-proto.h
free_krbhs.so free_krbhs.po $(OUTPRE)free_krbhs.$(OBJEXT): free_krbhs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
free_hstrl.so free_hstrl.po $(OUTPRE)free_hstrl.$(OBJEXT): free_hstrl.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
full_ipadr.so full_ipadr.po $(OUTPRE)full_ipadr.$(OBJEXT): full_ipadr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
get_krbhst.so get_krbhst.po $(OUTPRE)get_krbhst.$(OBJEXT): get_krbhst.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
gen_port.so gen_port.po $(OUTPRE)gen_port.$(OBJEXT): gen_port.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
genaddrs.so genaddrs.po $(OUTPRE)genaddrs.$(OBJEXT): genaddrs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
gen_rname.so gen_rname.po $(OUTPRE)gen_rname.$(OBJEXT): gen_rname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
gmt_mktime.so gmt_mktime.po $(OUTPRE)gmt_mktime.$(OBJEXT): gmt_mktime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
hostaddr.so hostaddr.po $(OUTPRE)hostaddr.$(OBJEXT): hostaddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/fake-addrinfo.h
hst_realm.so hst_realm.po $(OUTPRE)hst_realm.$(OBJEXT): hst_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h $(SRCTOP)/include/fake-addrinfo.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h $(SRCTOP)/include/fake-addrinfo.h
init_os_ctx.so init_os_ctx.po $(OUTPRE)init_os_ctx.$(OBJEXT): init_os_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
krbfileio.so krbfileio.po $(OUTPRE)krbfileio.$(OBJEXT): krbfileio.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ktdefname.so ktdefname.po $(OUTPRE)ktdefname.$(OBJEXT): ktdefname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): kuserok.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
mk_faddr.so mk_faddr.po $(OUTPRE)mk_faddr.$(OBJEXT): mk_faddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
localaddr.so localaddr.po $(OUTPRE)localaddr.$(OBJEXT): localaddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/foreachaddr.c
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/foreachaddr.c
locate_kdc.so locate_kdc.po $(OUTPRE)locate_kdc.$(OBJEXT): locate_kdc.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/kdb.h \
os-proto.h
lock_file.so lock_file.po $(OUTPRE)lock_file.$(OBJEXT): lock_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
net_read.so net_read.po $(OUTPRE)net_read.$(OBJEXT): net_read.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
net_write.so net_write.po $(OUTPRE)net_write.$(OBJEXT): net_write.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
osconfig.so osconfig.po $(OUTPRE)osconfig.$(OBJEXT): osconfig.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
prompter.so prompter.po $(OUTPRE)prompter.$(OBJEXT): prompter.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
promptusr.so promptusr.po $(OUTPRE)promptusr.$(OBJEXT): promptusr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
read_msg.so read_msg.po $(OUTPRE)read_msg.$(OBJEXT): read_msg.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
read_pwd.so read_pwd.po $(OUTPRE)read_pwd.$(OBJEXT): read_pwd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
realm_dom.so realm_dom.po $(OUTPRE)realm_dom.$(OBJEXT): realm_dom.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
realm_iter.so realm_iter.po $(OUTPRE)realm_iter.$(OBJEXT): realm_iter.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
port2ip.so port2ip.po $(OUTPRE)port2ip.$(OBJEXT): port2ip.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
+send524.so send524.po $(OUTPRE)send524.$(OBJEXT): send524.c $(SRCTOP)/include/fake-addrinfo.h \
+ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/kdb.h \
+ os-proto.h
sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): sendto_kdc.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/kdb.h \
os-proto.h $(SRCTOP)/include/cm.h
sn2princ.so sn2princ.po $(OUTPRE)sn2princ.$(OBJEXT): sn2princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/fake-addrinfo.h
timeofday.so timeofday.po $(OUTPRE)timeofday.$(OBJEXT): timeofday.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
toffset.so toffset.po $(OUTPRE)toffset.$(OBJEXT): toffset.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
unlck_file.so unlck_file.po $(OUTPRE)unlck_file.$(OBJEXT): unlck_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ustime.so ustime.po $(OUTPRE)ustime.$(OBJEXT): ustime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
write_msg.so write_msg.po $(OUTPRE)write_msg.$(OBJEXT): write_msg.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
if (version == KRB5INT_ACCESS_VERSION)
{
krb5int_access internals_temp;
- internals_temp.krb5_locate_server = krb5int_locate_server;
- internals_temp.krb5_locate_kdc = krb5_locate_kdc;
internals_temp.free_addrlist = krb5int_free_addrlist;
- internals_temp.krb5_max_skdc_timeout = krb5_max_skdc_timeout;
- internals_temp.krb5_skdc_timeout_shift = krb5_skdc_timeout_shift;
- internals_temp.krb5_skdc_timeout_1 = krb5_skdc_timeout_1;
- internals_temp.krb5_max_dgram_size = krb5_max_dgram_size;
internals_temp.krb5_hmac = krb5_hmac;
internals_temp.md5_hash_provider = &krb5int_hash_md5;
internals_temp.arcfour_enc_provider = &krb5int_enc_arcfour;
+ internals_temp.locate_server = &krb5int_locate_server;
internals_temp.sendto_udp = &krb5int_sendto;
internals_temp.add_host_to_list = krb5int_add_host_to_list;
+#ifdef KRB5_DNS_LOOKUP
+ internals_temp.make_srv_query_realm = krb5int_make_srv_query_realm;
+ internals_temp.free_srv_dns_data = krb5int_free_srv_dns_data;
+#else
+ internals_temp.make_srv_query_realm = 0;
+ internals_temp.free_srv_dns_data = 0;
+#endif
+#ifdef KRB5_KRB4_COMPAT
+ internals_temp.krb_life_to_time = krb5int_krb_life_to_time;
+ internals_temp.krb_time_to_life = krb5int_krb_time_to_life;
+ internals_temp.krb524_encode_v4tkt = krb5int_encode_v4tkt;
+#else
+ internals_temp.krb_life_to_time = 0;
+ internals_temp.krb_time_to_life = 0;
+ internals_temp.krb524_encode_v4tkt = 0;
+#endif
*internals = internals_temp;
return 0;
}
* or implied warranty.
*
*/
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ * Added by Paul W. Nelson, Thursby Software Systems, Inc.
+ */
#define NEED_SOCKETS
#include "fake-addrinfo.h"
code = krb5int_locate_server (context, realm, addrlist, 0,
"kpasswd_server", "_kpasswd", 0,
DEFAULT_KPASSWD_PORT, 0, 0);
- if (code) {
+ if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist, 0,
"admin_server", "_kerberos-adm", 1,
DEFAULT_KPASSWD_PORT, 0, 0);
}
+/*
+** The logic for setting and changing a password is mostly the same
+** krb5_change_set_password handles both cases
+** if set_password_for is NULL, then a password change is performed,
+** otherwise, the password is set for the principal indicated in set_password_for
+*/
krb5_error_code KRB5_CALLCONV
-krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+krb5_change_set_password(
+ krb5_context context, krb5_creds *creds, char *newpw, krb5_principal set_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string)
{
krb5_auth_context auth_context;
krb5_data ap_req, chpw_req, chpw_rep;
goto cleanup;
if ((code = krb5_locate_kpasswd(context,
- krb5_princ_realm(context, creds->client),
+ krb5_princ_realm(context, creds->server),
&al)))
goto cleanup;
if ((code = krb5_auth_con_setaddrs(context, auth_context,
&local_kaddr, NULL))) {
- code = SOCKET_ERRNO;
- goto cleanup;
+ goto cleanup;
}
- if ((code = krb5_mk_chpw_req(context, auth_context, &ap_req,
- newpw, &chpw_req)))
+ if( set_password_for )
+ code = krb5int_mk_setpw_req(context, auth_context, &ap_req, set_password_for, newpw, &chpw_req);
+ else
+ code = krb5int_mk_chpw_req(context, auth_context, &ap_req, newpw, &chpw_req);
+ if (code)
{
- code = SOCKET_ERRNO;
goto cleanup;
}
NULL, &remote_kaddr)))
goto cleanup;
- if ((code = krb5_rd_chpw_rep(context, auth_context, &chpw_rep,
- &local_result_code,
- result_string)))
- goto cleanup;
+ if( set_password_for )
+ code = krb5int_rd_setpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ else
+ code = krb5int_rd_chpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ if (code)
+ goto cleanup;
if (result_code)
*result_code = local_result_code;
if (result_code_string) {
- if ((code = krb5_chpw_result_code_string(context,
- local_result_code,
- &code_string)))
- goto cleanup;
+ if( set_password_for )
+ code = krb5int_setpw_result_code_string(context, local_result_code, (const char **)&code_string);
+ else
+ code = krb5_chpw_result_code_string(context, local_result_code, &code_string);
+ if(code)
+ goto cleanup;
result_code_string->length = strlen(code_string);
result_code_string->data = malloc(result_code_string->length);
return(code);
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+{
+ return krb5_change_set_password(
+ context, creds, newpw, NULL, result_code, result_code_string, result_string );
+}
+
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ *
+ */
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password(
+ krb5_context context,
+ krb5_creds *creds,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ return krb5_change_set_password(
+ context, creds, newpw, change_password_for, result_code, result_code_string, result_string );
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache(
+ krb5_context context,
+ krb5_ccache ccache,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ krb5_creds creds;
+ krb5_creds *credsp;
+ krb5_error_code code;
+
+/*
+** get the proper creds for use with krb5_set_password -
+*/
+ memset( &creds, 0, sizeof(creds) );
+/*
+** first get the principal for the password service -
+*/
+ code = krb5_cc_get_principal( context, ccache, &creds.client );
+ if( !code )
+ {
+ code = krb5_build_principal( context, &creds.server,
+ krb5_princ_realm(context, change_password_for)->length,
+ krb5_princ_realm(context, change_password_for)->data,
+ "kadmin", "changepw", NULL );
+ if(!code)
+ {
+ code = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
+ if( ! code )
+ {
+ code = krb5_set_password(context, credsp, newpw, change_password_for,
+ result_code, result_code_string,
+ result_string);
+ krb5_free_creds(context, credsp);
+ }
+ }
+ krb5_free_cred_contents(context, &creds);
+ }
+ return code;
+}
#include "k5-int.h"
#include "os-proto.h"
+#ifdef USE_LOGIN_LIBRARY
+#include "KerberosLoginPrivate.h"
+#endif
+
#if defined(_WIN32)
static krb5_error_code
unsigned int ent_len;
const char *s, *t;
+#ifdef USE_LOGIN_LIBRARY
+ /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably
+ trying to authenticate to a fileserver for the user's homedir. */
+ if (secure || !__KLAllowHomeDirectoryAccess ()) {
+#else
if (secure) {
- filepath = DEFAULT_SECURE_PROFILE_PATH;
+#endif
+ filepath = DEFAULT_SECURE_PROFILE_PATH;
} else {
filepath = getenv("KRB5_CONFIG");
if (!filepath) filepath = DEFAULT_PROFILE_PATH;
* Lookup a KDC via DNS SRV records
*/
-static krb5_error_code
-krb5_locate_srv_dns_1 (const krb5_data *realm,
- const char *service,
- const char *protocol,
- struct addrlist *addrlist,
- int family)
+void krb5int_free_srv_dns_data (struct srv_dns_entry *p)
+{
+ struct srv_dns_entry *next;
+ while (p) {
+ next = p->next;
+ free(p->host);
+ free(p);
+ p = next;
+ }
+}
+
+/* Do DNS SRV query, return results in *answers.
+
+ Make best effort to return all the data we can. On memory or
+ decoding errors, just return what we've got. Always return 0,
+ currently. */
+#define make_srv_query_realm krb5int_make_srv_query_realm
+
+krb5_error_code
+krb5int_make_srv_query_realm(const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers)
{
union {
unsigned char bytes[2048];
int priority, weight, size, len, numanswers, numqueries, rdlen;
unsigned short port;
const int hdrsize = sizeof(HEADER);
- struct srv_dns_entry {
- struct srv_dns_entry *next;
- int priority;
- int weight;
- unsigned short port;
- char *host;
- };
struct srv_dns_entry *head = NULL;
struct srv_dns_entry *srv = NULL, *entry = NULL;
- krb5_error_code code = 0;
/*
* First off, build a query of the form:
*
*/
+ if (memchr(realm->data, 0, realm->length))
+ return 0;
if ( strlen(service) + strlen(protocol) + realm->length + 6
> MAX_DNS_NAMELEN )
- goto out;
+ return 0;
sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length,
realm->data);
the local domain or domain search lists to be expanded. */
h = host + strlen (host);
- if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
+ if ((h[-1] != '.') && ((h - host + 1) < sizeof(host)))
strcpy (h, ".");
#ifdef TEST
srv->weight = weight;
srv->port = port;
srv->host = strdup(host);
+ if (srv->host == NULL) {
+ free(srv);
+ goto out;
+ }
if (head == NULL || head->priority > srv->priority) {
srv->next = head;
INCR_CHECK(p, rdlen);
}
+ out:
+ *answers = head;
+ return 0;
+}
+
+static krb5_error_code
+krb5_locate_srv_dns_1 (const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct addrlist *addrlist,
+ int family)
+{
+ struct srv_dns_entry *head = NULL;
+ struct srv_dns_entry *entry = NULL, *next;
+ krb5_error_code code = 0;
+
+ code = make_srv_query_realm(realm, service, protocol, &head);
+ if (code)
+ return 0;
+
/*
* Okay! Now we've got a linked list of entries sorted by
* priority. Start looking up A records and returning
*/
if (head == NULL)
- goto out;
+ return 0;
+
+ /* Check for the "." case indicating no support. */
+ if (head->next == 0 && head->host[0] == 0) {
+ free(head->host);
+ free(head);
+ return KRB5_ERR_NO_SERVICE;
+ }
#ifdef TEST
fprintf (stderr, "walking answer list:\n");
#endif
- for (entry = head; entry != NULL; entry = entry->next) {
+ for (entry = head; entry != NULL; entry = next) {
#ifdef TEST
fprintf (stderr, "\tport=%d host=%s\n", entry->port, entry->host);
#endif
+ next = entry->next;
code = add_host_to_list (addrlist, entry->host, htons (entry->port), 0,
(strcmp("_tcp", protocol)
? SOCK_DGRAM
: SOCK_STREAM), family);
if (code)
break;
+ if (entry == head) {
+ free(entry->host);
+ free(entry);
+ head = next;
+ entry = 0;
+ }
}
#ifdef TEST
fprintf (stderr, "[end]\n");
#endif
- for (entry = head; entry != NULL; ) {
- free(entry->host);
- entry->host = NULL;
- srv = entry;
- entry = entry->next;
- free(srv);
- srv = NULL;
- }
-
- out:
- if (srv)
- free(srv);
-
+ krb5int_free_srv_dns_data(head);
return code;
}
-
-#ifdef TEST
-static krb5_error_code
-krb5_locate_srv_dns(const krb5_data *realm,
- const char *service, const char *protocol,
- struct addrlist *al)
-{
- return krb5_locate_srv_dns_1 (realm, service, protocol, al, 0);
-}
-#endif
#endif /* KRB5_DNS_LOOKUP */
/*
sec_udpport = 0;
}
- return krb5int_locate_server(context, realm, addrlist, get_masters, "kdc",
+ return krb5int_locate_server(context, realm, addrlist, 0,
+ get_masters ? "master_kdc" : "kdc",
(get_masters
? "_kerberos-master"
: "_kerberos"),
return ENOMEM;
retval = krb5_prompter_posix(NULL,
NULL,NULL, NULL, 1, &k5prompt);
- if (retval) {
- free(verify_data.data);
- } else {
+ if (retval == 0) {
/* compare */
- if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) {
+ if (strncmp(return_pwd, (char *)verify_data.data, *size_return))
retval = KRB5_LIBOS_BADPWDMATCH;
- free(verify_data.data);
- }
}
+ free(verify_data.data);
}
if (!retval)
*size_return = k5prompt.reply->length;
#include <stdlib.h>
#include <string.h>
-#include <krb.h>
-#include "krb524.h"
+#include "os-proto.h"
/*
* krb524_sendto_kdc:
*/
krb5_error_code
-krb524_sendto_kdc (context, message, realm, reply, addr, addrlen)
+krb5int_524_sendto_kdc (context, message, realm, reply, addr, addrlen)
krb5_context context;
const krb5_data * message;
const krb5_data * realm;
struct sockaddr *addr;
socklen_t *addrlen;
{
+#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck! */
int i;
struct addrlist al = ADDRLIST_INIT;
struct servent *serv;
krb5_error_code retval;
- krb5int_access internals;
int port;
- retval = krb5int_accessor(&internals, KRB5INT_ACCESS_VERSION);
- if (retval)
- return retval;
/*
* find KDC location(s) for realm
*/
serv = getservbyname(KRB524_SERVICE, "udp");
port = serv ? serv->s_port : htons (KRB524_PORT);
- retval = internals.krb5_locate_server(context, realm, &al, 0,
- "krb524_server", "_krb524",
- SOCK_DGRAM, port,
- 0, PF_INET);
+ retval = krb5int_locate_server(context, realm, &al, 0,
+ "krb524_server", "_krb524",
+ SOCK_DGRAM, port,
+ 0, PF_INET);
if (retval == KRB5_REALM_CANT_RESOLVE || retval == KRB5_REALM_UNKNOWN) {
/* Fallback heuristic: Assume krb524 port on every KDC might
work. */
- retval = internals.krb5_locate_kdc(context, realm, &al, 0,
- SOCK_DGRAM, PF_INET);
+ retval = krb5_locate_kdc(context, realm, &al, 0, SOCK_DGRAM, PF_INET);
/*
* Bash the ports numbers.
*/
if (al.naddrs == 0)
return KRB5_REALM_UNKNOWN;
- retval = internals.sendto_udp (context, message, &al, reply, addr,
- addrlen);
- internals.free_addrlist (&al);
+ retval = krb5int_sendto (context, message, &al, reply, addr, addrlen);
+ krb5int_free_addrlist (&al);
return retval;
+#else
+ return KRB524_KRB4_DISABLED;
+#endif
}
break;
case LOOKUP_DNS:
- err = krb5_locate_srv_dns (&realm, "_kerberos", "_udp", &al);
+ err = krb5_locate_srv_dns_1 (&realm, "_kerberos", "_udp", &al, 0);
break;
case LOOKUP_WHATEVER:
* between the system time and the "real time" as passed to this
* routine
*/
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_set_real_time(krb5_context context, krb5_int32 seconds, krb5_int32 microseconds)
{
krb5_os_context os_ctx = context->os_context;
#
rc_base.so rc_base.po $(OUTPRE)rc_base.$(OBJEXT): rc_base.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
rc_dfl.so rc_dfl.po $(OUTPRE)rc_dfl.$(OBJEXT): rc_dfl.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rc_dfl.h rc_io.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h rc_dfl.h rc_io.h
rc_io.so rc_io.po $(OUTPRE)rc_io.$(OBJEXT): rc_io.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
rc_dfl.h rc_io.h
rcdef.so rcdef.po $(OUTPRE)rcdef.$(OBJEXT): rcdef.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rc_dfl.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h rc_dfl.h
rc_conv.so rc_conv.po $(OUTPRE)rc_conv.$(OBJEXT): rc_conv.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
ser_rc.so ser_rc.po $(OUTPRE)ser_rc.$(OBJEXT): ser_rc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
rcfns.so rcfns.po $(OUTPRE)rcfns.$(OBJEXT): rcfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
krb5_auth_con_getlocalseqnumber
krb5_auth_con_getlocalsubkey
krb5_auth_con_getrcache ; KRB5_CALLCONV_WRONG
+ krb5_auth_con_getrecvsubkey
krb5_auth_con_getremoteseqnumber
krb5_auth_con_getremotesubkey
+ krb5_auth_con_getsendsubkey
krb5_auth_con_init
krb5_auth_con_initivector ; DEPRECATED
krb5_auth_con_setaddrs ; KRB5_CALLCONV_WRONG
krb5_auth_con_setflags
krb5_auth_con_setports
krb5_auth_con_setrcache
+ krb5_auth_con_setrecvsubkey
+ krb5_auth_con_setsendsubkey
krb5_auth_con_setuseruserkey
krb5_build_principal
krb5_build_principal_ext
krb5_c_random_make_octets
krb5_c_random_seed
krb5_c_string_to_key
+krb5_c_string_to_key_with_params
krb5_c_valid_cksumtype
krb5_c_valid_enctype
krb5_c_verify_checksum
krb5_get_init_creds_opt_set_salt
krb5_get_init_creds_opt_set_tkt_life
krb5_get_init_creds_password
+ krb5_get_permitted_enctypes
krb5_get_prompt_types
krb5_get_renewed_creds
krb5_get_server_rcache
krb5_os_localaddr
krb5_parse_name
krb5_principal_compare
+ krb5_principal2salt
krb5_process_key
krb5_prompter_posix
krb5_random_key
krb5_sendauth
krb5_set_default_realm
krb5_set_default_tgs_enctypes
+krb5_set_password
+krb5_set_password_using_ccache
krb5_set_principal_realm
+ krb5_set_real_time
krb5_sname_to_principal
krb5_string_to_cksumtype
krb5_string_to_deltat
krb5_verify_init_creds_opt_init
krb5_verify_init_creds_opt_set_ap_req_nofail
+ krb5_524_convert_creds
+; Don't add krb524_convert_creds_kdc or krb524_init_ets here;
+; they've never been exported by this library, and are deprecated. -KR
+
krb5int_accessor ; INTERNAL (to end all internals)
; To Add (exported on Mac OS X):
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * bindresvport.c: Include errno.h.
+ (gssrpc_bindresvport): Don't declare errno.
+ * clnt_tcp.c: Don't declare errno.
+ * svc.c: Don't declare errno. Include errno.h.
+
+2003-03-24 Tom Yu <tlyu@mit.edu>
+
+ * xdr_mem.c (xdrmem_create): Perform some additional size checks.
+ (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes): Check x_handy
+ prior to decrementing it.
+
2003-01-12 Ezra Peisach <epeisach@bu.edu>
* svc_auth_gssapi.c (_svcauth_gssapi_unset_names): If invoked more
#include <sys/socket.h>
#include <netinet/in.h>
#include <gssrpc/rpc.h>
+#include <errno.h>
/*
* Bind a socket to a privileged IP port
int res;
static short port;
struct sockaddr_in myaddr;
- extern int errno;
int i;
#define STARTPORT 600
#define MCALL_MSG_SIZE 24
-extern int errno;
-
static enum clnt_stat clnttcp_call(CLIENT *, rpc_u_int32, xdrproc_t, void *,
xdrproc_t, void *, struct timeval);
static void clnttcp_abort(CLIENT *);
#include <gssrpc/pmap_clnt.h>
#include <stdio.h>
#include <string.h>
-
-extern int errno;
+#include <errno.h>
#ifdef FD_SETSIZE
static SVCXPRT **xports;
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
+#include <limits.h>
static bool_t xdrmem_getlong(XDR *, long *);
static bool_t xdrmem_putlong(XDR *, long *);
xdrs->x_op = op;
xdrs->x_ops = &xdrmem_ops;
xdrs->x_private = xdrs->x_base = addr;
- xdrs->x_handy = size;
+ xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
}
static void
long *lp;
{
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
*lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private)));
xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
return (TRUE);
long *lp;
{
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
*(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp));
xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
return (TRUE);
register unsigned int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memmove(addr, xdrs->x_private, len);
xdrs->x_private = (char *)xdrs->x_private + len;
return (TRUE);
register unsigned int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memmove(xdrs->x_private, addr, len);
xdrs->x_private = (char *)xdrs->x_private + len;
return (TRUE);
{
rpc_int32 *buf = 0;
- if (xdrs->x_handy >= len) {
+ if (len >= 0 && xdrs->x_handy >= len) {
xdrs->x_handy -= len;
buf = (rpc_int32 *) xdrs->x_private;
xdrs->x_private = (char *)xdrs->x_private + len;
#define KRB4_USE_KEYTAB 1
#define KRB5 1
#define KRB524_PRIVATE 1
-#define KRB5_DNS_LOOKUP 0
-#define KRB5_DNS_LOOKUP_KDC 0
+#define KRB5_DNS_LOOKUP 1
+#define KRB5_DNS_LOOKUP_KDC 1
#define KRB5_KRB4_COMPAT 1
#define KRB5_PRIVATE 1
#define krb5_sigtype void
_krb5_c_random_make_octets
_krb5_c_random_seed
#
-# Will be added for 1.3
-# _krb5_c_random_os_entropy
-# _krb5_c_random_add_entropy
-# _krb5_c_init_state
-# _krb5_c_free_state
+# Added for 1.3
+ _krb5_c_random_os_entropy
+ _krb5_c_random_add_entropy
+ _krb5_c_init_state
+ _krb5_c_free_state
#
_krb5_c_string_to_key
+ _krb5_c_string_to_key_with_params
_krb5_c_enctype_compare
_krb5_c_make_checksum
_krb5_c_verify_checksum
_krb5_auth_con_getremotesubkey
_krb5_auth_con_getlocalseqnumber
_krb5_auth_con_getremoteseqnumber
+ _krb5_auth_con_getrecvsubkey
+ _krb5_auth_con_getsendsubkey
+ _krb5_auth_con_setrecvsubkey
+ _krb5_auth_con_setsendsubkey
_krb5_auth_con_setrcache
_krb5_auth_con_getrcache
_krb5_auth_con_getauthenticator
_krb5_verify_init_creds_opt_set_ap_req_nofail
#
_krb5_set_default_tgs_enctypes
+ _krb5_get_permitted_enctypes
#
_krb5_free_tgt_creds
#
_krb5_free_default_realm
#
_krb5_sname_to_principal
- _krb5_principal2salt
+ _krb5_principal2salt
_krb5_change_password
+#
+ _krb5_set_password
+ _krb5_set_password_using_ccache
#
_krb5_get_profile
#
_krb5_kuserok
#
_krb5_get_time_offsets
+ _krb5_set_real_time
#
_krb5_string_to_cksumtype
_krb5_cksumtype_to_string
_krb5_appdefault_boolean
#
_krb524_convert_creds_kdc
+ _krb5_524_convert_creds
#
#
# DEPRECATED:
A12537FE040C080B003D8244,
A1253803040C0D3E003D8244,
A12537EB040C0795003D8244,
- A12537EC040C0795003D8244,
- A12537ED040C0795003D8244,
A12537EE040C0795003D8244,
);
isa = PBXGroup;
path = krb5.h;
refType = 4;
};
- A12537EC040C0795003D8244 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524.h;
- refType = 4;
- };
- A12537ED040C0795003D8244 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524_err.h;
- refType = 4;
- };
A12537EE040C0795003D8244 = {
fileEncoding = 30;
isa = PBXFileReference;
A12537F3040C0795003D8244,
A12537F4040C0795003D8244,
A12537F5040C0795003D8244,
- A12537F6040C0795003D8244,
- A12537F7040C0795003D8244,
A12537F8040C0795003D8244,
A12537F9040C0795003D8244,
);
path = krb5.h;
refType = 4;
};
- A12537F6040C0795003D8244 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524.h;
- refType = 4;
- };
- A12537F7040C0795003D8244 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524_err.h;
- refType = 4;
- };
A12537F8040C0795003D8244 = {
fileEncoding = 30;
isa = PBXFileReference;
settings = {
};
};
+ A16DA36604854EF700120112 = {
+ fileEncoding = 30;
+ isa = PBXFileReference;
+ path = conv_creds.c;
+ refType = 4;
+ };
+ A16DA36704854EF700120112 = {
+ fileEncoding = 30;
+ isa = PBXFileReference;
+ path = v4lifetime.c;
+ refType = 4;
+ };
+ A16DA36804854EF700120112 = {
+ fileRef = A16DA36604854EF700120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ A16DA36904854EF700120112 = {
+ fileRef = A16DA36704854EF700120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ A16DA36A0485503F00120112 = {
+ fileEncoding = 30;
+ isa = PBXFileReference;
+ path = krb524_err.et;
+ refType = 4;
+ };
+ A16DB01304868A7E00120112 = {
+ fileEncoding = 30;
+ isa = PBXFileReference;
+ path = send524.c;
+ refType = 4;
+ };
+ A16DB01404868A7E00120112 = {
+ fileRef = A16DB01304868A7E00120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
A198BBE10406D04A00120114 = {
children = (
A198BBE60406D04A00120114,
settings = {
};
};
+ A1BBFF1604226DBD00120114 = {
+ fileEncoding = 30;
+ isa = PBXFileReference;
+ path = configure.in;
+ refType = 4;
+ };
A1CA6042040F24850013F915 = {
fileRef = F517325103F1B65901120114;
isa = PBXBuildFile;
F5E59C0F03FD95CF01120114,
F51730DE03F1B65801120114,
A12536B3040BEC05003D8244,
- F517320A03F1B65901120114,
F517322103F1B65901120114,
A198BBE10406D04A00120114,
F51736C803F1B65B01120114,
children = (
F51730E203F1B65801120114,
F51730E303F1B65801120114,
+ A1BBFF1604226DBD00120114,
F51730E503F1B65801120114,
F51730E603F1B65801120114,
F51730E703F1B65801120114,
F51730FF03F1B65801120114,
F517310003F1B65801120114,
F517310103F1B65801120114,
- F517310203F1B65801120114,
F517310303F1B65801120114,
F517310403F1B65801120114,
F517310503F1B65801120114,
F517310603F1B65801120114,
- F517310703F1B65801120114,
F517310803F1B65801120114,
F517310903F1B65801120114,
F517310A03F1B65801120114,
path = adm_proto.h;
refType = 4;
};
- F517310203F1B65801120114 = {
- children = (
- );
- isa = PBXGroup;
- path = asn.1;
- refType = 4;
- };
F517310303F1B65801120114 = {
fileEncoding = 30;
isa = PBXFileReference;
path = kdb_dbc.h;
refType = 4;
};
- F517310703F1B65801120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = kdb_dbm.h;
- refType = 4;
- };
F517310803F1B65801120114 = {
fileEncoding = 30;
isa = PBXFileReference;
path = "win-mac.h";
refType = 4;
};
- F517320A03F1B65901120114 = {
- children = (
- F517320D03F1B65901120114,
- F517320E03F1B65901120114,
- F517320F03F1B65901120114,
- F517321003F1B65901120114,
- F517321103F1B65901120114,
- F517321203F1B65901120114,
- F517321303F1B65901120114,
- F517321403F1B65901120114,
- F517321503F1B65901120114,
- F517321603F1B65901120114,
- F517321703F1B65901120114,
- F517321803F1B65901120114,
- F517321903F1B65901120114,
- F517321A03F1B65901120114,
- F517321B03F1B65901120114,
- F517321C03F1B65901120114,
- F517321D03F1B65901120114,
- F517321E03F1B65901120114,
- F517321F03F1B65901120114,
- F517322003F1B65901120114,
- );
- isa = PBXGroup;
- path = krb524;
- refType = 4;
- };
- F517320D03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = ChangeLog;
- refType = 4;
- };
- F517320E03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = cnv_tkt_skey.c;
- refType = 4;
- };
- F517320F03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = configure.in;
- refType = 4;
- };
- F517321003F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = conv_creds.c;
- refType = 4;
- };
- F517321103F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = conv_princ.c;
- refType = 4;
- };
- F517321203F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = encode.c;
- refType = 4;
- };
- F517321303F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = getcred.c;
- refType = 4;
- };
- F517321403F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = globals.c;
- refType = 4;
- };
- F517321503F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = k524init.c;
- refType = 4;
- };
- F517321603F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524.def;
- refType = 4;
- };
- F517321703F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524.h;
- refType = 4;
- };
- F517321803F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524_err.et;
- refType = 4;
- };
- F517321903F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524_prot;
- refType = 4;
- };
- F517321A03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = krb524d.c;
- refType = 4;
- };
- F517321B03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = libinit.c;
- refType = 4;
- };
- F517321C03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = Makefile.in;
- refType = 4;
- };
- F517321D03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = misc.c;
- refType = 4;
- };
- F517321E03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = README;
- refType = 4;
- };
- F517321F03F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = sendmsg.c;
- refType = 4;
- };
- F517322003F1B65901120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = test.c;
- refType = 4;
- };
F517322103F1B65901120114 = {
children = (
F517322403F1B65901120114,
F51734D203F1B65A01120114,
F51734D303F1B65A01120114,
F51734D403F1B65A01120114,
+ A16DA36A0485503F00120112,
F51734D503F1B65A01120114,
F51734D603F1B65A01120114,
F51734D703F1B65A01120114,
F51734F603F1B65A01120114,
F51734F703F1B65A01120114,
F51734F803F1B65A01120114,
+ A16DA36604854EF700120112,
F51734F903F1B65A01120114,
F51734FA03F1B65A01120114,
F51734FB03F1B65A01120114,
F517351203F1B65A01120114,
F517351303F1B65A01120114,
F517351403F1B65A01120114,
- F517351503F1B65A01120114,
- F517351603F1B65A01120114,
F517351703F1B65A01120114,
F517351803F1B65A01120114,
F517351903F1B65A01120114,
F517354A03F1B65A01120114,
F517354B03F1B65A01120114,
F517354C03F1B65A01120114,
+ A16DA36704854EF700120112,
F517354D03F1B65A01120114,
F517354E03F1B65A01120114,
F517354F03F1B65A01120114,
path = gic_pwd.c;
refType = 4;
};
- F517351503F1B65A01120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = in_tkt_ktb.c;
- refType = 4;
- };
- F517351603F1B65A01120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = in_tkt_pwd.c;
- refType = 4;
- };
F517351703F1B65A01120114 = {
fileEncoding = 30;
isa = PBXFileReference;
F517357C03F1B65A01120114,
F517357D03F1B65A01120114,
F517357E03F1B65A01120114,
+ A16DB01304868A7E00120112,
F517357F03F1B65A01120114,
F517358003F1B65A01120114,
F517358103F1B65A01120114,
settings = {
};
};
- F51738E403F1BA7F01120114 = {
- fileRef = F517310D03F1B65801120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
F51738E503F1BAF701120114 = {
fileRef = F51734DE03F1B65A01120114;
isa = PBXBuildFile;
settings = {
};
};
- F517391603F1BB2901120114 = {
- fileRef = F517351503F1B65A01120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F517391703F1BB2A01120114 = {
- fileRef = F517351603F1B65A01120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
F517391803F1BB2B01120114 = {
fileRef = F517351703F1B65A01120114;
isa = PBXBuildFile;
settings = {
};
};
- F58183510253A2F201120112 = {
- fileRef = F5C2DF200240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F58183520253A2F301120112 = {
- fileRef = F5C2DF210240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
F5C2DF100240F9F601650119 = {
children = (
F5C2DF140240F9F601650119,
path = prof_err.strings;
refType = 4;
};
- F5C2DF2E0240F9F601650119 = {
- fileRef = F5C2DF140240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF2F0240F9F601650119 = {
- fileRef = F5C2DF150240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF340240F9F601650119 = {
- fileRef = F5C2DF1D0240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF350240F9F601650119 = {
- fileRef = F5C2DF1E0240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF380240F9F601650119 = {
- fileRef = F5C2DF230240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF390240F9F601650119 = {
- fileRef = F5C2DF240240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF3A0240F9F601650119 = {
- fileRef = F5C2DF260240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF3B0240F9F601650119 = {
- fileRef = F5C2DF270240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF3E0240F9FC01650119 = {
- fileRef = F5C2DF290240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF3F0240F9FD01650119 = {
- fileRef = F5C2DF2A0240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF420240FA1301650119 = {
- fileRef = F5C2DF1B0240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF430240FA1401650119 = {
- fileRef = F5C2DF1A0240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF440240FA1501650119 = {
- fileRef = F5C2DF180240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5C2DF450240FA1601650119 = {
- fileRef = F5C2DF170240F9F601650119;
- isa = PBXBuildFile;
- settings = {
- };
- };
F5C44E900231BD6801120112 = {
isa = PBXLibraryReference;
path = libGSS.a;
F5C44E920231BD6801120112 = {
buildActionMask = 2147483647;
files = (
- F5C2DF420240FA1301650119,
- F5C2DF440240FA1501650119,
F517395503F1BC9701120114,
F517395A03F1BCAB01120114,
F517397703F1BCCF01120114,
F5C44E9C0231BD6801120112 = {
buildActionMask = 2147483647;
files = (
- F5C2DF430240FA1401650119,
- F5C2DF450240FA1601650119,
F517395403F1BC9601120114,
F517395603F1BCA801120114,
F517395703F1BCA801120114,
F5CFD5CE022D86AD01120112 = {
buildActionMask = 2147483647;
files = (
- F5C2DF3F0240F9FD01650119,
F517399703F1BD1301120114,
F5E266F803F4443301120114,
F5E266F903F4443301120114,
F5CFD5CF022D86AD01120112 = {
buildActionMask = 2147483647;
files = (
- F5C2DF3E0240F9FC01650119,
F517399403F1BD1201120114,
F517399503F1BD1201120114,
F517399603F1BD1301120114,
F5CFD63A022DD45401120112 = {
buildActionMask = 2147483647;
files = (
- F5C2DF2F0240F9F601650119,
- F5C2DF350240F9F601650119,
- F5C2DF390240F9F601650119,
- F5C2DF3B0240F9F601650119,
- F58183520253A2F301120112,
F517388F03F1B8BE01120114,
F51738AA03F1B96401120114,
F51738BE03F1B9B001120114,
F51738DE03F1BA2701120114,
F51738DF03F1BA2701120114,
F51738E303F1BA7501120114,
- F51738E403F1BA7F01120114,
F51738F303F1BB1701120114,
F51738F903F1BB1A01120114,
F517391B03F1BB2D01120114,
F5CFD63B022DD45401120112 = {
buildActionMask = 2147483647;
files = (
- F5C2DF2E0240F9F601650119,
- F5C2DF340240F9F601650119,
- F5C2DF380240F9F601650119,
- F5C2DF3A0240F9F601650119,
- F58183510253A2F201120112,
F517388E03F1B8BD01120114,
F517389003F1B90D01120114,
F517389103F1B90E01120114,
F517391303F1BB2801120114,
F517391403F1BB2801120114,
F517391503F1BB2901120114,
- F517391603F1BB2901120114,
- F517391703F1BB2A01120114,
F517391803F1BB2B01120114,
F517391903F1BB2B01120114,
F517391A03F1BB2C01120114,
F517395103F1BC4E01120114,
F517395203F1BC4E01120114,
F517395303F1BC5101120114,
- F5E2670B03F4730501120114,
- F5E2670C03F4730701120114,
- F5E2670D03F4730901120114,
- F5E2670E03F4730B01120114,
- F5E2670F03F4731401120114,
- F5E2671003F4731B01120114,
- F5E2671103F4732801120114,
- F5E2671203F4732A01120114,
A1CA6042040F24850013F915,
A1CA6043040F24870013F915,
A1CA6044040F24880013F915,
A1CA609D040F25D40013F915,
A1CA609F040F25D70013F915,
A1B21F190417D6BC00120114,
+ A16DA36804854EF700120112,
+ A16DA36904854EF700120112,
+ A16DB01404868A7E00120112,
);
isa = PBXSourcesBuildPhase;
runOnlyForDeploymentPostprocessing = 0;
settings = {
};
};
- F5E2670B03F4730501120114 = {
- fileRef = F517321003F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2670C03F4730701120114 = {
- fileRef = F517321103F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2670D03F4730901120114 = {
- fileRef = F517320E03F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2670E03F4730B01120114 = {
- fileRef = F517321203F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2670F03F4731401120114 = {
- fileRef = F517321403F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2671003F4731B01120114 = {
- fileRef = F517321B03F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2671103F4732801120114 = {
- fileRef = F517321F03F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2671203F4732A01120114 = {
- fileRef = F517321D03F1B65901120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
F5E2671F03F8200601120114 = {
fileEncoding = 30;
isa = PBXFileReference;
F5E2688003F83E7D01120114 = {
buildActionMask = 2147483647;
files = (
- F5E2689C03F8423F01120114,
);
isa = PBXHeadersBuildPhase;
runOnlyForDeploymentPostprocessing = 0;
F5E2688103F83E7D01120114 = {
buildActionMask = 2147483647;
files = (
- F5E2689B03F8423E01120114,
F5E268A503F8428101120114,
F5E268A603F8428301120114,
F5E268A703F8428401120114,
isa = PBXTargetDependency;
target = F5E2686C03F8336601120114;
};
- F5E2689B03F8423E01120114 = {
- fileRef = F5E2671F03F8200601120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
- F5E2689C03F8423F01120114 = {
- fileRef = F5E2672003F8200601120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
F5E268A503F8428101120114 = {
fileRef = F517345A03F1B65A01120114;
isa = PBXBuildFile;
Intermediates = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates" ;
IntermediateErrorTables = "$(Intermediates)/ErrorTables" ;
-compile_et "$(IntermediateErrorTables)/prof_err.h"
+compile_et "$(IntermediateErrorTables)/prof_err.h"
"$(IntermediateErrorTables)/prof_err.c"
"$(IntermediateErrorTables)/prof_err.strings" :
- "$(SRCROOT)/../Sources/util/profile/prof_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/util/profile/prof_err.et" ;
-compile_et "$(IntermediateErrorTables)/krb_err.h"
+compile_et "$(IntermediateErrorTables)/krb_err.h"
"$(IntermediateErrorTables)/krb_err.c"
"$(IntermediateErrorTables)/krb_err.strings" :
- "$(SRCROOT)/../Sources/lib/krb4/krb_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/krb4/krb_err.et" ;
-compile_et "$(IntermediateErrorTables)/kadm_err.h"
+compile_et "$(IntermediateErrorTables)/kadm_err.h"
"$(IntermediateErrorTables)/kadm_err.c"
"$(IntermediateErrorTables)/kadm_err.strings" :
- "$(SRCROOT)/../Sources/lib/krb4/kadm_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/krb4/kadm_err.et" ;
-compile_et "$(IntermediateErrorTables)/krb524_err.h"
+compile_et "$(IntermediateErrorTables)/krb524_err.h"
"$(IntermediateErrorTables)/krb524_err.c"
"$(IntermediateErrorTables)/krb524_err.strings" :
- "$(SRCROOT)/../Sources/krb524/krb524_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/krb5/error_tables/krb524_err.et" ;
-compile_et "$(IntermediateErrorTables)/asn1_err.h"
+compile_et "$(IntermediateErrorTables)/asn1_err.h"
"$(IntermediateErrorTables)/asn1_err.c"
"$(IntermediateErrorTables)/asn1_err.strings" :
- "$(SRCROOT)/../Sources/lib/krb5/error_tables/asn1_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/krb5/error_tables/asn1_err.et" ;
-compile_et "$(IntermediateErrorTables)/kdb5_err.h"
+compile_et "$(IntermediateErrorTables)/kdb5_err.h"
"$(IntermediateErrorTables)/kdb5_err.c"
"$(IntermediateErrorTables)/kdb5_err.strings" :
- "$(SRCROOT)/../Sources/lib/krb5/error_tables/kdb5_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/krb5/error_tables/kdb5_err.et" ;
-compile_et "$(IntermediateErrorTables)/krb5_err.h"
+compile_et "$(IntermediateErrorTables)/krb5_err.h"
"$(IntermediateErrorTables)/krb5_err.c"
"$(IntermediateErrorTables)/krb5_err.strings" :
- "$(SRCROOT)/../Sources/lib/krb5/error_tables/krb5_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/krb5/error_tables/krb5_err.et" ;
-compile_et "$(IntermediateErrorTables)/kv5m_err.h"
+compile_et "$(IntermediateErrorTables)/kv5m_err.h"
"$(IntermediateErrorTables)/kv5m_err.c"
"$(IntermediateErrorTables)/kv5m_err.strings" :
- "$(SRCROOT)/../Sources/lib/krb5/error_tables/kv5m_err.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/krb5/error_tables/kv5m_err.et" ;
-compile_et "$(IntermediateErrorTables)/gssapi_err_generic.h"
+compile_et "$(IntermediateErrorTables)/gssapi_err_generic.h"
"$(IntermediateErrorTables)/gssapi_err_generic.c"
"$(IntermediateErrorTables)/gssapi_err_generic.strings" :
- "$(SRCROOT)/../Sources/lib/gssapi/generic/gssapi_err_generic.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/gssapi/generic/gssapi_err_generic.et" ;
-compile_et "$(IntermediateErrorTables)/gssapi_err_krb5.h"
+compile_et "$(IntermediateErrorTables)/gssapi_err_krb5.h"
"$(IntermediateErrorTables)/gssapi_err_krb5.c"
"$(IntermediateErrorTables)/gssapi_err_krb5.strings" :
- "$(SRCROOT)/../Sources/lib/gssapi/krb5/gssapi_err_krb5.et" ;
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/gssapi/krb5/gssapi_err_krb5.et" ;
DEPENDS all : "$(IntermediateErrorTables)/prof_err.h"
"$(IntermediateErrorTables)/prof_err.c"
-e 's:<kerberosIV/krb_err.h>:<Kerberos/krb_err.h>:' \
-e 's:<profile.h>:<Kerberos/profile.h>:' \
-e 's:<krb5.h>:<Kerberos/krb5.h>:' \
- -e 's:<krb524.h>:<Kerberos/krb524.h>:' \
- -e 's:<krb524_err.h>:<Kerberos/krb524_err.h>:' \
-e 's:<gssapi/gssapi.h>:<Kerberos/gssapi.h>:' \
-e 's:<gssapi/gssapi_krb5.h>:<Kerberos/gssapi_krb5.h>:' \
-e 's:<gssapi/gssapi_generic.h>:<Kerberos/gssapi_generic.h>:' \
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/com_err.h" : "$(SRCROOT)/../../KerberosErrors/Headers/Kerberos/com_err.h" ;
CopyHeader "$(IntermediateIncludes)/com_err.h" : "$(SRCROOT)/../../KerberosErrors/Headers/Kerberos/com_err.h" ;
-CopyHeader "$(IntermediateV4Includes)/des.h" : "$(SRCROOT)/../Sources/include/kerberosIV/des.h" ;
+CopyHeader "$(IntermediateV4Includes)/des.h" : "$(SRCROOT)/../../Kerberos5/Sources/include/kerberosIV/des.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/des.h" : "$(IntermediateV4Includes)/des.h" ;
-CopyHeader "$(IntermediateV4Includes)/krb.h" : "$(SRCROOT)/../Sources/include/kerberosIV/krb.h" ;
+CopyHeader "$(IntermediateV4Includes)/krb.h" : "$(SRCROOT)/../../Kerberos5/Sources/include/kerberosIV/krb.h" ;
CopyHeader "$(IntermediateV4Includes)/krb_err.h" : "$(IntermediateErrorTables)/krb_err.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/krb.h" : "$(IntermediateV4Includes)/krb.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/krb_err.h" : "$(IntermediateV4Includes)/krb_err.h" ;
CatHeader "$(IntermediateIncludes)/profile.h" : "__KERBEROSPROFILE__"
- "$(SRCROOT)/../Sources/util/profile/profile.hin"
+ "$(SRCROOT)/../../Kerberos5/Sources/util/profile/profile.hin"
"$(IntermediateErrorTables)/prof_err.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/profile.h" : "$(IntermediateIncludes)/profile.h" ;
CatHeader "$(IntermediateIncludes)/krb5.h" : "__KERBEROS5__"
- "$(SRCROOT)/../Sources/include/krb5.hin"
+ "$(SRCROOT)/../../Kerberos5/Sources/include/krb5.hin"
"$(IntermediateErrorTables)/asn1_err.h"
"$(IntermediateErrorTables)/kdb5_err.h"
"$(IntermediateErrorTables)/krb5_err.h"
+ "$(IntermediateErrorTables)/krb524_err.h"
"$(IntermediateErrorTables)/kv5m_err.h" ;
-CopyHeader "$(IntermediateIncludes)/krb524.h" : "$(SRCROOT)/../Sources/krb524/krb524.h" ;
-CopyHeader "$(IntermediateIncludes)/krb524_err.h" : "$(IntermediateErrorTables)/krb524_err.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/krb5.h" : "$(IntermediateIncludes)/krb5.h" ;
-MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/krb524.h" : "$(IntermediateIncludes)/krb524.h" ;
-MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/krb524_err.h" : "$(IntermediateIncludes)/krb524_err.h" ;
CatHeader "$(IntermediateGSSIncludes)/gssapi.h" : "__GSSAPI__"
- "$(SRCROOT)/../Sources/lib/gssapi/generic/gssapi.hin"
+ "$(SRCROOT)/../../Kerberos5/Sources/lib/gssapi/generic/gssapi.hin"
"$(IntermediateErrorTables)/gssapi_err_generic.h"
"$(IntermediateErrorTables)/gssapi_err_krb5.h" ;
-CopyHeader "$(IntermediateGSSIncludes)/gssapi_generic.h" : "$(SRCROOT)/../Sources/lib/gssapi/generic/gssapi_generic.h" ;
-CopyHeader "$(IntermediateGSSIncludes)/gssapi_krb5.h" : "$(SRCROOT)/../Sources/lib/gssapi/krb5/gssapi_krb5.h" ;
+CopyHeader "$(IntermediateGSSIncludes)/gssapi_generic.h" : "$(SRCROOT)/../../Kerberos5/Sources/lib/gssapi/generic/gssapi_generic.h" ;
+CopyHeader "$(IntermediateGSSIncludes)/gssapi_krb5.h" : "$(SRCROOT)/../../Kerberos5/Sources/lib/gssapi/krb5/gssapi_krb5.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/gssapi.h" : "$(IntermediateGSSIncludes)/gssapi.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/gssapi_generic.h" : "$(IntermediateGSSIncludes)/gssapi_generic.h" ;
MakeFrameworkHeader "$(IntermediateFrameworkHeaders)/gssapi_krb5.h" : "$(IntermediateGSSIncludes)/gssapi_krb5.h" ;
"$(IntermediateFrameworkHeaders)/profile.h"
"$(IntermediateIncludes)/krb5.h"
- "$(IntermediateIncludes)/krb524.h"
- "$(IntermediateIncludes)/krb524_err.h"
"$(IntermediateFrameworkHeaders)/krb5.h"
- "$(IntermediateFrameworkHeaders)/krb524.h"
- "$(IntermediateFrameworkHeaders)/krb524_err.h"
"$(IntermediateGSSIncludes)/gssapi.h"
"$(IntermediateGSSIncludes)/gssapi_generic.h"
Intermediates = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates" ;
IntermediateBuild = "$(Intermediates)/build" ;
-Sources = "$(SRCROOT)/../Sources" ;
+Sources = "$(SRCROOT)/../../Kerberos5/Sources" ;
Reconf = "$(Sources)/util/reconf" ;
Configure = "$(Sources)/configure" ;
Makefile = "$(IntermediateBuild)/Makefile" ;
+MakeStamp = "$(IntermediateBuild)/make.stamp" ;
+
+if $(KerberosCFLAGS) != "" {
+ KerberosCFLAGS = "CFLAGS=$(CFLAGS) -fno-common -include /usr/include/TargetConditionals.h" ;
+} else {
+ KerberosCFLAGS = "CFLAGS=-fno-common -include /usr/include/TargetConditionals.h" ;
+}
+
+if $(KerberosLDFLAGS) != "" {
+ KerberosLDFLAGS = "LDFLAGS=$(LDFLAGS) -Wl,-search_paths_first" ;
+} else {
+ KerberosLDFLAGS = "LDFLAGS=-Wl,-search_paths_first" ;
+}
#
# Note: in this jam script we have separated the dependency tree from the
actions Configure
{
mkdir -p "$(1:D)"
- cd "$(1:D)" && /bin/sh "$(2)" --prefix=/usr CFLAGS="-fno-common" || rm -f "$(1)"
+ cd "$(1:D)" && /bin/sh "$(2)" --prefix=/usr --localstatedir=/var/db "$(KerberosCFLAGS)" "$(KerberosLDFLAGS)" || rm -f "$(1)"
}
-# Make <stamp file> <build dir> : <makefile>
+# Make <stamp file> : <makefile>
rule Make
{
DEPENDS "$(1)" : "$(2)" ;
cd "$(1:D)" && make && touch "$(1)" && echo "### HAPPINESS ###"
}
-Make "$(IntermediateBuild)/make.stamp" : "$(Makefile)" ;
+# InstallProgram <destination executable> : <source executable>
+rule InstallProgram
+{
+ DEPENDS "$(1)" : "$(2)" ;
+ DEPENDS "$(2)" : "$(MakeStamp)" ;
+ Clean.Remove clean "$(1)" ;
+}
+actions InstallProgram
+{
+ mkdir -p "$(1:D)"
+ /usr/bin/install -c -s "$(2)" "$(1)"
+}
+
+# InstallFile <destination file> : <source file>
+rule InstallFile
+{
+ DEPENDS "$(1)" : "$(2)" ;
+ DEPENDS "$(2)" : "$(MakeStamp)" ;
+ Clean.Remove clean "$(1)" ;
+}
+actions InstallFile
+{
+ mkdir -p "$(1:D)"
+ /usr/bin/install -c -m 644 "$(2)" "$(1)"
+}
+
+Make "$(MakeStamp)" : "$(Makefile)" ;
+
+InstallProgram "$(DSTROOT)/usr/sbin/kadmin" : "$(IntermediateBuild)/kadmin/cli/kadmin" ;
+InstallProgram "$(DSTROOT)/usr/sbin/kadmin.local" : "$(IntermediateBuild)/kadmin/cli/kadmin.local" ;
+InstallProgram "$(DSTROOT)/usr/sbin/kadmind" : "$(IntermediateBuild)/kadmin/server/kadmind" ;
+InstallProgram "$(DSTROOT)/usr/sbin/kadmind4" : "$(IntermediateBuild)/kadmin/v4server/kadmind4" ;
+InstallProgram "$(DSTROOT)/usr/sbin/v5passwdd" : "$(IntermediateBuild)/kadmin/v5passwdd/v5passwdd" ;
+InstallProgram "$(DSTROOT)/usr/sbin/ktutil" : "$(IntermediateBuild)/kadmin/ktutil/ktutil" ;
+InstallProgram "$(DSTROOT)/usr/sbin/kdb5_util" : "$(IntermediateBuild)/kadmin/dbutil/kdb5_util" ;
+InstallProgram "$(DSTROOT)/usr/sbin/kprop" : "$(IntermediateBuild)/slave/kprop" ;
+InstallProgram "$(DSTROOT)/usr/sbin/kpropd" : "$(IntermediateBuild)/slave/kpropd" ;
+InstallProgram "$(DSTROOT)/usr/sbin/krb524d" : "$(IntermediateBuild)/krb524/krb524d" ;
+InstallProgram "$(DSTROOT)/usr/sbin/krb5kdc" : "$(IntermediateBuild)/kdc/krb5kdc" ;
+
+InstallFile "$(DSTROOT)/usr/share/man/man1/kerberos.1" : "$(SRCROOT)/../../Kerberos5/Sources/gen-manpages/kerberos.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man5/kdc.conf.5" : "$(SRCROOT)/../../Kerberos5/Sources/config-files/kdc.conf.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man5/krb5.conf.5" : "$(SRCROOT)/../../Kerberos5/Sources/config-files/krb5.conf.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/kadmin.8" : "$(SRCROOT)/../../Kerberos5/Sources/kadmin/cli/kadmin.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/kadmin.local.8" : "$(SRCROOT)/../../Kerberos5/Sources/kadmin/cli/kadmin.local.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/kadmind.8" : "$(SRCROOT)/../../Kerberos5/Sources/kadmin/server/kadmind.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/ktutil.8" : "$(SRCROOT)/../../Kerberos5/Sources/kadmin/ktutil/ktutil.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/kdb5_util.8" : "$(SRCROOT)/../../Kerberos5/Sources/kadmin/dbutil/kdb5_util.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/kprop.8" : "$(SRCROOT)/../../Kerberos5/Sources/slave/kprop.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/kpropd.8" : "$(SRCROOT)/../../Kerberos5/Sources/slave/kpropd.M" ;
+InstallFile "$(DSTROOT)/usr/share/man/man8/krb5kdc.8" : "$(SRCROOT)/../../Kerberos5/Sources/kdc/krb5kdc.M" ;
+
+
+DEPENDS all : "$(MakeStamp)" ;
-DEPENDS all : "$(IntermediateBuild)/make.stamp" ;
-DEPENDS install : all ;
+DEPENDS install : all
+ "$(DSTROOT)/usr/sbin/kadmin"
+ "$(DSTROOT)/usr/sbin/kadmin.local"
+ "$(DSTROOT)/usr/sbin/kadmind"
+ "$(DSTROOT)/usr/sbin/kadmind4"
+ "$(DSTROOT)/usr/sbin/kdb5_util"
+ "$(DSTROOT)/usr/sbin/kprop"
+ "$(DSTROOT)/usr/sbin/kpropd"
+ "$(DSTROOT)/usr/sbin/krb524d"
+ "$(DSTROOT)/usr/sbin/krb5kdc"
+ "$(DSTROOT)/usr/sbin/ktutil"
+ "$(DSTROOT)/usr/sbin/v5passwdd"
+
+ "$(DSTROOT)/usr/share/man/man1/kerberos.1"
+ "$(DSTROOT)/usr/share/man/man5/kdc.conf.5"
+ "$(DSTROOT)/usr/share/man/man5/krb5.conf.5"
+ "$(DSTROOT)/usr/share/man/man8/kadmin.8"
+ "$(DSTROOT)/usr/share/man/man8/kadmin.local.8"
+ "$(DSTROOT)/usr/share/man/man8/kadmind.8"
+ "$(DSTROOT)/usr/share/man/man8/kdb5_util.8"
+ "$(DSTROOT)/usr/share/man/man8/kprop.8"
+ "$(DSTROOT)/usr/share/man/man8/kpropd.8"
+ "$(DSTROOT)/usr/share/man/man8/krb5kdc.8"
+ "$(DSTROOT)/usr/share/man/man8/ktutil.8" ;
+
DEPENDS installhdrs : all ;
#
$(OUTPRE)kprop.$(OBJEXT): kprop.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h kprop.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h kprop.h
$(OUTPRE)kpropd.$(OBJEXT): kpropd.c $(SRCTOP)/include/syslog.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
kprop.h
+2003-06-04 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (kdb_check): Remove uses of "dump -old", etc., since
+ it doesn't work anymore given the new default for triple-DES
+ master keys.
+
2003-01-10 Ken Raeburn <raeburn@mit.edu>
* configure.in: Use V5_AC_OUTPUT_MAKEFILE instead of
$(RUN_SETUP) ../tests/verify/kdb5_verify $(KTEST_OPTS)
$(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump
$(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump
- $(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -old $(TEST_DB).odump
$(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
$(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump
$(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump
cmp $(TEST_DB).sort $(TEST_DB).sort2
cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2
$(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
- $(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -s
- $(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -old $(TEST_DB).odump
- $(RUN_SETUP) ../tests/verify/kdb5_verify $(KTEST_OPTS)
- $(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -old $(TEST_DB).odump2
- sort $(TEST_DB).odump > $(TEST_DB).osort
- sort $(TEST_DB).odump2 > $(TEST_DB).osort2
- cmp $(TEST_DB).osort $(TEST_DB).osort2
- $(RUN_SETUP) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
$(RM) $(TEST_DB)* stash_file
clean::
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * krb5_decode_test.c (main): Add new test cases for sequence
+ number compatibility.
+
+ * utility.c (krb5_data_hex_parse): Rewrite to be more lenient
+ about whitespace.
+
+2003-05-12 Ezra Peisach <epeisach@mit.edu>
+
+ * krb5_decode_test.c: Modify decode_run macro to take a cleanup
+ handler to free allocated memory. Add static handlers to free
+ krb5_alt_method, passwd_phrase_element and krb5_enc_data as the
+ krb5 library does not handle at this time.
+
+ * krb5_encode_test.c: Free krb5_context at end. Utilize the many
+ ktest_empty and detroy functions to cleanup memory.
+
+ * ktest.h, ktest.c: Add many ktest free and empty functions to
+ cleanup allocated structures in tests.
+
+ * utility.c (krb5_data_hex_parse): Free temporary data.
+
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_encode_test.c (main): Add etype_info2 support
+
+ * ktest.c (ktest_make_sample_etype_info): Initialize s2kparams to be null.
+ (ktest_make_sample_etype_info2): New function
+
2002-11-07 Ezra Peisach <epeisach@bu.edu>
* krb5_decode_test.c: Test for sam_challenege without empty
$(OUTPRE)krb5_encode_test.$(OBJEXT): krb5_encode_test.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
utility.h $(SRCTOP)/lib/krb5/asn.1/krbasn1.h $(SRCTOP)/lib/krb5/asn.1/asn1buf.h \
ktest.h debug.h
$(OUTPRE)ktest.$(OBJEXT): ktest.c ktest.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h utility.h $(SRCTOP)/lib/krb5/asn.1/krbasn1.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h utility.h $(SRCTOP)/lib/krb5/asn.1/krbasn1.h \
$(SRCTOP)/lib/krb5/asn.1/asn1buf.h
$(OUTPRE)ktest_equal.$(OBJEXT): ktest_equal.c ktest_equal.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
$(OUTPRE)utility.$(OBJEXT): utility.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) utility.h $(SRCTOP)/lib/krb5/asn.1/krbasn1.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/lib/krb5/asn.1/asn1buf.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/lib/krb5/asn.1/asn1buf.h
$(OUTPRE)trval.$(OBJEXT): trval.c
krb5_context test_context;
int error_count = 0;
+void krb5_ktest_free_alt_method(krb5_context context, krb5_alt_method *val);
+void krb5_ktest_free_pwd_sequence(krb5_context context,
+ passwd_phrase_element *val);
+void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val);
+
int main(argc, argv)
int argc;
char **argv;
exit(1);
}
+
#define setup(type,typestring,constructor)\
type ref, *var;\
retval = constructor(&ref);\
com_err("krb5_decode_test", retval, "while making sample %s", typestring);\
exit(1);\
}
-
-#define decode_run(typestring,description,encoding,decoder,comparator)\
+
+#define decode_run(typestring,description,encoding,decoder,comparator,cleanup)\
retval = krb5_data_hex_parse(&code,encoding);\
if(retval){\
com_err("krb5_decode_test", retval, "while parsing %s", typestring);\
error_count++;\
}\
assert(comparator(&ref,var),typestring);\
- printf("%s\n",description)
+ printf("%s\n",description);\
+ krb5_free_data_contents(test_context, &code);\
+ cleanup(test_context, var);
/****************************************************************/
/* decode_krb5_authenticator */
{
setup(krb5_authenticator,"krb5_authenticator",ktest_make_sample_authenticator);
- decode_run("authenticator","","62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_authenticator,ktest_equal_authenticator);
+ decode_run("authenticator","","62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+
+ ref.seq_number = 0xffffff80;
+ decode_run("authenticator","(80 -> seq-number 0xffffff80)",
+ "62 81 A1 30 81 9E"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 03 02 01 80"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+
+ ref.seq_number = 0xffffffff;
+ decode_run("authenticator","(FF -> seq-number 0xffffffff)",
+ "62 81 A1 30 81 9E"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 03 02 01 FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+
+ ref.seq_number = 0xff;
+ decode_run("authenticator","(00FF -> seq-number 0xff)",
+ "62 81 A2 30 81 9F"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 04 02 02 00 FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+
+ ref.seq_number = 0xffffffff;
+ decode_run("authenticator","(00FFFFFFFF -> seq-number 0xffffffff)",
+ "62 81 A5 30 81 A2"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 07 02 05 00 FF FF FF FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+
+ ref.seq_number = 0x7fffffff;
+ decode_run("authenticator","(7FFFFFFF -> seq-number 0x7fffffff)",
+ "62 81 A4 30 81 A1"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 06 02 04 7F FF FF FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+
+ ref.seq_number = 0xffffffff;
+ decode_run("authenticator","(FFFFFFFF -> seq-number 0xffffffff)",
+ "62 81 A4 30 81 A1"
+ " A0 03 02 01 05"
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55"
+ " A2 1A 30 18"
+ " A0 03 02 01 01"
+ " A1 11 30 0F"
+ " 1B 06 68 66 74 73 61 69"
+ " 1B 05 65 78 74 72 61"
+ " A3 0F 30 0D"
+ " A0 03 02 01 01"
+ " A1 06 04 04 31 32 33 34"
+ " A4 05 02 03 01 E2 40"
+ " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A"
+ " A6 13 30 11"
+ " A0 03 02 01 01"
+ " A1 0A 04 08 31 32 33 34 35 36 37 38"
+ " A7 06 02 04 FF FF FF FF"
+ " A8 24 30 22"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ " 30 0F"
+ " A0 03 02 01 01"
+ " A1 08 04 06 66 6F 6F 62 61 72"
+ ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
ktest_destroy_checksum(&(ref.checksum));
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
ktest_empty_authorization_data(ref.authorization_data);
- decode_run("authenticator","(optionals empty)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator);
+ decode_run("authenticator","(optionals empty)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
- ktest_destroy_authorization_data(&(ref.authorization_data));
+ ktest_destroy_authorization_data(&(ref.authorization_data));
- decode_run("authenticator","(optionals NULL)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator);
+ decode_run("authenticator","(optionals NULL)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator);
+
+ ktest_empty_authenticator(&ref);
}
/****************************************************************/
/* decode_krb5_ticket */
{
setup(krb5_ticket,"krb5_ticket",ktest_make_sample_ticket);
- decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket);
- decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 01",decode_krb5_ticket,ktest_equal_ticket);
+ decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
+ decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 01",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
/*
"61 80 30 80 "
" 00 00 00 00"
"00 00 00 00"
*/
- decode_run("ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket,ktest_equal_ticket);
+ decode_run("ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
/*
"61 80 30 80 "
" A0 03 02 01 05 "
" A4 03 02 01 01 "
"00 00 00 00"
*/
- decode_run("ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket,ktest_equal_ticket);
+ decode_run("ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket);
+
+ ktest_empty_ticket(&ref);
+
}
/****************************************************************/
/* decode_krb5_encryption_key */
{
setup(krb5_keyblock,"krb5_keyblock",ktest_make_sample_keyblock);
- decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
+
+ decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+
+ decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+ decode_run("encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
ref.enctype = -1;
- decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
ref.enctype = -255;
- decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
ref.enctype = 255;
- decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
ref.enctype = -2147483648;
- decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
ref.enctype = 2147483647;
- decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock);
+
+ ktest_empty_keyblock(&ref);
}
/****************************************************************/
/* decode_krb5_enc_tkt_part */
{
setup(krb5_enc_tkt_part,"krb5_enc_tkt_part",ktest_make_sample_enc_tkt_part);
- decode_run("enc_tkt_part","","63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part);
+ decode_run("enc_tkt_part","","63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
/* ref.times.starttime = 0; */
ref.times.starttime = ref.times.authtime;
ktest_destroy_addresses(&(ref.caddrs));
ktest_destroy_authorization_data(&(ref.authorization_data));
- decode_run("enc_tkt_part","(optionals NULL)","63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL)","63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part, krb5_free_enc_tkt_part);
- decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 38 bits)","63 81 A6 30 81 A3 A0 08 03 06 02 FE DC BA 98 DC A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 38 bits)","63 81 A6 30 81 A3 A0 08 03 06 02 FE DC BA 98 DC A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
- decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 40 bits)","63 81 A6 30 81 A3 A0 08 03 06 00 FE DC BA 98 DE A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 40 bits)","63 81 A6 30 81 A3 A0 08 03 06 00 FE DC BA 98 DE A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
- decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 29 bits)","63 81 A5 30 81 A2 A0 07 03 05 03 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part);
+ decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 29 bits)","63 81 A5 30 81 A2 A0 07 03 05 03 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
ref.flags &= 0xFFFFFF00;
- decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 24 bits)","63 81 A4 30 81 A1 A0 06 03 04 00 FE DC BA A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part);
-
+ decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 24 bits)","63 81 A4 30 81 A1 A0 06 03 04 00 FE DC BA A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part);
+
+ ktest_empty_enc_tkt_part(&ref);
}
/****************************************************************/
setup(krb5_enc_kdc_rep_part,"krb5_enc_kdc_rep_part",ktest_make_sample_enc_kdc_rep_part);
#ifdef KRB5_GENEROUS_LR_TYPE
- decode_run("enc_kdc_rep_part","(compat_lr_type)","7A 82 01 10 30 82 01 0C A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","(compat_lr_type)","7A 82 01 10 30 82 01 0C A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
#endif
- decode_run("enc_kdc_rep_part","","7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","","7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
ref.key_exp = 0;
/* ref.times.starttime = 0;*/
ktest_destroy_addresses(&(ref.caddrs));
#ifdef KRB5_GENEROUS_LR_TYPE
- decode_run("enc_kdc_rep_part","(optionals NULL)(compat lr_type)","7A 81 B4 30 81 B1 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","(optionals NULL)(compat lr_type)","7A 81 B4 30 81 B1 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
#endif
- decode_run("enc_kdc_rep_part","(optionals NULL)","7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part);
+ decode_run("enc_kdc_rep_part","(optionals NULL)","7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part);
+
+ ktest_empty_enc_kdc_rep_part(&ref);
}
/****************************************************************/
setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep);
ref.msg_type = KRB5_AS_REP;
- decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep);
+ decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
/*
6B 80 30 80
00 00 00 00
00 00 00 00
*/
- decode_run("as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep,ktest_equal_as_rep);
+ decode_run("as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
ktest_destroy_pa_data_array(&(ref.padata));
- decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep);
+ decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep);
+
+ ktest_empty_kdc_rep(&ref);
}
/****************************************************************/
setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep);
ref.msg_type = KRB5_TGS_REP;
- decode_run("tgs_rep","","6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep);
+ decode_run("tgs_rep","","6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep);
ktest_destroy_pa_data_array(&(ref.padata));
- decode_run("tgs_rep","(optionals NULL)","6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep);
+ decode_run("tgs_rep","(optionals NULL)","6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep);
+
+ ktest_empty_kdc_rep(&ref);
}
/****************************************************************/
/* decode_krb5_ap_req */
{
setup(krb5_ap_req,"krb5_ap_req",ktest_make_sample_ap_req);
- decode_run("ap_req","","6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_req,ktest_equal_ap_req);
+ decode_run("ap_req","","6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_req,ktest_equal_ap_req,krb5_free_ap_req);
+ ktest_empty_ap_req(&ref);
+
}
/****************************************************************/
/* decode_krb5_ap_rep */
{
setup(krb5_ap_rep,"krb5_ap_rep",ktest_make_sample_ap_rep);
- decode_run("ap_rep","","6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_rep,ktest_equal_ap_rep);
+ decode_run("ap_rep","","6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_rep,ktest_equal_ap_rep,krb5_free_ap_rep);
+ ktest_empty_ap_rep(&ref);
}
/****************************************************************/
{
setup(krb5_ap_rep_enc_part,"krb5_ap_rep_enc_part",ktest_make_sample_ap_rep_enc_part);
- decode_run("ap_rep_enc_part","","7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part);
+ decode_run("ap_rep_enc_part","","7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
- decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part);
+ decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+ ktest_empty_ap_rep_enc_part(&ref);
}
/****************************************************************/
ref.msg_type = KRB5_AS_REQ;
ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("as_req","","6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req);
+ decode_run("as_req","","6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
ktest_destroy_pa_data_array(&(ref.padata));
ktest_destroy_principal(&(ref.client));
ref.rtime = 0;
ktest_destroy_addresses(&(ref.addresses));
ktest_destroy_enc_data(&(ref.authorization_data));
- decode_run("as_req","(optionals NULL except second_ticket)","6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req);
+ decode_run("as_req","(optionals NULL except second_ticket)","6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
#ifndef ISODE_SUCKS
ktest_make_sample_principal(&(ref.server));
#endif
ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("as_req","(optionals NULL except server)","6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_as_req,ktest_equal_as_req);
+ decode_run("as_req","(optionals NULL except server)","6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req);
+
+ ktest_empty_kdc_req(&ref);
+
}
+
/****************************************************************/
/* decode_krb5_tgs_req */
ref.msg_type = KRB5_TGS_REQ;
ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("tgs_req","","6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req);
+ decode_run("tgs_req","","6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
ktest_destroy_pa_data_array(&(ref.padata));
ktest_destroy_principal(&(ref.client));
ref.rtime = 0;
ktest_destroy_addresses(&(ref.addresses));
ktest_destroy_enc_data(&(ref.authorization_data));
- decode_run("tgs_req","(optionals NULL except second_ticket)","6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req);
+ decode_run("tgs_req","(optionals NULL except second_ticket)","6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
#ifndef ISODE_SUCKS
ktest_make_sample_principal(&(ref.server));
#endif
ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("tgs_req","(optionals NULL except server)","6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_tgs_req,ktest_equal_tgs_req);
+ decode_run("tgs_req","(optionals NULL except server)","6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req);
+
+ ktest_empty_kdc_req(&ref);
}
/****************************************************************/
/* decode_krb5_kdc_req_body */
{
krb5_kdc_req ref, *var;
+ memset(&ref, 0, sizeof(krb5_kdc_req));
retval = ktest_make_sample_kdc_req_body(&ref);
if(retval){
com_err("making sample kdc_req_body",retval,"");
exit(1);
}
ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("kdc_req_body","","30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body);
+ decode_run("kdc_req_body","","30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
ktest_destroy_principal(&(ref.client));
#ifndef ISODE_SUCKS
ref.rtime = 0;
ktest_destroy_addresses(&(ref.addresses));
ktest_destroy_enc_data(&(ref.authorization_data));
- decode_run("kdc_req_body","(optionals NULL except second_ticket)","30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body);
+ decode_run("kdc_req_body","(optionals NULL except second_ticket)","30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
ktest_destroy_sequence_of_ticket(&(ref.second_ticket));
#ifndef ISODE_SUCKS
ktest_make_sample_principal(&(ref.server));
#endif
ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- decode_run("kdc_req_body","(optionals NULL except server)","30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body);
+ decode_run("kdc_req_body","(optionals NULL except server)","30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
ref.nktypes = 0;
free(ref.ktype);
ref.ktype = NULL;
- decode_run("kdc_req_body","(optionals NULL except server; zero-length etypes)","30 53 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 02 30 00",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body);
+ decode_run("kdc_req_body","(optionals NULL except server; zero-length etypes)","30 53 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 02 30 00",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req);
+
+ ktest_empty_kdc_req(&ref);
}
+
/****************************************************************/
/* decode_krb5_safe */
{
setup(krb5_safe,"krb5_safe",ktest_make_sample_safe);
- decode_run("safe","","74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe);
+ decode_run("safe","","74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe);
ref.timestamp = 0;
ref.usec = 0;
ref.seq_number = 0;
ktest_destroy_address(&(ref.r_address));
- decode_run("safe","(optionals NULL)","74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe);
+ decode_run("safe","(optionals NULL)","74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe);
+
+ ktest_empty_safe(&ref);
}
/****************************************************************/
/* decode_krb5_priv */
{
setup(krb5_priv,"krb5_priv",ktest_make_sample_priv);
- decode_run("priv","","75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_priv,ktest_equal_priv);
+ decode_run("priv","","75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_priv,ktest_equal_priv,krb5_free_priv);
+ ktest_empty_priv(&ref);
}
/****************************************************************/
/* decode_krb5_enc_priv_part */
{
setup(krb5_priv_enc_part,"krb5_priv_enc_part",ktest_make_sample_priv_enc_part);
- decode_run("enc_priv_part","","7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part);
+ decode_run("enc_priv_part","","7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part);
ref.timestamp = 0;
ref.usec = 0;
ref.seq_number = 0;
ktest_destroy_address(&(ref.r_address));
- decode_run("enc_priv_part","(optionals NULL)","7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part);
+ decode_run("enc_priv_part","(optionals NULL)","7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part);
+ ktest_empty_priv_enc_part(&ref);
}
/****************************************************************/
/* decode_krb5_cred */
{
setup(krb5_cred,"krb5_cred",ktest_make_sample_cred);
- decode_run("cred","","76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_cred,ktest_equal_cred);
+ decode_run("cred","","76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_cred,ktest_equal_cred,krb5_free_cred);
+ ktest_empty_cred(&ref);
}
/****************************************************************/
/* decode_krb5_enc_cred_part */
{
setup(krb5_cred_enc_part,"krb5_cred_enc_part",ktest_make_sample_cred_enc_part);
- decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part);
-
+ decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
+ /* free_cred_enc_part does not free the pointer */
+ krb5_xfree(var);
ktest_destroy_principal(&(ref.ticket_info[0]->client));
ktest_destroy_principal(&(ref.ticket_info[0]->server));
ref.ticket_info[0]->flags = 0;
ref.usec = 0;
ktest_destroy_address(&(ref.s_address));
ktest_destroy_address(&(ref.r_address));
- decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part);
+ decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
+ /* free_cred_enc_part does not free the pointer */
+ krb5_xfree(var);
+
+ ktest_empty_cred_enc_part(&ref);
}
/****************************************************************/
/* decode_krb5_error */
{
setup(krb5_error,"krb5_error",ktest_make_sample_error);
- decode_run("error","","7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_error,ktest_equal_error);
+ decode_run("error","","7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_error,ktest_equal_error,krb5_free_error);
ref.ctime = 0;
ktest_destroy_principal(&(ref.client));
ktest_empty_data(&(ref.text));
ktest_empty_data(&(ref.e_data));
- decode_run("error","(optionals NULL)","7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_error,ktest_equal_error);
+ decode_run("error","(optionals NULL)","7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_error,ktest_equal_error,krb5_free_error);
+
+ ktest_empty_error(&ref);
}
/****************************************************************/
retval = decode_krb5_authdata(&code,&var);
if(retval) com_err("decoding authorization_data",retval,"");
assert(ktest_equal_authorization_data(ref,var),"authorization_data\n")
+ krb5_free_data_contents(test_context, &code);
+ krb5_free_authdata(test_context, var);
+ ktest_destroy_authorization_data(&ref);
}
/****************************************************************/
/* decode_pwd_sequence */
{
setup(passwd_phrase_element,"passwd_phrase_element",ktest_make_sample_passwd_phrase_element);
- decode_run("PasswdSequence","","30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_sequence,ktest_equal_passwd_phrase_element);
+ decode_run("PasswdSequence","","30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_sequence,ktest_equal_passwd_phrase_element,krb5_ktest_free_pwd_sequence);
+ ktest_empty_passwd_phrase_element(&ref);
}
/****************************************************************/
/* decode_passwd_data */
{
setup(krb5_pwd_data,"krb5_pwd_data",ktest_make_sample_krb5_pwd_data);
- decode_run("PasswdData","","30 3D A0 03 02 01 02 A1 36 30 34 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_data,ktest_equal_krb5_pwd_data);
+ decode_run("PasswdData","","30 3D A0 03 02 01 02 A1 36 30 34 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_data,ktest_equal_krb5_pwd_data,krb5_free_pwd_data);
+ ktest_empty_pwd_data(&ref);
}
/****************************************************************/
}
retval = decode_krb5_padata_sequence(&code,&var);
if(retval) com_err("decoding padata_sequence",retval,"");
- assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data\n")
+ assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data\n");
+ krb5_free_pa_data(test_context, var);
+ krb5_free_data_contents(test_context, &code);
+ ktest_destroy_pa_data_array(&ref);
}
/****************************************************************/
}
retval = decode_krb5_padata_sequence(&code,&var);
if(retval) com_err("decoding padata_sequence (empty)",retval,"");
- assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data (empty)\n")
+ assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data (empty)\n");
+ krb5_free_pa_data(test_context, var);
+ krb5_free_data_contents(test_context, &code);
+ ktest_destroy_pa_data_array(&ref);
}
/****************************************************************/
/* decode_pwd_sequence */
{
setup(krb5_alt_method,"krb5_alt_method",ktest_make_sample_alt_method);
- decode_run("alt_method","","30 0F A0 03 02 01 2A A1 08 04 06 73 65 63 72 65 74",decode_krb5_alt_method,ktest_equal_krb5_alt_method);
+ decode_run("alt_method","","30 0F A0 03 02 01 2A A1 08 04 06 73 65 63 72 65 74",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method);
ref.length = 0;
- decode_run("alt_method (no data)","","30 05 A0 03 02 01 2A",decode_krb5_alt_method,ktest_equal_krb5_alt_method);
-
+ decode_run("alt_method (no data)","","30 05 A0 03 02 01 2A",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method);
+ ktest_empty_alt_method(&ref);
}
/****************************************************************/
ktest_destroy_etype_info(var);
ktest_destroy_etype_info_entry(ref[2]); ref[2] = 0;
ktest_destroy_etype_info_entry(ref[1]); ref[1] = 0;
+ krb5_free_data_contents(test_context, &code);
retval = krb5_data_hex_parse(&code,"30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30");
if(retval){
ktest_destroy_etype_info(var);
ktest_destroy_etype_info_entry(ref[0]); ref[0] = 0;
+ krb5_free_data_contents(test_context, &code);
retval = krb5_data_hex_parse(&code,"30 00");
if(retval){
}
assert(ktest_equal_etype_info(ref,var),"etype_info (no info)\n");
+ krb5_free_data_contents(test_context, &code);
ktest_destroy_etype_info(var);
ktest_destroy_etype_info(ref);
}
/* decode_pa_enc_ts */
{
setup(krb5_pa_enc_ts,"krb5_pa_enc_ts",ktest_make_sample_pa_enc_ts);
- decode_run("pa_enc_ts","","30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts);
+ decode_run("pa_enc_ts","","30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
ref.pausec = 0;
- decode_run("pa_enc_ts (no usec)","","30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts);
+ decode_run("pa_enc_ts (no usec)","","30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
}
/****************************************************************/
/* decode_enc_data */
{
setup(krb5_enc_data,"krb5_enc_data",ktest_make_sample_enc_data);
- decode_run("enc_data","","30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data);
+ decode_run("enc_data","","30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data,krb5_ktest_free_enc_data);
+ ktest_destroy_enc_data(&ref);
}
/****************************************************************/
/* decode_sam_challenge */
{
setup(krb5_sam_challenge,"krb5_sam_challenge",ktest_make_sample_sam_challenge);
- decode_run("sam_challenge","","30 78 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A3 02 04 00 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A7 02 04 00 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge);
+ decode_run("sam_challenge","","30 78 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A3 02 04 00 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A7 02 04 00 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge);
+ ktest_empty_sam_challenge(&ref);
+
}
/****************************************************************/
/* decode_sam_challenge */
{
setup(krb5_sam_challenge,"krb5_sam_challenge - no optionals",ktest_make_sample_sam_challenge);
- decode_run("sam_challenge","","30 70 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge);
+ decode_run("sam_challenge","","30 70 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge);
+ ktest_empty_sam_challenge(&ref);
}
/****************************************************************/
/* decode_sam_response */
{
setup(krb5_sam_response,"krb5_sam_response",ktest_make_sample_sam_response);
- decode_run("sam_response","","30 6A A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 14 30 12 A0 03 02 01 01 A1 04 02 02 07 96 A2 05 04 03 6B 65 79 A4 1C 30 1A A0 03 02 01 01 A1 04 02 02 0D 36 A2 0D 04 0B 6E 6F 6E 63 65 20 6F 72 20 74 73 A5 05 02 03 54 32 10 A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_sam_response,ktest_equal_sam_response);
+ decode_run("sam_response","","30 6A A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 14 30 12 A0 03 02 01 01 A1 04 02 02 07 96 A2 05 04 03 6B 65 79 A4 1C 30 1A A0 03 02 01 01 A1 04 02 02 0D 36 A2 0D 04 0B 6E 6F 6E 63 65 20 6F 72 20 74 73 A5 05 02 03 54 32 10 A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_sam_response,ktest_equal_sam_response,krb5_free_sam_response);
+
+ ktest_empty_sam_response(&ref);
}
+ krb5_free_context(test_context);
exit(error_count);
return(error_count);
}
+void krb5_ktest_free_alt_method(krb5_context context, krb5_alt_method *val)
+{
+ if (val->data)
+ krb5_xfree(val->data);
+ krb5_xfree(val);
+}
+
+void krb5_ktest_free_pwd_sequence(krb5_context context,
+ passwd_phrase_element *val)
+{
+ krb5_free_data(context, val->passwd);
+ krb5_free_data(context, val->phrase);
+ krb5_xfree(val);
+}
+
+void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val)
+{
+ if(val) {
+ krb5_free_data_contents(context, &(val->ciphertext));
+ free(val);
+ }
+}
ktest_destroy_authorization_data(&(authent.authorization_data));
encode_run(authent,authenticator,"authenticator","(optionals NULL)",encode_krb5_authenticator);
+ ktest_empty_authenticator(&authent);
}
/****************************************************************/
krb5_ticket tkt;
setup(tkt,ticket,"ticket",ktest_make_sample_ticket);
encode_run(tkt,ticket,"ticket","",encode_krb5_ticket);
+ ktest_empty_ticket(&tkt);
}
/****************************************************************/
setup(keyblk,keyblock,"keyblock",ktest_make_sample_keyblock);
current_appl_type = 1005;
encode_run(keyblk,keyblock,"keyblock","",encode_krb5_encryption_key);
+ ktest_empty_keyblock(&keyblk);
}
/****************************************************************/
/* encode_krb5_enc_tkt_part */
{
krb5_ticket tkt;
+ memset(&tkt, 0, sizeof(krb5_ticket));
tkt.enc_part2 = (krb5_enc_tkt_part*)calloc(1,sizeof(krb5_enc_tkt_part));
if(tkt.enc_part2 == NULL) com_err("allocating enc_tkt_part",errno,"");
setup(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part",ktest_make_sample_enc_tkt_part);
ktest_destroy_authorization_data(&(tkt.enc_part2->authorization_data));
encode_run(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part","(optionals NULL)",encode_krb5_enc_tkt_part);
+ ktest_empty_ticket(&tkt);
}
/****************************************************************/
/* encode_krb5_enc_kdc_rep_part */
{
krb5_kdc_rep kdcr;
-
+
+ memset(&kdcr, 0, sizeof(kdcr));
+
kdcr.enc_part2 = (krb5_enc_kdc_rep_part*)
calloc(1,sizeof(krb5_enc_kdc_rep_part));
if(kdcr.enc_part2 == NULL) com_err("allocating enc_kdc_rep_part",errno,"");
ktest_destroy_addresses(&(kdcr.enc_part2->caddrs));
encode_run(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part","(optionals NULL)",encode_krb5_enc_kdc_rep_part);
+
+ ktest_empty_kdc_rep(&kdcr);
}
/****************************************************************/
ktest_destroy_pa_data_array(&(kdcr.padata));
encode_run(kdcr,as_rep,"as_rep","(optionals NULL)",encode_krb5_as_rep);
+
+ ktest_empty_kdc_rep(&kdcr);
+
}
/****************************************************************/
ktest_destroy_pa_data_array(&(kdcr.padata));
encode_run(kdcr,tgs_rep,"tgs_rep","(optionals NULL)",encode_krb5_tgs_rep);
+
+ ktest_empty_kdc_rep(&kdcr);
+
}
/****************************************************************/
krb5_ap_req apreq;
setup(apreq,ap_req,"ap_req",ktest_make_sample_ap_req);
encode_run(apreq,ap_req,"ap_req","",encode_krb5_ap_req);
+ ktest_empty_ap_req(&apreq);
}
/****************************************************************/
krb5_ap_rep aprep;
setup(aprep,ap_rep,"ap_rep",ktest_make_sample_ap_rep);
encode_run(aprep,ap_rep,"ap_rep","",encode_krb5_ap_rep);
+ ktest_empty_ap_rep(&aprep);
}
/****************************************************************/
ktest_destroy_keyblock(&(apenc.subkey));
apenc.seq_number = 0;
encode_run(apenc,ap_rep_enc_part,"ap_rep_enc_part","(optionals NULL)",encode_krb5_ap_rep_enc_part);
+ ktest_empty_ap_rep_enc_part(&apenc);
}
/****************************************************************/
#endif
asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
encode_run(asreq,as_req,"as_req","(optionals NULL except server)",encode_krb5_as_req);
+ ktest_empty_kdc_req(&asreq);
}
/****************************************************************/
#endif
tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
encode_run(tgsreq,tgs_req,"tgs_req","(optionals NULL except server)",encode_krb5_tgs_req);
+
+ ktest_empty_kdc_req(&tgsreq);
}
/****************************************************************/
/* encode_krb5_kdc_req_body */
{
krb5_kdc_req kdcrb;
+ memset(&kdcrb, 0, sizeof(kdcrb));
setup(kdcrb,kdc_req_body,"kdc_req_body",ktest_make_sample_kdc_req_body);
kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
current_appl_type = 1007; /* Force interpretation as kdc-req-body */
kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
current_appl_type = 1007; /* Force interpretation as kdc-req-body */
encode_run(kdcrb,kdc_req_body,"kdc_req_body","(optionals NULL except server)",encode_krb5_kdc_req_body);
+
+ ktest_empty_kdc_req(&kdcrb);
}
/****************************************************************/
s.seq_number = 0;
ktest_destroy_address(&(s.r_address));
encode_run(s,safe,"safe","(optionals NULL)",encode_krb5_safe);
+
+ ktest_empty_safe(&s);
}
/****************************************************************/
krb5_priv p;
setup(p,priv,"priv",ktest_make_sample_priv);
encode_run(p,priv,"priv","",encode_krb5_priv);
+ ktest_empty_priv(&p);
}
/****************************************************************/
ep.seq_number = 0;
ktest_destroy_address(&(ep.r_address));
encode_run(ep,enc_priv_part,"enc_priv_part","(optionals NULL)",encode_krb5_enc_priv_part);
+
+ ktest_empty_priv_enc_part(&ep);
}
/****************************************************************/
krb5_cred c;
setup(c,cred,"cred",ktest_make_sample_cred);
encode_run(c,cred,"cred","",encode_krb5_cred);
+ ktest_empty_cred(&c);
}
/****************************************************************/
ktest_destroy_address(&(cep.s_address));
ktest_destroy_address(&(cep.r_address));
encode_run(cep,enc_cred_part,"enc_cred_part","(optionals NULL)",encode_krb5_enc_cred_part);
+
+ ktest_empty_cred_enc_part(&cep);
}
/****************************************************************/
ktest_empty_data(&(kerr.text));
ktest_empty_data(&(kerr.e_data));
encode_run(kerr,error,"error","(optionals NULL)",encode_krb5_error);
+
+ ktest_empty_error(&kerr);
}
/****************************************************************/
}
current_appl_type = 1004; /* Force type to be authdata */
encoder_print_results(code, "authorization_data", "");
+
+ ktest_destroy_authorization_data(&ad);
}
/****************************************************************/
passwd_phrase_element ppe;
setup(ppe,passwd_phrase_element,"PasswdSequence",ktest_make_sample_passwd_phrase_element);
encode_run(ppe,passwd_phrase_element,"pwd_sequence","",encode_krb5_pwd_sequence);
+ ktest_empty_passwd_phrase_element(&ppe);
}
/****************************************************************/
krb5_pwd_data pd;
setup(pd,krb5_pwd_data,"PasswdData",ktest_make_sample_krb5_pwd_data);
encode_run(pd,krb5_pwd_data,"pwd_data","",encode_krb5_pwd_data);
+ ktest_empty_pwd_data(&pd);
}
/****************************************************************/
exit(1);
}
encoder_print_results(code, "padata_sequence", "");
+
+ ktest_destroy_pa_data_array(&pa);
}
/****************************************************************/
exit(1);
}
encoder_print_results(code, "padata_sequence(empty)", "");
+
+ ktest_destroy_pa_data_array(&pa);
}
/****************************************************************/
setup(am,krb5_alt_method,"AltMethod",ktest_make_sample_alt_method);
encode_run(am,krb5_alt_method,"alt_method","",encode_krb5_alt_method);
am.length = 0;
+ if (am.data)
+ free(am.data);
am.data = 0;
encode_run(am,krb5_alt_method,"alt_method (no data)","",
encode_krb5_alt_method);
+ ktest_empty_alt_method(&am);
}
/****************************************************************/
}
encoder_print_results(code, "etype_info (no info)", "");
- free(info);
+ ktest_destroy_etype_info(info);
+ }
+
+ /* encode_etype_info 2*/
+ {
+ krb5_etype_info_entry **info;
+
+ setup(info,krb5_etype_info_entry **,"etype_info2",
+ ktest_make_sample_etype_info2);
+ retval = encode_krb5_etype_info2((const krb5_etype_info_entry **)info,&(code));
+ if(retval) {
+ com_err("encoding etype_info",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "etype_info2", "");
+ ktest_destroy_etype_info_entry(info[2]); info[2] = 0;
+ ktest_destroy_etype_info_entry(info[1]); info[1] = 0;
+
+ retval = encode_krb5_etype_info2((const krb5_etype_info_entry **)info,&(code));
+ if(retval) {
+ com_err("encoding etype_info (only 1)",retval,"");
+ exit(1);
+ }
+ encoder_print_results(code, "etype_info2 (only 1)", "");
+
+ ktest_destroy_etype_info(info);
+/* ktest_destroy_etype_info_entry(info[0]); info[0] = 0;*/
+
}
/****************************************************************/
setup(enc_data,krb5_enc_data,"enc_data",ktest_make_sample_enc_data);
current_appl_type = 1001;
encode_run(enc_data,krb5_enc_data,"enc_data","",encode_krb5_enc_data);
+ ktest_destroy_enc_data(&enc_data);
}
/****************************************************************/
/* encode_krb5_sam_challenge */
ktest_make_sample_sam_challenge);
encode_run(sam_ch,krb5_sam_challenge,"sam_challenge","",
encode_krb5_sam_challenge);
+ ktest_empty_sam_challenge(&sam_ch);
}
/****************************************************************/
/* encode_krb5_sam_response */
ktest_make_sample_sam_response);
encode_run(sam_ch,krb5_sam_response,"sam_response","",
encode_krb5_sam_response);
+ ktest_empty_sam_response(&sam_ch);
}
#if 0
/****************************************************************/
}
#endif
+ krb5_free_context(test_context);
exit(error_count);
return(error_count);
}
if(retval) return retval;
retval = ktest_make_sample_enc_data(&(tkt->enc_part));
if(retval) return retval;
+ tkt->enc_part2 = NULL;
return 0;
}
*lr = (krb5_last_req_entry**)calloc(3,sizeof(krb5_last_req_entry*));
if(*lr == NULL) return ENOMEM;
for(i=0; i<=1; i++){
- (*lr)[i] = (krb5_last_req_entry*)calloc(1,sizeof(krb5_last_req_entry));
- if((*lr)[i] == NULL) return ENOMEM;
retval = ktest_make_sample_last_req_entry(&((*lr)[i]));
if(retval) return retval;
}
krb5_alt_method * p;
{
p->method = 42;
- p->data = (krb5_octet *) "secret";
+ p->data = (krb5_octet *) strdup("secret");
+ if(p->data == NULL) return ENOMEM;
p->length = strlen((char *) p->data);
return 0;
}
if (info[i]->salt == 0)
goto memfail;
strcpy((char *) info[i]->salt, buf);
+ info[i]->s2kparams.data = NULL;
+ info[i]->s2kparams.length = 0;
info[i]->magic = KV5M_ETYPE_INFO_ENTRY;
}
free(info[1]->salt);
return ENOMEM;
}
+
+krb5_error_code ktest_make_sample_etype_info2(p)
+ krb5_etype_info_entry *** p;
+{
+ krb5_etype_info_entry **info;
+ int i;
+ char buf[80];
+
+ info = malloc(sizeof(krb5_etype_info_entry *) * 4);
+ if (!info)
+ return ENOMEM;
+ memset(info, 0, sizeof(krb5_etype_info_entry *) * 4);
+
+ for (i=0; i < 3; i++) {
+ info[i] = malloc(sizeof(krb5_etype_info_entry));
+ if (info[i] == 0)
+ goto memfail;
+ info[i]->etype = i;
+ sprintf(buf, "Morton's #%d", i);
+ info[i]->length = strlen(buf);
+ info[i]->salt = malloc((size_t) (info[i]->length+1));
+ if (info[i]->salt == 0)
+ goto memfail;
+ strcpy((char *) info[i]->salt, buf);
+ sprintf(buf, "s2k: %d", i);
+ info[i]->s2kparams.data = malloc(strlen(buf)+1);
+ if (info[i]->s2kparams.data == NULL)
+ goto memfail;
+ strcpy( info[i]->s2kparams.data, buf);
+ info[i]->s2kparams.length = strlen(buf);
+ info[i]->magic = KV5M_ETYPE_INFO_ENTRY;
+ }
+ free(info[1]->salt);
+ info[1]->length = KRB5_ETYPE_NO_SALT;
+ info[1]->salt = 0;
+ *p = info;
+ return 0;
+memfail:
+ ktest_destroy_etype_info(info);
+ return ENOMEM;
+}
+
+
krb5_error_code ktest_make_sample_pa_enc_ts(pa_enc)
krb5_pa_enc_ts * pa_enc;
{
p->magic = KV5M_SAM_CHALLENGE;
p->sam_type = 42; /* information */
p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
- p->sam_type_name.data = "type name";
+ p->sam_type_name.data = strdup("type name");
+ if (p->sam_type_name.data == NULL) return ENOMEM;
p->sam_type_name.length = strlen(p->sam_type_name.data);
p->sam_track_id.data = 0;
p->sam_track_id.length = 0;
- p->sam_challenge_label.data = "challenge label";
+ p->sam_challenge_label.data = strdup("challenge label");
+ if (p->sam_challenge_label.data == NULL) return ENOMEM;
p->sam_challenge_label.length = strlen(p->sam_challenge_label.data);
- p->sam_challenge.data = "challenge ipse";
+ p->sam_challenge.data = strdup("challenge ipse");
+ if (p->sam_challenge.data == NULL) return ENOMEM;
p->sam_challenge.length = strlen(p->sam_challenge.data);
- p->sam_response_prompt.data = "response_prompt ipse";
+ p->sam_response_prompt.data = strdup("response_prompt ipse");
+ if (p->sam_response_prompt.data == NULL) return ENOMEM;
p->sam_response_prompt.length = strlen(p->sam_response_prompt.data);
p->sam_pk_for_sad.data = 0;
p->sam_pk_for_sad.length = 0;
p->magic = KV5M_SAM_RESPONSE;
p->sam_type = 42; /* information */
p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */
- p->sam_track_id.data = "track data";
+ p->sam_track_id.data = strdup("track data");
+ if (p->sam_track_id.data == NULL) return ENOMEM;
p->sam_track_id.length = strlen(p->sam_track_id.data);
- p->sam_enc_key.ciphertext.data = "key";
+ p->sam_enc_key.ciphertext.data = strdup("key");
+ if (p->sam_enc_key.ciphertext.data == NULL) return ENOMEM;
p->sam_enc_key.ciphertext.length = strlen(p->sam_enc_key.ciphertext.data);
p->sam_enc_key.enctype = ENCTYPE_DES_CBC_CRC;
p->sam_enc_key.kvno = 1942;
- p->sam_enc_nonce_or_ts.ciphertext.data = "nonce or ts";
+ p->sam_enc_nonce_or_ts.ciphertext.data = strdup("nonce or ts");
+ if (p->sam_enc_nonce_or_ts.ciphertext.data == NULL) return ENOMEM;
p->sam_enc_nonce_or_ts.ciphertext.length =
strlen(p->sam_enc_nonce_or_ts.ciphertext.data);
p->sam_enc_nonce_or_ts.enctype = ENCTYPE_DES_CBC_CRC;
}
}
+void ktest_empty_keyblock(kb)
+ krb5_keyblock * kb;
+{
+ if (kb != NULL) {
+ if (kb->contents) {
+ free (kb->contents);
+ kb->contents = NULL;
+ }
+ }
+}
+
void ktest_destroy_keyblock(kb)
krb5_keyblock ** kb;
{
{
int i;
- for(i=0; ad[i] != NULL; i++)
- ktest_destroy_authdata(&(ad[i]));
+ if(*ad != NULL) {
+ for(i=0; ad[i] != NULL; i++)
+ ktest_destroy_authdata(&(ad[i]));
+ }
}
void ktest_destroy_authorization_data(ad)
for(i=0; i<(*p)->length; i++)
ktest_empty_data(&(((*p)->data)[i]));
+ ktest_empty_data(&((*p)->realm));
+ free((*p)->data);
free(*p);
*p = NULL;
}
{
ktest_destroy_principal(&((*tkt)->server));
ktest_destroy_enc_data(&((*tkt)->enc_part));
+ /* ktest_empty_enc_tkt_part(((*tkt)->enc_part2));*/
free(*tkt);
*tkt = NULL;
}
+void ktest_empty_ticket(tkt)
+ krb5_ticket * tkt;
+{
+ if(tkt->server)
+ ktest_destroy_principal(&((tkt)->server));
+ ktest_destroy_enc_data(&((tkt)->enc_part));
+ if (tkt->enc_part2) {
+ ktest_destroy_enc_tkt_part(&(tkt->enc_part2));
+ }
+}
+
void ktest_destroy_enc_data(ed)
krb5_enc_data * ed;
{
{
if (i->salt)
free(i->salt);
+ ktest_empty_data(&(i->s2kparams));
free(i);
}
}
+void ktest_empty_kdc_req(kr)
+ krb5_kdc_req *kr;
+{
+ if (kr->padata)
+ ktest_destroy_pa_data_array(&(kr->padata));
+
+ if (kr->client)
+ ktest_destroy_principal(&(kr->client));
+
+ if (kr->server)
+ ktest_destroy_principal(&(kr->server));
+ if (kr->ktype)
+ free(kr->ktype);
+ if (kr->addresses)
+ ktest_destroy_addresses(&(kr->addresses));
+ ktest_destroy_enc_data(&(kr->authorization_data));
+ if (kr->unenc_authdata)
+ ktest_destroy_authorization_data(&(kr->unenc_authdata));
+ if (kr->second_ticket)
+ ktest_destroy_sequence_of_ticket(&(kr->second_ticket));
+
+}
+
+void ktest_empty_kdc_rep(kr)
+ krb5_kdc_rep *kr;
+{
+ if (kr->padata)
+ ktest_destroy_pa_data_array(&(kr->padata));
+
+ if (kr->client)
+ ktest_destroy_principal(&(kr->client));
+
+ if (kr->ticket)
+ ktest_destroy_ticket(&(kr->ticket));
+
+ ktest_destroy_enc_data(&kr->enc_part);
+
+ if (kr->enc_part2) {
+ ktest_empty_enc_kdc_rep_part(kr->enc_part2);
+ free(kr->enc_part2);
+ kr->enc_part2 = NULL;
+ }
+}
+
+
+void ktest_empty_authenticator(a)
+ krb5_authenticator * a;
+{
+
+ if(a->client)
+ ktest_destroy_principal(&(a->client));
+ if(a->checksum)
+ ktest_destroy_checksum(&(a->checksum));
+ if(a->subkey)
+ ktest_destroy_keyblock(&(a->subkey));
+ if(a->authorization_data)
+ ktest_destroy_authorization_data(&(a->authorization_data));
+}
+
+void ktest_empty_enc_tkt_part(etp)
+ krb5_enc_tkt_part * etp;
+{
+
+ if(etp->session)
+ ktest_destroy_keyblock(&(etp->session));
+ if(etp->client)
+ ktest_destroy_principal(&(etp->client));
+ if (etp->caddrs)
+ ktest_destroy_addresses(&(etp->caddrs));
+ if(etp->authorization_data)
+ ktest_destroy_authorization_data(&(etp->authorization_data));
+ ktest_destroy_transited(&(etp->transited));
+}
+
+void ktest_destroy_enc_tkt_part(etp)
+ krb5_enc_tkt_part ** etp;
+{
+ if(*etp) {
+ ktest_empty_enc_tkt_part(*etp);
+ free(*etp);
+ *etp = NULL;
+ }
+}
+
+void ktest_empty_enc_kdc_rep_part(ekr)
+ krb5_enc_kdc_rep_part * ekr;
+{
+
+ if(ekr->session)
+ ktest_destroy_keyblock(&(ekr->session));
+
+ if(ekr->server)
+ ktest_destroy_principal(&(ekr->server));
+
+ if (ekr->caddrs)
+ ktest_destroy_addresses(&(ekr->caddrs));
+ ktest_destroy_last_req(&(ekr->last_req));
+}
+
+
+void ktest_destroy_transited(t)
+ krb5_transited * t;
+{
+ if(t->tr_contents.data)
+ ktest_empty_data(&(t->tr_contents));
+}
+
+
+void ktest_empty_ap_rep(ar)
+ krb5_ap_rep * ar;
+{
+ ktest_destroy_enc_data(&ar->enc_part);
+}
+
+void ktest_empty_ap_req(ar)
+ krb5_ap_req * ar;
+{
+
+ if(ar->ticket)
+ ktest_destroy_ticket(&(ar->ticket));
+ ktest_destroy_enc_data(&(ar->authenticator));
+}
+
+void ktest_empty_cred_enc_part(cep)
+ krb5_cred_enc_part * cep;
+{
+ if (cep->s_address)
+ ktest_destroy_address(&(cep->s_address));
+ if (cep->r_address)
+ ktest_destroy_address(&(cep->r_address));
+ if (cep->ticket_info)
+ ktest_destroy_sequence_of_cred_info(&(cep->ticket_info));
+}
+
+void ktest_destroy_cred_info(ci)
+ krb5_cred_info ** ci;
+{
+ if((*ci)->session)
+ ktest_destroy_keyblock(&((*ci)->session));
+ if((*ci)->client)
+ ktest_destroy_principal(&((*ci)->client));
+ if((*ci)->server)
+ ktest_destroy_principal(&((*ci)->server));
+ if ((*ci)->caddrs)
+ ktest_destroy_addresses(&((*ci)->caddrs));
+ free(*ci);
+ *ci = NULL;
+}
+
+void ktest_destroy_sequence_of_cred_info(soci)
+ krb5_cred_info *** soci;
+{
+ int i;
+
+ for(i=0; (*soci)[i] != NULL; i++)
+ ktest_destroy_cred_info(&((*soci)[i]));
+ free(*soci);
+ *soci = NULL;
+}
+
+
+void ktest_empty_safe(s)
+ krb5_safe * s;
+{
+ ktest_empty_data(&(s->user_data));
+ ktest_destroy_address(&(s->s_address));
+ ktest_destroy_address(&(s->r_address));
+ ktest_destroy_checksum(&(s->checksum));
+}
+
+void ktest_empty_priv_enc_part(pep)
+ krb5_priv_enc_part * pep;
+{
+ ktest_empty_data(&(pep->user_data));
+ ktest_destroy_address(&(pep->s_address));
+ ktest_destroy_address(&(pep->r_address));
+}
+
+void ktest_empty_priv(p)
+ krb5_priv * p;
+{
+ ktest_destroy_enc_data(&(p->enc_part));
+}
+
+void ktest_empty_cred(c)
+ krb5_cred * c;
+{
+
+ ktest_destroy_sequence_of_ticket(&(c->tickets));
+ ktest_destroy_enc_data(&(c->enc_part));
+ /* enc_part2 */
+
+}
+
+void ktest_destroy_last_req(lr)
+ krb5_last_req_entry *** lr;
+{
+ int i;
+
+ if(*lr) {
+ for(i=0; (*lr)[i] != NULL; i++) {
+ free((*lr)[i]);
+ }
+ free(*lr);
+ }
+}
+
+void ktest_empty_error(kerr)
+ krb5_error * kerr;
+{
+ if(kerr->client)
+ ktest_destroy_principal(&(kerr->client));
+ if(kerr->server)
+ ktest_destroy_principal(&(kerr->server));
+ ktest_empty_data(&(kerr->text));
+ ktest_empty_data(&(kerr->e_data));
+}
+
+void ktest_empty_ap_rep_enc_part(arep)
+ krb5_ap_rep_enc_part * arep;
+{
+ ktest_destroy_keyblock(&((arep)->subkey));
+}
+
+void ktest_empty_passwd_phrase_element(ppe)
+ passwd_phrase_element * ppe;
+{
+ ktest_destroy_data(&(ppe->passwd));
+ ktest_destroy_data(&(ppe->phrase));
+}
+
+void ktest_empty_pwd_data(pd)
+ krb5_pwd_data * pd;
+{
+ int i;
+
+ for(i=0; i <= pd->sequence_count; i++){
+ if(pd->element[i]) {
+ ktest_empty_passwd_phrase_element(pd->element[i]);
+ free(pd->element[i]);
+ pd->element[i] = NULL;
+ }
+ }
+ free(pd->element);
+
+}
+
+void ktest_empty_alt_method(am)
+ krb5_alt_method *am;
+{
+ if (am->data) {
+ free(am->data);
+ am->data = NULL;
+ }
+}
+
+void ktest_empty_sam_challenge(p)
+ krb5_sam_challenge * p;
+{
+ ktest_empty_data(&(p->sam_type_name));
+ ktest_empty_data(&(p->sam_track_id));
+ ktest_empty_data(&(p->sam_challenge_label));
+ ktest_empty_data(&(p->sam_challenge));
+ ktest_empty_data(&(p->sam_response_prompt));
+ ktest_empty_data(&(p->sam_pk_for_sad));
+
+ if(p->sam_cksum.contents != NULL) {
+ free(p->sam_cksum.contents);
+ p->sam_cksum.contents = NULL;
+ }
+
+}
+
+void ktest_empty_sam_response(p)
+ krb5_sam_response * p;
+{
+ ktest_empty_data(&(p->sam_track_id));
+ ktest_empty_data(&(p->sam_enc_key.ciphertext));
+ ktest_empty_data(&(p->sam_enc_nonce_or_ts.ciphertext));
+}
krb5_error_code ktest_make_sample_etype_info
(krb5_etype_info_entry *** p);
+krb5_error_code ktest_make_sample_etype_info2
+ (krb5_etype_info_entry *** p);
krb5_error_code ktest_make_sample_pa_enc_ts
(krb5_pa_enc_ts *am);
krb5_error_code ktest_make_sample_sam_challenge
(krb5_principal *p);
void ktest_destroy_checksum
(krb5_checksum **cs);
+void ktest_empty_keyblock
+ (krb5_keyblock *kb);
void ktest_destroy_keyblock
(krb5_keyblock **kb);
void ktest_destroy_authdata
(krb5_ticket ***sot);
void ktest_destroy_ticket
(krb5_ticket **tkt);
+void ktest_empty_ticket
+ (krb5_ticket *tkt);
void ktest_destroy_enc_data
(krb5_enc_data *ed);
-
+void ktest_empty_error
+ (krb5_error * kerr);
void ktest_destroy_etype_info_entry
(krb5_etype_info_entry *i);
void ktest_destroy_etype_info
(krb5_etype_info_entry **info);
+void ktest_empty_kdc_req
+ (krb5_kdc_req *kr);
+void ktest_empty_kdc_rep
+ (krb5_kdc_rep *kr);
+
+void ktest_empty_authenticator
+ (krb5_authenticator *a);
+void ktest_empty_enc_tkt_part
+ (krb5_enc_tkt_part * etp);
+void ktest_destroy_enc_tkt_part
+ (krb5_enc_tkt_part ** etp);
+void ktest_empty_enc_kdc_rep_part
+ (krb5_enc_kdc_rep_part * ekr);
+void ktest_destroy_transited
+ (krb5_transited * t);
+void ktest_empty_ap_rep
+ (krb5_ap_rep * ar);
+void ktest_empty_ap_req
+ (krb5_ap_req * ar);
+void ktest_empty_cred_enc_part
+ (krb5_cred_enc_part * cep);
+void ktest_destroy_cred_info
+ (krb5_cred_info ** ci);
+void ktest_destroy_sequence_of_cred_info
+ (krb5_cred_info *** soci);
+void ktest_empty_safe
+ (krb5_safe * s);
+void ktest_empty_priv
+ (krb5_priv * p);
+void ktest_empty_priv_enc_part
+ (krb5_priv_enc_part * pep);
+void ktest_empty_cred
+ (krb5_cred * c);
+void ktest_destroy_last_req
+ (krb5_last_req_entry *** lr);
+void ktest_empty_ap_rep_enc_part
+ (krb5_ap_rep_enc_part * arep);
+void ktest_empty_passwd_phrase_element
+ (passwd_phrase_element * ppe);
+void ktest_empty_pwd_data
+ (krb5_pwd_data * pd);
+void ktest_empty_alt_method
+ (krb5_alt_method *am);
+void ktest_empty_sam_challenge
+ (krb5_sam_challenge * p);
+void ktest_empty_sam_response
+ (krb5_sam_response * p);
+
extern krb5_context test_context;
extern char *sample_principal_name;
encode_krb5_etype_info: 30 33 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 30 05 A0 03 02 01 01 30 14 A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32
encode_krb5_etype_info (only 1): 30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30
encode_krb5_etype_info (no info): 30 00
+encode_krb5_etype_info2: 30 51 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 30 0F A0 03 02 01 01 A2 08 04 06 73 32 6B 3A 20 31 30 1E A0 03 02 01 02 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 A2 08 04 06 73 32 6B 3A 20 32
+encode_krb5_etype_info2 (only 1): 30 20 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30
encode_krb5_pa_enc_ts: 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40
encode_krb5_pa_enc_ts (no usec): 30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A
encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65
[Sequence/Sequence Of]
+encode_krb5_etype_info2:
+
+[Sequence/Sequence Of]
+. [Sequence/Sequence Of]
+. . [0] [Integer] 0
+. . [1] [General string] "Morton's #0"
+. . [2] [Octet String] "s2k: 0"
+. [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [2] [Octet String] "s2k: 1"
+. [Sequence/Sequence Of]
+. . [0] [Integer] 2
+. . [1] [General string] "Morton's #2"
+. . [2] [Octet String] "s2k: 2"
+
+encode_krb5_etype_info2 (only 1):
+
+[Sequence/Sequence Of]
+. [Sequence/Sequence Of]
+. . [0] [Integer] 0
+. . [1] [General string] "Morton's #0"
+. . [2] [Octet String] "s2k: 0"
+
encode_krb5_pa_enc_ts:
[Sequence/Sequence Of]
#include "utility.h"
#include <stdlib.h>
#include <stdio.h>
+#include <ctype.h>
char hexchar (const unsigned int digit);
return 0;
}
-krb5_error_code krb5_data_hex_parse(d, s)
- krb5_data * d;
- const char * s;
+krb5_error_code krb5_data_hex_parse(krb5_data *d, const char *s)
{
- int i, digit;
- char *copy;
- char *pos;
+ int lo;
+ long v;
+ const char *cp;
+ char *dp;
+ char buf[2];
- /*
- * Do a strdup() and use that, because some systems can't handle non
- * writeable strings being passed to sscanf() --proven.
- */
- copy = strdup(s);
- d->data = (char*)calloc((strlen(copy)+1)/3,sizeof(char));
- if(d->data == NULL) return ENOMEM;
- d->length = (strlen(copy)+1)/3;
- for(i=0,pos=(char*)copy; i<d->length; i++,pos+=3){
- if(!sscanf(pos,"%x",&digit)) {
-#ifdef KRB5_USE_ISODE
- return EINVAL;
-#else
+ d->data = calloc((strlen(s) / 2 + 1), 1);
+ if (d->data == NULL)
+ return ENOMEM;
+ d->length = 0;
+ buf[1] = '\0';
+ for (lo = 0, dp = d->data, cp = s; *cp; cp++) {
+ if (*cp < 0)
return ASN1_PARSE_ERROR;
-#endif
+ else if (isspace(*cp))
+ continue;
+ else if (isxdigit(*cp)) {
+ buf[0] = *cp;
+ v = strtol(buf, NULL, 16);
+ } else
+ return ASN1_PARSE_ERROR;
+ if (lo) {
+ *dp++ |= v;
+ lo = 0;
+ } else {
+ *dp = v << 4;
+ lo = 1;
+ }
}
- d->data[i] = (char)digit;
- }
- return 0;
+
+ d->length = dp - d->data;
+ return 0;
}
#if 0
+2003-05-22 Ezra Peisach <epeisach@mit.edu>
+
+ * kdb5_mkdums.c (main): When attempting to register writable
+ keytab, do not fail if error is KRB5_KT_TYPE_EXISTS.
+
2002-08-29 Ken Raeburn <raeburn@mit.edu>
* Makefile.in: Revert $(S)=>/ change, for Windows support.
#
$(OUTPRE)kdb5_mkdums.$(OBJEXT): kdb5_mkdums.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SS_DEPS)
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SS_DEPS)
if ((retval = krb5_kt_register(test_context, &krb5_ktf_writable_ops))) {
- com_err(progname, retval,
+ if (retval != KRB5_KT_TYPE_EXISTS) {
+ com_err(progname, retval,
"while registering writable key table functions");
- exit(1);
+ exit(1);
+ }
}
if (!enctypedone)
+2003-06-05 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (setup_root_shell): Check for "not authorized". Map
+ eof to unsupported.
+
+2003-06-04 Tom Yu <tlyu@mit.edu>
+
+ * default.exp (setup_root_shell): Don't try to use the procedure
+ "-" when handling error messages from rlogin.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (setup_root_shell): Handle error messages indicating
+ "-x" isn't supported.
+ (start_kerberos_daemons): "cannont" => "cannot".
+
+2003-06-01 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp: Default RLOGIN_FLAGS to "-x".
+ (start_kerberos_daemons): Watch for "Cannot bind server socket"
+ and log it. Watch for "no sockets set up" and report an error.
+ (setup_root_shell): Watch for "Cannot assign requested address",
+ log it and give up.
+
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Be slightly more lenient about matching password
+ prompts.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (spawn_xterm): Add KPASSWD and REALMNAME to the list
+ of exported variables.
+
+2003-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp: Add passes for testing AES.
+ (start_kerberos_daemons): Add a small delay between starting the
+ "tail -f" processes and appending the markers to their files.
+ (spawn_xterm): Add RLOGIN, RLOGIND, FTP, and FTPD to the list of
+ variables to export to the environment. Check that variables are
+ defined before exporting them.
+
+2003-03-28 Tom Yu <tlyu@mit.edu>
+
+ * default.exp (start_kerberos_daemons): If we get a timeout
+ looking for the mark, log out the last 10 lines of the kdc
+ logfile.
+
+2003-03-26 Tom Yu <tlyu@mit.edu>
+
+ * default.exp (v4kinit): Expect failure when kiniting to a des3
+ TGT, due to fix for MITKRB5-SA-2003-004.
+ (setup_kadmind_srvtab): Remove. It's not needed anymore.
+
+2003-03-14 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (setup_root_shell): If we get connection refused
+ messages, followed by no unrecognized errors and then eof, report
+ it as an unsupported test.
+
+2003-03-14 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (setup_root_shell): If we get connection refused
+ messages, followed by no unrecognized errors and then eof, report
+ it as an unsupported test.
+
2003-02-04 Tom Yu <tlyu@mit.edu>
* default.exp (start_kerberos_daemons): Use correct argument to
{kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
{dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
}
+ {
+ aes
+ des3_krbtgt=0
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
+ {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des-cbc-crc}
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des-cbc-crc}
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des-cbc-crc}
+ {master_key_type=aes256-cts-hmac-sha1-96}
+ {dummy=[verbose -log "AES + DES enctypes"]}
+ }
+ {
+ aes-des3
+ des3_krbtgt=0
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
+ {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {master_key_type=aes256-cts-hmac-sha1-96}
+ {dummy=[verbose -log "AES + DES enctypes"]}
+ }
+ {
+ des3-aes
+ des3_krbtgt=1
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
+ {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {master_key_type=aes256-cts-hmac-sha1-96}
+ {dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
+ }
{
des-v4
des3_krbtgt=0
all-enctypes
des3_krbtgt=1
{supported_enctypes=\
- rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \
- serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \
- twofish256-hmac-sha1:normal twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \
+ aes256-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:norealm \
+ aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
des3-cbc-sha1:normal des3-cbc-sha1:none \
des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
}
{kdc_supported_enctypes=\
- rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \
- serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \
- twofish256-hmac-sha1:normal twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \
des3-cbc-sha1:normal des3-cbc-sha1:none \
des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
}
{dummy=[verbose -log "DES3 TGT, default enctypes"]}
}
+ # This won't work for anything using GSSAPI until it gets AES support.
{
- aes
+ aes-only
des3_krbtgt=0
- {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal}
- {kdc_supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal}
- {default_tgs_enctypes=rijndael256-hmac-sha1 des-cbc-crc}
- {default_tkt_enctypes=rijndael256-hmac-sha1 des-cbc-crc}
- {dummy=[verbose -log "DES3 TGT, default enctypes"]}
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal}
+ {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal}
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
+ {master_key_type=aes256-cts-hmac-sha1-96}
+ {dummy=[verbose -log "AES only, no DES or DES3 support"]}
}
}
# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal }
}
if ![info exists RLOGIN_FLAGS] {
- set RLOGIN_FLAGS ""
+ set RLOGIN_FLAGS "-x"
}
# We use a couple of variables to hold shell prompts which may be
puts $conffile " database_name = $tmppwd/db"
puts $conffile " admin_database_name = $tmppwd/adb"
puts $conffile " admin_database_lockfile = $tmppwd/adb.lock"
- puts $conffile " admin_keytab = $tmppwd/admin-keytab"
puts $conffile " key_stash_file = $tmppwd/stash"
puts $conffile " acl_file = $tmppwd/acl"
puts $conffile " kadmind_port = 3750"
}
-# setup_kadmind_srvtab
-# A procedure to build the srvtab for kadmind5 so that kadmin5 and it
-# may successfully communicate.
-# Returns 1 on success, 0 on failure.
-proc setup_kadmind_srvtab { } {
- global REALMNAME
- global KADMIN_LOCAL
- global KEY
- global tmppwd
-
- catch "exec rm -f $tmppwd/admin-keytab"
- envstack_push
- setup_kerberos_env kdc
- spawn $KADMIN_LOCAL -r $REALMNAME
- envstack_pop
- catch expect_after
- expect_after {
- -re "(.*)\r\nkadmin.local: " {
- fail "kadmin.local admin-keytab (unmatched output: $expect_out(1,string)"
- catch "exec rm -f $tmppwd/admin-keytab"
- catch "expect_after"
- return 0
- }
- timeout {
- fail "kadmin.local admin-keytab (timeout)"
- catch "exec rm -f $tmppwd/admin-keytab"
- catch "expect_after"
- return 0
- }
- eof {
- fail "kadmin.local admin-keytab (eof)"
- catch "exec rm -f $tmppwd/admin-keytab"
- catch "expect_after"
- return 0
- }
- }
- expect "kadmin.local: "
- send "xst -k admin-new-srvtab kadmin/admin\r"
- expect "xst -k admin-new-srvtab kadmin/admin\r\n"
- expect -re ".*Entry for principal kadmin/admin.* added to keytab WRFILE:admin-new-srvtab."
- expect "kadmin.local: "
-
- catch "exec mv -f admin-new-srvtab changepw-new-srvtab" exec_output
- if ![string match "" $exec_output] {
- verbose -log "$exec_output"
- perror "can't mv admin-new-srvtab"
- catch expect_after
- return 0
- }
-
- send "xst -k changepw-new-srvtab kadmin/changepw\r"
- expect "xst -k changepw-new-srvtab kadmin/changepw\r\n"
- expect -re ".*Entry for principal kadmin/changepw.* added to keytab WRFILE:changepw-new-srvtab."
- expect "kadmin.local: "
- send "quit\r"
- expect eof
- catch expect_after
- if ![check_exit_status "kadmin.local admin-keytab"] {
- catch "exec rm -f $tmppwd/admin-keytab"
- perror "kadmin.local admin-keytab exited abnormally"
- return 0
- }
-
- catch "exec mv -f changepw-new-srvtab $tmppwd/admin-keytab" exec_output
- if ![string match "" $exec_output] {
- verbose -log "$exec_output"
- perror "can't mv new admin-keytab"
- return 0
- }
-
- # Make the srvtab file globally readable in case we are using a
- # root shell and the srvtab is NFS mounted.
- catch "exec chmod a+r $tmppwd/admin-keytab"
-
- return 1
-}
-
# setup_kerberos_db
# Initialize the Kerberos database. If the argument is non-zero, call
# pass at relevant points. Returns 1 on success, 0 on failure.
}
}
}
- # XXX should deal with envstack inside setup_kadmind_srvtab too
- set ret [setup_kadmind_srvtab]
envstack_pop
- if !$ret {
- return 0
- }
# create the admin database lock file
catch "exec touch $tmppwd/adb.lock"
set tailf_pid [exp_pid]
set markstr "===MARK $tailf_pid [exec date] ==="
+ sleep 2
set f [open $kdc_lfile a]
puts $f $markstr
+ flush $f
close $f
expect {
-ex "$markstr\r\n" { }
-re "\[^\r\n\]*\r\n" { exp_continue }
timeout {
+ verbose -log "tail $kdc_lfile output:"
+ verbose -log [exec tail $kdc_lfile]
if {$standalone} {
verbose -log "tail -f timed out ($timeout sec) looking for mark in kdc log"
fail "krb5kdc"
expect {
-i $tailf_spawn_id
-re "commencing operation\r\n" { }
+ -re "krb5kdc: \[a-zA-Z\]* - Cannot bind server socket to \[ 0-9a-fA-F:.\]*\r\n" {
+ verbose -log "warning: $expect_out(0,string)"
+ exp_continue
+ }
+ "no sockets set up?" {
+ if {$standalone} {
+ verbose -log "krb5kdc startup failed to bind listening sockets"
+ fail "krb5kdc"
+ } else {
+ perror "krb5kdc startup failed to bind listening sockets"
+ }
+ stop_kerberos_daemons
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
+ return 0
+ }
timeout {
if {$standalone} {
verbose -log "krb5kdc startup timed out"
set tailf_pid [exp_pid]
set markstr "===MARK $tailf_pid [exec date] ==="
+ sleep 2
set f [open $kadmind_lfile a]
puts $f $markstr
close $f
expect {
-i $tailf_spawn_id
"Seeding random number" exp_continue
- "cannont initialize network" {
+ "cannot initialize network" {
if {$standalone} {
verbose -log "kadmind failed network init"
fail "kadmind"
break
}
}
- expect "Enter password:"
+ expect -re "assword\[^\r\n\]*: *"
send "adminpass$KEY\r"
expect "Enter password for principal \"$kkey@$REALMNAME\":"
send "$kkey"
break
}
}
- expect "Enter password:"
+ expect -re "assword\[^\r\n\]*: *"
send "adminpass$KEY\r"
expect {
"Principal \"$kkey@$REALMNAME\" created" { }
global REALMNAME
global KINIT
global spawn_id
+ global des3_krbtgt
# Use kinit to get a ticket.
#
}
send "$pass\r"
expect eof
- if ![check_exit_status kinit] {
- return 0
+ if {$des3_krbtgt == 0} {
+ if ![check_exit_status v4kinit] {
+ return 0
+ }
+ } else {
+ # Fail if kinit is successful with a des3 TGT.
+ set status_list [wait -i $spawn_id]
+ set testname v4kinit
+ verbose "wait -i $spawn_id returned $status_list ($testname)"
+ if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } {
+ verbose -log "exit status: $status_list"
+ fail "$testname (exit status)"
+ }
}
-
if {$standalone} {
pass "v4kinit"
}
set rlogin_pid [exp_pid]
set old_timeout $timeout
set timeout 300
+ set got_refused 0
expect {
-re {connect to address [0-9a-fA-F.:]*: Connection refused} {
note $expect_out(buffer)
+ set got_refused 1
exp_continue
}
- -re "word:|erberos rlogin failed|ection refused|ection reset by peer" {
+ -re "word:|erberos rlogin failed|ection refused|ection reset by peer|not authorized" {
note "$testname test requires ability to rlogin as root"
unsupported "$testname"
set timeout $old_timeout
stop_root_shell
return 0
}
+ "Cannot assign requested address" {
+ note "$testname: rlogin as root 'cannot assign requested address'"
+ unsupported "$testname"
+ set timeout $old_timeout
+ stop_root_shell
+ return 0
+ }
+ -re "usage: rlogin|illegal option -- x|invalid option -- x" {
+ note "$testname: rlogin doesn't like command-line flags"
+ unsupported "$testname"
+ set timeout $old_timeout
+ stop_root_shell
+ return 0
+ }
-re "$ROOT_PROMPT" { }
timeout {
perror "timeout from rlogin $hostname -l root"
return 0
}
eof {
- perror "eof from rlogin $hostname -l root"
+ if {$got_refused} {
+ # reported some errors, continued, and failed
+ note "$testname test requires ability to log in as root"
+ unsupported $testname
+ } else {
+ # unknown problem?
+# perror "eof from rlogin $hostname -l root"
+ note "eof (and unrecognized messages?) from rlogin $hostname -l root"
+ note "$testname test requires ability to log in as root"
+ unsupported $testname
+ }
stop_root_shell
set timeout $old_timeout
catch "expect_after"
# helpful sometimes for debugging the test suite
proc spawn_xterm { } {
global env
- foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST} {
+ foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST RLOGIN RLOGIND FTP FTPD KPASSWD REALMNAME} {
global $i
- set env($i) [set $i]
+ if [info exists $i] { set env($i) [set $i] }
}
exec "xterm"
}
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * kadmin.exp: Be slightly more lenient about matching password
+ prompts.
+
+2003-03-26 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp (v4ftp_test): Return early if $des3_krbtgt set.
+
+ * v4krb524d.exp (doit): Return early if $des3_krbtgt set.
+
+ * v4standalone.exp (check_and_destroy_v4_tix): Return early if
+ $des3_krbtgt set.
+
2003-01-01 Ezra Peisach <epeisach@bu.edu>
* standalone.exp: Only run the keytab to srvtab tests if kerberos 4
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*:" {
send "adminpass$KEY\r"
}
expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
expect "Principal \"$pname@$REALMNAME\" created." { set good 1 }
return 0
}
}
- expect "Enter password:"
+ expect -re "assword\[^\r\n\]*: *"
send "adminpass$KEY\r"
expect -re "\r.*Principal: $pname@$REALMNAME.*Key: .*Attributes:.*Policy: .*\r"
expect_after
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
# When in doubt, jam one of these in there.
return 0
}
}
- expect "Enter password:"
+ expect -re "assword\[^\r\n\]*: *"
send "adminpass$KEY\r"
# When in doubt, jam one of these in there.
expect "\r"
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
expect -re "\(.*@$REALMNAME\r\n\)*"
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
# expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:$tmppwd/keytab."
# return 0
# }
# }
-# expect "Enter password:" {
+# expect -re "assword\[^\r\n\]*: *" {
# send "adminpass$KEY\r"
# }
# expect "extracted entry $name to key table $instance-new-v4-srvtab"
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
expect "Principal \"$pname@$REALMNAME\" deleted." { set good 1 }
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
expect_after
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
expect_after
return 0
}
}
- expect "Enter password:" {
+ expect -re "assword\[^\r\n\]*: *" {
send "adminpass$KEY\r"
}
expect_after
return 0
}
}
- expect "Enter password:"
+ expect -re "assword\[^\r\n\]*: *"
send "adminpass$KEY\r"
# When in doubt, jam one of these in there.
expect "\r"
return 0
}
}
- expect "Enter password:"
+ expect -re "assword\[^\r\n\]*: *"
send "adminpass$KEY\r"
expect -re "\r.*Policy: $pname.*Number of old keys kept: .*Reference count: .*\r"
expect_after
global tmppwd
global ftp_save_ktname
global ftp_save_ccname
+ global des3_krbtgt
+ if {$des3_krbtgt} {
+ return
+ }
# Start up the kerberos and kadmind daemons and get a srvtab and a
# ticket file.
if {![start_kerberos_daemons 0] \
global KDESTROY
global tmppwd
global REALMNAME
+ global des3_krbtgt
+ if {$des3_krbtgt} {
+ return
+ }
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 1] {
return
proc check_and_destroy_v4_tix { client server } {
global REALMNAME
+ global des3_krbtgt
+ # Skip this if we're using a des3 TGT, since that's supposed to fail.
+ if {$des3_krbtgt} {
+ return
+ }
# Make sure that klist can see the ticket.
if ![v4klist "$client" "$server" "v4klist"] {
return
#
$(OUTPRE)kdc5_hammer.$(OBJEXT): kdc5_hammer.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
#
$(OUTPRE)kdb5_verify.$(OBJEXT): kdb5_verify.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SS_DEPS)
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SS_DEPS)
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * depfix.sed: Don't check for krb524 headers.
+
+2003-05-18 Ken Raeburn <raeburn@mit.edu>
+
+ * depgen.sed: Put print command on separate lines from
+ substitution commands, instead of using s///p form.
+
+2003-05-15 Tom Yu <tlyu@mit.edu>
+
+ * mkrel: Remote autom4te.cache files.
+
+2003-04-24 Ken Raeburn <raeburn@mit.edu>
+
+ * reconf: Restore support for 2.52; reject older versions.
+
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * reconf: Drop support for 2.52 and earlier.
+
+2003-04-10 Tom Yu <tlyu@mit.edu>
+
+ * reconf: Warn if autoconf-2.52 is used, as it generates buggy
+ configure scripts that don't work with BSD /bin/sh, and don't
+ comply with POSIX.2 (no conditions inside "case" statement).
+
2003-02-05 Tom Yu <tlyu@mit.edu>
* mkrel: Exclude .rconf files.
+2003-04-01 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (install-unix): Delete install-libs. We don't want
+ to install our in-tree libdb.
+
2003-01-10 Ken Raeburn <raeburn@mit.edu>
* configure.in: Don't explicitly invoke AC_PROG_INSTALL.
all-unix:: all-liblinks includes
clean-unix:: clean-liblinks clean-libs clean-includes
-install-unix:: install-libs
includes:: $(HDRS)
+++ /dev/null
-############################################################
-## config/pre.in
-## common prefix for all Makefile.in in the Kerberos V5 tree.
-##
-
-WHAT = unix
-SHELL=/bin/sh
-
-all:: all-$(WHAT)
-
-clean:: clean-$(WHAT)
-
-distclean:: distclean-$(WHAT)
-
-install:: install-$(WHAT)
-
-check:: check-$(WHAT)
-
-install-headers:: install-headers-$(WHAT)
-
-##############################
-# Recursion rule support
-#
-
-# The commands for the recursion targets live in config/post.in.
-#
-# General form of recursion rules:
-#
-# Each recursive target foo-unix has related targets: foo-prerecurse,
-# foo-recurse, and foo-postrecurse
-#
-# The foo-recurse rule is in post.in. It is what actually recursively
-# calls make.
-#
-# foo-recurse depends on foo-prerecurse, so any targets that must be
-# built before descending into subdirectories must be dependencies of
-# foo-prerecurse.
-#
-# foo-postrecurse depends on foo-recurse, but targets that must be
-# built after descending into subdirectories should be have
-# foo-recurse as dependencies in addition to being listed under
-# foo-postrecurse, to avoid ordering issues.
-#
-# The foo-prerecurse, foo-recurse, and foo-postrecurse rules are all
-# single-colon rules, to avoid nasty ordering problems with
-# double-colon rules.
-#
-# e.g.
-# all:: includes foo
-# foo:
-# echo foo
-# includes::
-# echo bar
-# includes::
-# echo baz
-#
-# will result in "bar", "foo", "baz" on AIX, and possibly others.
-all-unix:: all-postrecurse
-all-postrecurse: all-recurse
-all-recurse: all-prerecurse
-
-all-prerecurse:
-all-postrecurse:
-
-clean-unix:: clean-postrecurse
-clean-postrecurse: clean-recurse
-clean-recurse: clean-prerecurse
-
-clean-prerecurse:
-clean-postrecurse:
-
-distclean-unix: distclean-postrecurse
-distclean-postrecurse: distclean-recurse
-distclean-recurse: distclean-prerecurse
-
-distclean-prerecurse:
-distclean-postrecurse:
-
-install-unix:: install-postrecurse
-install-postrecurse: install-recurse
-install-recurse: install-prerecurse
-
-install-prerecurse:
-install-postrecurse:
-
-install-headers-unix:: install-headers-postrecurse
-install-headers-postrecurse: install-headers-recurse
-install-headers-recurse: install-headers-prerecurse
-
-install-headers-prerecurse:
-install-headers-postrecurse:
-
-check-unix:: check-postrecurse
-check-postrecurse: check-recurse
-check-recurse: check-prerecurse
-
-check-prerecurse:
-check-postrecurse:
-
-Makefiles: Makefiles-postrecurse
-Makefiles-postrecurse: Makefiles-recurse
-Makefiles-recurse: Makefiles-prerecurse
-
-Makefiles-prerecurse:
-Makefiles-postrecurse:
-
-#
-# end recursion rule support
-##############################
-
-# Directory syntax:
-#
-# begin relative path
-REL=
-# this is magic... should only be used for preceding a program invocation
-C=./
-# "/" for UNIX, "\" for Windows; *sigh*
-S=/
-
-SUBDIRS = $(LOCAL_SUBDIRS)
-srcdir = .
-SRCTOP = ./$(BUILDTOP)
-
-CONFIG_RELTOPDIR = ../..
-
-ALL_CFLAGS = $(DEFS) $(DEFINES) $(LOCALINCLUDES) $(CPPFLAGS) $(CFLAGS)
-CFLAGS = -g
-CPPFLAGS = -I$(BUILDTOP)/include -I$(SRCTOP)/include -I$(BUILDTOP)/include/krb5 -I$(SRCTOP)/include/krb5 -I/usr/athena/include -DKRB5_KRB4_COMPAT -DKRB5_PRIVATE=1
-DEFS = -DHAVE_CONFIG_H
-CC = /usr/gcc/bin/gcc
-LD = $(PURE) /usr/gcc/bin/gcc
-DEPLIBS = @DEPLIBS@
-LDFLAGS = -L/usr/athena/lib
-LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
-LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
-LDARGS = @LDARGS@
-LIBS = -lsocket -lnsl -lresolv
-SRVLIBS = @SRVLIBS@
-SRVDEPLIBS = @SRVDEPLIBS@
-CLNTLIBS = @CLNTLIBS@
-CLNTDEPLIBS = @CLNTDEPLIBS@
-
-INSTALL=/usr/athena/bin/install -c
-INSTALL_STRIP=
-INSTALL_PROGRAM=${INSTALL} $(INSTALL_STRIP)
-INSTALL_DATA=${INSTALL} -m 644
-INSTALL_SHLIB=$(INSTALL_DATA)
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
-## This is needed because autoconf will sometimes define ${prefix} to be
-## ${prefix}.
-prefix=/usr/local
-INSTALL_PREFIX=$(prefix)
-INSTALL_EXEC_PREFIX=${prefix}
-exec_prefix=${prefix}
-SHLIB_TAIL_COMP=@SHLIB_TAIL_COMP@
-
-KRB5MANROOT = ${prefix}/man
-ADMIN_BINDIR = ${exec_prefix}/sbin
-SERVER_BINDIR = ${exec_prefix}/sbin
-CLIENT_BINDIR =${exec_prefix}/bin
-ADMIN_MANDIR = $(KRB5MANROOT)/man8
-SERVER_MANDIR = $(KRB5MANROOT)/man8
-CLIENT_MANDIR = $(KRB5MANROOT)/man1
-FILE_MANDIR = $(KRB5MANROOT)/man5
-KRB5_LIBDIR = ${exec_prefix}/lib
-KRB5_SHLIBDIR = ${exec_prefix}/lib$(SHLIB_TAIL_COMP)
-KRB5_INCDIR = ${prefix}/include
-KRB5_INCSUBDIRS = \
- $(KRB5_INCDIR)/gssapi \
- $(KRB5_INCDIR)/kerberosIV
-
-#
-# Macros used by the KADM5 (OV-based) unit test system.
-# XXX check which of these are actually used!
-#
-TESTDIR = $(BUILDTOP)/kadmin/testing
-STESTDIR = $(SRCTOP)/kadmin/testing
-COMPARE_DUMP = $(TESTDIR)/scripts/compare_dump.pl
-FIX_CONF_FILES = $(TESTDIR)/scripts/fixup-conf-files.pl
-INITDB = $(STESTDIR)/scripts/init_db
-MAKE_KEYTAB = $(TESTDIR)/scripts/make-host-keytab.pl
-LOCAL_MAKE_KEYTAB= $(TESTDIR)/scripts/make-host-keytab.pl
-RESTORE_FILES = $(STESTDIR)/scripts/restore_files.sh
-SAVE_FILES = $(STESTDIR)/scripts/save_files.sh
-ENV_SETUP = $(TESTDIR)/scripts/env-setup.sh
-CLNTTCL = $(TESTDIR)/util/ovsec_kadm_clnt_tcl
-SRVTCL = $(TESTDIR)/util/ovsec_kadm_srv_tcl
-# Dejagnu variables.
-# We have to set the host with --host so that setup_xfail will work.
-# If we don't set it, then the host type used is "native", which
-# doesn't match "*-*-*".
-host=sparc-sun-solaris2.8
-DEJAFLAGS = $(DEJALFLAGS) $(CLFLAGS) --debug --srcdir $(srcdir) --host \
- $(host)
-RUNTEST = runtest $(DEJAFLAGS)
-
-START_SERVERS = $(STESTDIR)/scripts/start_servers $(TEST_SERVER) $(TEST_PATH)
-START_SERVERS_LOCAL = $(STESTDIR)/scripts/start_servers_local
-
-STOP_SERVERS = $(STESTDIR)/scripts/stop_servers $(TEST_SERVER) $(TEST_PATH)
-STOP_SERVERS_LOCAL = $(STESTDIR)/scripts/stop_servers_local
-#
-# End of macros for the KADM5 unit test system.
-#
-
-transform = s,x,x,
-
-RM = rm -f
-CP = cp
-MV = mv -f
-CHMOD=chmod
-RANLIB = ranlib
-ARCHIVE = @ARCHIVE@
-ARADD = @ARADD@
-LN = ln -s
-AWK = @AWK@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-YACC = @YACC@
-AUTOCONF = autoconf
-AUTOCONFFLAGS =
-AUTOCONFINCFLAGS = --localdir
-AUTOHEADER = autoheader
-AUTOHEADERFLAGS =
-
-HOST_TYPE = @HOST_TYPE@
-SHEXT = @SHEXT@
-STEXT=@STEXT@
-VEXT=@VEXT@
-DO_MAKE_SHLIB = @DO_MAKE_SHLIB@
-SHLIB_STATIC_TARGET=@SHLIB_STATIC_TARGET@
-
-TOPLIBD = $(BUILDTOP)/lib
-
-OBJEXT = o
-LIBEXT = a
-EXEEXT =
-
-#
-# variables for libraries, for use in linking programs
-# -- this may want to get broken out into a separate frag later
-#
-#
-# Note: the following variables must be set in any Makefile.in that
-# uses KRB5_BUILD_PROGRAM
-#
-# PROG_LIBPATH list of dirs, in -Ldir form, to search for libraries at link
-# PROG_RPATH list of dirs, in dir1:dir2 form, for rpath purposes
-#
-# invocation is like:
-# prog: foo.o bar.o $(KRB5_BASE_DEPLIBS)
-# $(CC_LINK) -o $@ foo.o bar.o $(KRB5_BASE_LIBS)
-
-
-CC_LINK=$(PURE) $(CC) $(PROG_LIBPATH) $(LDFLAGS)
-
-# prefix (with no spaces after) for rpath flag to cc
-RPATH_FLAG=-R
-
-# this gets set by configure to either $(STLIBEXT) or $(SHLIBEXT),
-# depending on whether we're building with shared libraries.
-DEPLIBEXT=.a
-
-KADMCLNT_DEPLIB = $(TOPLIBD)/libkadm5clnt$(DEPLIBEXT)
-KADMSRV_DEPLIB = $(TOPLIBD)/libkadm5srv$(DEPLIBEXT)
-KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT)
-DB_DEPLIB = $(DB_DEPLIB-k5)
-DB_DEPLIB-k5 = $(TOPLIBD)/libdb$(DEPLIBEXT)
-DB_DEPLIB-sys =
-GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT)
-GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT)
-KRB4_DEPLIB = $(TOPLIBD)/libkrb4$(DEPLIBEXT) # $(TOPLIBD)/libkrb4$(DEPLIBEXT)
-DES425_DEPLIB = $(TOPLIBD)/libdes425$(DEPLIBEXT) # $(TOPLIBD)/libdes425$(DEPLIBEXT)
-KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT)
-CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT)
-COM_ERR_DEPLIB = $(COM_ERR_DEPLIB-k5)
-COM_ERR_DEPLIB-sys = # empty
-COM_ERR_DEPLIB-k5 = $(TOPLIBD)/libcom_err$(DEPLIBEXT)
-
-# These are forced to use ".a" as an extension because they're never
-# built shared.
-SS_DEPLIB = $(SS_DEPLIB-k5)
-SS_DEPLIB-k5 = $(TOPLIBD)/libss.a
-SS_DEPLIB-sys =
-KRB524_DEPLIB = $(BUILDTOP)/krb524/libkrb524.a
-PTY_DEPLIB = $(TOPLIBD)/libpty.a
-
-KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB)
-KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS)
-KDB5_DEPLIBS = $(KDB5_DEPLIB) $(DB_DEPLIB)
-GSS_DEPLIBS = $(GSS_DEPLIB)
-GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS)
-KADM_COMM_DEPLIBS = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS)
-KADMSRV_DEPLIBS = $(KADMSRV_DEPLIB) $(KDB5_DEPLIBS) $(KADM_COMM_DEPLIBS)
-KADMCLNT_DEPLIBS = $(KADMCLNT_DEPLIB) $(KADM_COMM_DEPLIBS)
-
-# Header file dependencies we might override.
-# See util/depfix.sed.
-# Also see depend-verify-* in post.in, which wants to confirm that we're using
-# the in-tree versions.
-COM_ERR_VERSION = k5
-COM_ERR_DEPS = $(COM_ERR_DEPS-k5)
-COM_ERR_DEPS-sys =
-COM_ERR_DEPS-k5 = $(BUILDTOP)/include/com_err.h
-SS_VERSION = k5
-SS_DEPS = $(SS_DEPS-k5)
-SS_DEPS-sys =
-SS_DEPS-k5 = $(BUILDTOP)/include/ss/ss.h $(BUILDTOP)/include/ss/ss_err.h
-DB_VERSION = k5
-DB_DEPS = $(DB_DEPS-k5)
-DB_DEPS-sys =
-DB_DEPS-k5 = $(BUILDTOP)/include/db.h $(BUILDTOP)/include/db-config.h
-DB_DEPS-redirect = $(BUILDTOP)/include/db.h
-
-# Header file dependencies that might depend on whether krb4 support
-# is compiled.
-
-KRB_ERR_H_DEP = $(BUILDTOP)/include/kerberosIV/krb_err.h
-KRB524_H_DEP = $(BUILDTOP)/include/krb524.h
-KRB524_ERR_H_DEP= $(BUILDTOP)/include/krb524_err.h
-
-# LIBS gets substituted in... e.g. -lnsl -lsocket
-
-# GEN_LIB is -lgen if needed for regexp
-GEN_LIB =
-
-SS_LIB = $(SS_LIB-k5)
-SS_LIB-sys =
-SS_LIB-k5 = $(TOPLIBD)/libss.a
-KDB5_LIB = -lkdb5
-DB_LIB = -ldb
-
-KRB5_LIB = -lkrb5
-K5CRYPTO_LIB = -lk5crypto
-COM_ERR_LIB = -lcom_err
-GSS_KRB5_LIB = -lgssapi_krb5
-
-# KRB4_LIB is -lkrb4 if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-KRB4_LIB = -lkrb4
-
-# DES425_LIB is -ldes425 if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-DES425_LIB = -ldes425
-
-# KRB524_LIB is $(BUILDTOP)/krb524/libkrb524.a if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-KRB524_LIB = $(BUILDTOP)/krb524/libkrb524.a
-
-# HESIOD_LIBS is -lhesiod...
-HESIOD_LIBS =
-
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS)
-KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
-KDB5_LIBS = $(KDB5_LIB) $(DB_LIB)
-GSS_LIBS = $(GSS_KRB5_LIB)
-# needs fixing if ever used on Mac OS X!
-GSSRPC_LIBS = -lgssrpc $(GSS_LIBS)
-KADM_COMM_LIBS = $(GSSRPC_LIBS)
-# need fixing if ever used on Mac OS X!
-KADMSRV_LIBS = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS)
-KADMCLNT_LIBS = -lkadm5clnt $(KADM_COMM_LIBS)
-
-# need fixing if ever used on Mac OS X!
-PTY_LIB = -lpty
-
-#
-# some more stuff for --with-krb4
-KRB4_LIBPATH =
-KRB4_INCLUDES = -I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV
-
-#
-# variables for --with-tcl=
-TCL_LIBS = @TCL_LIBS@
-TCL_LIBPATH = @TCL_LIBPATH@
-TCL_RPATH = @TCL_RPATH@
-TCL_MAYBE_RPATH = @TCL_MAYBE_RPATH@
-TCL_INCLUDES = @TCL_INCLUDES@
-
-# error table rules
-#
-### /* these are invoked as $(...) foo.et, which works, but could be better */
-COMPILE_ET= $(COMPILE_ET-k5)
-COMPILE_ET-sys= compile_et
-COMPILE_ET-k5= $(BUILDTOP)/util/et/compile_et -d $(SRCTOP)/util/et
-
-.SUFFIXES: .h .c .et .ct
-
-# These versions cause both .c and .h files to be generated at once.
-# But GNU make doesn't understand this, and parallel builds can trigger
-# both of them at once, causing them to stomp on each other. The versions
-# below only update one of the files, so compile_et has to get run twice,
-# but it won't break parallel builds.
-#.et.h: ; $(COMPILE_ET) $<
-#.et.c: ; $(COMPILE_ET) $<
-
-.et.h:
- d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.h $*.h) ; \
- e=$$? ; rm -f $$d.* ; exit $$e
-
-.et.c:
- d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.c $*.c) ; \
- e=$$? ; rm -f $$d.* ; exit $$e
-
-# rule to make object files
-#
-.SUFFIXES: .c .o
-.c.o:
- $(CC) $(ALL_CFLAGS) -c $<
-
-# ss command table rules
-#
-MAKE_COMMANDS= $(MAKE_COMMANDS-k5)
-MAKE_COMMANDS-sys= mk_cmds
-MAKE_COMMANDS-k5= $(BUILDTOP)/util/ss/mk_cmds
-
-.ct.c:
- $(MAKE_COMMANDS) $<
-
-##
-## end of pre.in
-############################################################
-thisconfigdir=./..
-myfulldir=util/db2/test
-mydir=test
-BUILDTOP=$(REL)..$(S)..$(S)..
-
-FCTSH = /usr/bin/sh
-TMPDIR=.
-
-LOCALINCLUDES= -I. -I$(srcdir)/../include -I../include -I$(srcdir)/../mpool \
- -I$(srcdir)/../btree -I$(srcdir)/../hash -I$(srcdir)/../db
-
-PROG_LIBPATH=-L$(TOPLIBD)
-PROG_RPATH=$(KRB5_LIBDIR)
-
-KRB5_RUN_ENV=
-
-all::
-
-dbtest: dbtest.o $(DB_DEPLIB)
- $(CC_LINK) -o $@ dbtest.o $(STRERROR_OBJ) $(DB_LIB)
-
-check:: dbtest
- $(KRB5_RUN_ENV) srcdir=$(srcdir) TMPDIR=$(TMPDIR) $(FCTSH) $(srcdir)/run.test
-
-bttest.o: $(srcdir)/btree.tests/main.c
- $(CC) $(ALL_CFLAGS) -c $(srcdir)/btree.tests/main.c -o $@
-
-bttest: bttest.o $(DB_DEPLIB)
- $(CC_LINK) -o $@ bttest.o $(STRERROR_OBJ) $(DB_LIB)
-
-clean-unix::
- $(RM) dbtest.o dbtest __dbtest
- $(RM) bttest.o bttest
-############################################################
-## config/post.in
-##
-
-# in case there is no default target (very unlikely)
-all::
-
-check-windows::
-
-##############################
-# dependency generation
-#
-
-depend:: depend-postrecurse
-depend-postrecurse: depend-recurse
-depend-recurse: depend-prerecurse
-
-depend-prerecurse:
-depend-postrecurse:
-
-depend-postrecurse: depend-update-makefile
-
-ALL_DEP_SRCS= $(SRCS) $(EXTRADEPSRCS)
-
-# be sure to check ALL_DEP_SRCS against *what it would be if SRCS and
-# EXTRADEPSRCS are both empty*
-.depend-verify-srcdir:
- @if test "$(srcdir)" = "." ; then \
- echo 1>&2 error: cannot build dependencies with srcdir=. ; \
- echo 1>&2 "(can't distinguish generated files from source files)" ; \
- exit 1 ; \
- else \
- if test -r .depend-verify-srcdir; then :; \
- else (set -x; touch .depend-verify-srcdir); fi \
- fi
-.depend-verify-et: depend-verify-et-$(COM_ERR_VERSION)
-depend-verify-et-k5:
- @if test -r .depend-verify-et; then :; \
- else (set -x; touch .depend-verify-et); fi
-depend-verify-et-sys:
- @echo 1>&2 error: cannot build dependencies using system et package
- @exit 1
-.depend-verify-ss: depend-verify-ss-$(SS_VERSION)
-depend-verify-ss-k5:
- @if test -r .depend-verify-ss; then :; \
- else (set -x; touch .depend-verify-ss); fi
-depend-verify-ss-sys:
- @echo 1>&2 error: cannot build dependencies using system ss package
- @exit 1
-.depend-verify-db: depend-verify-db-$(DB_VERSION)
-depend-verify-db-k5:
- @if test -r .depend-verify-db; then :; \
- else (set -x; touch .depend-verify-db); fi
-depend-verify-db-sys:
- @echo 1>&2 error: cannot build dependencies using system db package
- @exit 1
-.depend-verify-gcc: depend-verify-gcc-yes
-depend-verify-gcc-yes:
- @if test -r .depend-verify-gcc; then :; \
- else (set -x; touch .depend-verify-gcc); fi
-depend-verify-gcc-no:
- @echo 1>&2 error: The '"depend"' rules are written for gcc.
- @echo 1>&2 Please use gcc, or update the rules to handle your compiler.
- @exit 1
-
-DEP_CFG_VERIFY = .depend-verify-srcdir \
- .depend-verify-et .depend-verify-ss .depend-verify-db
-DEP_VERIFY = $(DEP_CFG_VERIFY) .depend-verify-gcc
-
-.d: $(ALL_DEP_SRCS) $(DEP_CFG_VERIFY) depend-dependencies
- if test "$(ALL_DEP_SRCS)" != " " ; then \
- $(RM) .dtmp && $(MAKE) .dtmp && mv -f .dtmp .d ; \
- else \
- touch .d ; \
- fi
-
-# These are dependencies of the depend target that do not get fed to
-# the compiler. Examples include generated header files.
-depend-dependencies:
-
-# .dtmp must *always* be out of date so that $? can be used to perform
-# VPATH searches on the sources.
-#
-# NOTE: This will fail when using Make programs whose VPATH support is
-# broken.
-.dtmp: $(ALL_DEP_SRCS)
- $(CC) -M $(ALL_CFLAGS) $? > .dtmp
-
-# Generate a script for dropping in the appropriate make variables, using
-# directory-specific parameters. General substitutions independent of local
-# make variables happen in depfix.sed.
-.depfix2.sed: .depend-verify-gcc Makefile $(SRCTOP)/util/depgen.sed
- x=`$(CC) -print-libgcc-file-name` ; \
- echo '$(SRCTOP)' '$(myfulldir)' '$(srcdir)' '$(BUILDTOP)' "$$x" | sed -f $(SRCTOP)/util/depgen.sed > .depfix2.tmp
- mv -f .depfix2.tmp .depfix2.sed
-
-DEPLIBOBJNAMEFIX = sed -e 's;^\$$(OUTPRE)\([a-zA-Z0-9_\-]*\)\.\$$(OBJEXT):;\1.so \1.po &;'
-
-# NOTE: This will also generate spurious $(OUTPRE) and $(OBJEXT)
-# references in rules for non-library objects in a directory where
-# library objects happen to be built. It's mostly harmless.
-.depend: .d .depfix2.sed $(SRCTOP)/util/depfix.sed
- sed -f .depfix2.sed < .d | sed -f $(SRCTOP)/util/depfix.sed | \
- (if test "x$(STLIBOBJS)" != "x"; then $(DEPLIBOBJNAMEFIX) ; else cat; fi ) \
- > .depend
-
-depend-update-makefile: .depend depend-recurse
- if test -n "$(SRCS)" ; then \
- sed -e '/^# +++ Dependency line eater +++/,$$d' \
- < $(srcdir)/Makefile.in | cat - .depend \
- > $(srcdir)/Makefile.in.new; \
- $(SRCTOP)/config/move-if-changed $(srcdir)/Makefile.in.new $(srcdir)/Makefile.in ; \
- else :; fi
-
-DEPTARGETS = .depend .d .dtmp .depfix2.sed .depfix2.tmp $(DEP_VERIFY)
-
-#
-# end dependency generation
-##############################
-
-clean:: clean-$(WHAT)
-
-clean-unix::
- $(RM) $(OBJS) $(DEPTARGETS)
-
-clean-windows::
- $(RM) *.$(OBJEXT)
- $(RM) msvc.pdb *.err
-
-distclean:: distclean-$(WHAT)
-
-distclean-normal-clean:
- $(MAKE) NORECURSE=true clean
-distclean-prerecurse: distclean-normal-clean
-distclean-nuke-configure-state:
- $(RM) config.log config.cache config.status Makefile
-distclean-postrecurse: distclean-nuke-configure-state
-
-Makefiles-prerecurse: Makefile
-
-# thisconfigdir = relative path from this Makefile to config.status
-# mydir = relative path from config.status to this Makefile
-Makefile: $(srcdir)/Makefile.in $(thisconfigdir)/config.status \
- $(SRCTOP)/config/pre.in $(SRCTOP)/config/post.in
- cd $(thisconfigdir) && $(SHELL) config.status $(mydir)/Makefile
-$(thisconfigdir)/config.status: $(srcdir)/$(thisconfigdir)/configure
- cd $(thisconfigdir) && $(SHELL) config.status --recheck
-$(srcdir)/$(thisconfigdir)/configure: $(srcdir)/$(thisconfigdir)/configure.in \
- $(SRCTOP)/aclocal.m4
- -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache
- cd $(srcdir)/$(thisconfigdir) && \
- $(AUTOCONF) ${AUTOCONFINCFLAGS}=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS)
- -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache
-
-RECURSE_TARGETS=all-recurse clean-recurse distclean-recurse install-recurse \
- check-recurse depend-recurse Makefiles-recurse install-headers-recurse
-
-# MY_SUBDIRS overrides any setting of SUBDIRS generated by the
-# configure script that generated this Makefile. This is needed when
-# the configure script that produced this Makefile creates multiple
-# Makefiles in different directories; the setting of SUBDIRS will be
-# the same in each.
-#
-# LOCAL_SUBDIRS seems to account for the case where the configure
-# script doesn't call any other subsidiary configure scripts, but
-# generates multiple Makefiles.
-$(RECURSE_TARGETS):
- @case "`echo 'x$(MFLAGS)'|sed -e 's/^x//' -e 's/ --.*$$//'`" \
- in *[ik]*) e="status=1" ;; *) e="exit 1";; esac; \
- if test -z "$(MY_SUBDIRS)" ; then \
- do_subdirs="$(SUBDIRS)" ; \
- else \
- do_subdirs="$(MY_SUBDIRS)" ; \
- fi; \
- status=0; \
- if test -n "$$do_subdirs" && test -z "$(NORECURSE)"; then \
- for i in $$do_subdirs ; do \
- if test -d $$i && test -r $$i/Makefile ; then \
- case $$i in .);; *) \
- target=`echo $@|sed s/-recurse//`; \
- echo "making $$target in $(CURRENT_DIR)$$i..."; \
- if (cd $$i ; $(MAKE) \
- CURRENT_DIR=$(CURRENT_DIR)$$i/ $$target) then :; \
- else eval $$e; fi; \
- ;; \
- esac; \
- else \
- echo "Skipping missing directory $(CURRENT_DIR)$$i" ; \
- fi; \
- done; \
- else :; \
- fi;\
- exit $$status
-
-##
-## end of post.in
-############################################################
# Some krb4 dependencies should only be present if building with krb4 enabled
s;\$(BUILDTOP)/include/kerberosIV/krb_err.h ;$(KRB_ERR_H_DEP) ;g
-s;\$(BUILDTOP)/include/krb524.h ;$(KRB524_H_DEP) ;g
-s;\$(BUILDTOP)/include/krb524_err.h ;$(KRB524_ERR_H_DEP) ;g
# now delete trailing whitespace
s; *$;;g
+2003-06-12 Alexandra Ellwood <lxs@mit.edu>
+ * error_table.h, et_c.awk, et_c.pl, et_h.awk, et_c.awk: Removed Mac
+ OS support because it prevents darwin builds from getting com error
+ strings via the initialize_*_error_table function
+
+2003-04-29 Ken Raeburn <raeburn@mit.edu>
+
+ * test_et.c [HAVE_SYS_ERRLIST]: Do declare sys_nerr.
+
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * compile_et.c: Don't declare malloc or errno. Include stdlib.h
+ and errno.h.
+ * test_et.c: Don't declare errno or sys_nerr.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* com_err.c, com_err.h, error_message.c, et_c.awk, et_h.awk:
Removed Mac OS 9-specific code.
#include <sys/file.h>
#include <string.h>
#include <sys/param.h>
+#include <stdlib.h>
+#include <errno.h>
#include "mit-sipb-copyright.h"
#include "compiler.h"
char *table_name = (char *)NULL;
FILE *hfile, *cfile;
-/* C library */
-extern char *malloc();
-extern int errno;
-
/* lex stuff */
extern FILE *yyin;
extern int yylineno;
#include <errno.h>
-#if defined(macintosh)
-#define ET_EBUFSIZ 256
-#else
#define ET_EBUFSIZ 64
-#endif
struct et_list {
/*@dependent@*//*@null@*/ struct et_list *next;
/*@dependent@*//*@null@*/ const struct error_table *table;
};
-#if !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))
+#if !defined(_WIN32)
/*@null@*//*@dependent@*/ extern struct et_list * _et_list;
#endif
print "# include \"win-mac.h\"" > outfile
print "#endif" > outfile
print "" > outfile
- print "#if !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))" > outfile
+ print "#if !defined(_WIN32)" > outfile
print "extern void initialize_" table_name "_error_table (void);" > outfile
print "#endif" > outfile
print "" > outfile
tab_base_low, table_item_count) > outfile
}
print "" > outfile
- print "#if !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))" > outfile
+ print "#if !defined(_WIN32)" > outfile
print "void initialize_" table_name "_error_table (void)" > outfile
print " /*@modifies internalState@*/" > outfile
print "{" > outfile
&Pick('>', $outfile) &&
(print $fh
- '#if !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))');
+ '#if !defined(_WIN32)');
&Pick('>', $outfile) &&
(print $fh 'extern void initialize_' . $table_name .
(print $fh '};');
&Pick('>', $outfile) &&
(print $fh '');
-&Pick('>', $outfile) &&
- (print $fh
-
- '#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))');
-&Pick('>', $outfile) &&
- (print $fh '#include <KerberosComErr/KerberosComErr.h>');
-&Pick('>', $outfile) &&
- (print $fh '#else');
&Pick('>', $outfile) &&
(print $fh '#include <com_err.h>');
-&Pick('>', $outfile) &&
- (print $fh '#endif');
&Pick('>', $outfile) &&
(print $fh '');
if ($tab_base_high == 0) {
&Pick('>', $outfile) &&
(print $fh
- '#if !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))');
+ '#if !defined(_WIN32)');
&Pick('>', $outfile) &&
(print $fh 'void initialize_' . $table_name . '_error_table (void)');
&Pick('>', $outfile) &&
print "" > outfile
print "extern const struct error_table et_" table_name "_error_table;" > outfile
print "" > outfile
- print "#if !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))" > outfile
+ print "#if !defined(_WIN32)" > outfile
print "/* for compatibility with older versions... */" > outfile
print "extern void initialize_" table_name "_error_table () /*@modifies internalState@*/;" > outfile
print "#else" > outfile
(print $fh ' */');
&Pick('>', $outfile) &&
(print $fh '');
- &Pick('>', $outfile) &&
- (print $fh
-
- '#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))');
- &Pick('>', $outfile) &&
- (print $fh '#include <KerberosComErr/KerberosComErr.h>');
- &Pick('>', $outfile) &&
- (print $fh '#else');
&Pick('>', $outfile) &&
(print $fh '#include <com_err.h>');
- &Pick('>', $outfile) &&
- (print $fh '#endif');
&Pick('>', $outfile) &&
(print $fh '');
}
&Pick('>', $outfile) &&
(print $fh
- '#if !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))');
+ '#if !defined(_WIN32)');
&Pick('>', $outfile) &&
(print $fh '/* for compatibility with older versions... */');
&Pick('>', $outfile) &&
#include "test1.h"
#include "test2.h"
-extern int sys_nerr, errno;
-
/* XXX Not part of official public API. */
extern const char *error_table_name (errcode_t);
+#ifdef HAVE_SYS_ERRLIST
+extern int sys_nerr;
+#endif
+
int main()
{
printf("Before initiating error table:\n\n");
find $reldir \( -name TODO -o -name todo -o -name .cvsignore \
-o -name BADSYMS -o -name .Sanitize -o -name .rconf \) -print \
| xargs rm -f
+find $reldir -type d -name autom4te.cache -exec rm -rf {} \;
if test $dodoc = t; then
echo "Building doc..."
+2003-07-03 Alexandra Ellwood <lxs@mit.edu>
+
+ * profile.hin: Remove leading spaces in #define and #include
+ in public headers to support K&R C compilers
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* profile.hin, prof_file.c (profile_flush_file_data): Stop copying
the resource fork. We stopped writing resources to the krb5
# the Makefile.in file
#
prof_tree.so prof_tree.po $(OUTPRE)prof_tree.$(OBJEXT): prof_tree.c prof_int.h \
- $(COM_ERR_DEPS) profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
prof_file.so prof_file.po $(OUTPRE)prof_file.$(OBJEXT): prof_file.c prof_int.h \
- $(COM_ERR_DEPS) profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
prof_parse.so prof_parse.po $(OUTPRE)prof_parse.$(OBJEXT): prof_parse.c prof_int.h \
- $(COM_ERR_DEPS) profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
prof_get.so prof_get.po $(OUTPRE)prof_get.$(OBJEXT): prof_get.c prof_int.h \
- $(COM_ERR_DEPS) profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
prof_set.so prof_set.po $(OUTPRE)prof_set.$(OBJEXT): prof_set.c prof_int.h \
- $(COM_ERR_DEPS) profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
prof_err.so prof_err.po $(OUTPRE)prof_err.$(OBJEXT): prof_err.c $(COM_ERR_DEPS)
prof_init.so prof_init.po $(OUTPRE)prof_init.$(OBJEXT): prof_init.c prof_int.h \
- $(COM_ERR_DEPS) profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
test_parse.so test_parse.po $(OUTPRE)test_parse.$(OBJEXT): test_parse.c prof_int.h \
- $(COM_ERR_DEPS) profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
test_profile.so test_profile.po $(OUTPRE)test_profile.$(OBJEXT): test_profile.c prof_int.h \
- $(COM_ERR_DEPS) profile.h argv_parse.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h argv_parse.h
#endif
#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
- #include <TargetConditionals.h>
- #if TARGET_RT_MAC_CFM
- #error "Use KfM 4.0 SDK headers for CFM compilation."
- #endif
-#endif
-#if TARGET_OS_MAC
- #if defined(__MWERKS__)
- #pragma import on
- #pragma enumsalwaysint on
- #endif
- #pragma options align=mac68k
+# include <TargetConditionals.h>
+# if TARGET_RT_MAC_CFM
+# error "Use KfM 4.0 SDK headers for CFM compilation."
+# endif
#endif
#ifndef KRB5_CALLCONV
extern "C" {
#endif /* __cplusplus */
+#if TARGET_OS_MAC
+# if defined(__MWERKS__)
+# pragma import on
+# endif
+#endif
+
typedef char* profile_filespec_t; /* path as C string */
typedef char* profile_filespec_list_t; /* list of : separated paths, C string */
typedef const char * const_profile_filespec_t; /* path as C string */
const char *new_value);
#if TARGET_OS_MAC
- #if defined(__MWERKS__)
- #pragma enumsalwaysint reset
- #pragma import reset
- #endif
- #pragma options align=reset
+# if defined(__MWERKS__)
+# pragma import reset
+# endif
#endif
#ifdef __cplusplus
esac
done
-# Currently (2000-10-03) we need 2.13 or later.
-# The pattern also recognizes 2.40 and up.
-patb="2.(1[3-9])|([4-9][0-9])"
+# Currently (2003-04-24) we need 2.52 or later.
+patb="2.(1[0-9][0-9])|(5[2-9])|([6-9][0-9])"
# sedcmd1 recognizes the older 2.12 version, and sedcmd2 the newer 2.49
sedcmd1="s,.*version \(.*\)$,\1,"
autoreconfoptions=
autoconfversion=`autoconf --version | sed -e "$sedcmd1" -e "$sedcmd2"`
echo "Using autoconf version $autoconfversion found in your path..."
- # Determine if localdir needs to be relative or absolute
- case "$autoconfversion" in
- 2.1*)
- localdir=.
- ;;
- *)
- localdir=`pwd`
- ;;
- esac
+ localdir=`pwd`
# Determine if we need to patch autoreconf for 2.53
case "$autoconfversion" in
+ 2.52)
+ echo "WARNING: autoconf 2.52 is known to generate buggy configure scripts!"
+ ;;
2.53)
echo "Patching autoreconf"
# Walk the path to find autoreconf
;;
esac
else
- echo "Couldn't find autoconf 2.13 or higher in your path."
+ echo "Couldn't find autoconf 2.52 or higher in your path."
echo " "
echo "Please install or add to your path and re-run ./util/reconf"
exit 1
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * ss.h: Don't declare errno. Include errno.h.
+
2003-02-05 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (std_rqs.c): Depend on ct_c.sed and ct_c.awk.
#ifndef _ss_h
#define _ss_h __FILE__
+#include <errno.h>
#include <ss/ss_err.h>
-extern int errno;
-
#ifdef __STDC__
#define __SS_CONST const
#define __SS_PROTO (int, const char * const *, int, void *)
+2003-07-30 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3.1 final.
+
+2003-07-22 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3.1-beta1.
+
+ * README: Revert previous change, as it was in error; socklen_t
+ was introduced in Aug 2001 Platform SDK, and the actual problem
+ reported was very probably a compilation environment
+ misconfiguration.
+
+2003-07-18 Tom Yu <tlyu@mit.edu>
+
+ * README: Note requirement for Feb 2003 Platform SDK. Thanks to
+ Doug Engert and Rodney Dyer.
+
+2003-07-08 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3 final.
+
+2003-06-27 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-beta5.
+
+2003-06-16 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-beta4.
+
+2003-06-09 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-beta3.
+
+2003-05-27 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-beta2.
+
+2003-05-14 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-beta1.
+
+2003-04-29 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-alpha3.
+
+2003-04-11 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-alpha2.
+
+2003-03-14 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: krb5-1.3-alpha1.
+
2002-04-10 Danilo Almeida <dalmeida@mit.edu>
* Makefile.in: Build ms2mit.
+2003-07-16 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c:
+
+ Functional changes:
+ (1) do not restrict ourselves to DES-CBC-CRC instead support any
+ ticket with an enctype we support. as of this date (rev 1.3)
+ this includes all but RC4-MD4.
+ (2) do not accept invalid tickets
+ (3) when attempting to retrieve tickets do not specify either the
+ enctype or cache options (if possible). doing so will force a
+ TGS request and prevent the results from being stored into the
+ cache.
+ (4) when the LSA cache contains a TGT which has expired Microsoft will
+ not perform a new TGS request until the cache has been purged.
+ Instead the expired ticket continues to be used along with its
+ embedded authorization data. When PURGE_ENABLED is defined, if the
+ tickets are expired, the cache will be purged before requesting
+ new tickets, else we ignore the contents of the cache and force
+ a new TGS request.
+ (5) when the LSA cache is empty do not abort. On XP or 2003, use
+ the SecurityLogonSessionData to determine the Realm (UserDnsDomain
+ in MS-speak) and request an appropriate TGT. On 2000, check the
+ Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN"
+ instead. This will allow ms2mit to be used to repopulate the
+ LSA cache. If the current session is not Kerberos authenticated
+ an appropriate error message will be generated.
+
+ Code changes:
+ (1) several memory leaks plugged
+ (2) several support functions copied from the Leashw32.dll sources
+ (3) get_STRING_from_registry() uses the ANSI versions of the Registry
+ functions and should at a later date be converted to use the
+ Unicode versions.
+
+ Notes: an ms2mit.exe based on the Leash_import() function
+ should be considered. Leash_import() not only imports the TGT from
+ the LSA but also performs the krb524 conversion and AFS token retrieval.
+ Of course, that version of ms2mit.exe could not exist within the krb5
+ source tree.
+
+2003-06-20 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c: Windows Credentials are addressless. Do not store the
+ credentials in the MIT cache with addresses since they do not
+ contain addresses in the encrypted portion of the credential.
+ Instead generate a valid empty address list.
+
2002-08-29 Ken Raeburn <raeburn@mit.edu>
- * Makefile.in: Revert $(S)=>/ change, for Windows support.
+ * Makefile.in: Revert $(S)=>/ change, for Windows support.
2002-08-23 Ken Raeburn <raeburn@mit.edu>
- * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
+ * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
2001-11-28 Danilo Almeida <dalmeida@mit.edu>
- * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
+ * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
potentially getting whatever happens to be in the cache. Remove
unnecessary static variables. Make function headers use a
consistent format. Rename ShowLastError() to ShowWinError() and
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
******************************************************************/
-
+/*
+ * Copyright (C) 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
#define UNICODE
#define _UNICODE
creds->times.endtime=FileTimeToUnixTime(&msticket->EndTime);
creds->times.renew_till=FileTimeToUnixTime(&msticket->RenewUntil);
- // krb5_cc_store_cred crashes downstream if creds->addresses is NULL.
- // unfortunately, the MS interface doesn't seem to return a list of
- // addresses as part of the credentials information. for now i'll just
- // use krb5_os_localaddr to mock up the address list. is this sufficient?
- krb5_os_localaddr(context, &creds->addresses);
+ /* MS Tickets are addressless. MIT requires an empty address
+ * not a NULL list of addresses.
+ */
+ creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));
+ memset(creds->addresses, 0, sizeof(krb5_address *));
MSTicketToMITTicket(msticket, context, &creds->ticket);
}
return ERROR_SUCCESS;
}
-BOOL
-GetMSTGT(
- HANDLE LogonHandle,
- ULONG PackageId,
- KERB_EXTERNAL_TICKET **ticket
+static BOOL
+get_STRING_from_registry(
+ HKEY hBaseKey,
+ char * key,
+ char * value,
+ char * outbuf,
+ DWORD outlen
)
{
- //
- // INVARIANTS:
- //
- // (FAILED(Status) || FAILED(SubStatus)) ==> error
- // bIsLsaError ==> LsaCallAuthenticationPackage() error
- //
+ HKEY hKey;
+ DWORD dwCount;
+ LONG rc;
- //
- // NOTE:
- //
- // The updated code leaks memory, but so does the old code. The
- // whole program is full of leaks. Since it's short-lived
- // process, it is ok.
- //
+ if (!outbuf || outlen == 0)
+ return FALSE;
- BOOL bIsLsaError = FALSE;
+ rc = RegOpenKeyExA(hBaseKey, key, 0, KEY_QUERY_VALUE, &hKey);
+ if (rc)
+ return FALSE;
+
+ dwCount = outlen;
+ rc = RegQueryValueExA(hKey, value, 0, 0, (LPBYTE) outbuf, &dwCount);
+ RegCloseKey(hKey);
+
+ return rc?FALSE:TRUE;
+}
+
+static BOOL
+GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData)
+{
NTSTATUS Status = 0;
- NTSTATUS SubStatus = 0;
+ HANDLE TokenHandle;
+ TOKEN_STATISTICS Stats;
+ DWORD ReqLen;
+ BOOL Success;
- UNICODE_STRING TargetPrefix;
+ if (!ppSessionData)
+ return FALSE;
+ *ppSessionData = NULL;
- KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
- PKERB_RETRIEVE_TKT_REQUEST pTicketRequest;
- PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
- ULONG RequestSize;
- ULONG ResponseSize;
- USHORT TargetSize;
+ Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
+ if ( !Success )
+ return FALSE;
- CacheRequest.MessageType = KerbRetrieveTicketMessage;
- CacheRequest.LogonId.LowPart = 0;
- CacheRequest.LogonId.HighPart = 0;
+ Success = GetTokenInformation( TokenHandle, TokenStatistics, &Stats, sizeof(TOKEN_STATISTICS), &ReqLen );
+ CloseHandle( TokenHandle );
+ if ( !Success )
+ return FALSE;
- pTicketResponse = NULL;
+ Status = LsaGetLogonSessionData( &Stats.AuthenticationId, ppSessionData );
+ if ( FAILED(Status) || !ppSessionData )
+ return FALSE;
- Status = LsaCallAuthenticationPackage(
- LogonHandle,
- PackageId,
- &CacheRequest,
- sizeof(CacheRequest),
- &pTicketResponse,
- &ResponseSize,
- &SubStatus
- );
+ return TRUE;
+}
- if (FAILED(Status) || FAILED(SubStatus))
- {
- bIsLsaError = TRUE;
- goto cleanup;
+//
+// IsKerberosLogon() does not validate whether or not there are valid tickets in the
+// cache. It validates whether or not it is reasonable to assume that if we
+// attempted to retrieve valid tickets we could do so. Microsoft does not
+// automatically renew expired tickets. Therefore, the cache could contain
+// expired or invalid tickets. Microsoft also caches the user's password
+// and will use it to retrieve new TGTs if the cache is empty and tickets
+// are requested.
+
+static BOOL
+IsKerberosLogon(VOID)
+{
+ PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
+ BOOL Success = FALSE;
+
+ if ( GetSecurityLogonSessionData(&pSessionData) ) {
+ if ( pSessionData->AuthenticationPackage.Buffer ) {
+ WCHAR buffer[256];
+ WCHAR *usBuffer;
+ int usLength;
+
+ Success = FALSE;
+ usBuffer = (pSessionData->AuthenticationPackage).Buffer;
+ usLength = (pSessionData->AuthenticationPackage).Length;
+ if (usLength < 256)
+ {
+ lstrcpyn (buffer, usBuffer, usLength);
+ lstrcat (buffer,L"");
+ if ( !lstrcmp(L"Kerberos",buffer) )
+ Success = TRUE;
+ }
+ }
+ LsaFreeReturnBuffer(pSessionData);
}
+ return Success;
+}
- if (pTicketResponse->Ticket.SessionKey.KeyType == KERB_ETYPE_DES_CBC_CRC)
- {
- // all done!
- goto cleanup;
- }
+static NTSTATUS
+ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * outRequest,
+ ULONG * outSize)
+{
+ NTSTATUS Status;
+ UNICODE_STRING TargetPrefix;
+ USHORT TargetSize;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+
+ *outRequest = NULL;
+ *outSize = 0;
//
// Set up the "krbtgt/" target prefix into a UNICODE_STRING so we
TargetPrefix.MaximumLength = TargetPrefix.Length;
//
- // We will need to concatenate the "krbtgt/" prefix and the previous
- // response's target domain into our request's target name.
+ // We will need to concatenate the "krbtgt/" prefix and the
+ // Logon Session's DnsDomainName into our request's target name.
//
// Therefore, first compute the necessary buffer size for that.
//
// Note that we might theoretically have integer overflow.
//
- TargetSize = TargetPrefix.Length +
- pTicketResponse->Ticket.TargetDomainName.Length;
+ TargetSize = TargetPrefix.Length + DomainName.Length;
//
// The ticket request buffer needs to be a single buffer. That buffer
// Allocate the request buffer and make sure it's zero-filled.
//
- pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST)
- LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
if (!pTicketRequest)
- {
- Status = GetLastError();
- goto cleanup;
- }
+ return GetLastError();
//
// Concatenate the target prefix with the previous reponse's
pTicketRequest->TargetName.MaximumLength = TargetSize;
pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
Status = ConcatenateUnicodeStrings(&(pTicketRequest->TargetName),
- TargetPrefix,
- pTicketResponse->Ticket.TargetDomainName);
+ TargetPrefix,
+ DomainName);
assert(SUCCEEDED(Status));
+ *outRequest = pTicketRequest;
+ *outSize = RequestSize;
+ return Status;
+}
+//
+// #define ENABLE_PURGING
+// to allow the purging of expired tickets from LSA cache. This is necessary
+// to force the retrieval of new TGTs. Microsoft does not appear to retrieve
+// new tickets when they expire. Instead they continue to accept the expired
+// tickets. I do not want to enable purging of the LSA cache without testing
+// the side effects in a Windows domain with a machine which has been suspended,
+// removed from the network, and resumed after ticket expiration.
+//
+static BOOL
+GetMSTGT(
+ HANDLE LogonHandle,
+ ULONG PackageId,
+ KERB_EXTERNAL_TICKET **ticket
+ )
+{
//
- // Intialize the requst of the request.
+ // INVARIANTS:
+ //
+ // (FAILED(Status) || FAILED(SubStatus)) ==> error
+ // bIsLsaError ==> LsaCallAuthenticationPackage() error
+ //
+
+ BOOL bIsLsaError = FALSE;
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+
+ KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG RequestSize;
+ ULONG ResponseSize;
+#ifdef ENABLE_PURGING
+ KERB_PURGE_TKT_CACHE_REQUEST PurgeRequest;
+ int purge_cache = 0;
+#endif /* ENABLE_PURGING */
+ int ignore_cache = 0;
+
+ CacheRequest.MessageType = KerbRetrieveTicketMessage;
+ CacheRequest.LogonId.LowPart = 0;
+ CacheRequest.LogonId.HighPart = 0;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ &CacheRequest,
+ sizeof(CacheRequest),
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status))
+ {
+ // if the call to LsaCallAuthenticationPackage failed we cannot
+ // perform any queries most likely because the Kerberos package
+ // is not available or we do not have access
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ if (FAILED(SubStatus)) {
+ PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
+ BOOL Success = FALSE;
+ OSVERSIONINFOEX verinfo;
+ int supported = 0;
+
+ // SubStatus 0x8009030E is not documented. However, it appears
+ // to mean there is no TGT
+ if (SubStatus != 0x8009030E) {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+ GetVersionEx((OSVERSIONINFO *)&verinfo);
+ supported = (verinfo.dwMajorVersion > 5) ||
+ (verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion >= 1);
+
+ // If we could not get a TGT from the cache we won't know what the
+ // Kerberos Domain should have been. On Windows XP and 2003 Server
+ // we can extract it from the Security Logon Session Data. However,
+ // the required fields are not supported on Windows 2000. :(
+ if ( supported && GetSecurityLogonSessionData(&pSessionData) ) {
+ if ( pSessionData->DnsDomainName.Buffer ) {
+ Status = ConstructTicketRequest(pSessionData->DnsDomainName,
+ &pTicketRequest, &RequestSize);
+ if ( FAILED(Status) ) {
+ goto cleanup;
+ }
+ } else {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+ LsaFreeReturnBuffer(pSessionData);
+ } else {
+ CHAR UserDnsDomain[256];
+ WCHAR UnicodeUserDnsDomain[256];
+ UNICODE_STRING wrapper;
+ if ( !get_STRING_from_registry(HKEY_CURRENT_USER,
+ "Volatile Environment",
+ "USERDNSDOMAIN",
+ UserDnsDomain,
+ sizeof(UserDnsDomain)
+ ) )
+ {
+ goto cleanup;
+ }
+
+ ANSIToUnicode(UserDnsDomain,UnicodeUserDnsDomain,256);
+ wrapper.Buffer = UnicodeUserDnsDomain;
+ wrapper.Length = wcslen(UnicodeUserDnsDomain) * sizeof(WCHAR);
+ wrapper.MaximumLength = 256;
+
+ Status = ConstructTicketRequest(wrapper,
+ &pTicketRequest, &RequestSize);
+ if ( FAILED(Status) ) {
+ goto cleanup;
+ }
+ }
+ } else {
+#ifdef PURGE_ALL
+ purge_cache = 1;
+#else
+ switch (pTicketResponse->Ticket.SessionKey.KeyType) {
+ case KERB_ETYPE_DES_CBC_CRC:
+ case KERB_ETYPE_DES_CBC_MD4:
+ case KERB_ETYPE_DES_CBC_MD5:
+ case KERB_ETYPE_NULL:
+ case KERB_ETYPE_RC4_HMAC_NT: {
+ FILETIME Now, EndTime, LocalEndTime;
+ GetSystemTimeAsFileTime(&Now);
+ EndTime.dwLowDateTime=pTicketResponse->Ticket.EndTime.LowPart;
+ EndTime.dwHighDateTime=pTicketResponse->Ticket.EndTime.HighPart;
+ FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
+ if (CompareFileTime(&Now, &LocalEndTime) >= 0) {
+#ifdef ENABLE_PURGING
+ purge_cache = 1;
+#else
+ ignore_cache = 1;
+#endif /* ENABLE_PURGING */
+ break;
+ }
+ if (pTicketResponse->Ticket.TicketFlags & KERB_TICKET_FLAGS_invalid) {
+ ignore_cache = 1;
+ break; // invalid, need to attempt a TGT request
+ }
+ goto cleanup; // all done
+ }
+ case KERB_ETYPE_RC4_MD4:
+ default:
+ // not supported
+ ignore_cache = 1;
+ break;
+ }
+#endif /* PURGE_ALL */
+
+ Status = ConstructTicketRequest(pTicketResponse->Ticket.TargetDomainName,
+ &pTicketRequest, &RequestSize);
+ if ( FAILED(Status) ) {
+ goto cleanup;
+ }
+
+ //
+ // Free the previous response buffer so we can get the new response.
+ //
+
+ if ( pTicketResponse ) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
+
+#ifdef ENABLE_PURGING
+ if ( purge_cache ) {
+ //
+ // Purge the existing tickets which we cannot use so new ones can
+ // be requested. It is not possible to purge just the TGT. All
+ // service tickets must be purged.
+ //
+ PurgeRequest.MessageType = KerbPurgeTicketCacheMessage;
+ PurgeRequest.LogonId.LowPart = 0;
+ PurgeRequest.LogonId.HighPart = 0;
+ PurgeRequest.ServerName.Buffer = L"";
+ PurgeRequest.ServerName.Length = 0;
+ PurgeRequest.ServerName.MaximumLength = 0;
+ PurgeRequest.RealmName.Buffer = L"";
+ PurgeRequest.RealmName.Length = 0;
+ PurgeRequest.RealmName.MaximumLength = 0;
+ Status = LsaCallAuthenticationPackage(LogonHandle,
+ PackageId,
+ &PurgeRequest,
+ sizeof(PurgeRequest),
+ NULL,
+ NULL,
+ &SubStatus
+ );
+ }
+#endif /* ENABLE_PURGING */
+ }
+
+ //
+ // Intialize the request of the request.
//
pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
pTicketRequest->LogonId.LowPart = 0;
pTicketRequest->LogonId.HighPart = 0;
// Note: pTicketRequest->TargetName set up above
- pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE;
+#ifdef ENABLE_PURGING
+ pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ?
+ KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
+#else
+ pTicketRequest->CacheOptions = (ignore_cache ? KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
+#endif /* ENABLE_PURGING */
pTicketRequest->TicketFlags = 0L;
- pTicketRequest->EncryptionType = ENCTYPE_DES_CBC_CRC;
+ pTicketRequest->EncryptionType = 0L;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ //
+ // Check to make sure the new tickets we received are of a type we support
+ //
+
+ switch (pTicketResponse->Ticket.SessionKey.KeyType) {
+ case KERB_ETYPE_DES_CBC_CRC:
+ case KERB_ETYPE_DES_CBC_MD4:
+ case KERB_ETYPE_DES_CBC_MD5:
+ case KERB_ETYPE_NULL:
+ case KERB_ETYPE_RC4_HMAC_NT:
+ goto cleanup; // all done
+ case KERB_ETYPE_RC4_MD4:
+ default:
+ // not supported
+ break;
+ }
+
//
- // Free the previous response buffer so we can get the new response.
+ // Try once more but this time specify the Encryption Type
+ // (This will not store the retrieved tickets in the LSA cache)
//
+ pTicketRequest->EncryptionType = ENCTYPE_DES_CBC_CRC;
+ pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE;
- LsaFreeReturnBuffer(pTicketResponse);
- pTicketResponse = NULL;
+ if ( pTicketResponse ) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
Status = LsaCallAuthenticationPackage(
LogonHandle,
goto cleanup;
}
- cleanup:
+ cleanup:
+ if ( pTicketRequest )
+ LsaFreeReturnBuffer(pTicketRequest);
+
if (FAILED(Status) || FAILED(SubStatus))
{
if (bIsLsaError)
ShowWinError("GetMSTGT", Status);
}
- if (pTicketResponse)
+ if (pTicketResponse) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
LsaFreeReturnBuffer(pTicketResponse);
-
+ pTicketResponse = NULL;
+ }
return(FALSE);
}
* BEGIN COMMON VERSION INFO for GSS and Kerberos version resources
*/
-#define PRE_RELEASE
+// #define PRE_RELEASE
#ifdef PRE_RELEASE
-#define BETA_STR " beta"
+#define BETA_STR " beta 1"
#define BETA_FLAG VS_FF_PRERELEASE
#else
#define BETA_STR ""
/* we're going to stamp all the DLLs with the same version number */
-#define K5_PRODUCT_VERSION_STRING "1.3 (TEST)" BETA_STR "\0"
-#define K5_PRODUCT_VERSION 1, 3, 0, 0
+#define K5_PRODUCT_VERSION_STRING "1.3.1" BETA_STR "\0"
+#define K5_PRODUCT_VERSION 1, 3, 1, 0
-#define K5_COPYRIGHT "Copyright (C) 1997-2000 by the Massachusetts Institute of Technology\0"
+#define K5_COPYRIGHT "Copyright (C) 1997-2003 by the Massachusetts Institute of Technology\0"
#define K5_COMPANY_NAME "Massachusetts Institute of Technology.\0"
/*