RFC draft protocol changes and related cleanups
authorJohn Kohl <jtkohl@mit.edu>
Fri, 14 Dec 1990 23:52:07 +0000 (23:52 +0000)
committerJohn Kohl <jtkohl@mit.edu>
Fri, 14 Dec 1990 23:52:07 +0000 (23:52 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1554 dc483132-0cff-0310-8789-dd5450dbe970

73 files changed:
src/include/krb5/asn.1/KRB5-types-aux.h
src/include/krb5/asn.1/asn1defs.h
src/include/krb5/asn.1/encode.h
src/include/krb5/encryption.h
src/include/krb5/free.h
src/include/krb5/func-proto.h
src/include/krb5/krb5.h
src/include/krb5/los-proto.h
src/include/krb5/proto.h
src/include/krb5/stock/osconf.h
src/kdc/Imakefile
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/kdc_util.c
src/lib/crypto/crc32/crc.c
src/lib/crypto/des/des_int.h
src/lib/crypto/des/new_rn_key.c
src/lib/crypto/des/string2key.c
src/lib/crypto/md4/md4glue.c
src/lib/kdb/fetch_mkey.c
src/lib/krb425/get_cred.c
src/lib/krb425/mk_priv.c
src/lib/krb425/mk_safe.c
src/lib/krb425/rd_priv.c
src/lib/krb425/rd_req.c
src/lib/krb425/rd_safe.c
src/lib/krb425/set_key.c
src/lib/krb5/asn.1/Imakefile
src/lib/krb5/asn.1/KRB5-asn.py
src/lib/krb5/asn.1/arep2karep.c
src/lib/krb5/asn.1/auth2kauth.c
src/lib/krb5/asn.1/ekrp2kekrp.c
src/lib/krb5/asn.1/err2kerr.c
src/lib/krb5/asn.1/etpt2ketpt.c
src/lib/krb5/asn.1/karep2arep.c
src/lib/krb5/asn.1/kauth2auth.c
src/lib/krb5/asn.1/kdcr2kkdcr.c
src/lib/krb5/asn.1/kdcr2ktgsr.c
src/lib/krb5/asn.1/kekrp2ekrp.c
src/lib/krb5/asn.1/kerr2err.c
src/lib/krb5/asn.1/ketpt2etpt.c
src/lib/krb5/asn.1/kkdcr2kdcr.c
src/lib/krb5/asn.1/kprep2prep.c
src/lib/krb5/asn.1/ksafe2safe.c
src/lib/krb5/asn.1/ktgrq2tgrq.c
src/lib/krb5/asn.1/ktgsr2kdcr.c
src/lib/krb5/asn.1/prep2kprep.c
src/lib/krb5/asn.1/safe2ksafe.c
src/lib/krb5/asn.1/tgrq2ktgrq.c
src/lib/krb5/free/Imakefile
src/lib/krb5/free/f_authdata.c
src/lib/krb5/free/f_authent.c
src/lib/krb5/free/f_enc_tkt.c
src/lib/krb5/free/f_kdc_rep.c
src/lib/krb5/free/f_kdc_req.c
src/lib/krb5/krb/Imakefile
src/lib/krb5/krb/copy_tick.c
src/lib/krb5/krb/gc_via_tgt.c
src/lib/krb5/krb/get_in_tkt.c
src/lib/krb5/krb/in_tkt_pwd.c
src/lib/krb5/krb/in_tkt_sky.c
src/lib/krb5/krb/mk_priv.c
src/lib/krb5/krb/mk_req.c
src/lib/krb5/krb/mk_req_ext.c
src/lib/krb5/krb/mk_safe.c
src/lib/krb5/krb/pr_to_salt.c
src/lib/krb5/krb/rd_priv.c
src/lib/krb5/krb/rd_req_dec.c
src/lib/krb5/krb/rd_safe.c
src/lib/krb5/krb/send_tgs.c
src/lib/krb5/os/Imakefile
src/lib/krb5/os/ustime.c
src/lib/krb5/rcache/rc_dfl.c

index a2431478fc5cf1fdc538c4b443d5dc3f822147cf..099be13d42b65f63d412154f0b3e83e84ad4f7c0 100644 (file)
@@ -8,23 +8,20 @@
 /* KRB5-types.c */
 int encode_KRB5_Realm P((PE *, int , integer , char *, struct type_KRB5_Realm *));
 int encode_KRB5_PrincipalName P((PE *, int , integer , char *, struct type_KRB5_PrincipalName *));
-int encode_KRB5_MessageType P((PE *, int , integer , char *, struct type_KRB5_MessageType *));
-int encode_KRB5_AddressType P((PE *, int , integer , char *, struct type_KRB5_AddressType *));
 int encode_KRB5_HostAddress P((PE *, int , integer , char *, struct type_KRB5_HostAddress *));
 int encode_KRB5_HostAddresses P((PE *, int , integer , char *, struct type_KRB5_HostAddresses *));
-int encode_KRB5_AdType P((PE *, int , integer , char *, struct type_KRB5_AdType *));
 int encode_KRB5_AuthorizationData P((PE *, int , integer , char *, struct type_KRB5_AuthorizationData *));
 int encode_KRB5_KDCOptions P((PE *, int , integer , char *, struct type_KRB5_KDCOptions *));
-int encode_KRB5_LastReqType P((PE *, int , integer , char *, struct type_KRB5_LastReqType *));
 int encode_KRB5_LastReq P((PE *, int , integer , char *, struct type_KRB5_LastReq *));
 int encode_KRB5_KerberosTime P((PE *, int , integer , char *, struct type_KRB5_KerberosTime *));
 int encode_KRB5_Ticket P((PE *, int , integer , char *, struct type_KRB5_Ticket *));
+int encode_KRB5_TransitedEncoding P((PE *, int , integer , char *, struct type_KRB5_TransitedEncoding *));
 int encode_KRB5_EncTicketPart P((PE *, int , integer , char *, struct type_KRB5_EncTicketPart *));
 int encode_KRB5_Authenticator P((PE *, int , integer , char *, struct type_KRB5_Authenticator *));
-int encode_KRB5_AuthenticatorVersion P((PE *, int , integer , char *, struct type_KRB5_AuthenticatorVersion *));
 int encode_KRB5_TicketFlags P((PE *, int , integer , char *, struct type_KRB5_TicketFlags *));
 int encode_KRB5_AS__REQ P((PE *, int , integer , char *, struct type_KRB5_AS__REQ *));
 int encode_KRB5_TGS__REQ P((PE *, int , integer , char *, struct type_KRB5_TGS__REQ *));
+int encode_KRB5_PA__DATA P((PE *, int , integer , char *, struct type_KRB5_PA__DATA *));
 int encode_KRB5_KDC__REQ__BODY P((PE *, int , integer , char *, struct type_KRB5_KDC__REQ__BODY *));
 int encode_KRB5_AS__REP P((PE *, int , integer , char *, struct type_KRB5_AS__REP *));
 int encode_KRB5_TGS__REP P((PE *, int , integer , char *, struct type_KRB5_TGS__REP *));
@@ -35,34 +32,30 @@ int encode_KRB5_APOptions P((PE *, int , integer , char *, struct type_KRB5_APOp
 int encode_KRB5_AP__REP P((PE *, int , integer , char *, struct type_KRB5_AP__REP *));
 int encode_KRB5_EncAPRepPart P((PE *, int , integer , char *, struct type_KRB5_EncAPRepPart *));
 int encode_KRB5_KRB__SAFE P((PE *, int , integer , char *, struct type_KRB5_KRB__SAFE *));
+int encode_KRB5_KRB__SAFE__BODY P((PE *, int , integer , char *, struct type_KRB5_KRB__SAFE__BODY *));
 int encode_KRB5_KRB__PRIV P((PE *, int , integer , char *, struct type_KRB5_KRB__PRIV *));
 int encode_KRB5_EncKrbPrivPart P((PE *, int , integer , char *, struct type_KRB5_EncKrbPrivPart *));
 int encode_KRB5_KRB__ERROR P((PE *, int , integer , char *, struct type_KRB5_KRB__ERROR *));
 int encode_KRB5_EncryptedData P((PE *, int , integer , char *, struct type_KRB5_EncryptedData *));
-int encode_KRB5_EncryptionType P((PE *, int , integer , char *, struct type_KRB5_EncryptionType *));
 int encode_KRB5_EncryptionKey P((PE *, int , integer , char *, struct type_KRB5_EncryptionKey *));
-int encode_KRB5_KeyType P((PE *, int , integer , char *, struct type_KRB5_KeyType *));
 int encode_KRB5_Checksum P((PE *, int , integer , char *, struct type_KRB5_Checksum *));
-int encode_KRB5_ChecksumType P((PE *, int , integer , char *, struct type_KRB5_ChecksumType *));
+int encode_KRB5_METHOD__DATA P((PE *, int , integer , char *, struct type_KRB5_METHOD__DATA *));
 int decode_KRB5_Realm P((PE , int , integer *, char **, struct type_KRB5_Realm **));
 int decode_KRB5_PrincipalName P((PE , int , integer *, char **, struct type_KRB5_PrincipalName **));
-int decode_KRB5_MessageType P((PE , int , integer *, char **, struct type_KRB5_MessageType **));
-int decode_KRB5_AddressType P((PE , int , integer *, char **, struct type_KRB5_AddressType **));
 int decode_KRB5_HostAddress P((PE , int , integer *, char **, struct type_KRB5_HostAddress **));
 int decode_KRB5_HostAddresses P((PE , int , integer *, char **, struct type_KRB5_HostAddresses **));
-int decode_KRB5_AdType P((PE , int , integer *, char **, struct type_KRB5_AdType **));
 int decode_KRB5_AuthorizationData P((PE , int , integer *, char **, struct type_KRB5_AuthorizationData **));
 int decode_KRB5_KDCOptions P((PE , int , integer *, char **, struct type_KRB5_KDCOptions **));
-int decode_KRB5_LastReqType P((PE , int , integer *, char **, struct type_KRB5_LastReqType **));
 int decode_KRB5_LastReq P((PE , int , integer *, char **, struct type_KRB5_LastReq **));
 int decode_KRB5_KerberosTime P((PE , int , integer *, char **, struct type_KRB5_KerberosTime **));
 int decode_KRB5_Ticket P((PE , int , integer *, char **, struct type_KRB5_Ticket **));
+int decode_KRB5_TransitedEncoding P((PE , int , integer *, char **, struct type_KRB5_TransitedEncoding **));
 int decode_KRB5_EncTicketPart P((PE , int , integer *, char **, struct type_KRB5_EncTicketPart **));
 int decode_KRB5_Authenticator P((PE , int , integer *, char **, struct type_KRB5_Authenticator **));
-int decode_KRB5_AuthenticatorVersion P((PE , int , integer *, char **, struct type_KRB5_AuthenticatorVersion **));
 int decode_KRB5_TicketFlags P((PE , int , integer *, char **, struct type_KRB5_TicketFlags **));
 int decode_KRB5_AS__REQ P((PE , int , integer *, char **, struct type_KRB5_AS__REQ **));
 int decode_KRB5_TGS__REQ P((PE , int , integer *, char **, struct type_KRB5_TGS__REQ **));
+int decode_KRB5_PA__DATA P((PE , int , integer *, char **, struct type_KRB5_PA__DATA **));
 int decode_KRB5_KDC__REQ__BODY P((PE , int , integer *, char **, struct type_KRB5_KDC__REQ__BODY **));
 int decode_KRB5_AS__REP P((PE , int , integer *, char **, struct type_KRB5_AS__REP **));
 int decode_KRB5_TGS__REP P((PE , int , integer *, char **, struct type_KRB5_TGS__REP **));
@@ -73,28 +66,26 @@ int decode_KRB5_APOptions P((PE , int , integer *, char **, struct type_KRB5_APO
 int decode_KRB5_AP__REP P((PE , int , integer *, char **, struct type_KRB5_AP__REP **));
 int decode_KRB5_EncAPRepPart P((PE , int , integer *, char **, struct type_KRB5_EncAPRepPart **));
 int decode_KRB5_KRB__SAFE P((PE , int , integer *, char **, struct type_KRB5_KRB__SAFE **));
+int decode_KRB5_KRB__SAFE__BODY P((PE , int , integer *, char **, struct type_KRB5_KRB__SAFE__BODY **));
 int decode_KRB5_KRB__PRIV P((PE , int , integer *, char **, struct type_KRB5_KRB__PRIV **));
 int decode_KRB5_EncKrbPrivPart P((PE , int , integer *, char **, struct type_KRB5_EncKrbPrivPart **));
 int decode_KRB5_KRB__ERROR P((PE , int , integer *, char **, struct type_KRB5_KRB__ERROR **));
 int decode_KRB5_EncryptedData P((PE , int , integer *, char **, struct type_KRB5_EncryptedData **));
-int decode_KRB5_EncryptionType P((PE , int , integer *, char **, struct type_KRB5_EncryptionType **));
 int decode_KRB5_EncryptionKey P((PE , int , integer *, char **, struct type_KRB5_EncryptionKey **));
-int decode_KRB5_KeyType P((PE , int , integer *, char **, struct type_KRB5_KeyType **));
 int decode_KRB5_Checksum P((PE , int , integer *, char **, struct type_KRB5_Checksum **));
-int decode_KRB5_ChecksumType P((PE , int , integer *, char **, struct type_KRB5_ChecksumType **));
+int decode_KRB5_METHOD__DATA P((PE , int , integer *, char **, struct type_KRB5_METHOD__DATA **));
 int free_KRB5_PrincipalName P((struct type_KRB5_PrincipalName *));
-int free_KRB5_MessageType P((struct type_KRB5_MessageType *));
-int free_KRB5_AddressType P((struct type_KRB5_AddressType *));
 int free_KRB5_HostAddress P((struct type_KRB5_HostAddress *));
 int free_KRB5_HostAddresses P((struct type_KRB5_HostAddresses *));
 int free_KRB5_AuthorizationData P((struct type_KRB5_AuthorizationData *));
 int free_KRB5_LastReq P((struct type_KRB5_LastReq *));
 int free_KRB5_Ticket P((struct type_KRB5_Ticket *));
+int free_KRB5_TransitedEncoding P((struct type_KRB5_TransitedEncoding *));
 int free_KRB5_EncTicketPart P((struct type_KRB5_EncTicketPart *));
 int free_KRB5_Authenticator P((struct type_KRB5_Authenticator *));
-int free_KRB5_AuthenticatorVersion P((struct type_KRB5_AuthenticatorVersion *));
 int free_KRB5_AS__REQ P((struct type_KRB5_AS__REQ *));
 int free_KRB5_TGS__REQ P((struct type_KRB5_TGS__REQ *));
+int free_KRB5_PA__DATA P((struct type_KRB5_PA__DATA *));
 int free_KRB5_KDC__REQ__BODY P((struct type_KRB5_KDC__REQ__BODY *));
 int free_KRB5_AS__REP P((struct type_KRB5_AS__REP *));
 int free_KRB5_TGS__REP P((struct type_KRB5_TGS__REP *));
@@ -104,14 +95,13 @@ int free_KRB5_AP__REQ P((struct type_KRB5_AP__REQ *));
 int free_KRB5_AP__REP P((struct type_KRB5_AP__REP *));
 int free_KRB5_EncAPRepPart P((struct type_KRB5_EncAPRepPart *));
 int free_KRB5_KRB__SAFE P((struct type_KRB5_KRB__SAFE *));
+int free_KRB5_KRB__SAFE__BODY P((struct type_KRB5_KRB__SAFE__BODY *));
 int free_KRB5_KRB__PRIV P((struct type_KRB5_KRB__PRIV *));
 int free_KRB5_EncKrbPrivPart P((struct type_KRB5_EncKrbPrivPart *));
 int free_KRB5_KRB__ERROR P((struct type_KRB5_KRB__ERROR *));
 int free_KRB5_EncryptedData P((struct type_KRB5_EncryptedData *));
-int free_KRB5_EncryptionType P((struct type_KRB5_EncryptionType *));
 int free_KRB5_EncryptionKey P((struct type_KRB5_EncryptionKey *));
-int free_KRB5_KeyType P((struct type_KRB5_KeyType *));
 int free_KRB5_Checksum P((struct type_KRB5_Checksum *));
-int free_KRB5_ChecksumType P((struct type_KRB5_ChecksumType *));
+int free_KRB5_METHOD__DATA P((struct type_KRB5_METHOD__DATA *));
 
 #undef P
index eb7a80b544882e47f1c89a8644f49e668d70f16c..eafe71de3619eecb989fd55f1af3f0dc70e62ca2 100644 (file)
@@ -116,7 +116,7 @@ krb5_kdc_rep *KRB5_KDC__REP2krb5_as_rep
 
 /* kdcr2kkdcr.c */
 krb5_kdc_rep *KRB5_KDC__REP2krb5_kdc_rep
-       PROTOTYPE((const struct type_KRB5_TGS__REP *, krb5_msgtype *, int *));
+       PROTOTYPE((const struct type_KRB5_TGS__REP *, int *));
 
 /* kdcr2ktgsr.c */
 krb5_kdc_rep *KRB5_KDC__REP2krb5_tgs_rep
@@ -220,17 +220,31 @@ struct type_KRB5_TicketFlags *krb5_flags2KRB5_TicketFlags
 krb5_flags KRB5_TicketFlags2krb5_flags
        PROTOTYPE((const struct type_KRB5_TicketFlags *,int *));
 
-#include <krb5/widen.h>
+/* kpadt2padt.c */
+struct type_KRB5_PA__DATA *krb5_pa_data2KRB5_PA__DATA
+    PROTOTYPE((krb5_pa_data **, int *));
 
-/* Only put things which don't have pointers to the narrow types in this
-   section */
+/* ktran2tran.c */
+struct type_KRB5_TransitedEncoding *krb5_transited2KRB5_TransitedEncoding
+    PROTOTYPE((const krb5_transited *, int *));
+
+/* padt2kpadt.c */
+krb5_pa_data **KRB5_PA__DATA2krb5_pa_data
+    PROTOTYPE((struct type_KRB5_PA__DATA *, int *));
+
+/* tran2ktran.c */
+krb5_transited *KRB5_TransitedEncoding2krb5_transited
+    PROTOTYPE((const struct type_KRB5_TransitedEncoding *, int *));
 
 /* kkdcr2kdcr.c */
 struct type_KRB5_TGS__REP *krb5_kdc_rep2KRB5_KDC__REP
-       PROTOTYPE((const krb5_kdc_rep *,
-                  const krb5_msgtype,
-                  int *));
+       PROTOTYPE((const krb5_kdc_rep *, int *));
+
+/* #include <krb5/widen.h> */
+
+/* Only put things which don't have pointers to the narrow types in this
+   section */
 
-#include <krb5/narrow.h>
+/* #include <krb5/narrow.h> */
 
 #endif /* KRB5_ASN1DEFS__ */
index 3ef7e599e01ee9f51774c61fe003ef42d37f498d..3c2f24c551d3c7641b8837e919f29be517dc2767 100644 (file)
@@ -209,6 +209,17 @@ krb5_error_code encode_krb5_as_req
                   (translator_func) KRB5_KRB__ERROR2krb5_error, \
                   (free_func) free_KRB5_KRB__ERROR)
 
+#define encode_krb5_authdata(pauth, output) \
+    krb5_encode_generic((krb5_const_pointer)pauth,  output, \
+                  (encoder_func) encode_KRB5_AuthorizationData, \
+                  (translator_func) krb5_authdata2KRB5_AuthorizationData, \
+                  (free_func) free_KRB5_AuthorizationData)
+#define decode_krb5_authdata(pauth, output) \
+    krb5_decode_generic(pauth, (krb5_pointer *) output, \
+                  (decoder_func) decode_KRB5_AuthorizationData, \
+                  (translator_func) KRB5_AuthorizationData2krb5_authdata, \
+                  (free_func) free_KRB5_AuthorizationData)
+
 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
 /* here we use some knowledge of ASN.1 encodings */
 /* 
index cf6ee739986c11a44ae251ed58f6280db270bfa1..0bdaa5ff66f32f09dd35f6a09eeb08ed49f112ca 100644 (file)
@@ -47,6 +47,8 @@ typedef struct _krb5_enc_data {
     krb5_data ciphertext;
 } krb5_enc_data;
 
+#include <krb5/widen.h>
+
 /* could be used in a table to find an etype and initialize a block */
 typedef struct _krb5_cryptosystem_entry {
     krb5_error_code (*encrypt_func) PROTOTYPE((krb5_const_pointer /* in */,
@@ -65,7 +67,7 @@ typedef struct _krb5_cryptosystem_entry {
     krb5_error_code (*string_to_key) PROTOTYPE((const krb5_keytype,
                                                krb5_keyblock *,
                                                const krb5_data *,
-                                               krb5_const_principal));
+                                               const krb5_data *));
     krb5_error_code  (*init_random_key) PROTOTYPE((const krb5_keyblock *,
                                                   krb5_pointer *));
     krb5_error_code  (*finish_random_key) PROTOTYPE((krb5_pointer *));
@@ -82,6 +84,8 @@ typedef struct _krb5_cryptosystem_entry {
                                            table index) */
 } krb5_cryptosystem_entry;
 
+#include <krb5/narrow.h>
+
 typedef struct _krb5_cs_table_entry {
     krb5_cryptosystem_entry *system;
     krb5_pointer random_sequence;      /* from init_random_key() */
@@ -96,6 +100,8 @@ typedef struct _krb5_checksum_entry {
                                             krb5_checksum * /* out_cksum */));
     int checksum_length;               /* length of stuff returned by
                                           sum_func */
+    unsigned int is_collision_proof:1;
+    unsigned int uses_key:1;
 } krb5_checksum_entry;
 
 /* per Kerberos v5 protocol spec */
@@ -145,6 +151,9 @@ extern int krb5_max_cksum;          /* max entry in array */
 
 #define valid_cksumtype(cktype)     ((cktype <= krb5_max_cksum) && (cktype > 0) && krb5_cksumarray[cktype])
 
+#define is_coll_proof_cksum(cktype) (krb5_cksumarray[cktype]->is_collision_proof)
+#define is_keyed_cksum(cktype) (krb5_cksumarray[cktype]->uses_key)
+
 /* set up *eblockp to use etype */
 #define krb5_use_cstype(eblockp, etype) (eblockp)->crypto_entry = krb5_csarray[(etype)]->system
 
index af248262463444fddccd399996dbb70151e8fd75..6a7f9b5eed25d337a71ff8989b1553e80488e229 100644 (file)
@@ -21,6 +21,4 @@
 
 #define krb5_free_data(val) { xfree((val)->data); xfree(val);}
 
-#define krb5_free_ap_rep_enc_part xfree
-
 #endif /* KRB5_FREE__ */
index ee6173a49a25b5c56085231a7a12a3ba8eeb52bf..ca83d2f1502c6c2d7ab5d9d1a4a3a8899bceeda9 100644 (file)
@@ -53,6 +53,8 @@ krb5_error_code krb5_mk_req_extended
                   const krb5_checksum *,
                   const krb5_ticket_times *,
                   const krb5_flags,
+                  krb5_int32,
+                  krb5_keyblock *,
                   krb5_ccache,
                   krb5_creds *,
                   krb5_authenticator *,
@@ -79,14 +81,16 @@ krb5_error_code krb5_rd_error
 krb5_error_code krb5_rd_safe
        PROTOTYPE((const krb5_data *,
                   const krb5_keyblock *,
-                  const krb5_fulladdr *,
-                  const krb5_fulladdr *,
+                  const krb5_address *,
+                  const krb5_address *,
+                  krb5_int32, krb5_int32,
                   krb5_data * ));
 krb5_error_code krb5_rd_priv
        PROTOTYPE((const krb5_data *,
                   const krb5_keyblock *,
-                  const krb5_fulladdr *,
-                  const krb5_fulladdr *,
+                  const krb5_address *,
+                  const krb5_address *,
+                  krb5_int32, krb5_int32,
                   krb5_pointer,
                   krb5_data * ));
 krb5_error_code krb5_parse_name
@@ -157,6 +161,8 @@ krb5_error_code krb5_kt_remove_entry
 krb5_error_code krb5_kt_add_entry
        PROTOTYPE((krb5_keytab,
                   krb5_keytab_entry * ));
+krb5_error_code krb5_principal2salt
+       PROTOTYPE((krb5_const_principal, krb5_data *));
 
 /* librc.spec--see rcache.h */
 
@@ -220,7 +226,10 @@ void krb5_free_checksum
        PROTOTYPE((krb5_checksum *));
 void krb5_free_keyblock
        PROTOTYPE((krb5_keyblock *));
-
+void krb5_free_pa_data
+       PROTOTYPE((krb5_pa_data **));
+void krb5_free_ap_rep_enc_part
+       PROTOTYPE((krb5_ap_rep_enc_part *));
 
 #include <krb5/widen.h>
 
@@ -242,6 +251,7 @@ krb5_error_code krb5_send_tgs
                   krb5_const_principal,
                   krb5_address * const *,
                   krb5_authdata * const *,
+                  krb5_pa_data * const *,
                   const krb5_data *,
                   krb5_creds *,
                   krb5_response * ));
@@ -252,8 +262,9 @@ krb5_error_code krb5_get_in_tkt
                   const krb5_enctype,
                   const krb5_keytype,
                   krb5_error_code (* )(const krb5_keytype,
-                                       krb5_keyblock **,
-                                       krb5_const_pointer ),
+                                        krb5_keyblock **,
+                                        krb5_const_pointer,
+                                        krb5_pa_data **),
                   krb5_const_pointer,
                   krb5_error_code (* )(const krb5_keyblock *,
                                        krb5_const_pointer,
@@ -317,15 +328,17 @@ krb5_error_code krb5_mk_safe
        PROTOTYPE((const krb5_data *,
                   const krb5_cksumtype ,
                   const krb5_keyblock *,
-                  const krb5_fulladdr *,
-                  const krb5_fulladdr *,
+                  const krb5_address *,
+                  const krb5_address *,
+                  krb5_int32, krb5_int32,
                   krb5_data * ));
 krb5_error_code krb5_mk_priv
        PROTOTYPE((const krb5_data *,
                   const krb5_enctype,
                   const krb5_keyblock *,
-                  const krb5_fulladdr *,
-                  const krb5_fulladdr *,
+                  const krb5_address *,
+                  const krb5_address *,
+                  krb5_int32, krb5_int32,
                   krb5_pointer,
                   krb5_data * ));
 krb5_error_code krb5_cc_register
index e51d742c3b51e774042bd5fb7fd721f6c4e05764..de19ffd3bfea16ab9a8048db2c19f5c3fcc0042a 100644 (file)
@@ -36,7 +36,8 @@
 typedef struct _krb5_ticket_times {
     krb5_timestamp authtime; /* XXX ? should ktime in KDC_REP == authtime
                                in ticket? otherwise client can't get this */ 
-    krb5_timestamp starttime;
+    krb5_timestamp starttime;          /* optional in ticket, if not present,
+                                          use authtime */
     krb5_timestamp endtime;
     krb5_timestamp renew_till;
 } krb5_ticket_times;
@@ -48,12 +49,18 @@ typedef struct _krb5_authdata {
     krb5_octet *contents;
 } krb5_authdata;
 
+/* structure for transited encoding */
+typedef struct _krb5_transited {
+    krb5_octet tr_type;
+    krb5_data tr_contents;
+} krb5_transited;
+
 typedef struct _krb5_enc_tkt_part {
     /* to-be-encrypted portion */
     krb5_flags flags;                  /* flags */
     krb5_keyblock *session;            /* session key: includes keytype */
     krb5_principal client;             /* client name/realm */
-    krb5_data transited;               /* list of transited realms */
+    krb5_transited transited;          /* list of transited realms */
     krb5_ticket_times times;           /* auth, start, end, renew_till */
     krb5_address **caddrs;             /* array of ptrs to addresses */
     krb5_authdata **authorization_data;        /* auth data */
@@ -71,9 +78,11 @@ typedef struct _krb5_ticket {
 /* the unencrypted version */
 typedef struct _krb5_authenticator {
     krb5_principal client;             /* client name/realm */
-    krb5_checksum *checksum;           /* checksum, includes type */
-    krb5_ui_2 cmsec;                   /* client msec portion */
+    krb5_checksum *checksum;           /* checksum, includes type, optional */
+    krb5_int32 cusec;                  /* client usec portion */
     krb5_timestamp ctime;              /* client sec portion */
+    krb5_keyblock *subkey;             /* true session key, optional */
+    krb5_int32 seq_number;             /* sequence #, optional */
 } krb5_authenticator;
 
 typedef struct _krb5_tkt_authent {
@@ -105,10 +114,16 @@ typedef struct _krb5_last_req_entry {
     krb5_timestamp value;
 } krb5_last_req_entry;
 
+/* pre-authentication data */
+typedef struct _krb5_pa_data {
+    krb5_ui_2  pa_type;
+    int length;
+    krb5_octet *contents;
+} krb5_pa_data;
+
 typedef struct _krb5_kdc_req {
     krb5_msgtype msg_type;             /* AS_REQ or TGS_REQ? */
-    krb5_octet padata_type;
-    krb5_data padata;                  /* e.g. encoded AP_REQ */
+    krb5_pa_data **padata;             /* e.g. encoded AP_REQ */
     /* real body */
     krb5_flags kdc_options;            /* requested options */
     krb5_principal client;             /* includes realm; optional */
@@ -117,11 +132,13 @@ typedef struct _krb5_kdc_req {
     krb5_timestamp from;               /* requested starttime */
     krb5_timestamp till;               /* requested endtime */
     krb5_timestamp rtime;              /* (optional) requested renew_till */
-    krb5_timestamp ctime;              /* client's time */
     krb5_int32 nonce;                  /* nonce to match request/response */
-    krb5_enctype etype;                        /* requested encryption type */
-    krb5_address **addresses;          /* requested addresses */
-    krb5_authdata **authorization_data;        /* auth data; OPTIONAL */
+    int netypes;                       /* # of etypes, must be positive */
+    krb5_enctype *etype;               /* requested encryption type(s) */
+    krb5_address **addresses;          /* requested addresses, optional */
+    krb5_enc_data authorization_data;  /* encrypted auth data; OPTIONAL */
+    krb5_authdata **unenc_authdata;    /* unencrypted auth data,
+                                          if available */
     krb5_ticket **second_ticket;       /* second ticket array; OPTIONAL */
 } krb5_kdc_req;
 
@@ -134,11 +151,14 @@ typedef struct _krb5_enc_kdc_rep_part {
     krb5_flags flags;                  /* ticket flags */
     krb5_ticket_times times;           /* lifetime info */
     krb5_principal server;             /* server's principal identifier */
-    krb5_address **caddrs;             /* array of ptrs to addresses */
+    krb5_address **caddrs;             /* array of ptrs to addresses,
+                                          optional */
 } krb5_enc_kdc_rep_part;
 
 typedef struct _krb5_kdc_rep {
     /* cleartext part: */
+    krb5_msgtype msg_type;             /* AS_REP or KDC_REP? */
+    krb5_pa_data **padata;             /* preauthentication data from KDC */
     krb5_principal client;             /* client's principal identifier */
     krb5_ticket *ticket;               /* ticket */
     krb5_enc_data enc_part;            /* encryption type, kvno, encrypted
@@ -150,8 +170,8 @@ typedef struct _krb5_kdc_rep {
 typedef struct _krb5_error {
     /* some of these may be meaningless in certain contexts */
     krb5_timestamp ctime;              /* client sec portion; optional */
-    krb5_ui_2 cmsec;                   /* client msec portion; optional */
-    krb5_ui_2 smsec;                   /* server msec portion */
+    krb5_int32 cusec;                  /* client usec portion; optional */
+    krb5_int32 susec;                  /* server usec portion */
     krb5_timestamp stime;              /* server sec portion */
     krb5_ui_4 error;                   /* error code (protocol error #'s) */
     krb5_principal client;             /* client's principal identifier;
@@ -173,7 +193,9 @@ typedef struct _krb5_ap_rep {
 
 typedef struct _krb5_ap_rep_enc_part {
     krb5_timestamp ctime;              /* client time, seconds portion */
-    krb5_ui_2 cmsec;                   /* client time, milliseconds portion */
+    krb5_int32 cusec;                  /* client time, microseconds portion */
+    krb5_keyblock *subkey;             /* true session key, optional */
+    krb5_int32 seq_number;             /* sequence #, optional */
 } krb5_ap_rep_enc_part;
 
 typedef struct _krb5_response {
@@ -183,10 +205,12 @@ typedef struct _krb5_response {
 
 typedef struct _krb5_safe {
     krb5_data user_data;               /* user data */
-    krb5_timestamp timestamp;          /* client time */
-    krb5_ui_2 msec;                    /* millisecond portion of time */
+    krb5_timestamp timestamp;          /* client time, optional */
+    krb5_int32 usec;                   /* microsecond portion of time,
+                                          optional */
+    krb5_int32 seq_number;             /* sequence #, optional */
     krb5_address *s_address;           /* sender address */
-    krb5_address *r_address;           /* recipient address */
+    krb5_address *r_address;           /* recipient address, optional */
     krb5_checksum *checksum;           /* data integrity checksum */
 } krb5_safe;
 
@@ -196,13 +220,15 @@ typedef struct _krb5_priv {
 
 typedef struct _krb5_priv_enc_part {
     krb5_data user_data;               /* user data */
-    krb5_timestamp timestamp;          /* client time */
-    krb5_ui_2 msec;                    /* millisecond portion of time */
+    krb5_timestamp timestamp;          /* client time, optional */
+    krb5_int32 usec;                   /* microsecond portion of time, opt. */
+    krb5_int32 seq_number;             /* sequence #, optional */
     krb5_address *s_address;           /* sender address */
-    krb5_address *r_address;           /* recipient address */
+    krb5_address *r_address;           /* recipient address, optional */
 } krb5_priv_enc_part;
 
 /* these need to be here so the typedefs are available for the prototypes */
+#include <krb5/safepriv.h>
 #include <krb5/ccache.h>
 #include <krb5/rcache.h>
 #include <krb5/keytab.h>
index 6cf09508c3adef5db865e10ee1ba6bfade876fbd..c85c7fc66e183871b0231a857f0a6f8f3dfb99d4 100644 (file)
@@ -33,9 +33,9 @@ krb5_error_code krb5_unlock_file
                   char * ));
 krb5_error_code krb5_timeofday
        PROTOTYPE((krb5_int32 * ));
-krb5_error_code krb5_ms_timeofday
+krb5_error_code krb5_us_timeofday
        PROTOTYPE((krb5_int32 *,
-                  krb5_ui_2 * ));
+                  krb5_int32 * ));
 int krb5_net_read
        PROTOTYPE((int ,
                   char *,
index 1599b56525a72514c058b3bb796d76e53559ecd4..5b9e5a41e756fffc273cb6e7b2515911186494fd 100644 (file)
 #define        KRB5_ERROR      ((krb5_msgtype)30) /* Error response */
 
 /* PADATA types */
-#define        KRB5_PADATA_AP_REQ      ((krb5_octet)1)
+#define        KRB5_PADATA_AP_REQ      1
+#define        KRB5_PADATA_TGS_REQ     KRB5_PADATA_AP_REQ
+#define KRB5_PADATA_ENC_TIMESTAMPS     2
+#define        KRB5_PADATA_PW_SALT     3
+
+/* Transited encoding types */
+#define        KRB5_DOMAIN_X500_COMPRESS       1
+
+/* alternate authentication types */
+#define        KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE     64
+
+/* authorization data types */
+#define        KRB5_AUTHDATA_OSF_DCE   64
 
 #endif /* KRB5_PROTO__ */
index 1e915040baad02bd5dec2a10410e0135034943f2..79d5f50a0470f276cdd8d579bfb4ad509217b95e 100644 (file)
@@ -44,7 +44,7 @@
 #define        DEFAULT_KDC_ETYPE       ETYPE_DES_CBC_CRC
 #define        DEFAULT_KDC_KEYTYPE     KEYTYPE_DES
 
-#define KDC_PORTNAME   "kerberos5"     /* for /etc/services or equiv. */
+#define KDC_PORTNAME   "kerberos     /* for /etc/services or equiv. */
 
 #define MAX_DGRAM_SIZE 4096
 #define MAX_SKDC_TIMEOUT 30
index a8f6f217f54c91d3a36de5fa4a0c7161018ae12f..047c96e7537e59ed4a9342f6d0b01826d6cd4543 100644 (file)
@@ -8,7 +8,7 @@
 #  <krb5/copyright.h>.
 # 
 DEFINES = -DBACKWARD_COMPAT
-INCLUDES = $(KRB4INCLUDES) -I$(TOP)/include/stdc-incl
+INCLUDES = $(KRB4INCLUDES)
 SRCS= \
        kdc5_err.c \
        dispatch.c \
index a6a376da1748ec3f2323eb0fb28835253b3986b1..ec573cf9c2530fc9f5791adca8250e1536e1f936 100644 (file)
@@ -66,6 +66,8 @@ krb5_data **response;                 /* filled in with a response packet */
     krb5_timestamp kdc_time;
     krb5_keyblock *session_key;
     krb5_keyblock encrypting_key;
+    krb5_enctype useetype;
+    register int i;
 
     krb5_timestamp until, rtime;
     char *cname = 0, *sname = 0, *fromstring = 0;
@@ -130,14 +132,18 @@ krb5_data **response;                     /* filled in with a response packet */
        return(retval);
     }
 
-    if (!valid_etype(request->etype)) {
+    for (i = 0; i < request->netypes; i++)
+       if (valid_etype(request->etype[i]))
+           break;
+    if (i == request->netypes) {
        /* unsupported etype */
 
        cleanup();
        return(prepare_error_as(request, KDC_ERR_ETYPE_NOSUPP, response));
     }
+    useetype = request->etype[i];
 
-    if (retval = (*(krb5_csarray[request->etype]->system->random_key))(krb5_csarray[request->etype]->random_sequence, &session_key)) {
+    if (retval = (*(krb5_csarray[useetype]->system->random_key))(krb5_csarray[useetype]->random_sequence, &session_key)) {
        /* random key failed */
        cleanup();
        return(retval);
@@ -153,7 +159,7 @@ krb5_data **response;                       /* filled in with a response packet */
 
 
     ticket_reply.server = request->server;
-    ticket_reply.enc_part.etype = request->etype;
+    ticket_reply.enc_part.etype = useetype;
     ticket_reply.enc_part.kvno = server.kvno;
 
     enc_tkt_reply.flags = 0;
@@ -182,7 +188,9 @@ krb5_data **response;                       /* filled in with a response packet */
 
     enc_tkt_reply.session = session_key;
     enc_tkt_reply.client = request->client;
-    enc_tkt_reply.transited = empty_string; /* equivalent of "" */
+    enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
+    enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
+
     enc_tkt_reply.times.authtime = kdc_time;
 
     if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
@@ -227,6 +235,11 @@ krb5_data **response;                      /* filled in with a response packet */
     } else
        enc_tkt_reply.times.renew_till = 0; /* XXX */
 
+    /* starttime is optional, and treated as authtime if not present.
+       so we can nuke it if it matches */
+    if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
+       enc_tkt_reply.times.starttime = 0;
+
     enc_tkt_reply.caddrs = request->addresses;
     enc_tkt_reply.authorization_data = 0; /* XXX? */
 
@@ -259,9 +272,14 @@ krb5_data **response;                      /* filled in with a response packet */
                   free(ticket_reply.enc_part.ciphertext.data);}
 
     /* Start assembling the response */
+    reply.msg_type = KRB5_AS_REP;
+
+    reply.padata = 0;
+    /* XXX put in padata salting stuff here*/
+
     reply.client = request->client;
     /* XXX need separate etypes for ticket encryption and kdc_rep encryption */
-    reply.enc_part.etype = request->etype;
+    reply.enc_part.etype = useetype;
     reply.enc_part.kvno = client.kvno;
     reply.ticket = &ticket_reply;
 
@@ -309,10 +327,10 @@ krb5_data **response;
     krb5_error_code retval;
     krb5_data *scratch;
 
-    errpkt.ctime = request->ctime;
-    errpkt.cmsec = 0;
+    errpkt.ctime = request->nonce;
+    errpkt.cusec = 0;
 
-    if (retval = krb5_ms_timeofday(&errpkt.stime, &errpkt.smsec))
+    if (retval = krb5_us_timeofday(&errpkt.stime, &errpkt.susec))
        return(retval);
     errpkt.error = error;
     errpkt.server = request->server;
index 06e9a74daaf76831e7dcba5f06cdbef902c4b87c..b66675bdf274fc07b4f899db8759f8b0ea89481d 100644 (file)
@@ -55,18 +55,20 @@ krb5_data **response;                       /* filled in with a response packet */
     krb5_ticket ticket_reply, *header_ticket;
     int st_idx = 0;
     krb5_enc_tkt_part enc_tkt_reply;
-    krb5_data enc_tkt_transited;
+    krb5_transited enc_tkt_transited;
+    int newtransited = 0;
     krb5_error_code retval;
     int nprincs;
     krb5_boolean more;
     krb5_timestamp kdc_time;
     krb5_keyblock *session_key;
-    int newtransited = 0;
     krb5_timestamp until, rtime;
     krb5_keyblock encrypting_key;
     char *cname = 0, *sname = 0, *fromstring = 0;
     krb5_last_req_entry *nolrarray[1];
     krb5_address *noaddrarray[1];
+    krb5_enctype useetype;
+    register int i;
 
     if ((retval = kdc_process_tgs_req(request, from, &header_ticket))) {
        if (!header_ticket || !header_ticket->enc_part2)
@@ -130,14 +132,19 @@ krb5_data **response;                     /* filled in with a response packet */
                                 response));
     }
 
-#define cleanup() { krb5_free_ticket(header_ticket); krb5_db_free_principal(&server, 1);}
+#define tkt_cleanup() {krb5_free_ticket(header_ticket); }
+#define cleanup() { krb5_db_free_principal(&server, 1);}
 
     if (retval = krb5_timeofday(&kdc_time)) {
+       tkt_cleanup();
        cleanup();
        return(retval);
     }
     
-    if (!valid_etype(request->etype)) {
+    for (i = 0; i < request->netypes; i++)
+       if (valid_etype(request->etype[i]))
+           break;
+    if (i == request->netypes) {
        /* unsupported etype */
 
        cleanup();
@@ -145,6 +152,7 @@ krb5_data **response;                       /* filled in with a response packet */
                                 header_ticket,
                                 KDC_ERR_ETYPE_NOSUPP, response));
     }
+    useetype = request->etype[i];
 
     if (isflagset(request->kdc_options, KDC_OPT_REUSE_SKEY)) {
        /* decrypt second ticket, and examine */
@@ -165,23 +173,23 @@ krb5_data **response;                     /* filled in with a response packet */
        session_key = request->second_ticket[st_idx]->enc_part2->session;
        st_idx++;
     } else {
-       if (retval = (*(krb5_csarray[request->etype]->system->random_key))(krb5_csarray[request->etype]->random_sequence, &session_key)) {
+       if (retval = (*(krb5_csarray[useetype]->system->random_key))(krb5_csarray[useetype]->random_sequence, &session_key)) {
            /* random key failed */
+           tkt_cleanup();
            cleanup();
            return(retval);
        }
     }
 
 #undef cleanup
-#define cleanup() { krb5_free_ticket(header_ticket); \
-                  krb5_db_free_principal(&server, 1); \
+#define cleanup() { krb5_db_free_principal(&server, 1); \
                   memset((char *)session_key->contents, 0, \
                          session_key->length); \
                   free((char *)session_key->contents); \
                   session_key->contents = 0; }
 
     ticket_reply.server = request->server; /* XXX careful for realm... */
-    ticket_reply.enc_part.etype = request->etype;
+    ticket_reply.enc_part.etype = useetype;
     ticket_reply.enc_part.kvno = server.kvno;
 
     enc_tkt_reply.flags = 0;
@@ -333,21 +341,83 @@ krb5_data **response;                     /* filled in with a response packet */
        enc_tkt_reply.times.renew_till = 0; /* XXX */
     }
 
+    /* starttime is optional, and treated as authtime if not present.
+       so we can nuke it if it matches */
+    if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
+       enc_tkt_reply.times.starttime = 0;
+
     /* assemble any authorization data */
-    if (request->authorization_data) {
+    if (request->authorization_data.ciphertext.data) {
+       krb5_encrypt_block eblock;
+       krb5_data scratch;
+
+       /* decrypt the authdata in the request */
+       if (!valid_etype(request->authorization_data.etype)) {
+           cleanup();
+           return prepare_error_tgs(request, header_ticket,
+                                    KDC_ERR_ETYPE_NOSUPP, response);
+       }
+       /* put together an eblock for this encryption */
+
+       krb5_use_cstype(&eblock, request->authorization_data.etype);
+
+       scratch.length = request->authorization_data.ciphertext.length;
+       if (!(scratch.data =
+             malloc(request->authorization_data.ciphertext.length))) {
+           tkt_cleanup();
+           cleanup();
+           return(ENOMEM);
+       }
+       /* do any necessary key pre-processing */
+       if (retval = krb5_process_key(&eblock,
+                                     header_ticket->enc_part2->session)) {
+           free(scratch.data);
+           tkt_cleanup();
+           cleanup();
+           return(retval);
+       }
+
+       /* call the encryption routine */
+       if (retval = krb5_decrypt((krb5_pointer) request->authorization_data.ciphertext.data,
+                                 (krb5_pointer) scratch.data,
+                                 scratch.length, &eblock, 0)) {
+           (void) krb5_finish_key(&eblock);
+           free(scratch.data);
+           tkt_cleanup();
+           cleanup();
+           return retval;
+       }
+       if (retval = krb5_finish_key(&eblock)) {
+           free(scratch.data);
+           tkt_cleanup();
+           cleanup();
+           return retval;
+       }
+       /* scratch now has the authorization data, so we decode it */
+       retval = decode_krb5_authdata(&scratch, request->unenc_authdata);
+       free(scratch.data);
+       if (retval) {
+           tkt_cleanup();
+           cleanup();
+           return retval;
+       }
+
        if (retval =
-           concat_authorization_data(request->authorization_data,
+           concat_authorization_data(request->unenc_authdata,
                                      header_ticket->enc_part2->authorization_data, 
                                      &enc_tkt_reply.authorization_data)) {
+           tkt_cleanup();
            cleanup();
            return retval;
        }
     } else
        enc_tkt_reply.authorization_data =
            header_ticket->enc_part2->authorization_data;
+
     enc_tkt_reply.session = session_key;
     enc_tkt_reply.client = header_ticket->enc_part2->client;
-    enc_tkt_reply.transited = empty_string; /* equivalent of "" */
+    enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
+    enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
 
     /* realm compare is like strcmp, but knows how to deal with these args */
     if (realm_compare(realm_of_tgt(header_ticket),
@@ -356,28 +426,35 @@ krb5_data **response;                     /* filled in with a response packet */
        enc_tkt_reply.transited = header_ticket->enc_part2->transited;
     } else {
        /* assemble new transited field into allocated storage */
-       enc_tkt_transited.data = 0;
-       enc_tkt_transited.length = 0;
+       if (header_ticket->enc_part2->transited.tr_type !=
+           KRB5_DOMAIN_X500_COMPRESS) {
+           tkt_cleanup();
+           cleanup();
+           return KRB5KDC_ERR_TRTYPE_NOSUPP;
+       }
+       enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
+       enc_tkt_transited.tr_contents.data = 0;
+       enc_tkt_transited.tr_contents.length = 0;
        enc_tkt_reply.transited = enc_tkt_transited;
        if (retval =
-           add_to_transited(&header_ticket->enc_part2->transited,
-                              &enc_tkt_reply.transited,
+           add_to_transited(&header_ticket->enc_part2->transited.tr_contents,
+                              &enc_tkt_reply.transited.tr_contents,
                               header_ticket->server,
                               enc_tkt_reply.client,
                               request->server)) {
+           tkt_cleanup();
            cleanup();
            return retval;
        }
        newtransited = 1;
     }
 #undef cleanup
-#define cleanup() { krb5_free_ticket(header_ticket); \
-                  krb5_db_free_principal(&server, 1); \
+#define cleanup() { krb5_db_free_principal(&server, 1); \
                   memset((char *)session_key->contents, 0, \
                          session_key->length); \
                   free((char *)session_key->contents); \
                   session_key->contents = 0; \
-                  if (newtransited) free(enc_tkt_reply.transited.data);}
+                  if (newtransited) free(enc_tkt_reply.transited.tr_contents.data);}
 
     ticket_reply.enc_part2 = &enc_tkt_reply;
 
@@ -391,6 +468,7 @@ krb5_data **response;                       /* filled in with a response packet */
            }
        if (retval = krb5_encrypt_tkt_part(request->second_ticket[st_idx]->enc_part2->session,
                                           &ticket_reply)) {
+           tkt_cleanup();
            cleanup();
            return retval;
        }
@@ -399,6 +477,7 @@ krb5_data **response;                       /* filled in with a response packet */
        /* convert server.key into a real key (it may be encrypted
           in the database) */
        if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &encrypting_key)) {
+           tkt_cleanup();
            cleanup();
            return retval;
        }
@@ -409,27 +488,30 @@ krb5_data **response;                     /* filled in with a response packet */
        free((char *)encrypting_key.contents);
 
        if (retval) {
+           tkt_cleanup();
            cleanup();
            return retval;
        }
     }
 
     if (newtransited)
-       free(enc_tkt_reply.transited.data);
+       free(enc_tkt_reply.transited.tr_contents.data);
     krb5_db_free_principal(&server, 1);
 
 #undef cleanup
 
     /* Start assembling the response */
+    reply.msg_type = KRB5_TGS_REP;
+    reply.padata = 0;          /* always */
     reply.client = header_ticket->enc_part2->client;
-    reply.enc_part.etype = request->etype;
+    reply.enc_part.etype = useetype;
     reply.enc_part.kvno = 0;           /* We are using the session key */
     reply.ticket = &ticket_reply;
 
     reply_encpart.session = session_key;
     reply_encpart.nonce = request->nonce;
 
-    /* copy the time fields EXCEPT for authtime; it's location
+    /* copy the time fields EXCEPT for authtime; its location
        is used for ktime */
     reply_encpart.times = enc_tkt_reply.times;
     reply_encpart.times.authtime = kdc_time;
@@ -446,6 +528,7 @@ krb5_data **response;                       /* filled in with a response packet */
                                 &reply, response);
     memset((char *)session_key->contents, 0, session_key->length);
     free((char *)session_key->contents);
+    tkt_cleanup();
     session_key->contents = 0;
     return retval;
 }
@@ -461,10 +544,10 @@ krb5_data **response;
     krb5_error_code retval;
     krb5_data *scratch;
 
-    errpkt.ctime = request->ctime;
-    errpkt.cmsec = 0;
+    errpkt.ctime = request->nonce;
+    errpkt.cusec = 0;
 
-    if (retval = krb5_ms_timeofday(&errpkt.stime, &errpkt.smsec)) {
+    if (retval = krb5_us_timeofday(&errpkt.stime, &errpkt.susec)) {
        krb5_free_ticket(ticket);
        return(retval);
     }
index 39f06145b321fa34b060532264cab1aec7c0169c..fc4b117091ff67c937de24a83dad8276c78bde5c 100644 (file)
@@ -132,12 +132,22 @@ krb5_ticket **ticket;
     struct kparg who;
     krb5_error_code retval;
     krb5_checksum our_cksum;
-    krb5_data *scratch;
+    krb5_data *scratch, scratch2;
+    krb5_pa_data **tmppa;
 
-    if (request->padata_type != KRB5_PADATA_AP_REQ)
+    if (!request->padata)
        return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+    for (tmppa = request->padata; *tmppa; tmppa++) {
+       if ((*tmppa)->pa_type == KRB5_PADATA_AP_REQ)
+           break;
+    }
+    if (!*tmppa)                       /* cannot find any AP_REQ */
+       return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+
+    scratch2.length = (*tmppa)->length;
+    scratch2.data = (char *)(*tmppa)->contents;
 
-    if (retval = decode_krb5_ap_req(&request->padata, &apreq))
+    if (retval = decode_krb5_ap_req(&scratch2, &apreq))
        return retval;
 
 #define cleanup_apreq() {krb5_free_ap_req(apreq); *ticket = 0;}
@@ -163,7 +173,8 @@ krb5_ticket **ticket;
        return KRB5KDC_ERR_POLICY;
     }
 
-    /* XXX perhaps we should optimize the case of the TGS ? */
+    /* XXX perhaps we should optimize the case of the TGS, by having
+       the key always hanging around? */
 
     nprincs = 1;
     if (retval = krb5_db_get_principal(apreq->ticket->server,
index be63e006676ee475c641184ac2a8c4280b1b4075..d55301927f7dec931a3628e11bbc0c72ee9024ad 100644 (file)
@@ -149,13 +149,6 @@ krb5_checksum *outcksum;
     register int idx;
     int i;
 
-    data = (u_char *)seed;
-    for (i=0; i<seed_length;i++) {
-       idx = (data[i] ^ c);
-       idx &= 0xff;
-       c >>= 8;
-       c ^= crc_table[idx];
-    }
     data = (u_char *)in;
     for (i=0; i<in_length;i++) {
        idx = (data[i] ^ c);
@@ -177,4 +170,6 @@ krb5_checksum *outcksum;
 krb5_checksum_entry crc32_cksumtable_entry = {
     crc32_sum_func,
     CRC32_CKSUM_LENGTH, /* CRC-32 is 4 octets */
+    0,                                 /* not collision proof */
+    0,                                 /* doesn't use key */
 };
index 09fb53a7fefbaca6be2ff0c0352b3008e8461324..911ca2957639012645cfa81717cd4ba74fb0a397 100644 (file)
@@ -160,7 +160,7 @@ extern krb5_error_code mit_des_random_key
 /* string2key.c */
 extern krb5_error_code mit_des_string_to_key
     PROTOTYPE((const krb5_keytype, krb5_keyblock *, const krb5_data *,
-              krb5_const_principal ));
+              const krb5_data *));
 
 /* weak_key.c */
 extern int mit_des_is_weak_key PROTOTYPE((mit_des_cblock ));
index 3e72740a3c7ea2ed3d6ce4aa70a9df91d82030da..e0fd7b9af414fedeb5cfea371417274e5242d7ae 100644 (file)
@@ -78,7 +78,6 @@ void mit_des_init_random_number_generator(key,p_seed)
        krb5_int32 seconds;
        krb5_int32 microseconds;
     } timenow;
-    krb5_ui_2 msec;
     mit_des_cblock new_key;
 
     krb5_address **addrs;
@@ -120,8 +119,8 @@ void mit_des_init_random_number_generator(key,p_seed)
      * use a time stamp to ensure that a server started later does not reuse
      * an old stream:
      */
-    (void) krb5_ms_timeofday(&timenow.seconds, &msec); /* XXX return value */
-    timenow.microseconds = msec * 1000;
+    (void) krb5_us_timeofday(&timenow.seconds,
+                            &timenow.microseconds); /* XXX return value */
     mit_des_set_sequence_number((unsigned char *)&timenow, p_seed);
 
     /*
index d505aeddae13d1c4bf9cccee37bd70772b42b096..d21443ab4e0d5123c543a91e7ea5dbbb8127faf9 100644 (file)
@@ -34,7 +34,7 @@ extern int des_debug;
        It is the responsibility of the caller to release this storage
        when the generated key no longer needed.
 
-       The routine may use "princ" to seed or alter the conversion
+       The routine may use "salt" to seed or alter the conversion
        algorithm.
 
        If the particular function called does not know how to make a
@@ -46,11 +46,11 @@ extern int des_debug;
 krb5_error_code mit_des_string_to_key (DECLARG(const krb5_keytype, keytype),
                                       DECLARG(krb5_keyblock *,keyblock),
                                       DECLARG(const krb5_data *,data),
-                                      DECLARG(krb5_const_principal, princ))
+                                      DECLARG(const krb5_data *, salt))
 OLDDECLARG(const krb5_keytype, keytype)
 OLDDECLARG(krb5_keyblock *,keyblock)
 OLDDECLARG(const krb5_data *,data)
-OLDDECLARG(krb5_const_principal, princ)
+OLDDECLARG(const krb5_data *, salt)
 {
     char copystr[512];
 
@@ -81,15 +81,13 @@ OLDDECLARG(krb5_const_principal, princ)
     keyblock->length = sizeof(mit_des_cblock);
     key = keyblock->contents;
 
+    /* XXX todo: make it work in face of embedded NUL's */
     memset(copystr, 0, sizeof(copystr));
     j = min(data->length, 511);
     (void) strncpy(copystr, data->data, j);
-    if ( princ != 0 )
-       for (i=0; princ[i] != 0 && j < 511; i++) {
-           (void) strncpy(copystr+j, princ[i]->data, 
-                          min(princ[i]->length, 511-j));
-           j += min(princ[i]->length, 511-j);
-       }
+    if (salt) {
+       strncpy (copystr + j, salt->data, min(salt->length, 511-j));
+    }
 
     /* convert copystr to des key */
     forward = 1;
index 5104d50d2e8dafa4500411f0d024e7f370e860a5..51f2a297727ca5c0d79b6d309a55e56ef0c3ed99 100644 (file)
@@ -58,4 +58,6 @@ krb5_checksum *outcksum;
 krb5_checksum_entry crc32_cksumtable_entry = {
     md4_sum_func,
     RSA_MD4_CKSUM_LENGTH, /* CRC-32 is 4 octets */
+    1,                                 /* is collision proof */
+    0,                                 /* doesn't use key */
 };
index fa14564f1b4a3a25de45bdbbb738ccd108b5fe8a..ec0bb27082e7208bcad73bd7e50ac185d58bbd14 100644 (file)
@@ -67,6 +67,8 @@ OLDDECLARG(krb5_keyblock *,key)
 
 
     if (fromkeyboard) {
+       krb5_data scratch;
+
        if (retval = krb5_read_password(krb5_mkey_pwd_prompt1,
                                        twice ? krb5_mkey_pwd_prompt2 : 0,
                                        password,
@@ -75,7 +77,10 @@ OLDDECLARG(krb5_keyblock *,key)
 
        pwd.data = password;
        pwd.length = size;
-       retval = krb5_string_to_key(eblock, key->keytype, key, &pwd, mname);
+       if (retval = krb5_principal2salt(mname, &scratch))
+           return retval;
+       retval = krb5_string_to_key(eblock, key->keytype, key, &pwd, &scratch);
+       xfree(scratch.data);
        memset(password, 0, sizeof(password)); /* erase it */
        return retval;
 
index 03fef28df1988c93094b5fa5d72d987a743888db..a97209e967c54d1c0e6cc3ace105ee5dd63b874b 100644 (file)
@@ -86,12 +86,13 @@ CREDENTIALS *c;
        set_string(c->instance, REALM_SZ, creds.server[2]);
 
        c->ticket_st.length = creds.ticket.length;
-       memcpy(c->ticket_st.dat,
-              creds.ticket.data,
+       memcpy((char *)c->ticket_st.dat,
+              (char *)creds.ticket.data,
               min(c->ticket_st.length, MAX_KTXT_LEN));
        c->ticket_st.mbz = 0;
 
-       memcpy((char*)c->session, creds.keyblock.contents, sizeof(C_Block));
+       memcpy((char*)c->session, (char *)creds.keyblock.contents,
+              sizeof(C_Block));
 
        c->issue_date = creds.times.starttime;
        c->lifetime = creds.times.endtime;
index 84372c8a3f94b2b0cdef0827faec63cf81a07755..d360056f828dd70d9ed1712c58e06c5c8743ef54 100644 (file)
@@ -31,8 +31,6 @@ struct sockaddr_in *receiver;
        krb5_data inbuf;
        krb5_data out5;
        krb5_keyblock keyb;
-       krb5_fulladdr sfaddr;
-       krb5_fulladdr rfaddr;
        krb5_address saddr;
        krb5_address raddr;
        krb5_error_code r;
@@ -53,19 +51,15 @@ struct sockaddr_in *receiver;
        memcpy(sa, (char *)&sender->sin_addr, 4);
        memcpy(ra, (char *)&receiver->sin_addr, 4);
 
-       sfaddr.address = &saddr;
-       sfaddr.port = sender->sin_port;
-
-       rfaddr.address = &raddr;
-       rfaddr.port = receiver->sin_port;
-
        inbuf.data = (char *)in;
        inbuf.length = in_length;
 
        if (r = krb5_mk_priv(&inbuf,
                             KEYTYPE_DES,
                             &keyb,
-                            &sfaddr, &rfaddr,
+                            &saddr, &raddr,
+                            0,         /* no sequence number */
+                            0,         /* default flags (none) */
                             0, &out5)) {
 #ifdef EBUG
                ERROR(r);
@@ -73,7 +67,7 @@ struct sockaddr_in *receiver;
                return(-1);
        }
 
-       memcpy(out, out5.data, out5.length);
+       memcpy((char *)out, out5.data, out5.length);
        free(out5.data);
        return(out5.length);
 }
index 77eeca79bd65c978ca2dbbd97e81b52215dbd514..28d6407cdc1aed0f28b65267014143e4fe8ddee3 100644 (file)
@@ -30,8 +30,6 @@ struct sockaddr_in *receiver;
        krb5_data inbuf;
        krb5_data out5;
        krb5_keyblock keyb;
-       krb5_fulladdr sfaddr;
-       krb5_fulladdr rfaddr;
        krb5_address saddr;
        krb5_address raddr;
        krb5_error_code r;
@@ -52,19 +50,15 @@ struct sockaddr_in *receiver;
        memcpy(sa, (char *)&sender->sin_addr, 4);
        memcpy(ra, (char *)&receiver->sin_addr, 4);
 
-       sfaddr.address = &saddr;
-       sfaddr.port = sender->sin_port;
-
-       rfaddr.address = &raddr;
-       rfaddr.port = receiver->sin_port;
-
        inbuf.data = (char *)in;
        inbuf.length = in_length;
 
        if (r = krb5_mk_safe(&inbuf,
                             CKSUMTYPE_CRC32,
                             &keyb,
-                            &sfaddr, &rfaddr,
+                            &saddr, &raddr,
+                            0,         /* no sequence number */
+                            0,         /* default flags (none) */
                             &out5)) {
 #ifdef EBUG
                ERROR(r);
@@ -72,7 +66,7 @@ struct sockaddr_in *receiver;
                return(-1);
        }
 
-       memcpy(out, out5.data, out5.length);
+       memcpy((char *)out, out5.data, out5.length);
        free(out5.data);
        return(out5.length);
 }
index 0b4af57f5e353314f81b273db826e778215cad08..7aef5f69a9bc2efdfd38ba2f8c78c7f7c2f57f7c 100644 (file)
@@ -31,8 +31,6 @@ MSG_DAT *msg;
        krb5_data inbuf;
        krb5_data out;
        krb5_keyblock keyb;
-       krb5_fulladdr sfaddr;
-       krb5_fulladdr rfaddr;
        krb5_address saddr;
        krb5_address raddr;
        krb5_error_code r;
@@ -53,16 +51,10 @@ MSG_DAT *msg;
        memcpy(sa, (char *)&sender->sin_addr, 4);
        memcpy(ra, (char *)&receiver->sin_addr, 4);
 
-       sfaddr.address = &saddr;
-       sfaddr.port = sender->sin_port;
-
-       rfaddr.address = &raddr;
-       rfaddr.port = receiver->sin_port;
-
        inbuf.data = (char *)in;
        inbuf.length = in_length;
 
-       if (r = krb5_rd_priv(&inbuf, &keyb, &sfaddr, &rfaddr, 0, &out)) {
+       if (r = krb5_rd_priv(&inbuf, &keyb, &saddr, &raddr, 0, 0, 0, &out)) {
 #ifdef EBUG
                ERROR(r)
 #endif
index 05b949ded8e1cb8af2cbf80458b2243b4384264f..f34156bb454683689eefba7db78148014dcd8feb 100644 (file)
@@ -144,7 +144,7 @@ char *fn;
                goto out;
        } else
                memcpy((char*)ad->session,
-                      authd.ticket->enc_part2->session->contents,
+                      (char*)authd.ticket->enc_part2->session->contents,
                       sizeof(C_Block));
 
        ad->life = authd.ticket->enc_part2->times.endtime;
@@ -155,14 +155,14 @@ char *fn;
                r = KFAILURE;
                goto out;
        } else
-               memcpy((char *)&ad->address + sizeof(ad->address) - 4,
-                      authd.ticket->enc_part2->caddrs[0]->contents, 4);
+               memcpy((char*)&ad->address + sizeof(ad->address) - 4,
+                      (char*)authd.ticket->enc_part2->caddrs[0]->contents, 4);
 
        if (authd.ticket->enc_part2->authorization_data &&
            authd.ticket->enc_part2->authorization_data[0]) {
                ad->reply.length = authd.ticket->enc_part2->authorization_data[0]->length;
-               memcpy(ad->reply.dat,
-                      authd.ticket->enc_part2->authorization_data[0]->contents,
+               memcpy((char*)ad->reply.dat,
+                      (char*)authd.ticket->enc_part2->authorization_data[0]->contents,
                       min(ad->reply.length, MAX_KTXT_LEN));
                ad->reply.mbz = 0;
        }
index 9b50aabeb05afd020b285a7ecafebd865626efb0..394a11b4f630d57547f1ca0c9f9d03056f3269dc 100644 (file)
@@ -30,8 +30,6 @@ MSG_DAT *msg;
        krb5_data inbuf;
        krb5_data out;
        krb5_keyblock keyb;
-       krb5_fulladdr sfaddr;
-       krb5_fulladdr rfaddr;
        krb5_address saddr;
        krb5_address raddr;
        krb5_error_code r;
@@ -52,16 +50,10 @@ MSG_DAT *msg;
        memcpy(sa, (char *)&sender->sin_addr, 4);
        memcpy(ra, (char *)&receiver->sin_addr, 4);
 
-       sfaddr.address = &saddr;
-       sfaddr.port = sender->sin_port;
-
-       rfaddr.address = &raddr;
-       rfaddr.port = receiver->sin_port;
-
        inbuf.data = (char *)in;
        inbuf.length = in_length;
 
-       if (r = krb5_rd_safe(&inbuf, &keyb, &sfaddr, &rfaddr, &out)) {
+       if (r = krb5_rd_safe(&inbuf, &keyb, &saddr, &raddr, 0, 0, &out)) {
 #ifdef EBUG
                ERROR(r)
 #endif
index 4589f7b8d1b0f9125f3b15a95ab0944407e3c33e..a25d1a03531b66d909a4388e817c285e296e8027 100644 (file)
@@ -36,7 +36,7 @@ int cvt;
                }
                keyblock.length = 8;
                keyblock.keytype = KEYTYPE_DES;
-               memcpy(keyblock.contents, key, 8);
+               memcpy((char *)keyblock.contents, (char *)key, 8);
        }
        return(KSUCCESS);
 }
index 4c60c288e7bd3d08c16c1a7c168426c6efd22c33..8e6df2199ef7087a752051742ab3bcfbffb8bb7c 100644 (file)
@@ -54,19 +54,23 @@ SRCS= \
        kkdcr2kdcr.c    \
        kkey2enck.c     \
        klsrq2lsrq.c    \
+       kpadt2padt.c    \
        kprep2prep.c    \
        kprin2prin.c    \
        kpriv2priv.c    \
        ksafe2safe.c    \
+       ktran2tran.c    \
        ktgrq2tgrq.c    \
        ktgsr2kdcr.c    \
        ktkt2tkt.c      \
        lsrq2klsrq.c    \
+       padt2kpadt.c    \
        prep2kprep.c    \
        prin2kprin.c    \
        priv2kpriv.c    \
        qbuf2data.c     \
        safe2ksafe.c    \
+       tran2ktran.c    \
        tgrq2ktgrq.c    \
        tkt2ktkt.c      \
        u2gen.c
@@ -113,19 +117,23 @@ OBJS= \
        kkdcr2kdcr.o    \
        kkey2enck.o     \
        klsrq2lsrq.o    \
+       kpadt2padt.o    \
        kprep2prep.o    \
        kprin2prin.o    \
        kpriv2priv.o    \
        ksafe2safe.o    \
+       ktran2tran.o    \
        ktgrq2tgrq.o    \
        ktgsr2kdcr.o    \
        ktkt2tkt.o      \
        lsrq2klsrq.o    \
+       padt2kpadt.o    \
        prep2kprep.o    \
        prin2kprin.o    \
        priv2kpriv.o    \
        qbuf2data.o     \
        safe2ksafe.o    \
+       tran2ktran.o    \
        tgrq2ktgrq.o    \
        tkt2ktkt.o      \
        u2gen.o
index 93ebaa7638364a189f5f8a13be4c570872c10674..c0fc1a4f91d47c7b6ad34afca0914fa6fe3e0a2c 100644 (file)
@@ -18,52 +18,19 @@ BEGIN
 Realm ::= GeneralString
 PrincipalName ::= SEQUENCE OF GeneralString
 
--- Message types from protocol spec
-
--- Some predefined integer values for certain types of fields
-MessageType ::=        INTEGER {
-       ticket(1), -- XXX RFC draft 3 uses illegal leading capitals
-       authenticator(2),
-       asReq(10),
-       asRep(11),
-       tgsReq(12),
-       tgsRep(13),
-       apReq(14),
-       apRep(15),
-       safe(20),
-       priv(21),
-       error(30)
-}
-
-AddressType ::= INTEGER {
-       internet(2),
-       chaosnet(5),
-       iso(7),
-       xns(6),
-       appletalk-ddp(16)
-}
-
--- XXX missing from RFC Draft 3
 HostAddress ::= SEQUENCE  {
-       addr-type[0]                    INTEGER, -- AddressType
+       addr-type[0]                    INTEGER,
        address[1]                      OCTET STRING
 }
 
 HostAddresses ::=      SEQUENCE OF SEQUENCE {
-       addr-type[0]    INTEGER, -- AddressType
+       addr-type[0]    INTEGER,
        address[1]      OCTET STRING
 }
 
-AdType ::=     BIT STRING -- { - - AuthorizationData Type
---     reserved(0),
---     external(1),
---     registered(2),
---     field-type(3-15) - - XXX
---}
-
 AuthorizationData ::=  SEQUENCE OF SEQUENCE {
-       ad-type[0]      INTEGER, -- XXX RFC says AdType, should be a 16-bit integer
-       ad-data[1]      GeneralString
+       ad-type[0]      INTEGER,
+       ad-data[1]      OCTET STRING
 }
 
 KDCOptions ::= BIT STRING {
@@ -77,22 +44,15 @@ KDCOptions ::= BIT STRING {
        unused7(7),
        renewable(8),
        unused9(9),
-       duplicate-skey(10),
        renewable-ok(27),
        enc-tkt-in-skey(28),
-       reuse-skey(29),
        renew(30),
        validate(31)
 }
 
-LastReqType ::=        BIT STRING --{
---     this-server-only(0),
---     interpretation(1-7) - - XXX
---}
-
 LastReq ::=    SEQUENCE OF SEQUENCE {
-       lr-type[0]      INTEGER, -- LastReqType
-       lr-value[1]     KerberosTime -- XXX RFC draft 3 has trailing ,
+       lr-type[0]      INTEGER,
+       lr-value[1]     KerberosTime
 }
 
 KerberosTime ::=       GeneralizedTime -- Specifying UTC time zone (Z)
@@ -104,16 +64,20 @@ Ticket ::= [APPLICATION 1] SEQUENCE {
        enc-part[3]     EncryptedData   -- EncTicketPart
 }
 
+TransitedEncoding ::= SEQUENCE {
+       tr-type[0]      INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
+       contents[1]     OCTET STRING
+}
+
 -- Encrypted part of ticket
--- XXX needs an [APPLICATION x]
-EncTicketPart ::=      SEQUENCE {
+EncTicketPart ::=      [APPLICATION 3] SEQUENCE {
        flags[0]        TicketFlags,
        key[1]          EncryptionKey,
        crealm[2]       Realm,
        cname[3]        PrincipalName,
-       transited[4]    GeneralString,
+       transited[4]    TransitedEncoding,
        authtime[5]     KerberosTime,
-       starttime[6]    KerberosTime,
+       starttime[6]    KerberosTime OPTIONAL,
        endtime[7]      KerberosTime,
        renew-till[8]   KerberosTime OPTIONAL,
        caddr[9]        HostAddresses,
@@ -122,17 +86,16 @@ EncTicketPart ::=  SEQUENCE {
 
 -- Unencrypted authenticator
 Authenticator ::=      [APPLICATION 2] SEQUENCE  {
-       authenticator-vno[0]    AuthenticatorVersion,
+       authenticator-vno[0]    INTEGER,
        crealm[1]       Realm,
        cname[2]        PrincipalName,
-       cksum[3]        Checksum,
-       cmsec[4]        INTEGER,
-       ctime[5]        KerberosTime
+       cksum[3]        Checksum OPTIONAL,
+       cusec[4]        INTEGER,
+       ctime[5]        KerberosTime,
+       subkey[6]       EncryptionKey OPTIONAL,
+       seq-number[7]   INTEGER OPTIONAL
 }
 
-AuthenticatorVersion ::= INTEGER {krb5(5)}
-
--- XXX missing from RFC Draft 3
 TicketFlags ::= BIT STRING {
        reserved(0),
        forwardable(1),
@@ -143,31 +106,31 @@ TicketFlags ::= BIT STRING {
        postdated(6),
        invalid(7),
        renewable(8),
-       initial(9),
-       duplicate-skey(10)
+       initial(9)
 }
 
--- XXX RFC Draft 3 needs "ClientName" changed to "PrincipalName"
 -- the following two sequences MUST be the same except for the
 -- APPLICATION identifier
 AS-REQ ::= [APPLICATION 10] SEQUENCE {
        pvno[1] INTEGER,
        msg-type[2]     INTEGER,
-       padata-type[3]  INTEGER,
-       padata[4]       OCTET STRING OPTIONAL, -- encoded AP-REQ XXX optional
-       req-body[5]     KDC-REQ-BODY
+       padata[3]       PA-DATA OPTIONAL,
+       req-body[4]     KDC-REQ-BODY
 }
 TGS-REQ ::= [APPLICATION 12] SEQUENCE {
        pvno[1] INTEGER,
        msg-type[2]     INTEGER,
-       padata-type[3]  INTEGER,
-       padata[4]       OCTET STRING, -- encoded AP-REQ
-       req-body[5]     KDC-REQ-BODY
+       padata[3]       PA-DATA OPTIONAL, -- encoded AP-REQ, not optional
+       req-body[4]     KDC-REQ-BODY
 }
 -- the preceding two sequences MUST be the same except for the
 -- APPLICATION identifier
 
--- XXX this needs to feed back into the draft.
+PA-DATA ::=    SEQUENCE OF SEQUENCE {
+       padata-type[1]  INTEGER,
+       pa-data[2]      OCTET STRING -- might be encoded AP-REQ
+}
+
 KDC-REQ-BODY ::=       SEQUENCE {
         kdc-options[0] KDCOptions,
         cname[1]       PrincipalName OPTIONAL, -- Used only in AS-REQ
@@ -176,31 +139,32 @@ KDC-REQ-BODY ::=  SEQUENCE {
         from[4]        KerberosTime OPTIONAL,
         till[5]        KerberosTime,
         rtime[6]       KerberosTime OPTIONAL,
-        ctime[7]       KerberosTime,
-        nonce[8]       INTEGER,
-        etype[9]       INTEGER, -- EncryptionType
-        addresses[10]  HostAddresses OPTIONAL,
-        authorization-data[11] AuthorizationData OPTIONAL,
-        additional-tickets[12] SEQUENCE OF Ticket OPTIONAL
+        nonce[7]       INTEGER,
+        etype[8]       SEQUENCE OF INTEGER, -- EncryptionType, in preference order
+        addresses[9]   HostAddresses OPTIONAL,
+        authorization-data[10] EncryptedData OPTIONAL, -- AuthorizationData
+        additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
 }
 
 -- the following two sequences MUST be the same except for the
 -- APPLICATION identifier
 AS-REP ::= [APPLICATION 11] SEQUENCE {
        pvno[0]                         INTEGER,
-       msg-type[1]                     INTEGER, -- MessageType
-       crealm[2]                       Realm,
-       cname[3]                        PrincipalName,
-       ticket[4]                       Ticket,         -- Ticket
-       enc-part[5]                     EncryptedData   -- EncKDCRepPart
+       msg-type[1]                     INTEGER,
+       padata[2]                       PA-DATA OPTIONAL,
+       crealm[3]                       Realm,
+       cname[4]                        PrincipalName,
+       ticket[5]                       Ticket,         -- Ticket
+       enc-part[6]                     EncryptedData   -- EncKDCRepPart
 }
 TGS-REP ::= [APPLICATION 13] SEQUENCE {
        pvno[0]                         INTEGER,
-       msg-type[1]                     INTEGER, -- MessageType
-       crealm[2]                       Realm,
-       cname[3]                        PrincipalName,
-       ticket[4]                       Ticket,         -- Ticket
-       enc-part[5]                     EncryptedData   -- EncKDCRepPart
+       msg-type[1]                     INTEGER,
+       padata[2]                       PA-DATA OPTIONAL,
+       crealm[3]                       Realm,
+       cname[4]                        PrincipalName,
+       ticket[5]                       Ticket,         -- Ticket
+       enc-part[6]                     EncryptedData   -- EncKDCRepPart
 }
 -- the preceding two sequences MUST be the same except for the
 -- APPLICATION identifier
@@ -217,9 +181,9 @@ EncASRepPart ::=    [APPLICATION 25] SEQUENCE {
        starttime[6]    KerberosTime OPTIONAL,
        endtime[7]      KerberosTime,
        renew-till[8]   KerberosTime OPTIONAL,
-       realm[9]        Realm, -- XXX should be srealm
+       srealm[9]       Realm,
        sname[10]       PrincipalName,
-       caddr[11]       HostAddresses
+       caddr[11]       HostAddresses OPTIONAL
 }
 EncTGSRepPart ::=      [APPLICATION 26] SEQUENCE {
        key[0]  EncryptionKey,
@@ -231,9 +195,9 @@ EncTGSRepPart ::=   [APPLICATION 26] SEQUENCE {
        starttime[6]    KerberosTime OPTIONAL,
        endtime[7]      KerberosTime,
        renew-till[8]   KerberosTime OPTIONAL,
-       realm[9]        Realm, -- XXX should be srealm
+       srealm[9]       Realm,
        sname[10]       PrincipalName,
-       caddr[11]       HostAddresses
+       caddr[11]       HostAddresses OPTIONAL
 }
 -- the preceding two sequences MUST be the same except for the
 -- APPLICATION identifier
@@ -246,7 +210,6 @@ AP-REQ ::= [APPLICATION 14] SEQUENCE {
        authenticator[4]                EncryptedData   -- Authenticator
 }
 
--- XXX These appear twice in the draft 3 RFC
 APOptions ::= BIT STRING {
        reserved(0),
        use-session-key(1),
@@ -261,18 +224,25 @@ AP-REP ::= [APPLICATION 15] SEQUENCE {
 
 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
        ctime[0]                        KerberosTime,
-       cmsec[1]                        INTEGER
+       cusec[1]                        INTEGER,
+       subkey[2]                       EncryptionKey OPTIONAL,
+       seq-number[3]                   INTEGER OPTIONAL
 }
 
 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
        pvno[0]                         INTEGER,
        msg-type[1]                     INTEGER,
-       user-data[2]                    OCTET STRING,
-       timestamp[3]                    KerberosTime,
-       msec[4]                         INTEGER,
-       s-address[5]                    HostAddress,    -- sender's addr
-       r-address[6]                    HostAddress,    -- recip's addr
-       cksum[7]                        Checksum                        
+       safe-body[2]                    KRB-SAFE-BODY,
+       cksum[3]                        Checksum                        
+}
+
+KRB-SAFE-BODY ::=      SEQUENCE {
+       user-data[0]                    OCTET STRING,
+       timestamp[1]                    KerberosTime OPTIONAL,
+       usec[2]                         INTEGER OPTIONAL,
+       seq-number[3]                   INTEGER OPTIONAL,
+       s-address[4]                    HostAddress,    -- sender's addr
+       r-address[5]                    HostAddress OPTIONAL -- recip's addr
 }
 
 KRB-PRIV ::=   [APPLICATION 21] SEQUENCE {
@@ -283,25 +253,26 @@ KRB-PRIV ::=      [APPLICATION 21] SEQUENCE {
 
 EncKrbPrivPart ::=     [APPLICATION 28] SEQUENCE {
        user-data[0]    OCTET STRING,
-       timestamp[1]    KerberosTime,
-       msec[2]         INTEGER,
-       s-address[3]    HostAddress,    -- sender's addr
-       r-address[4]    HostAddress     -- recip's addr
+       timestamp[1]    KerberosTime OPTIONAL,
+       usec[2]         INTEGER OPTIONAL,
+       seq-number[3]   INTEGER OPTIONAL,
+       s-address[4]    HostAddress,    -- sender's addr
+       r-address[5]    HostAddress OPTIONAL    -- recip's addr
 }
 
 KRB-ERROR ::=  [APPLICATION 30] SEQUENCE {
        pvno[0]         INTEGER,
        msg-type[1]     INTEGER,
        ctime[2]        KerberosTime OPTIONAL,
-       cmsec[3]        INTEGER OPTIONAL,
+       cusec[3]        INTEGER OPTIONAL,
        stime[4]        KerberosTime,
-       smsec[5]        INTEGER,
+       susec[5]        INTEGER,
        error-code[6]   INTEGER,
        crealm[7]       Realm OPTIONAL,
        cname[8]        PrincipalName OPTIONAL,
        realm[9]        Realm, -- Correct realm
        sname[10]       PrincipalName, -- Correct name
-       e-text[11]      GeneralString OPTIONAL, -- XXX should be optional
+       e-text[11]      GeneralString OPTIONAL,
        e-data[12]      OCTET STRING OPTIONAL
 }
 
@@ -311,34 +282,18 @@ EncryptedData ::= SEQUENCE {
        cipher[2]       OCTET STRING -- CipherText
 }
 
-EncryptionType ::=     INTEGER {
-       null(0),
-       des-cbc-crc(1),
-       lucifer-cbc-crc(2)
-}
-
 EncryptionKey ::= SEQUENCE {
-       keytype[0]                      INTEGER, -- KeyType
+       keytype[0]                      INTEGER,
        keyvalue[1]                     OCTET STRING
 }
 
-KeyType ::=    INTEGER {
-       null(0),
-       des(1),
-       lucifer(2)
-}
-
 Checksum ::= SEQUENCE {
-       cksumtype[0]                    INTEGER, -- ChecksumType
+       cksumtype[0]                    INTEGER,
        checksum[1]                     OCTET STRING
 }
 
-ChecksumType ::=       INTEGER {
-       crc32(1),
-       rsa-md4(2),
-       rsa-md4-des(3),
-       snefru(4),
-       des-mac(5)
+METHOD-DATA ::= SEQUENCE {
+       method-type[0]  INTEGER,
+       method-data[1]  OCTET STRING OPTIONAL
 }
-
 END
index e37e0e6eea0ff63659aceca06dad73177d2736f2..6f659a4ae0b8c88aceec28a6a51359386bae9c22 100644 (file)
@@ -39,15 +39,25 @@ register int *error;
        *error = ENOMEM;
        return(0);
     }
-    /* xbzero not needed, since structure is simple */
-    /* xbzero(retval, sizeof(*retval)); */
+    xbzero(retval, sizeof(*retval));
 
     retval->ctime = gentime2unix(val->ctime, error);
     if (*error) {
        xfree(retval);
        return(0);
     }  
-    retval->cmsec = val->cmsec;
+    retval->cusec = val->cusec;
+
+    if (val->subkey) {
+       retval->subkey = KRB5_EncryptionKey2krb5_keyblock(val->subkey,
+                                                         error);
+       if (!retval->subkey) {
+           krb5_free_ap_rep_enc_part(retval);
+           return 0;
+       }
+    }
+    if (val->optionals & opt_KRB5_EncAPRepPart_seq__number)
+       retval->seq_number = val->seq__number;
 
     return(retval);
 }
index 56a8b63fd5a7efa98ef1ed95374a136291927560..40a3421622ffa05700be9d6594e7fdca3bfda697 100644 (file)
@@ -49,17 +49,21 @@ register int *error;
        xfree(retval);
        return(0);
     }
-
-    retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum, error);
-    if (!retval->checksum) {
-       krb5_free_authenticator(retval);
-       return(0);
+    if (val->cksum) {
+       retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum, error);
+       if (!retval->checksum) {
+           krb5_free_authenticator(retval);
+           return(0);
+       }
     }
-    retval->cmsec = val->cmsec;
+    retval->cusec = val->cusec;
     retval->ctime = gentime2unix(val->ctime, error);
     if (*error) {
        krb5_free_authenticator(retval);
        return(0);
     }
+    if (val->optionals & opt_KRB5_Authenticator_seq__number) {
+       retval->seq_number = val->seq__number;
+    }
     return(retval);
 }
index 0e41b7ce7503177863602a33ee1f0d366804c62c..7c1f05497690ac04097b571307f9c75494e3c138 100644 (file)
@@ -84,14 +84,16 @@ register int *error;
        }
     }
     retval->server = KRB5_PrincipalName2krb5_principal(val->sname,
-                                                      val->realm,
+                                                      val->srealm,
                                                       error);
     if (!retval->server) {
        goto errout;
     }
-    retval->caddrs = KRB5_HostAddresses2krb5_address(val->caddr, error);
-    if (!retval->caddrs) {
-       goto errout;
+    if (val->caddr) {
+       retval->caddrs = KRB5_HostAddresses2krb5_address(val->caddr, error);
+       if (!retval->caddrs) {
+           goto errout;
+       }
     }
     return(retval);
 }
index f25f65ed53a7da7835c3e53e8b3556f52744c805..f8fc9421b704b2eee4852a0376189b8cd6bfd0c0 100644 (file)
@@ -51,16 +51,16 @@ register int *error;
            return(0);
        }       
     }
-    if (val->optionals & opt_KRB5_KRB__ERROR_cmsec)
-       retval->cmsec = val->cmsec;
+    if (val->optionals & opt_KRB5_KRB__ERROR_cusec)
+       retval->cusec = val->cusec;
     else
-       retval->cmsec = 0;
+       retval->cusec = 0;
 
     retval->stime = gentime2unix(val->stime, error);
     if (*error) {
        goto errout;
     }  
-    retval->smsec = val->smsec;
+    retval->susec = val->susec;
     retval->error = val->error__code;
     if (val->crealm && val->cname) {
        retval->client = KRB5_PrincipalName2krb5_principal(val->cname,
index 3b23cdba34e3fe3c1bf8a064c196ec3994bd3bd7..6a9ca034c408660e99a413b5ccc7cba628fb20f1 100644 (file)
@@ -33,7 +33,7 @@ const register struct type_KRB5_EncTicketPart *val;
 register int *error;
 {
     register krb5_enc_tkt_part *retval;
-    krb5_data *temp;
+    krb5_transited *temp;
 
     retval = (krb5_enc_tkt_part *)xmalloc(sizeof(*retval));
     if (!retval) {
@@ -61,7 +61,8 @@ register int *error;
     if (!retval->client) {
        goto errout;
     }
-    temp = qbuf2krb5_data(val->transited, error);
+
+    temp = KRB5_TransitedEncoding2krb5_transited(val->transited, error);
     if (temp) {
        retval->transited = *temp;
        xfree(temp);
@@ -73,10 +74,12 @@ register int *error;
     if (*error) {
        goto errout;
     }  
-    retval->times.starttime = gentime2unix(val->starttime, error);
-    if (*error) {
-       goto errout;
-    }  
+    if (val->starttime) {
+       retval->times.starttime = gentime2unix(val->starttime, error);
+       if (*error) {
+           goto errout;
+       }       
+    }
     retval->times.endtime = gentime2unix(val->endtime, error);
     if (*error) {
        goto errout;
index 2d29c351d0cffee2260687e9d8eb373f5b57990a..d5b8f7ed702642d20666f0b3224392afbfc8086f 100644 (file)
@@ -47,6 +47,17 @@ register int *error;
        return(0);
     }
 
-    retval->cmsec = val->cmsec;
+    retval->cusec = val->cusec;
+    if (val->subkey) {
+       retval->subkey = krb5_keyblock2KRB5_EncryptionKey(val->subkey, error);
+       if (!retval->subkey) {
+           free_KRB5_EncAPRepPart(retval);
+           return 0;
+       }
+    }
+    if (val->seq_number) {
+       retval->seq__number = val->seq_number;
+       retval->optionals |= opt_KRB5_EncAPRepPart_seq__number;
+    }
     return(retval);
 }
index 7bd499a8be493481c5a804e9803ad4666730da42..56e1ba608197edb911ea35eea89d72318a2ee75d 100644 (file)
@@ -41,32 +41,32 @@ register int *error;
     }
 
     xbzero(retval, sizeof(*retval));
-    retval->authenticator__vno = (struct type_KRB5_AuthenticatorVersion *)
-       xmalloc(sizeof(*retval->authenticator__vno));
-    if (!retval->authenticator__vno) {
+    retval->authenticator__vno = KRB5_PVNO;
+    retval->crealm = krb5_data2qbuf(val->client[0]);
+    if (!retval->crealm) {
        *error = ENOMEM;
     errout:
        free_KRB5_Authenticator(retval);
        return(0);
     }
-    retval->authenticator__vno->parm = KRB5_PVNO;
-    retval->crealm = krb5_data2qbuf(val->client[0]);
-    if (!retval->crealm) {
-       *error = ENOMEM;
-       goto errout;
-    }
     retval->cname = krb5_principal2KRB5_PrincipalName(val->client, error);
     if (!retval->cname) {
        goto errout;
     }
-    retval->cksum = krb5_checksum2KRB5_Checksum(val->checksum, error);
-    if (!retval->cksum) {
-       goto errout;
+    if (val->checksum) {
+       retval->cksum = krb5_checksum2KRB5_Checksum(val->checksum, error);
+       if (!retval->cksum) {
+           goto errout;
+       }
     }
-    retval->cmsec = val->cmsec;
+    retval->cusec = val->cusec;
     retval->ctime = unix2gentime(val->ctime, error);
     if (!retval->ctime) {
        goto errout;
     }
+    if (val->seq_number) {
+       retval->seq__number = val->seq_number;
+       retval->optionals |= opt_KRB5_Authenticator_seq__number;
+    }
     return(retval);
 }
index 79d98762c6d3f5d369dcec48af4ab3a519a3a40b..cb36e086ce4f355e50fb6803c9402a1f408f8ac9 100644 (file)
@@ -28,9 +28,8 @@ static char rcsid_kdcr2kkdcr_c[] =
 /* ISODE defines max(a,b) */
 
 krb5_kdc_rep *
-KRB5_KDC__REP2krb5_kdc_rep(val, type, error)
+KRB5_KDC__REP2krb5_kdc_rep(val, error)
 const register struct type_KRB5_TGS__REP *val;
-krb5_msgtype *type;
 register int *error;
 {
     register krb5_kdc_rep *retval;
@@ -43,8 +42,16 @@ register int *error;
     }
     xbzero(retval, sizeof(*retval));
 
-    *type = val->msg__type;
+    retval->msg_type = val->msg__type;
 
+    if (val->padata) {
+       retval->padata = KRB5_PA__DATA2krb5_pa_data(val->padata, error);
+       if (*error) {
+           xfree(retval);
+           return 0;
+
+       }
+    }
     retval->client = KRB5_PrincipalName2krb5_principal(val->cname,
                                                       val->crealm,
                                                       error);
index 7d3a241df1228093367779a71c5dd9b1252912ab..bf62e0048eb611a06a24e72b9e52c961b4b8b2c0 100644 (file)
@@ -32,14 +32,5 @@ KRB5_KDC__REP2krb5_tgs_rep(val, error)
 const register struct type_KRB5_TGS__REP *val;
 register int *error;
 {
-    krb5_msgtype type;
-    register krb5_kdc_rep *retval;
-
-    retval = KRB5_KDC__REP2krb5_kdc_rep(val, &type, error);
-    if (retval && (type != KRB5_TGS_REP)) {
-       krb5_free_kdc_rep(retval);
-       *error = ISODE_50_LOCAL_ERR_BADMSGTYPE;
-       return 0;
-    }
-    return retval;
+    return KRB5_KDC__REP2krb5_kdc_rep(val, error);
 }
index 23152c34ac311618f6c261d97728923d28513c88..2824a97f4a41f2b572e6e0df44d32bb80c5d6cff 100644 (file)
@@ -83,8 +83,8 @@ register int *error;
            goto errout;
        }
     }
-    retval->realm = krb5_data2qbuf(val->server[0]);
-    if (!retval->realm) {
+    retval->srealm = krb5_data2qbuf(val->server[0]);
+    if (!retval->srealm) {
        *error = ENOMEM;
        goto errout;
     }
@@ -92,9 +92,11 @@ register int *error;
     if (!retval->sname) {
        goto errout;
     }
-    retval->caddr = krb5_address2KRB5_HostAddresses(val->caddrs, error);
-    if (!retval->caddr) {
-       goto errout;
+    if (val->caddrs) {
+       retval->caddr = krb5_address2KRB5_HostAddresses(val->caddrs, error);
+       if (!retval->caddr) {
+           goto errout;
+       }
     }
     return(retval);
 }
index 61acab2d7aefe678c99368b2cd4df5bf9f86a4a3..4d0e4553d107a3b59fcf36e0d8e42ed77edbaa4b 100644 (file)
@@ -51,9 +51,9 @@ register int *error;
            return(0);
        }
     }
-    if (val->cmsec) {
-       retval->cmsec = val->cmsec;
-       retval->optionals = opt_KRB5_KRB__ERROR_cmsec;
+    if (val->cusec) {
+       retval->cusec = val->cusec;
+       retval->optionals = opt_KRB5_KRB__ERROR_cusec;
     }
 
     retval->stime = unix2gentime(val->stime, error);
@@ -62,7 +62,7 @@ register int *error;
        free_KRB5_KRB__ERROR(retval);
        return(0);
     }
-    retval->smsec = val->smsec;
+    retval->susec = val->susec;
     retval->error__code = val->error;
 
     if (val->client) {
index bfcd1e898f74f594421b2344895eb7528b800bf8..bbf48752c728bdb70890452a6784f1cc87bf13b6 100644 (file)
@@ -62,18 +62,20 @@ register int *error;
     if (!retval->cname) {
        goto errout;
     }
-    retval->transited = krb5_data2qbuf(&(val->transited));
+    retval->transited =
+       krb5_transited2KRB5_TransitedEncoding(&(val->transited), error);
     if (!retval->transited) {
-       *error = ENOMEM;
        goto errout;
     }
     retval->authtime = unix2gentime(val->times.authtime, error);
     if (!retval->authtime) {
        goto errout;
     }
-    retval->starttime = unix2gentime(val->times.starttime, error);
-    if (!retval->starttime) {
-       goto errout;
+    if (val->times.starttime) {
+       retval->starttime = unix2gentime(val->times.starttime, error);
+       if (!retval->starttime) {
+           goto errout;
+       }
     }
     retval->endtime = unix2gentime(val->times.endtime, error);
     if (!retval->endtime) {
index 2ce84e42eca0760d46ed07dfd5a30a76a21a9f1e..9a5c66b39fed2911d94ddd4caa0a5bc9989cb349 100644 (file)
@@ -28,10 +28,8 @@ static char rcsid_kkdcr2kdcr_c[] =
 
 struct type_KRB5_TGS__REP *
 krb5_kdc_rep2KRB5_KDC__REP(DECLARG(const register krb5_kdc_rep *,val),
-                          DECLARG(const krb5_msgtype, type),
                           DECLARG(register int *,error))
 OLDDECLARG(const register krb5_kdc_rep *,val)
-OLDDECLARG(const krb5_msgtype, type)
 OLDDECLARG(register int *,error)
 {
     register struct type_KRB5_TGS__REP *retval;
@@ -44,7 +42,14 @@ OLDDECLARG(register int *,error)
     xbzero(retval, sizeof(*retval));
 
     retval->pvno = KRB5_PVNO;
-    retval->msg__type = type;
+    retval->msg__type = val->msg_type;
+
+    if (val->padata) {
+       retval->padata = krb5_pa_data2KRB5_PA__DATA(val->padata, error);
+       if (*error) {
+           goto errout;
+       }
+    }
 
     retval->crealm = krb5_data2qbuf(val->client[0]);
     if (!retval->crealm) {
index c7894e8abeab11bc817e16a571c9a4bb7359da10..d43c913be4d5876100b9d183e31ed300a7f530a4 100644 (file)
@@ -47,20 +47,29 @@ register int *error;
        *error = ENOMEM;
        return(0);
     }
-    retval->timestamp = unix2gentime(val->timestamp, error);
-    if (!retval->timestamp) {
-    errout:
-       free_KRB5_EncKrbPrivPart(retval);
-       return(0);
+    if (val->timestamp) {
+       retval->timestamp = unix2gentime(val->timestamp, error);
+       if (!retval->timestamp) {
+       errout:
+           free_KRB5_EncKrbPrivPart(retval);
+           return(0);
+       }
+       retval->usec = val->usec;
+       retval->optionals |= opt_KRB5_EncKrbPrivPart_usec;
     }
-    retval->msec = val->msec;
     retval->s__address = krb5_addr2KRB5_HostAddress(val->s_address, error);
     if (!retval->s__address) {
        goto errout;
     }
-    retval->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error);
-    if (!retval->r__address) {
-       goto errout;
+    if (val->r_address) {
+       retval->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error);
+       if (!retval->r__address) {
+           goto errout;
+       }
+    }
+    if (val->seq_number) {
+       retval->seq__number = val->seq_number;
+       retval->optionals |= opt_KRB5_EncKrbPrivPart_seq__number;
     }
     return(retval);
 }
index 8412847d2fd1702238fe2d0c9fe9d1fb2df449b7..4fe6b8a21412dab52a2cee1c0fb59b55dfb42e3b 100644 (file)
@@ -33,7 +33,8 @@ const register krb5_safe *val;
 register int *error;
 {
     register struct type_KRB5_KRB__SAFE *retval;
+    register struct type_KRB5_KRB__SAFE__BODY *rv2;
+
     retval = (struct type_KRB5_KRB__SAFE *)xmalloc(sizeof(*retval));
     if (!retval) {
        *error = ENOMEM;
@@ -41,33 +42,50 @@ register int *error;
     }
     xbzero(retval, sizeof(*retval));
 
+    rv2 = (struct type_KRB5_KRB__SAFE__BODY *)xmalloc(sizeof(*rv2));
+    if (!rv2) {
+       xfree(retval);
+       *error = ENOMEM;
+       return(0);
+    }
+
     retval->pvno = KRB5_PVNO;
     retval->msg__type = KRB5_SAFE;
+    retval->safe__body = rv2;
 
-    retval->user__data = krb5_data2qbuf(&(val->user_data));
-    if (!retval->user__data) {
+    rv2->user__data = krb5_data2qbuf(&(val->user_data));
+    if (!rv2->user__data) {
        xfree(retval);
        *error = ENOMEM;
        return(0);
     }
-    retval->timestamp = unix2gentime(val->timestamp, error);
-    if (!retval->timestamp) {
-    errout:
-       free_KRB5_KRB__SAFE(retval);
-       return(0);
+    if (val->timestamp) {
+       rv2->timestamp = unix2gentime(val->timestamp, error);
+       if (!rv2->timestamp) {
+       errout:
+           free_KRB5_KRB__SAFE(retval);
+           return(0);
+       }
+       rv2->usec = val->usec;
+       rv2->optionals |= opt_KRB5_KRB__SAFE__BODY_usec;
     }
-    retval->msec = val->msec;
-    retval->s__address = krb5_addr2KRB5_HostAddress(val->s_address, error);
-    if (!retval->s__address) {
+    rv2->s__address = krb5_addr2KRB5_HostAddress(val->s_address, error);
+    if (!rv2->s__address) {
        goto errout;
     }
-    retval->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error);
-    if (!retval->r__address) {
-       goto errout;
+    if (val->r_address) {
+       rv2->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error);
+       if (!rv2->r__address) {
+           goto errout;
+       }
     }
     retval->cksum = krb5_checksum2KRB5_Checksum(val->checksum, error);
     if (!retval->cksum) {
        goto errout;
     }
+    if (val->seq_number) {
+       rv2->seq__number = val->seq_number;
+       rv2->optionals |= opt_KRB5_KRB__SAFE__BODY_seq__number;
+    }
     return(retval);
 }
index c971c7834df576aa885d76797e129bbe594ecdc9..348074b6ce6a3b2075fbb6aea7a38b1534eef0b5 100644 (file)
@@ -33,7 +33,7 @@ const register krb5_kdc_req *val;
 register int *error;
 {
     register struct type_KRB5_KDC__REQ__BODY *retval;
-    
+
     retval = (struct type_KRB5_KDC__REQ__BODY *)xmalloc(sizeof(*retval));
     if (!retval) {
        *error = ENOMEM;
@@ -80,12 +80,22 @@ register int *error;
            goto errout;
        }
     }
-    retval->ctime = unix2gentime(val->ctime, error);
-    if (!retval->ctime) {
+    retval->nonce = val->nonce;
+    retval->etype = (struct element_KRB5_8 *)malloc(sizeof(*retval->etype)+
+                                                   max(0,val->netypes-1)*sizeof(integer));
+    if (!retval->etype)
        goto errout;
+    
+#if 0
+    for (i = 0; i < val->netypes; i++) {
+       retval->etype->element_KRB5_9[i] = val->etype[i];
     }
-    retval->nonce = val->nonce;
-    retval->etype = val->etype;
+    retval->etype->nelem = val->netypes;
+#else
+    /* XXX !@#*)@# busted ASN.1 compiler */
+    retval->etype->element_KRB5_9 = val->etype[0];
+    retval->etype->nelem = 1;
+#endif
  
     if (val->addresses) {
        retval->addresses =
@@ -94,22 +104,22 @@ register int *error;
            goto errout;
        }
     }
-    if (val->authorization_data) {
+    if (val->authorization_data.ciphertext.data) {
        retval->authorization__data =
-           krb5_authdata2KRB5_AuthorizationData(val->authorization_data,
+           krb5_enc_data2KRB5_EncryptedData(&(val->authorization_data),
                                                 error);
        if (!retval->authorization__data)
            goto errout;
     }
     if (val->second_ticket) {
-       struct element_KRB5_6 *adtk;
+       struct element_KRB5_10 *adtk;
        krb5_ticket * const *temp;
        register int i;
 
        /* count elements */
        for (i = 0, temp = val->second_ticket; *temp; temp++,i++);
 
-       adtk = (struct element_KRB5_6 *)xmalloc(sizeof(*adtk) +
+       adtk = (struct element_KRB5_10 *)xmalloc(sizeof(*adtk) +
                                                max(0,i-1)*sizeof(adtk->Ticket));
        if (!adtk) {
            *error = ENOMEM;
@@ -131,8 +141,8 @@ register int *error;
        }
        retval->additional__tickets = adtk;
     } else {
-       struct element_KRB5_6 *adtk;
-       adtk = (struct element_KRB5_6 *)xmalloc(sizeof(*adtk));
+       struct element_KRB5_10 *adtk;
+       adtk = (struct element_KRB5_10 *)xmalloc(sizeof(*adtk));
        if (!adtk) {
            *error = ENOMEM;
            goto errout;
@@ -160,16 +170,16 @@ register int *error;
     xbzero(retval, sizeof(*retval));
     retval->pvno = KRB5_PVNO;
     retval->msg__type = val->msg_type;
-    retval->padata__type = val->padata_type;
-    retval->padata = krb5_data2qbuf(&(val->padata));
-    if (!retval->padata) {
-       xfree(retval);
-       *error = ENOMEM;
-       return(0);
+    if (val->padata) {
+       retval->padata = krb5_pa_data2KRB5_PA__DATA(val->padata, error);
+       if (*error) {
+           xfree(retval);
+           return 0;
+       }
     }
     retval->req__body = krb5_kdc_req2KRB5_KDC__REQ__BODY(val, error);
     if (!retval->req__body) {
-       xfree(retval);
+       free_KRB5_TGS__REQ(retval);
        return(0);
     }
     return(retval);
index 1365fb89e02a9b1f70581131ebfd2c9d52cefe91..8f60549448d888e7d9667939af7a9d2f8bd3f899 100644 (file)
@@ -33,5 +33,5 @@ const register krb5_kdc_rep *val;
 register int *error;
 {
     return (struct type_KRB5_TGS__REP *)
-       krb5_kdc_rep2KRB5_KDC__REP(val, KRB5_TGS_REP, error);
+       krb5_kdc_rep2KRB5_KDC__REP(val, error);
 }
index d3c0333380b21d83ad99e1f33180742d303ce7f1..8360b70e36c0f8ba9f0d3ff11ac198c8b6e6f673 100644 (file)
@@ -50,20 +50,33 @@ register int *error;
        xfree(retval);
        return(0);
     }
-    retval->timestamp = gentime2unix(val->timestamp, error);
-    if (*error) {
-    errout:
-       krb5_free_priv_enc_part(retval);
-       return(0);
+    if (val->timestamp) {
+       if (!(val->optionals & opt_KRB5_EncKrbPrivPart_usec)) {
+           /* must have usec if we have timestamp */
+           *error = ISODE_50_LOCAL_ERR_BADCOMBO;
+           goto errout;
+       }
+
+       retval->timestamp = gentime2unix(val->timestamp, error);
+       if (*error) {
+       errout:
+           krb5_free_priv_enc_part(retval);
+           return(0);
+       }
+       retval->usec = val->usec;
     }
-    retval->msec = val->msec;
     retval->s_address = KRB5_HostAddress2krb5_addr(val->s__address, error);
     if (!retval->s_address) {
        goto errout;
     }
-    retval->r_address = KRB5_HostAddress2krb5_addr(val->r__address, error);
-    if (!retval->r_address) {
-       goto errout;
+    if (val->r__address) {
+       retval->r_address = KRB5_HostAddress2krb5_addr(val->r__address, error);
+       if (!retval->r_address) {
+           goto errout;
+       }
+    }
+    if (val->optionals & opt_KRB5_EncKrbPrivPart_seq__number) {
+       retval->seq_number = val->seq__number;
     }
     return(retval);
 }
index 106685223ce79708db72057f5009c9386fe8a42b..05919e45ce67be481e123ffd8238b9b939d699f7 100644 (file)
@@ -42,7 +42,7 @@ register int *error;
     }
     xbzero(retval, sizeof(*retval));
 
-    temp = qbuf2krb5_data(val->user__data, error);
+    temp = qbuf2krb5_data(val->safe__body->user__data, error);
     if (temp) {
        retval->user_data = *temp;
        xfree(temp);
@@ -50,24 +50,39 @@ register int *error;
        xfree(retval);
        return(0);
     }
-    retval->timestamp = gentime2unix(val->timestamp, error);
-    if (*error) {
-    errout:
-       krb5_free_safe(retval);
-       return(0);
+    if (val->safe__body->timestamp) {
+       if (!(val->safe__body->optionals & opt_KRB5_KRB__SAFE__BODY_usec)) {
+           /* must have usec if we have timestamp */
+           *error = ISODE_50_LOCAL_ERR_BADCOMBO;
+           goto errout;
+       }
+       retval->timestamp = gentime2unix(val->safe__body->timestamp, error);
+       if (*error) {
+       errout:
+           krb5_free_safe(retval);
+           return(0);
+       }
+       retval->usec = val->safe__body->usec;
     }
-    retval->msec = val->msec;
-    retval->s_address = KRB5_HostAddress2krb5_addr(val->s__address, error);
+    retval->s_address = KRB5_HostAddress2krb5_addr(val->safe__body->s__address,
+                                                  error);
     if (!retval->s_address) {
        goto errout;
     }
-    retval->r_address = KRB5_HostAddress2krb5_addr(val->r__address, error);
-    if (!retval->r_address) {
-       goto errout;
+    if (val->safe__body->r__address) {
+       retval->r_address =
+           KRB5_HostAddress2krb5_addr(val->safe__body->r__address, error);
+       if (!retval->r_address) {
+           goto errout;
+       }
     }
-    retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum, error);
+    retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum,
+                                                  error);
     if (!retval->checksum) {
        goto errout;
     }
+    if (val->safe__body->optionals & opt_KRB5_KRB__SAFE__BODY_seq__number) {
+       retval->seq_number = val->safe__body->seq__number;
+    }
     return(retval);
 }
index 8721145aabed23e6cbced226dc3a02e420e6e0ed..e6fcb10d22fae5ecac695c12d79eed382fe2d6a1 100644 (file)
@@ -26,6 +26,9 @@ static char rcsid_tgrq2ktgrq_c[] =
 #include <krb5/ext-proto.h>
 
 /* ISODE defines max(a,b) */
+#ifndef min
+#define min(a,b) ((a) < (b) ? (a) : (b))
+#endif
 
 krb5_kdc_req *
 KRB5_KDC__REQ__BODY2krb5_kdc_req(val, error)
@@ -33,6 +36,7 @@ const register struct type_KRB5_KDC__REQ__BODY *val;
 register int *error;
 {
     register krb5_kdc_req *retval;
+    krb5_enc_data *temp;
 
     retval = (krb5_kdc_req *)xmalloc(sizeof(*retval));
     if (!retval) {
@@ -74,14 +78,21 @@ register int *error;
            goto errout;
        }
     }
-    retval->ctime = gentime2unix(val->ctime, error);
-    if (*error) {
-       goto errout;
-    }
     retval->nonce = val->nonce;
 
-    retval->etype = val->etype;
-
+    retval->etype = (krb5_enctype *) xmalloc(sizeof(*(retval->etype))*min(1,val->etype->nelem));
+    if (!retval->etype)
+       goto errout;
+#if 0
+    for (i = 0; i < val->etype->nelem; i++) {
+       retval->etype[i] = val->etype->element_KRB5_9[i];
+    }
+    val->netypes = val->etype->nelem;
+#else
+    /* XXX @#$#@ broken ASN.1 compiler */
+    retval->etype[0] = val->etype->element_KRB5_9;
+    retval->netypes = 1;
+#endif
 
     if (val->addresses) {
        retval->addresses =
@@ -91,16 +102,17 @@ register int *error;
        }
     }
     if (val->authorization__data) {
-       retval->authorization_data =
-           KRB5_AuthorizationData2krb5_authdata(val->
-                                                authorization__data,
-                                                error);
-       if (*error)
+       temp = KRB5_EncryptedData2krb5_enc_data(val->authorization__data,
+                                               error);
+       if (temp) {
+           retval->authorization_data = *temp;
+           xfree(temp);
+       } else
            goto errout;
     }
     if (val->additional__tickets) {
        register krb5_ticket **aticks;
-        register struct element_KRB5_6 *tptr;
+        register struct element_KRB5_10 *tptr;
        register int i;
 
        tptr = val->additional__tickets;
@@ -128,19 +140,14 @@ const register struct type_KRB5_TGS__REQ *val;
 register int *error;
 {
     register krb5_kdc_req *retval;
-    krb5_data *temp;
 
     if (!(retval = KRB5_KDC__REQ__BODY2krb5_kdc_req(val->req__body, error)))
        return retval;
 
     retval->msg_type = val->msg__type;
-    retval->padata_type = val->padata__type;
     if (val->padata) {
-       temp = qbuf2krb5_data(val->padata, error);
-       if (temp) {
-           retval->padata = *temp;
-           xfree(temp);
-       } else {
+       retval->padata = KRB5_PA__DATA2krb5_pa_data(val->padata, error);
+       if (!retval->padata) {
            krb5_free_kdc_req(retval);
            return(0);
        }
index 7780d7fefea622bca8530dab124c374ce5add93e..d0ecd37749636a41eb1ce6e457b51c67a573caac 100644 (file)
@@ -14,6 +14,7 @@ OBJS= \
        f_address.o     \
        f_ap_rep.o      \
        f_ap_req.o      \
+       f_arep_enc.o    \
        f_authdata.o    \
        f_authent.o     \
        f_cksum.o       \
@@ -26,6 +27,7 @@ OBJS= \
        f_kdc_req.o     \
        f_keyblock.o    \
        f_last_req.o    \
+       f_padata.o      \
        f_princ.o       \
        f_priv.o        \
        f_priv_enc.o    \
@@ -37,6 +39,7 @@ OBJS= \
 SRCS=  \
        f_addr.c        \
        f_address.c     \
+       f_arep_enc.c    \
        f_ap_rep.c      \
        f_ap_req.c      \
        f_authdata.c    \
@@ -51,6 +54,7 @@ SRCS= \
        f_kdc_req.c     \
        f_keyblock.c    \
        f_last_req.c    \
+       f_padata.c      \
        f_princ.c       \
        f_priv.c        \
        f_priv_enc.c    \
index c5d26d0366f3720fba3f7ac794b446568894a0e4..59d90f045b698fcdaff8757313d1442b69e085d4 100644 (file)
@@ -25,8 +25,11 @@ krb5_authdata **val;
 {
     register krb5_authdata **temp;
 
-    for (temp = val; *temp; temp++)
+    for (temp = val; *temp; temp++) {
+       if ((*temp)->contents)
+           xfree((*temp)->contents);
        xfree(*temp);
+    }
     xfree(val);
     return;
 }
index 029c1b7630eaf648a80b73636328ddafada9def2..19b21583eed99d9252b0fab398a22c16544153b4 100644 (file)
@@ -27,6 +27,8 @@ krb5_authenticator *val;
        xfree(val->checksum);
     if (val->client)
        krb5_free_principal(val->client);
+    if (val->subkey)
+       krb5_free_keyblock(val->subkey);
     xfree(val);
     return;
 }
index 66a1dfde8ee2dcc73f8e683b428ff6e70fd57a8b..2b042b61d7a8164eff85eaa66a3132b1b89d4076 100644 (file)
@@ -27,8 +27,8 @@ krb5_enc_tkt_part *val;
        krb5_free_keyblock(val->session);
     if (val->client)
        krb5_free_principal(val->client);
-    if (val->transited.data)
-       xfree(val->transited.data);
+    if (val->transited.tr_contents.data)
+       xfree(val->transited.tr_contents.data);
     if (val->caddrs)
        krb5_free_address(val->caddrs);
     if (val->authorization_data)
index 398d31ede1b418e83a2f5801e22e8453b7838027..f22b29b8b2ebbe4453306f4297c7becdcade01ab 100644 (file)
@@ -23,6 +23,8 @@ void
 krb5_free_kdc_rep(val)
 krb5_kdc_rep *val;
 {
+    if (val->padata)
+       krb5_free_pa_data(val->padata);
     if (val->client)
        krb5_free_principal(val->client);
     if (val->ticket)
index 62f43eacd3fd35140df500b40c7edce275651833..69a8aff6a70314b44fb580f3968e7f96072a1936 100644 (file)
@@ -23,16 +23,18 @@ void
 krb5_free_kdc_req(val)
 krb5_kdc_req *val;
 {
-    if (val->padata.data)
-       xfree(val->padata.data);
+    if (val->padata)
+       krb5_free_pa_data(val->padata);
     if (val->client)
        krb5_free_principal(val->client);
     if (val->server)
        krb5_free_principal(val->server);
     if (val->addresses)
        krb5_free_address(val->addresses);
-    if (val->authorization_data)
-       krb5_free_authdata(val->authorization_data);
+    if (val->authorization_data.ciphertext.data)
+       xfree(val->authorization_data.ciphertext.data);
+    if (val->unenc_authdata)
+       krb5_free_authdata(val->unenc_authdata);
     if (val->second_ticket)
        krb5_free_tickets(val->second_ticket);
     xfree(val);
index f2f8555b94df05fc08e77b4633b739b3ec48a607..885bead9bf14f4a8315634bc6ba2df5c2cc7632b 100644 (file)
@@ -40,6 +40,7 @@ OBJS= addr_comp.o     \
        mk_req_ext.o    \
        mk_safe.o       \
        parse.o         \
+       pr_to_salt.o    \
        princ_comp.o    \
        rd_error.o      \
        rd_priv.o       \
@@ -84,6 +85,7 @@ SRCS= addr_comp.c     \
        mk_req_ext.c    \
        mk_safe.c       \
        parse.c         \
+       pr_to_salt.c    \
        princ_comp.c    \
        rd_error.c      \
        rd_priv.c       \
@@ -98,3 +100,4 @@ SRCS=        addr_comp.c     \
        walk_rtree.c
 
 OtherdirLibraryTarget($(TOP)/lib,krb5,$(OBJS))
+INCLUDES=-I../../include
index c66d082b709d537d2a900652515f9ffddfcc4d38..ec6a9d4ec542df25fab2a83c3684da461f02920d 100644 (file)
@@ -27,7 +27,6 @@ krb5_enc_tkt_part **partto;
 {
     krb5_error_code retval;
     krb5_enc_tkt_part *tempto;
-    krb5_data *scratch;
 
     if (!(tempto = (krb5_enc_tkt_part *)malloc(sizeof(*tempto))))
        return ENOMEM;
@@ -48,16 +47,20 @@ krb5_enc_tkt_part **partto;
        xfree(tempto);
        return retval;
     }
-    if (retval = krb5_copy_data(&partfrom->transited, &scratch)) {
+    tempto->transited = partfrom->transited;
+    tempto->transited.tr_contents.data =
+       malloc(sizeof(partfrom->transited.tr_contents.length));
+    if (!tempto->transited.tr_contents.data) {
        krb5_free_principal(tempto->client);
        krb5_free_keyblock(tempto->session);
        xfree(tempto);
        return retval;
     }
-    tempto->transited = *scratch;
-    xfree(scratch);
+    memcpy((char *)tempto->transited.tr_contents.data,
+          (char *)partfrom->transited.tr_contents.data,
+          partfrom->transited.tr_contents.length);
     if (retval = krb5_copy_addresses(partfrom->caddrs, &tempto->caddrs)) {
-       xfree(tempto->transited.data);
+       xfree(tempto->transited.tr_contents.data);
        krb5_free_principal(tempto->client);
        krb5_free_keyblock(tempto->session);
        xfree(tempto);
@@ -67,7 +70,7 @@ krb5_enc_tkt_part **partto;
        if (retval = krb5_copy_authdata(partfrom->authorization_data,
                                        &tempto->authorization_data)) {
            krb5_free_address(tempto->caddrs);
-           xfree(tempto->transited.data);
+           xfree(tempto->transited.tr_contents.data);
            krb5_free_principal(tempto->client);
            krb5_free_keyblock(tempto->session);
            xfree(tempto);
index b05c6fd4949645fbd5464c76cbfd50177a9af401..99efd791f185179c12467adefe70dd2710321a98 100644 (file)
@@ -66,6 +66,7 @@ OLDDECLARG(krb5_creds *, cred)
                               cred->server,
                               tgt->addresses,
                               cred->authdata,
+                              0,               /* no padata */
                               0,               /* no second ticket */
                               tgt, &tgsrep))
        return retval;
@@ -116,6 +117,12 @@ OLDDECLARG(krb5_creds *, cred)
              dec_rep->enc_part2->session->length);\
                  krb5_free_kdc_rep(dec_rep); }
 
+    if (dec_rep->msg_type != KRB5_TGS_REP) {
+       retval = KRB5KRB_AP_ERR_MSG_TYPE;
+       cleanup();
+       return retval;
+    }
+    
     /* now it's decrypted and ready for prime time */
 
     if (!krb5_principal_compare(dec_rep->client, tgt->client)) {
index e690f3650cb4ce7a3dee8fe6a5b4e241ae16021d..4571f669f8eccdd1ac543fcd5bb8d381378e9ae2 100644 (file)
@@ -52,7 +52,7 @@ static char rcsid_get_in_tkt_c[] =
 
 
 extern krb5_deltat krb5_clockskew;
-#define in_clock_skew(date) (abs((date)-request.ctime) < krb5_clockskew)
+#define in_clock_skew(date) (abs((date)-request.nonce) < krb5_clockskew)
 
 /* some typedef's for the function args to make things look a bit cleaner */
 
@@ -60,7 +60,8 @@ extern krb5_deltat krb5_clockskew;
 #include <krb5/widen.h>
 typedef krb5_error_code (*git_key_proc) PROTOTYPE((const krb5_keytype,
                                                   krb5_keyblock **,
-                                                  krb5_const_pointer ));
+                                                  krb5_const_pointer,
+                                                  krb5_pa_data **));
 #include <krb5/narrow.h>
 
 typedef krb5_error_code (*git_decrypt_proc) PROTOTYPE((const krb5_keyblock *,
@@ -95,13 +96,13 @@ OLDDECLARG(krb5_ccache, ccache)
     krb5_data *packet;
     krb5_data reply;
     krb5_keyblock *decrypt_key;
+    krb5_enctype etypes[1];
+    krb5_timestamp time_now;
 
     request.msg_type = KRB5_AS_REQ;
 
     /* AS_REQ has no pre-authentication. */
-    request.padata_type = 0;
-    request.padata.data = 0;
-    request.padata.length = 0;
+    request.padata = 0;
 
     request.kdc_options = options;
     request.client = creds->client;
@@ -110,14 +111,20 @@ OLDDECLARG(krb5_ccache, ccache)
     request.from = creds->times.starttime;
     request.till = creds->times.endtime;
     request.rtime = creds->times.renew_till;
-    if (retval = krb5_timeofday(&request.ctime))
+    if (retval = krb5_timeofday(&time_now))
        return(retval);
+
     /* XXX we know they are the same size... */
-    request.nonce = (krb5_int32) request.ctime;
-    request.etype = etype;
+    request.nonce = (krb5_int32) time_now;
+
+    etypes[0] = etype;
+    request.etype = etypes;
+    request.netypes = 1;
     request.addresses = (krb5_address **) addrs;
     request.second_ticket = 0;
-    request.authorization_data = 0;
+    request.authorization_data.ciphertext.length = 0;
+    request.authorization_data.ciphertext.data = 0;
+    request.unenc_authdata = 0;
 
     /* encode & send to KDC */
     if (retval = encode_krb5_as_req(&request, &packet))
@@ -129,14 +136,12 @@ OLDDECLARG(krb5_ccache, ccache)
 
     /* now decode the reply...could be error or as_rep */
 
-    if (!krb5_is_as_rep(&reply) && !krb5_is_krb_error(&reply))
-           return KRB5KRB_AP_ERR_MSG_TYPE;
-    if (retval = decode_krb5_as_rep(&reply, &as_reply)) {
-       if (decode_krb5_error(&reply, &err_reply))
-           return retval;              /* some other reply--??? */
+    if (krb5_is_krb_error(&reply)) {
+       if (retval = decode_krb5_error(&reply, &err_reply))
+            return retval;              /* some other reply--??? */
        /* it was an error */
 
-       if ((err_reply->ctime != request.ctime) ||
+       if ((err_reply->ctime != request.nonce) ||
            !krb5_principal_compare(err_reply->server, request.server) ||
            !krb5_principal_compare(err_reply->client, request.client))
            retval = KRB5_KDCREP_MODIFIED;
@@ -149,10 +154,19 @@ OLDDECLARG(krb5_ccache, ccache)
        return retval;
     }
 
+    if (!krb5_is_as_rep(&reply))
+       return KRB5KRB_AP_ERR_MSG_TYPE;
+    if (retval = decode_krb5_as_rep(&reply, &as_reply))
+       return retval;          /* some other reply--??? */
+
+    if (as_reply->msg_type != KRB5_AS_REP)
+        return KRB5KRB_AP_ERR_MSG_TYPE;
+
     /* it was a kdc_rep--decrypt & check */
 
     /* generate the key */
-    if (retval = (*key_proc)(keytype, &decrypt_key, keyseed)) {
+    if (retval = (*key_proc)(keytype, &decrypt_key, keyseed,
+                            as_reply->padata)) {
        krb5_free_kdc_rep(as_reply);
        return retval;
     }
@@ -166,6 +180,9 @@ OLDDECLARG(krb5_ccache, ccache)
     }
 
     /* check the contents for sanity: */
+    if (!as_reply->enc_part2->times.starttime)
+       as_reply->enc_part2->times.starttime =
+           as_reply->enc_part2->times.authtime;
     if (!krb5_principal_compare(as_reply->client, request.client)
        || !krb5_principal_compare(as_reply->enc_part2->server, request.server)
        || !krb5_principal_compare(as_reply->ticket->server, request.server)
index 8c610e937f6e39205bd9eaafe238e0e52e1e3c71..78b9ed6dc5dea02d47e8ae85cc7dfa015c62654d 100644 (file)
@@ -34,42 +34,74 @@ extern char *krb5_default_pwd_prompt1;
 static krb5_error_code
 pwd_keyproc(DECLARG(const krb5_keytype, type),
            DECLARG(krb5_keyblock **, key),
-           DECLARG(krb5_const_pointer, keyseed))
+            DECLARG(krb5_const_pointer, keyseed),
+            DECLARG(krb5_pa_data **,padata))
 OLDDECLARG(const krb5_keytype, type)
 OLDDECLARG(krb5_keyblock **, key)
 OLDDECLARG(krb5_const_pointer, keyseed)
+OLDDECLARG(krb5_pa_data **,padata)
 {
+    krb5_data salt;
     krb5_error_code retval;
-    struct pwd_keyproc_arg *arg, arg2;
+    const struct pwd_keyproc_arg *arg;
+    struct pwd_keyproc_arg arg2;
     char pwdbuf[BUFSIZ];
     int pwsize = sizeof(pwdbuf);
+    char f_salt = 0, use_salt = 0;
 
     if (!valid_keytype(type))
        return KRB5_PROG_KEYTYPE_NOSUPP;
 
-    arg = (struct pwd_keyproc_arg *)keyseed;
+    if (padata) {
+        krb5_pa_data **ptr;
+
+        for (ptr = padata; *ptr; ptr++)
+        {
+            if ((*ptr)->pa_type == KRB5_PADATA_PW_SALT)
+            {
+                /* use KDC-supplied salt, instead of default */
+                salt.length = (*ptr)->length;
+                salt.data = (char *)(*ptr)->contents;
+               use_salt = 1;
+                break;
+            }
+        }
+    }
+    arg = (const struct pwd_keyproc_arg *)keyseed;
+    if (!use_salt) {
+       /* need to use flattened principal */
+       if (retval = krb5_principal2salt(arg->who, &salt))
+           return(retval);
+       f_salt = 1;
+    }
+
     if (!arg->password.length) {
        if (retval = krb5_read_password(krb5_default_pwd_prompt1,
                                        0,
-                                       pwdbuf, &pwsize))
+                                       pwdbuf, &pwsize)) {
+           if (f_salt) xfree(salt.data);
            return retval;
+       }
        arg2 = *arg;
+        arg2.password.length = pwsize;
+        arg2.password.data = pwdbuf;
        arg = &arg2;
-       arg->password.length = pwsize;
-       arg->password.data = pwdbuf;
     }
     *key = (krb5_keyblock *)malloc(sizeof(**key));
-    if (!*key)
+    if (!*key) {
+       if (f_salt) xfree(salt.data);
        return ENOMEM;
-    
+    }    
     if (retval = (*krb5_keytype_array[type]->system->
                  string_to_key)(type,
                                 *key,
                                 &arg->password,
-                                arg->who)) {
+                                 &salt)) {
        free((char *) *key);
+       if (f_salt) xfree(salt.data);
        return(retval);
     }
+    if (f_salt) xfree(salt.data);
     return 0;
 }
 
index 136188d7eeedbac2ec4d9373efe785198f1a53fd..904ef6201b3f7b543e6ae1972677d06223893caf 100644 (file)
@@ -22,7 +22,7 @@ static char rcsid_in_tkt_skey_c [] =
 #include <krb5/ext-proto.h>
 
 struct skey_keyproc_arg {
-    krb5_keyblock *key;
+    const krb5_keyblock *key;
     krb5_principal server;             /* it's a pointer, really! */
 };
 
@@ -34,10 +34,12 @@ struct skey_keyproc_arg {
 static krb5_error_code
 skey_keyproc(DECLARG(const krb5_keytype, type),
             DECLARG(krb5_keyblock **, key),
-            DECLARG(krb5_const_pointer, keyseed))
+            DECLARG(krb5_const_pointer, keyseed),
+            DECLARG(krb5_pa_data **, padata))
 OLDDECLARG(const krb5_keytype, type)
 OLDDECLARG(krb5_keyblock **, key)
 OLDDECLARG(krb5_const_pointer, keyseed)
+OLDDECLARG(krb5_pa_data **,padata)
 {
     krb5_keyblock *realkey;
     const struct skey_keyproc_arg *arg;
@@ -129,7 +131,7 @@ OLDDECLARG(krb5_creds *, creds)
     krb5_keytype keytype;
 
     if (key) {
-       arg.key = (krb5_keyblock *)key;
+       arg.key = key;
        arg.server = 0;
        keytype = key->keytype;
     } else {
index 5a89400b76598e30b3b70eee2f35732a58e768c0..483b1007b5cedcbcad623a78c26864808bac584e 100644 (file)
@@ -42,15 +42,19 @@ krb5_error_code
 krb5_mk_priv(DECLARG(const krb5_data *, userdata),
             DECLARG(const krb5_enctype, etype),
             DECLARG(const krb5_keyblock *, key),
-            DECLARG(const krb5_fulladdr *, sender_addr),
-            DECLARG(const krb5_fulladdr *, recv_addr),
+            DECLARG(const krb5_address *, sender_addr),
+            DECLARG(const krb5_address *, recv_addr),
+            DECLARG(krb5_int32, seq_number),
+            DECLARG(krb5_int32, priv_flags),
             DECLARG(krb5_pointer, i_vector),
             DECLARG(krb5_data *, outbuf))
 OLDDECLARG(const krb5_data *, userdata)
 OLDDECLARG(const krb5_enctype, etype)
 OLDDECLARG(const krb5_keyblock *, key)
-OLDDECLARG(const krb5_fulladdr *, sender_addr)
-OLDDECLARG(const krb5_fulladdr *, recv_addr)
+OLDDECLARG(const krb5_address *, sender_addr)
+OLDDECLARG(const krb5_address *, recv_addr)
+OLDDECLARG(krb5_int32, seq_number)
+OLDDECLARG(krb5_int32, priv_flags)
 OLDDECLARG(krb5_pointer, i_vector)
 OLDDECLARG(krb5_data *, outbuf)
 {
@@ -66,19 +70,21 @@ OLDDECLARG(krb5_data *, outbuf)
     privmsg.enc_part.kvno = 0; /* XXX allow user-set? */
 
     privmsg_enc_part.user_data = *userdata;
-    privmsg_enc_part.s_address = sender_addr->address;
-    privmsg_enc_part.r_address = recv_addr->address;
-
-    if (retval = krb5_ms_timeofday(&privmsg_enc_part.timestamp,
-                                  &privmsg_enc_part.msec))
-       return retval;
-
-    if (krb5_fulladdr_order(sender_addr, recv_addr) > 0)
-       privmsg_enc_part.msec =
-           (privmsg_enc_part.msec & MSEC_VAL_MASK) | MSEC_DIRBIT;
+    privmsg_enc_part.s_address = (krb5_address *)sender_addr;
+    if (recv_addr)
+       privmsg_enc_part.r_address = (krb5_address *)recv_addr;
     else
-       /* this should be a no-op, but just to be sure... */
-       privmsg_enc_part.msec = privmsg_enc_part.msec & MSEC_VAL_MASK;
+       privmsg_enc_part.r_address = 0;
+
+    if (!(priv_flags & KRB5_PRIV_NOTIME)) {
+       if (retval = krb5_us_timeofday(&privmsg_enc_part.timestamp,
+                                      &privmsg_enc_part.usec))
+           return retval;
+    }
+    if (priv_flags & KRB5_PRIV_DOSEQUENCE) {
+       privmsg_enc_part.seq_number = seq_number;
+    } else
+       privmsg_enc_part.seq_number = 0;
 
     /* start by encoding to-be-encrypted part of the message */
 
index c539d64724cddf71a435faa0a6785944a448fb48..24e5bc78f76843e218a371bdf391c8441b7f5bf3 100644 (file)
@@ -73,6 +73,8 @@ krb5_data *outbuf;
                                  checksum,
                                  &creds.times,
                                  krb5_kdc_default_options,
+                                 0,    /* no sequence number */
+                                 0,    /* no sub-key */
                                  ccache,
                                  &creds,
                                  0,    /* We don't need the authenticator */
index 1041fdcc20cdd1d7f4e2899eedc9f05d924b425f..6a5ce9c3844fd28b8d86f8262c8a1f01abf6fd1a 100644 (file)
@@ -58,15 +58,19 @@ static char rcsid_mk_req_ext_c[] =
 */
 static krb5_error_code generate_authenticator PROTOTYPE((krb5_authenticator *,
                                                         const krb5_creds *,
-                                                        const krb5_checksum *));
+                                                        const krb5_checksum *,
+                                                        krb5_keyblock *,
+                                                        krb5_int32 ));
 
 krb5_error_code
-krb5_mk_req_extended(ap_req_options, checksum, times, kdc_options, ccache,
-                    creds, authentp, outbuf)
+krb5_mk_req_extended(ap_req_options, checksum, times, kdc_options,
+                    sequence, newkey, ccache, creds, authentp, outbuf)
 const krb5_flags ap_req_options;
 const krb5_checksum *checksum;
 const krb5_ticket_times *times;
 const krb5_flags kdc_options;
+krb5_int32 sequence;
+krb5_keyblock *newkey;
 krb5_ccache ccache;
 krb5_creds *creds;
 krb5_authenticator *authentp;
@@ -107,7 +111,8 @@ krb5_data *outbuf;
        return(retval);
 
 #define cleanup_ticket() krb5_free_ticket(request.ticket)
-    if (retval = generate_authenticator(&authent, creds, checksum)) {
+    if (retval = generate_authenticator(&authent, creds, checksum, newkey,
+                                       sequence)) {
        cleanup_ticket();
        return retval;
     }
@@ -203,13 +208,17 @@ request.authenticator.ciphertext.data = 0;}
 }
 
 static krb5_error_code
-generate_authenticator(authent, creds, cksum)
+generate_authenticator(authent, creds, cksum, key, seq_number)
 krb5_authenticator *authent;
 const krb5_creds *creds;
 const krb5_checksum *cksum;
+krb5_keyblock *key;
+krb5_int32 seq_number;
 {
     authent->client = creds->client;
     authent->checksum = (krb5_checksum *)cksum;
+    authent->subkey = key;
+    authent->seq_number = seq_number;
 
-    return(krb5_ms_timeofday(&authent->ctime, &authent->cmsec));
+    return(krb5_us_timeofday(&authent->ctime, &authent->cusec));
 }
index 975d0cb8f74fd27e1e655387e689e4295da9b0a5..12fb9638efacf112a8d1770cc5e8c0af718856b8 100644 (file)
@@ -41,14 +41,18 @@ krb5_error_code
 krb5_mk_safe(DECLARG(const krb5_data *, userdata),
             DECLARG(const krb5_cksumtype, sumtype),
             DECLARG(const krb5_keyblock *, key),
-            DECLARG(const krb5_fulladdr *, sender_addr),
-            DECLARG(const krb5_fulladdr *, recv_addr),
+            DECLARG(const krb5_address *, sender_addr),
+            DECLARG(const krb5_address *, recv_addr),
+            DECLARG(krb5_int32, seq_number),
+            DECLARG(krb5_int32, safe_flags),
             DECLARG(krb5_data *, outbuf))
 OLDDECLARG(const krb5_data *, userdata)
 OLDDECLARG(const krb5_cksumtype, sumtype)
 OLDDECLARG(const krb5_keyblock *, key)
-OLDDECLARG(const krb5_fulladdr *, sender_addr)
-OLDDECLARG(const krb5_fulladdr *, recv_addr)
+OLDDECLARG(const krb5_address *, sender_addr)
+OLDDECLARG(const krb5_address *, recv_addr)
+OLDDECLARG(krb5_int32, seq_number)
+OLDDECLARG(krb5_int32, safe_flags)
 OLDDECLARG(krb5_data *, outbuf)
 {
     krb5_error_code retval;
@@ -59,20 +63,25 @@ OLDDECLARG(krb5_data *, outbuf)
 
     if (!valid_cksumtype(sumtype))
        return KRB5_PROG_SUMTYPE_NOSUPP;
+    if (!is_coll_proof_cksum(sumtype) || !is_keyed_cksum(sumtype))
+       return KRB5KRB_AP_ERR_INAPP_CKSUM;
 
     safemsg.user_data = *userdata;
-    safemsg.s_address = sender_addr->address;
-    safemsg.r_address = recv_addr->address;
-
-    if (retval = krb5_ms_timeofday(&safemsg.timestamp, &safemsg.msec))
-       return retval;
-
-    if (krb5_fulladdr_order(sender_addr, recv_addr) > 0)
-       safemsg.msec = (safemsg.msec & MSEC_VAL_MASK) | MSEC_DIRBIT;
+    safemsg.s_address = (krb5_address *)sender_addr;
+    if (recv_addr)
+       safemsg.r_address = (krb5_address *)recv_addr;
     else
-       /* this should be a no-op, but just to be sure... */
-       safemsg.msec = safemsg.msec & MSEC_VAL_MASK;
+       safemsg.r_address = 0;
 
+    if (!(safe_flags & KRB5_SAFE_NOTIME)) {
+       if (retval = krb5_us_timeofday(&safemsg.timestamp, &safemsg.usec))
+           return retval;
+    }
+    if (safe_flags & KRB5_SAFE_DOSEQUENCE) {
+       safemsg.seq_number = seq_number;
+     } else
+        safemsg.seq_number = 0;
+    
     /* to do the checksum stuff, we need to encode the message with a
        zero-length zero-type checksum, then checksum the encoding, then
        re-encode with the 
index 40602026b0e02239413771016819cc3e9019c277..74013fbe7b88dbc77898d8e1bc709141b8fd81ba 100644 (file)
@@ -30,7 +30,7 @@ krb5_const_principal pr;
 krb5_data *ret;
 {
     int size, offset;
-    krb5_data **prp;
+    krb5_data * const * prp;
     
 
     if (pr == 0) {
index 8cc22dfe1aaf94ed4517b7ea8a733b290f2e1c8c..78607bfcdb97096aee8316ad258de74145c35202 100644 (file)
@@ -49,14 +49,18 @@ Returns system errors, integrity errors.
 krb5_error_code
 krb5_rd_priv(DECLARG(const krb5_data *, inbuf),
             DECLARG(const krb5_keyblock *, key),
-            DECLARG(const krb5_fulladdr *, sender_addr),
-            DECLARG(const krb5_fulladdr *, recv_addr),
+            DECLARG(const krb5_address *, sender_addr),
+            DECLARG(const krb5_address *, recv_addr),
+            DECLARG(krb5_int32, seq_number),
+            DECLARG(krb5_int32, priv_flags),
             DECLARG(krb5_pointer, i_vector),
             DECLARG(krb5_data *, outbuf))
 OLDDECLARG(const krb5_data *, inbuf)
 OLDDECLARG(const krb5_keyblock *, key)
-OLDDECLARG(const krb5_fulladdr *, sender_addr)
-OLDDECLARG(const krb5_fulladdr *, recv_addr)
+OLDDECLARG(const krb5_address *, sender_addr)
+OLDDECLARG(const krb5_address *, recv_addr)
+OLDDECLARG(krb5_int32, seq_number)
+OLDDECLARG(krb5_int32, priv_flags)
 OLDDECLARG(krb5_pointer, i_vector)
 OLDDECLARG(krb5_data *, outbuf)
 {
@@ -66,7 +70,6 @@ OLDDECLARG(krb5_data *, outbuf)
     krb5_priv_enc_part *privmsg_enc_part;
     krb5_data scratch;
     krb5_timestamp currenttime;
-    krb5_ui_2 computed_direction;
 
     if (!krb5_is_krb_priv(inbuf))
        return KRB5KRB_AP_ERR_MSG_TYPE;
@@ -142,25 +145,28 @@ OLDDECLARG(krb5_data *, outbuf)
 #define cleanup_data() {(void)memset(privmsg_enc_part->user_data.data,0,privmsg_enc_part->user_data.length); (void)xfree(privmsg_enc_part->user_data.data);}
 #define cleanup_mesg() {(void)xfree(privmsg_enc_part);}
 
-    if (retval = krb5_timeofday(&currenttime)) {
-       cleanup_data();
-       cleanup_mesg();
-       return retval;
-    }
-    if (!in_clock_skew(privmsg_enc_part->timestamp)) {
-       cleanup_data();
-       cleanup_mesg();  
-       return KRB5KRB_AP_ERR_SKEW;
+    if (!(priv_flags & KRB5_PRIV_NOTIME)) {
+       if (retval = krb5_timeofday(&currenttime)) {
+           cleanup_data();
+           cleanup_mesg();
+           return retval;
+       }
+       if (!in_clock_skew(privmsg_enc_part->timestamp)) {
+           cleanup_data();
+           cleanup_mesg();  
+           return KRB5KRB_AP_ERR_SKEW;
+       }
+       /* replay detection goes here... XXX */
     }
 
-    /* 
-     * check with the replay cache should be inserted here !!!! 
-     */
-
+    if (priv_flags & KRB5_PRIV_DOSEQUENCE)
+       if (privmsg_enc_part->seq_number != seq_number) {
+           cleanup_data();
+           cleanup_mesg();
+           return KRB5KRB_AP_ERR_BADSEQ;
+       }
 
-    if (sender_addr) {
-       krb5_fulladdr temp_sender;
-       krb5_fulladdr temp_recip;
+    if (privmsg_enc_part->r_address) {
        krb5_address **our_addrs;
        
        if (retval = krb5_os_localaddr(&our_addrs)) {
@@ -175,21 +181,8 @@ OLDDECLARG(krb5_data *, outbuf)
            return KRB5KRB_AP_ERR_BADADDR;
        }
        krb5_free_address(our_addrs);
-
-       temp_recip = *recv_addr;
-       temp_recip.address = privmsg_enc_part->r_address;
-
-       temp_sender = *sender_addr;
-       temp_sender.address = privmsg_enc_part->s_address;
-
-       computed_direction = ((krb5_fulladdr_order(&temp_sender, &temp_recip) >
-                              0) ? MSEC_DIRBIT : 0); 
-       if (computed_direction != (privmsg_enc_part->msec & MSEC_DIRBIT)) {
-           cleanup_data();
-           cleanup_mesg();
-           return KRB5KRB_AP_ERR_BADDIRECTION;
-       }
     }
+    /* XXX check sender's address */
 
     /* everything is ok - return data to the user */
 
index cce02cbc16e4913ef97d5b298322141802cb680b..0028ca7dd71f615d6853002c9b39f71b9742d96f 100644 (file)
@@ -81,11 +81,10 @@ krb5_tkt_authent *tktauthent;
     krb5_error_code retval;
     krb5_keyblock *tkt_key;
     krb5_keyblock tkt_key_real;
-    krb5_timestamp currenttime;
+    krb5_timestamp currenttime, starttime;
 
 
-    if ((server != NULL) &&
-       (!krb5_principal_compare(server, req->ticket->server)))
+    if (server && !krb5_principal_compare(server, req->ticket->server))
        return KRB5KRB_AP_WRONG_PRINC;
 
     /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
@@ -162,7 +161,14 @@ krb5_tkt_authent *tktauthent;
        return retval;
     }
     tktauthent->ticket = 0;
-    if (req->ticket->enc_part2->times.starttime - currenttime > krb5_clockskew) {
+
+    /* if starttime is not in ticket, then treat it as authtime */
+    if (req->ticket->enc_part2->times.starttime != 0)
+       starttime = req->ticket->enc_part2->times.starttime;
+    else
+       starttime = req->ticket->enc_part2->times.authtime;
+
+    if (starttime - currenttime > krb5_clockskew) {
        clean_authenticator();
        return KRB5KRB_AP_ERR_TKT_NYV;  /* ticket not yet valid */
     }  
index cd194e5cc8519dbeca4bd39c74e2c203858abfec..b6ab7ddf46c8b90800edf76039cdeabc2960c8ab 100644 (file)
@@ -38,16 +38,17 @@ extern krb5_deltat krb5_clockskew;
  returns system errors, integrity errors
  */
 krb5_error_code
-krb5_rd_safe(inbuf, key, sender_addr, recv_addr, outbuf)
+krb5_rd_safe(inbuf, key, sender_addr, recv_addr, seq_number, safe_flags, outbuf)
 const krb5_data *inbuf;
 const krb5_keyblock *key;
-const krb5_fulladdr *sender_addr;
-const krb5_fulladdr *recv_addr;
+const krb5_address *sender_addr;
+const krb5_address *recv_addr;
+krb5_int32 seq_number;
+krb5_int32 safe_flags;
 krb5_data *outbuf;
 {
     krb5_error_code retval;
     krb5_safe *message;
-    krb5_ui_2 computed_direction;
     krb5_checksum our_cksum, *his_cksum;
     krb5_octet zero_octet = 0;
     krb5_data *scratch;
@@ -63,22 +64,30 @@ krb5_data *outbuf;
 
     if (!valid_cksumtype(message->checksum->checksum_type))
        return KRB5_PROG_SUMTYPE_NOSUPP;
+    if (!is_coll_proof_cksum(message->checksum->checksum_type) ||
+       !is_keyed_cksum(message->checksum->checksum_type))
+       return KRB5KRB_AP_ERR_INAPP_CKSUM;
 
     if (retval = krb5_timeofday(&currenttime)) {
        cleanup();
        return retval;
     }
-    /* in_clock_skew #defined above */
-    if (!in_clock_skew(message->timestamp)) {
-       cleanup();
-       return KRB5KRB_AP_ERR_SKEW;
+    if (!(safe_flags & KRB5_SAFE_NOTIME)) {
+       /* in_clock_skew #defined above */
+       if (!in_clock_skew(message->timestamp)) {
+           cleanup();
+           return KRB5KRB_AP_ERR_SKEW;
+       }
+       /* replay detection goes here... XXX */
     }
 
-    /* replay detection goes here... XXX */
+    if (safe_flags & KRB5_SAFE_DOSEQUENCE)
+       if (message->seq_number != seq_number) {
+           cleanup();
+           return KRB5KRB_AP_ERR_BADSEQ;
+       }
 
-    if (sender_addr) {
-       krb5_fulladdr temp_sender;
-       krb5_fulladdr temp_recip;
+    if (message->r_address) {
        krb5_address **our_addrs;
        
        if (retval = krb5_os_localaddr(&our_addrs)) {
@@ -91,21 +100,10 @@ krb5_data *outbuf;
            return KRB5KRB_AP_ERR_BADADDR;
        }
        krb5_free_address(our_addrs);
-
-       temp_recip = *recv_addr;
-       temp_recip.address = message->r_address;
-
-       temp_sender = *sender_addr;
-       temp_sender.address = message->s_address;
-
-       computed_direction = ((krb5_fulladdr_order(&temp_sender, &temp_recip) >
-                              0) ? MSEC_DIRBIT : 0); 
-       if (computed_direction != (message->msec & MSEC_DIRBIT)) {
-           cleanup();
-           return KRB5KRB_AP_ERR_BADDIRECTION;
-       }
     }
 
+    /* XXX check sender's address */
+
     /* verify the checksum */
     /* to do the checksum stuff, we need to re-encode the message with a
        zero-length zero-type checksum, then checksum the encoding, and verify.
index 9e8d159836418e862423faf24fe0406300f14c6c..164c677dee7d533407d46288f7961d34bc678aef 100644 (file)
@@ -24,7 +24,7 @@ static char rcsid_send_tgs_c[] =
  Sends a request to the TGS and waits for a response.
  options is used for the options in the KRB_TGS_REQ.
  timestruct values are used for from, till, rtime " " "
- etype is used for etype " " "
+ etype is used for etype " " ", and to encrypt the authorization data, if present
  sumtype is used for the checksum in the AP_REQ in the KRB_TGS_REQ
  sname is used for sname " " "
  addrs, if non-NULL, is used for addresses " " "
@@ -47,6 +47,7 @@ krb5_send_tgs(DECLARG(const krb5_flags, kdcoptions),
              DECLARG(krb5_const_principal, sname),
              DECLARG(krb5_address * const *, addrs),
              DECLARG(krb5_authdata * const *,authorization_data),
+             DECLARG(krb5_pa_data * const *, padata),
              DECLARG(const krb5_data *,second_ticket),
              DECLARG(krb5_creds *,usecred),
              DECLARG(krb5_response *,rep))
@@ -57,6 +58,7 @@ OLDDECLARG(const krb5_cksumtype, sumtype)
 OLDDECLARG(krb5_const_principal, sname)
 OLDDECLARG(krb5_address * const *, addrs)
 OLDDECLARG(krb5_authdata * const *,authorization_data)
+OLDDECLARG(krb5_pa_data * const *, padata)
 OLDDECLARG(const krb5_data *,second_ticket)
 OLDDECLARG(krb5_creds *,usecred)
 OLDDECLARG(krb5_response *,rep)
@@ -64,9 +66,16 @@ OLDDECLARG(krb5_response *,rep)
     krb5_error_code retval;
     krb5_kdc_req tgsreq;
     krb5_checksum ap_checksum;
-    krb5_data *scratch;
+    krb5_data *scratch, scratch2;
     krb5_ticket *sec_ticket = 0;
     krb5_ticket *sec_ticket_arr[2];
+    krb5_enctype etypes[1];
+    krb5_timestamp time_now;
+    krb5_pa_data **combined_padata;
+    krb5_pa_data ap_req_padata;
+
+    if (!valid_etype(etype))
+       return KRB5_PROG_ETYPE_NOSUPP;
 
     memset((char *)&tgsreq, 0, sizeof(tgsreq));
 
@@ -76,17 +85,73 @@ OLDDECLARG(krb5_response *,rep)
     tgsreq.from = timestruct->starttime;
     tgsreq.till = timestruct->endtime;
     tgsreq.rtime = timestruct->renew_till;
-    if (retval = krb5_timeofday(&tgsreq.ctime))
+    if (retval = krb5_timeofday(&time_now))
        return(retval);
     /* XXX we know they are the same size... */
-    tgsreq.nonce = (krb5_int32) tgsreq.ctime;
+    tgsreq.nonce = (krb5_int32) time_now;
+
+    etypes[0] = etype;
+    tgsreq.etype = etypes;
+    tgsreq.netypes = 1;
 
-    tgsreq.etype = etype;
     tgsreq.addresses = (krb5_address **) addrs;
-    tgsreq.authorization_data = (krb5_authdata **)authorization_data;
+
+    if (authorization_data) {
+       /* need to encrypt it in the request */
+
+       krb5_encrypt_block eblock;
+
+       if (retval = encode_krb5_authdata(authorization_data, &scratch))
+           return(retval);
+       krb5_use_cstype(&eblock, etype);
+       tgsreq.authorization_data.ciphertext.length =
+           krb5_encrypt_size(scratch->length,
+                             eblock.crypto_entry);
+       /* add padding area, and zero it */
+       if (!(scratch->data = realloc(scratch->data,
+                                     tgsreq.authorization_data.ciphertext.length))) {
+           /* may destroy scratch->data */
+           xfree(scratch);
+           return ENOMEM;
+       }
+       memset(scratch->data + scratch->length, 0,
+              tgsreq.authorization_data.ciphertext.length - scratch->length);
+       if (!(tgsreq.authorization_data.ciphertext.data =
+             malloc(tgsreq.authorization_data.ciphertext.length))) {
+           krb5_free_data(scratch);
+           return ENOMEM;
+       }
+       if (retval = krb5_process_key(&eblock, &usecred->keyblock)) {
+           krb5_free_data(scratch);
+           return retval;
+       }
+       /* call the encryption routine */
+       if (retval = krb5_encrypt((krb5_pointer) scratch->data,
+                                 (krb5_pointer) tgsreq.authorization_data.ciphertext.data,
+                                 scratch->length, &eblock, 0)) {
+           (void) krb5_finish_key(&eblock);
+           xfree(tgsreq.authorization_data.ciphertext.data);
+           krb5_free_data(scratch);
+           return retval;
+       }           
+       krb5_free_data(scratch);
+       if (retval = krb5_finish_key(&eblock)) {
+           xfree(tgsreq.authorization_data.ciphertext.data);
+           return retval;
+       }
+    }
+#define cleanup_authdata() { if (tgsreq.authorization_data.ciphertext.data) {\
+       (void) memset(tgsreq.authorization_data.ciphertext.data, 0,\
+             tgsreq.authorization_data.ciphertext.length); \
+           xfree(tgsreq.authorization_data.ciphertext.data);}}
+
+
+
     if (second_ticket) {
-       if (retval = decode_krb5_ticket(second_ticket, &sec_ticket))
+       if (retval = decode_krb5_ticket(second_ticket, &sec_ticket)) {
+           cleanup_authdata();
            return retval;
+       }
        sec_ticket_arr[0] = sec_ticket;
        sec_ticket_arr[1] = 0;
        tgsreq.second_ticket = sec_ticket_arr;
@@ -100,6 +165,7 @@ OLDDECLARG(krb5_response *,rep)
     if (retval) {
        if (sec_ticket)
            krb5_free_ticket(sec_ticket);
+       cleanup_authdata();
        return(retval);
     }
 
@@ -108,6 +174,7 @@ OLDDECLARG(krb5_response *,rep)
        if (sec_ticket)
            krb5_free_ticket(sec_ticket);
        krb5_free_data(scratch);
+       cleanup_authdata();
        return ENOMEM;
     }
 
@@ -121,6 +188,7 @@ OLDDECLARG(krb5_response *,rep)
            krb5_free_ticket(sec_ticket);
        xfree(ap_checksum.contents);
        krb5_free_data(scratch);
+       cleanup_authdata();
        return retval;
     }
     /* done with body */
@@ -130,8 +198,6 @@ OLDDECLARG(krb5_response *,rep)
                   if (sec_ticket) krb5_free_ticket(sec_ticket);}
     /* attach ap_req to the tgsreq */
 
-    tgsreq.padata_type = KRB5_PADATA_AP_REQ;
-
     /*
      * Get an ap_req.
      */
@@ -139,25 +205,62 @@ OLDDECLARG(krb5_response *,rep)
                                       &ap_checksum,
                                       0, /* don't need times */
                                       0L, /* don't need kdc_options for this */
+                                      0, /* no initial sequence */
+                                      0, /* no new key */
                                       0, /* no ccache--already have creds */
                                       usecred,
                                       0, /* don't need authenticator */
-                                      &tgsreq.padata)) {
+                                      &scratch2)) {
        cleanup();
+       cleanup_authdata();
        return retval;
     }
 
+    ap_req_padata.pa_type = KRB5_PADATA_AP_REQ;
+    ap_req_padata.length = scratch2.length;
+    ap_req_padata.contents = (krb5_octet *)scratch2.data;
+
+    /* combine in any other supplied padata */
+    if (padata) {
+       krb5_pa_data * const * counter;
+       register int i = 0;
+       for (counter = padata; *counter; counter++, i++);
+       combined_padata = (krb5_pa_data **)malloc(i+2);
+       if (!combined_padata) {
+           cleanup();
+           cleanup_authdata();
+           return ENOMEM;
+       }
+       combined_padata[0] = &ap_req_padata;
+       for (i = 1, counter = padata; *counter; counter++, i++)
+           combined_padata[i] = (krb5_pa_data *) *counter;
+       combined_padata[i] = 0;
+    } else {
+       combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata));
+       if (!combined_padata) {
+           cleanup();
+           cleanup_authdata();
+           return ENOMEM;
+       }
+       combined_padata[0] = &ap_req_padata;
+       combined_padata[1] = 0;
+    }
+    tgsreq.padata = combined_padata;
 
     /* the TGS_REQ is assembled in tgsreq, so encode it */
     if (retval = encode_krb5_tgs_req(&tgsreq, &scratch)) {
        cleanup();
+       cleanup_authdata();
+       xfree(combined_padata);
        return(retval);
     }
     if (sec_ticket)
        krb5_free_ticket(sec_ticket);
+    cleanup_authdata();
+    xfree(combined_padata);
+#undef cleanup_authdata
 #undef cleanup
-#define cleanup() {(void) free(tgsreq.padata.data); \
-                  xfree(ap_checksum.contents);}
+#define cleanup() {xfree(ap_checksum.contents);}
 
     /* now send request & get response from KDC */
     retval = krb5_sendto_kdc(scratch, krb5_princ_realm(sname),
index 17d11d0d55992b70a76c7e34af51ad8f680205dc..00ec030383a2b4ef6c07083fc3e923b31ff4dad1 100644 (file)
@@ -22,7 +22,6 @@ OBJS= \
        localaddr.o     \
        locate_kdc.o    \
        lock_file.o     \
-       mstime.o        \
        net_read.o      \
        net_write.o     \
        osconfig.o      \
@@ -30,7 +29,8 @@ OBJS= \
        read_pwd.o      \
        sendto_kdc.o    \
        timeofday.o     \
-       unlck_file.o
+       unlck_file.o    \
+       ustime.o
 
 SRCS= \
        an_to_ln.c      \
@@ -45,7 +45,6 @@ SRCS= \
        localaddr.c     \
        locate_kdc.c    \
        lock_file.c     \
-       mstime.c        \
        net_read.c      \
        net_write.c     \
        osconfig.c      \
@@ -53,6 +52,8 @@ SRCS= \
        rnd_confoun.c   \
        sendto_kdc.c    \
        timeofday.c     \
-       unlck_file.c
+       unlck_file.c    \
+       ustime.c
+
 
 NormalLibraryTarget(os,${OBJS})
index 7d48d4a570374c62aeb4446cbeb039623e787651..974e942cc0f603dbe96485181ae0c098ca6f0ce2 100644 (file)
@@ -25,9 +25,8 @@ static char rcsid_mstime_c[] =
 extern int errno;
 
 krb5_error_code
-krb5_ms_timeofday(seconds, milliseconds)
-register krb5_int32 *seconds;
-register krb5_ui_2 *milliseconds;
+krb5_us_timeofday(seconds, microseconds)
+register krb5_int32 *seconds, *microseconds;
 {
     struct timeval tv;
 
@@ -36,6 +35,6 @@ register krb5_ui_2 *milliseconds;
        return (krb5_error_code) errno;
     }
     *seconds = tv.tv_sec;
-    *milliseconds = tv.tv_usec / 1000;
+    *microseconds = tv.tv_usec;
     return 0;
 }
index d418892c854f7b2b0a9bc5b9d5689b0332be4da7..e4022a68d4fccf45fa506e590b7003c383da407f 100644 (file)
@@ -73,7 +73,7 @@ struct auth_replay
  {
   char *server; /* null-terminated */
   char *client; /* null-terminated */
-  krb5_ui_2 cmsec;
+  krb5_int32 cusec;
   krb5_timestamp ctime;
  }
 ;
@@ -82,7 +82,7 @@ static int hash(rep, hsize)
 struct auth_replay *rep;
 int hsize;
 {
- return (((rep->cmsec + rep->ctime + *rep->server + *rep->client)
+ return (((rep->cusec + rep->ctime + *rep->server + *rep->client)
         % hsize) + hsize) % hsize;
  /* We take this opportunity to once again complain about C's idiotic %. */
 }
@@ -92,7 +92,7 @@ krb5_tkt_authent *auth;
 struct auth_replay *rep;
 {
  krb5_error_code retval;
- rep->cmsec = auth->authenticator->cmsec;
+ rep->cusec = auth->authenticator->cusec;
  rep->ctime = auth->authenticator->ctime;
  if (retval = krb5_unparse_name(auth->ticket->server,&rep->server))
    return retval; /* shouldn't happen */
@@ -114,7 +114,7 @@ struct auth_replay *old;
 struct auth_replay *new;
 krb5_deltat t;
 {
- if ((old->cmsec == new->cmsec) && /* most likely to distinguish */
+ if ((old->cusec == new->cusec) && /* most likely to distinguish */
      (old->ctime == new->ctime) &&
      (strcmp(old->client,new->client) == 0) &&
      (strcmp(old->server,new->server) == 0)) /* always true */
@@ -332,7 +332,7 @@ krb5_rcache id;
      case KRB5_RC_IO_EOF: FREE3; goto end_loop;
      case 0: break; default: FREE3; return KRB5_RC_IO; break;
     }
-   switch(krb5_rc_io_read(&t->d,(krb5_pointer) &rep->cmsec,sizeof(rep->cmsec))) 
+   switch(krb5_rc_io_read(&t->d,(krb5_pointer) &rep->cusec,sizeof(rep->cusec))) 
     {
      case KRB5_RC_IO_EOF: FREE3; goto end_loop;
      case 0: break; default: FREE3; return KRB5_RC_IO; break;
@@ -386,7 +386,7 @@ krb5_tkt_authent *auth;
    return KRB5_RC_IO;
  if (krb5_rc_io_write(&t->d,(krb5_pointer) rep->server,i))
    return KRB5_RC_IO;
- if (krb5_rc_io_write(&t->d,(krb5_pointer) &rep->cmsec,sizeof(rep->cmsec)))
+ if (krb5_rc_io_write(&t->d,(krb5_pointer) &rep->cusec,sizeof(rep->cusec)))
    return KRB5_RC_IO;
  if (krb5_rc_io_write(&t->d,(krb5_pointer) &rep->ctime,sizeof(rep->ctime)))
    return KRB5_RC_IO;
@@ -461,7 +461,7 @@ krb5_rcache id;
      return KRB5_RC_IO;
    if (krb5_rc_io_write(&tmp,(krb5_pointer) q->rep.server,i))
      return KRB5_RC_IO;
-   if (krb5_rc_io_write(&tmp,(krb5_pointer) &q->rep.cmsec,sizeof(q->rep.cmsec)))
+   if (krb5_rc_io_write(&tmp,(krb5_pointer) &q->rep.cusec,sizeof(q->rep.cusec)))
      return KRB5_RC_IO;
    if (krb5_rc_io_write(&tmp,(krb5_pointer) &q->rep.ctime,sizeof(q->rep.ctime)))
      return KRB5_RC_IO;