From 02d6bcbc98a214e7aeaaa9f45f0db8784a7b743b Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Sat, 31 Oct 2009 00:48:38 +0000 Subject: [PATCH] make mark-cstyle make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970 --- src/appl/bsd/defines.h | 12 +- src/appl/bsd/forward.c | 14 +- src/appl/bsd/kcmd.c | 56 +- src/appl/bsd/krcp.c | 124 +- src/appl/bsd/krlogin.c | 140 +- src/appl/bsd/krlogind.c | 164 +- src/appl/bsd/krsh.c | 30 +- src/appl/bsd/krshd.c | 210 +- src/appl/bsd/login.c | 38 +- src/appl/bsd/loginpaths.h | 2 +- src/appl/bsd/rpaths.h | 1 - src/appl/gss-sample/gss-client.c | 14 +- src/appl/gss-sample/gss-misc.c | 8 +- src/appl/gss-sample/gss-misc.h | 4 +- src/appl/gss-sample/gss-server.c | 10 +- src/appl/gssftp/ftp/cmds.c | 18 +- src/appl/gssftp/ftp/cmdtab.c | 1 - src/appl/gssftp/ftp/ftp.c | 62 +- src/appl/gssftp/ftp/glob.c | 6 +- src/appl/gssftp/ftp/main.c | 4 +- src/appl/gssftp/ftp/ruserpass.c | 6 +- src/appl/gssftp/ftp/secure.c | 24 +- src/appl/gssftp/ftpd/ftpd.c | 51 +- src/appl/gssftp/ftpd/ftpd_var.h | 4 +- src/appl/libpty/cleanup.c | 8 +- src/appl/libpty/dump-utmp.c | 2 +- src/appl/libpty/getpty.c | 8 +- src/appl/libpty/init.c | 8 +- src/appl/libpty/init_slave.c | 10 +- src/appl/libpty/libpty.h | 4 +- src/appl/libpty/logwtmp.c | 4 +- src/appl/libpty/open_ctty.c | 4 +- src/appl/libpty/open_slave.c | 4 +- src/appl/libpty/pty-int.h | 6 +- src/appl/libpty/pty_paranoia.c | 2 +- src/appl/libpty/sane_hostname.c | 4 +- src/appl/libpty/update_utmp.c | 8 +- src/appl/libpty/update_wtmp.c | 4 +- src/appl/libpty/vhangup.c | 6 +- src/appl/libpty/void_assoc.c | 4 +- src/appl/sample/sample.h | 4 +- src/appl/sample/sclient/sclient.c | 14 +- src/appl/sample/sserver/sserver.c | 16 +- src/appl/simple/client/sim_client.c | 26 +- src/appl/simple/server/sim_server.c | 18 +- src/appl/simple/simple.h | 4 +- src/appl/telnet/libtelnet/auth-proto.h | 2 +- src/appl/telnet/libtelnet/auth.c | 8 +- src/appl/telnet/libtelnet/enc_des.c | 18 +- src/appl/telnet/libtelnet/encrypt.c | 14 +- src/appl/telnet/libtelnet/forward.c | 10 +- src/appl/telnet/libtelnet/kerberos5.c | 52 +- src/appl/telnet/libtelnet/krb5forw.h | 5 +- src/appl/telnet/libtelnet/mem.c | 2 +- src/appl/telnet/libtelnet/parsetos.c | 1 - src/appl/telnet/libtelnet/setenv.c | 2 +- src/appl/telnet/telnet/authenc.c | 2 +- src/appl/telnet/telnet/commands.c | 10 +- src/appl/telnet/telnet/externs.h | 6 +- src/appl/telnet/telnet/main.c | 10 +- src/appl/telnet/telnet/sys_bsd.c | 2 +- src/appl/telnet/telnet/telnet.c | 20 +- src/appl/telnet/telnet/utilities.c | 4 +- src/appl/telnet/telnetd/pathnames.h | 2 +- src/appl/telnet/telnetd/slc.c | 14 +- src/appl/telnet/telnetd/state.c | 4 +- src/appl/telnet/telnetd/sys_term.c | 27 +- src/appl/telnet/telnetd/telnetd-ktd.c | 10 +- src/appl/telnet/telnetd/telnetd.c | 18 +- src/appl/telnet/telnetd/telnetd.h | 1 - src/appl/telnet/telnetd/termio-tn.c | 2 +- src/appl/telnet/telnetd/termstat.c | 14 +- src/appl/telnet/telnetd/utility.c | 16 +- src/appl/user_user/client.c | 45 +- src/appl/user_user/server.c | 26 +- src/ccapi/common/cci_array_internal.c | 111 +- src/ccapi/common/cci_cred_union.c | 462 +- src/ccapi/common/cci_debugging.c | 14 +- src/ccapi/common/cci_debugging.h | 6 +- src/ccapi/common/cci_identifier.c | 106 +- src/ccapi/common/cci_message.c | 76 +- src/ccapi/common/cci_message.h | 4 +- src/ccapi/common/cci_types.h | 26 +- src/ccapi/common/mac/cci_os_identifier.c | 25 +- src/ccapi/common/win/OldCC/ccutils.c | 8 +- src/ccapi/common/win/cci_os_debugging.c | 2 +- src/ccapi/common/win/tls.c | 14 +- src/ccapi/common/win/tls.h | 2 +- src/ccapi/common/win/win-utils.c | 6 +- src/ccapi/lib/ccapi_ccache.c | 264 +- src/ccapi/lib/ccapi_ccache_iterator.c | 94 +- src/ccapi/lib/ccapi_context.c | 295 +- src/ccapi/lib/ccapi_context.h | 8 +- src/ccapi/lib/ccapi_context_change_time.c | 64 +- src/ccapi/lib/ccapi_credentials.c | 58 +- src/ccapi/lib/ccapi_credentials_iterator.c | 82 +- src/ccapi/lib/ccapi_ipc.c | 22 +- src/ccapi/lib/ccapi_string.c | 46 +- src/ccapi/lib/ccapi_v2.c | 454 +- src/ccapi/lib/mac/ccapi_vector.c | 26 +- src/ccapi/lib/mac/ccapi_vector.h | 26 +- src/ccapi/lib/win/OldCC/ccapi.h | 64 +- src/ccapi/lib/win/ccs_reply_proc.c | 2 +- src/ccapi/lib/win/dllmain.h | 4 +- src/ccapi/server/ccs_array.c | 12 +- src/ccapi/server/ccs_cache_collection.c | 450 +- src/ccapi/server/ccs_cache_collection.h | 2 +- src/ccapi/server/ccs_callback.c | 92 +- src/ccapi/server/ccs_ccache.c | 485 +- src/ccapi/server/ccs_ccache.h | 2 +- src/ccapi/server/ccs_ccache_iterator.c | 53 +- src/ccapi/server/ccs_client.c | 94 +- src/ccapi/server/ccs_credentials.c | 50 +- src/ccapi/server/ccs_credentials_iterator.c | 49 +- src/ccapi/server/ccs_list.c | 16 +- src/ccapi/server/ccs_list_internal.c | 303 +- src/ccapi/server/ccs_lock.c | 110 +- src/ccapi/server/ccs_lock_state.c | 238 +- src/ccapi/server/ccs_lock_state.h | 6 +- src/ccapi/server/ccs_pipe.c | 2 +- src/ccapi/server/ccs_server.c | 148 +- src/ccapi/server/mac/ccs_os_notify.c | 28 +- src/ccapi/server/mac/ccs_os_pipe.c | 17 +- src/ccapi/server/mac/ccs_os_server.c | 16 +- src/ccapi/server/win/ccs_os_pipe.c | 5 +- src/ccapi/server/win/ccs_request_proc.c | 8 +- src/ccapi/server/win/ccs_win_pipe.c | 6 +- src/ccapi/server/win/ccs_win_pipe.h | 16 +- src/ccapi/server/win/workitem.h | 6 +- src/ccapi/test/main.c | 22 +- src/ccapi/test/pingtest.c | 10 +- src/ccapi/test/simple_lock_test.c | 12 +- src/ccapi/test/test_cc_ccache_compare.c | 2 +- src/ccapi/test/test_cc_ccache_destroy.c | 2 +- .../test/test_cc_ccache_get_change_time.c | 3 +- .../test_cc_ccache_get_credentials_version.c | 3 +- .../test/test_cc_ccache_get_kdc_time_offset.c | 3 +- .../test_cc_ccache_get_last_default_time.c | 3 +- src/ccapi/test/test_cc_ccache_get_name.c | 3 +- src/ccapi/test/test_cc_ccache_get_principal.c | 3 +- src/ccapi/test/test_cc_ccache_iterator_next.c | 3 +- src/ccapi/test/test_cc_ccache_move.c | 3 +- .../test_cc_ccache_new_credentials_iterator.c | 3 +- src/ccapi/test/test_cc_ccache_release.c | 3 +- .../test/test_cc_ccache_remove_credentials.c | 3 +- src/ccapi/test/test_cc_ccache_set_default.c | 3 +- .../test/test_cc_ccache_set_kdc_time_offset.c | 3 +- src/ccapi/test/test_cc_ccache_set_principal.c | 3 +- .../test/test_cc_ccache_store_credentials.c | 3 +- src/ccapi/test/test_cc_close.c | 2 +- src/ccapi/test/test_cc_context_compare.c | 3 +- .../test/test_cc_context_create_ccache.c | 3 +- .../test_cc_context_create_default_ccache.c | 3 +- .../test/test_cc_context_create_new_ccache.c | 3 +- .../test/test_cc_context_get_change_time.c | 3 +- .../test_cc_context_get_default_ccache_name.c | 3 +- .../test_cc_context_new_ccache_iterator.c | 3 +- src/ccapi/test/test_cc_context_open_ccache.c | 3 +- .../test_cc_context_open_default_ccache.c | 3 +- src/ccapi/test/test_cc_context_release.c | 2 +- src/ccapi/test/test_cc_create.c | 2 +- .../test/test_cc_credentials_iterator_next.c | 2 +- src/ccapi/test/test_cc_destroy.c | 2 +- src/ccapi/test/test_cc_get_NC_info.c | 2 +- src/ccapi/test/test_cc_get_change_time.c | 2 +- src/ccapi/test/test_cc_get_cred_version.c | 2 +- src/ccapi/test/test_cc_get_name.c | 2 +- src/ccapi/test/test_cc_get_principal.c | 2 +- src/ccapi/test/test_cc_initialize.c | 2 +- src/ccapi/test/test_cc_open.c | 2 +- src/ccapi/test/test_cc_remove_cred.c | 2 +- src/ccapi/test/test_cc_seq_fetch_NCs_begin.c | 2 +- src/ccapi/test/test_cc_seq_fetch_NCs_next.c | 2 +- .../test/test_cc_seq_fetch_creds_begin.c | 2 +- src/ccapi/test/test_cc_seq_fetch_creds_next.c | 2 +- src/ccapi/test/test_cc_set_principal.c | 2 +- src/ccapi/test/test_cc_shutdown.c | 2 +- src/ccapi/test/test_cc_store.c | 2 +- src/ccapi/test/test_ccapi_ccache.c | 989 ++-- src/ccapi/test/test_ccapi_check.c | 10 +- src/ccapi/test/test_ccapi_check.h | 12 +- src/ccapi/test/test_ccapi_constants.c | 14 +- src/ccapi/test/test_ccapi_context.c | 544 +- src/ccapi/test/test_ccapi_globals.c | 18 +- src/ccapi/test/test_ccapi_iterators.c | 68 +- src/ccapi/test/test_ccapi_log.c | 4 +- src/ccapi/test/test_ccapi_util.c | 34 +- src/ccapi/test/test_ccapi_v2.c | 907 ++-- src/ccapi/test/test_ccapi_v2.h | 22 +- src/ccapi/test/test_constants.c | 2 +- src/clients/kcpytkt/kcpytkt.c | 129 +- src/clients/kdeltkt/kdeltkt.c | 127 +- src/clients/kdestroy/kdestroy.c | 101 +- src/clients/kinit/kinit.c | 653 +-- src/clients/klist/klist.c | 749 +-- src/clients/kpasswd/kpasswd.c | 237 +- src/clients/kpasswd/ksetpwd.c | 493 +- src/clients/ksu/authorization.c | 539 +- src/clients/ksu/ccache.c | 857 ++-- src/clients/ksu/heuristic.c | 617 +-- src/clients/ksu/krb_auth_su.c | 515 +- src/clients/ksu/ksu.h | 145 +- src/clients/ksu/main.c | 1245 ++--- src/clients/ksu/setenv.c | 161 +- src/clients/ksu/xmalloc.c | 21 +- src/clients/kvno/kvno.c | 395 +- src/include/CredentialsCache.h | 820 +-- src/include/CredentialsCache2.h | 66 +- src/include/adm_proto.h | 4 +- src/include/cm.h | 4 +- src/include/copyright.h | 54 +- src/include/fake-addrinfo.h | 56 +- src/include/foreachaddr.h | 4 +- src/include/gssapi.h | 2 +- src/include/gssrpc/auth.h | 16 +- src/include/gssrpc/auth_gss.h | 12 +- src/include/gssrpc/auth_gssapi.h | 6 +- src/include/gssrpc/auth_unix.h | 14 +- src/include/gssrpc/clnt.h | 26 +- src/include/gssrpc/netdb.h | 8 +- src/include/gssrpc/pmap_clnt.h | 22 +- src/include/gssrpc/pmap_prot.h | 10 +- src/include/gssrpc/pmap_rmt.h | 10 +- src/include/gssrpc/rename.h | 2 +- src/include/gssrpc/rpc.h | 6 +- src/include/gssrpc/rpc_msg.h | 10 +- src/include/gssrpc/svc.h | 22 +- src/include/gssrpc/svc_auth.h | 12 +- src/include/gssrpc/types.hin | 12 +- src/include/gssrpc/xdr.h | 10 +- src/include/k5-err.h | 4 +- src/include/k5-gmt_mktime.h | 4 +- src/include/k5-int-pkinit.h | 6 +- src/include/k5-int.h | 172 +- src/include/k5-ipc_stream.h | 24 +- src/include/k5-platform.h | 4 +- src/include/k5-plugin.h | 68 +- src/include/k5-thread.h | 4 +- src/include/k5-unicode.h | 54 +- src/include/k5-utf8.h | 54 +- src/include/k5-util.h | 54 +- src/include/kdb.h | 128 +- src/include/kdb_kt.h | 4 +- src/include/kim/kim.h | 62 +- src/include/kim/kim_ccache.h | 346 +- src/include/kim/kim_credential.h | 282 +- src/include/kim/kim_identity.h | 88 +- src/include/kim/kim_library.h | 2 +- src/include/kim/kim_options.h | 132 +- src/include/kim/kim_preferences.h | 118 +- src/include/kim/kim_selection_hints.h | 212 +- src/include/kim/kim_string.h | 34 +- src/include/kim/kim_types.h | 8 +- src/include/kim/kim_ui_plugin.h | 58 +- src/include/krb5/krb5.hin | 86 +- src/include/krb5/locate_plugin.h | 4 +- src/include/krb5/preauth_plugin.h | 2 +- src/include/krb54proto.h | 3 +- src/include/osconf.hin | 4 +- src/include/pkinit_apple_utils.h | 14 +- src/include/pkinit_asn1.h | 44 +- src/include/pkinit_cert_store.h | 42 +- src/include/pkinit_client.h | 22 +- src/include/pkinit_cms.h | 42 +- src/include/socket-utils.h | 54 +- src/include/spnego-asn1.h | 6 +- src/include/win-mac.h | 12 +- src/kadmin/cli/kadmin.c | 44 +- src/kadmin/cli/kadmin.h | 8 +- src/kadmin/cli/keytab.c | 12 +- src/kadmin/cli/keytab_local.c | 1 + src/kadmin/cli/ss_wrapper.c | 18 +- src/kadmin/dbutil/dump.c | 4003 +++++++-------- src/kadmin/dbutil/kadm5_create.c | 383 +- src/kadmin/dbutil/kdb5_create.c | 387 +- src/kadmin/dbutil/kdb5_destroy.c | 61 +- src/kadmin/dbutil/kdb5_mkey.c | 154 +- src/kadmin/dbutil/kdb5_stash.c | 131 +- src/kadmin/dbutil/kdb5_util.c | 593 +-- src/kadmin/dbutil/kdb5_util.h | 36 +- src/kadmin/dbutil/nstrtok.h | 2 +- src/kadmin/dbutil/ovload.c | 247 +- src/kadmin/dbutil/string_table.c | 41 +- src/kadmin/dbutil/string_table.h | 17 +- src/kadmin/dbutil/strtok.c | 108 +- src/kadmin/ktutil/ktutil.c | 219 +- src/kadmin/ktutil/ktutil.h | 27 +- src/kadmin/ktutil/ktutil_funcs.c | 265 +- src/kadmin/server/kadm_rpc_svc.c | 28 +- src/kadmin/server/misc.c | 241 +- src/kadmin/server/misc.h | 63 +- src/kadmin/server/network.c | 1799 +++---- src/kadmin/server/ovsec_kadmd.c | 1342 ++--- src/kadmin/server/schpw.c | 431 +- src/kadmin/server/server_stubs.c | 1645 +++--- src/kadmin/testing/util/bsddb_dump.c | 85 +- src/kadmin/testing/util/tcl_kadm5.c | 4397 +++++++++-------- src/kadmin/testing/util/tcl_kadm5.h | 2 +- src/kadmin/testing/util/tcl_krb5_hash.c | 172 +- src/kadmin/testing/util/test.c | 11 +- src/kdc/dispatch.c | 89 +- src/kdc/do_as_req.c | 557 +-- src/kdc/do_tgs_req.c | 297 +- src/kdc/extern.c | 19 +- src/kdc/extern.h | 85 +- src/kdc/fast_util.c | 455 +- src/kdc/kdc_authdata.c | 628 +-- src/kdc/kdc_preauth.c | 3547 ++++++------- src/kdc/kdc_util.c | 2508 +++++----- src/kdc/kdc_util.h | 357 +- src/kdc/main.c | 715 ++- src/kdc/network.c | 1507 +++--- src/kdc/pkinit_apple_server.c | 187 +- src/kdc/pkinit_server.h | 81 +- src/kdc/policy.c | 88 +- src/kdc/policy.h | 7 +- src/kdc/replay.c | 119 +- src/kdc/rtest.c | 117 +- src/kim/agent/mac/AuthenticationController.h | 26 +- src/kim/agent/mac/BadgedImageView.h | 2 +- src/kim/agent/mac/IPCClient.h | 10 +- src/kim/agent/mac/Identities.h | 2 +- src/kim/agent/mac/KIMUtilities.h | 2 +- src/kim/agent/mac/KerberosAgentController.h | 2 +- src/kim/agent/mac/KerberosAgentListener.h | 16 +- src/kim/agent/mac/KerberosFormatters.h | 8 +- src/kim/agent/mac/PopupButton.h | 2 +- src/kim/agent/mac/SelectIdentityController.h | 14 +- src/kim/agent/mac/ServerDemux.h | 16 +- src/kim/lib/kim_ccache.c | 603 ++- src/kim/lib/kim_credential.c | 750 +-- src/kim/lib/kim_debug.c | 30 +- src/kim/lib/kim_debug_private.h | 12 +- src/kim/lib/kim_error_message.c | 77 +- src/kim/lib/kim_error_private.h | 6 +- src/kim/lib/kim_identity.c | 348 +- src/kim/lib/kim_library.c | 112 +- src/kim/lib/kim_library_private.h | 2 +- src/kim/lib/kim_options.c | 260 +- src/kim/lib/kim_preferences.c | 429 +- src/kim/lib/kim_preferences_private.h | 20 +- src/kim/lib/kim_selection_hints.c | 369 +- src/kim/lib/kim_string.c | 66 +- src/kim/lib/kim_string_private.h | 10 +- src/kim/lib/kim_ui.c | 230 +- src/kim/lib/kim_ui_cli.c | 222 +- src/kim/lib/kim_ui_cli_private.h | 4 +- src/kim/lib/kim_ui_gui_private.h | 4 +- src/kim/lib/kim_ui_plugin.c | 126 +- src/kim/lib/kim_ui_plugin_private.h | 4 +- src/kim/lib/mac/KerberosLogin.c | 608 +-- src/kim/lib/mac/KerberosLogin.h | 54 +- src/kim/lib/mac/KerberosLoginPrivate.h | 9 +- src/kim/lib/mac/kim_os_debug.c | 2 +- src/kim/lib/mac/kim_os_identity.c | 154 +- src/kim/lib/mac/kim_os_library.c | 110 +- src/kim/lib/mac/kim_os_preferences.c | 615 ++- src/kim/lib/mac/kim_os_selection_hints.c | 251 +- src/kim/lib/mac/kim_os_string.c | 112 +- src/kim/lib/mac/kim_os_ui_gui.c | 212 +- src/kim/test/main.c | 42 +- src/kim/test/test_kim_common.c | 48 +- src/kim/test/test_kim_common.h | 6 +- src/kim/test/test_kim_identity.c | 362 +- src/kim/test/test_kim_preferences.c | 624 +-- src/kim/test/test_kim_selection_hints.c | 92 +- src/kim/test/test_kll.c | 179 +- src/kim/test/test_kll_terminal.c | 20 +- src/kim/test/test_ui_plugin.c | 162 +- src/lib/apputils/daemon.c | 2 +- src/lib/crypto/builtin/aes/aes.h | 16 +- src/lib/crypto/builtin/aes/aes_s2k.c | 4 +- src/lib/crypto/builtin/aes/aescpp.h | 19 +- src/lib/crypto/builtin/aes/aescrypp.c | 74 +- src/lib/crypto/builtin/aes/aescrypt.c | 70 +- src/lib/crypto/builtin/aes/aeskey.c | 78 +- src/lib/crypto/builtin/aes/aeskeypp.c | 58 +- src/lib/crypto/builtin/aes/aesopt.h | 182 +- src/lib/crypto/builtin/aes/aestab.c | 38 +- src/lib/crypto/builtin/aes/uitypes.h | 12 +- src/lib/crypto/builtin/arcfour/arcfour.c | 1 - src/lib/crypto/builtin/arcfour/arcfour_aead.c | 7 +- src/lib/crypto/builtin/arcfour/arcfour_s2k.c | 4 +- src/lib/crypto/builtin/des/afsstring2key.c | 80 +- src/lib/crypto/builtin/des/d3_aead.c | 2 +- src/lib/crypto/builtin/des/d3_cbc.c | 2 +- src/lib/crypto/builtin/des/d3_kysched.c | 2 +- src/lib/crypto/builtin/des/des_int.h | 18 +- src/lib/crypto/builtin/des/destest.c | 28 +- src/lib/crypto/builtin/des/f_aead.c | 2 +- src/lib/crypto/builtin/des/f_parity.c | 11 +- src/lib/crypto/builtin/des/f_sched.c | 2 +- src/lib/crypto/builtin/des/key_sched.c | 4 +- src/lib/crypto/builtin/des/string2key.c | 4 +- src/lib/crypto/builtin/des/t_verify.c | 26 +- src/lib/crypto/builtin/des/weak_key.c | 4 +- src/lib/crypto/builtin/enc_provider/aes.c | 1 - src/lib/crypto/builtin/enc_provider/des.c | 8 +- src/lib/crypto/builtin/enc_provider/des3.c | 9 +- .../builtin/enc_provider/enc_provider.h | 9 +- src/lib/crypto/builtin/enc_provider/rc4.c | 15 +- .../crypto/builtin/hash_provider/hash_crc32.c | 10 +- .../crypto/builtin/hash_provider/hash_md4.c | 8 +- .../crypto/builtin/hash_provider/hash_md5.c | 8 +- .../builtin/hash_provider/hash_provider.h | 8 +- .../crypto/builtin/hash_provider/hash_sha1.c | 8 +- src/lib/crypto/builtin/hmac.c | 10 +- src/lib/crypto/builtin/md4/rsa-md4.h | 4 +- src/lib/crypto/builtin/md5/md5.c | 2 +- src/lib/crypto/builtin/pbkdf2.c | 4 +- src/lib/crypto/builtin/sha1/t_shs3.c | 2 +- src/lib/crypto/builtin/t_cf2.c | 6 +- src/lib/crypto/crypto_tests/aes-test.c | 4 +- src/lib/crypto/crypto_tests/t_crc.c | 2 +- src/lib/crypto/crypto_tests/t_cts.c | 4 +- src/lib/crypto/crypto_tests/t_encrypt.c | 12 +- src/lib/crypto/crypto_tests/t_hmac.c | 8 +- src/lib/crypto/crypto_tests/t_kperf.c | 2 +- src/lib/crypto/crypto_tests/t_mddriver.c | 10 +- src/lib/crypto/crypto_tests/t_nfold.c | 6 +- src/lib/crypto/crypto_tests/t_pkcs5.c | 4 +- src/lib/crypto/crypto_tests/t_prf.c | 8 +- src/lib/crypto/crypto_tests/t_prng.c | 4 +- src/lib/crypto/crypto_tests/vectors.c | 4 +- src/lib/crypto/crypto_tests/ytest.c | 54 +- src/lib/crypto/krb/aead.c | 7 +- src/lib/crypto/krb/aead.h | 2 +- src/lib/crypto/krb/block_size.c | 8 +- src/lib/crypto/krb/cf2.c | 10 +- src/lib/crypto/krb/checksum_length.c | 9 +- src/lib/crypto/krb/cksumtype_to_string.c | 8 +- src/lib/crypto/krb/cksumtypes.c | 16 +- src/lib/crypto/krb/cksumtypes.h | 8 +- src/lib/crypto/krb/coll_proof_cksum.c | 8 +- src/lib/crypto/krb/combine_keys.c | 3 +- src/lib/crypto/krb/crc32/crc-32.h | 12 +- src/lib/crypto/krb/crc32/crc32.c | 4 +- src/lib/crypto/krb/crypto_length.c | 3 +- src/lib/crypto/krb/decrypt.c | 8 +- src/lib/crypto/krb/decrypt_iov.c | 2 +- src/lib/crypto/krb/default_state.c | 7 +- src/lib/crypto/krb/dk/checksum.c | 12 +- src/lib/crypto/krb/dk/derive.c | 8 +- src/lib/crypto/krb/dk/dk.h | 8 +- src/lib/crypto/krb/dk/dk_decrypt.c | 8 +- src/lib/crypto/krb/dk/dk_encrypt.c | 9 +- src/lib/crypto/krb/dk/stringtokey.c | 8 +- src/lib/crypto/krb/enc_provider/aes.c | 1 - src/lib/crypto/krb/enc_provider/des.c | 8 +- src/lib/crypto/krb/enc_provider/des3.c | 9 +- .../crypto/krb/enc_provider/enc_provider.h | 9 +- src/lib/crypto/krb/enc_provider/rc4.c | 15 +- src/lib/crypto/krb/encrypt.c | 8 +- src/lib/crypto/krb/encrypt_iov.c | 2 +- src/lib/crypto/krb/encrypt_length.c | 8 +- src/lib/crypto/krb/enctype_compare.c | 8 +- src/lib/crypto/krb/enctype_to_string.c | 8 +- src/lib/crypto/krb/etypes.c | 12 +- src/lib/crypto/krb/etypes.h | 8 +- src/lib/crypto/krb/key.c | 4 +- src/lib/crypto/krb/keyblocks.c | 12 +- src/lib/crypto/krb/keyed_checksum_types.c | 8 +- src/lib/crypto/krb/keyed_cksum.c | 8 +- src/lib/crypto/krb/keyhash_provider/descbc.c | 14 +- .../crypto/krb/keyhash_provider/hmac_md5.c | 6 +- .../crypto/krb/keyhash_provider/k5_md4des.c | 8 +- .../crypto/krb/keyhash_provider/k5_md5des.c | 10 +- .../krb/keyhash_provider/keyhash_provider.h | 8 +- .../crypto/krb/keyhash_provider/md5_hmac.c | 5 +- src/lib/crypto/krb/keylengths.c | 4 +- src/lib/crypto/krb/make_checksum.c | 8 +- src/lib/crypto/krb/make_checksum_iov.c | 2 +- src/lib/crypto/krb/make_random_key.c | 8 +- src/lib/crypto/krb/mandatory_sumtype.c | 2 +- src/lib/crypto/krb/nfold.c | 9 +- src/lib/crypto/krb/old/des_stringtokey.c | 8 +- src/lib/crypto/krb/old/old.h | 8 +- src/lib/crypto/krb/old/old_decrypt.c | 8 +- src/lib/crypto/krb/old/old_encrypt.c | 8 +- src/lib/crypto/krb/old_api_glue.c | 10 +- src/lib/crypto/krb/prf.c | 6 +- src/lib/crypto/krb/prf/des_prf.c | 6 +- src/lib/crypto/krb/prf/dk_prf.c | 8 +- src/lib/crypto/krb/prf/prf_int.h | 4 +- src/lib/crypto/krb/prf/rc4_prf.c | 4 +- src/lib/crypto/krb/prng.c | 6 +- src/lib/crypto/krb/rand2key/aes_rand2key.c | 1 - src/lib/crypto/krb/rand2key/des3_rand2key.c | 1 - src/lib/crypto/krb/rand2key/des_rand2key.c | 2 - src/lib/crypto/krb/rand2key/rand2key.h | 3 - src/lib/crypto/krb/rand2key/rc4_rand2key.c | 1 - src/lib/crypto/krb/random_to_key.c | 4 +- src/lib/crypto/krb/raw/raw.h | 9 +- src/lib/crypto/krb/raw/raw_aead.c | 2 +- src/lib/crypto/krb/raw/raw_decrypt.c | 8 +- src/lib/crypto/krb/raw/raw_encrypt.c | 8 +- src/lib/crypto/krb/state.c | 6 +- src/lib/crypto/krb/string_to_cksumtype.c | 8 +- src/lib/crypto/krb/string_to_enctype.c | 8 +- src/lib/crypto/krb/string_to_key.c | 8 +- src/lib/crypto/krb/valid_cksumtype.c | 8 +- src/lib/crypto/krb/valid_enctype.c | 8 +- src/lib/crypto/krb/verify_checksum.c | 8 +- src/lib/crypto/krb/verify_checksum_iov.c | 2 +- src/lib/crypto/krb/yarrow/yarrow.c | 82 +- src/lib/crypto/krb/yarrow/yarrow.h | 4 +- src/lib/crypto/krb/yarrow/ycipher.c | 6 +- src/lib/crypto/krb/yarrow/ycipher.h | 2 +- src/lib/crypto/krb/yarrow/yexcep.h | 22 +- src/lib/crypto/krb/yarrow/ytypes.h | 2 +- src/lib/crypto/openssl/aes/aes_s2k.c | 4 +- src/lib/crypto/openssl/arcfour/arcfour-int.h | 4 +- src/lib/crypto/openssl/arcfour/arcfour.c | 3 +- src/lib/crypto/openssl/arcfour/arcfour_aead.c | 7 +- src/lib/crypto/openssl/arcfour/arcfour_s2k.c | 4 +- src/lib/crypto/openssl/des/des_int.h | 16 +- src/lib/crypto/openssl/des/des_oldapis.c | 3 +- src/lib/crypto/openssl/des/f_parity.c | 1 - src/lib/crypto/openssl/des/string2key.c | 3 +- src/lib/crypto/openssl/des/weak_key.c | 7 +- src/lib/crypto/openssl/enc_provider/aes.c | 5 +- src/lib/crypto/openssl/enc_provider/des.c | 1 - src/lib/crypto/openssl/enc_provider/des3.c | 1 - .../openssl/enc_provider/enc_provider.h | 1 - src/lib/crypto/openssl/enc_provider/rc4.c | 9 +- .../crypto/openssl/hash_provider/hash_crc32.c | 2 +- .../crypto/openssl/hash_provider/hash_md4.c | 8 +- .../crypto/openssl/hash_provider/hash_md5.c | 8 +- .../openssl/hash_provider/hash_provider.h | 8 +- .../crypto/openssl/hash_provider/hash_sha1.c | 9 +- src/lib/crypto/openssl/hmac.c | 2 +- src/lib/crypto/openssl/md4/md4.c | 1 - src/lib/crypto/openssl/md4/rsa-md4.h | 4 +- src/lib/crypto/openssl/md5/md5.c | 3 +- src/lib/crypto/openssl/pbkdf2.c | 9 +- src/lib/crypto/openssl/sha1/shs.c | 2 - src/lib/crypto/openssl/yhash.h | 3 +- src/lib/glue4.c | 2 +- src/lib/gssapi/generic/gssapi_generic.c | 1 - src/lib/gssapi/generic/oid_ops.c | 3 +- src/lib/gssapi/generic/util_buffer_set.c | 1 - src/lib/gssapi/krb5/acquire_cred.c | 1 - src/lib/gssapi/krb5/inq_context.c | 1 - src/lib/gssapi/krb5/krb5_gss_glue.c | 1 - src/lib/gssapi/krb5/naming_exts.c | 1 - src/lib/gssapi/krb5/s4u_gss_glue.c | 1 - src/lib/gssapi/krb5/seal.c | 1 - src/lib/gssapi/krb5/unseal.c | 1 - .../gssapi/mechglue/g_accept_sec_context.c | 21 +- src/lib/gssapi/mechglue/g_buffer_set.c | 1 - src/lib/gssapi/mechglue/g_compare_name.c | 14 +- src/lib/gssapi/mechglue/g_context_time.c | 10 +- src/lib/gssapi/mechglue/g_del_name_attr.c | 1 - .../gssapi/mechglue/g_delete_sec_context.c | 10 +- src/lib/gssapi/mechglue/g_dsp_status.c | 4 +- src/lib/gssapi/mechglue/g_exp_sec_context.c | 10 +- src/lib/gssapi/mechglue/g_export_name.c | 1 - src/lib/gssapi/mechglue/g_export_name_comp.c | 1 - src/lib/gssapi/mechglue/g_get_name_attr.c | 1 - src/lib/gssapi/mechglue/g_glue.c | 23 +- src/lib/gssapi/mechglue/g_imp_name.c | 5 +- src/lib/gssapi/mechglue/g_imp_sec_context.c | 10 +- src/lib/gssapi/mechglue/g_init_sec_context.c | 18 +- src/lib/gssapi/mechglue/g_initialize.c | 8 +- src/lib/gssapi/mechglue/g_inq_context.c | 9 +- src/lib/gssapi/mechglue/g_inq_context_oid.c | 1 - src/lib/gssapi/mechglue/g_inq_cred.c | 31 +- src/lib/gssapi/mechglue/g_inq_cred_oid.c | 7 +- src/lib/gssapi/mechglue/g_inq_name.c | 1 - src/lib/gssapi/mechglue/g_inq_names.c | 10 +- src/lib/gssapi/mechglue/g_map_name_to_any.c | 1 - src/lib/gssapi/mechglue/g_mech_invoke.c | 1 - src/lib/gssapi/mechglue/g_mechname.c | 5 +- src/lib/gssapi/mechglue/g_oid_ops.c | 1 - src/lib/gssapi/mechglue/g_process_context.c | 10 +- src/lib/gssapi/mechglue/g_rel_buffer.c | 4 +- src/lib/gssapi/mechglue/g_rel_cred.c | 16 +- src/lib/gssapi/mechglue/g_rel_name.c | 10 +- src/lib/gssapi/mechglue/g_rel_name_mapping.c | 1 - src/lib/gssapi/mechglue/g_rel_oid_set.c | 4 +- src/lib/gssapi/mechglue/g_seal.c | 14 +- .../gssapi/mechglue/g_set_context_option.c | 1 - src/lib/gssapi/mechglue/g_set_cred_option.c | 1 - src/lib/gssapi/mechglue/g_set_name_attr.c | 1 - src/lib/gssapi/mechglue/g_sign.c | 5 +- src/lib/gssapi/mechglue/g_unseal.c | 4 +- src/lib/gssapi/mechglue/g_unwrap_aead.c | 9 +- src/lib/gssapi/mechglue/g_unwrap_iov.c | 13 +- src/lib/gssapi/mechglue/g_userok.c | 1 - src/lib/gssapi/mechglue/g_verify.c | 4 +- src/lib/gssapi/mechglue/g_wrap_aead.c | 8 +- src/lib/gssapi/mechglue/g_wrap_iov.c | 21 +- src/lib/gssapi/mechglue/gssd_pname_to_uid.c | 7 +- src/lib/gssapi/mechglue/mechglue.h | 4 +- src/lib/gssapi/mechglue/mglueP.h | 4 +- src/lib/gssapi/spnego/spnego_mech.c | 10 +- src/lib/kadm5/admin.h | 597 +-- src/lib/kadm5/admin_internal.h | 73 +- src/lib/kadm5/admin_xdr.h | 2 +- src/lib/kadm5/alt_prof.c | 396 +- src/lib/kadm5/chpass_util.c | 385 +- src/lib/kadm5/clnt/client_handle.c | 5 +- src/lib/kadm5/clnt/client_init.c | 1307 ++--- src/lib/kadm5/clnt/client_internal.h | 57 +- src/lib/kadm5/clnt/client_principal.c | 303 +- src/lib/kadm5/clnt/client_rpc.c | 421 +- src/lib/kadm5/clnt/clnt_chpass_util.c | 19 +- src/lib/kadm5/clnt/clnt_policy.c | 73 +- src/lib/kadm5/clnt/clnt_privs.c | 19 +- src/lib/kadm5/kadm_rpc_xdr.c | 30 +- src/lib/kadm5/logger.c | 1299 ++--- src/lib/kadm5/misc_free.c | 85 +- src/lib/kadm5/server_internal.h | 149 +- src/lib/kadm5/srv/adb_xdr.c | 74 +- src/lib/kadm5/srv/server_acl.c | 1055 ++-- src/lib/kadm5/srv/server_acl.h | 129 +- src/lib/kadm5/srv/server_dict.c | 159 +- src/lib/kadm5/srv/server_handle.c | 5 +- src/lib/kadm5/srv/server_init.c | 405 +- src/lib/kadm5/srv/server_kdb.c | 314 +- src/lib/kadm5/srv/server_misc.c | 222 +- src/lib/kadm5/srv/svr_chpass_util.c | 19 +- src/lib/kadm5/srv/svr_iters.c | 332 +- src/lib/kadm5/srv/svr_policy.c | 299 +- src/lib/kadm5/srv/svr_principal.c | 2261 ++++----- src/lib/kadm5/str_conv.c | 495 +- src/lib/kadm5/unit-test/destroy-test.c | 62 +- src/lib/kadm5/unit-test/handle-test.c | 129 +- src/lib/kadm5/unit-test/init-test.c | 49 +- src/lib/kadm5/unit-test/iter-test.c | 88 +- src/lib/kadm5/unit-test/lock-test.c | 167 +- src/lib/kadm5/unit-test/randkey-test.c | 54 +- src/lib/kadm5/unit-test/setkey-test.c | 387 +- src/lib/kdb/decrypt_key.c | 125 +- src/lib/kdb/encrypt_key.c | 85 +- src/lib/kdb/iprop_xdr.c | 447 +- src/lib/kdb/kdb5.c | 997 ++-- src/lib/kdb/kdb5.h | 1 + src/lib/kdb/kdb5int.h | 11 +- src/lib/kdb/kdb_convert.c | 1503 +++--- src/lib/kdb/kdb_cpw.c | 775 ++- src/lib/kdb/kdb_default.c | 291 +- src/lib/kdb/kdb_log.c | 975 ++-- src/lib/kdb/keytab.c | 158 +- src/lib/krb5/asn.1/asn1_k_decode.c | 2 +- src/lib/krb5/asn.1/asn1_k_decode.h | 8 +- src/lib/krb5/asn.1/krb5_decode.c | 2 +- src/lib/krb5/asn.1/krb5_encode.c | 1 - src/lib/krb5/ccache/cc-int.h | 15 +- src/lib/krb5/ccache/cc_file.c | 2701 +++++----- src/lib/krb5/ccache/cc_keyring.c | 827 ++-- src/lib/krb5/ccache/cc_memory.c | 411 +- src/lib/krb5/ccache/cc_mslsa.c | 903 ++-- src/lib/krb5/ccache/cc_retr.c | 321 +- src/lib/krb5/ccache/ccapi/stdcc.c | 1662 +++---- src/lib/krb5/ccache/ccapi/stdcc.h | 177 +- src/lib/krb5/ccache/ccapi/stdcc_util.c | 665 +-- src/lib/krb5/ccache/ccapi/stdcc_util.h | 15 +- src/lib/krb5/ccache/ccapi/winccld.c | 71 +- src/lib/krb5/ccache/ccapi/winccld.h | 41 +- src/lib/krb5/ccache/ccbase.c | 229 +- src/lib/krb5/ccache/cccopy.c | 31 +- src/lib/krb5/ccache/cccursor.c | 193 +- src/lib/krb5/ccache/ccdefault.c | 63 +- src/lib/krb5/ccache/ccdefops.c | 7 +- src/lib/krb5/ccache/ccfns.c | 30 +- src/lib/krb5/ccache/fcc.h | 5 +- src/lib/krb5/ccache/scc.h | 51 +- src/lib/krb5/ccache/ser_cc.c | 183 +- src/lib/krb5/ccache/t_cc.c | 607 +-- src/lib/krb5/ccache/t_cccursor.c | 109 +- src/lib/krb5/ccache/t_memory.c | 144 +- src/lib/krb5/ccache/t_stdio.c | 167 +- src/lib/krb5/error_tables/init_ets.c | 17 +- src/lib/krb5/keytab/kt-int.h | 5 +- src/lib/krb5/keytab/kt_file.c | 1412 +++--- src/lib/krb5/keytab/kt_memory.c | 488 +- src/lib/krb5/keytab/kt_srvtab.c | 250 +- src/lib/krb5/keytab/ktadd.c | 10 +- src/lib/krb5/keytab/ktbase.c | 110 +- src/lib/krb5/keytab/ktdefault.c | 8 +- src/lib/krb5/keytab/ktfns.c | 38 +- src/lib/krb5/keytab/ktfr_entry.c | 16 +- src/lib/krb5/keytab/ktremove.c | 12 +- src/lib/krb5/keytab/read_servi.c | 44 +- src/lib/krb5/keytab/t_keytab.c | 725 +-- src/lib/krb5/krb/addr_comp.c | 15 +- src/lib/krb5/krb/addr_order.c | 21 +- src/lib/krb5/krb/addr_srch.c | 17 +- src/lib/krb5/krb/appdefault.c | 259 +- src/lib/krb5/krb/auth_con.c | 336 +- src/lib/krb5/krb/auth_con.h | 41 +- src/lib/krb5/krb/authdata.c | 13 +- src/lib/krb5/krb/authdata.h | 12 +- src/lib/krb5/krb/bld_pr_ext.c | 37 +- src/lib/krb5/krb/bld_princ.c | 95 +- src/lib/krb5/krb/brand.c | 3 +- src/lib/krb5/krb/chk_trans.c | 427 +- src/lib/krb5/krb/chpw.c | 528 +- src/lib/krb5/krb/cleanup.h | 35 +- src/lib/krb5/krb/conv_creds.c | 11 +- src/lib/krb5/krb/conv_princ.c | 427 +- src/lib/krb5/krb/copy_addrs.c | 54 +- src/lib/krb5/krb/copy_athctr.c | 62 +- src/lib/krb5/krb/copy_auth.c | 226 +- src/lib/krb5/krb/copy_cksum.c | 11 +- src/lib/krb5/krb/copy_creds.c | 43 +- src/lib/krb5/krb/copy_data.c | 39 +- src/lib/krb5/krb/copy_key.c | 5 +- src/lib/krb5/krb/copy_princ.c | 37 +- src/lib/krb5/krb/copy_tick.c | 95 +- src/lib/krb5/krb/cp_key_cnt.c | 5 +- src/lib/krb5/krb/decode_kdc.c | 40 +- src/lib/krb5/krb/decrypt_tk.c | 31 +- src/lib/krb5/krb/deltat.c | 16 +- src/lib/krb5/krb/enc_helper.c | 31 +- src/lib/krb5/krb/encode_kdc.c | 75 +- src/lib/krb5/krb/encrypt_tk.c | 27 +- src/lib/krb5/krb/fast.c | 458 +- src/lib/krb5/krb/fast.h | 29 +- src/lib/krb5/krb/free_rtree.c | 11 +- src/lib/krb5/krb/fwd_tgt.c | 191 +- src/lib/krb5/krb/gc_frm_kdc.c | 903 ++-- src/lib/krb5/krb/gc_via_tkt.c | 559 +-- src/lib/krb5/krb/gen_seqnum.c | 11 +- src/lib/krb5/krb/gen_subkey.c | 21 +- src/lib/krb5/krb/get_creds.c | 314 +- src/lib/krb5/krb/get_in_tkt.c | 1687 +++---- src/lib/krb5/krb/gic_keytab.c | 194 +- src/lib/krb5/krb/gic_opt.c | 251 +- src/lib/krb5/krb/gic_pwd.c | 810 +-- src/lib/krb5/krb/in_tkt_sky.c | 79 +- src/lib/krb5/krb/init_ctx.c | 507 +- src/lib/krb5/krb/init_keyblock.c | 15 +- src/lib/krb5/krb/int-proto.h | 60 +- src/lib/krb5/krb/kdc_rep_dc.c | 23 +- src/lib/krb5/krb/kerrs.c | 57 +- src/lib/krb5/krb/kfree.c | 354 +- src/lib/krb5/krb/mk_cred.c | 182 +- src/lib/krb5/krb/mk_error.c | 19 +- src/lib/krb5/krb/mk_priv.c | 236 +- src/lib/krb5/krb/mk_rep.c | 81 +- src/lib/krb5/krb/mk_req.c | 57 +- src/lib/krb5/krb/mk_req_ext.c | 402 +- src/lib/krb5/krb/mk_safe.c | 272 +- src/lib/krb5/krb/pac.c | 954 ++-- src/lib/krb5/krb/parse.c | 525 +- src/lib/krb5/krb/pkinit_apple_asn1.c | 701 +-- src/lib/krb5/krb/pkinit_apple_cert_store.c | 401 +- src/lib/krb5/krb/pkinit_apple_client.c | 227 +- src/lib/krb5/krb/pkinit_apple_cms.c | 623 +-- src/lib/krb5/krb/pkinit_apple_utils.c | 221 +- src/lib/krb5/krb/pr_to_salt.c | 33 +- src/lib/krb5/krb/preauth.c | 56 +- src/lib/krb5/krb/preauth2.c | 2569 +++++----- src/lib/krb5/krb/princ_comp.c | 104 +- src/lib/krb5/krb/rd_cred.c | 134 +- src/lib/krb5/krb/rd_error.c | 12 +- src/lib/krb5/krb/rd_priv.c | 294 +- src/lib/krb5/krb/rd_rep.c | 105 +- src/lib/krb5/krb/rd_req.c | 44 +- src/lib/krb5/krb/rd_req_dec.c | 786 +-- src/lib/krb5/krb/rd_safe.c | 284 +- src/lib/krb5/krb/recvauth.c | 297 +- src/lib/krb5/krb/s4u_creds.c | 6 +- src/lib/krb5/krb/send_tgs.c | 172 +- src/lib/krb5/krb/sendauth.c | 2 +- src/lib/krb5/krb/ser_actx.c | 889 ++-- src/lib/krb5/krb/ser_adata.c | 187 +- src/lib/krb5/krb/ser_addr.c | 209 +- src/lib/krb5/krb/ser_auth.c | 495 +- src/lib/krb5/krb/ser_cksum.c | 189 +- src/lib/krb5/krb/ser_ctx.c | 40 +- src/lib/krb5/krb/ser_eblk.c | 287 +- src/lib/krb5/krb/ser_key.c | 187 +- src/lib/krb5/krb/ser_princ.c | 119 +- src/lib/krb5/krb/serialize.c | 211 +- src/lib/krb5/krb/set_realm.c | 31 +- src/lib/krb5/krb/srv_dec_tkt.c | 122 +- src/lib/krb5/krb/srv_rcache.c | 37 +- src/lib/krb5/krb/str_conv.c | 219 +- src/lib/krb5/krb/strptime.c | 4 +- src/lib/krb5/krb/t_ad_fx_armor.c | 17 +- src/lib/krb5/krb/t_authdata.c | 43 +- src/lib/krb5/krb/t_deltat.c | 215 +- src/lib/krb5/krb/t_etypes.c | 3 +- src/lib/krb5/krb/t_expand.c | 1 + src/lib/krb5/krb/t_kerb.c | 253 +- src/lib/krb5/krb/t_pac.c | 96 +- src/lib/krb5/krb/t_princ.c | 8 +- src/lib/krb5/krb/t_ser.c | 955 ++-- src/lib/krb5/krb/t_walk_rtree.c | 92 +- src/lib/krb5/krb/tgtname.c | 11 +- src/lib/krb5/krb/unparse.c | 298 +- src/lib/krb5/krb/valid_times.c | 36 +- src/lib/krb5/krb/vfy_increds.c | 415 +- src/lib/krb5/krb/vic_opt.c | 7 +- src/lib/krb5/krb/walk_rtree.c | 221 +- src/lib/krb5/krb5_libinit.c | 13 +- src/lib/krb5/krb5_libinit.h | 1 + src/lib/krb5/os/accessor.c | 155 +- src/lib/krb5/os/an_to_ln.c | 922 ++-- src/lib/krb5/os/c_ustime.c | 37 +- src/lib/krb5/os/ccdefname.c | 279 +- src/lib/krb5/os/changepw.c | 447 +- src/lib/krb5/os/def_realm.c | 48 +- src/lib/krb5/os/dnsglue.c | 163 +- src/lib/krb5/os/dnsglue.h | 29 +- src/lib/krb5/os/dnssrv.c | 153 +- src/lib/krb5/os/free_hstrl.c | 9 +- src/lib/krb5/os/free_krbhs.c | 13 +- src/lib/krb5/os/full_ipadr.c | 15 +- src/lib/krb5/os/gen_port.c | 9 +- src/lib/krb5/os/gen_rname.c | 11 +- src/lib/krb5/os/genaddrs.c | 107 +- src/lib/krb5/os/get_krbhst.c | 65 +- src/lib/krb5/os/hostaddr.c | 120 +- src/lib/krb5/os/hst_realm.c | 309 +- src/lib/krb5/os/init_os_ctx.c | 51 +- src/lib/krb5/os/krbfileio.c | 10 +- src/lib/krb5/os/ktdefname.c | 52 +- src/lib/krb5/os/kuserok.c | 83 +- src/lib/krb5/os/localaddr.c | 1377 +++--- src/lib/krb5/os/locate_kdc.c | 707 +-- src/lib/krb5/os/lock_file.c | 53 +- src/lib/krb5/os/mk_faddr.c | 13 +- src/lib/krb5/os/net_read.c | 39 +- src/lib/krb5/os/net_write.c | 53 +- src/lib/krb5/os/os-proto.h | 29 +- src/lib/krb5/os/osconfig.c | 6 +- src/lib/krb5/os/port2ip.c | 19 +- src/lib/krb5/os/prompter.c | 313 +- src/lib/krb5/os/read_msg.c | 57 +- src/lib/krb5/os/read_pwd.c | 201 +- src/lib/krb5/os/realm_dom.c | 7 +- src/lib/krb5/os/realm_iter.c | 13 +- src/lib/krb5/os/sendto_kdc.c | 1373 ++--- src/lib/krb5/os/sn2princ.c | 202 +- src/lib/krb5/os/t_an_to_ln.c | 53 +- src/lib/krb5/os/t_gifconf.c | 81 +- src/lib/krb5/os/t_locate_kdc.c | 87 +- src/lib/krb5/os/t_realm_iter.c | 29 +- src/lib/krb5/os/t_std_conf.c | 377 +- src/lib/krb5/os/thread_safe.c | 5 +- src/lib/krb5/os/timeofday.c | 17 +- src/lib/krb5/os/toffset.c | 21 +- src/lib/krb5/os/unlck_file.c | 5 +- src/lib/krb5/os/ustime.c | 35 +- src/lib/krb5/os/write_msg.c | 49 +- src/lib/krb5/posix/syslog.c | 3 +- src/lib/krb5/rcache/rc-int.h | 22 +- src/lib/krb5/rcache/rc_base.c | 2 +- src/lib/krb5/rcache/rc_base.h | 2 +- src/lib/krb5/rcache/rc_conv.c | 2 +- src/lib/krb5/rcache/rc_dfl.c | 2 +- src/lib/krb5/rcache/rc_dfl.h | 56 +- src/lib/krb5/rcache/rc_io.c | 14 +- src/lib/krb5/rcache/rc_io.h | 74 +- src/lib/krb5/rcache/rc_none.c | 2 +- src/lib/krb5/rcache/rcdef.c | 2 +- src/lib/krb5/rcache/rcfns.c | 2 +- src/lib/krb5/rcache/ser_rc.c | 8 +- src/lib/krb5/rcache/t_replay.c | 2 +- src/lib/krb5/unicode/ucdata/ucdata.c | 10 +- src/lib/krb5/unicode/ucdata/ucdata.h | 8 +- src/lib/krb5/unicode/ucdata/ucgendat.c | 20 +- src/lib/krb5/unicode/ucdata/uctable.h | 1 - src/lib/krb5/unicode/ucstr.c | 14 +- src/lib/krb5/unicode/utbm/utbmstub.c | 2 +- src/lib/rpc/auth_gss.c | 96 +- src/lib/rpc/auth_gssapi.c | 180 +- src/lib/rpc/auth_gssapi_misc.c | 66 +- src/lib/rpc/auth_none.c | 20 +- src/lib/rpc/auth_unix.c | 16 +- src/lib/rpc/authgss_prot.c | 36 +- src/lib/rpc/authunix_prot.c | 11 +- src/lib/rpc/bindresvport.c | 10 +- src/lib/rpc/clnt_generic.c | 16 +- src/lib/rpc/clnt_perror.c | 54 +- src/lib/rpc/clnt_raw.c | 16 +- src/lib/rpc/clnt_simple.c | 18 +- src/lib/rpc/clnt_tcp.c | 16 +- src/lib/rpc/clnt_udp.c | 40 +- src/lib/rpc/dyn.c | 46 +- src/lib/rpc/dyn.h | 2 +- src/lib/rpc/dynP.h | 2 +- src/lib/rpc/dyntest.c | 18 +- src/lib/rpc/get_myaddress.c | 14 +- src/lib/rpc/getrpcent.c | 10 +- src/lib/rpc/getrpcport.c | 10 +- src/lib/rpc/gssrpcint.h | 4 +- src/lib/rpc/pmap_clnt.c | 10 +- src/lib/rpc/pmap_getmaps.c | 10 +- src/lib/rpc/pmap_getport.c | 10 +- src/lib/rpc/pmap_prot.c | 14 +- src/lib/rpc/pmap_prot2.c | 22 +- src/lib/rpc/pmap_rmt.c | 21 +- src/lib/rpc/rpc_callmsg.c | 15 +- src/lib/rpc/rpc_commondata.c | 10 +- src/lib/rpc/rpc_dtablesize.c | 18 +- src/lib/rpc/rpc_prot.c | 18 +- src/lib/rpc/svc.c | 56 +- src/lib/rpc/svc_auth.c | 14 +- src/lib/rpc/svc_auth_gss.c | 76 +- src/lib/rpc/svc_auth_gssapi.c | 120 +- src/lib/rpc/svc_auth_none.c | 4 +- src/lib/rpc/svc_auth_unix.c | 14 +- src/lib/rpc/svc_raw.c | 14 +- src/lib/rpc/svc_run.c | 10 +- src/lib/rpc/svc_simple.c | 17 +- src/lib/rpc/svc_tcp.c | 23 +- src/lib/rpc/svc_udp.c | 41 +- src/lib/rpc/unit-test/client.c | 19 +- src/lib/rpc/unit-test/server.c | 24 +- src/lib/rpc/xdr.c | 24 +- src/lib/rpc/xdr_alloc.c | 12 +- src/lib/rpc/xdr_array.c | 17 +- src/lib/rpc/xdr_float.c | 10 +- src/lib/rpc/xdr_mem.c | 12 +- src/lib/rpc/xdr_rec.c | 28 +- src/lib/rpc/xdr_reference.c | 10 +- src/lib/rpc/xdr_sizeof.c | 10 +- src/lib/rpc/xdr_stdio.c | 16 +- src/lib/win_glue.c | 18 +- src/patchlevel.h | 2 +- src/plugins/authdata/greet/greet_auth.c | 4 +- .../authdata/greet_server/greet_auth.c | 4 +- src/plugins/kdb/db2/adb_openclose.c | 28 +- src/plugins/kdb/db2/adb_policy.c | 34 +- src/plugins/kdb/db2/db2_exp.c | 8 +- src/plugins/kdb/db2/kdb_db2.c | 3 +- src/plugins/kdb/db2/kdb_db2.h | 54 +- src/plugins/kdb/db2/kdb_ext.c | 1 - src/plugins/kdb/db2/kdb_xdr.c | 58 +- src/plugins/kdb/db2/libdb2/btree/bt_delete.c | 8 +- src/plugins/kdb/db2/libdb2/btree/bt_open.c | 2 +- src/plugins/kdb/db2/libdb2/btree/bt_seq.c | 4 +- src/plugins/kdb/db2/libdb2/hash/hash.c | 16 +- src/plugins/kdb/db2/libdb2/hash/hash.h | 2 +- src/plugins/kdb/db2/libdb2/hash/hash_bigkey.c | 2 +- src/plugins/kdb/db2/libdb2/hash/hash_page.c | 28 +- src/plugins/kdb/db2/libdb2/hash/page.h | 4 +- src/plugins/kdb/db2/libdb2/include/db-queue.h | 2 +- src/plugins/kdb/db2/libdb2/include/db.hin | 2 +- src/plugins/kdb/db2/libdb2/mpool/mpool.c | 10 +- src/plugins/kdb/db2/libdb2/recno/rec_put.c | 2 +- src/plugins/kdb/db2/libdb2/recno/rec_search.c | 2 +- src/plugins/kdb/db2/libdb2/recno/rec_seq.c | 2 +- src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c | 14 +- .../kdb/db2/libdb2/test/btree.tests/main.c | 2 +- src/plugins/kdb/db2/libdb2/test/dbtest.c | 16 +- .../kdb/db2/libdb2/test/hash1.tests/driver2.c | 3 - .../kdb/db2/libdb2/test/hash1.tests/tcreat3.c | 2 +- .../kdb/db2/libdb2/test/hash1.tests/tdel.c | 4 +- .../kdb/db2/libdb2/test/hash1.tests/thash4.c | 10 +- .../kdb/db2/libdb2/test/hash1.tests/tseq.c | 2 +- .../kdb/db2/libdb2/test/hash2.tests/bigtest.c | 11 +- .../db2/libdb2/test/hash2.tests/passtest.c | 26 +- .../libdb2/test/hash2.tests/passwd/genpass.c | 3 +- src/plugins/kdb/db2/lockout.c | 1 - src/plugins/kdb/db2/pol_xdr.c | 14 +- src/plugins/kdb/db2/policy_db.h | 2 +- src/plugins/kdb/hdb/hdb.h | 54 +- src/plugins/kdb/hdb/kdb_hdb.c | 3 +- src/plugins/kdb/hdb/kdb_hdb.h | 1 - src/plugins/kdb/hdb/kdb_marshal.c | 3 +- src/plugins/kdb/hdb/kdb_windc.c | 3 +- src/plugins/kdb/hdb/windc_plugin.h | 57 +- .../kdb/ldap/ldap_util/kdb5_ldap_list.c | 1 - .../kdb/ldap/ldap_util/kdb5_ldap_list.h | 27 +- .../kdb/ldap/ldap_util/kdb5_ldap_policy.c | 10 +- .../kdb/ldap/ldap_util/kdb5_ldap_realm.c | 12 +- .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 2 +- .../kdb/ldap/ldap_util/kdb5_ldap_services.h | 1 - .../kdb/ldap/ldap_util/kdb5_ldap_util.h | 4 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c | 1 - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 4 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 16 +- .../kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 4 +- .../kdb/ldap/libkdb_ldap/ldap_create.c | 4 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c | 2 +- .../kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c | 1 - .../kdb/ldap/libkdb_ldap/ldap_handle.c | 1 - .../kdb/ldap/libkdb_ldap/ldap_handle.h | 2 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h | 10 +- .../kdb/ldap/libkdb_ldap/ldap_principal.c | 6 +- .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 27 +- .../kdb/ldap/libkdb_ldap/ldap_pwd_policy.h | 4 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 12 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h | 6 +- .../ldap/libkdb_ldap/ldap_service_rights.c | 14 +- .../kdb/ldap/libkdb_ldap/ldap_service_stash.h | 5 +- .../kdb/ldap/libkdb_ldap/ldap_services.h | 2 +- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h | 2 +- src/plugins/locate/python/py-locate.c | 2 +- .../preauth/cksum_body/cksum_body_main.c | 2 +- .../encrypted_challenge_main.c | 29 +- src/plugins/preauth/fast_factor.h | 2 +- src/plugins/preauth/pkinit/pkinit.h | 12 +- src/plugins/preauth/pkinit/pkinit_clnt.c | 20 +- src/plugins/preauth/pkinit/pkinit_crypto.h | 24 +- .../preauth/pkinit/pkinit_crypto_openssl.c | 90 +- src/plugins/preauth/pkinit/pkinit_identity.c | 5 +- src/plugins/preauth/pkinit/pkinit_matching.c | 10 +- src/plugins/preauth/pkinit/pkinit_srv.c | 44 +- src/prototype/getopt.c | 24 +- src/slave/kprop.c | 70 +- src/slave/kprop.h | 4 +- src/slave/kpropd.c | 66 +- src/tests/asn.1/krb5_decode_leak.c | 78 +- src/tests/asn.1/krb5_decode_test.c | 88 +- src/tests/asn.1/krb5_encode_test.c | 98 +- src/tests/asn.1/ktest.c | 28 +- src/tests/asn.1/t_trval.c | 12 +- src/tests/asn.1/trval.c | 89 +- src/tests/asn.1/utility.c | 4 +- src/tests/create/kdb5_mkdums.c | 35 +- src/tests/dejagnu/t_inetd.c | 9 +- src/tests/dump.c | 6 +- src/tests/gss-threads/gss-client.c | 34 +- src/tests/gss-threads/gss-misc.c | 36 +- src/tests/gss-threads/gss-misc.h | 4 +- src/tests/gss-threads/gss-server.c | 34 +- src/tests/gssapi/t_imp_name.c | 17 +- src/tests/gssapi/t_namingexts.c | 1 - src/tests/gssapi/t_s4u.c | 1 - src/tests/hammer/kdc5_hammer.c | 46 +- src/tests/misc/test_getsockname.c | 12 +- src/tests/misc/test_nfold.c | 8 +- src/tests/resolve/addrinfo-test.c | 6 +- src/tests/resolve/resolve.c | 26 +- src/tests/test1.c | 20 +- src/tests/threads/gss-perf.c | 2 +- src/tests/threads/t_rcache.c | 6 +- src/tests/verify/kdb5_verify.c | 35 +- src/util/et/com_err.c | 4 +- src/util/et/com_err.h | 2 +- src/util/et/error_message.c | 4 +- src/util/et/et_name.c | 2 +- src/util/et/init_et.c | 10 +- src/util/et/mit-sipb-copyright.h | 1 - src/util/exitsleep.c | 2 +- src/util/mac/k5_mig_client.c | 256 +- src/util/mac/k5_mig_server.c | 210 +- src/util/mac/k5_mig_server.h | 4 +- src/util/mac/k5_mig_types.h | 14 +- src/util/profile/argv_parse.c | 4 +- src/util/profile/argv_parse.h | 6 +- src/util/profile/prof_FSp_glue.c | 16 +- src/util/profile/prof_file.c | 8 +- src/util/profile/prof_get.c | 30 +- src/util/profile/prof_init.c | 33 +- src/util/profile/prof_int.h | 10 +- src/util/profile/prof_parse.c | 8 +- src/util/profile/prof_set.c | 37 +- src/util/profile/prof_tree.c | 28 +- src/util/profile/profile.hin | 10 +- src/util/profile/profile_tcl.c | 187 +- src/util/profile/test_parse.c | 6 +- src/util/profile/test_profile.c | 12 +- src/util/ss/copyright.h | 1 - src/util/ss/error.c | 4 +- src/util/ss/invocation.c | 2 +- src/util/ss/list_rqs.c | 2 +- src/util/ss/listen.c | 6 +- src/util/ss/mit-sipb-copyright.h | 1 - src/util/ss/pager.c | 4 +- src/util/ss/parse.c | 2 +- src/util/support/cache-addrinfo.h | 54 +- src/util/support/errors.c | 14 +- src/util/support/fake-addrinfo.c | 56 +- src/util/support/init-addrinfo.c | 54 +- src/util/support/ipc_stream.c | 182 +- src/util/support/plugins.c | 164 +- src/util/support/printf.c | 4 +- src/util/support/supp-int.h | 4 +- src/util/support/threads.c | 14 +- src/util/support/utf8.c | 6 +- src/util/support/utf8_conv.c | 25 +- src/util/windows/getopt_long.c | 8 +- src/wconfig.c | 14 +- src/windows/cns/cns.c | 58 +- src/windows/cns/cns_reg.c | 6 +- src/windows/cns/debug.c | 3 +- src/windows/cns/kpasswd.c | 2 +- src/windows/cns/krbini.h | 2 +- src/windows/cns/options.c | 4 +- src/windows/cns/tktlist.c | 40 +- src/windows/cns/tktlist.h | 4 +- src/windows/gina/ginastub.c | 17 +- src/windows/gss/gss-client.c | 44 +- src/windows/gss/gss-misc.c | 41 +- src/windows/gss/gss-misc.h | 4 +- src/windows/gss/gss.c | 44 +- src/windows/gss/gss.h | 14 +- src/windows/gss/resource.h | 2 +- .../identity/config/netidmgr_intver.h.in | 3 +- .../identity/config/netidmgr_version.h.in | 1 - src/windows/identity/doc/cred_aquisition.h | 2 +- src/windows/identity/doc/cred_data_types.h | 2 +- src/windows/identity/doc/main_page.h | 6 +- src/windows/identity/doc/plugin_framework.h | 2 +- src/windows/identity/doc/plugin_locale.h | 4 +- src/windows/identity/doc/plugin_main.h | 2 - src/windows/identity/doc/ui_context.h | 2 +- src/windows/identity/include/khdefs.h | 6 +- src/windows/identity/include/kherror.h | 2 +- src/windows/identity/include/khmsgtypes.h | 14 +- src/windows/identity/kconfig/api.c | 196 +- src/windows/identity/kconfig/kconfig.h | 118 +- src/windows/identity/kconfig/registry.c | 1 - src/windows/identity/kconfig/test/utiltest.c | 2 +- src/windows/identity/kcreddb/attrib.c | 110 +- src/windows/identity/kcreddb/buf.c | 23 +- src/windows/identity/kcreddb/credential.c | 90 +- src/windows/identity/kcreddb/credset.c | 96 +- src/windows/identity/kcreddb/credtype.c | 24 +- src/windows/identity/kcreddb/credtype.h | 2 +- src/windows/identity/kcreddb/identity.c | 146 +- src/windows/identity/kcreddb/kcreddb.h | 472 +- src/windows/identity/kcreddb/langres.h | 2 +- src/windows/identity/kcreddb/resource.h | 2 +- src/windows/identity/kcreddb/type.c | 108 +- src/windows/identity/kcreddb/type.h | 56 +- src/windows/identity/kherr/kherr.c | 33 +- src/windows/identity/kherr/kherr.h | 36 +- src/windows/identity/kmm/kmm.h | 84 +- src/windows/identity/kmm/kmm_module.c | 46 +- src/windows/identity/kmm/kmm_plugin.c | 33 +- src/windows/identity/kmm/kmm_reg.c | 38 +- src/windows/identity/kmm/kmm_registrar.c | 44 +- src/windows/identity/kmm/kmminternal.h | 26 +- src/windows/identity/kmm/kmmmain.c | 11 +- src/windows/identity/kmm/kplugin.h | 2 +- src/windows/identity/kmq/consumer.c | 16 +- src/windows/identity/kmq/init.c | 4 +- src/windows/identity/kmq/kmq.h | 100 +- src/windows/identity/kmq/kmqinternal.h | 8 +- src/windows/identity/kmq/msgtype.c | 8 +- src/windows/identity/kmq/publisher.c | 111 +- src/windows/identity/nidmgrdll/dllmain.c | 2 +- .../identity/plugins/common/dynimport.c | 12 +- .../identity/plugins/common/krb5common.c | 68 +- .../identity/plugins/common/krb5common.h | 6 +- .../identity/plugins/krb4/errorfuncs.c | 11 +- .../identity/plugins/krb4/errorfuncs.h | 2 +- .../identity/plugins/krb4/krb4configdlg.c | 14 +- src/windows/identity/plugins/krb4/krb4funcs.c | 76 +- src/windows/identity/plugins/krb4/krb4funcs.h | 6 +- .../identity/plugins/krb4/krb4newcreds.c | 4 +- .../identity/plugins/krb4/krb4plugin.c | 32 +- src/windows/identity/plugins/krb4/krbcred.h | 4 +- src/windows/identity/plugins/krb4/langres.h | 2 +- src/windows/identity/plugins/krb5/datarep.c | 13 +- .../identity/plugins/krb5/errorfuncs.c | 14 +- .../identity/plugins/krb5/errorfuncs.h | 8 +- .../identity/plugins/krb5/krb5configcc.c | 8 +- .../identity/plugins/krb5/krb5configdlg.c | 42 +- .../identity/plugins/krb5/krb5configid.c | 2 +- .../identity/plugins/krb5/krb5configids.c | 7 +- src/windows/identity/plugins/krb5/krb5funcs.c | 124 +- src/windows/identity/plugins/krb5/krb5funcs.h | 20 +- .../identity/plugins/krb5/krb5identpro.c | 44 +- src/windows/identity/plugins/krb5/krb5main.c | 10 +- .../identity/plugins/krb5/krb5newcreds.c | 186 +- .../identity/plugins/krb5/krb5plugin.c | 18 +- src/windows/identity/plugins/krb5/krb5props.c | 15 +- src/windows/identity/plugins/krb5/krbcred.h | 32 +- src/windows/identity/plugins/krb5/langres.h | 2 +- .../sample/templates/credprov/langres.h | 2 +- .../sample/templates/credprov/proppage.c | 1 - src/windows/identity/ui/aboutwnd.c | 2 +- src/windows/identity/ui/addrchange.c | 2 +- src/windows/identity/ui/cfg_general_wnd.c | 2 +- src/windows/identity/ui/cfg_identities_wnd.c | 34 +- src/windows/identity/ui/cfg_notif_wnd.c | 18 +- src/windows/identity/ui/cfg_plugins_wnd.c | 10 +- src/windows/identity/ui/configwnd.c | 26 +- src/windows/identity/ui/configwnd.h | 2 +- src/windows/identity/ui/credfuncs.c | 66 +- src/windows/identity/ui/credfuncs.h | 20 +- src/windows/identity/ui/credwnd.c | 300 +- src/windows/identity/ui/debugfuncs.c | 2 +- src/windows/identity/ui/htwnd.c | 24 +- src/windows/identity/ui/main.c | 16 +- src/windows/identity/ui/mainmenu.c | 86 +- src/windows/identity/ui/mainwnd.c | 88 +- src/windows/identity/ui/mainwnd.h | 2 +- src/windows/identity/ui/newcredwnd.c | 146 +- src/windows/identity/ui/notifier.c | 53 +- src/windows/identity/ui/notifier.h | 8 +- src/windows/identity/ui/passwnd.c | 16 +- src/windows/identity/ui/propertywnd.c | 12 +- src/windows/identity/ui/reqdaemon.c | 6 +- src/windows/identity/ui/resource.h | 2 +- src/windows/identity/ui/statusbar.c | 6 +- src/windows/identity/ui/timer.c | 46 +- src/windows/identity/ui/timer.h | 2 +- src/windows/identity/ui/toolbar.c | 78 +- src/windows/identity/uilib/action.c | 58 +- src/windows/identity/uilib/alert.c | 64 +- src/windows/identity/uilib/configui.c | 36 +- src/windows/identity/uilib/creddlg.c | 112 +- src/windows/identity/uilib/intalert.h | 6 +- src/windows/identity/uilib/khaction.h | 32 +- src/windows/identity/uilib/khactiondef.h | 2 +- src/windows/identity/uilib/khalerts.h | 62 +- src/windows/identity/uilib/khconfigui.h | 16 +- src/windows/identity/uilib/khhtlink.h | 4 +- src/windows/identity/uilib/khnewcred.h | 92 +- src/windows/identity/uilib/khprops.h | 18 +- src/windows/identity/uilib/khremote.h | 4 +- src/windows/identity/uilib/khrescache.h | 28 +- src/windows/identity/uilib/khtracker.h | 2 +- src/windows/identity/uilib/propsheet.c | 20 +- src/windows/identity/uilib/rescache.c | 62 +- src/windows/identity/uilib/trackerwnd.c | 39 +- src/windows/identity/uilib/uibind.c | 3 - src/windows/identity/util/hashtable.c | 8 +- src/windows/identity/util/hashtable.h | 4 +- src/windows/identity/util/mstring.c | 44 +- src/windows/identity/util/mstring.h | 46 +- src/windows/identity/util/perfstat.c | 2 +- src/windows/identity/util/sync.c | 4 +- src/windows/kfwlogon/kfwcommon.c | 86 +- src/windows/kfwlogon/kfwcpcc.c | 2 - src/windows/kfwlogon/kfwlogon.c | 82 +- src/windows/kfwlogon/kfwlogon.h | 4 +- src/windows/lib/cacheapi.h | 98 +- src/windows/lib/registry.c | 4 +- src/windows/lib/vardlg.c | 6 +- src/windows/ms2mit/mit2ms.c | 6 +- src/windows/ms2mit/ms2mit.c | 8 +- src/windows/ntsecapitest.c | 4 +- src/windows/winlevel.h | 6 +- src/windows/wintel/auth.c | 46 +- src/windows/wintel/edit.c | 58 +- src/windows/wintel/emul.c | 230 +- src/windows/wintel/enc_des.c | 6 +- src/windows/wintel/encrypt.c | 20 +- src/windows/wintel/font.c | 10 +- src/windows/wintel/intern.c | 44 +- src/windows/wintel/k5stream.c | 21 +- src/windows/wintel/negotiat.c | 46 +- src/windows/wintel/resource.h | 2 +- src/windows/wintel/screen.c | 44 +- src/windows/wintel/screen.h | 6 +- src/windows/wintel/telnet.c | 190 +- src/windows/wintel/telopts.h | 8 +- 1249 files changed, 66004 insertions(+), 66050 deletions(-) diff --git a/src/appl/bsd/defines.h b/src/appl/bsd/defines.h index d04182bb9..b565cd87d 100644 --- a/src/appl/bsd/defines.h +++ b/src/appl/bsd/defines.h @@ -48,7 +48,7 @@ extern void rcmd_stream_init_normal(void); extern char *strsave(const char *sp); #endif -krb5_error_code rd_and_store_for_creds(krb5_context context, +krb5_error_code rd_and_store_for_creds(krb5_context context, krb5_auth_context auth_context, krb5_data *inbuf, krb5_ticket *ticket, krb5_ccache *ccache); @@ -65,20 +65,20 @@ extern int setenv(char *, char *, int); #ifdef KRB_DEFS krb5_error_code krb5_compat_recvauth(krb5_context, krb5_auth_context *, - krb5_pointer, char *, krb5_principal, + krb5_pointer, char *, krb5_principal, krb5_int32, krb5_keytab, krb5_int32, char *, char *, - struct sockaddr_in *, + struct sockaddr_in *, struct sockaddr_in *, char *, - krb5_ticket **, krb5_int32 *, + krb5_ticket **, krb5_int32 *, AUTH_DAT **, Key_schedule, char *); krb5_error_code krb5_compat_recvauth_version(krb5_context, krb5_auth_context *, - krb5_pointer, krb5_principal, krb5_int32, + krb5_pointer, krb5_principal, krb5_int32, krb5_keytab, krb5_int32, char *, char *, struct sockaddr_in *, struct sockaddr_in *, - char *, krb5_ticket **, krb5_int32*, + char *, krb5_ticket **, krb5_int32*, AUTH_DAT **, Key_schedule, krb5_data *); #endif diff --git a/src/appl/bsd/forward.c b/src/appl/bsd/forward.c index 1ac2a2a2e..ad0680cd7 100644 --- a/src/appl/bsd/forward.c +++ b/src/appl/bsd/forward.c @@ -45,19 +45,19 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache) *ccache = NULL; retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL); - if (retval) + if (retval) return(retval); - /* Set the KRB5CCNAME ENV variable to keep sessions - * seperate. Use the process id of this process which is + /* Set the KRB5CCNAME ENV variable to keep sessions + * seperate. Use the process id of this process which is * the rlogind or rshd. Set the environment variable as well. */ - + snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_p%ld", (long) getpid()); setenv("KRB5CCNAME", ccname, 1); - + retval = krb5_cc_resolve(context, ccname, ccache); - if (retval) + if (retval) goto cleanup; retval = krb5_cc_initialize(context, *ccache, ticket->enc_part2->client); @@ -65,7 +65,7 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache) goto cleanup; retval = krb5_cc_store_cred(context, *ccache, *creds); - if (retval) + if (retval) goto cleanup; cleanup: diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c index 16c8e0438..276c7038f 100644 --- a/src/appl/bsd/kcmd.c +++ b/src/appl/bsd/kcmd.c @@ -21,14 +21,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -39,14 +39,14 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ /* derived from @(#)rcmd.c 5.17 (Berkeley) 6/27/88 */ - + #ifdef HAVE_UNISTD_H #include #endif @@ -63,7 +63,7 @@ #define _TYPES_ #endif #include - + #ifndef MAXPATHLEN #define MAXPATHLEN 1024 #endif @@ -80,7 +80,7 @@ #define sigmask(m) (1 << ((m)-1)) #endif #endif - + #ifndef roundup #define roundup(x,y) ((((x)+(y)-1)/(y))*(y)) #endif @@ -110,7 +110,7 @@ char *default_service = "host"; * Note that the encrypted rlogin packets take the form of a four-byte * length followed by encrypted data. On writing the data out, a significant * performance penalty is suffered (at least one RTT per character, two if we - * are waiting for a shell to echo) by writing the data separately from the + * are waiting for a shell to echo) by writing the data separately from the * length. So, unlike the input buffer, which just contains the output * data, the output buffer represents the entire packet. */ @@ -132,7 +132,7 @@ static char storage[2*RCMD_BUFSIZ]; /* storage for the decryption */ static size_t nstored = 0; static char *store_ptr = storage; static int twrite(int, char *, size_t, int); -static int v5_des_read(int, char *, size_t, int), +static int v5_des_read(int, char *, size_t, int), v5_des_write(int, char *, size_t, int); static int do_lencheck; @@ -405,9 +405,9 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, } cksumdat.data = cksumbuf; cksumdat.length = strlen(cksumbuf); - + block_urgent(&oldmask); - + if (!laddr) laddr = &local_laddr; if (kcmd_connect(&s, &addrfamily, &sockin, *ahost, &host_save, rport, 0, laddr) == -1) { restore_sigs(&oldmask); @@ -416,7 +416,7 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, *ahost = host_save; /* If no service is given set to the default service */ if (!service) service = default_service; - + if (!(get_cred = (krb5_creds *)calloc(1, sizeof(krb5_creds)))) { fprintf(stderr,"kcmd: no memory\n"); return(-1); @@ -433,7 +433,7 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, status = krb5_set_principal_realm(bsd_context, get_cred->server, realm); if (status) { - fprintf(stderr, "kcmd: krb5_set_principal_realm failed %s\n", + fprintf(stderr, "kcmd: krb5_set_principal_realm failed %s\n", error_message(status)); return(-1); } @@ -470,12 +470,12 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, authopts &= (~OPTS_FORWARD_CREDS); authopts &= (~OPTS_FORWARDABLE_CREDS); - if (krb5_auth_con_init(bsd_context, &auth_context)) + if (krb5_auth_con_init(bsd_context, &auth_context)) goto bad2; if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 ) goto bad2; - if (krb5_auth_con_setflags(bsd_context, auth_context, + if (krb5_auth_con_setflags(bsd_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME)) goto bad2; @@ -523,7 +523,7 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, if (!suppress_err) { fprintf(stderr, "Server returned error code %d (%s)\n", error->error, - error_message(ERROR_TABLE_BASE_krb5 + + error_message(ERROR_TABLE_BASE_krb5 + (int) error->error)); if (error->text.length) { fprintf(stderr, "Error text sent from server: %s\n", @@ -533,17 +533,17 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, krb5_free_error(bsd_context, error); error = 0; } - } + } if (status) goto bad2; if (rep_ret && server_seqno) { *server_seqno = rep_ret->seq_number; krb5_free_ap_rep_enc_part(bsd_context, rep_ret); } - + (void) write(s, remuser, strlen(remuser)+1); (void) write(s, cmd, strlen(cmd)+1); (void) write(s, locuser, strlen(locuser)+1); - + if (options & OPTS_FORWARD_CREDS) { /* Forward credentials */ status = krb5_fwd_tgt_creds(bsd_context, auth_context, host_save, @@ -589,13 +589,13 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, restore_sigs(&oldmask); *sock = s; *protonump = protonum; - + /* pass back credentials if wanted */ if (cred) krb5_copy_creds(bsd_context, ret_cred, cred); krb5_free_creds(bsd_context, ret_cred); if (authconp) *authconp = auth_context; - + return (0); bad2: if (lport) @@ -723,7 +723,7 @@ void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client, use_ivecs = 1; switch (in_keyblock->enctype) { - /* + /* * For the DES-based enctypes and the 3DES enctype we want to use * a non-zero IV because that's what we did. In the future we * use different keyusage for each channel and direction and a fresh @@ -733,7 +733,7 @@ void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client, case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES3_CBC_SHA1: - + status = krb5_c_block_size(bsd_context, keyblock->enctype, &blocksize); if (status) { @@ -829,7 +829,7 @@ static int v5_des_read(fd, buf, len, secondary) krb5_error_code ret; krb5_data plain; krb5_enc_data cipher; - + if (nstored >= len) { memcpy(buf, store_ptr, len); store_ptr += len; @@ -991,7 +991,7 @@ strsave(sp) const char *sp; { register char *ret; - + if((ret = strdup(sp)) == NULL) { fprintf(stderr, "no memory for saving args\n"); exit(1); @@ -1002,7 +1002,7 @@ strsave(sp) /* Server side authentication, etc */ -int princ_maps_to_lname(principal, luser) +int princ_maps_to_lname(principal, luser) krb5_principal principal; char *luser; { @@ -1020,7 +1020,7 @@ int default_realm(principal) { char *def_realm; int retval; - + if ((retval = krb5_get_default_realm(bsd_context, &def_realm))) { return 0; } @@ -1029,7 +1029,7 @@ int default_realm(principal) def_realm)) { free(def_realm); return 0; - } + } free(def_realm); return 1; } diff --git a/src/appl/bsd/krcp.c b/src/appl/bsd/krcp.c index eed615ffa..0d9089a47 100644 --- a/src/appl/bsd/krcp.c +++ b/src/appl/bsd/krcp.c @@ -47,9 +47,9 @@ char copyright[] = #include #include #include - + #include - + #include #include #include @@ -71,7 +71,7 @@ char copyright[] = #include "defines.h" #define RCP_BUFSIZ 4096 - + int sock; char *krb_realm = NULL; char *krb_cache = NULL; @@ -86,9 +86,9 @@ char *strsave(); #endif int rcmd_stream_write(), rcmd_stream_read(); void usage(void), sink(int, char **), - source(int, char **), rsource(char *, struct stat *), verifydir(char *), + source(int, char **), rsource(char *, struct stat *), verifydir(char *), answer_auth(char *, char *); -int response(void), hosteq(char *, char *), okname(char *), +int response(void), hosteq(char *, char *), okname(char *), susystem(char *); int encryptflag = 0; @@ -118,7 +118,7 @@ struct buffer { struct buffer *allocbuf(struct buffer *, int, int); #define NULLBUF (struct buffer *) 0 - + void error (char *fmt, ...) #if !defined (__cplusplus) && (__GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)) __attribute__ ((__format__ (__printf__, 1, 2))) @@ -143,7 +143,7 @@ int main(argc, argv) #endif #ifdef KERBEROS krb5_flags authopts; - krb5_error_code status; + krb5_error_code status; int euid; char **orig_argv = save_argv(argc, argv); krb5_auth_context auth_context; @@ -161,19 +161,19 @@ int main(argc, argv) fprintf(stderr, "who are you?\n"); exit(1); } - + for (argc--, argv++; argc > 0 && **argv == '-'; argc--, argv++) { (*argv)++; while (**argv) switch (*(*argv)++) { - + case 'r': iamrecursive++; break; - + case 'p': /* preserve mtimes and atimes */ pflag++; break; - + case 'D': argc--, argv++; if (argc == 0) @@ -191,7 +191,7 @@ int main(argc, argv) break; case 'k': /* Change kerberos realm */ argc--, argv++; - if (argc == 0) + if (argc == 0) usage(); if(!(krb_realm = strdup(*argv))){ fprintf(stderr, "rcp: Cannot malloc.\n"); @@ -200,7 +200,7 @@ int main(argc, argv) goto next_arg; case 'c': /* Change default ccache file */ argc--, argv++; - if (argc == 0) + if (argc == 0) usage(); if(!(krb_cache = strdup(*argv))){ fprintf(stderr, "rcp: Cannot malloc.\n"); @@ -209,7 +209,7 @@ int main(argc, argv) goto next_arg; case 'C': /* Change default config file */ argc--, argv++; - if (argc == 0) + if (argc == 0) usage(); if(!(krb_config = strdup(*argv))){ fprintf(stderr, "rcp: Cannot malloc.\n"); @@ -229,7 +229,7 @@ int main(argc, argv) case 'd': targetshouldbedirectory = 1; break; - + case 'f': /* "from" */ iamremote = 1; rcmd_stream_init_normal(); @@ -241,7 +241,7 @@ int main(argc, argv) (void) response(); source(--argc, ++argv); exit(errs); - + case 't': /* "to" */ iamremote = 1; rcmd_stream_init_normal(); @@ -252,13 +252,13 @@ int main(argc, argv) sink(--argc, ++argv); exit(errs); - + default: usage(); } next_arg: ; } - + if (argc < 2) usage(); if (argc > 2) @@ -272,7 +272,7 @@ int main(argc, argv) #else sp = getservbyname("shell", "tcp"); #endif /* KERBEROS */ - + if (sp == NULL) { #ifdef KERBEROS fprintf(stderr, "rcp: kshell/tcp: unknown service\n"); @@ -289,7 +289,7 @@ int main(argc, argv) if (asprintf(&cmd, "%srcp %s%s%s%s%s%s%s%s%s", encryptflag ? "-x " : "", - iamrecursive ? " -r" : "", pflag ? " -p" : "", + iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : "", krb_realm != NULL ? " -k " : "", krb_realm != NULL ? krb_realm : "", @@ -303,10 +303,10 @@ int main(argc, argv) #else /* !KERBEROS */ (void) snprintf(cmd, sizeof(cmdbuf), "rcp%s%s%s", - iamrecursive ? " -r" : "", pflag ? " -p" : "", + iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); #endif /* KERBEROS */ - + #ifdef POSIX_SIGNALS (void) sigemptyset(&sa.sa_mask); sa.sa_flags = 0; @@ -316,19 +316,19 @@ int main(argc, argv) (void) signal(SIGPIPE, lostconn); #endif targ = colon(argv[argc - 1]); - + /* Check if target machine is the current machine. */ - + gethostname(curhost, sizeof(curhost)); if (targ) { /* ... to remote */ *targ++ = 0; if (hosteq(argv[argc - 1], curhost)) { - + /* If so, pretend there wasn't even one given * check for an argument of just "host:", it * should become "." */ - + if (*targ == 0) { targ = "."; argv[argc - 1] = targ; @@ -407,7 +407,7 @@ int main(argc, argv) 0, "host", krb_realm, - &cred, + &cred, 0, /* No seq # */ 0, /* No server seq # */ (struct sockaddr_in *) 0, @@ -469,9 +469,9 @@ int main(argc, argv) if (src) { *src++ = 0; if (hosteq(argv[i], curhost)) { - + /* If so, pretend src machine never given */ - + if (*src == 0) { error("rcp: no path given in arg: %s:\n", argv[i]); @@ -518,7 +518,7 @@ int main(argc, argv) 0, "host", krb_realm, - &cred, + &cred, 0, /* No seq # */ 0, /* No server seq # */ (struct sockaddr_in *) 0, @@ -553,8 +553,8 @@ int main(argc, argv) rcmd_stream_init_krb5(key, encryptflag, 0, 1, kcmd_proto); } - rem = sock; - + rem = sock; + euid = geteuid(); if (euid == 0) { if (setuid(0)) { @@ -611,7 +611,7 @@ void verifydir(cp) char *cp; { struct stat stb; - + if (stat(cp, &stb) >= 0) { if ((stb.st_mode & S_IFMT) == S_IFDIR) return; @@ -626,7 +626,7 @@ void verifydir(cp) char *colon(cp) char *cp; { - + while (*cp) { if (*cp == ':') return (cp); @@ -644,7 +644,7 @@ int okname(cp0) { register char *cp = cp0; register int c; - + do { c = *cp; if (c & 0200) @@ -671,7 +671,7 @@ int susystem(s) #else register krb5_sigtype (bsd_context, *istat)(), (*qstat)(); #endif - + if ((pid = vfork()) == 0) { execl("/bin/sh", "sh", "-c", s, (char *)0); _exit(127); @@ -687,7 +687,7 @@ int susystem(s) istat = signal(SIGINT, SIG_IGN); qstat = signal(SIGQUIT, SIG_IGN); #endif - + #ifdef HAVE_WAITPID w = waitpid(pid, &status, 0); #else @@ -699,11 +699,11 @@ int susystem(s) #ifdef POSIX_SIGNALS (void) sigaction(SIGINT, &isa, (struct sigaction *)0); (void) sigaction(SIGQUIT, &qsa, (struct sigaction *)0); -#else +#else (void) signal(SIGINT, istat); (void) signal(SIGQUIT, qstat); #endif - + return (status); } @@ -719,7 +719,7 @@ void source(argc, argv) unsigned int amt; off_t i; char buf[RCP_BUFSIZ]; - + for (x = 0; x < argc; x++) { name = argv[x]; if ((f = open(name, 0)) < 0) { @@ -729,10 +729,10 @@ void source(argc, argv) if (fstat(f, &stb) < 0) goto notreg; switch (stb.st_mode&S_IFMT) { - + case S_IFREG: break; - + case S_IFDIR: if (iamrecursive) { (void) close(f); @@ -814,7 +814,7 @@ void rsource(name, statp) #endif char buf[RCP_BUFSIZ]; char *bufv[1]; - + if (d == 0) { error("rcp: %s: %s\n", name, error_message(errno)); return; @@ -866,10 +866,10 @@ int response() if (rcmd_stream_read(rem, &resp, 1, 0) != 1) lostconn(0); switch (resp) { - + case 0: /* ok */ return (0); - + default: *cp++ = resp; /* fall into... */ @@ -947,7 +947,7 @@ void sink(argc, argv) #define atime tv[0] #define mtime tv[1] #define SCREWUP(str) { whopp = str; goto screwup; } - + if (!pflag) (void) umask(mask); if (argc != 1) { @@ -985,7 +985,7 @@ void sink(argc, argv) ga(); return; } - + #define getnum(t) (t) = 0; while (isdigit((int) *cp)) (t) = (t) * 10 + (*cp++ - '0'); if (*cp == 'T') { setimes++; @@ -1123,7 +1123,7 @@ void sink(argc, argv) if (utimes(nambuf, tv) < 0) error("rcp: can't set times on %s: %s\n", nambuf, error_message(errno)); - } + } if (wrerr) error("rcp: %s: %s\n", nambuf, error_message(errno)); else @@ -1142,7 +1142,7 @@ struct buffer *allocbuf(bp, fd, blksize) { struct stat stb; int size; - + if (fstat(fd, &stb) < 0) { error("rcp: fstat: %s\n", error_message(errno)); return (NULLBUF); @@ -1212,21 +1212,21 @@ int hosteq(h1, h2) { struct hostent *h_ptr; char hname1[256]; - + if (forcenet) return(0); /* get the official names for the two hosts */ - + if ((h_ptr = gethostbyname(h1)) == NULL) return(0); strncpy(hname1, h_ptr->h_name, sizeof (hname1)); hname1[sizeof (hname1) - 1] = '\0'; if ((h_ptr = gethostbyname(h2)) == NULL) return(0); - + /*return if they are equal (strcmp returns 0 for equal - I return 1) */ - + return(!strcmp(hname1, h_ptr->h_name)); } @@ -1259,7 +1259,7 @@ char **save_argv(argc, argv) char **argv; { register int i; - + char **local_argv = (char **)calloc((unsigned) argc+1, (unsigned) sizeof(char *)); /* allocate an extra pointer, so that it is initialized to NULL @@ -1292,7 +1292,7 @@ void krb5_ccache cc; krb5_error_code status; krb5_auth_context auth_context = NULL; - + if (config_file) { const char * filenames[2]; filenames[1] = NULL; @@ -1300,17 +1300,17 @@ void if ((status = krb5_set_config_files(bsd_context, filenames))) exit(1); } - + memset (&creds, 0, sizeof(creds)); if ((status = krb5_read_message(bsd_context, (krb5_pointer)&rem, &pname_data))) exit(1); - + if ((status = krb5_read_message(bsd_context, (krb5_pointer) &rem, &creds.second_ticket))) exit(1); - + if (ccache_file == NULL) { if ((status = krb5_cc_default(bsd_context, &cc))) exit(1); @@ -1328,7 +1328,7 @@ void krb5_free_data_contents(bsd_context, &pname_data); - if ((status = krb5_get_credentials(bsd_context, KRB5_GC_USER_USER, cc, + if ((status = krb5_get_credentials(bsd_context, KRB5_GC_USER_USER, cc, &creds, &new_creds))) exit(1); @@ -1336,16 +1336,16 @@ void AP_OPTS_USE_SESSION_KEY, NULL, new_creds, &msg))) exit(1); - + if ((status = krb5_write_message(bsd_context, (krb5_pointer) &rem, &msg))) { krb5_free_data_contents(bsd_context, &msg); exit(1); } - + rcmd_stream_init_krb5(&new_creds->keyblock, encryptflag, 0, 0, KCMD_OLD_PROTOCOL); - + /* cleanup */ krb5_free_cred_contents(bsd_context, &creds); krb5_free_creds(bsd_context, new_creds); diff --git a/src/appl/bsd/krlogin.c b/src/appl/bsd/krlogin.c index 0272b44aa..0a00e37e3 100644 --- a/src/appl/bsd/krlogin.c +++ b/src/appl/bsd/krlogin.c @@ -21,14 +21,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -39,7 +39,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -53,11 +53,11 @@ char copyright[] = /* based on @(#)rlogin.c 5.12 (Berkeley) 9/19/88 */ - + /* * rlogin - remote login */ - + #ifdef HAVE_UNISTD_H #include #endif @@ -86,7 +86,7 @@ char copyright[] = #include #include #include - + #ifdef HAVE_SYS_FILIO_H /* Solaris needs for FIONREAD */ #include @@ -158,7 +158,7 @@ char copyright[] = #include #include #include "defines.h" - + #define RLOGIN_BUFSIZ 5120 void try_normal(); @@ -319,7 +319,7 @@ struct winsize *wp; if ((error = ioctl(0, TIOCGSIZE, &ts)) != 0) return (error); #endif - + wp->ws_row = ts.ts_lines; wp->ws_col = ts.ts_cols; wp->ws_xpixel = 0; @@ -535,12 +535,12 @@ main(argc, argv) #ifdef KERBEROS /* * if there is an entry in /etc/services for Kerberos login, - * attempt to login with Kerberos. + * attempt to login with Kerberos. * If we fail at any step, use the standard rlogin */ if (encrypt_flag) sp = getservbyname("eklogin","tcp"); - else + else sp = getservbyname("klogin","tcp"); if (sp == 0) { sp = &defaultservent; /* ANL */ @@ -590,7 +590,7 @@ main(argc, argv) } #endif (void) get_window_size(0, &winsize); - + #ifdef POSIX_TERMIOS tcgetattr(0, &defmodes); tcgetattr(0, &ixon_state); @@ -610,7 +610,7 @@ main(argc, argv) sa.sa_flags = 0; sa.sa_handler = lostpeer; (void) sigaction(SIGPIPE, &sa, (struct sigaction *)0); - + (void) sigemptyset(&urgmask); (void) sigaddset(&urgmask, SIGUSR1); oldmask = &omask; @@ -667,9 +667,9 @@ main(argc, argv) rcmd_stream_init_krb5(key, encrypt_flag, 1, 1, kcmd_proto); } - + rem = sock; - + #else rem = rcmd(&host, port, null_local_username ? "" : pwd->pw_name, @@ -678,7 +678,7 @@ main(argc, argv) if (rem < 0) exit(1); - + if (options & SO_DEBUG && setsockopt(rem, SOL_SOCKET, SO_DEBUG, (char*)&on, sizeof (on)) < 0) perror("rlogin: setsockopt (SO_DEBUG)"); @@ -711,12 +711,12 @@ static int confirm_death () char input; int answer; if (!confirm) return (1); /* no confirm, just die */ - + if (gethostname (hostname, sizeof(hostname)-1) != 0) strlcpy (hostname, "???", sizeof(hostname)); else hostname[sizeof(hostname)-1] = '\0'; - + fprintf (stderr, "\r\nKill session on %s from %s (y/n)? ", host, hostname); fflush (stderr); @@ -800,7 +800,7 @@ static void doit(oldmask) #else struct sgttyb sb; #endif - + (void) ioctl(0, TIOCGETP, (char *)&sb); defflags = sb.sg_flags; #ifdef USE_TERMIO @@ -857,13 +857,13 @@ static void doit(oldmask) prf("\007Connection closed."); exit(3); } - + #ifdef POSIX_SIGNALS /* "sa" has already been initialized above. */ sa.sa_handler = writeroob; (void) sigaction(SIGUSR1, &sa, (struct sigaction *)0); - + sigprocmask(SIG_SETMASK, oldmask, (sigset_t*)0); sa.sa_handler = catchild; @@ -893,7 +893,7 @@ setsignal(sig, act) #ifdef POSIX_SIGNALS sigset_t omask, igmask; struct sigaction sa; - + sigemptyset(&igmask); sigaddset(&igmask, sig); sigprocmask(SIG_BLOCK, &igmask, &omask); @@ -904,7 +904,7 @@ setsignal(sig, act) int omask = sigblock(sigmask(sig)); #endif #endif /* POSIX_SIGNALS */ - + #ifdef POSIX_SIGNALS (void) sigaction(sig, (struct sigaction *)0, &sa); if (sa.sa_handler != SIG_IGN) { @@ -914,7 +914,7 @@ setsignal(sig, act) (void) sigaction(sig, &sa, (struct sigaction *)0); } sigprocmask(SIG_SETMASK, &omask, (sigset_t*)0); -#else +#else if (signal(sig, act) == SIG_IGN) (void) signal(sig, SIG_IGN); #ifndef sgi @@ -935,7 +935,7 @@ done(status) #ifndef HAVE_WAITPID pid_t w; #endif - + mode(0); if (child > 0) { /* make sure catchild does not snap it up */ @@ -947,7 +947,7 @@ done(status) #else (void) signal(SIGCHLD, SIG_DFL); #endif - + if (kill(child, SIGKILL) >= 0) { #ifdef HAVE_WAITPID (void) waitpid(child, 0, 0); @@ -976,7 +976,7 @@ int signo; #ifdef POSIX_SIGNALS struct sigaction sa; #endif - + if (dosigwinch == 0) { sendwindow(); #ifdef POSIX_SIGNALS @@ -1003,7 +1003,7 @@ int signo; union wait status; #endif int pid; - + again: #ifdef HAVE_WAITPID pid = waitpid(-1, &status, WNOHANG|WUNTRACED); @@ -1041,10 +1041,10 @@ static void writer() was encountered */ char c; -#ifdef ultrix +#ifdef ultrix fd_set waitread; register n; - + /* we need to wait until the reader() has set up the terminal, else the read() below may block and not unblock when the terminal state is reset. @@ -1067,11 +1067,11 @@ static void writer() /* This loop works as follows. Call read_wrapper to get data until we would block or until we read a cmdchar at the beginning of a line. - If got_esc is false, we just send everything we got back. If got_esc - is true, we send everything except the cmdchar at the end and look at + If got_esc is false, we just send everything we got back. If got_esc + is true, we send everything except the cmdchar at the end and look at the next char. If its a "." we break out of the loop and terminate. If its ^Z or ^Y we call stop with the value of the char and continue. - If its none of those, we send the cmdchar and then send the char we + If its none of those, we send the cmdchar and then send the char we just read, unless that char is also the cmdchar (in which case we are only supposed to send one of them). When this loop ends, so does the program. @@ -1081,12 +1081,12 @@ static void writer() /* read until we would block or we get a cmdchar */ n_read = read_wrapper(0,buf,sizeof(buf),&got_esc); - + /* if read returns an error or 0 bytes, just quit */ if (n_read <= 0) { break; } - + if (!got_esc) { if (rcmd_stream_write(rem, buf, (unsigned) n_read, 0) == 0) { prf("line gone"); @@ -1108,22 +1108,22 @@ static void writer() } #ifdef POSIX_TERMIOS - if (c == '.' || c == deftty.c_cc[VEOF]) + if (c == '.' || c == deftty.c_cc[VEOF]) #else - if (c == '.' || c == deftc.t_eofc) + if (c == '.' || c == deftc.t_eofc) #endif { if (confirm_death()) { echo(c); - break; + break; } } #ifdef POSIX_TERMIOS if ( ( - (c == deftty.c_cc[VSUSP]) + (c == deftty.c_cc[VSUSP]) #ifdef VDSUSP - || (c == deftty.c_cc[VDSUSP]) + || (c == deftty.c_cc[VDSUSP]) #endif ) && !no_local_escape) { @@ -1142,7 +1142,7 @@ static void writer() #endif /*TIOCGLTC*/ #endif - + if (c != cmdchar) { rcmd_stream_write(rem, &cmdchar, 1, 0); } @@ -1160,15 +1160,15 @@ static void writer() copy more than size bytes. In addition, if it encounters a cmdchar at the beginning of a line, it will copy everything up to and including the cmdchar, but nothing after that. In this instance *esc_char is set - to true and any remaining data is buffered and copied on a subsequent + to true and any remaining data is buffered and copied on a subsequent call. Otherwise, *esc_char will be set to false and the minimum of size, 1024, and the number of bytes that can be read without blocking will - be copied. In all cases, a non-negative return value indicates the number + be copied. In all cases, a non-negative return value indicates the number of bytes actually copied and a return value of -1 indicates that there - was a read error (other than EINTR) and errno is set appropriately. + was a read error (other than EINTR) and errno is set appropriately. */ -static int read_wrapper(fd,buf,size,got_esc) +static int read_wrapper(fd,buf,size,got_esc) int fd; char *buf; int size; @@ -1201,7 +1201,7 @@ static int read_wrapper(fd,buf,size,got_esc) */ while (data_start+return_length < data_end && return_length < size) { - + c = *(data_start+return_length); return_length++; @@ -1215,14 +1215,14 @@ static int read_wrapper(fd,buf,size,got_esc) bol = (c == deftty.c_cc[VKILL] || c == deftty.c_cc[VINTR] || c == '\r' || c == '\n'); - + #else /* !POSIX_TERMIOS */ bol = c == defkill || c == deftc.t_eofc || c == deftc.t_intrc || c == defltc.t_suspc || c == '\r' || c == '\n'; #endif } - + memcpy(buf, data_start, return_length); data_start = data_start + return_length; return return_length; @@ -1233,7 +1233,7 @@ static void echo(c) { char buf[8]; register char *p = buf; - + c &= 0177; *p++ = cmdchar; if (c < ' ') { @@ -1257,7 +1257,7 @@ static void stop(cmdc) #ifdef POSIX_SIGNALS struct sigaction sa; #endif - + mode(0); #ifdef POSIX_SIGNALS @@ -1268,7 +1268,7 @@ static void stop(cmdc) #else (void) signal(SIGCHLD, SIG_IGN); #endif - + #ifdef POSIX_TERMIOS (void) kill(cmdc == deftty.c_cc[VSUSP] ? 0 : getpid(), SIGTSTP); #else @@ -1282,7 +1282,7 @@ static void stop(cmdc) #else (void) signal(SIGCHLD, catchild); #endif - + mode(1); sigwinch(SIGWINCH); /* check for size changes */ } @@ -1294,7 +1294,7 @@ krb5_sigtype int signo; { struct winsize ws; - + if (dosigwinch && get_window_size(0, &ws) == 0 && memcmp(&winsize, &ws, sizeof (ws))) { winsize = ws; @@ -1311,7 +1311,7 @@ static void sendwindow() { char obuf[4 + sizeof (struct winsize)]; struct winsize *wp = (struct winsize *)(void *)(obuf+4); - + obuf[0] = 0377; obuf[1] = 0377; obuf[2] = 's'; @@ -1424,7 +1424,7 @@ void oob() int atmark, n; mark = 0; - + recv(rem, &mark, 1, MSG_OOB); if (server_message(mark)) { @@ -1445,7 +1445,7 @@ void oob() /* two control messages are defined: a double flag byte of 'o' indicates a one-byte message which is - identical to what was once carried out of band. + identical to what was once carried out of band. a double flag byte of 'q' indicates a zero-byte message. This message is interpreted as two \377 data bytes. This is just a @@ -1471,9 +1471,9 @@ static int control(cp, n) } /* - * reader: read from remote: line -> 1 + * reader: read from remote: line -> 1 */ -static int +static int reader(oldmask) #ifdef POSIX_SIGNALS sigset_t *oldmask; @@ -1495,10 +1495,10 @@ reader(oldmask) sa.sa_handler = SIG_IGN; (void) sigaction(SIGTTOU, &sa, (struct sigaction *)0); -#else +#else (void) signal(SIGTTOU, SIG_IGN); #endif - + ppid = getppid(); FD_ZERO(&readset); FD_ZERO(&excset); @@ -1606,7 +1606,7 @@ int f; /* there's a POSIX way of doing this, but do we need it general? */ newtty.c_cc[VLNEXT] = _POSIX_VDISABLE; #endif - + newtty.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN); newtty.c_iflag &= ~(ISTRIP|INLCR|ICRNL); @@ -1648,10 +1648,10 @@ int f; int lflags; (void) ioctl(0, TIOCLGET, (char *)&lflags); #endif - + (void) ioctl(0, TIOCGETP, (char *)&sb); switch (f) { - + case 0: #ifdef USE_TERMIO /* @@ -1674,7 +1674,7 @@ int f; #endif ltc = &defltc; break; - + case 1: #ifdef USE_TERMIO /* @@ -1722,10 +1722,10 @@ int f; tc = ¬c; sb.sg_flags &= ~defflags; #endif /* USE_TERMIO */ - + ltc = &noltc; break; - + default: return; } @@ -1758,7 +1758,7 @@ void try_normal(argv) #ifdef POSIX_SIGNALS sigset_t mask; #endif - + #ifndef KRB5_ATHENA_COMPAT if (encrypt_flag) exit(1); @@ -1766,7 +1766,7 @@ void try_normal(argv) fprintf(stderr,"trying normal rlogin (%s)\n", UCB_RLOGIN); fflush(stderr); - + nhost = strrchr(argv[0], '/'); if (nhost) nhost++; @@ -1774,7 +1774,7 @@ void try_normal(argv) nhost = argv[0]; if (!strcmp(nhost, "rlogin") || !strcmp(nhost, "rsh")) argv[0] = UCB_RLOGIN; - + #ifdef POSIX_SIGNALS sigemptyset(&mask); sigprocmask(SIG_SETMASK, &mask, NULL); @@ -1801,7 +1801,7 @@ krb5_sigtype lostpeer(signo) #else (void) signal(SIGPIPE, SIG_IGN); #endif - + prf("\007Connection closed."); done(1); } diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index 09aeaad21..cc7acad64 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -21,14 +21,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -39,7 +39,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -52,7 +52,7 @@ char copyright[] = #endif /* not lint */ /* based on @(#)rlogind.c 5.17 (Berkeley) 8/31/88 */ - + /* * remote login server: * remuser\0 @@ -60,45 +60,45 @@ char copyright[] = * terminal info\0 * data */ - + /* - * This is the rlogin daemon. The very basic protocol for checking + * This is the rlogin daemon. The very basic protocol for checking * authentication and authorization is: * 1) Check authentication. - * 2) Check authorization via the access-control files: + * 2) Check authorization via the access-control files: * ~/.k5login (using krb5_kuserok) and/or * 3) Prompt for password if any checks fail, or if so configured. - * Allow login if all goes well either by calling the accompanying - * login.krb5 or /bin/login, according to the definition of + * Allow login if all goes well either by calling the accompanying + * login.krb5 or /bin/login, according to the definition of * DO_NOT_USE_K_LOGIN.l - * - * The configuration is done either by command-line arguments passed by + * + * The configuration is done either by command-line arguments passed by * inetd, or by the name of the daemon. If command-line arguments are * present, they take priority. The options are: * -k means trust krb5 * -p and -P means prompt for password. - * If the -P option is passed, then the password is verified in + * If the -P option is passed, then the password is verified in * addition to all other checks. If -p is not passed with -k or -r, * and both checks fail, then login permission is denied. * - -e means use encryption. * - * If no command-line arguments are present, then the presence of the - * letters kKrRexpP in the program-name before "logind" determine the + * If no command-line arguments are present, then the presence of the + * letters kKrRexpP in the program-name before "logind" determine the * behaviour of the program exactly as with the command-line arguments. * * If the ruserok check is to be used, then the client should connect * from a privileged port, else deny permission. - */ - + */ + /* DEFINES: * KERBEROS - Define this if application is to be kerberised. * CRYPT - Define this if encryption is to be an option. * DO_NOT_USE_K_LOGIN - Define this if you want to use /bin/login - * instead of the accompanying login.krb5. + * instead of the accompanying login.krb5. * LOG_ALL_LOGINS - Define this if you want to log all logins. * LOG_OTHER_USERS - Define this if you want to log all principals * that do not map onto the local user. - * LOG_REMOTE_REALM - Define this if you want to log all principals from + * LOG_REMOTE_REALM - Define this if you want to log all principals from * remote realms. * Note: Root logins are always logged. */ @@ -139,14 +139,14 @@ char copyright[] = #include #include #include - + #ifdef HAVE_SYS_LABEL_H /* only SunOS 4? */ #include #include #include #endif - + #include #if defined(hpux) || defined(__hpux) @@ -219,7 +219,7 @@ struct winsize { unsigned short ws_xpixel, ws_ypixel; }; #endif /* NO_WINSIZE */ - + #ifndef roundup #define roundup(x,y) ((((x)+(y)-1)/(y))*(y)) #endif @@ -227,7 +227,7 @@ struct winsize { #include "fake-addrinfo.h" #ifdef KERBEROS - + #include "k5-int.h" #include #ifdef HAVE_UTMP_H @@ -240,7 +240,7 @@ int non_privileged = 0; /* set when connection is seen to be from */ #include "com_err.h" #include "defines.h" - + #define SECURE_MESSAGE "This rlogin session is encrypting all data transmissions.\r\n" krb5_authenticator *kdata; @@ -338,21 +338,21 @@ int main(argc, argv) #ifdef KERBEROS krb5_error_code status; #endif - + progname = *argv; - + pty_init(); - + #ifndef LOG_NDELAY #define LOG_NDELAY 0 #endif - + #ifndef LOG_AUTH /* 4.2 syslog */ openlog(progname, LOG_PID | LOG_NDELAY); #else openlog(progname, LOG_PID | LOG_NDELAY, LOG_AUTH); #endif /* 4.2 syslog */ - + #ifdef KERBEROS status = krb5_init_context(&bsd_context); if (status) { @@ -361,7 +361,7 @@ int main(argc, argv) exit(1); } #endif - + /* Analyse parameters. */ opterr = 0; while ((ch = getopt(argc, argv, ARGSTR)) != -1) @@ -369,7 +369,7 @@ int main(argc, argv) #ifdef KERBEROS case 'k': break; - + case '5': break; case 'c': @@ -378,7 +378,7 @@ int main(argc, argv) case 'i': checksum_ignored = 1; break; - + #ifdef CRYPT case 'x': /* Use encryption. */ case 'X': @@ -442,7 +442,7 @@ int main(argc, argv) } argc -= optind; argv += optind; - + fromlen = sizeof (from); if (debug_port || do_fork) { @@ -582,10 +582,10 @@ void doit(f, fromp) syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation."); fatal(f, "Configuration error: mutually exclusive options specified"); } - + alarm(60); read(f, &c, 1); - + if (c != 0){ exit(1); } @@ -594,7 +594,7 @@ void doit(f, fromp) /* Initialize syncpipe */ if (pipe( syncpipe ) < 0 ) fatalperror ( f , ""); - + #ifdef POSIX_SIGNALS /* Initialize "sa" structure. */ @@ -608,7 +608,7 @@ void doit(f, fromp) fatal(f, gai_strerror(retval)); strncpy(rhost_addra, hname, sizeof(rhost_addra)); rhost_addra[sizeof (rhost_addra) -1] = '\0'; - + retval = getnameinfo(fromp, socklen(fromp), hname, sizeof(hname), 0, 0, 0); if (retval) fatal(f, gai_strerror(retval)); @@ -620,16 +620,16 @@ void doit(f, fromp) /* Not a real problem, we just haven't bothered to update the port number checking code to handle ipv6. */ fatal(f, "Permission denied - Malformed from address\n"); - + if (fromp->sin_port >= IPPORT_RESERVED || fromp->sin_port < IPPORT_RESERVED/2) fatal(f, "Permission denied - Connection from bad port"); #endif /* KERBEROS */ - + /* Set global netf to f now : we may need to drop everything in do_krb_login. */ netf = f; - + #if defined(KERBEROS) /* All validation, and authorization goes through do_krb_login() */ do_krb_login(rhost_addra, rhost_name); @@ -639,18 +639,18 @@ void doit(f, fromp) getstr(f, term, sizeof(term), "Terminal type"); rcmd_stream_init_normal(); #endif - + write(f, "", 1); if ((retval = pty_getpty(&p,line, sizeof(line)))) { com_err(progname, retval, "while getting master pty"); exit(2); } - + Pfd = p; #ifdef TIOCSWINSZ (void) ioctl(p, TIOCSWINSZ, &win); #endif - + #ifdef POSIX_SIGNALS sa.sa_handler = cleanup; (void) sigaction(SIGCHLD, &sa, (struct sigaction *)0); @@ -672,7 +672,7 @@ void doit(f, fromp) fatal(f, error_message(retval)); exit(1); } - + #if defined(POSIX_TERMIOS) && !defined(ultrix) tcgetattr(t,&new_termio); @@ -697,7 +697,7 @@ void doit(f, fromp) #endif /* POSIX_TERMIOS */ pid = 0; /*reset pid incase exec fails*/ - + /* ** signal the parent that we have turned off echo ** on the slave side of the pty ... he's waiting @@ -709,16 +709,16 @@ void doit(f, fromp) (void) write(syncpipe[1], &c, 1); (void) close(syncpipe[1]); (void) close(syncpipe[0]); - + close(f), close(p); dup2(t, 0), dup2(t, 1), dup2(t, 2); if (t > 2) close(t); - + #if defined(sysvimp) setcompat (COMPAT_CLRPGROUP | (getcompat() & ~COMPAT_BSDTTY)); #endif - + /* Log access to account */ pwd = (struct passwd *) getpwnam(lusername); if (pwd && (pwd->pw_uid == 0)) { @@ -727,7 +727,7 @@ void doit(f, fromp) krusername ? krusername : "", rusername, rhost_addra, rhost_name); else - syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s))", + syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s))", krusername ? krusername : "", rusername, rhost_addra, rhost_name); } @@ -736,8 +736,8 @@ void doit(f, fromp) /* Log if principal is from a remote realm */ else if (client && !default_realm(client)) #endif /* LOG_REMOTE_REALM */ - -#if defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) + +#if defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) /* Log if principal name does not map to local username */ else if (client && !princ_maps_to_lname(client, lusername)) #endif /* LOG_OTHER_USERS */ @@ -753,11 +753,11 @@ void doit(f, fromp) "login by %s (%s@%s (%s)) as %s forcing password access", krusername ? krusername : "", rusername, rhost_addra, rhost_name, lusername); - else + else syslog(LOG_NOTICE, "login by %s (%s@%s (%s)) as %s", krusername ? krusername : "", rusername, - rhost_addra, rhost_name, lusername); + rhost_addra, rhost_name, lusername); } #endif /* LOG_REMOTE_REALM || LOG_OTHER_USERS || LOG_ALL_LOGINS */ #endif /* KERBEROS */ @@ -771,8 +771,8 @@ void doit(f, fromp) #endif #ifdef USE_LOGIN_F -/* use the vendors login, which has -p and -f. Tested on - * AIX 4.1.4 and HPUX 10 +/* use the vendors login, which has -p and -f. Tested on + * AIX 4.1.4 and HPUX 10 */ { char *cp; @@ -807,7 +807,7 @@ void doit(f, fromp) ** turning off echo on the slave side ... ** The master blocks here until it reads a byte. */ - + (void) close(syncpipe[1]); if (read(syncpipe[0], &c, 1) != 1) { /* @@ -818,8 +818,8 @@ void doit(f, fromp) } close(syncpipe[0]); - -#if defined(KERBEROS) + +#if defined(KERBEROS) if (do_encrypt) { if (rcmd_stream_write(f, SECURE_MESSAGE, sizeof(SECURE_MESSAGE), 0) < 0){ snprintf(buferror, sizeof(buferror), @@ -827,7 +827,7 @@ void doit(f, fromp) fatal(p,buferror); } } - else + else /* * if encrypting, don't turn on NBIO, else the read/write routines * will fail to work properly @@ -846,7 +846,7 @@ void doit(f, fromp) signal(SIGTSTP, SIG_IGN); #endif - + #if !defined(USE_LOGIN_F) /* Pass down rusername and lusername to login. */ (void) write(p, rusername, strlen(rusername) +1); @@ -877,7 +877,7 @@ unsigned char oobdata[] = {TIOCPKT_WINDOW}; char oobdata[] = {0}; #endif -static +static void sendoob(fd, byte) int fd; char *byte; @@ -915,7 +915,7 @@ static int control(pty, cp, n) { struct winsize w; int pgrp, got_pgrp; - + if (n < (int) 4+sizeof (w) || cp[2] != 's' || cp[3] != 's') return (0); #ifdef TIOCSWINSZ @@ -956,11 +956,11 @@ void protocol(f, p) register int tiocpkt_on = 0; int on = 1; #endif - + #if defined(TIOCPKT) && !(defined(__svr4__) || defined(HAVE_STREAMS)) \ || defined(solaris20) /* if system has TIOCPKT, try to turn it on. Some drivers - * may not support it. Save flag for later. + * may not support it. Save flag for later. */ if ( ioctl(p, TIOCPKT, &on) < 0) tiocpkt_on = 0; @@ -1016,11 +1016,11 @@ void protocol(f, p) register unsigned char *cp; int n; size_t left; - + if (fcc <= 0) break; fbp = fibuf; - + for (cp = fibuf; cp < fibuf+fcc-1; cp++) { if (cp[0] == magic[0] && cp[1] == magic[1]) { @@ -1037,7 +1037,7 @@ void protocol(f, p) } } } - + if (FD_ISSET(p, &obits) && fcc > 0) { cc = write(p, fbp, fcc); if (cc > 0) { @@ -1045,7 +1045,7 @@ void protocol(f, p) fbp += cc; } } - + if (FD_ISSET(p, &ibits)) { pcc = read(p, pibuf, sizeof (pibuf)); pbp = pibuf; @@ -1134,7 +1134,7 @@ void fatal(f, msg) #ifdef POSIX_SIGNALS struct sigaction sa; #endif - + buf[0] = '\01'; /* error indicator */ (void) snprintf(buf + 1, sizeof(buf) - 1, "%s: %s.\r\n", progname, msg); if ((f == netf) && (pid > 0)) @@ -1169,7 +1169,7 @@ void fatalperror(f, msg) const char *msg; { char buf[512]; - + (void) snprintf(buf, sizeof(buf), "%s: %s", msg, error_message(errno)); fatal(f, buf); } @@ -1199,10 +1199,10 @@ do_krb_login(host_addr, hostname) fatal(netf, "Kerberos authentication failed"); return; } - + /* OK we have authenticated this user - now check authorization. */ /* The Kerberos authenticated programs must use krb5_kuserok or kuserok*/ - + /* krb5_kuserok returns 1 if OK */ if (!client || !krb5_kuserok(bsd_context, client, lusername)) { if (asprintf(&msg_fail, @@ -1216,7 +1216,7 @@ do_krb_login(host_addr, hostname) if (checksum_required && !valid_checksum) { syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected."); - + fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized."); } } @@ -1231,9 +1231,9 @@ void getstr(fd, buf, cnt, err) int cnt; char *err; { - + char c; - + do { if (read(fd, &c, 1) != 1) { exit(1); @@ -1251,10 +1251,10 @@ void getstr(fd, buf, cnt, err) void usage() { #ifdef KERBEROS - syslog(LOG_ERR, + syslog(LOG_ERR, "usage: klogind [-ePf] [-D port] [-w[ip|maxhostlen[,[no]striplocal]]] or [r/R][k/K][x/e][p/P]logind"); #else - syslog(LOG_ERR, + syslog(LOG_ERR, "usage: rlogind [-rPf] [-D port] or [r/R][p/P]logind"); #endif } @@ -1290,7 +1290,7 @@ recvauth(valid_checksum) if (getsockname(netf, (struct sockaddr *)&laddr, &len)) { exit(1); } - + len = sizeof(peersin); if (getpeername(netf, (struct sockaddr *)&peersin, &len)) { syslog(LOG_ERR, "get peer name failed %d", netf); @@ -1299,7 +1299,7 @@ recvauth(valid_checksum) if ((status = krb5_auth_con_init(bsd_context, &auth_context))) return status; - + /* Only need remote address for rd_cred() to verify client */ if ((status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf, KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR))) @@ -1387,7 +1387,7 @@ recvauth(valid_checksum) krb5_free_authenticator(bsd_context, authenticator); } - if ((status = krb5_copy_principal(bsd_context, ticket->enc_part2->client, + if ((status = krb5_copy_principal(bsd_context, ticket->enc_part2->client, &client))) return status; @@ -1415,12 +1415,12 @@ recvauth(valid_checksum) if ((status = krb5_unparse_name(bsd_context, client, &krusername))) return status; - + if ((status = krb5_read_message(bsd_context, (krb5_pointer)&netf, &inbuf))) fatal(netf, "Error reading message"); if ((inbuf.length) && /* Forwarding being done, read creds */ - (status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf, + (status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf, ticket, &ccache))) { fatal(netf, "Can't get forwarded credentials"); } diff --git a/src/appl/bsd/krsh.c b/src/appl/bsd/krsh.c index 1999bb5e1..028d3dd62 100644 --- a/src/appl/bsd/krsh.c +++ b/src/appl/bsd/krsh.c @@ -73,7 +73,7 @@ char copyright[] = #define SECURE_MESSAGE "This rsh session is encrypting input/output data transmissions.\r\n" int error(); - + int options; int rfd2; int nflag; @@ -104,11 +104,11 @@ void try_normal(char **); #define RLOGIN_PROGRAM UCB_RLOGIN #endif /* KERBEROS */ #endif /* !RLOGIN_PROGRAM */ - + #ifndef POSIX_SIGNALS #define mask(s) (1 << ((s) - 1)) #endif /* POSIX_SIGNALS */ - + int main(argc, argv0) int argc; @@ -142,12 +142,12 @@ main(argc, argv0) memset(&defaultservent, 0, sizeof(struct servent)); if (strrchr(argv[0], '/')) - argv[0] = strrchr(argv[0], '/')+1; + argv[0] = strrchr(argv[0], '/')+1; if ( argc < 2 ) goto usage; argc--; argv++; - + another: if (argc > 0 && host == 0 && strncmp(*argv, "-", 1)) { host = *argv; @@ -316,14 +316,14 @@ main(argc, argv0) if(debug_port == 0) { #ifdef KERBEROS sp = getservbyname("kshell", "tcp"); -#else +#else sp = getservbyname("shell", "tcp"); #endif /* KERBEROS */ if (sp == 0) { #ifdef KERBEROS sp = &defaultservent; sp->s_port = htons(544); -#else +#else fprintf(stderr, "rsh: shell/tcp: unknown service\n"); exit(1); #endif /* KERBEROS */ @@ -345,7 +345,7 @@ main(argc, argv0) if (fflag || Fflag) authopts |= OPTS_FORWARD_CREDS; if (Fflag) - authopts |= OPTS_FORWARDABLE_CREDS; + authopts |= OPTS_FORWARDABLE_CREDS; #ifdef HAVE_ISATTY suppress = !isatty(fileno(stderr)); #endif @@ -391,7 +391,7 @@ main(argc, argv0) write(2,SECURE_MESSAGE, strlen(SECURE_MESSAGE)); } #endif - + #else /* !KERBEROS */ rem = rcmd(&host, debug_port, pwd->pw_name, user ? user : pwd->pw_name, args, &rfd2); @@ -461,7 +461,7 @@ main(argc, argv0) char *bp; int wc; fd_set rembits; - + (void) close(rfd2); reread: errno = 0; @@ -493,7 +493,7 @@ main(argc, argv0) goto rewrite; done: (void) shutdown(rem, 1); -#ifdef KERBEROS +#ifdef KERBEROS krb5_free_context(bsd_context); #endif exit(0); @@ -538,7 +538,7 @@ main(argc, argv0) } while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom)); if (nflag == 0) (void) kill(pid, SIGKILL); -#ifdef KERBEROS +#ifdef KERBEROS krb5_free_context(bsd_context); #endif exit(0); @@ -565,7 +565,7 @@ void try_normal(argv) char **argv; { char *host; - + #ifndef KRB5_ATHENA_COMPAT if (encrypt_flag) exit(1); @@ -581,10 +581,10 @@ void try_normal(argv) host++; else host = argv[0]; - + if (!strcmp(host, "rsh")) argv++; - + fprintf(stderr,"trying normal rsh (%s)\n", UCB_RSH); fflush(stderr); diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 59a088ef1..d491e6e35 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -34,35 +34,35 @@ char copyright[] = * command\0 * data */ - + /* - * This is the rshell daemon. The very basic protocol for checking + * This is the rshell daemon. The very basic protocol for checking * authentication and authorization is: * 1) Check authentication. * 2) Check authorization via the access-control files: * ~/.k5login (using krb5_kuserok) - * Execute command if configured authoriztion checks pass, else deny + * Execute command if configured authoriztion checks pass, else deny * permission. */ - + /* DEFINES: * KERBEROS - Define this if application is to be kerberised. * LOG_ALL_LOGINS - Define this if you want to log all logins. * LOG_OTHER_USERS - Define this if you want to log all principals that do * not map onto the local user. - * LOG_REMOTE_REALM - Define this if you want to log all principals from + * LOG_REMOTE_REALM - Define this if you want to log all principals from * remote realms. * LOG_CMD - Define this if you want to log not only the user but also the * command executed. This only decides the type of information - * logged. Whether or not to log is still decided by the above + * logged. Whether or not to log is still decided by the above * three DEFINES. * Note: Root account access is always logged. */ - -#define SERVE_NON_KRB + +#define SERVE_NON_KRB #define LOG_REMOTE_REALM #define LOG_CMD - + #ifdef HAVE_UNISTD_H #include #endif @@ -86,10 +86,10 @@ char copyright[] = #ifdef HAVE_SYS_SELECT_H #include #endif - + #include #include - + #include #include #include @@ -98,7 +98,7 @@ char copyright[] = #include #include #include - + #ifdef HAVE_SYS_LABEL_H /* only SunOS 4? */ #include @@ -126,13 +126,13 @@ char copyright[] = #include #include #endif /* CRAY */ - + #include #ifdef POSIX_TERMIOS #include #endif - + #ifdef HAVE_SYS_FILIO_H /* get FIONBIO from sys/filio.h, so what if it is a compatibility feature */ #include @@ -194,12 +194,12 @@ static krb5_error_code recvauth(int netfd, struct sockaddr *peersin, #else /* !KERBEROS */ #define ARGSTR "RD:?" - + #endif /* KERBEROS */ static int accept_a_connection (int debug_port, struct sockaddr *from, socklen_t *fromlenp); - + #ifndef HAVE_KILLPG #define killpg(pid, sig) kill(-(pid), (sig)) #endif @@ -226,7 +226,7 @@ void error (char *fmt, ...) #endif ; -void usage(void), getstr(int, char *, int, char *), +void usage(void), getstr(int, char *, int, char *), doit(int, struct sockaddr *); #ifndef HAVE_INITGROUPS @@ -263,10 +263,10 @@ int main(argc, argv) #ifdef CRAY secflag = sysconf(_SC_CRAY_SECURE_SYS); #endif - + progname = strrchr (*argv, '/'); progname = progname ? progname + 1 : *argv; - + #ifndef LOG_ODELAY /* 4.2 syslog */ openlog(progname, LOG_PID); #else @@ -275,7 +275,7 @@ int main(argc, argv) #endif openlog(progname, LOG_PID | LOG_ODELAY, LOG_AUTH); #endif /* 4.2 syslog */ - + #ifdef KERBEROS status = krb5_init_context(&bsd_context); if (status) { @@ -284,7 +284,7 @@ int main(argc, argv) exit(1); } #endif - + /* Analyze parameters. */ opterr = 0; while ((ch = getopt(argc, argv, ARGSTR)) != -1) @@ -292,7 +292,7 @@ int main(argc, argv) #ifdef KERBEROS case 'k': break; - + case '5': break; case 'c': @@ -301,7 +301,7 @@ int main(argc, argv) case 'i': checksum_ignored = 1; break; - + case 'e': require_encrypt = 1; break; @@ -332,7 +332,7 @@ int main(argc, argv) if(!save_env[num_env++]) { com_err(progname, ENOMEM, "in saving environment"); exit(2); - } + } } else { fprintf(stderr, "%s: Only %d -L arguments allowed\n", progname, MAXENV); @@ -376,10 +376,10 @@ int main(argc, argv) usage(); exit(1); } - + argc -= optind; argv += optind; - + fromlen = sizeof (from); if (debug_port) @@ -454,16 +454,16 @@ char local_port[64+NI_MAXSERV]; /* = "KRB5LOCALPORT=" */ /* The following include extra space for TZ and MAXENV pointers... */ #define COMMONVARS homedir, shell, 0/*path*/, username, term #ifdef CRAY -char *envinit[] = +char *envinit[] = {COMMONVARS, "TZ=GMT0", tmpdir, SAVEENVPAD, KRBPAD, ADDRPAD, 0}; #define TMPDIRENV 6 char *getenv(); #else /* CRAY */ #ifdef KERBEROS -char *envinit[] = +char *envinit[] = {COMMONVARS, 0/*tz*/, SAVEENVPAD, KRBPAD, ADDRPAD, 0}; #else /* KERBEROS */ -char *envinit[] = +char *envinit[] = {COMMONVARS, 0/*tz*/, SAVEENVPAD, ADDRPAD, 0}; #endif /* KERBEROS */ #endif /* CRAY */ @@ -486,7 +486,7 @@ int maxlogs; #define NCARGS 1024 #endif -#define NMAX 16 +#define NMAX 16 int pid; char locuser[NMAX+1]; @@ -518,7 +518,7 @@ ignore_signals() signal(SIGTERM, SIG_IGN); signal(SIGPIPE, SIG_IGN); signal(SIGHUP, SIG_IGN); - + killpg(pid, SIGTERM); #endif } @@ -529,7 +529,7 @@ cleanup(signumber) { ignore_signals(); wait(0); - + pty_logwtmp(ttyn,"",""); syslog(LOG_INFO ,"Daemon terminated via signal %d.", signumber); if (ccache) @@ -569,7 +569,7 @@ void doit(f, fromp) int packet_level; /* Packet classification level */ long packet_compart; /* Packet compartments */ #endif /* CRAY */ - + int s = -1; char hostname[NI_MAXHOST]; char *sane_host; @@ -599,8 +599,8 @@ void doit(f, fromp) #endif #endif #endif /* IP_TOS */ - - { + + { socklen_t sin_len = sizeof (localaddr); if (getsockname(f, (struct sockaddr*)&localaddr, &sin_len) < 0) { perror("getsockname"); @@ -649,9 +649,9 @@ void doit(f, fromp) } } #endif /* KERBEROS */ - + #ifdef CRAY - + /* If this is a secure system then get the packet classification of f. ( Note IP_SECURITY is checked in get_packet_classification: if it's not set then the user's (root) default @@ -680,10 +680,10 @@ void doit(f, fromp) exit(1); } } - + } #endif /* CRAY */ - + (void) alarm(60); port = 0; for (;;) { @@ -772,7 +772,7 @@ void doit(f, fromp) getstr(f, cmdbuf, sizeof(cmdbuf), "command"); rcmd_stream_init_normal(); #endif /* KERBEROS */ - + #ifdef CRAY paddr = inet_addr(inet_ntoa(fromp->sin_addr)); if(secflag){ @@ -788,7 +788,7 @@ void doit(f, fromp) } } #endif /* CRAY */ - + pwd = getpwnam(locuser); if (pwd == (struct passwd *) 0 ) { syslog(LOG_ERR , @@ -798,9 +798,9 @@ void doit(f, fromp) error("Login incorrect.\n"); exit(1); } - + #ifdef CRAY - /* Setup job entry, and validate udb entry. + /* Setup job entry, and validate udb entry. ( against packet level also ) */ if ((jid = setjob(pwd->pw_uid, 0)) < 0) { error("Unable to create new job.\n"); @@ -836,7 +836,7 @@ void doit(f, fromp) } #ifndef NO_UDB (void)getsysudb(); - + if ((ue = getudbnam(pwd->pw_name)) == (struct udb *)NULL) { error("Unable to fetch account id.\n"); exit(1); @@ -883,7 +883,7 @@ void doit(f, fromp) open so close it here. */ #endif /* !NO_UDB */ #endif /*CRAY*/ - + /* Setup wtmp entry : we do it here so that if this is a CRAY the Process Id is correct and we have not lost our trusted privileges. */ @@ -898,13 +898,13 @@ void doit(f, fromp) else { pty_logwtmp(ttyn,locuser,sane_host); } - + #ifdef CRAY - + /* If we are a secure system then we need to get rid of our trusted facility, so that MAC on the chdir we work. Before we do this make an entry into wtmp, and any other audit recording. */ - + if (secflag) { if (getusrv(&usrv)){ syslog(LOG_ERR,"Cannot getusrv"); @@ -922,10 +922,10 @@ void doit(f, fromp) error("Permission denied.\n"); goto signout_please; } - + loglogin(sane_host, SLG_OKLOG, ue->ue_logfails,ue); - - /* Setup usrv structure with user udb info and + + /* Setup usrv structure with user udb info and packet_level and packet_compart. */ usrv.sv_actlvl = packet_level; usrv.sv_actcmp = packet_compart; /*Note get_packet_level sets @@ -938,7 +938,7 @@ void doit(f, fromp) usrv.sv_valcat = ue->ue_valcat; usrv.sv_savcmp = 0; usrv.sv_savlvl = 0; - + /* * Set user values to workstation boundaries */ @@ -948,12 +948,12 @@ void doit(f, fromp) #ifdef MAX #undef MAX #endif - + #define MIN(a,b) ((a) < (b) ? (a) : (b)) #define MAX(a,b) ((a) > (b) ? (a) : (b)) - + nal_error = 0; - + if (nal.na_sort) { if ((ue->ue_minlvl > nal.na_smax) || (ue->ue_maxlvl < nal.na_smin)) @@ -961,14 +961,14 @@ void doit(f, fromp) else { usrv.sv_minlvl=MAX(ue->ue_minlvl, nal.na_smin); usrv.sv_maxlvl=MIN(ue->ue_maxlvl, nal.na_smax); - + #ifndef IP_SECURITY if (usrv.sv_actlvl < usrv.sv_minlvl) usrv.sv_actlvl = usrv.sv_minlvl; if (usrv.sv_actlvl > usrv.sv_maxlvl) usrv.sv_actlvl = usrv.sv_maxlvl; - + #else /*IP_SECURITY*/ if (usrv.sv_actlvl < usrv.sv_minlvl) nal_error++; @@ -976,7 +976,7 @@ void doit(f, fromp) nal_error++; if (usrv.sv_actlvl != ue->ue_deflvl) nal_error++; - + usrv.sv_valcmp = ue->ue_comparts & nal.na_scmp; usrv.sv_actcmp &= nal.na_scmp; #endif /*IP_SECURITY*/ @@ -1016,7 +1016,7 @@ void doit(f, fromp) #undef MAX /* Before the setusrv is done then do a sethost for paddr */ sethost(paddr); - + if (setusrv(&usrv) == -1) { loglogin(sane_host, SLG_LVERR, ue->ue_logfails,ue); error("Permission denied.\n"); @@ -1026,10 +1026,10 @@ void doit(f, fromp) error("Getusrv Permission denied.\n"); goto signout_please; } - + } #endif /*CRAY*/ - + if (chdir(pwd->pw_dir) < 0) { if(chdir("/") < 0) { error("No remote directory.\n"); @@ -1066,17 +1066,17 @@ void doit(f, fromp) error("You must use encryption.\n"); goto signout_please; } - + if (pwd->pw_uid && !access(NOLOGIN, F_OK)) { error("Logins currently disabled.\n"); goto signout_please; } - + /* Log access to account */ pwd = (struct passwd *) getpwnam(locuser); if (pwd && (pwd->pw_uid == 0)) { #ifdef LOG_CMD - syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as ROOT", + syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as ROOT", cmdbuf, kremuser, remuser, hostaddra, hostname); #else syslog(LOG_NOTICE ,"Access as ROOT by principal %s (%s@%s (%s))", @@ -1087,20 +1087,20 @@ void doit(f, fromp) /* Log if principal is from a remote realm */ else if (client && !default_realm(client)) #endif - -#if defined(KERBEROS) && defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) + +#if defined(KERBEROS) && defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) /* Log if principal name does not map to local username */ else if (client && !princ_maps_to_lname(client, locuser)) #endif /* LOG_OTHER_USERS */ - + #ifdef LOG_ALL_LOGINS /* Log everything */ - else -#endif - + else +#endif + #if defined(LOG_REMOTE_REALM) || defined(LOG_OTHER_USERS) || defined(LOG_ALL_LOGINS) { #ifdef LOG_CMD - syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as local user %s", + syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as local user %s", cmdbuf, kremuser, remuser, hostaddra, hostname, locuser); #else syslog(LOG_NOTICE ,"Access as %s by principal %s (%s@%s (%s))", @@ -1108,9 +1108,9 @@ void doit(f, fromp) #endif } #endif - + (void) write(2, "", 1); - + if (port||do_encrypt) { if (port&&(pipe(pv) < 0)) { error("Can't make pipe.\n"); @@ -1139,7 +1139,7 @@ void doit(f, fromp) (void)sigaction(SIGHUP, &sa, (struct sigaction *)0); sa.sa_handler = SIG_IGN; - /* SIGPIPE is a crutch that we don't need if we check + /* SIGPIPE is a crutch that we don't need if we check the exit status of write. */ (void)sigaction(SIGPIPE, &sa, (struct sigaction *)0); (void)sigaction(SIGCHLD, &sa, (struct sigaction *)0); @@ -1148,20 +1148,20 @@ void doit(f, fromp) signal(SIGQUIT, cleanup); signal(SIGTERM, cleanup); signal(SIGHUP, cleanup); - /* SIGPIPE is a crutch that we don't need if we check + /* SIGPIPE is a crutch that we don't need if we check the exit status of write. */ signal(SIGPIPE, SIG_IGN); signal(SIGCHLD,SIG_IGN); #endif - + (void) close(0); (void) close(1); (void) close(2); if(port) (void) close(pv[1]); (void) close(pw[1]); (void) close(px[0]); - - - + + + FD_ZERO(&readfrom); FD_SET(f, &readfrom); maxfd = f; @@ -1176,7 +1176,7 @@ void doit(f, fromp) FD_SET(pw[0], &readfrom); if (pw[0] > maxfd) maxfd = pw[0]; - + /* read from f, write to px[1] -- child stdin */ /* read from s, signal child */ /* read from pv[0], write to s -- child stderr */ @@ -1246,7 +1246,7 @@ void doit(f, fromp) (void) close(px[1]); FD_CLR(f, &readfrom); } else if (wcc != cc) { - syslog(LOG_INFO, "only wrote %d/%d to child", + syslog(LOG_INFO, "only wrote %d/%d to child", wcc, cc); } } @@ -1293,14 +1293,14 @@ void doit(f, fromp) if(port) (void) close(pv[1]); } - - /* We are simply execing a program over rshd : log entry into wtmp, + + /* We are simply execing a program over rshd : log entry into wtmp, as kexe(pid), then finish out the session right after that. Syslog should have the information as to what was exec'd */ else { pty_logwtmp(ttyn,"",""); } - + if (*pwd->pw_shell == '\0') pwd->pw_shell = "/bin/sh"; (void) close(f); @@ -1317,7 +1317,7 @@ void doit(f, fromp) #ifdef HAVE_SETLUID /* * If we're on a system which keeps track of login uids, then - * set the login uid. + * set the login uid. */ if (setluid((uid_t) pwd->pw_uid) < 0) { perror("setluid"); @@ -1404,7 +1404,7 @@ void doit(f, fromp) char *buf2; if(getenv(save_env[cnt])) { - if (asprintf(&buf2, "%s=%s", save_env[cnt], + if (asprintf(&buf2, "%s=%s", save_env[cnt], getenv(save_env[cnt])) >= 0) { for (i = 0; envinit[i]; i++); envinit[i] = buf2; @@ -1415,7 +1415,7 @@ void doit(f, fromp) /* XXX - If we do anything else, make sure there is space in the array. */ environ = envinit; - + #ifdef KERBEROS /* To make Kerberos rcp work correctly, we must ensure that we invoke Kerberos rcp on this end, not normal rcp, even if the @@ -1453,7 +1453,7 @@ void doit(f, fromp) cp++; else cp = pwd->pw_shell; - + if (do_encrypt && !strncmp(cmdbuf, "-x ", 3)) { execl(pwd->pw_shell, cp, "-c", (char *)cmdbuf + 3, (char *)NULL); } @@ -1463,7 +1463,7 @@ void doit(f, fromp) perror(pwd->pw_shell); perror(cp); exit(1); - + signout_please: if (ccache) krb5_cc_destroy(bsd_context, ccache); @@ -1485,7 +1485,7 @@ error(fmt, va_alist) { va_list ap; char buf[RCMD_BUFSIZ], *cp = buf; - + #ifdef HAVE_STDARG_H va_start(ap, fmt); #else @@ -1508,7 +1508,7 @@ void getstr(fd, buf, cnt, err) char *err; { char c; - + do { if (read(fd, &c, 1) != 1) exit(1); @@ -1526,11 +1526,11 @@ char *makejtmp(uid, gid, jid) { register char *endc, *tdp = &tmpdir[strlen(tmpdir)]; register int i; - + snprintf(tdp, sizeof(tmpdir) - (tdp - tmpdir), "%s/jtmp.%06d", JTMPDIR, jid); endc = &tmpdir[strlen(tmpdir)]; - + endc[1] = '\0'; for (i = 0; i < 26; i++) { endc[0] = 'a' + i; @@ -1595,7 +1595,7 @@ static int get_packet_classification(fd,useruid,level,comp) struct udb *udb; int retval; int sockoptlen; - + retval = 0; getsysudb (); udb = getudbuid ((int) useruid); @@ -1631,8 +1631,8 @@ static int get_packet_classification(fd,useruid,level,comp) } #endif /* IP_SECURITY */ - - + + /* * Make a security log entry for the login attempt. @@ -1655,7 +1655,7 @@ loglogin(host, flag, failures, ue) char urec[sizeof(struct slghdr) + sizeof(struct slglogin)]; struct slghdr *uhdr = (struct slghdr *)urec; struct slglogin *ulogin=(struct slglogin *)&urec[sizeof(struct slghdr)]; - + strncpy(ulogin->sl_line, ttyn, sizeof(ulogin->sl_line)); strncpy(ulogin->sl_host, host, sizeof(ulogin->sl_host)); ulogin->sl_failures = failures; @@ -1671,7 +1671,7 @@ loglogin(host, flag, failures, ue) /* uhdr->sl_scls = ue->ue_defcls; enable for integrity policy */ uhdr->sl_olvl = 0; uhdr->sl_len = sizeof(urec); - + #ifdef CRAY2 slgentry(SLG_LOGN, (word *)urec); #else /* ! CRAY2 */ @@ -1681,7 +1681,7 @@ loglogin(host, flag, failures, ue) } #endif /* CRAY */ - + void usage() @@ -1728,7 +1728,7 @@ recvauth(netfd, peersin, valid_checksum) if (getsockname(netfd, (struct sockaddr *)&laddr, &len)) { exit(1); } - + #ifdef unicos61 #define SIZEOF_INADDR SIZEOF_in_addr #else @@ -1784,7 +1784,7 @@ recvauth(netfd, peersin, valid_checksum) getstr(netfd, cmdbuf, sizeof(cmdbuf), "command"); /* Must be V5 */ - + kcmd_proto = KCMD_UNKNOWN_PROTOCOL; if (version.length != 9) fatal (netfd, "bad application version length"); @@ -1795,17 +1795,17 @@ recvauth(netfd, peersin, valid_checksum) getstr(netfd, remuser, sizeof(locuser), "remuser"); - if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client, + if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client, &kremuser))) return status; - - if ((status = krb5_copy_principal(bsd_context, ticket->enc_part2->client, + + if ((status = krb5_copy_principal(bsd_context, ticket->enc_part2->client, &client))) return status; if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context, &authenticator))) return status; - + if (authenticator->checksum && !checksum_ignored) { struct sockaddr_storage adr; unsigned int adr_length = sizeof(adr); diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c index 57680ad3c..fc6198c14 100644 --- a/src/appl/bsd/login.c +++ b/src/appl/bsd/login.c @@ -352,7 +352,7 @@ static void login_get_kconf(k) kconf_names[0] = "login"; kconf_names[1] = login_conf_set[i].flagname; kconf_names[2] = 0; - retval = profile_get_values(k->profile, + retval = profile_get_values(k->profile, kconf_names, &kconf_val); if (retval) { /* ignore most (all?) errors */ @@ -445,7 +445,7 @@ void k_init (ttyn) { #ifdef KRB5_GET_TICKETS krb5_error_code retval; - + retval = krb5_init_secure_context(&kcontext); if (retval) { com_err("login", retval, "while initializing krb5"); @@ -482,7 +482,7 @@ static int k5_get_password (user_pwstring, pwsize) unsigned int pwsize; { krb5_error_code code; - char prompt[255]; + char prompt[255]; snprintf(prompt, sizeof(prompt), "Password for %s", username); /* reduce opportunities to be swapped out */ @@ -521,7 +521,7 @@ static int try_krb5 (me_p, pass) if (code) { if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) fprintf (stderr, - "%s: Kerberos password incorrect\n", + "%s: Kerberos password incorrect\n", username); else com_err ("login", code, @@ -749,8 +749,8 @@ int main(argc, argv) /* * -p is used by getty to tell login not to destroy the environment * -r is used by rlogind to cause the autologin protocol; - * -f is used to skip a second login authentication - * -F is used to skip a second login authentication, allows login as root + * -f is used to skip a second login authentication + * -F is used to skip a second login authentication, allows login as root * -e is used to skip a second login authentication, but allows * login as root. * -h is used by other servers to pass the name of the @@ -835,11 +835,11 @@ int main(argc, argv) /* Only do this we we're not using POSIX_TERMIOS */ (void)ioctl(0, TIOCLSET, (char *)&ioctlval); #endif - + #ifdef TIOCNXCL (void)ioctl(0, TIOCNXCL, (char *)0); #endif - + ioctlval = fcntl(0, F_GETFL); #ifdef O_NONBLOCK ioctlval &= ~O_NONBLOCK; @@ -861,7 +861,7 @@ int main(argc, argv) term[sizeof(term) - 1] = '\0'; } } - + term_init (rflag || kflag || Kflag || eflag); for (cnt = getdtablesize(); cnt > 2; cnt--) @@ -877,7 +877,7 @@ int main(argc, argv) else tty = ttyn; -#ifndef LOG_ODELAY /* 4.2 syslog ... */ +#ifndef LOG_ODELAY /* 4.2 syslog ... */ openlog("login", 0); #else openlog("login", LOG_ODELAY, LOG_AUTH); @@ -1106,7 +1106,7 @@ int main(argc, argv) controlling tty, which is the case (under SunOS at least.) */ { - int pid = getpid(); + int pid = getpid(); struct sigaction sa2, osa; /* this will set the PGID to the PID. */ @@ -1251,14 +1251,14 @@ int main(argc, argv) #ifdef KRB5_GET_TICKETS if (got_v5_tickets) { - /* set up credential cache -- obeying KRB5_ENV_CCNAME + /* set up credential cache -- obeying KRB5_ENV_CCNAME set earlier */ /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */ if ((retval = krb5_cc_default(kcontext, &ccache))) { com_err(argv[0], retval, "while getting default ccache"); } else if ((retval = krb5_cc_initialize(kcontext, ccache, me))) { com_err(argv[0], retval, "when initializing cache"); - } else if ((retval = krb5_cc_store_cred(kcontext, ccache, + } else if ((retval = krb5_cc_store_cred(kcontext, ccache, &my_creds))) { com_err(argv[0], retval, "while storing credentials"); } else if (xtra_creds && @@ -1279,7 +1279,7 @@ int main(argc, argv) syslog(LOG_ERR, "%s while re-storing V5 credentials as user", error_message(retval)); - + } krb5_free_cred_contents(kcontext, &save_v5creds); } @@ -1672,7 +1672,7 @@ void dolastlog(hostname, quiet, tty) printf("Last login: %.*s ", 24-5, (char *)ctime(&lltime)); if (*ll.ll_host != '\0') - printf("from %.*s\n", (int) sizeof(ll.ll_host), + printf("from %.*s\n", (int) sizeof(ll.ll_host), ll.ll_host); else printf("on %.*s\n", (int) sizeof(ll.ll_line), ll.ll_line); @@ -1790,7 +1790,7 @@ dofork() int syncpipe[2]; char c; int n; - + #ifdef _IBMR2 update_ref_count(1); #endif @@ -1826,7 +1826,7 @@ dofork() /* Setup stuff? This would be things we could do in parallel with login */ (void) chdir("/"); /* Let's not keep the fs busy... */ - + /* If we're the parent, watch the child until it dies */ while (1) { @@ -1849,7 +1849,7 @@ dofork() if (pid == child) break; } - + /* Cleanup stuff */ /* Run destroy_tickets to destroy tickets */ (void) destroy_tickets(); /* If this fails, we lose quietly */ @@ -1873,7 +1873,7 @@ char *strsave(sp) char *sp; { register char *ret; - + if ((ret = strdup(sp)) == NULL) { fprintf(stderr, "no memory for saving args\n"); exit(1); diff --git a/src/appl/bsd/loginpaths.h b/src/appl/bsd/loginpaths.h index 0f2580bb9..8124e1abe 100644 --- a/src/appl/bsd/loginpaths.h +++ b/src/appl/bsd/loginpaths.h @@ -34,7 +34,7 @@ #endif #ifdef _IBMR2 -/* 3.2.0 */ +/* 3.2.0 */ #define LPATH "/usr/bin:/usr/ucb:/usr/bin/X11" #define RPATH "/usr/bin:/usr/ucb:/usr/bin/X11" #endif diff --git a/src/appl/bsd/rpaths.h b/src/appl/bsd/rpaths.h index 4925ea33a..b3946772c 100644 --- a/src/appl/bsd/rpaths.h +++ b/src/appl/bsd/rpaths.h @@ -28,4 +28,3 @@ #undef UCB_RSH #define UCB_RSH "/usr/bin/remsh" #endif - diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c index f84d3c66b..3f861687f 100644 --- a/src/appl/gss-sample/gss-client.c +++ b/src/appl/gss-sample/gss-client.c @@ -1,6 +1,6 @@ /* * Copyright 1994 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +10,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -27,7 +27,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -149,13 +149,13 @@ connect_to_server(host, port) * Returns: 0 on success, -1 on failure * * Effects: - * + * * service_name is imported as a GSS-API name and a GSS-API context is * established with the corresponding service; the service should be * listening on the TCP connection s. The default GSS-API mechanism * is used, and mutual authentication and replay detection are * requested. - * + * * If successful, the context handle is returned in context. If * unsuccessful, the GSS-API error messages are displayed on stderr * and -1 is returned. @@ -209,7 +209,7 @@ client_establish_context(s, service_name, gss_flags, auth_flag, * transmitted to the server; every received token is stored in * recv_tok, which token_ptr is then set to, to be processed by * the next call to gss_init_sec_context. - * + * * GSS-API guarantees that send_tok's length will be non-zero * if and only if the server is expecting another token from us, * and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if @@ -338,7 +338,7 @@ read_file(file_name, in_buf) * Returns: 0 on success, -1 on failure * * Effects: - * + * * call_server opens a TCP connection to and establishes a * GSS-API context with service_name over the connection. It then * seals msg in a GSS-API token with gss_wrap, sends it to the server, diff --git a/src/appl/gss-sample/gss-misc.c b/src/appl/gss-sample/gss-misc.c index cfaa0f8bd..3abb0ce1a 100644 --- a/src/appl/gss-sample/gss-misc.c +++ b/src/appl/gss-sample/gss-misc.c @@ -1,6 +1,6 @@ /* * Copyright 1994 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +10,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -27,7 +27,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -223,7 +223,7 @@ send_token(s, flags, tok) * Returns: 0 on success, -1 on failure * * Effects: - * + * * recv_token reads the token flags (a single byte, even though * they're stored into an integer, then reads the token length (as a * network long), allocates memory to hold the data, and then reads diff --git a/src/appl/gss-sample/gss-misc.h b/src/appl/gss-sample/gss-misc.h index 35b3b7390..77d8190f9 100644 --- a/src/appl/gss-sample/gss-misc.h +++ b/src/appl/gss-sample/gss-misc.h @@ -1,6 +1,6 @@ /* * Copyright 1994 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +10,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c index 488f14ccc..158414d4f 100644 --- a/src/appl/gss-sample/gss-server.c +++ b/src/appl/gss-sample/gss-server.c @@ -1,6 +1,6 @@ /* * Copyright 1994 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +10,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -27,7 +27,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -390,7 +390,7 @@ test_import_export_context(context) * service_name (r) the ASCII name of the GSS-API service to * establish a context as * export (r) whether to test context exporting - * + * * Returns: -1 on error * * Effects: @@ -624,7 +624,7 @@ worker_bee(void *param) struct _work_plan *work = (struct _work_plan *) param; /* this return value is not checked, because there's - * not really anything to do if it fails + * not really anything to do if it fails */ sign_server(work->s, work->server_creds, work->export); closesocket(work->s); diff --git a/src/appl/gssftp/ftp/cmds.c b/src/appl/gssftp/ftp/cmds.c index 0e06a8d56..8bfd552f7 100644 --- a/src/appl/gssftp/ftp/cmds.c +++ b/src/appl/gssftp/ftp/cmds.c @@ -112,7 +112,7 @@ static char *domap (char *); * * Returns false if no new arguments have been added. */ -int +int another(pargc, pargv, prompt) int *pargc; char ***pargv; @@ -260,7 +260,7 @@ void setpeer(argc, argv) unix_proxy = 0; else unix_server = 0; - if (overbose && + if (overbose && !strncmp(reply_string, "215 TOPS20", 10)) printf( "Remember to set tenex mode when transfering binary files from this machine.\n"); @@ -355,7 +355,7 @@ void setclevel(argc, argv) if (!strcmp(p->p_name, "clear")) { comret = command("CCC"); if (comret == COMPLETE) - clevel = PROT_C; + clevel = PROT_C; return; } clevel = p->p_level; @@ -1180,7 +1180,7 @@ void status(argc, argv) } printf("Hash mark printing: %s; Use of PORT cmds: %s\n", onoff(hash), onoff(sendport)); - printf("Verbose: %s; Bell: %s; Prompting: %s; Globbing: %s\n", + printf("Verbose: %s; Bell: %s; Prompting: %s; Globbing: %s\n", onoff(verbose), onoff(bell), onoff(interactive), onoff(doglob)); if (macnum > 0) { @@ -1275,7 +1275,7 @@ void setprompt() /*VARARGS*/ void setglob() { - + doglob = !doglob; printf("Globbing %s.\n", onoff(doglob)); code = doglob; @@ -1601,7 +1601,7 @@ void shell(argc, argv) { int pid; sig_t old1, old2; - char shellnam[40], *shellprog, *namep; + char shellnam[40], *shellprog, *namep; #ifdef WAIT_USES_INT int w_status; #else @@ -1910,7 +1910,7 @@ void disconnect() return; (void) command("QUIT"); if (cout) { - (void) FCLOSE_SOCKET(cout); + (void) FCLOSE_SOCKET(cout); cout = NULL; } connected = 0; @@ -2237,7 +2237,7 @@ domap(name) break; case '[': LOOP: - if (*++cp2 == '$' && isdigit((int) *(cp2+1))) { + if (*++cp2 == '$' && isdigit((int) *(cp2+1))) { if (*++cp2 == '0') { char *cp3 = name; @@ -2256,7 +2256,7 @@ LOOP: } } else { - while (*cp2 && *cp2 != ',' && + while (*cp2 && *cp2 != ',' && *cp2 != ']') { if (*cp2 == '\\') { cp2++; diff --git a/src/appl/gssftp/ftp/cmdtab.c b/src/appl/gssftp/ftp/cmdtab.c index cfa11e371..76fdb46c1 100644 --- a/src/appl/gssftp/ftp/cmdtab.c +++ b/src/appl/gssftp/ftp/cmdtab.c @@ -206,4 +206,3 @@ struct cmd cmdtab[] = { }; int NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1; - diff --git a/src/appl/gssftp/ftp/ftp.c b/src/appl/gssftp/ftp/ftp.c index 79d844b4d..6d20fbffd 100644 --- a/src/appl/gssftp/ftp/ftp.c +++ b/src/appl/gssftp/ftp/ftp.c @@ -33,14 +33,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -51,7 +51,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -139,7 +139,7 @@ char *auth_type; /* Authentication succeeded? If so, what type? */ unsigned int maxbuf, actualbuf; unsigned char *ucbuf; - + #define DEFINITIONS #include "ftp_var.h" #include "secure.h" @@ -234,7 +234,7 @@ hookup(char* host, int port) PERROR_SOCKET((char *) 0); hp->h_addr_list++; memcpy(&hisctladdr.sin_addr, - hp->h_addr_list[0], + hp->h_addr_list[0], sizeof(hisctladdr.sin_addr)); fprintf(stdout, "Trying %s...\n", inet_ntoa(hisctladdr.sin_addr)); @@ -448,12 +448,12 @@ static int secure_command(char* cmd) "gss_seal ENC didn't complete": "gss_seal MIC didn't complete"); } else if ((clevel == PROT_P) && !conf_state) { - fprintf(stderr, + fprintf(stderr, "GSSAPI didn't encrypt message"); } else { if (debug) fprintf(stderr, "sealed (%s) %lu bytes\n", - clevel==PROT_P?"ENC":"MIC", + clevel==PROT_P?"ENC":"MIC", (unsigned long) out_buf.length); length=out_buf.length; memcpy(out, out_buf.value, out_buf.length); @@ -469,7 +469,7 @@ static int secure_command(char* cmd) return(0); } fprintf(cout, "%s %s", clevel == PROT_P ? "ENC" : "MIC", in); - if(debug) + if(debug) fprintf(stderr, "secure_command(%s)\nencoding %d bytes %s %s\n", cmd, length, clevel==PROT_P ? "ENC" : "MIC", in); } else fputs(cmd, cout); @@ -492,7 +492,7 @@ int command(char *fmt, ...) va_start(ap, fmt); if (strncmp("PASS ", fmt, 5) == 0) printf("PASS XXXX"); - else + else vfprintf(stdout, fmt, ap); va_end(ap); printf("\n"); @@ -662,7 +662,7 @@ int getreply(int expecteof) else { int len; kerror = radix_encode((unsigned char *)obuf, - (unsigned char *)ibuf, + (unsigned char *)ibuf, &len, 1); if (kerror) { printf("Can't base 64 decode reply %d (%s)\n\"%s\"\n", @@ -678,20 +678,20 @@ int getreply(int expecteof) xmit_buf.length = len; /* decrypt/verify the message */ conf_state = safe; - maj_stat = gss_unseal(&min_stat, gcontext, - &xmit_buf, &msg_buf, + maj_stat = gss_unseal(&min_stat, gcontext, + &xmit_buf, &msg_buf, &conf_state, NULL); if (maj_stat != GSS_S_COMPLETE) { - user_gss_error(maj_stat, min_stat, + user_gss_error(maj_stat, min_stat, "failed unsealing reply"); n = '5'; } else { if(msg_buf.length < sizeof(ibuf) - 2 - 1) { - memcpy(ibuf, msg_buf.value, + memcpy(ibuf, msg_buf.value, msg_buf.length); memcpy(&ibuf[msg_buf.length], "\r\n", 3); } else { - user_gss_error(maj_stat, min_stat, + user_gss_error(maj_stat, min_stat, "reply was too long"); } gss_release_buffer(&min_stat,&msg_buf); @@ -838,7 +838,7 @@ void sendrequest(char *cmd, char *local, char *remote, int printnames) fin = fopen(local, "rt"); #else /* !_WIN32 */ fin = fopen(local, "r"); -#endif /* !_WIN32 */ +#endif /* !_WIN32 */ if (fin == NULL) { fprintf(stderr, "local: %s: %s\n", local, strerror(errno)); @@ -927,7 +927,7 @@ void sendrequest(char *cmd, char *local, char *remote, int printnames) while ((c = read(fileno(fin), buf, sizeof (buf))) > 0) { bytes += c; for (bufp = buf; c > 0; c -= d, bufp += d) - if ((d = secure_write(fileno(dout), bufp, + if ((d = secure_write(fileno(dout), bufp, (unsigned int) c)) <= 0) break; if (hash) { @@ -937,7 +937,7 @@ void sendrequest(char *cmd, char *local, char *remote, int printnames) } (void) fflush(stdout); } - if (d <= 0 ) + if (d <= 0 ) break; } if (hash && bytes > 0) { @@ -950,7 +950,7 @@ void sendrequest(char *cmd, char *local, char *remote, int printnames) fprintf(stderr, "local: %s: %s\n", local, strerror(errno)); if (d < 0 || (d = secure_flush(fileno(dout))) < 0) { - if (d == -1 && errno != EPIPE) + if (d == -1 && errno != EPIPE) perror("netout"); bytes = -1; } @@ -975,7 +975,7 @@ void sendrequest(char *cmd, char *local, char *remote, int printnames) /* if (c == '\r') { */ /* (void) putc('\0', dout); this violates rfc */ /* bytes++; */ - /* } */ + /* } */ } if (hash) { if (bytes < hashbytes) @@ -1444,7 +1444,7 @@ static int initconn() noport: data_addr = myctladdr; if (sendport) - data_addr.sin_port = 0; /* let system pick one */ + data_addr.sin_port = 0; /* let system pick one */ if (data != INVALID_SOCKET) (void) closesocket(data); data = socket(AF_INET, SOCK_STREAM, 0); @@ -1918,7 +1918,7 @@ int do_auth() char stbuf[FTP_BUFSIZ]; int comcode, trial; struct gss_channel_bindings_struct chan; - chan.initiator_addrtype = GSS_C_AF_INET; /* OM_uint32 */ + chan.initiator_addrtype = GSS_C_AF_INET; /* OM_uint32 */ chan.initiator_address.length = 4; chan.initiator_address.value = &myctladdr.sin_addr.s_addr; chan.acceptor_addrtype = GSS_C_AF_INET; /* OM_uint32 */ @@ -1929,9 +1929,9 @@ int do_auth() if (verbose) printf("GSSAPI accepted as authentication type\n"); - + /* blob from gss-client */ - + for (trial = 0; trial < n_gss_trials; trial++) { /* ftp@hostname first, the host@hostname */ /* the V5 GSSAPI binding canonicalizes this for us... */ @@ -1944,7 +1944,7 @@ int do_auth() send_tok.length = strlen(stbuf) + 1; maj_stat = gss_import_name(&min_stat, &send_tok, gss_nt_service_name, &target_name); - + if (maj_stat != GSS_S_COMPLETE) { user_gss_error(maj_stat, min_stat, "parsing name"); secure_error("name parsed <%s>\n", stbuf); @@ -1953,7 +1953,7 @@ int do_auth() token_ptr = GSS_C_NO_BUFFER; gcontext = GSS_C_NO_CONTEXT; /* structure copy */ - + do { if (debug) fprintf(stderr, "calling gss_init_sec_context\n"); @@ -1964,7 +1964,7 @@ int do_auth() target_name, (gss_OID_desc *)gss_trials[trial].mech_type, GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | - (forward ? GSS_C_DELEG_FLAG : + (forward ? GSS_C_DELEG_FLAG : (unsigned) 0), 0, &chan, /* channel bindings */ @@ -1973,7 +1973,7 @@ int do_auth() &send_tok, NULL, /* ignore ret_flags */ NULL); /* ignore time_rec */ - + if (maj_stat!=GSS_S_COMPLETE && maj_stat!=GSS_S_CONTINUE_NEEDED){ if (trial == n_gss_trials-1) @@ -1981,7 +1981,7 @@ int do_auth() /* could just be that we missed on the service name */ goto outer_loop; } - + if (send_tok.length != 0) { int len = send_tok.length; reply_parse = "ADAT="; /* for command() later */ @@ -2105,7 +2105,7 @@ static void abort_remote(FILE *din) (void) secure_command("ABOR"); FD_ZERO(&mask); FD_SET(SOCKETNO(fileno(cin)), &mask); - if (din) { + if (din) { FD_SET(SOCKETNO(fileno(din)), &mask); } if ((nfnd = empty(&mask, 10)) <= 0) { diff --git a/src/appl/gssftp/ftp/glob.c b/src/appl/gssftp/ftp/glob.c index bbbcb4457..3d62284ba 100644 --- a/src/appl/gssftp/ftp/glob.c +++ b/src/appl/gssftp/ftp/glob.c @@ -86,12 +86,12 @@ char *home; static char *strspl (char *, char *), *strend (char *); char **copyblk (char **); -static void acollect (char *), addpath (int), - collect (char *), expand (char *), +static void acollect (char *), addpath (int), + collect (char *), expand (char *), Gcat (char *, char *); static void ginit (char **), matchdir (char *), rscan (char **, int (*f)()), sort (void); -static int amatch (char *, char *), +static int amatch (char *, char *), execbrc (char *, char *), match (char *, char *); static int digit (int), letter (int), any (int, char *); diff --git a/src/appl/gssftp/ftp/main.c b/src/appl/gssftp/ftp/main.c index 6ec5ee1a8..48302cd51 100644 --- a/src/appl/gssftp/ftp/main.c +++ b/src/appl/gssftp/ftp/main.c @@ -92,7 +92,7 @@ static void cmdscanner (int); static char *slurpstring (void); -int +int main(argc, argv) volatile int argc; char **volatile argv; @@ -285,7 +285,7 @@ tail(filename) char *filename; { register char *s; - + while (*filename) { s = strrchr(filename, '/'); if (s == NULL) diff --git a/src/appl/gssftp/ftp/ruserpass.c b/src/appl/gssftp/ftp/ruserpass.c index 6e603e459..03fbc7916 100644 --- a/src/appl/gssftp/ftp/ruserpass.c +++ b/src/appl/gssftp/ftp/ruserpass.c @@ -124,7 +124,7 @@ token() return (ID); } -int +int ruserpass(host, aname, apass, aacct) char *host, **aname, **apass, **aacct; { @@ -160,7 +160,7 @@ next: continue; /* * Allow match either for user's input host name - * or official hostname. Also allow match of + * or official hostname. Also allow match of * incompletely-specified host in local domain. */ if (strcasecmp(host, tokval) == 0) @@ -186,7 +186,7 @@ next: case LOGIN: if (token()) { - if (*aname == 0) { + if (*aname == 0) { *aname = strdup(tokval); } else { if (strcmp(*aname, tokval)) diff --git a/src/appl/gssftp/ftp/secure.c b/src/appl/gssftp/ftp/secure.c index 3ed15ee97..584660460 100644 --- a/src/appl/gssftp/ftp/secure.c +++ b/src/appl/gssftp/ftp/secure.c @@ -68,9 +68,9 @@ extern unsigned int maxbuf; /* maximum output buffer size */ extern unsigned char *ucbuf; /* cleartext buffer */ static unsigned int nout; /* number of chars in ucbuf, * pointer into ucbuf */ -static unsigned int smaxbuf; /* Internal saved value of maxbuf +static unsigned int smaxbuf; /* Internal saved value of maxbuf in case changes on us */ -static unsigned int smaxqueue; /* Maximum allowed to queue before +static unsigned int smaxqueue; /* Maximum allowed to queue before flush buffer. < smaxbuf by fudgefactor */ /* perhaps use these in general, certainly use them for GSSAPI */ @@ -114,7 +114,7 @@ looping_read(fd, buf, len) if (errno == EINTR) continue; return(cc); /* errno is already set */ - } + } else if (cc == 0) { return(len2); } else { @@ -131,9 +131,9 @@ looping_read(fd, buf, len) #define ERR -2 -/* +/* * Given maxbuf as a buffer size, determine how much can we - * really transfer given the overhead of different algorithms + * really transfer given the overhead of different algorithms * * Sets smaxbuf and smaxqueue */ @@ -147,12 +147,12 @@ static int secure_determine_constants() if (strcmp(auth_type, "GSSAPI") == 0) { OM_uint32 maj_stat, min_stat, mlen; OM_uint32 msize = maxbuf; - maj_stat = gss_wrap_size_limit(&min_stat, gcontext, + maj_stat = gss_wrap_size_limit(&min_stat, gcontext, (dlevel == PROT_P), GSS_C_QOP_DEFAULT, msize, &mlen); if (maj_stat != GSS_S_COMPLETE) { - secure_gss_error(maj_stat, min_stat, + secure_gss_error(maj_stat, min_stat, "GSSAPI fudge determination"); /* Return error how? */ return ERR; @@ -160,7 +160,7 @@ static int secure_determine_constants() smaxqueue = mlen; } #endif - + return 0; } @@ -223,7 +223,7 @@ FILE *stream; * -1 on error (errno set) * -2 on security error */ -int +int secure_write(fd, buf, nbyte) int fd; unsigned char *buf; @@ -264,7 +264,7 @@ unsigned int nbyte; gss_buffer_desc in_buf, out_buf; OM_uint32 maj_stat, min_stat; int conf_state; - + in_buf.value = buf; in_buf.length = nbyte; maj_stat = gss_seal(&min_stat, gcontext, @@ -326,7 +326,7 @@ int fd; return(ERR); } if ((length = (u_long) ntohl(length)) > MAX) { - secure_error("Length (%d) of PROT buffer > PBSZ=%u", + secure_error("Length (%d) of PROT buffer > PBSZ=%u", length, MAX); return(ERR); } @@ -350,7 +350,7 @@ int fd; maj_stat = gss_unseal(&min_stat, gcontext, &xmit_buf, &msg_buf, &conf_state, NULL); if (maj_stat != GSS_S_COMPLETE) { - secure_gss_error(maj_stat, min_stat, + secure_gss_error(maj_stat, min_stat, (dlevel == PROT_P)? "failed unsealing ENC message": "failed unsealing MIC message"); diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c index ad3c4201a..7958facfe 100644 --- a/src/appl/gssftp/ftpd/ftpd.c +++ b/src/appl/gssftp/ftpd/ftpd.c @@ -67,7 +67,7 @@ static char sccsid[] = "@(#)ftpd.c 5.40 (Berkeley) 7/2/91"; #ifdef HAVE_SHADOW #include #endif -#include +#include #include #ifndef POSIX_SETJMP #undef sigjmp_buf @@ -224,11 +224,11 @@ int swaitmax = SWAITMAX; int swaitint = SWAITINT; void lostconn(int), myoob(int); -FILE *getdatasock(char *); +FILE *getdatasock(char *); #if defined(__STDC__) -/* +/* * The following prototypes must be ANSI for systems for which - * sizeof(off_t) > sizeof(int) to prevent stack overflow problems + * sizeof(off_t) > sizeof(int) to prevent stack overflow problems */ FILE *dataconn(char *name, off_t size, char *mymode); void send_data(FILE *instr, FILE *outstr, off_t blksize); @@ -740,7 +740,7 @@ user(name) } snprintf(buf, sizeof(buf), "GSSAPI user %s is%s authorized as %s", - (char *) client_name.value, + (char *) client_name.value, authorized ? "" : " not", name); } @@ -800,7 +800,7 @@ checkuser(name) return (1); if (strncmp(line, name, strlen(name)) == 0) { int i = strlen(name) + 1; - + /* Make sure foo doesn't match foobar */ if (line[i] == '\0' || !isspace((int) line[i])) continue; @@ -838,7 +838,7 @@ restricted_user(name) * Terminate login as previous user, if any, resetting state; * used when USER command is given or login fails. */ -static void +static void end_login() { @@ -891,7 +891,7 @@ char *name, *passwd; my_creds.server = server; if (krb5_timeofday(kcontext, &now)) goto nuke_ccache; - my_creds.times.starttime = 0; /* start timer when + my_creds.times.starttime = 0; /* start timer when request gets to KDC */ my_creds.times.endtime = now + 60 * 60 * 10; my_creds.times.renew_till = 0; @@ -933,7 +933,7 @@ pass(passwd) if (logged_in || askpasswd == 0) { reply(503, "Login with USER first."); return; - } + } if (!guest) { /* "ftp" is only account allowed no password */ @@ -1125,7 +1125,7 @@ retrieve(cmd, name) } if (c == '\n') i++; - } + } } else if (lseek(fileno(fin), restart_point, L_SET) < 0) { perror_reply(550, name); goto done; @@ -1184,7 +1184,7 @@ store_file(name, fmode, unique) } if (c == '\n') i++; - } + } /* * We must do this seek to "current" position * because we are changing from reading to @@ -1694,7 +1694,7 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5) gss_buffer_desc in_buf, out_buf; OM_uint32 maj_stat, min_stat; int conf_state; - + in_buf.value = in; in_buf.length = strlen(in); maj_stat = gss_seal(&min_stat, gcontext, @@ -1717,7 +1717,7 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5) secure_error("GSSAPI didn't encrypt message"); #endif /* 0 */ } else { - memcpy(out, out_buf.value, + memcpy(out, out_buf.value, length=out_buf.length); gss_release_buffer(&min_stat, &out_buf); } @@ -1992,10 +1992,10 @@ myoob(sig) if (strcmp(cp, "STAT") == 0) { if (file_size != (off_t) -1) reply(213, "Status: %lu of %lu bytes transferred", - (unsigned long) byte_count, + (unsigned long) byte_count, (unsigned long) file_size); else - reply(213, "Status: %lu bytes transferred", + reply(213, "Status: %lu bytes transferred", (unsigned long) byte_count); } } @@ -2196,7 +2196,7 @@ char *adata; name_buf.length = strlen(name_buf.value) + 1; if (debug) syslog(LOG_INFO, "importing <%s>", service_name); - stat_maj = gss_import_name(&stat_min, &name_buf, + stat_maj = gss_import_name(&stat_min, &name_buf, gss_nt_service_name, &server_name); if (stat_maj != GSS_S_COMPLETE) { @@ -2205,7 +2205,7 @@ char *adata; syslog(LOG_ERR, "gssapi error importing name"); return 0; } - + acquire_maj = gss_acquire_cred(&acquire_min, server_name, 0, GSS_C_NULL_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); @@ -2271,7 +2271,7 @@ char *adata; } rad_len = out_tok.length; - kerror = radix_encode(out_tok.value, gbuf, + kerror = radix_encode(out_tok.value, gbuf, &rad_len, 0); out_tok.length = rad_len; if (kerror) { @@ -2301,7 +2301,7 @@ char *adata; &client_name, &mechid); if (stat_maj != GSS_S_COMPLETE) { /* "If the server rejects the security data (if - a checksum fails, for instance), it should + a checksum fails, for instance), it should respond with reply code 535." */ reply_gss_error(535, stat_maj, stat_min, "extracting GSSAPI identity name"); @@ -2335,7 +2335,7 @@ char *adata; else reply(235, "GSSAPI Authentication succeeded"); } - + return(1); } else if (accept_maj == GSS_S_CONTINUE_NEEDED) { /* If the server accepts the security data, and @@ -2348,10 +2348,10 @@ char *adata; (void) gss_release_cred(&stat_min, &deleg_creds); return(0); } else { - /* "If the server rejects the security data (if - a checksum fails, for instance), it should + /* "If the server rejects the security data (if + a checksum fails, for instance), it should respond with reply code 535." */ - reply_gss_error(535, stat_maj, stat_min, + reply_gss_error(535, stat_maj, stat_min, "GSSAPI failed processing ADAT"); syslog(LOG_ERR, "GSSAPI failed processing ADAT"); (void) gss_release_cred(&stat_min, &server_creds); @@ -2676,12 +2676,12 @@ ftpd_gss_userok(gclient_name, name) { int retval = -1; krb5_principal p; - + if (krb5_parse_name(kcontext, gclient_name->value, &p) != 0) return -1; if (krb5_kuserok(kcontext, p, name)) retval = 0; - else + else retval = 1; krb5_free_principal(kcontext, p); return retval; @@ -2723,4 +2723,3 @@ cleanup: #endif /* GSSAPI */ - diff --git a/src/appl/gssftp/ftpd/ftpd_var.h b/src/appl/gssftp/ftpd/ftpd_var.h index 8d833e4ec..ea0ebe398 100644 --- a/src/appl/gssftp/ftpd/ftpd_var.h +++ b/src/appl/gssftp/ftpd/ftpd_var.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Prototypes for various functions in the ftpd sources. */ diff --git a/src/appl/libpty/cleanup.c b/src/appl/libpty/cleanup.c index 57cc796ac..2622d1920 100644 --- a/src/appl/libpty/cleanup.c +++ b/src/appl/libpty/cleanup.c @@ -3,7 +3,7 @@ * * (C)Copyright 1995, 1996 by the Massachusetts Institute of Technology. * - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -17,7 +17,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" @@ -35,10 +35,10 @@ long pty_cleanup (char *slave, #ifdef VHANG_LAST int retval, fd; #endif - + if (update_utmp) pty_update_utmp(PTY_DEAD_PROCESS, pid, "", slave, (char *)0, PTY_UTMP_USERNAME_VALID); - + (void)chmod(slave, 0666); (void)chown(slave, 0, 0); #ifdef HAVE_REVOKE diff --git a/src/appl/libpty/dump-utmp.c b/src/appl/libpty/dump-utmp.c index d4c303fb3..de3a7467e 100644 --- a/src/appl/libpty/dump-utmp.c +++ b/src/appl/libpty/dump-utmp.c @@ -277,5 +277,5 @@ main(int argc, char **argv) #endif } } - exit(0); + exit(0); } diff --git a/src/appl/libpty/getpty.c b/src/appl/libpty/getpty.c index e5bf2854b..f262e61df 100644 --- a/src/appl/libpty/getpty.c +++ b/src/appl/libpty/getpty.c @@ -3,7 +3,7 @@ * * Copyright 1995, 1996 by the Massachusetts Institute of Technology. * - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -17,7 +17,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" @@ -67,7 +67,7 @@ ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt) } return 0; #else /*HAVE__GETPTY*/ - + *fd = open("/dev/ptym/clone", O_RDWR|O_NDELAY); /* HPUX*/ #ifdef HAVE_STREAMS if (*fd < 0) *fd = open("/dev/ptmx",O_RDWR|O_NDELAY); /*Solaris*/ @@ -81,7 +81,7 @@ ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt) if (do_grantpt) if (grantpt(*fd) || unlockpt(*fd)) return PTY_GETPTY_STREAMS; #endif - + #ifdef HAVE_PTSNAME p = ptsname(*fd); #else diff --git a/src/appl/libpty/init.c b/src/appl/libpty/init.c index b48a1f8a7..0b7038b0a 100644 --- a/src/appl/libpty/init.c +++ b/src/appl/libpty/init.c @@ -1,11 +1,11 @@ /* * pty_init: Initialize internal state of pty. - * + * * Currently initializes error tables. - * + * * Copyright 1995 by the Massachusetts Institute of Technology. * - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -19,7 +19,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" diff --git a/src/appl/libpty/init_slave.c b/src/appl/libpty/init_slave.c index ce7507645..760d5acda 100644 --- a/src/appl/libpty/init_slave.c +++ b/src/appl/libpty/init_slave.c @@ -2,7 +2,7 @@ * pty_init_slave: open slave side of terminal, clearing for use. * * Copyright 1995, 1996 by the Massachusetts Institute of Technology. - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -16,7 +16,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" @@ -41,7 +41,7 @@ static char *push_list[] = { 0}; #endif /*HAVE_STREAMS but not HAVE_LINE_PUSH*/ - + long pty_initialize_slave (int fd) { @@ -51,7 +51,7 @@ long pty_initialize_slave (int fd) struct sgttyb b; #endif /* POSIX_TERMIOS */ int pid; - + #ifdef HAVE_STREAMS #ifdef HAVE_LINE_PUSH while (ioctl (fd, I_POP, 0) == 0); /*Clear out any old lined's*/ @@ -87,7 +87,7 @@ long pty_initialize_slave (int fd) ioctl(fd, TIOCSPGRP, &pid); #endif - + #if defined(POSIX_TERMIOS) && !defined(ultrix) tcsetpgrp(fd, pid); tcgetattr(fd,&new_termio); diff --git a/src/appl/libpty/libpty.h b/src/appl/libpty/libpty.h index d95c8fe08..13cc5ecce 100644 --- a/src/appl/libpty/libpty.h +++ b/src/appl/libpty/libpty.h @@ -3,7 +3,7 @@ * * Copyright 1995 by the Massachusetts Institute of Technology. * - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -17,7 +17,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #ifndef __LIBPTY_H__ diff --git a/src/appl/libpty/logwtmp.c b/src/appl/libpty/logwtmp.c index 03cfab48f..2417fb4ce 100644 --- a/src/appl/libpty/logwtmp.c +++ b/src/appl/libpty/logwtmp.c @@ -2,7 +2,7 @@ * pty_logwtmp: Implement the logwtmp function if not present. * * Copyright 1995, 2001 by the Massachusetts Institute of Technology. - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -16,7 +16,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" diff --git a/src/appl/libpty/open_ctty.c b/src/appl/libpty/open_ctty.c index 5a1730b31..9d6fb0d95 100644 --- a/src/appl/libpty/open_ctty.c +++ b/src/appl/libpty/open_ctty.c @@ -16,14 +16,14 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" #include "libpty.h" #include "pty-int.h" -/* +/* * This function will be called twice. The first time it will acquire * a controlling terminal from which to vhangup() or revoke() (see * comments in open_slave.c); the second time, it will be to open the diff --git a/src/appl/libpty/open_slave.c b/src/appl/libpty/open_slave.c index 5bab6bc36..97f20fe3b 100644 --- a/src/appl/libpty/open_slave.c +++ b/src/appl/libpty/open_slave.c @@ -4,7 +4,7 @@ * Copyright 1995, 1996, 2001 by the Massachusetts Institute of * Technology. * - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -18,7 +18,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" diff --git a/src/appl/libpty/pty-int.h b/src/appl/libpty/pty-int.h index b94a65c0e..3e7274fa0 100644 --- a/src/appl/libpty/pty-int.h +++ b/src/appl/libpty/pty-int.h @@ -49,14 +49,14 @@ #include #include #include - + #ifdef HAVE_SYS_LABEL_H /* only SunOS 4? */ #include #include #include #endif - + #include #ifdef hpux @@ -80,7 +80,7 @@ #else #include #endif - + #include "port-sockets.h" #include #include diff --git a/src/appl/libpty/pty_paranoia.c b/src/appl/libpty/pty_paranoia.c index 466a65888..18ef6e3c9 100644 --- a/src/appl/libpty/pty_paranoia.c +++ b/src/appl/libpty/pty_paranoia.c @@ -1,6 +1,6 @@ /* * Copyright 2001 by the Massachusetts Institute of Technology. - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all diff --git a/src/appl/libpty/sane_hostname.c b/src/appl/libpty/sane_hostname.c index 8ef6de875..46ac842ee 100644 --- a/src/appl/libpty/sane_hostname.c +++ b/src/appl/libpty/sane_hostname.c @@ -1,7 +1,7 @@ /* * pty_make_sane_hostname: Make a sane hostname from an IP address. * This returns allocated memory! - * + * * Copyright 1999, 2000, 2001 by the Massachusetts Institute of * Technology. * @@ -18,7 +18,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" #include "pty-int.h" diff --git a/src/appl/libpty/update_utmp.c b/src/appl/libpty/update_utmp.c index 292a1675b..bec57fa31 100644 --- a/src/appl/libpty/update_utmp.c +++ b/src/appl/libpty/update_utmp.c @@ -1,8 +1,8 @@ /* * pty_update_utmp: Update or create a utmp entry - * + * * Copyright 1995, 2001 by the Massachusetts Institute of Technology. - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -257,7 +257,7 @@ * In addition to other HP-UX issues, 11.23 includes yet another utmp * management interface in utmps.h. This interface updates a umtpd * daemon which then manages local files. Directly accessing the files - * through the existing, yet deprecated, utmp.h interface results in + * through the existing, yet deprecated, utmp.h interface results in * nothing. * * Irix 6.x: @@ -333,7 +333,7 @@ /* * The following grossness exists to avoid duplicating lots of code * between the cases where we have an old-style sysV utmp and where we - * have a modern (Unix98 or XPG4) utmpx, or the new (hp-ux 11.23) utmps. + * have a modern (Unix98 or XPG4) utmpx, or the new (hp-ux 11.23) utmps. * See the above history rant for further explanation. */ #if defined(HAVE_SETUTXENT) || defined(HAVE_SETUTENT) || defined(HAVE_SETUTSENT) diff --git a/src/appl/libpty/update_wtmp.c b/src/appl/libpty/update_wtmp.c index 988bae61a..12a2720bb 100644 --- a/src/appl/libpty/update_wtmp.c +++ b/src/appl/libpty/update_wtmp.c @@ -2,7 +2,7 @@ * ptyint_update_wtmp: Update wtmp. * * Copyright 1995, 2001 by the Massachusetts Institute of Technology. - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -16,7 +16,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" diff --git a/src/appl/libpty/vhangup.c b/src/appl/libpty/vhangup.c index 292437142..a54250028 100644 --- a/src/appl/libpty/vhangup.c +++ b/src/appl/libpty/vhangup.c @@ -3,7 +3,7 @@ * * Copyright 1995 by the Massachusetts Institute of Technology. * - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -17,7 +17,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" @@ -32,7 +32,7 @@ void ptyint_vhangup(void) /* Initialize "sa" structure. */ (void) sigemptyset(&sa.sa_mask); sa.sa_flags = 0; - + #endif #ifdef POSIX_SIGNALS diff --git a/src/appl/libpty/void_assoc.c b/src/appl/libpty/void_assoc.c index a39c9c723..91825893e 100644 --- a/src/appl/libpty/void_assoc.c +++ b/src/appl/libpty/void_assoc.c @@ -3,7 +3,7 @@ * * Copyright 1995, 1996 by the Massachusetts Institute of Technology. * - * + * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby * granted, provided that the above copyright notice appear in all @@ -17,7 +17,7 @@ * M.I.T. makes no representations about the suitability * of this software for any purpose. It is provided "as is" without * express or implied warranty. - * + * */ #include "com_err.h" diff --git a/src/appl/sample/sample.h b/src/appl/sample/sample.h index 6c81d9351..e61a2f3e0 100644 --- a/src/appl/sample/sample.h +++ b/src/appl/sample/sample.h @@ -7,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +21,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Common definitions for the sample client/server. */ diff --git a/src/appl/sample/sclient/sclient.c b/src/appl/sample/sclient/sclient.c index bd9c4e889..2f9b47933 100644 --- a/src/appl/sample/sclient/sclient.c +++ b/src/appl/sample/sclient/sclient.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Sample Kerberos v5 client. * @@ -70,12 +70,12 @@ net_read(fd, buf, len) if (cc < 0) { if (SOCKET_ERRNO == SOCKET_EINTR) continue; - + /* XXX this interface sucks! */ - errno = SOCKET_ERRNO; - + errno = SOCKET_ERRNO; + return(cc); /* errno is already set */ - } + } else if (cc == 0) { return(len2); } else { @@ -209,7 +209,7 @@ main(int argc, char *argv[]) ccdef, &err_ret, &rep_ret, NULL); krb5_free_principal(context, server); /* finished using it */ - krb5_free_principal(context, client); + krb5_free_principal(context, client); krb5_cc_close(context, ccdef); if (auth_context) krb5_auth_con_free(context, auth_context); diff --git a/src/appl/sample/sserver/sserver.c b/src/appl/sample/sserver/sserver.c index 39710fb2b..0ad9c07a4 100644 --- a/src/appl/sample/sserver/sserver.c +++ b/src/appl/sample/sserver/sserver.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Sample Kerberos v5 server. * @@ -69,7 +69,7 @@ usage(name) { fprintf(stderr, "usage: %s [-p port] [-s service] [-S keytab]\n", name); -} +} int main(argc, argv) @@ -110,7 +110,7 @@ main(argc, argv) /* * Parse command line arguments - * + * */ opterr = 0; while ((ch = getopt(argc, argv, "p:S:s:")) != -1) @@ -144,17 +144,17 @@ main(argc, argv) port = atoi(argv[1]); } - retval = krb5_sname_to_principal(context, NULL, service, + retval = krb5_sname_to_principal(context, NULL, service, KRB5_NT_SRV_HST, &server); if (retval) { syslog(LOG_ERR, "while generating service name (%s): %s", service, error_message(retval)); exit(1); } - + /* * If user specified a port, then listen on that port; otherwise, - * assume we've been started out of inetd. + * assume we've been started out of inetd. */ if (port) { @@ -200,7 +200,7 @@ main(argc, argv) } retval = krb5_recvauth(context, &auth_context, (krb5_pointer)&sock, - SAMPLE_VERSION, server, + SAMPLE_VERSION, server, 0, /* no flags */ keytab, /* default keytab is NULL */ &ticket); diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c index 3cb71df52..4f5e40309 100644 --- a/src/appl/simple/client/sim_client.c +++ b/src/appl/simple/client/sim_client.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Simple UDP-based sample client program. For demonstration. * This program performs no useful function. @@ -61,7 +61,7 @@ usage(name) char *name; { fprintf(stderr, "usage: %s [-p port] [-h host] [-m message] [-s service] [host]\n", name); -} +} int main(argc, argv) @@ -83,7 +83,7 @@ main(argc, argv) extern int opterr, optind; extern char * optarg; int ch; - + short port = 0; char *message = MSG; char *hostname = 0; @@ -110,7 +110,7 @@ main(argc, argv) /* * Parse command line arguments - * + * */ opterr = 0; while ((ch = getopt(argc, argv, "p:m:h:s:")) != -1) @@ -200,14 +200,14 @@ main(argc, argv) } memcpy(&c_sock.sin_addr, host->h_addr, sizeof(c_sock.sin_addr)); #endif - + /* Bind it to set the address; kernel will fill in port # */ if (bind(sock, (struct sockaddr *)&c_sock, sizeof(c_sock)) < 0) { com_err(progname, errno, "while binding datagram socket"); exit(1); } - + /* PREPARE KRB_AP_REQ MESSAGE */ inbuf.data = hostname; @@ -234,8 +234,8 @@ main(argc, argv) exit(1); } /* Send authentication info to server */ - if ((i = send(sock, (char *)packet.data, (unsigned) packet.length, - flags)) < 0) + if ((i = send(sock, (char *)packet.data, (unsigned) packet.length, + flags)) < 0) com_err(progname, errno, "while sending KRB_AP_REQ message"); printf("Sent authentication data: %d bytes\n", i); krb5_free_data_contents(context, &packet); @@ -275,7 +275,7 @@ main(argc, argv) com_err(progname, retval, "while generating port address"); exit(1); } - + if ((retval = krb5_gen_replay_name(context,portlocal_addr, "_sim_clt",&cp))) { com_err(progname, retval, "while generating replay cache name"); @@ -303,7 +303,7 @@ main(argc, argv) } /* Send it */ - if ((i = send(sock, (char *)packet.data, (unsigned) packet.length, + if ((i = send(sock, (char *)packet.data, (unsigned) packet.length, flags)) < 0) com_err(progname, errno, "while sending SAFE message"); printf("Sent checksummed message: %d bytes\n", i); @@ -319,7 +319,7 @@ main(argc, argv) } /* Send it */ - if ((i = send(sock, (char *)packet.data, (unsigned) packet.length, + if ((i = send(sock, (char *)packet.data, (unsigned) packet.length, flags)) < 0) com_err(progname, errno, "while sending PRIV message"); printf("Sent encrypted message: %d bytes\n", i); @@ -333,6 +333,6 @@ main(argc, argv) krb5_auth_con_setrcache(context, auth_context, NULL); krb5_auth_con_free(context, auth_context); krb5_free_context(context); - + exit(0); } diff --git a/src/appl/simple/server/sim_server.c b/src/appl/simple/server/sim_server.c index bfe2f756b..c82c6f374 100644 --- a/src/appl/simple/server/sim_server.c +++ b/src/appl/simple/server/sim_server.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Usage: * sample_server servername @@ -57,7 +57,7 @@ usage(name) char *name; { fprintf(stderr, "usage: %s [-p port] [-s service] [-S keytab]\n", name); -} +} int main(argc, argv) @@ -99,7 +99,7 @@ char *argv[]; /* * Parse command line arguments - * + * */ opterr = 0; while ((ch = getopt(argc, argv, "p:s:S:")) != -1) @@ -125,7 +125,7 @@ char *argv[]; break; } - if ((retval = krb5_sname_to_principal(context, NULL, service, + if ((retval = krb5_sname_to_principal(context, NULL, service, KRB5_NT_SRV_HST, &sprinc))) { com_err(PROGNAME, retval, "while generating service name %s", service); exit(1); @@ -145,7 +145,7 @@ char *argv[]; } else { s_sock.sin_port = htons(port); } - + if (gethostname(full_hname, sizeof(full_hname)) < 0) { perror("gethostname"); exit(1); @@ -192,7 +192,7 @@ char *argv[]; packet.data = (krb5_pointer) pktbuf; /* Check authentication info */ - if ((retval = krb5_rd_req(context, &auth_context, &packet, + if ((retval = krb5_rd_req(context, &auth_context, &packet, sprinc, keytab, NULL, &ticket))) { com_err(PROGNAME, retval, "while reading request"); exit(1); @@ -263,13 +263,13 @@ char *argv[]; packet.length = i; packet.data = (krb5_pointer) pktbuf; - + if ((retval = krb5_rd_priv(context, auth_context, &packet, &message, NULL))) { com_err(PROGNAME, retval, "while verifying PRIV message"); exit(1); } - printf("Decrypted message is: '%.*s'\n", (int) message.length, + printf("Decrypted message is: '%.*s'\n", (int) message.length, message.data); krb5_auth_con_free(context, auth_context); diff --git a/src/appl/simple/simple.h b/src/appl/simple/simple.h index f230592e6..bbee79425 100644 --- a/src/appl/simple/simple.h +++ b/src/appl/simple/simple.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Common definitions for the simple UDP-based Kerberos-mediated * server & client applications. diff --git a/src/appl/telnet/libtelnet/auth-proto.h b/src/appl/telnet/libtelnet/auth-proto.h index faf806fad..c0d666d11 100644 --- a/src/appl/telnet/libtelnet/auth-proto.h +++ b/src/appl/telnet/libtelnet/auth-proto.h @@ -40,7 +40,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/appl/telnet/libtelnet/auth.c b/src/appl/telnet/libtelnet/auth.c index aed688799..a8801960f 100644 --- a/src/appl/telnet/libtelnet/auth.c +++ b/src/appl/telnet/libtelnet/auth.c @@ -36,7 +36,7 @@ /* * Copyright (C) 1990 by the Massachusetts Institute of Technology * - * Export of this software from the United States of America may + * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. @@ -126,7 +126,7 @@ Authenticator authenticators[] = { kerberos5_reply, kerberos5_status, kerberos5_printsub }, -#endif +#endif { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, kerberos5_init, kerberos5_send, @@ -399,7 +399,7 @@ void auth_send_retry() static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_IS, AUTHTYPE_NULL, 0, IAC, SE }; - + if (Server) { if (auth_debug_mode) { printf(">>>%s: auth_send_retry called!\r\n", Name); @@ -445,7 +445,7 @@ void auth_send_retry() * We requested strong authentication, however no mechanisms worked. * Therefore, exit on client end. */ - printf("Unable to securely authenticate user ... exit\n"); + printf("Unable to securely authenticate user ... exit\n"); exit(0); #endif /* KANNAN */ } diff --git a/src/appl/telnet/libtelnet/enc_des.c b/src/appl/telnet/libtelnet/enc_des.c index 6dd48b696..9c20eb0d9 100644 --- a/src/appl/telnet/libtelnet/enc_des.c +++ b/src/appl/telnet/libtelnet/enc_des.c @@ -33,14 +33,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -51,7 +51,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -149,7 +149,7 @@ int fb64_reply (unsigned char *, int, struct fb *); static void fb64_session (Session_Key *, int, struct fb *); void fb64_stream_key (Block, struct stinfo *); int fb64_keyid (int, unsigned char *, int *, struct fb *); -void fb64_printsub (unsigned char *, int, unsigned char *, int, +void fb64_printsub (unsigned char *, int, unsigned char *, int, unsigned char *); static void ecb_encrypt(stp, in, out) @@ -160,7 +160,7 @@ static void ecb_encrypt(stp, in, out) krb5_error_code code; krb5_data din; krb5_enc_data dout; - + din.length = 8; din.data = in; @@ -634,7 +634,7 @@ fb64_stream_key(key, stp) * INPUT --(--------->(+)+---> DATA * | | * +-------------+ - * + * * * Given: * iV: Initial vector, 64 bits (8 bytes) long. @@ -695,7 +695,7 @@ cfb64_decrypt(data) ecb_encrypt(stp, stp->str_output, b); memcpy(stp->str_feed, b, sizeof(Block)); stp->str_index = 1; /* Next time will be 1 */ - idx = 0; /* But now use 0 */ + idx = 0; /* But now use 0 */ } /* On decryption we store (data) which is cypher. */ @@ -768,7 +768,7 @@ ofb64_decrypt(data) ecb_encrypt(stp, stp->str_feed, b); memcpy(stp->str_feed, b, sizeof(Block)); stp->str_index = 1; /* Next time will be 1 */ - idx = 0; /* But now use 0 */ + idx = 0; /* But now use 0 */ } return(data ^ stp->str_feed[idx]); diff --git a/src/appl/telnet/libtelnet/encrypt.c b/src/appl/telnet/libtelnet/encrypt.c index 6317eceb3..19e855d3c 100644 --- a/src/appl/telnet/libtelnet/encrypt.c +++ b/src/appl/telnet/libtelnet/encrypt.c @@ -108,7 +108,7 @@ static long remote_supports_decrypt = 0; static Encryptions encryptions[] = { #ifdef DES_ENCRYPTION { "DES_CFB64", ENCTYPE_DES_CFB64, - cfb64_encrypt, + cfb64_encrypt, cfb64_decrypt, cfb64_init, cfb64_start, @@ -118,7 +118,7 @@ static Encryptions encryptions[] = { cfb64_keyid, cfb64_printsub }, { "DES_OFB64", ENCTYPE_DES_OFB64, - ofb64_encrypt, + ofb64_encrypt, ofb64_decrypt, ofb64_init, ofb64_start, @@ -563,7 +563,7 @@ encrypt_is(data, cnt) } else { ret = (*ep->is)(data, cnt); if (encrypt_debug_mode) - printf("(*ep->is)(%lx, %d) returned %s(%d)\n", + printf("(*ep->is)(%lx, %d) returned %s(%d)\n", (unsigned long) data, cnt, (ret < 0) ? "FAIL " : (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); @@ -713,7 +713,7 @@ encrypt_request_end() * Called when ENCRYPT REQUEST-START is received. If we receive * this before a type is picked, then that indicates that the * other side wants us to start encrypting data as soon as we - * can. + * can. */ void encrypt_request_start(data, cnt) @@ -731,7 +731,7 @@ encrypt_request_start(data, cnt) static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT }; static void encrypt_keyid (struct key_info *kp, unsigned char *, unsigned int); - + void encrypt_enc_keyid(keyid, len) unsigned char *keyid; int len; @@ -769,7 +769,7 @@ static void encrypt_keyid(kp, keyid, len) if (ep->keyid) (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen); - } else if ((len != kp->keylen) || + } else if ((len != kp->keylen) || (memcmp(keyid, kp->keyid, len) != 0)) { /* * Length or contents are different @@ -858,7 +858,7 @@ encrypt_start_output(type) i = (*ep->start)(DIR_ENCRYPT, Server); if (encrypt_debug_mode) { printf(">>>%s: Encrypt start: %s (%d) %s\r\n", - Name, + Name, (i < 0) ? "failed" : "initial negotiation in progress", i, ENCTYPE_NAME(type)); diff --git a/src/appl/telnet/libtelnet/forward.c b/src/appl/telnet/libtelnet/forward.c index 98dcb7897..98afb395d 100644 --- a/src/appl/telnet/libtelnet/forward.c +++ b/src/appl/telnet/libtelnet/forward.c @@ -21,7 +21,7 @@ /* General-purpose forwarding routines. These routines may be put into */ -/* libkrb5.a to allow widespread use */ +/* libkrb5.a to allow widespread use */ #if defined(KERBEROS) || defined(KRB5) #include @@ -29,12 +29,12 @@ #ifdef HAVE_UNISTD_H #include #endif - + #include "krb5.h" #include #include "krb5forw.h" - + #if defined(NEED_SETENV) || defined(NEED_SETENV_PROTO) extern int setenv(char *, char *, int); #endif @@ -63,11 +63,11 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket) if ((retval = krb5_cc_resolve(context, ccname, &ccache))) goto cleanup; - if ((retval = krb5_cc_initialize(context, ccache, + if ((retval = krb5_cc_initialize(context, ccache, ticket->enc_part2->client))) goto cleanup; - if ((retval = krb5_cc_store_cred(context, ccache, *creds))) + if ((retval = krb5_cc_store_cred(context, ccache, *creds))) goto cleanup; cleanup: diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c index 77a1b5a6d..bc3cecf87 100644 --- a/src/appl/telnet/libtelnet/kerberos5.c +++ b/src/appl/telnet/libtelnet/kerberos5.c @@ -83,7 +83,7 @@ extern char *malloc(); #else #include #endif - + #include "encrypt.h" #include "auth.h" #include "misc.h" @@ -182,7 +182,7 @@ kerberos5_init(ap, server) int server; { krb5_error_code retval; - + if (server) str_data[3] = TELQUAL_REPLY; else @@ -201,7 +201,7 @@ kerberos5_cleanup() krb5_error_code retval; krb5_ccache ccache; char *ccname; - + if (telnet_context == 0) return; @@ -306,7 +306,7 @@ kerberos5_send(ap) #ifdef ENCRYPTION ap_opts |= AP_OPTS_USE_SUBKEY; #endif /* ENCRYPTION */ - + if (auth_context) { krb5_auth_con_free(telnet_context, auth_context); auth_context = 0; @@ -318,10 +318,10 @@ kerberos5_send(ap) } return(0); } - + krb5_auth_con_setflags(telnet_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME); - + type_check[0] = ap->type; type_check[1] = ap->way; check_data.magic = KV5M_DATA; @@ -366,7 +366,7 @@ kerberos5_send(ap) return(0); } - if (!auth_sendname((unsigned char *) UserNameRequested, + if (!auth_sendname((unsigned char *) UserNameRequested, (int) strlen(UserNameRequested))) { if (auth_debug_mode) printf("telnet: Not enough room for user name\r\n"); @@ -415,7 +415,7 @@ kerberos5_is(ap, data, cnt) r = krb5_auth_con_init(telnet_context, &auth_context); if (!r) { krb5_rcache rcache; - + r = krb5_auth_con_getrcache(telnet_context, auth_context, &rcache); if (!r && !rcache) { @@ -434,7 +434,7 @@ kerberos5_is(ap, data, cnt) auth_context, rcache); } if (!r && telnet_srvtab) - r = krb5_kt_resolve(telnet_context, + r = krb5_kt_resolve(telnet_context, telnet_srvtab, &keytabid); if (!r) r = krb5_rd_req(telnet_context, &auth_context, &auth, @@ -458,10 +458,10 @@ kerberos5_is(ap, data, cnt) } if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) { char princ[256]; - strncpy(princ, + strncpy(princ, krb5_princ_component(telnet_context, ticket->server,0)->data, krb5_princ_component(telnet_context, ticket->server,0)->length); - princ[krb5_princ_component(telnet_context, + princ[krb5_princ_component(telnet_context, ticket->server,0)->length] = '\0'; if (strcmp("host", princ)) { if(strlen(princ) < sizeof(errbuf) - 39) { @@ -543,8 +543,8 @@ kerberos5_is(ap, data, cnt) } Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); - } - if (krb5_unparse_name(telnet_context, + } + if (krb5_unparse_name(telnet_context, ticket->enc_part2 ->client, &name)) name = 0; @@ -555,7 +555,7 @@ kerberos5_is(ap, data, cnt) name ? name : ""); } auth_finished(ap, AUTH_USER); - + if (name) free(name); krb5_auth_con_getrecvsubkey(telnet_context, auth_context, @@ -572,7 +572,7 @@ kerberos5_is(ap, data, cnt) ticket->enc_part2->session, &session_key); } - + #ifdef ENCRYPTION skey.type = SK_DES; skey.length = 8; @@ -584,8 +584,8 @@ kerberos5_is(ap, data, cnt) case KRB_FORWARD: inbuf.length = cnt; inbuf.data = (char *)data; - if ((r = krb5_auth_con_genaddrs(telnet_context, auth_context, - net, KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)) || + if ((r = krb5_auth_con_genaddrs(telnet_context, auth_context, + net, KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)) || (r = rd_and_store_for_creds(telnet_context, auth_context, &inbuf, ticket))) { @@ -599,7 +599,7 @@ kerberos5_is(ap, data, cnt) printf( "telnetd: Could not read forwarded credentials\r\n"); } - else + else Data(ap, KRB_FORWARD_ACCEPT, 0, 0); if (auth_debug_mode) printf("telnetd: Forwarded credentials obtained\r\n"); @@ -613,7 +613,7 @@ kerberos5_is(ap, data, cnt) break; } return; - + errout: { char eerrbuf[329]; @@ -745,7 +745,7 @@ kerberos5_status(ap, name, level) } if (UserNameRequested && - krb5_kuserok(telnet_context, ticket->enc_part2->client, + krb5_kuserok(telnet_context, ticket->enc_part2->client, UserNameRequested)) { return(AUTH_VALID); @@ -839,14 +839,14 @@ kerberos5_forward(ap) forw_creds.data = 0; if ((r = krb5_cc_default(telnet_context, &ccache))) { - if (auth_debug_mode) + if (auth_debug_mode) printf("Kerberos V5: could not get default ccache - %s\r\n", error_message(r)); return; } if ((r = krb5_cc_get_principal(telnet_context, ccache, &client))) { - if (auth_debug_mode) + if (auth_debug_mode) printf("Kerberos V5: could not get default principal - %s\r\n", error_message(r)); goto cleanup; @@ -854,7 +854,7 @@ kerberos5_forward(ap) if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host", KRB5_NT_SRV_HST, &server))) { - if (auth_debug_mode) + if (auth_debug_mode) printf("Kerberos V5: could not make server principal - %s\r\n", error_message(r)); goto cleanup; @@ -872,12 +872,12 @@ kerberos5_forward(ap) server, ccache, forward_flags & OPTS_FORWARDABLE_CREDS, &forw_creds))) { - if (auth_debug_mode) + if (auth_debug_mode) printf("Kerberos V5: error getting forwarded creds - %s\r\n", error_message(r)); goto cleanup; } - + /* Send forwarded credentials */ if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) { if (auth_debug_mode) @@ -886,7 +886,7 @@ kerberos5_forward(ap) if (auth_debug_mode) printf("Forwarded local Kerberos V5 credentials to server\r\n"); } - + cleanup: if (client) krb5_free_principal(telnet_context, client); diff --git a/src/appl/telnet/libtelnet/krb5forw.h b/src/appl/telnet/libtelnet/krb5forw.h index 1fb757ddf..4984d35b8 100644 --- a/src/appl/telnet/libtelnet/krb5forw.h +++ b/src/appl/telnet/libtelnet/krb5forw.h @@ -1,4 +1,3 @@ -extern krb5_error_code -rd_and_store_for_creds(krb5_context, krb5_auth_context, krb5_data *, +extern krb5_error_code +rd_and_store_for_creds(krb5_context, krb5_auth_context, krb5_data *, krb5_ticket *); - diff --git a/src/appl/telnet/libtelnet/mem.c b/src/appl/telnet/libtelnet/mem.c index 5a2ced8d5..4a1239dac 100644 --- a/src/appl/telnet/libtelnet/mem.c +++ b/src/appl/telnet/libtelnet/mem.c @@ -141,7 +141,7 @@ memset(dst0, c0, length) * * but we use a minimum of 3 here since the overhead of the code * to do word writes is substantial. - */ + */ if (length < 3 * wsize) { while (length != 0) { *dst++ = VAL; diff --git a/src/appl/telnet/libtelnet/parsetos.c b/src/appl/telnet/libtelnet/parsetos.c index 303d7c3e5..92a3afc9f 100644 --- a/src/appl/telnet/libtelnet/parsetos.c +++ b/src/appl/telnet/libtelnet/parsetos.c @@ -1,4 +1,3 @@ - /* * The routine parsetos() for UNICOS 6.0/6.1, as well as more traditional * Unix systems. This is part of UNICOS 7.0 and later. diff --git a/src/appl/telnet/libtelnet/setenv.c b/src/appl/telnet/libtelnet/setenv.c index 941b816ca..a917af1cf 100644 --- a/src/appl/telnet/libtelnet/setenv.c +++ b/src/appl/telnet/libtelnet/setenv.c @@ -44,7 +44,7 @@ #include "misc-proto.h" -static char *__findenv (const char *, int *); +static char *__findenv (const char *, int *); /* * setenv -- diff --git a/src/appl/telnet/telnet/authenc.c b/src/appl/telnet/telnet/authenc.c index aa4459f27..ee312df3a 100644 --- a/src/appl/telnet/telnet/authenc.c +++ b/src/appl/telnet/telnet/authenc.c @@ -78,7 +78,7 @@ telnet_spin() scheduler_lockout_tty = 1; Scheduler(0); scheduler_lockout_tty = 0; - + return 0; } diff --git a/src/appl/telnet/telnet/commands.c b/src/appl/telnet/telnet/commands.c index a029e6381..6af6c5b4a 100644 --- a/src/appl/telnet/telnet/commands.c +++ b/src/appl/telnet/telnet/commands.c @@ -282,7 +282,7 @@ control(c) * the "send" command. * */ - + struct sendlist { char *name; /* How user refers to it (case independent) */ char *help; /* Help information (0 ==> no help) */ @@ -1931,7 +1931,7 @@ env_is_exported(var) return ep->export; return 0; } - + #if defined(OLD_ENVIRON) && defined(ENV_HACK) void env_varval(what) @@ -2398,7 +2398,7 @@ status(argc, argv) * Function that gets called when SIGINFO is received. */ #if defined(CRAY) || (defined(USE_TERMIO) && !defined(SYSV_TERMIO)) -void +void ayt_status() { (void) call(status, "status", "notmuch", 0); @@ -3047,10 +3047,10 @@ cmdrc(m1, m2) * *cpp: If *cpp was equal to NULL, it will be filled * in with a pointer to our static area that has * the option filled in. This will be 32bit aligned. - * + * * *lenp: This will be filled in with how long the option * pointed to by *cpp is. - * + * */ static unsigned long sourceroute(arg, cpp, lenp) diff --git a/src/appl/telnet/telnet/externs.h b/src/appl/telnet/telnet/externs.h index 3d098adff..192663ab2 100644 --- a/src/appl/telnet/telnet/externs.h +++ b/src/appl/telnet/telnet/externs.h @@ -296,7 +296,7 @@ extern void lm_mode (unsigned char *, int, int); extern void - ExitString (char *, int), + ExitString (char *, int), Exit (int), SetForExit (void), EmptyTerminal (void), @@ -313,7 +313,7 @@ extern void slc_end_reply (void); extern int - quit (int, char *[]), + quit (int, char *[]), ttyflush (int), rlogin_susp (void), tn (int, char **), @@ -325,7 +325,7 @@ extern int slc_update (void), Scheduler (int), SetSockOpt (int, int, int, int), - stilloob (void), + stilloob (void), telrcv (void), telnet_spin (void), TerminalWrite (unsigned char *, int), diff --git a/src/appl/telnet/telnet/main.c b/src/appl/telnet/telnet/main.c index c1dc2049a..e0bdb1856 100644 --- a/src/appl/telnet/telnet/main.c +++ b/src/appl/telnet/telnet/main.c @@ -71,7 +71,7 @@ tninit() init_terminal(); init_network(); - + init_telnet(); init_sys(); @@ -206,7 +206,7 @@ main(argc, argv) case 'f': #if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD) if (forward_flags & OPTS_FORWARD_CREDS) { - fprintf(stderr, + fprintf(stderr, "%s: Only one of -f and -F allowed.\n", prompt); usage(); @@ -214,14 +214,14 @@ main(argc, argv) forward_flags |= OPTS_FORWARD_CREDS; #else fprintf(stderr, - "%s: Warning: -f ignored, no Kerberos V5 support.\n", + "%s: Warning: -f ignored, no Kerberos V5 support.\n", prompt); #endif break; case 'F': #if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD) if (forward_flags & OPTS_FORWARD_CREDS) { - fprintf(stderr, + fprintf(stderr, "%s: Only one of -f and -F allowed.\n", prompt); usage(); @@ -230,7 +230,7 @@ main(argc, argv) forward_flags |= OPTS_FORWARDABLE_CREDS; #else fprintf(stderr, - "%s: Warning: -F ignored, no Kerberos V5 support.\n", + "%s: Warning: -F ignored, no Kerberos V5 support.\n", prompt); #endif break; diff --git a/src/appl/telnet/telnet/sys_bsd.c b/src/appl/telnet/telnet/sys_bsd.c index 89f9d4b5a..07def19fd 100644 --- a/src/appl/telnet/telnet/sys_bsd.c +++ b/src/appl/telnet/telnet/sys_bsd.c @@ -987,7 +987,7 @@ process_rings(netin, netout, netex, ttyin, ttyout, poll) if (netout) { FD_SET(net, &obits); - } + } if (ttyout) { FD_SET(tout, &obits); } diff --git a/src/appl/telnet/telnet/telnet.c b/src/appl/telnet/telnet/telnet.c index be00687e7..0d05b8f64 100644 --- a/src/appl/telnet/telnet/telnet.c +++ b/src/appl/telnet/telnet/telnet.c @@ -75,7 +75,7 @@ #include #endif -#if defined(AUTHENTICATION) || defined(ENCRYPTION) +#if defined(AUTHENTICATION) || defined(ENCRYPTION) #include #endif /* defined(AUTHENTICATION) || defined(ENCRYPTION) */ @@ -207,7 +207,7 @@ init_telnet() ClearArray(options); connected = In3270 = ISend = localflow = donebinarytoggle = 0; -#if defined(AUTHENTICATION) || defined(ENCRYPTION) +#if defined(AUTHENTICATION) || defined(ENCRYPTION) auth_encrypt_connect(connected); #endif /* defined(AUTHENTICATION) || defined(ENCRYPTION) */ restartany = -1; @@ -697,8 +697,8 @@ mklist(buf, name) */ if (n || (cp - cp2 > 41)) ; - else if (name && (strncasecmp(name, cp2, - (unsigned) (cp-cp2)) + else if (name && (strncasecmp(name, cp2, + (unsigned) (cp-cp2)) == 0)) *argv = cp2; else if (is_unique(cp2, argv+1, argvp)) @@ -724,7 +724,7 @@ mklist(buf, name) else if (islower((unsigned char) c)) *cp = toupper((unsigned char) c); } - + /* * Check for an old V6 2 character name. If the second * name points to the beginning of the buffer, and is @@ -1874,7 +1874,7 @@ telrcv() case TS_IAC: process_iac: switch (c) { - + case WILL: telrcv_state = TS_WILL; continue; @@ -2292,10 +2292,10 @@ telnet(user) char *user; { int printed_encrypt = 0; - + sys_telnet_init(); -#if defined(AUTHENTICATION) || defined(ENCRYPTION) +#if defined(AUTHENTICATION) || defined(ENCRYPTION) { static char local_host[256] = { 0 }; @@ -2339,7 +2339,7 @@ telnet(user) /* * Note: we assume a tie to the authentication option here. This * is necessary so that authentication fails, we don't spin - * forever. + * forever. */ if (wantencryption) { extern int auth_has_failed; @@ -2373,7 +2373,7 @@ telnet(user) printed_encrypt = 1; printf("Waiting for encryption to be negotiated...\n"); /* - * Turn on MODE_TRAPSIG and then turn off localchars + * Turn on MODE_TRAPSIG and then turn off localchars * so that ^C will cause telnet to exit. */ TerminalNewMode(getconnmode()|MODE_TRAPSIG); diff --git a/src/appl/telnet/telnet/utilities.c b/src/appl/telnet/telnet/utilities.c index 4a076e530..dc9f3bc69 100644 --- a/src/appl/telnet/telnet/utilities.c +++ b/src/appl/telnet/telnet/utilities.c @@ -606,7 +606,7 @@ printsub(direction, pointer, length) break; } break; - + case LM_SLC: fprintf(NetTrace, "SLC"); for (i = 2; i < length - 2; i += 3) { @@ -738,7 +738,7 @@ printsub(direction, pointer, length) fprintf(NetTrace, "\n"); break; - + default: fprintf(NetTrace, " %d", pointer[i]); break; diff --git a/src/appl/telnet/telnetd/pathnames.h b/src/appl/telnet/telnetd/pathnames.h index c8b0806e7..4e14a88b4 100644 --- a/src/appl/telnet/telnetd/pathnames.h +++ b/src/appl/telnet/telnetd/pathnames.h @@ -42,7 +42,7 @@ # endif #else - + # define _PATH_TTY "/dev/tty" # ifndef _PATH_LOGIN # define _PATH_LOGIN "/bin/login" diff --git a/src/appl/telnet/telnetd/slc.c b/src/appl/telnet/telnetd/slc.c index 8f32f433a..d5e2713a4 100644 --- a/src/appl/telnet/telnetd/slc.c +++ b/src/appl/telnet/telnetd/slc.c @@ -107,10 +107,10 @@ get_slc_defaults() init_termbuf(); for (i = 1; i <= NSLC; i++) { - slctab[i].defset.flag = + slctab[i].defset.flag = spcset(i, &slctab[i].defset.val, &slctab[i].sptr); - slctab[i].current.flag = SLC_NOSUPPORT; - slctab[i].current.val = 0; + slctab[i].current.flag = SLC_NOSUPPORT; + slctab[i].current.val = 0; } } /* end of get_slc_defaults */ @@ -285,7 +285,7 @@ change_slc(func, flag, val) register cc_t val; { register int hislevel, mylevel; - + hislevel = flag & SLC_LEVELBITS; mylevel = slctab[func].defset.flag & SLC_LEVELBITS; /* @@ -344,7 +344,7 @@ change_slc(func, flag, val) * request as he asks. * * If our level is DEFAULT, then just ack whatever was - * sent. + * sent. * * If he can't change and we can't change, * then degenerate to NOSUPPORT. @@ -371,7 +371,7 @@ change_slc(func, flag, val) slctab[func].defset.val; val = slctab[func].current.val; } - + } add_slc(func, flag, val); } @@ -422,7 +422,7 @@ check_slc() slctab[i].current.val); } } - + } /* check_slc */ /* diff --git a/src/appl/telnet/telnetd/state.c b/src/appl/telnet/telnetd/state.c index 4693fc912..17d6fb6e8 100644 --- a/src/appl/telnet/telnetd/state.c +++ b/src/appl/telnet/telnetd/state.c @@ -403,7 +403,7 @@ gotiac: switch (c) { * All state defaults are negative, and resp defaults to 0. * * When initiating a request to change state to new_state: - * + * * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) { * do nothing; * } else { @@ -1121,7 +1121,7 @@ suboption() break; sb_auth_complete(); - + settimer(tspeedsubopt); if (SB_EOF() || SB_GET() != TELQUAL_IS) diff --git a/src/appl/telnet/telnetd/sys_term.c b/src/appl/telnet/telnetd/sys_term.c index a0a0ee503..1535ac838 100644 --- a/src/appl/telnet/telnetd/sys_term.c +++ b/src/appl/telnet/telnetd/sys_term.c @@ -72,7 +72,7 @@ char utmpf[] = _PATH_UTMP; #else char utmpf[] = "/etc/utmp"; #endif - + # ifdef CRAY #include #include @@ -96,7 +96,7 @@ extern struct sysv sysv; #ifdef STREAMSPTY #ifdef HAVE_SAC_H -#include +#include #endif #include #endif @@ -115,7 +115,7 @@ extern struct sysv sysv; #ifdef HAVE_SYS_TTY_H #include #endif - + #ifdef t_erase #undef t_erase #undef t_kill @@ -1076,9 +1076,9 @@ startslave(host, autologin, autoname) register int n; #endif /* NEWINIT */ - if ( pipe(syncpipe) < 0 ) + if ( pipe(syncpipe) < 0 ) fatal(net, "failed getting synchronization pipe"); - + #if defined(AUTHENTICATION) if (!autoname || !autoname[0]) autologin = 0; @@ -1110,9 +1110,9 @@ startslave(host, autologin, autoname) } close(syncpipe[0]); - + } else { - + pty_update_utmp (PTY_LOGIN_PROCESS, getpid(), "LOGIN", line, host, PTY_TTYSLOT_USABLE); getptyslave(); @@ -1121,7 +1121,7 @@ startslave(host, autologin, autoname) write(syncpipe[1],"y",1); close(syncpipe[0]); close(syncpipe[1]); - + start_login(host, autologin, autoname); /*NOTREACHED*/ } @@ -1275,7 +1275,7 @@ start_login(host, autologin, name) if (bftpd) { argv = addarg(argv, "-e"); argv = addarg(argv, BFTPPATH); - } else + } else #endif #if defined (SecurID) /* @@ -1431,7 +1431,7 @@ start_login(host, autologin, name) /* * This code returns a pointer to the first element of the array and * expects the same to be called with. - * Therefore the -1 reference is legal. + * Therefore the -1 reference is legal. */ static char ** @@ -1483,12 +1483,7 @@ cleanup(sig) #ifdef KRB5 kerberos5_cleanup(); #endif - + (void) shutdown(net, 2); exit(1); } - - - - - diff --git a/src/appl/telnet/telnetd/telnetd-ktd.c b/src/appl/telnet/telnetd/telnetd-ktd.c index 5a340bd7f..86a594c6e 100644 --- a/src/appl/telnet/telnetd/telnetd-ktd.c +++ b/src/appl/telnet/telnetd/telnetd-ktd.c @@ -390,7 +390,7 @@ main(argc, argv) secflag = sysconf(_SC_CRAY_SECURE_SYS); /* - * Get socket's security label + * Get socket's security label */ if (secflag) { int sz = sizeof(ss); @@ -704,13 +704,13 @@ doit(who) */ if ( (retval = pty_getpty(&pty, line, sizeof(line)) < 0 ) { com_err(retval, "telnetd", ""); - + if (pty < 0) fatal(net, "All network ports in use"); #if defined(_SC_CRAY_SECURE_SYS) /* - * set ttyp line security label + * set ttyp line security label */ if (secflag) { extern char *myline; @@ -1278,7 +1278,7 @@ telnet(f, p, host) } cleanup(0); } /* end of telnet */ - + #ifndef TCSIG # ifdef TIOCSIG # define TCSIG TIOCSIG @@ -1354,7 +1354,7 @@ int readstream(p, ibuf, bufsize) tp = (struct termio *) (ibuf+1 + sizeof(struct iocblk)); vstop = tp->c_cc[VSTOP]; vstart = tp->c_cc[VSTART]; - ixon = tp->c_iflag & IXON; + ixon = tp->c_iflag & IXON; break; default: errno = EAGAIN; diff --git a/src/appl/telnet/telnetd/telnetd.c b/src/appl/telnet/telnetd/telnetd.c index 8ee129ec3..86280f3dc 100644 --- a/src/appl/telnet/telnetd/telnetd.c +++ b/src/appl/telnet/telnetd/telnetd.c @@ -199,7 +199,7 @@ get_default_IM() { struct utsname name; static char banner[1024]; - + if (uname(&name) < 0) snprintf(banner, sizeof(banner), "\r\nError getting hostname: %s\r\n", @@ -399,7 +399,7 @@ main(argc, argv) { extern krb5_context telnet_context; krb5_error_code retval; - + if (telnet_context == 0) { retval = krb5_init_context(&telnet_context); if (retval) { @@ -640,7 +640,7 @@ main(argc, argv) #endif /* defined(IPPROTO_IP) && defined(IP_TOS) */ net = 0; doit((struct sockaddr *)&from); - + /* NOTREACHED */ return 0; } /* end of main */ @@ -765,7 +765,7 @@ getterminaltype(name) } if (must_encrypt || auth_must_encrypt()) { time_t timeout = time(0) + 60; - + if (my_state_is_dont(TELOPT_ENCRYPT) || my_state_is_wont(TELOPT_ENCRYPT) || his_state_is_wont(TELOPT_AUTHENTICATION)) @@ -956,7 +956,7 @@ static void doit(who) * Find an available pty to use. */ pty_init(); - + if ((retval = pty_getpty(&pty, line, 17)) != 0) { fatal(net, error_message(retval)); @@ -964,7 +964,7 @@ static void doit(who) #if defined(_SC_CRAY_SECURE_SYS) /* - * set ttyp line security label + * set ttyp line security label */ if (secflag) { char slave_dev[16]; @@ -1549,7 +1549,7 @@ telnet(f, p, host) (void) signal(SIGCHLD, SIG_DFL); cleanup(0); } /* end of telnet */ - + #ifndef TCSIG # ifdef TIOCSIG # define TCSIG TIOCSIG @@ -1608,9 +1608,9 @@ int readstream(p, ibuf, bufsize) case M_IOCTL: ip = (struct iocblk *) (ibuf+1); - if (readstream_termio(ip->ioc_cmd, ibuf, + if (readstream_termio(ip->ioc_cmd, ibuf, &vstop, &vstart, &ixon)) { - if (readstream_termios(ip->ioc_cmd, ibuf, + if (readstream_termios(ip->ioc_cmd, ibuf, &vstop, &vstart, &ixon)) { errno = EAGAIN; return(-1); diff --git a/src/appl/telnet/telnetd/telnetd.h b/src/appl/telnet/telnetd/telnetd.h index f21f617e5..48980c5b6 100644 --- a/src/appl/telnet/telnetd/telnetd.h +++ b/src/appl/telnet/telnetd/telnetd.h @@ -45,4 +45,3 @@ /* other external variables */ extern char **environ; - diff --git a/src/appl/telnet/telnetd/termio-tn.c b/src/appl/telnet/telnetd/termio-tn.c index 7447f1eec..8f27d59d3 100644 --- a/src/appl/telnet/telnetd/termio-tn.c +++ b/src/appl/telnet/telnetd/termio-tn.c @@ -25,7 +25,7 @@ int readstream_termio(cmd, ibuf, vstop, vstart, ixon) *vstop = tp->c_cc[VSTOP]; *vstart = tp->c_cc[VSTART]; #endif - *ixon = tp->c_iflag & IXON; + *ixon = tp->c_iflag & IXON; return 0; } return -1; diff --git a/src/appl/telnet/telnetd/termstat.c b/src/appl/telnet/telnetd/termstat.c index fa7803dfe..d62071997 100644 --- a/src/appl/telnet/telnetd/termstat.c +++ b/src/appl/telnet/telnetd/termstat.c @@ -316,7 +316,7 @@ localstat() IAC, SE); editmode = useeditmode; } - + /* * Check for changes to special characters in use. @@ -416,7 +416,7 @@ clientstat(code, parm1, parm2) uselinemode = 1; } } - + /* * Quit now if we can't do it. */ @@ -456,7 +456,7 @@ clientstat(code, parm1, parm2) send_will(TELOPT_ECHO, 1); } break; - + case LM_MODE: { register int ack, changed; @@ -504,7 +504,7 @@ clientstat(code, parm1, parm2) useeditmode|MODE_ACK, IAC, SE); } - + editmode = useeditmode; } @@ -538,9 +538,9 @@ clientstat(code, parm1, parm2) (void) ioctl(pty, TIOCSWINSZ, (char *)&ws); } #endif /* TIOCSWINSZ */ - + break; - + case TELOPT_TSPEED: { def_tspeed = parm1; @@ -605,7 +605,7 @@ _termstat() * * Some things should not be done until after the login process has started * and all the pty modes are set to what they are supposed to be. This - * function is called when the pty state has been processed for the first time. + * function is called when the pty state has been processed for the first time. * It calls other functions that do things that were deferred in each module. */ void diff --git a/src/appl/telnet/telnetd/utility.c b/src/appl/telnet/telnetd/utility.c index 4a4c1308e..7e53c486c 100644 --- a/src/appl/telnet/telnetd/utility.c +++ b/src/appl/telnet/telnetd/utility.c @@ -90,7 +90,7 @@ read_again: } } /* end of ttloop */ -/* +/* * ttsuck - This is a horrible kludge to deal with a bug in * HostExplorer. HostExplorer thinks it knows how to do krb5 auth, but * it doesn't really. So if you offer it krb5 as an auth choice before @@ -872,7 +872,7 @@ printsub(direction, pointer, length) break; } break; - + case LM_SLC: netputs("SLC"); for (i = 2; i < length - 2; i += 3) { @@ -1010,7 +1010,7 @@ do { \ netputs("\r\n"); break; - + default: netprintf(" %d", pointer[i]); break; @@ -1103,7 +1103,7 @@ do { \ #if defined(AUTHENTICATION) case TELOPT_AUTHENTICATION: netputs("AUTHENTICATION"); - + if (length < 2) { netputs(" (empty suboption??\?)"); break; @@ -1127,7 +1127,7 @@ do { \ netputs(((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ? "|ENCRYPT" : ""); - auth_printsub(&pointer[1], length - 1, (unsigned char *)buf, + auth_printsub(&pointer[1], length - 1, (unsigned char *)buf, sizeof(buf)); netputs(buf); break; @@ -1215,7 +1215,7 @@ do { \ netprintf("%d (unknown)", pointer[2]); netputs(" "); - encrypt_printsub(&pointer[1], length - 1, + encrypt_printsub(&pointer[1], length - 1, (unsigned char *) buf, sizeof(buf)); netputs(buf); break; @@ -1283,7 +1283,7 @@ printdata(tag, ptr, cnt) netputs(": "); for (i = 0; i < 20 && cnt; i++) { netprintf(nfrontp, "%02x", *ptr); - nfrontp += strlen(nfrontp); + nfrontp += strlen(nfrontp); if (isprint((int) *ptr)) { xbuf[i] = *ptr; } else { @@ -1298,6 +1298,6 @@ printdata(tag, ptr, cnt) netputs(" "); netputs(xbuf); netputs("\r\n"); - } + } } #endif /* DIAGNOSTICS */ diff --git a/src/appl/user_user/client.c b/src/appl/user_user/client.c index 6edf0ffff..a2f8e7f72 100644 --- a/src/appl/user_user/client.c +++ b/src/appl/user_user/client.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Other end of user-user client/server pair. */ @@ -82,11 +82,11 @@ char *argv[]; } if ((host = gethostbyname (argv[1])) == NULL) { - fprintf (stderr, "uu-client: can't get address of host \"%s\".\n", + fprintf (stderr, "uu-client: can't get address of host \"%s\".\n", argv[1]); return 3; } - + if (host->h_addrtype != AF_INET) { fprintf (stderr, "uu-client: bad address type %d for \"%s\".\n", host->h_addrtype, argv[1]); @@ -103,13 +103,13 @@ char *argv[]; cli_net_addr.sin_family = AF_INET; cli_net_addr.sin_port = 0; cli_net_addr.sin_addr.s_addr = 0; - if (bind (s, (struct sockaddr *)&cli_net_addr, + if (bind (s, (struct sockaddr *)&cli_net_addr, sizeof (cli_net_addr)) < 0) { com_err ("uu-client", errno, "binding socket"); return 4; } } - + serv_net_addr.sin_family = AF_INET; serv_net_addr.sin_port = port; @@ -120,10 +120,10 @@ char *argv[]; return 5; } - memcpy (&serv_net_addr.sin_addr, host->h_addr_list[i++], + memcpy (&serv_net_addr.sin_addr, host->h_addr_list[i++], sizeof(serv_net_addr.sin_addr)); - if (connect(s, (struct sockaddr *)&serv_net_addr, + if (connect(s, (struct sockaddr *)&serv_net_addr, sizeof (serv_net_addr)) == 0) break; com_err ("uu-client", errno, "connecting to \"%s\" (%s).", @@ -146,12 +146,12 @@ char *argv[]; com_err("uu-client", retval, "getting principal name"); return 6; } - + retval = krb5_unparse_name(context, creds.client, &princ); if (retval) { com_err("uu-client", retval, "printing principal name"); return 7; - } + } else fprintf(stderr, "uu-client: client principal is \"%s\".\n", princ); @@ -161,7 +161,7 @@ char *argv[]; return 7; } - retval = + retval = krb5_build_principal_ext(context, &creds.server, krb5_princ_realm(context, creds.client)->length, krb5_princ_realm(context, creds.client)->data, @@ -173,9 +173,9 @@ char *argv[]; com_err("uu-client", retval, "setting up tgt server name"); return 7; } - + /* Get TGT from credentials cache */ - retval = krb5_get_credentials(context, KRB5_GC_CACHED, cc, + retval = krb5_get_credentials(context, KRB5_GC_CACHED, cc, &creds, &new_creds); if (retval) { com_err("uu-client", retval, "getting TGT"); @@ -193,9 +193,9 @@ char *argv[]; com_err("uu-client", retval, "sending principal name to server"); return 8; } - + free(princ); - + retval = krb5_write_message(context, (krb5_pointer) &s, &new_creds->ticket); if (retval) { com_err("uu-client", retval, "sending ticket to server"); @@ -213,8 +213,8 @@ char *argv[]; com_err("uu-client", retval, "initializing the auth_context"); return 9; } - - retval = + + retval = krb5_auth_con_genaddrs(context, auth_context, s, KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR | KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR); @@ -229,14 +229,14 @@ char *argv[]; com_err("uu-client", retval, "initializing the auth_context flags"); return 9; } - - retval = krb5_auth_con_setuseruserkey(context, auth_context, + + retval = krb5_auth_con_setuseruserkey(context, auth_context, &new_creds->keyblock); if (retval) { com_err("uu-client", retval, "setting useruserkey for authcontext"); return 9; } - + #if 1 /* read the ap_req to get the session key */ retval = krb5_rd_req(context, &auth_context, &reply, @@ -246,7 +246,7 @@ char *argv[]; retval = krb5_recvauth(context, &auth_context, (krb5_pointer)&s, "???", 0, /* server */, 0, NULL, &ticket); #endif - + if (retval) { com_err("uu-client", retval, "reading AP_REQ from server"); return 9; @@ -265,7 +265,7 @@ char *argv[]; com_err("uu-client", retval, "reading reply from server"); return 9; } - + retval = krb5_rd_safe(context, auth_context, &reply, &msg, NULL); if (retval) { com_err("uu-client", retval, "decoding reply from server"); @@ -275,4 +275,3 @@ char *argv[]; printf ("uu-client: server says \"%s\".\n", msg.data); return 0; } - diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c index 40243fed0..8a66bbdc0 100644 --- a/src/appl/user_user/server.c +++ b/src/appl/user_user/server.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * One end of the user-user client-server pair. */ @@ -75,12 +75,12 @@ char *argv[]; int acc; struct servent *sp; socklen_t namelen = sizeof(f_inaddr); - + if ((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0) { com_err("uu-server", errno, "creating socket"); exit(3); } - + l_inaddr.sin_family = AF_INET; l_inaddr.sin_addr.s_addr = 0; if (!(sp = getservbyname("uu-sample", "tcp"))) { @@ -145,7 +145,7 @@ char *argv[]; printf ("uu-server: client ticket is %d bytes.\n", creds.second_ticket.length); - retval = krb5_get_credentials(context, KRB5_GC_USER_USER, cc, + retval = krb5_get_credentials(context, KRB5_GC_USER_USER, cc, &creds, &new_creds); if (retval) { com_err("uu-server", retval, "getting user-user ticket"); @@ -182,8 +182,8 @@ char *argv[]; com_err("uu-server", retval, "initializing the auth_context flags"); return 8; } - - retval = + + retval = krb5_auth_con_genaddrs(context, auth_context, sock, KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR | KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR); @@ -191,10 +191,10 @@ char *argv[]; com_err("uu-server", retval, "generating addrs for auth_context"); return 9; } - + #if 1 - retval = krb5_mk_req_extended(context, &auth_context, - AP_OPTS_USE_SESSION_KEY, + retval = krb5_mk_req_extended(context, &auth_context, + AP_OPTS_USE_SESSION_KEY, NULL, new_creds, &msg); if (retval) { com_err("uu-server", retval, "making AP_REQ"); @@ -208,12 +208,12 @@ char *argv[]; #endif if (retval) goto cl_short_wrt; - + free(msg.data); - + msgtext.length = 32; msgtext.data = "Hello, other end of connection."; - + retval = krb5_mk_safe(context, auth_context, &msgtext, &msg, NULL); if (retval) { com_err("uu-server", retval, "encoding message to client"); diff --git a/src/ccapi/common/cci_array_internal.c b/src/ccapi/common/cci_array_internal.c index b5a0f693b..6e8bf2163 100644 --- a/src/ccapi/common/cci_array_internal.c +++ b/src/ccapi/common/cci_array_internal.c @@ -37,7 +37,7 @@ struct cci_array_d { cci_array_object_t *objects; cc_uint64 count; cc_uint64 max_count; - + cci_array_object_release_t object_release; }; @@ -52,19 +52,19 @@ static cc_int32 cci_array_resize (cci_array_t io_array, { cc_int32 err = ccNoError; cc_uint64 new_max_count = 0; - + if (!io_array) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_uint64 old_max_count = io_array->max_count; new_max_count = io_array->max_count; - + if (in_new_count > old_max_count) { /* Expand the array */ while (in_new_count > new_max_count) { new_max_count += CCI_ARRAY_COUNT_INCREMENT; } - + } else if ((in_new_count + CCI_ARRAY_COUNT_INCREMENT) < old_max_count) { /* Shrink the array, but never drop below CC_ARRAY_COUNT_INCREMENT */ while ((in_new_count + CCI_ARRAY_COUNT_INCREMENT) < new_max_count && @@ -73,24 +73,24 @@ static cc_int32 cci_array_resize (cci_array_t io_array, } } } - + if (!err && io_array->max_count != new_max_count) { cci_array_object_t *objects = io_array->objects; - + if (!objects) { objects = malloc (new_max_count * sizeof (*objects)); } else { objects = realloc (objects, new_max_count * sizeof (*objects)); } if (!objects) { err = cci_check_error (ccErrNoMem); } - + if (!err) { io_array->objects = objects; io_array->max_count = new_max_count; - } + } } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -104,27 +104,27 @@ cc_int32 cci_array_new (cci_array_t *out_array, { cc_int32 err = ccNoError; cci_array_t array = NULL; - + if (!out_array) { err = cci_check_error (ccErrBadParam); } - + if (!err) { array = malloc (sizeof (*array)); - if (array) { + if (array) { *array = cci_array_initializer; array->object_release = in_array_object_release; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { *out_array = array; array = NULL; } - + cci_array_release (array); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -132,10 +132,10 @@ cc_int32 cci_array_new (cci_array_t *out_array, cc_int32 cci_array_release (cci_array_t io_array) { cc_int32 err = ccNoError; - + if (!err && io_array) { cc_uint64 i; - + if (io_array->object_release) { for (i = 0; i < io_array->count; i++) { io_array->object_release (io_array->objects[i]); @@ -144,8 +144,8 @@ cc_int32 cci_array_release (cci_array_t io_array) free (io_array->objects); free (io_array); } - - return err; + + return err; } /* ------------------------------------------------------------------------ */ @@ -166,9 +166,9 @@ cci_array_object_t cci_array_object_at_index (cci_array_t io_array, if (!io_array) { cci_debug_printf ("%s() got NULL array", __FUNCTION__); } else { - cci_debug_printf ("%s() got bad index %lld (count = %lld)", __FUNCTION__, + cci_debug_printf ("%s() got bad index %lld (count = %lld)", __FUNCTION__, in_position, io_array->count); - } + } return NULL; } } @@ -176,7 +176,7 @@ cci_array_object_t cci_array_object_at_index (cci_array_t io_array, #ifdef TARGET_OS_MAC #pragma mark - #endif - + /* ------------------------------------------------------------------------ */ cc_int32 cci_array_insert (cci_array_t io_array, @@ -184,34 +184,34 @@ cc_int32 cci_array_insert (cci_array_t io_array, cc_uint64 in_position) { cc_int32 err = ccNoError; - + if (!io_array ) { err = cci_check_error (ccErrBadParam); } if (!in_object) { err = cci_check_error (ccErrBadParam); } - + if (!err) { /* Don't try to insert past the end and don't overflow the array */ if (in_position > io_array->count || io_array->count == UINT64_MAX) { err = cci_check_error (ccErrBadParam); } } - + if (!err) { err = cci_array_resize (io_array, io_array->count + 1); } - + if (!err) { cc_uint64 move_count = io_array->count - in_position; - + if (move_count > 0) { memmove (&io_array->objects[in_position + 1], &io_array->objects[in_position], move_count * sizeof (*io_array->objects)); } - + io_array->objects[in_position] = in_object; io_array->count++; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -220,29 +220,29 @@ cc_int32 cci_array_remove (cci_array_t io_array, cc_uint64 in_position) { cc_int32 err = ccNoError; - + if (!io_array) { err = cci_check_error (ccErrBadParam); } - + if (!err && in_position >= io_array->count) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_uint64 move_count = io_array->count - in_position - 1; cci_array_object_t object = io_array->objects[in_position]; - + if (move_count > 0) { memmove (&io_array->objects[in_position], &io_array->objects[in_position + 1], move_count * sizeof (*io_array->objects)); } io_array->count--; - + if (io_array->object_release) { io_array->object_release (object); } - + cci_array_resize (io_array, io_array->count); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -253,14 +253,14 @@ cc_int32 cci_array_move (cci_array_t io_array, cc_uint64 *out_real_new_position) { cc_int32 err = ccNoError; - + if (!io_array ) { err = cci_check_error (ccErrBadParam); } if (!out_real_new_position) { err = cci_check_error (ccErrBadParam); } - + if (!err && in_position >= io_array->count) { err = cci_check_error (ccErrBadParam); } - + if (!err && in_new_position > io_array->count) { err = cci_check_error (ccErrBadParam); } @@ -269,7 +269,7 @@ cc_int32 cci_array_move (cci_array_t io_array, cc_uint64 move_to = 0; cc_uint64 move_count = 0; cc_uint64 real_new_position = 0; - + if (in_position < in_new_position) { /* shift right, making an empty space so the * actual new position is one less in_new_position */ @@ -277,30 +277,30 @@ cc_int32 cci_array_move (cci_array_t io_array, move_to = in_position; move_count = in_new_position - in_position - 1; real_new_position = in_new_position - 1; - + } else if (in_position > in_new_position) { /* shift left */ move_from = in_new_position; move_to = in_new_position + 1; - move_count = in_position - in_new_position; + move_count = in_position - in_new_position; real_new_position = in_new_position; - + } else { real_new_position = in_new_position; } - + if (move_count > 0) { cci_array_object_t object = io_array->objects[in_position]; - - memmove (&io_array->objects[move_to], &io_array->objects[move_from], + + memmove (&io_array->objects[move_to], &io_array->objects[move_from], move_count * sizeof (*io_array->objects)); io_array->objects[real_new_position] = object; } - + *out_real_new_position = real_new_position; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -311,4 +311,3 @@ cc_int32 cci_array_push_front (cci_array_t io_array, cc_uint64 real_new_position = 0; return cci_array_move (io_array, in_position, 0, &real_new_position); } - diff --git a/src/ccapi/common/cci_cred_union.c b/src/ccapi/common/cci_cred_union.c index 94aebddf2..a2f8ca877 100644 --- a/src/ccapi/common/cci_cred_union.c +++ b/src/ccapi/common/cci_cred_union.c @@ -35,14 +35,14 @@ static cc_uint32 cci_credentials_v4_release (cc_credentials_v4_t *io_v4creds) { cc_int32 err = ccNoError; - + if (!io_v4creds) { err = ccErrBadParam; } - + if (!err) { memset (io_v4creds, 0, sizeof (*io_v4creds)); free (io_v4creds); } - + return err; } @@ -53,78 +53,78 @@ static cc_uint32 cci_credentials_v4_read (cc_credentials_v4_t **out_v4creds, { cc_int32 err = ccNoError; cc_credentials_v4_t *v4creds = NULL; - + if (!io_stream ) { err = cci_check_error (ccErrBadParam); } if (!out_v4creds) { err = cci_check_error (ccErrBadParam); } - + if (!err) { v4creds = malloc (sizeof (*v4creds)); if (!v4creds) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->version); } - + if (!err) { err = krb5int_ipc_stream_read (io_stream, v4creds->principal, cc_v4_name_size); } - + if (!err) { err = krb5int_ipc_stream_read (io_stream, v4creds->principal_instance, cc_v4_instance_size); } - + if (!err) { err = krb5int_ipc_stream_read (io_stream, v4creds->service, cc_v4_name_size); } - + if (!err) { err = krb5int_ipc_stream_read (io_stream, v4creds->service_instance, cc_v4_instance_size); } - + if (!err) { err = krb5int_ipc_stream_read (io_stream, v4creds->realm, cc_v4_realm_size); } - + if (!err) { err = krb5int_ipc_stream_read (io_stream, v4creds->session_key, cc_v4_key_size); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->kvno); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->string_to_key_type); } - + if (!err) { err = krb5int_ipc_stream_read_time (io_stream, &v4creds->issue_date); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->lifetime); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->address); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->ticket_size); } - + if (!err) { err = krb5int_ipc_stream_read (io_stream, v4creds->ticket, cc_v4_ticket_size); } - + if (!err) { *out_v4creds = v4creds; v4creds = NULL; } - + free (v4creds); - + return cci_check_error (err); } @@ -134,66 +134,66 @@ static cc_uint32 cci_credentials_v4_write (cc_credentials_v4_t *in_v4creds, k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!io_stream ) { err = cci_check_error (ccErrBadParam); } if (!in_v4creds) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->version); } - + if (!err) { err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal, cc_v4_name_size); } - + if (!err) { err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal_instance, cc_v4_instance_size); } - + if (!err) { err = krb5int_ipc_stream_write (io_stream, in_v4creds->service, cc_v4_name_size); } - + if (!err) { err = krb5int_ipc_stream_write (io_stream, in_v4creds->service_instance, cc_v4_instance_size); } - + if (!err) { err = krb5int_ipc_stream_write (io_stream, in_v4creds->realm, cc_v4_realm_size); } - + if (!err) { err = krb5int_ipc_stream_write (io_stream, in_v4creds->session_key, cc_v4_key_size); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->kvno); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->string_to_key_type); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_stream, in_v4creds->issue_date); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->lifetime); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->address); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->ticket_size); } - + if (!err) { err = krb5int_ipc_stream_write (io_stream, in_v4creds->ticket, cc_v4_ticket_size); } - + return cci_check_error (err); } @@ -206,16 +206,16 @@ static cc_uint32 cci_credentials_v4_write (cc_credentials_v4_t *in_v4creds, static cc_uint32 cci_cc_data_contents_release (cc_data *io_ccdata) { cc_int32 err = ccNoError; - + if (!io_ccdata && io_ccdata->data) { err = ccErrBadParam; } - + if (!err) { if (io_ccdata->length) { memset (io_ccdata->data, 0, io_ccdata->length); } free (io_ccdata->data); } - + return err; } @@ -224,14 +224,14 @@ static cc_uint32 cci_cc_data_contents_release (cc_data *io_ccdata) static cc_uint32 cci_cc_data_release (cc_data *io_ccdata) { cc_int32 err = ccNoError; - + if (!io_ccdata) { err = ccErrBadParam; } - + if (!err) { cci_cc_data_contents_release (io_ccdata); free (io_ccdata); } - + return err; } @@ -244,18 +244,18 @@ static cc_uint32 cci_cc_data_read (cc_data *io_ccdata, cc_uint32 type = 0; cc_uint32 length = 0; char *data = NULL; - + if (!io_stream) { err = cci_check_error (ccErrBadParam); } if (!io_ccdata) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &type); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &length); } - + if (!err && length > 0) { data = malloc (length); if (!data) { err = cci_check_error (ccErrNoMem); } @@ -264,16 +264,16 @@ static cc_uint32 cci_cc_data_read (cc_data *io_ccdata, err = krb5int_ipc_stream_read (io_stream, data, length); } } - + if (!err) { io_ccdata->type = type; io_ccdata->length = length; io_ccdata->data = data; data = NULL; } - + free (data); - + return cci_check_error (err); } @@ -283,22 +283,22 @@ static cc_uint32 cci_cc_data_write (cc_data *in_ccdata, k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!io_stream) { err = cci_check_error (ccErrBadParam); } if (!in_ccdata) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_stream, in_ccdata->type); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_stream, in_ccdata->length); } - + if (!err && in_ccdata->length > 0) { err = krb5int_ipc_stream_write (io_stream, in_ccdata->data, in_ccdata->length); } - + return cci_check_error (err); } @@ -311,18 +311,18 @@ static cc_uint32 cci_cc_data_write (cc_data *in_ccdata, static cc_uint32 cci_cc_data_array_release (cc_data **io_ccdata_array) { cc_int32 err = ccNoError; - + if (!io_ccdata_array) { err = ccErrBadParam; } - + if (!err) { cc_uint32 i; - + for (i = 0; io_ccdata_array && io_ccdata_array[i]; i++) { cci_cc_data_release (io_ccdata_array[i]); } - free (io_ccdata_array); + free (io_ccdata_array); } - + return err; } @@ -335,41 +335,41 @@ static cc_uint32 cci_cc_data_array_read (cc_data ***io_ccdata_array, cc_uint32 count = 0; cc_data **array = NULL; cc_uint32 i; - + if (!io_stream ) { err = cci_check_error (ccErrBadParam); } if (!io_ccdata_array) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &count); } - + if (!err && count > 0) { array = malloc ((count + 1) * sizeof (*array)); - if (array) { + if (array) { for (i = 0; i <= count; i++) { array[i] = NULL; } } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { for (i = 0; !err && i < count; i++) { array[i] = malloc (sizeof (cc_data)); if (!array[i]) { err = cci_check_error (ccErrNoMem); } - + if (!err) { err = cci_cc_data_read (array[i], io_stream); } } } - + if (!err) { *io_ccdata_array = array; array = NULL; } - + cci_cc_data_array_release (array); - + return cci_check_error (err); } @@ -380,24 +380,24 @@ static cc_uint32 cci_cc_data_array_write (cc_data **in_ccdata_array, { cc_int32 err = ccNoError; cc_uint32 count = 0; - + if (!io_stream) { err = cci_check_error (ccErrBadParam); } /* in_ccdata_array may be NULL */ - + if (!err) { for (count = 0; in_ccdata_array && in_ccdata_array[count]; count++); - + err = krb5int_ipc_stream_write_uint32 (io_stream, count); } - + if (!err) { cc_uint32 i; - + for (i = 0; !err && i < count; i++) { err = cci_cc_data_write (in_ccdata_array[i], io_stream); - } + } } - + return cci_check_error (err); } @@ -411,7 +411,7 @@ cc_credentials_v5_t cci_credentials_v5_initializer = { NULL, NULL, { 0, 0, NULL }, - 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, NULL, { 0, 0, NULL }, { 0, 0, NULL }, @@ -423,9 +423,9 @@ cc_credentials_v5_t cci_credentials_v5_initializer = { static cc_uint32 cci_credentials_v5_release (cc_credentials_v5_t *io_v5creds) { cc_int32 err = ccNoError; - + if (!io_v5creds) { err = ccErrBadParam; } - + if (!err) { free (io_v5creds->client); free (io_v5creds->server); @@ -434,9 +434,9 @@ static cc_uint32 cci_credentials_v5_release (cc_credentials_v5_t *io_v5creds) cci_cc_data_contents_release (&io_v5creds->ticket); cci_cc_data_contents_release (&io_v5creds->second_ticket); cci_cc_data_array_release (io_v5creds->authdata); - free (io_v5creds); + free (io_v5creds); } - + return err; } @@ -447,78 +447,78 @@ static cc_uint32 cci_credentials_v5_read (cc_credentials_v5_t **out_v5creds, { cc_int32 err = ccNoError; cc_credentials_v5_t *v5creds = NULL; - + if (!io_stream ) { err = cci_check_error (ccErrBadParam); } if (!out_v5creds) { err = cci_check_error (ccErrBadParam); } - + if (!err) { v5creds = malloc (sizeof (*v5creds)); - if (v5creds) { + if (v5creds) { *v5creds = cci_credentials_v5_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = krb5int_ipc_stream_read_string (io_stream, &v5creds->client); } - + if (!err) { err = krb5int_ipc_stream_read_string (io_stream, &v5creds->server); } - + if (!err) { err = cci_cc_data_read (&v5creds->keyblock, io_stream); } - + if (!err) { err = krb5int_ipc_stream_read_time (io_stream, &v5creds->authtime); } - + if (!err) { err = krb5int_ipc_stream_read_time (io_stream, &v5creds->starttime); } - + if (!err) { err = krb5int_ipc_stream_read_time (io_stream, &v5creds->endtime); } - + if (!err) { err = krb5int_ipc_stream_read_time (io_stream, &v5creds->renew_till); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &v5creds->is_skey); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &v5creds->ticket_flags); } - + if (!err) { err = cci_cc_data_array_read (&v5creds->addresses, io_stream); } - + if (!err) { err = cci_cc_data_read (&v5creds->ticket, io_stream); } - + if (!err) { err = cci_cc_data_read (&v5creds->second_ticket, io_stream); } - + if (!err) { err = cci_cc_data_array_read (&v5creds->authdata, io_stream); } - + if (!err) { *out_v5creds = v5creds; v5creds = NULL; } - + cci_credentials_v5_release (v5creds); - + return cci_check_error (err); } @@ -528,63 +528,63 @@ static cc_uint32 cci_credentials_v5_write (cc_credentials_v5_t *in_v5creds, k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!io_stream ) { err = cci_check_error (ccErrBadParam); } if (!in_v5creds) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_string (io_stream, in_v5creds->client); } - + if (!err) { err = krb5int_ipc_stream_write_string (io_stream, in_v5creds->server); } - + if (!err) { err = cci_cc_data_write (&in_v5creds->keyblock, io_stream); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_stream, in_v5creds->authtime); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_stream, in_v5creds->starttime); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_stream, in_v5creds->endtime); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_stream, in_v5creds->renew_till); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_stream, in_v5creds->is_skey); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_stream, in_v5creds->ticket_flags); } - + if (!err) { err = cci_cc_data_array_write (in_v5creds->addresses, io_stream); } - + if (!err) { err = cci_cc_data_write (&in_v5creds->ticket, io_stream); } - + if (!err) { err = cci_cc_data_write (&in_v5creds->second_ticket, io_stream); } - + if (!err) { err = cci_cc_data_array_write (in_v5creds->authdata, io_stream); } - - + + return cci_check_error (err); } @@ -597,9 +597,9 @@ static cc_uint32 cci_credentials_v5_write (cc_credentials_v5_t *in_v5creds, cc_uint32 cci_credentials_union_release (cc_credentials_union *io_cred_union) { cc_int32 err = ccNoError; - + if (!io_cred_union) { err = ccErrBadParam; } - + if (!err) { if (io_cred_union->version == cc_credentials_v4) { cci_credentials_v4_release (io_cred_union->credentials.credentials_v4); @@ -608,7 +608,7 @@ cc_uint32 cci_credentials_union_release (cc_credentials_union *io_cred_union) } free (io_cred_union); } - + return err; } @@ -619,41 +619,41 @@ cc_uint32 cci_credentials_union_read (cc_credentials_union **out_credentials_uni { cc_int32 err = ccNoError; cc_credentials_union *credentials_union = NULL; - + if (!io_stream ) { err = cci_check_error (ccErrBadParam); } if (!out_credentials_union) { err = cci_check_error (ccErrBadParam); } - + if (!err) { credentials_union = calloc (1, sizeof (*credentials_union)); if (!credentials_union) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (io_stream, &credentials_union->version); } - + if (!err) { if (credentials_union->version == cc_credentials_v4) { err = cci_credentials_v4_read (&credentials_union->credentials.credentials_v4, io_stream); - + } else if (credentials_union->version == cc_credentials_v5) { err = cci_credentials_v5_read (&credentials_union->credentials.credentials_v5, io_stream); - - + + } else { err = ccErrBadCredentialsVersion; } } - + if (!err) { *out_credentials_union = credentials_union; credentials_union = NULL; } - + if (credentials_union) { cci_credentials_union_release (credentials_union); } - + return cci_check_error (err); } @@ -663,29 +663,29 @@ cc_uint32 cci_credentials_union_write (const cc_credentials_union *in_credential k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!io_stream ) { err = cci_check_error (ccErrBadParam); } if (!in_credentials_union) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_stream, in_credentials_union->version); } - + if (!err) { if (in_credentials_union->version == cc_credentials_v4) { err = cci_credentials_v4_write (in_credentials_union->credentials.credentials_v4, io_stream); - + } else if (in_credentials_union->version == cc_credentials_v5) { err = cci_credentials_v5_write (in_credentials_union->credentials.credentials_v5, io_stream); - + } else { err = ccErrBadCredentialsVersion; } } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -699,7 +699,7 @@ cc_credentials_v5_compat cci_credentials_v5_compat_initializer = { NULL, NULL, { 0, 0, NULL }, - 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, NULL, { 0, 0, NULL }, { 0, 0, NULL }, @@ -711,14 +711,14 @@ cc_credentials_v5_compat cci_credentials_v5_compat_initializer = { cc_uint32 cci_cred_union_release (cred_union *io_cred_union) { cc_int32 err = ccNoError; - + if (!io_cred_union) { err = ccErrBadParam; } - + if (!err) { if (io_cred_union->cred_type == CC_CRED_V4) { memset (io_cred_union->cred.pV4Cred, 0, sizeof (cc_credentials_v4_compat)); free (io_cred_union->cred.pV4Cred); - + } else if (io_cred_union->cred_type == CC_CRED_V5) { free (io_cred_union->cred.pV5Cred->client); free (io_cred_union->cred.pV5Cred->server); @@ -727,11 +727,11 @@ cc_uint32 cci_cred_union_release (cred_union *io_cred_union) cci_cc_data_contents_release (&io_cred_union->cred.pV5Cred->ticket); cci_cc_data_contents_release (&io_cred_union->cred.pV5Cred->second_ticket); cci_cc_data_array_release (io_cred_union->cred.pV5Cred->authdata); - free (io_cred_union->cred.pV5Cred); + free (io_cred_union->cred.pV5Cred); } free (io_cred_union); } - + return err; } @@ -742,28 +742,28 @@ static cc_uint32 cci_cc_data_copy_contents (cc_data *io_ccdata, { cc_int32 err = ccNoError; char *data = NULL; - + if (!io_ccdata) { err = cci_check_error (ccErrBadParam); } if (!in_ccdata) { err = cci_check_error (ccErrBadParam); } - + if (!err && in_ccdata->length > 0) { data = malloc (in_ccdata->length); if (data) { memcpy (data, in_ccdata->data, in_ccdata->length); - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { io_ccdata->type = in_ccdata->type; io_ccdata->length = in_ccdata->length; io_ccdata->data = data; data = NULL; } - + free (data); - + return cci_check_error (err); } @@ -776,40 +776,40 @@ static cc_uint32 cci_cc_data_array_copy (cc_data ***io_ccdata_array, cc_uint32 count = 0; cc_data **array = NULL; cc_uint32 i; - + if (!io_ccdata_array) { err = cci_check_error (ccErrBadParam); } - + if (!err) { for (count = 0; in_ccdata_array && in_ccdata_array[count]; count++); } - + if (!err && count > 0) { array = malloc ((count + 1) * sizeof (*array)); - if (array) { + if (array) { for (i = 0; i <= count; i++) { array[i] = NULL; } } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { for (i = 0; !err && i < count; i++) { array[i] = malloc (sizeof (cc_data)); if (!array[i]) { err = cci_check_error (ccErrNoMem); } - + if (!err) { err = cci_cc_data_copy_contents (array[i], in_ccdata_array[i]); } } } - + if (!err) { *io_ccdata_array = array; array = NULL; } - + cci_cc_data_array_release (array); - + return cci_check_error (err); } @@ -820,28 +820,28 @@ cc_uint32 cci_credentials_union_to_cred_union (const cc_credentials_union *in_c { cc_int32 err = ccNoError; cred_union *compat_cred_union = NULL; - + if (!in_credentials_union) { err = cci_check_error (ccErrBadParam); } if (!out_cred_union ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { compat_cred_union = calloc (1, sizeof (*compat_cred_union)); if (!compat_cred_union) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { if (in_credentials_union->version == cc_credentials_v4) { cc_credentials_v4_compat *compat_v4creds = NULL; - + compat_v4creds = malloc (sizeof (*compat_v4creds)); if (!compat_v4creds) { err = cci_check_error (ccErrNoMem); } - + if (!err) { cc_credentials_v4_t *v4creds = in_credentials_union->credentials.credentials_v4; - + compat_cred_union->cred_type = CC_CRED_V4; compat_cred_union->cred.pV4Cred = compat_v4creds; - + compat_v4creds->kversion = v4creds->version; strncpy (compat_v4creds->principal, v4creds->principal, KRB_NAME_SZ+1); strncpy (compat_v4creds->principal_instance, v4creds->principal_instance, KRB_INSTANCE_SZ+1); @@ -858,60 +858,60 @@ cc_uint32 cci_credentials_union_to_cred_union (const cc_credentials_union *in_c memcpy (compat_v4creds->ticket, v4creds->ticket, MAX_V4_CRED_LEN); compat_v4creds->oops = 0; } - + } else if (in_credentials_union->version == cc_credentials_v5) { cc_credentials_v5_t *v5creds = in_credentials_union->credentials.credentials_v5; cc_credentials_v5_compat *compat_v5creds = NULL; - + compat_v5creds = malloc (sizeof (*compat_v5creds)); - if (compat_v5creds) { + if (compat_v5creds) { *compat_v5creds = cci_credentials_v5_compat_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } - + if (!err) { - if (!v5creds->client) { + if (!v5creds->client) { err = cci_check_error (ccErrBadParam); } else { compat_v5creds->client = strdup (v5creds->client); if (!compat_v5creds->client) { err = cci_check_error (ccErrNoMem); } } } - + if (!err) { - if (!v5creds->server) { + if (!v5creds->server) { err = cci_check_error (ccErrBadParam); } else { compat_v5creds->server = strdup (v5creds->server); if (!compat_v5creds->server) { err = cci_check_error (ccErrNoMem); } } } - + if (!err) { err = cci_cc_data_copy_contents (&compat_v5creds->keyblock, &v5creds->keyblock); } - + if (!err) { err = cci_cc_data_array_copy (&compat_v5creds->addresses, v5creds->addresses); } - + if (!err) { err = cci_cc_data_copy_contents (&compat_v5creds->ticket, &v5creds->ticket); } - + if (!err) { err = cci_cc_data_copy_contents (&compat_v5creds->second_ticket, &v5creds->second_ticket); } - + if (!err) { err = cci_cc_data_array_copy (&compat_v5creds->authdata, v5creds->authdata); } - + if (!err) { compat_cred_union->cred_type = CC_CRED_V5; compat_cred_union->cred.pV5Cred = compat_v5creds; - + compat_v5creds->keyblock = v5creds->keyblock; compat_v5creds->authtime = v5creds->authtime; compat_v5creds->starttime = v5creds->starttime; @@ -923,15 +923,15 @@ cc_uint32 cci_credentials_union_to_cred_union (const cc_credentials_union *in_c } else { err = cci_check_error (ccErrBadCredentialsVersion); } - } - + } + if (!err) { *out_cred_union = compat_cred_union; compat_cred_union = NULL; } - + if (compat_cred_union) { cci_cred_union_release (compat_cred_union); } - + return cci_check_error (err); } @@ -942,29 +942,29 @@ cc_uint32 cci_cred_union_to_credentials_union (const cred_union *in_cred_un { cc_int32 err = ccNoError; cc_credentials_union *creds_union = NULL; - + if (!in_cred_union ) { err = cci_check_error (ccErrBadParam); } if (!out_credentials_union) { err = cci_check_error (ccErrBadParam); } - + if (!err) { creds_union = calloc (1, sizeof (*creds_union)); if (!creds_union) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { if (in_cred_union->cred_type == CC_CRED_V4) { cc_credentials_v4_compat *compat_v4creds = in_cred_union->cred.pV4Cred; cc_credentials_v4_t *v4creds = NULL; - + if (!err) { v4creds = malloc (sizeof (*v4creds)); if (!v4creds) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { creds_union->version = cc_credentials_v4; creds_union->credentials.credentials_v4 = v4creds; - + v4creds->version = compat_v4creds->kversion; strncpy (v4creds->principal, compat_v4creds->principal, KRB_NAME_SZ); strncpy (v4creds->principal_instance, compat_v4creds->principal_instance, KRB_INSTANCE_SZ); @@ -980,62 +980,62 @@ cc_uint32 cci_cred_union_to_credentials_union (const cred_union *in_cred_un v4creds->ticket_size = compat_v4creds->ticket_sz; memcpy (v4creds->ticket, compat_v4creds->ticket, MAX_V4_CRED_LEN); } - + } else if (in_cred_union->cred_type == CC_CRED_V5) { cc_credentials_v5_compat *compat_v5creds = in_cred_union->cred.pV5Cred; cc_credentials_v5_t *v5creds = NULL; - + if (!err) { v5creds = malloc (sizeof (*v5creds)); - if (v5creds) { + if (v5creds) { *v5creds = cci_credentials_v5_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { - if (!compat_v5creds->client) { + if (!compat_v5creds->client) { err = cci_check_error (ccErrBadParam); } else { v5creds->client = strdup (compat_v5creds->client); if (!v5creds->client) { err = cci_check_error (ccErrNoMem); } } } - + if (!err) { - if (!compat_v5creds->server) { + if (!compat_v5creds->server) { err = cci_check_error (ccErrBadParam); } else { v5creds->server = strdup (compat_v5creds->server); if (!v5creds->server) { err = cci_check_error (ccErrNoMem); } } } - + if (!err) { err = cci_cc_data_copy_contents (&v5creds->keyblock, &compat_v5creds->keyblock); } - + if (!err) { err = cci_cc_data_array_copy (&v5creds->addresses, compat_v5creds->addresses); } - + if (!err) { err = cci_cc_data_copy_contents (&v5creds->ticket, &compat_v5creds->ticket); } - + if (!err) { err = cci_cc_data_copy_contents (&v5creds->second_ticket, &compat_v5creds->second_ticket); } - + if (!err) { err = cci_cc_data_array_copy (&v5creds->authdata, compat_v5creds->authdata); } - + if (!err) { creds_union->version = cc_credentials_v5; creds_union->credentials.credentials_v5 = v5creds; - + v5creds->authtime = compat_v5creds->authtime; v5creds->starttime = compat_v5creds->starttime; v5creds->endtime = compat_v5creds->endtime; @@ -1043,73 +1043,73 @@ cc_uint32 cci_cred_union_to_credentials_union (const cred_union *in_cred_un v5creds->is_skey = compat_v5creds->is_skey; v5creds->ticket_flags = compat_v5creds->ticket_flags; } - + } else { err = cci_check_error (ccErrBadCredentialsVersion); } - } - + } + if (!err) { *out_credentials_union = creds_union; creds_union = NULL; } - + if (creds_union) { cci_credentials_union_release (creds_union); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ cc_uint32 cci_cred_union_compare_to_credentials_union (const cred_union *in_cred_union_compat, const cc_credentials_union *in_credentials_union, - cc_uint32 *out_equal) + cc_uint32 *out_equal) { cc_int32 err = ccNoError; cc_uint32 equal = 0; - + if (!in_cred_union_compat) { err = cci_check_error (ccErrBadParam); } if (!in_credentials_union) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - if (in_cred_union_compat->cred_type == CC_CRED_V4 && + if (in_cred_union_compat->cred_type == CC_CRED_V4 && in_credentials_union->version == cc_credentials_v4) { cc_credentials_v4_compat *old_creds_v4 = in_cred_union_compat->cred.pV4Cred; cc_credentials_v4_t *new_creds_v4 = in_credentials_union->credentials.credentials_v4; - + if (old_creds_v4 && new_creds_v4 && - !strcmp (old_creds_v4->principal, + !strcmp (old_creds_v4->principal, new_creds_v4->principal) && - !strcmp (old_creds_v4->principal_instance, + !strcmp (old_creds_v4->principal_instance, new_creds_v4->principal_instance) && - !strcmp (old_creds_v4->service, + !strcmp (old_creds_v4->service, new_creds_v4->service) && - !strcmp (old_creds_v4->service_instance, + !strcmp (old_creds_v4->service_instance, new_creds_v4->service_instance) && !strcmp (old_creds_v4->realm, new_creds_v4->realm) && - (old_creds_v4->issue_date == (long) new_creds_v4->issue_date)) { + (old_creds_v4->issue_date == (long) new_creds_v4->issue_date)) { equal = 1; } - - } else if (in_cred_union_compat->cred_type == CC_CRED_V5 && + + } else if (in_cred_union_compat->cred_type == CC_CRED_V5 && in_credentials_union->version == cc_credentials_v5) { cc_credentials_v5_compat *old_creds_v5 = in_cred_union_compat->cred.pV5Cred; cc_credentials_v5_t *new_creds_v5 = in_credentials_union->credentials.credentials_v5; - + /* Really should use krb5_parse_name and krb5_principal_compare */ if (old_creds_v5 && new_creds_v5 && !strcmp (old_creds_v5->client, new_creds_v5->client) && !strcmp (old_creds_v5->server, new_creds_v5->server) && - (old_creds_v5->starttime == new_creds_v5->starttime)) { + (old_creds_v5->starttime == new_creds_v5->starttime)) { equal = 1; } } } - + if (!err) { *out_equal = equal; } - + return cci_check_error (err); } diff --git a/src/ccapi/common/cci_debugging.c b/src/ccapi/common/cci_debugging.c index 4545b402e..d6b9c62c0 100644 --- a/src/ccapi/common/cci_debugging.c +++ b/src/ccapi/common/cci_debugging.c @@ -29,18 +29,18 @@ /* ------------------------------------------------------------------------ */ -cc_int32 _cci_check_error (cc_int32 in_error, - const char *in_function, - const char *in_file, +cc_int32 _cci_check_error (cc_int32 in_error, + const char *in_function, + const char *in_file, int in_line) { /* Do not log for flow control errors or when there is no error at all */ if (in_error != ccNoError && in_error != ccIteratorEnd) { - cci_debug_printf ("%s() got %d at %s: %d", in_function, + cci_debug_printf ("%s() got %d at %s: %d", in_function, in_error, in_file, in_line); } - - return in_error; + + return in_error; } /* ------------------------------------------------------------------------ */ @@ -48,7 +48,7 @@ cc_int32 _cci_check_error (cc_int32 in_error, void cci_debug_printf (const char *in_format, ...) { va_list args; - + va_start (args, in_format); cci_os_debug_vprintf (in_format, args); va_end (args); diff --git a/src/ccapi/common/cci_debugging.h b/src/ccapi/common/cci_debugging.h index 8875e1a03..aa2f1491b 100644 --- a/src/ccapi/common/cci_debugging.h +++ b/src/ccapi/common/cci_debugging.h @@ -29,9 +29,9 @@ #include "cci_types.h" -cc_int32 _cci_check_error (cc_int32 in_err, - const char *in_function, - const char *in_file, +cc_int32 _cci_check_error (cc_int32 in_err, + const char *in_function, + const char *in_file, int in_line); #define cci_check_error(err) _cci_check_error(err, __FUNCTION__, __FILE__, __LINE__) diff --git a/src/ccapi/common/cci_identifier.c b/src/ccapi/common/cci_identifier.c index a027c70c5..f1cc0cf92 100644 --- a/src/ccapi/common/cci_identifier.c +++ b/src/ccapi/common/cci_identifier.c @@ -37,9 +37,9 @@ struct cci_identifier_d cci_identifier_initializer = { NULL, NULL }; #define cci_uninitialized_server_id "NEEDS_SYNC" #define cci_uninitialized_object_id "NEEDS_SYNC" -struct cci_identifier_d cci_identifier_uninitialized_d = { - cci_uninitialized_server_id, - cci_uninitialized_object_id +struct cci_identifier_d cci_identifier_uninitialized_d = { + cci_uninitialized_server_id, + cci_uninitialized_object_id }; const cci_identifier_t cci_identifier_uninitialized = &cci_identifier_uninitialized_d; @@ -58,37 +58,37 @@ static cc_int32 cci_identifier_alloc (cci_identifier_t *out_identifier, { cc_int32 err = ccNoError; cci_identifier_t identifier = NULL; - + if (!out_identifier) { err = cci_check_error (ccErrBadParam); } if (!in_server_id ) { err = cci_check_error (ccErrBadParam); } if (!in_object_id ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { identifier = malloc (sizeof (*identifier)); - if (identifier) { + if (identifier) { *identifier = cci_identifier_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { identifier->server_id = strdup (in_server_id); - if (!identifier->server_id) { err = cci_check_error (ccErrNoMem); } + if (!identifier->server_id) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { identifier->object_id = strdup (in_object_id); - if (!identifier->object_id) { err = cci_check_error (ccErrNoMem); } + if (!identifier->object_id) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { *out_identifier = identifier; identifier = NULL; /* take ownership */ } - + cci_identifier_release (identifier); - + return cci_check_error (err); } @@ -99,18 +99,18 @@ cc_int32 cci_identifier_new (cci_identifier_t *out_identifier, { cc_int32 err = ccNoError; cci_uuid_string_t object_id = NULL; - + if (!out_identifier) { err = cci_check_error (ccErrBadParam); } if (!in_server_id ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_os_identifier_new_uuid (&object_id); } - + if (!err) { err = cci_identifier_alloc (out_identifier, in_server_id, object_id); } - + if (object_id) { free (object_id); } return cci_check_error (err); @@ -125,13 +125,13 @@ cc_int32 cci_identifier_copy (cci_identifier_t *out_identifier, if (!out_identifier) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_identifier_alloc (out_identifier, + err = cci_identifier_alloc (out_identifier, in_identifier->server_id, in_identifier->object_id); } - + return cci_check_error (err); } @@ -140,14 +140,14 @@ cc_int32 cci_identifier_copy (cci_identifier_t *out_identifier, cc_int32 cci_identifier_release (cci_identifier_t in_identifier) { cc_int32 err = ccNoError; - + /* Do not free the static "uninitialized" identifier */ if (!err && in_identifier && in_identifier != cci_identifier_uninitialized) { free (in_identifier->server_id); free (in_identifier->object_id); free (in_identifier); } - + return cci_check_error (err); } @@ -162,19 +162,19 @@ cc_int32 cci_identifier_compare (cci_identifier_t in_identifier, cc_uint32 *out_equal) { cc_int32 err = ccNoError; - + if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!in_compare_to_identifier) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - *out_equal = (!strcmp (in_identifier->object_id, + *out_equal = (!strcmp (in_identifier->object_id, in_compare_to_identifier->object_id) && - !strcmp (in_identifier->server_id, + !strcmp (in_identifier->server_id, in_compare_to_identifier->server_id)); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -184,17 +184,17 @@ cc_int32 cci_identifier_is_for_server (cci_identifier_t in_identifier, cc_uint32 *out_is_for_server) { cc_int32 err = ccNoError; - + if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!in_server_id ) { err = cci_check_error (ccErrBadParam); } if (!out_is_for_server) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_is_for_server = (!strcmp (in_identifier->server_id, in_server_id) || !strcmp (in_identifier->server_id, cci_uninitialized_server_id)); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -204,17 +204,17 @@ cc_int32 cci_identifier_compare_server_id (cci_identifier_t in_identifier, cc_uint32 *out_equal_server_id) { cc_int32 err = ccNoError; - + if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!in_compare_to_identifier) { err = cci_check_error (ccErrBadParam); } if (!out_equal_server_id ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - *out_equal_server_id = (!strcmp (in_identifier->server_id, + *out_equal_server_id = (!strcmp (in_identifier->server_id, in_compare_to_identifier->server_id)); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -223,16 +223,16 @@ cc_int32 cci_identifier_is_initialized (cci_identifier_t in_identifier, cc_uint32 *out_is_initialized) { cc_int32 err = ccNoError; - + if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_is_initialized) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - *out_is_initialized = (strcmp (in_identifier->server_id, + *out_is_initialized = (strcmp (in_identifier->server_id, cci_uninitialized_server_id) != 0); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -247,25 +247,25 @@ cc_uint32 cci_identifier_read (cci_identifier_t *out_identifier, cc_int32 err = ccNoError; cci_uuid_string_t server_id = NULL; cci_uuid_string_t object_id = NULL; - + if (!out_identifier) { err = cci_check_error (ccErrBadParam); } if (!io_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_string (io_stream, &server_id); } if (!err) { err = krb5int_ipc_stream_read_string (io_stream, &object_id); - } - + } + if (!err) { err = cci_identifier_alloc (out_identifier, server_id, object_id); } - + krb5int_ipc_stream_free_string (server_id); krb5int_ipc_stream_free_string (object_id); - + return cci_check_error (err); } @@ -275,17 +275,17 @@ cc_uint32 cci_identifier_write (cci_identifier_t in_identifier, k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!in_identifier) { err = cci_check_error (ccErrBadParam); } if (!io_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_string (io_stream, in_identifier->server_id); } - + if (!err) { err = krb5int_ipc_stream_write_string (io_stream, in_identifier->object_id); } - + return cci_check_error (err); } diff --git a/src/ccapi/common/cci_message.c b/src/ccapi/common/cci_message.c index 0e12c0d48..af1f96153 100644 --- a/src/ccapi/common/cci_message.c +++ b/src/ccapi/common/cci_message.c @@ -31,27 +31,27 @@ cc_int32 cci_message_invalid_object_err (enum cci_msg_id_t in_request_name) { cc_int32 err = ccNoError; - + if (in_request_name > cci_context_first_msg_id && in_request_name < cci_context_last_msg_id) { err = ccErrInvalidContext; - + } else if (in_request_name > cci_ccache_first_msg_id && in_request_name < cci_ccache_last_msg_id) { err = ccErrInvalidCCache; - + } else if (in_request_name > cci_ccache_iterator_first_msg_id && in_request_name < cci_ccache_iterator_last_msg_id) { err = ccErrInvalidCCacheIterator; - + } else if (in_request_name > cci_credentials_iterator_first_msg_id && in_request_name < cci_credentials_iterator_last_msg_id) { err = ccErrInvalidCredentialsIterator; - + } else { err = ccErrBadInternalMessage; } - + return cci_check_error (err); } @@ -63,28 +63,28 @@ cc_int32 cci_message_new_request_header (k5_ipc_stream *out_request, { cc_int32 err = ccNoError; k5_ipc_stream request = NULL; - + if (!out_request) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_request_name); } - + if (!err) { err = cci_identifier_write (in_identifier, request); } - + if (!err) { *out_request = request; request = NULL; } - + krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -97,27 +97,27 @@ cc_int32 cci_message_read_request_header (k5_ipc_stream in_request, cc_int32 err = ccNoError; cc_uint32 request_name; cci_identifier_t identifier = NULL; - + if (!in_request ) { err = cci_check_error (ccErrBadParam); } if (!out_request_name) { err = cci_check_error (ccErrBadParam); } if (!out_identifier ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request, &request_name); } - + if (!err) { err = cci_identifier_read (&identifier, in_request); } - + if (!err) { *out_request_name = request_name; *out_identifier = identifier; identifier = NULL; /* take ownership */ } - + cci_identifier_release (identifier); - + return cci_check_error (err); } @@ -128,24 +128,24 @@ cc_int32 cci_message_new_reply_header (k5_ipc_stream *out_reply, { cc_int32 err = ccNoError; k5_ipc_stream reply = NULL; - + if (!out_reply) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&reply); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (reply, in_error); } - + if (!err) { *out_reply = reply; reply = NULL; } - + krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -156,18 +156,18 @@ cc_int32 cci_message_read_reply_header (k5_ipc_stream in_reply, { cc_int32 err = ccNoError; cc_int32 reply_err = 0; - + if (!in_reply ) { err = cci_check_error (ccErrBadParam); } if (!out_reply_error) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (in_reply, &reply_err); } - + if (!err) { *out_reply_error = reply_err; } - + return cci_check_error (err); } @@ -177,38 +177,38 @@ cc_int32 cci_message_read_reply_header (k5_ipc_stream in_reply, /* ------------------------------------------------------------------------ */ -uint32_t krb5int_ipc_stream_read_time (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_read_time (k5_ipc_stream io_stream, cc_time_t *out_time) { int32_t err = 0; int64_t t = 0; - + if (!io_stream) { err = cci_check_error (ccErrBadParam); } if (!out_time ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_int64 (io_stream, &t); } - + if (!err) { *out_time = t; } - + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ -uint32_t krb5int_ipc_stream_write_time (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_write_time (k5_ipc_stream io_stream, cc_time_t in_time) { int32_t err = 0; - + if (!io_stream) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_int64 (io_stream, in_time); } - + return cci_check_error (err); } diff --git a/src/ccapi/common/cci_message.h b/src/ccapi/common/cci_message.h index 8c1795b05..01085ac41 100644 --- a/src/ccapi/common/cci_message.h +++ b/src/ccapi/common/cci_message.h @@ -45,9 +45,9 @@ cc_int32 cci_message_new_reply_header (k5_ipc_stream *out_reply, cc_int32 cci_message_read_reply_header (k5_ipc_stream in_reply, cc_int32 *out_reply_error); -uint32_t krb5int_ipc_stream_read_time (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_read_time (k5_ipc_stream io_stream, cc_time_t *out_time); -uint32_t krb5int_ipc_stream_write_time (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_write_time (k5_ipc_stream io_stream, cc_time_t in_time); #endif /* CCI_MESSAGE_H */ diff --git a/src/ccapi/common/cci_types.h b/src/ccapi/common/cci_types.h index 43f7100ce..c3046331e 100644 --- a/src/ccapi/common/cci_types.h +++ b/src/ccapi/common/cci_types.h @@ -38,7 +38,7 @@ typedef struct cci_identifier_d *cci_identifier_t; enum cci_msg_id_t { /* cc_context_t */ cci_context_first_msg_id, - + cci_context_unused_release_msg_id, /* Unused. Handle for old clients. */ cci_context_sync_msg_id, cci_context_get_change_time_msg_id, @@ -52,12 +52,12 @@ enum cci_msg_id_t { cci_context_new_ccache_iterator_msg_id, cci_context_lock_msg_id, cci_context_unlock_msg_id, - + cci_context_last_msg_id, - + /* cc_ccache_t */ cci_ccache_first_msg_id, - + cci_ccache_destroy_msg_id, cci_ccache_set_default_msg_id, cci_ccache_get_credentials_version_msg_id, @@ -76,28 +76,28 @@ enum cci_msg_id_t { cci_ccache_get_kdc_time_offset_msg_id, cci_ccache_set_kdc_time_offset_msg_id, cci_ccache_clear_kdc_time_offset_msg_id, - + cci_ccache_last_msg_id, - + /* cc_ccache_iterator_t */ cci_ccache_iterator_first_msg_id, - + cci_ccache_iterator_release_msg_id, cci_ccache_iterator_next_msg_id, cci_ccache_iterator_clone_msg_id, - + cci_ccache_iterator_last_msg_id, - + /* cc_credentials_iterator_t */ cci_credentials_iterator_first_msg_id, - + cci_credentials_iterator_release_msg_id, cci_credentials_iterator_next_msg_id, cci_credentials_iterator_clone_msg_id, - + cci_credentials_iterator_last_msg_id, - + cci_max_msg_id /* must be last! */ -}; +}; #endif /* CCI_TYPES_H */ diff --git a/src/ccapi/common/mac/cci_os_identifier.c b/src/ccapi/common/mac/cci_os_identifier.c index 5f3d0651a..e87e400fc 100644 --- a/src/ccapi/common/mac/cci_os_identifier.c +++ b/src/ccapi/common/mac/cci_os_identifier.c @@ -39,42 +39,41 @@ cc_int32 cci_os_identifier_new_uuid (cci_uuid_string_t *out_uuid_string) CFStringRef uuid_stringref = NULL; CFStringEncoding encoding = kCFStringEncodingUTF8; CFIndex length = 0; - + if (!out_uuid_string) { err = cci_check_error (ccErrBadParam); } - + if (!err) { uuid = CFUUIDCreate (kCFAllocatorDefault); if (!uuid) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { - uuid_stringref = CFUUIDCreateString (kCFAllocatorDefault, uuid); + uuid_stringref = CFUUIDCreateString (kCFAllocatorDefault, uuid); if (!uuid_stringref) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { - length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (uuid_stringref), + length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (uuid_stringref), encoding) + 1; - + uuid_string = malloc (length); if (!uuid_string) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { if (!CFStringGetCString (uuid_stringref, uuid_string, length, encoding)) { err = cci_check_error (ccErrNoMem); - } + } } - + if (!err) { *out_uuid_string = uuid_string; uuid_string = NULL; /* take ownership */ } - + if (uuid_string ) { free (uuid_string); } if (uuid_stringref) { CFRelease (uuid_stringref); } if (uuid ) { CFRelease (uuid); } - + return cci_check_error (err); } - diff --git a/src/ccapi/common/win/OldCC/ccutils.c b/src/ccapi/common/win/OldCC/ccutils.c index cf881cda1..220b1d1d2 100644 --- a/src/ccapi/common/win/OldCC/ccutils.c +++ b/src/ccapi/common/win/OldCC/ccutils.c @@ -57,7 +57,7 @@ BOOL isNT() { bIsNT = FALSE; break; } - + if (!bSupportedVersion) { cci_debug_printf("%s Running on an unsupported version of Windows", __FUNCTION__); status = 1; @@ -104,7 +104,7 @@ HANDLE createThreadEvent(char* uuid, char* suffix) { } #if 0 cci_debug_printf("%s event_name:%s", __FUNCTION__, event_name); -#endif +#endif if (!status) { hEvent = CreateEvent(psa, FALSE, FALSE, event_name); if (!hEvent) status = cci_check_error(GetLastError()); @@ -112,7 +112,7 @@ HANDLE createThreadEvent(char* uuid, char* suffix) { if (!status) ResetEvent(hEvent); - + if (event_name) free(event_name); if (isNT()) free(sa.lpSecurityDescriptor); @@ -137,4 +137,4 @@ HANDLE openThreadEvent(char* uuid, char* suffix) { if (event_name) free(event_name); return hEvent; - } \ No newline at end of file + } diff --git a/src/ccapi/common/win/cci_os_debugging.c b/src/ccapi/common/win/cci_os_debugging.c index 6e6a7158d..5a8c9e723 100644 --- a/src/ccapi/common/win/cci_os_debugging.c +++ b/src/ccapi/common/win/cci_os_debugging.c @@ -24,7 +24,7 @@ * or implied warranty. */ -#include +#include #include #include "cci_os_debugging.h" diff --git a/src/ccapi/common/win/tls.c b/src/ccapi/common/win/tls.c index 5e0e11d7a..60c8ea160 100644 --- a/src/ccapi/common/win/tls.c +++ b/src/ccapi/common/win/tls.c @@ -73,15 +73,15 @@ char* tspdata_getUUID (const struct tspdata* p) {return p->_ RPC_ASYNC_STATE* tspdata_getRpcAState (const struct tspdata* p) {return p->_rpcState;} BOOL WINAPI PutTspData(DWORD dwTlsIndex, struct tspdata* dw) { - LPVOID lpvData; - struct tspdata** pData; // The stored memory pointer + LPVOID lpvData; + struct tspdata** pData; // The stored memory pointer // Retrieve a data pointer for the current thread: - lpvData = TlsGetValue(dwTlsIndex); + lpvData = TlsGetValue(dwTlsIndex); // If NULL, allocate memory for the TLS slot for this thread: if (lpvData == NULL) { - lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct tspdata)); + lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct tspdata)); if (lpvData == NULL) return FALSE; if (!TlsSetValue(dwTlsIndex, lpvData)) return FALSE; } @@ -95,12 +95,10 @@ BOOL WINAPI PutTspData(DWORD dwTlsIndex, struct tspdata* dw) { } BOOL WINAPI GetTspData(DWORD dwTlsIndex, struct tspdata** pdw) { - struct tspdata* pData; // The stored memory pointer + struct tspdata* pData; // The stored memory pointer - pData = (struct tspdata*)TlsGetValue(dwTlsIndex); + pData = (struct tspdata*)TlsGetValue(dwTlsIndex); if (pData == NULL) return FALSE; (*pdw) = pData; return TRUE; } - - diff --git a/src/ccapi/common/win/tls.h b/src/ccapi/common/win/tls.h index 32854f076..d688ed230 100644 --- a/src/ccapi/common/win/tls.h +++ b/src/ccapi/common/win/tls.h @@ -37,7 +37,7 @@ #define UUID_SIZE 128 -/* The client code can be run in any client thread. +/* The client code can be run in any client thread. The thread-specific data is defined here. */ diff --git a/src/ccapi/common/win/win-utils.c b/src/ccapi/common/win/win-utils.c index f60ee3b8f..3795ca544 100644 --- a/src/ccapi/common/win/win-utils.c +++ b/src/ccapi/common/win/win-utils.c @@ -52,18 +52,18 @@ char* clientEndpoint(const char* UUID) { strncat(_clientEndpoint, UUID, UUID_SIZE); // cci_debug_printf("%s returning %s", __FUNCTION__, _clientEndpoint); return _clientEndpoint; - } + } char* serverEndpoint(const char* user) { char* _serverEndpoint = (char*)malloc(strlen(user) + strlen(serverPrefix) + 2); strcpy(_serverEndpoint, serverPrefix); strncat(_serverEndpoint, user, UUID_SIZE); return _serverEndpoint; - } + } char* timestamp() { SYSTEMTIME _stime; GetSystemTime(&_stime); GetTimeFormat(LOCALE_SYSTEM_DEFAULT, 0, &_stime, "HH:mm:ss", _ts, sizeof(_ts)-1); return _ts; - } \ No newline at end of file + } diff --git a/src/ccapi/lib/ccapi_ccache.c b/src/ccapi/lib/ccapi_ccache.c index ec64c44d2..9104c8e0f 100644 --- a/src/ccapi/lib/ccapi_ccache.c +++ b/src/ccapi/lib/ccapi_ccache.c @@ -45,14 +45,14 @@ typedef struct cci_ccache_d { /* ------------------------------------------------------------------------ */ -struct cci_ccache_d cci_ccache_initializer = { - NULL - VECTOR_FUNCTIONS_INITIALIZER, +struct cci_ccache_d cci_ccache_initializer = { + NULL + VECTOR_FUNCTIONS_INITIALIZER, NULL, 0 }; -cc_ccache_f cci_ccache_f_initializer = { +cc_ccache_f cci_ccache_f_initializer = { ccapi_ccache_release, ccapi_ccache_destroy, ccapi_ccache_set_default, @@ -82,39 +82,39 @@ cc_int32 cci_ccache_new (cc_ccache_t *out_ccache, { cc_int32 err = ccNoError; cci_ccache_t ccache = NULL; - + if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier) { err = cci_check_error (ccErrBadParam); } if (!err) { ccache = malloc (sizeof (*ccache)); - if (ccache) { + if (ccache) { *ccache = cci_ccache_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { ccache->functions = malloc (sizeof (*ccache->functions)); - if (ccache->functions) { + if (ccache->functions) { *ccache->functions = cci_ccache_f_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = cci_identifier_copy (&ccache->identifier, in_identifier); } - + if (!err) { *out_ccache = (cc_ccache_t) ccache; ccache = NULL; /* take ownership */ } - + ccapi_ccache_release ((cc_ccache_t) ccache); - + return cci_check_error (err); } @@ -125,14 +125,14 @@ cc_int32 cci_ccache_write (cc_ccache_t in_ccache, { cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) in_ccache; - + if (!in_ccache) { err = cci_check_error (ccErrBadParam); } if (!in_stream) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_write (ccache->identifier, in_stream); } - + return cci_check_error (err); } @@ -146,16 +146,16 @@ cc_int32 ccapi_ccache_release (cc_ccache_t io_ccache) { cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; - + if (!io_ccache) { err = ccErrBadParam; } - + if (!err) { cci_identifier_release (ccache->identifier); - + free ((char *) ccache->functions); free (ccache); } - + return err; } @@ -165,20 +165,20 @@ cc_int32 ccapi_ccache_destroy (cc_ccache_t io_ccache) { cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; - + if (!io_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_destroy_msg_id, ccache->identifier, NULL, NULL); } - + if (!err) { err = ccapi_ccache_release (io_ccache); } - + return cci_check_error (err); } @@ -188,16 +188,16 @@ cc_int32 ccapi_ccache_set_default (cc_ccache_t io_ccache) { cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; - + if (!io_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_set_default_msg_id, ccache->identifier, NULL, NULL); } - + return cci_check_error (err); } @@ -209,23 +209,23 @@ cc_int32 ccapi_ccache_get_credentials_version (cc_ccache_t in_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) in_ccache; k5_ipc_stream reply = NULL; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_credentials_version) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_get_credentials_version_msg_id, ccache->identifier, NULL, &reply); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (reply, out_credentials_version); } - + krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -238,28 +238,28 @@ cc_int32 ccapi_ccache_get_name (cc_ccache_t in_ccache, cci_ccache_t ccache = (cci_ccache_t) in_ccache; k5_ipc_stream reply = NULL; char *name = NULL; - + if (!in_ccache) { err = cci_check_error (ccErrBadParam); } if (!out_name ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_get_name_msg_id, ccache->identifier, NULL, &reply); } - + if (!err) { err = krb5int_ipc_stream_read_string (reply, &name); } - + if (!err) { err = cci_string_new (out_name, name); } - + krb5int_ipc_stream_release (reply); krb5int_ipc_stream_free_string (name); - + return cci_check_error (err); } @@ -274,37 +274,37 @@ cc_int32 ccapi_ccache_get_principal (cc_ccache_t in_ccache, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; char *principal = NULL; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_principal) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_credentials_version); } - + if (!err) { err = cci_ipc_send (cci_ccache_get_principal_msg_id, ccache->identifier, request, &reply); } - + if (!err) { err = krb5int_ipc_stream_read_string (reply, &principal); } - + if (!err) { err = cci_string_new (out_principal, principal); } - + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); krb5int_ipc_stream_free_string (principal); - + return cci_check_error (err); } @@ -317,18 +317,18 @@ cc_int32 ccapi_ccache_set_principal (cc_ccache_t io_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; k5_ipc_stream request = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_principal) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_credentials_version); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, in_principal); } @@ -339,7 +339,7 @@ cc_int32 ccapi_ccache_set_principal (cc_ccache_t io_ccache, request, NULL); } - + krb5int_ipc_stream_release (request); return cci_check_error (err); @@ -353,27 +353,27 @@ cc_int32 ccapi_ccache_store_credentials (cc_ccache_t io_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; k5_ipc_stream request = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_credentials_union) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = cci_credentials_union_write (in_credentials_union, request); } - + if (!err) { err = cci_ipc_send (cci_ccache_store_credentials_msg_id, ccache->identifier, request, NULL); } - + krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -385,27 +385,27 @@ cc_int32 ccapi_ccache_remove_credentials (cc_ccache_t io_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; k5_ipc_stream request = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_credentials) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = cci_credentials_write (in_credentials, request); } - + if (!err) { err = cci_ipc_send (cci_ccache_remove_credentials_msg_id, ccache->identifier, request, NULL); } - + krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -418,25 +418,25 @@ cc_int32 ccapi_ccache_new_credentials_iterator (cc_ccache_t in_cc cci_ccache_t ccache = (cci_ccache_t) in_ccache; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_credentials_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_new_credentials_iterator_msg_id, ccache->identifier, NULL, &reply); } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_credentials_iterator_new (out_credentials_iterator, identifier); } - + krb5int_ipc_stream_release (reply); cci_identifier_release (identifier); @@ -454,25 +454,25 @@ cc_int32 ccapi_ccache_move (cc_ccache_t io_source_ccache, cci_ccache_t source_ccache = (cci_ccache_t) io_source_ccache; cci_ccache_t destination_ccache = (cci_ccache_t) io_destination_ccache; k5_ipc_stream request = NULL; - + if (!io_source_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_destination_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = cci_identifier_write (source_ccache->identifier, request); } - + if (!err) { err = cci_ipc_send (cci_ccache_move_msg_id, destination_ccache->identifier, request, NULL); } - + krb5int_ipc_stream_release (request); return cci_check_error (err); @@ -487,30 +487,30 @@ cc_int32 ccapi_ccache_lock (cc_ccache_t io_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; k5_ipc_stream request = NULL; - + if (!io_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_lock_type); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_block); } - + if (!err) { err = cci_ipc_send (cci_ccache_lock_msg_id, ccache->identifier, request, NULL); } - + krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -520,16 +520,16 @@ cc_int32 ccapi_ccache_unlock (cc_ccache_t io_ccache) { cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; - + if (!io_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_unlock_msg_id, ccache->identifier, NULL, NULL); } - + return cci_check_error (err); } @@ -541,21 +541,21 @@ cc_int32 ccapi_ccache_get_last_default_time (cc_ccache_t in_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) in_ccache; k5_ipc_stream reply = NULL; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_last_default_time) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_get_last_default_time_msg_id, ccache->identifier, NULL, &reply); } - + if (!err) { err = krb5int_ipc_stream_read_time (reply, out_last_default_time); } - + krb5int_ipc_stream_release (reply); return cci_check_error (err); @@ -569,23 +569,23 @@ cc_int32 ccapi_ccache_get_change_time (cc_ccache_t in_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) in_ccache; k5_ipc_stream reply = NULL; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_change_time) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_ccache_get_change_time_msg_id, ccache->identifier, NULL, &reply); } - + if (!err) { err = krb5int_ipc_stream_read_time (reply, out_change_time); } - + krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -597,31 +597,31 @@ cc_int32 ccapi_ccache_wait_for_change (cc_ccache_t in_ccache) cci_ccache_t ccache = (cci_ccache_t) in_ccache; k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; - + if (!in_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_time (request, ccache->last_wait_for_change_time); } - + if (!err) { err = cci_ipc_send (cci_ccache_wait_for_change_msg_id, ccache->identifier, - request, + request, &reply); } - + if (!err) { err = krb5int_ipc_stream_read_time (reply, &ccache->last_wait_for_change_time); - } - + } + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -634,17 +634,17 @@ cc_int32 ccapi_ccache_compare (cc_ccache_t in_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) in_ccache; cci_ccache_t compare_to_ccache = (cci_ccache_t) in_compare_to_ccache; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_compare_to_ccache) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_identifier_compare (ccache->identifier, + err = cci_identifier_compare (ccache->identifier, compare_to_ccache->identifier, out_equal); } - + return cci_check_error (err); } @@ -658,14 +658,14 @@ cc_int32 ccapi_ccache_get_kdc_time_offset (cc_ccache_t in_ccache, cci_ccache_t ccache = (cci_ccache_t) in_ccache; k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_time_offset) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_credentials_version); } @@ -676,14 +676,14 @@ cc_int32 ccapi_ccache_get_kdc_time_offset (cc_ccache_t in_ccache, request, &reply); } - + if (!err) { err = krb5int_ipc_stream_read_time (reply, out_time_offset); } - + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -696,30 +696,30 @@ cc_int32 ccapi_ccache_set_kdc_time_offset (cc_ccache_t io_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; k5_ipc_stream request = NULL; - + if (!io_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_credentials_version); } - + if (!err) { err = krb5int_ipc_stream_write_time (request, in_time_offset); } - + if (!err) { err = cci_ipc_send (cci_ccache_set_kdc_time_offset_msg_id, ccache->identifier, request, NULL); } - + krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -731,26 +731,26 @@ cc_int32 ccapi_ccache_clear_kdc_time_offset (cc_ccache_t io_ccache, cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) io_ccache; k5_ipc_stream request = NULL; - + if (!io_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_credentials_version); } - + if (!err) { err = cci_ipc_send (cci_ccache_clear_kdc_time_offset_msg_id, ccache->identifier, request, NULL); } - + krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -765,14 +765,14 @@ cc_int32 cci_ccache_get_compat_version (cc_ccache_t in_ccache, { cc_int32 err = ccNoError; cci_ccache_t ccache = (cci_ccache_t) in_ccache; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_compat_version) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_compat_version = ccache->compat_version; } - + return cci_check_error (err); } @@ -785,10 +785,10 @@ cc_int32 cci_ccache_set_compat_version (cc_ccache_t io_ccache, cci_ccache_t ccache = (cci_ccache_t) io_ccache; if (!io_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { ccache->compat_version = in_compat_version; } - + return cci_check_error (err); } diff --git a/src/ccapi/lib/ccapi_ccache_iterator.c b/src/ccapi/lib/ccapi_ccache_iterator.c index 0df9e0f8e..aa10e1e42 100644 --- a/src/ccapi/lib/ccapi_ccache_iterator.c +++ b/src/ccapi/lib/ccapi_ccache_iterator.c @@ -41,14 +41,14 @@ typedef struct cci_ccache_iterator_d { /* ------------------------------------------------------------------------ */ -struct cci_ccache_iterator_d cci_ccache_iterator_initializer = { - NULL - VECTOR_FUNCTIONS_INITIALIZER, +struct cci_ccache_iterator_d cci_ccache_iterator_initializer = { + NULL + VECTOR_FUNCTIONS_INITIALIZER, NULL, NULL }; -cc_ccache_iterator_f cci_ccache_iterator_f_initializer = { +cc_ccache_iterator_f cci_ccache_iterator_f_initializer = { ccapi_ccache_iterator_release, ccapi_ccache_iterator_next, ccapi_ccache_iterator_clone @@ -64,36 +64,36 @@ cc_int32 cci_ccache_iterator_new (cc_ccache_iterator_t *out_ccache_iterator, if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { ccache_iterator = malloc (sizeof (*ccache_iterator)); - if (ccache_iterator) { + if (ccache_iterator) { *ccache_iterator = cci_ccache_iterator_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { ccache_iterator->functions = malloc (sizeof (*ccache_iterator->functions)); - if (ccache_iterator->functions) { + if (ccache_iterator->functions) { *ccache_iterator->functions = cci_ccache_iterator_f_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = cci_identifier_copy (&ccache_iterator->identifier, in_identifier); } - + if (!err) { *out_ccache_iterator = (cc_ccache_iterator_t) ccache_iterator; ccache_iterator = NULL; /* take ownership */ } - + ccapi_ccache_iterator_release ((cc_ccache_iterator_t) ccache_iterator); - + return cci_check_error (err); } @@ -104,14 +104,14 @@ cc_int32 cci_ccache_iterator_write (cc_ccache_iterator_t in_ccache_iterator, { cc_int32 err = ccNoError; cci_ccache_iterator_t ccache_iterator = (cci_ccache_iterator_t) in_ccache_iterator; - + if (!in_ccache_iterator) { err = cci_check_error (ccErrBadParam); } if (!in_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_write (ccache_iterator->identifier, in_stream); } - + return cci_check_error (err); } @@ -121,35 +121,35 @@ cc_int32 ccapi_ccache_iterator_release (cc_ccache_iterator_t io_ccache_iterator) { cc_int32 err = ccNoError; cci_ccache_iterator_t ccache_iterator = (cci_ccache_iterator_t) io_ccache_iterator; - + if (!io_ccache_iterator) { err = ccErrBadParam; } - + if (!err) { cc_uint32 initialized = 0; - + err = cci_identifier_is_initialized (ccache_iterator->identifier, &initialized); - + if (!err && initialized) { err = cci_ipc_send (cci_ccache_iterator_release_msg_id, ccache_iterator->identifier, NULL, NULL); if (err) { - cci_debug_printf ("%s: cci_ipc_send failed with error %d", + cci_debug_printf ("%s: cci_ipc_send failed with error %d", __FUNCTION__, err); err = ccNoError; } } } - + if (!err) { free ((char *) ccache_iterator->functions); cci_identifier_release (ccache_iterator->identifier); free (ccache_iterator->saved_ccache_name); free (ccache_iterator); } - + return err; } @@ -162,10 +162,10 @@ cc_int32 ccapi_ccache_iterator_next (cc_ccache_iterator_t in_ccache_iterator, cci_ccache_iterator_t ccache_iterator = (cci_ccache_iterator_t) in_ccache_iterator; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_ccache_iterator) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_uint32 initialized = 0; @@ -177,25 +177,25 @@ cc_int32 ccapi_ccache_iterator_next (cc_ccache_iterator_t in_ccache_iterator, err = cci_check_error (ccIteratorEnd); } } - + if (!err) { err = cci_ipc_send (cci_ccache_iterator_next_msg_id, ccache_iterator->identifier, NULL, &reply); } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_ccache_new (out_ccache, identifier); } - + krb5int_ipc_stream_release (reply); cci_identifier_release (identifier); - + return cci_check_error (err); } @@ -209,10 +209,10 @@ cc_int32 ccapi_ccache_iterator_clone (cc_ccache_iterator_t in_ccache_iterator, k5_ipc_stream reply = NULL; cc_uint32 initialized = 0; cci_identifier_t identifier = NULL; - + if (!in_ccache_iterator ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_is_initialized (ccache_iterator->identifier, &initialized); @@ -224,7 +224,7 @@ cc_int32 ccapi_ccache_iterator_clone (cc_ccache_iterator_t in_ccache_iterator, ccache_iterator->identifier, NULL, &reply); - + if (!err) { err = cci_identifier_read (&identifier, reply); } @@ -234,14 +234,14 @@ cc_int32 ccapi_ccache_iterator_clone (cc_ccache_iterator_t in_ccache_iterator, identifier = cci_identifier_uninitialized; } } - + if (!err) { err = cci_ccache_iterator_new (out_ccache_iterator, identifier); } cci_identifier_release (identifier); krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -252,14 +252,14 @@ cc_int32 cci_ccache_iterator_get_saved_ccache_name (cc_ccache_iterator_t in_cc { cc_int32 err = ccNoError; cci_ccache_iterator_t ccache_iterator = (cci_ccache_iterator_t) in_ccache_iterator; - + if (!in_ccache_iterator ) { err = cci_check_error (ccErrBadParam); } if (!out_saved_ccache_name) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_saved_ccache_name = ccache_iterator->saved_ccache_name; } - + return cci_check_error (err); } @@ -271,22 +271,22 @@ cc_int32 cci_ccache_iterator_set_saved_ccache_name (cc_ccache_iterator_t io_cca cc_int32 err = ccNoError; cci_ccache_iterator_t ccache_iterator = (cci_ccache_iterator_t) io_ccache_iterator; char *new_saved_ccache_name = NULL; - + if (!io_ccache_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err && in_saved_ccache_name) { new_saved_ccache_name = strdup (in_saved_ccache_name); if (!new_saved_ccache_name) { err = ccErrNoMem; } } - + if (!err) { free (ccache_iterator->saved_ccache_name); - + ccache_iterator->saved_ccache_name = new_saved_ccache_name; new_saved_ccache_name = NULL; /* take ownership */ } - + free (new_saved_ccache_name); - + return cci_check_error (err); } diff --git a/src/ccapi/lib/ccapi_context.c b/src/ccapi/lib/ccapi_context.c index 9b1d05dc8..da8aa59f0 100644 --- a/src/ccapi/lib/ccapi_context.c +++ b/src/ccapi/lib/ccapi_context.c @@ -49,15 +49,15 @@ typedef struct cci_context_d { /* ------------------------------------------------------------------------ */ -struct cci_context_d cci_context_initializer = { - NULL +struct cci_context_d cci_context_initializer = { + NULL VECTOR_FUNCTIONS_INITIALIZER, NULL, 0, 0 }; -cc_context_f cci_context_f_initializer = { +cc_context_f cci_context_f_initializer = { ccapi_context_release, ccapi_context_get_change_time, ccapi_context_get_default_ccache_name, @@ -73,7 +73,7 @@ cc_context_f cci_context_f_initializer = { ccapi_context_wait_for_change }; -static cc_int32 cci_context_sync (cci_context_t in_context, +static cc_int32 cci_context_sync (cci_context_t in_context, cc_uint32 in_launch); #ifdef TARGET_OS_MAC @@ -88,19 +88,19 @@ MAKE_FINI_FUNCTION(cci_thread_fini); static int cci_thread_init (void) { cc_int32 err = ccNoError; - + if (!err) { err = cci_context_change_time_thread_init (); } - + if (!err) { err = cci_ipc_thread_init (); } - + if (!err) { add_error_table (&et_CAPI_error_table); } - + return err; } @@ -111,7 +111,7 @@ static void cci_thread_fini (void) if (!INITIALIZER_RAN (cci_thread_init) || PROGRAM_EXITING ()) { return; } - + remove_error_table(&et_CAPI_error_table); cci_context_change_time_thread_fini (); cci_ipc_thread_fini (); @@ -132,64 +132,64 @@ cc_int32 cc_initialize (cc_context_t *out_context, cc_int32 err = ccNoError; cci_context_t context = NULL; static char *vendor_string = "MIT Kerberos CCAPI"; - + if (!out_context) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = CALL_INIT_FUNCTION (cci_thread_init); } - + if (!err) { - switch (in_version) { - case ccapi_version_2: + switch (in_version) { + case ccapi_version_2: case ccapi_version_3: case ccapi_version_4: case ccapi_version_5: case ccapi_version_6: case ccapi_version_7: break; - - default: + + default: err = ccErrBadAPIVersion; break; } } - + if (!err) { context = malloc (sizeof (*context)); - if (context) { + if (context) { *context = cci_context_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { context->functions = malloc (sizeof (*context->functions)); - if (context->functions) { + if (context->functions) { *context->functions = cci_context_f_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { context->identifier = cci_identifier_uninitialized; *out_context = (cc_context_t) context; context = NULL; /* take ownership */ - + if (out_supported_version) { *out_supported_version = ccapi_version_max; } - + if (out_vendor) { *out_vendor = vendor_string; } } - + ccapi_context_release ((cc_context_t) context); - + return cci_check_error (err); } @@ -198,30 +198,30 @@ cc_int32 cc_initialize (cc_context_t *out_context, #endif /* ------------------------------------------------------------------------ */ -/* - * Currently does not need to talk to the server since the server must - * handle cleaning up resources from crashed clients anyway. - * - * NOTE: if server communication is ever added here, make sure that +/* + * Currently does not need to talk to the server since the server must + * handle cleaning up resources from crashed clients anyway. + * + * NOTE: if server communication is ever added here, make sure that * krb5_stdcc_shutdown calls an internal function which does not talk to the - * server. krb5_stdcc_shutdown is called from thread fini functions and may - * crash talking to the server depending on what order the OS calls the fini - * functions (ie: if the ipc layer fini function is called first). + * server. krb5_stdcc_shutdown is called from thread fini functions and may + * crash talking to the server depending on what order the OS calls the fini + * functions (ie: if the ipc layer fini function is called first). */ cc_int32 ccapi_context_release (cc_context_t in_context) { cc_int32 err = ccNoError; cci_context_t context = (cci_context_t) in_context; - + if (!in_context) { err = ccErrBadParam; } - + if (!err) { cci_identifier_release (context->identifier); free (context->functions); free (context); } - + return err; } @@ -233,10 +233,10 @@ cc_int32 ccapi_context_get_change_time (cc_context_t in_context, cc_int32 err = ccNoError; cci_context_t context = (cci_context_t) in_context; k5_ipc_stream reply = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!out_change_time) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_context_sync (context, 0); } @@ -246,25 +246,25 @@ cc_int32 ccapi_context_get_change_time (cc_context_t in_context, context->identifier, NULL, &reply); } - + if (!err && krb5int_ipc_stream_size (reply) > 0) { cc_time_t change_time = 0; - + /* got a response from the server */ err = krb5int_ipc_stream_read_time (reply, &change_time); - + if (!err) { err = cci_context_change_time_update (context->identifier, change_time); } } - + if (!err) { err = cci_context_change_time_get (out_change_time); } - + krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -276,13 +276,13 @@ cc_int32 ccapi_context_wait_for_change (cc_context_t in_context) cci_context_t context = (cci_context_t) in_context; k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_time (request, context->last_wait_for_change_time); } @@ -290,18 +290,18 @@ cc_int32 ccapi_context_wait_for_change (cc_context_t in_context) if (!err) { err = cci_context_sync (context, 1); } - + if (!err) { err = cci_ipc_send (cci_context_wait_for_change_msg_id, context->identifier, - request, + request, &reply); } if (!err) { err = krb5int_ipc_stream_read_time (reply, &context->last_wait_for_change_time); } - + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); @@ -318,26 +318,26 @@ cc_int32 ccapi_context_get_default_ccache_name (cc_context_t in_context, k5_ipc_stream reply = NULL; char *reply_name = NULL; char *name = NULL; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!out_name ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_context_sync (context, 0); } - + if (!err) { err = cci_ipc_send_no_launch (cci_context_get_default_ccache_name_msg_id, context->identifier, NULL, &reply); } - + if (!err) { if (krb5int_ipc_stream_size (reply) > 0) { /* got a response from the server */ err = krb5int_ipc_stream_read_string (reply, &reply_name); - + if (!err) { name = reply_name; } @@ -345,14 +345,14 @@ cc_int32 ccapi_context_get_default_ccache_name (cc_context_t in_context, name = k_cci_context_initial_ccache_name; } } - + if (!err) { err = cci_string_new (out_name, name); } - + krb5int_ipc_stream_release (reply); krb5int_ipc_stream_free_string (reply_name); - + return cci_check_error (err); } @@ -367,46 +367,46 @@ cc_int32 ccapi_context_open_ccache (cc_context_t in_context, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_name ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, in_name); } - + if (!err) { err = cci_context_sync (context, 0); } - + if (!err) { err = cci_ipc_send_no_launch (cci_context_open_ccache_msg_id, context->identifier, request, &reply); } - + if (!err && !(krb5int_ipc_stream_size (reply) > 0)) { err = ccErrCCacheNotFound; } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_ccache_new (out_ccache, identifier); } - + cci_identifier_release (identifier); krb5int_ipc_stream_release (reply); krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -419,36 +419,36 @@ cc_int32 ccapi_context_open_default_ccache (cc_context_t in_context, cci_context_t context = (cci_context_t) in_context; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!out_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_context_sync (context, 0); } - + if (!err) { err = cci_ipc_send_no_launch (cci_context_open_default_ccache_msg_id, context->identifier, NULL, &reply); } - + if (!err && !(krb5int_ipc_stream_size (reply) > 0)) { err = ccErrCCacheNotFound; } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_ccache_new (out_ccache, identifier); } - + cci_identifier_release (identifier); krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -457,7 +457,7 @@ cc_int32 ccapi_context_open_default_ccache (cc_context_t in_context, cc_int32 ccapi_context_create_ccache (cc_context_t in_context, const char *in_name, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache) { cc_int32 err = ccNoError; @@ -465,51 +465,51 @@ cc_int32 ccapi_context_create_ccache (cc_context_t in_context, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_name ) { err = cci_check_error (ccErrBadParam); } if (!in_principal) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, in_name); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_cred_vers); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, in_principal); } - + if (!err) { err = cci_context_sync (context, 1); } - + if (!err) { err = cci_ipc_send (cci_context_create_ccache_msg_id, context->identifier, request, &reply); } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_ccache_new (out_ccache, identifier); } - + cci_identifier_release (identifier); krb5int_ipc_stream_release (reply); krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -517,7 +517,7 @@ cc_int32 ccapi_context_create_ccache (cc_context_t in_context, cc_int32 ccapi_context_create_default_ccache (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache) { cc_int32 err = ccNoError; @@ -525,46 +525,46 @@ cc_int32 ccapi_context_create_default_ccache (cc_context_t in_context, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_principal) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_cred_vers); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, in_principal); } - + if (!err) { err = cci_context_sync (context, 1); } - + if (!err) { err = cci_ipc_send (cci_context_create_default_ccache_msg_id, context->identifier, request, &reply); } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_ccache_new (out_ccache, identifier); } - + cci_identifier_release (identifier); krb5int_ipc_stream_release (reply); krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -572,7 +572,7 @@ cc_int32 ccapi_context_create_default_ccache (cc_context_t in_context, cc_int32 ccapi_context_create_new_ccache (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache) { cc_int32 err = ccNoError; @@ -580,46 +580,46 @@ cc_int32 ccapi_context_create_new_ccache (cc_context_t in_context, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_principal) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_cred_vers); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, in_principal); } - + if (!err) { err = cci_context_sync (context, 1); } - + if (!err) { err = cci_ipc_send (cci_context_create_new_ccache_msg_id, context->identifier, request, &reply); } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_ccache_new (out_ccache, identifier); } - + cci_identifier_release (identifier); krb5int_ipc_stream_release (reply); krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -632,21 +632,21 @@ cc_int32 ccapi_context_new_ccache_iterator (cc_context_t in_context, cci_context_t context = (cci_context_t) in_context; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!out_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_context_sync (context, 0); } - + if (!err) { err = cci_ipc_send_no_launch (cci_context_new_ccache_iterator_msg_id, context->identifier, NULL, &reply); } - + if (!err) { if (krb5int_ipc_stream_size (reply) > 0) { err = cci_identifier_read (&identifier, reply); @@ -654,7 +654,7 @@ cc_int32 ccapi_context_new_ccache_iterator (cc_context_t in_context, identifier = cci_identifier_uninitialized; } } - + if (!err) { err = cci_ccache_iterator_new (out_iterator, identifier); } @@ -674,34 +674,34 @@ cc_int32 ccapi_context_lock (cc_context_t in_context, cc_int32 err = ccNoError; cci_context_t context = (cci_context_t) in_context; k5_ipc_stream request = NULL; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_lock_type); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (request, in_block); } - + if (!err) { err = cci_context_sync (context, 1); } - + if (!err) { err = cci_ipc_send (cci_context_lock_msg_id, context->identifier, request, NULL); } - + krb5int_ipc_stream_release (request); - + return cci_check_error (err); } @@ -711,20 +711,20 @@ cc_int32 ccapi_context_unlock (cc_context_t in_context) { cc_int32 err = ccNoError; cci_context_t context = (cci_context_t) in_context; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_context_sync (context, 1); } - + if (!err) { err = cci_ipc_send (cci_context_unlock_msg_id, context->identifier, NULL, NULL); } - + return cci_check_error (err); } @@ -737,27 +737,27 @@ cc_int32 ccapi_context_compare (cc_context_t in_context, cc_int32 err = ccNoError; cci_context_t context = (cci_context_t) in_context; cci_context_t compare_to_context = (cci_context_t) in_compare_to_context; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_compare_to_context) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_context_sync (context, 0); } - + if (!err) { err = cci_context_sync (compare_to_context, 0); } - + if (!err) { - /* If both contexts can't talk to the server, then + /* If both contexts can't talk to the server, then * we assume they are equivalent */ - err = cci_identifier_compare (context->identifier, + err = cci_identifier_compare (context->identifier, compare_to_context->identifier, out_equal); } - + return cci_check_error (err); } @@ -767,16 +767,16 @@ cc_int32 ccapi_context_compare (cc_context_t in_context, /* ------------------------------------------------------------------------ */ -static cc_int32 cci_context_sync (cci_context_t in_context, +static cc_int32 cci_context_sync (cci_context_t in_context, cc_uint32 in_launch) { cc_int32 err = ccNoError; cci_context_t context = (cci_context_t) in_context; k5_ipc_stream reply = NULL; cci_identifier_t new_identifier = NULL; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } - + if (!err) { /* Use the uninitialized identifier because we may be talking */ /* to a different server which would reject our identifier and */ @@ -793,7 +793,7 @@ static cc_int32 cci_context_sync (cci_context_t in_context, &reply); } } - + if (!err) { if (krb5int_ipc_stream_size (reply) > 0) { err = cci_identifier_read (&new_identifier, reply); @@ -801,7 +801,7 @@ static cc_int32 cci_context_sync (cci_context_t in_context, new_identifier = cci_identifier_uninitialized; } } - + if (!err) { cc_uint32 equal = 0; @@ -815,20 +815,19 @@ static cc_int32 cci_context_sync (cci_context_t in_context, new_identifier = NULL; /* take ownership */ } } - + if (!err && context->synchronized) { err = cci_context_change_time_sync (context->identifier); } - + if (!err && !context->synchronized) { /* Keep state about whether this is the first call to avoid always */ /* modifying the global change time on the context's first ipc call. */ context->synchronized = 1; } - + cci_identifier_release (new_identifier); krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } - diff --git a/src/ccapi/lib/ccapi_context.h b/src/ccapi/lib/ccapi_context.h index 564f49db9..8bc2e3613 100644 --- a/src/ccapi/lib/ccapi_context.h +++ b/src/ccapi/lib/ccapi_context.h @@ -29,7 +29,7 @@ #include "cci_common.h" -/* Used for freeing ccapi context in thread fini calls +/* Used for freeing ccapi context in thread fini calls * Does not tell the server you are exiting. */ cc_int32 cci_context_destroy (cc_context_t in_context); @@ -53,17 +53,17 @@ cc_int32 ccapi_context_open_default_ccache (cc_context_t in_context, cc_int32 ccapi_context_create_ccache (cc_context_t in_context, const char *in_name, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); cc_int32 ccapi_context_create_default_ccache (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); cc_int32 ccapi_context_create_new_ccache (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); cc_int32 ccapi_context_new_ccache_iterator (cc_context_t in_context, diff --git a/src/ccapi/lib/ccapi_context_change_time.c b/src/ccapi/lib/ccapi_context_change_time.c index 4efc7db60..602ab26cb 100644 --- a/src/ccapi/lib/ccapi_context_change_time.c +++ b/src/ccapi/lib/ccapi_context_change_time.c @@ -60,27 +60,27 @@ static cc_int32 cci_context_change_time_update_identifier (cci_identifier_t in_ cc_uint32 server_ids_match = 0; cc_uint32 old_server_running = 0; cc_uint32 new_server_running = 0; - + if (!in_new_identifier) { err = cci_check_error (err); } - + if (!err && !g_change_time_identifer) { g_change_time_identifer = cci_identifier_uninitialized; } - + if (!err) { err = cci_identifier_compare_server_id (g_change_time_identifer, in_new_identifier, &server_ids_match); } - + if (!err && out_old_server_running) { err = cci_identifier_is_initialized (g_change_time_identifer, &old_server_running); } - + if (!err && out_new_server_running) { err = cci_identifier_is_initialized (in_new_identifier, &new_server_running); } - + if (!err && !server_ids_match) { cci_identifier_t new_change_time_identifer = NULL; @@ -94,14 +94,14 @@ static cc_int32 cci_context_change_time_update_identifier (cci_identifier_t in_ g_change_time_identifer = new_change_time_identifer; } } - + if (!err) { if (out_server_ids_match ) { *out_server_ids_match = server_ids_match; } if (out_old_server_running) { *out_old_server_running = old_server_running; } if (out_new_server_running) { *out_new_server_running = new_server_running; } } - - + + return cci_check_error (err); } @@ -114,14 +114,14 @@ static cc_int32 cci_context_change_time_update_identifier (cci_identifier_t in_ cc_int32 cci_context_change_time_get (cc_time_t *out_change_time) { cc_int32 err = ccNoError; - + err = k5_mutex_lock (&g_change_time_mutex); - + if (!err) { *out_change_time = g_change_time + g_change_time_offset; - k5_mutex_unlock (&g_change_time_mutex); + k5_mutex_unlock (&g_change_time_mutex); } - + return err; } @@ -132,25 +132,25 @@ cc_int32 cci_context_change_time_update (cci_identifier_t in_identifier, { cc_int32 err = ccNoError; cc_int32 lock_err = err = k5_mutex_lock (&g_change_time_mutex); - + if (!err) { if (!in_identifier) { err = cci_check_error (err); } } - + if (!err) { if (g_change_time < in_new_change_time) { /* Only update if it increases the time. May be a different server. */ g_change_time = in_new_change_time; - cci_debug_printf ("%s: setting change time to %d", + cci_debug_printf ("%s: setting change time to %d", __FUNCTION__, in_new_change_time); } } - + if (!err) { err = cci_context_change_time_update_identifier (in_identifier, NULL, NULL, NULL); } - + if (!lock_err) { k5_mutex_unlock (&g_change_time_mutex); } @@ -167,43 +167,43 @@ cc_int32 cci_context_change_time_sync (cci_identifier_t in_new_identifier) cc_uint32 server_ids_match = 0; cc_uint32 server_was_running = 0; cc_uint32 server_is_running = 0; - + if (!err) { if (!in_new_identifier) { err = cci_check_error (err); } } - + if (!err) { err = cci_context_change_time_update_identifier (in_new_identifier, &server_ids_match, &server_was_running, &server_is_running); } - - if (!err && !server_ids_match) { + + if (!err && !server_ids_match) { /* Increment the change time so callers re-read */ - g_change_time_offset++; - + g_change_time_offset++; + /* If the server died, absorb the offset */ if (server_was_running && !server_is_running) { cc_time_t now = time (NULL); - + g_change_time += g_change_time_offset; g_change_time_offset = 0; - + /* Make sure the change time increases, ideally with the current time */ g_change_time = (g_change_time < now) ? now : g_change_time; } - + cci_debug_printf ("%s noticed server changed (" "server_was_running = %d; server_is_running = %d; " - "g_change_time = %d; g_change_time_offset = %d", - __FUNCTION__, server_was_running, server_is_running, - g_change_time, g_change_time_offset); + "g_change_time = %d; g_change_time_offset = %d", + __FUNCTION__, server_was_running, server_is_running, + g_change_time, g_change_time_offset); } - + if (!lock_err) { k5_mutex_unlock (&g_change_time_mutex); } - + return err; } diff --git a/src/ccapi/lib/ccapi_credentials.c b/src/ccapi/lib/ccapi_credentials.c index 6a3b4cb91..c94b551df 100644 --- a/src/ccapi/lib/ccapi_credentials.c +++ b/src/ccapi/lib/ccapi_credentials.c @@ -41,14 +41,14 @@ typedef struct cci_credentials_d { /* ------------------------------------------------------------------------ */ -struct cci_credentials_d cci_credentials_initializer = { - NULL, - NULL - VECTOR_FUNCTIONS_INITIALIZER, +struct cci_credentials_d cci_credentials_initializer = { + NULL, + NULL + VECTOR_FUNCTIONS_INITIALIZER, NULL }; -cc_credentials_f cci_credentials_f_initializer = { +cc_credentials_f cci_credentials_f_initializer = { ccapi_credentials_release, ccapi_credentials_compare }; @@ -65,43 +65,43 @@ cc_int32 cci_credentials_read (cc_credentials_t *out_credentials, { cc_int32 err = ccNoError; cci_credentials_t credentials = NULL; - + if (!out_credentials) { err = cci_check_error (ccErrBadParam); } if (!in_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { credentials = malloc (sizeof (*credentials)); - if (credentials) { + if (credentials) { *credentials = cci_credentials_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { credentials->functions = malloc (sizeof (*credentials->functions)); - if (credentials->functions) { + if (credentials->functions) { *credentials->functions = cci_credentials_f_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = cci_identifier_read (&credentials->identifier, in_stream); } - + if (!err) { err = cci_credentials_union_read (&credentials->data, in_stream); } - + if (!err) { *out_credentials = (cc_credentials_t) credentials; credentials = NULL; /* take ownership */ } - + if (credentials) { ccapi_credentials_release ((cc_credentials_t) credentials); } - + return cci_check_error (err); } @@ -112,14 +112,14 @@ cc_int32 cci_credentials_write (cc_credentials_t in_credentials, { cc_int32 err = ccNoError; cci_credentials_t credentials = (cci_credentials_t) in_credentials; - + if (!in_credentials) { err = cci_check_error (ccErrBadParam); } if (!in_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_write (credentials->identifier, in_stream); } - + return cci_check_error (err); } @@ -132,17 +132,17 @@ cc_int32 ccapi_credentials_compare (cc_credentials_t in_credentials, cc_int32 err = ccNoError; cci_credentials_t credentials = (cci_credentials_t) in_credentials; cci_credentials_t compare_to_credentials = (cci_credentials_t) in_compare_to_credentials; - + if (!in_credentials ) { err = cci_check_error (ccErrBadParam); } if (!in_compare_to_credentials) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_identifier_compare (credentials->identifier, + err = cci_identifier_compare (credentials->identifier, compare_to_credentials->identifier, out_equal); } - + return cci_check_error (err); } @@ -152,15 +152,15 @@ cc_int32 ccapi_credentials_release (cc_credentials_t io_credentials) { cc_int32 err = ccNoError; cci_credentials_t credentials = (cci_credentials_t) io_credentials; - + if (!io_credentials) { err = ccErrBadParam; } - + if (!err) { cci_credentials_union_release (credentials->data); free ((char *) credentials->functions); cci_identifier_release (credentials->identifier); free (credentials); } - + return err; } diff --git a/src/ccapi/lib/ccapi_credentials_iterator.c b/src/ccapi/lib/ccapi_credentials_iterator.c index 59ffc7c64..0ff614849 100644 --- a/src/ccapi/lib/ccapi_credentials_iterator.c +++ b/src/ccapi/lib/ccapi_credentials_iterator.c @@ -41,14 +41,14 @@ typedef struct cci_credentials_iterator_d { /* ------------------------------------------------------------------------ */ -struct cci_credentials_iterator_d cci_credentials_iterator_initializer = { - NULL - VECTOR_FUNCTIONS_INITIALIZER, +struct cci_credentials_iterator_d cci_credentials_iterator_initializer = { + NULL + VECTOR_FUNCTIONS_INITIALIZER, NULL, 0 }; -cc_credentials_iterator_f cci_credentials_iterator_f_initializer = { +cc_credentials_iterator_f cci_credentials_iterator_f_initializer = { ccapi_credentials_iterator_release, ccapi_credentials_iterator_next, ccapi_credentials_iterator_clone @@ -61,39 +61,39 @@ cc_int32 cci_credentials_iterator_new (cc_credentials_iterator_t *out_credential { cc_int32 err = ccNoError; cci_credentials_iterator_t credentials_iterator = NULL; - + if (!out_credentials_iterator) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { credentials_iterator = malloc (sizeof (*credentials_iterator)); - if (credentials_iterator) { + if (credentials_iterator) { *credentials_iterator = cci_credentials_iterator_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { credentials_iterator->functions = malloc (sizeof (*credentials_iterator->functions)); - if (credentials_iterator->functions) { + if (credentials_iterator->functions) { *credentials_iterator->functions = cci_credentials_iterator_f_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = cci_identifier_copy (&credentials_iterator->identifier, in_identifier); } - + if (!err) { *out_credentials_iterator = (cc_credentials_iterator_t) credentials_iterator; credentials_iterator = NULL; /* take ownership */ } - + if (credentials_iterator) { ccapi_credentials_iterator_release ((cc_credentials_iterator_t) credentials_iterator); } - + return cci_check_error (err); } @@ -104,14 +104,14 @@ cc_int32 cci_credentials_iterator_write (cc_credentials_iterator_t in_credential { cc_int32 err = ccNoError; cci_credentials_iterator_t credentials_iterator = (cci_credentials_iterator_t) in_credentials_iterator; - + if (!in_credentials_iterator) { err = cci_check_error (ccErrBadParam); } if (!in_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_write (credentials_iterator->identifier, in_stream); } - + return cci_check_error (err); } @@ -121,16 +121,16 @@ cc_int32 ccapi_credentials_iterator_release (cc_credentials_iterator_t io_creden { cc_int32 err = ccNoError; cci_credentials_iterator_t credentials_iterator = (cci_credentials_iterator_t) io_credentials_iterator; - + if (!io_credentials_iterator) { err = ccErrBadParam; } - + if (!err) { err = cci_ipc_send (cci_credentials_iterator_release_msg_id, credentials_iterator->identifier, NULL, NULL); if (err) { - cci_debug_printf ("%s: cci_ipc_send failed with error %d", + cci_debug_printf ("%s: cci_ipc_send failed with error %d", __FUNCTION__, err); err = ccNoError; } @@ -141,7 +141,7 @@ cc_int32 ccapi_credentials_iterator_release (cc_credentials_iterator_t io_creden cci_identifier_release (credentials_iterator->identifier); free (credentials_iterator); } - + return err; } @@ -153,23 +153,23 @@ cc_int32 ccapi_credentials_iterator_next (cc_credentials_iterator_t in_credenti cc_int32 err = ccNoError; cci_credentials_iterator_t credentials_iterator = (cci_credentials_iterator_t) in_credentials_iterator; k5_ipc_stream reply = NULL; - + if (!in_credentials_iterator) { err = cci_check_error (ccErrBadParam); } if (!out_credentials ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_credentials_iterator_next_msg_id, credentials_iterator->identifier, NULL, &reply); } - + if (!err) { err = cci_credentials_read (out_credentials, reply); } - + krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } @@ -182,28 +182,28 @@ cc_int32 ccapi_credentials_iterator_clone (cc_credentials_iterator_t in_credent cci_credentials_iterator_t credentials_iterator = (cci_credentials_iterator_t) in_credentials_iterator; k5_ipc_stream reply = NULL; cci_identifier_t identifier = NULL; - + if (!in_credentials_iterator ) { err = cci_check_error (ccErrBadParam); } if (!out_credentials_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ipc_send (cci_credentials_iterator_next_msg_id, credentials_iterator->identifier, NULL, &reply); } - + if (!err) { err = cci_identifier_read (&identifier, reply); } - + if (!err) { err = cci_credentials_iterator_new (out_credentials_iterator, identifier); } - + krb5int_ipc_stream_release (reply); cci_identifier_release (identifier); - + return cci_check_error (err); } @@ -218,14 +218,14 @@ cc_int32 cci_credentials_iterator_get_compat_version (cc_credentials_iterator_t { cc_int32 err = ccNoError; cci_credentials_iterator_t credentials_iterator = (cci_credentials_iterator_t) in_credentials_iterator; - + if (!in_credentials_iterator) { err = cci_check_error (ccErrBadParam); } if (!out_compat_version ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_compat_version = credentials_iterator->compat_version; } - + return cci_check_error (err); } @@ -236,12 +236,12 @@ cc_int32 cci_credentials_iterator_set_compat_version (cc_credentials_iterator_t { cc_int32 err = ccNoError; cci_credentials_iterator_t credentials_iterator = (cci_credentials_iterator_t) io_credentials_iterator; - + if (!io_credentials_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { credentials_iterator->compat_version = in_compat_version; } - + return cci_check_error (err); } diff --git a/src/ccapi/lib/ccapi_ipc.c b/src/ccapi/lib/ccapi_ipc.c index 8d8b2d209..54b5faa86 100644 --- a/src/ccapi/lib/ccapi_ipc.c +++ b/src/ccapi/lib/ccapi_ipc.c @@ -53,23 +53,23 @@ static cc_int32 _cci_ipc_send (enum cci_msg_id_t in_request_name, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; cc_int32 reply_error = 0; - + if (!in_identifier) { err = cci_check_error (ccErrBadParam); } /* in_request_data may be NULL */ /* out_reply_data may be NULL */ - + if (!err) { err = cci_message_new_request_header (&request, in_request_name, in_identifier); } - + if (!err && in_request_data) { - err = krb5int_ipc_stream_write (request, - krb5int_ipc_stream_data (in_request_data), + err = krb5int_ipc_stream_write (request, + krb5int_ipc_stream_data (in_request_data), krb5int_ipc_stream_size (in_request_data)); } - + if (!err) { err = cci_os_ipc (in_launch_server, request, &reply); @@ -77,19 +77,19 @@ static cc_int32 _cci_ipc_send (enum cci_msg_id_t in_request_name, err = cci_message_read_reply_header (reply, &reply_error); } } - - if (!err && reply_error) { + + if (!err && reply_error) { err = reply_error; } - + if (!err && out_reply_data) { *out_reply_data = reply; reply = NULL; /* take ownership */ } - + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); - + return cci_check_error (err); } diff --git a/src/ccapi/lib/ccapi_string.c b/src/ccapi/lib/ccapi_string.c index 4f4db6f43..d0386c3bb 100644 --- a/src/ccapi/lib/ccapi_string.c +++ b/src/ccapi/lib/ccapi_string.c @@ -28,13 +28,13 @@ /* ------------------------------------------------------------------------ */ -cc_string_d cci_string_d_initializer = { - NULL, - NULL +cc_string_d cci_string_d_initializer = { + NULL, + NULL VECTOR_FUNCTIONS_INITIALIZER }; -cc_string_f cci_string_f_initializer = { - ccapi_string_release +cc_string_f cci_string_f_initializer = { + ccapi_string_release }; /* ------------------------------------------------------------------------ */ @@ -44,43 +44,43 @@ cc_int32 cci_string_new (cc_string_t *out_string, { cc_int32 err = ccNoError; cc_string_t string = NULL; - + if (!out_string) { err = cci_check_error (ccErrBadParam); } if (!in_cstring) { err = cci_check_error (ccErrBadParam); } - + if (!err) { string = malloc (sizeof (*string)); - if (string) { + if (string) { *string = cci_string_d_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } if (!err) { string->functions = malloc (sizeof (*string->functions)); - if (string->functions) { + if (string->functions) { *((cc_string_f *) string->functions) = cci_string_f_initializer; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (!err) { string->data = strdup (in_cstring); - if (!string->data) { - err = cci_check_error (ccErrNoMem); + if (!string->data) { + err = cci_check_error (ccErrNoMem); } - + } - + if (!err) { *out_string = string; string = NULL; /* take ownership */ } - + if (string) { ccapi_string_release (string); } - + return cci_check_error (err); } @@ -89,14 +89,14 @@ cc_int32 cci_string_new (cc_string_t *out_string, cc_int32 ccapi_string_release (cc_string_t in_string) { cc_int32 err = ccNoError; - + if (!in_string) { err = ccErrBadParam; } - + if (!err) { free ((char *) in_string->data); free ((char *) in_string->functions); free (in_string); } - + return err; } diff --git a/src/ccapi/lib/ccapi_v2.c b/src/ccapi/lib/ccapi_v2.c index 08100481b..04edd863e 100644 --- a/src/ccapi/lib/ccapi_v2.c +++ b/src/ccapi/lib/ccapi_v2.c @@ -38,47 +38,47 @@ infoNC infoNC_initializer = { NULL, NULL, CC_CRED_UNKNOWN }; /* ------------------------------------------------------------------------ */ static cc_int32 cci_remap_version (cc_int32 in_v2_version, - cc_uint32 *out_v3_version) + cc_uint32 *out_v3_version) { cc_result err = ccNoError; - + if (!out_v3_version) { err = cci_check_error (ccErrBadParam); } - + if (!err) { if (in_v2_version == CC_CRED_V4) { *out_v3_version = cc_credentials_v4; - - } else if (in_v2_version == CC_CRED_V5) { + + } else if (in_v2_version == CC_CRED_V5) { *out_v3_version = cc_credentials_v5; - + } else { err = ccErrBadCredentialsVersion; } } - + return cci_check_error (err); -} +} /* ------------------------------------------------------------------------ */ -static cc_result _cci_remap_error (cc_result in_error, - const char *in_function, - const char *in_file, - int in_line) +static cc_result _cci_remap_error (cc_result in_error, + const char *in_function, + const char *in_file, + int in_line) { _cci_check_error (in_error, in_function, in_file, in_line); - + if (in_error >= CC_NOERROR && in_error <= CC_ERR_CRED_VERSION) { return in_error; } - + switch (in_error) { case ccNoError: return CC_NOERROR; - + case ccIteratorEnd: return CC_END; - + case ccErrBadParam: case ccErrContextNotFound: case ccErrInvalidContext: @@ -88,42 +88,42 @@ static cc_result _cci_remap_error (cc_result in_error, case ccErrInvalidLock: case ccErrBadLockType: return CC_BAD_PARM; - + case ccErrNoMem: return CC_NOMEM; - + case ccErrInvalidCCache: case ccErrCCacheNotFound: return CC_NO_EXIST; - + case ccErrCredentialsNotFound: return CC_NOTFOUND; - + case ccErrBadName: return CC_BADNAME; - + case ccErrBadCredentialsVersion: return CC_ERR_CRED_VERSION; - + case ccErrBadAPIVersion: return CC_BAD_API_VERSION; - + case ccErrContextLocked: case ccErrContextUnlocked: case ccErrCCacheLocked: case ccErrCCacheUnlocked: return CC_LOCKED; - + case ccErrServerUnavailable: case ccErrServerInsecure: case ccErrServerCantBecomeUID: case ccErrBadInternalMessage: case ccErrClientNotFound: return CC_IO; - + case ccErrNotImplemented: return CC_NOT_SUPP; - + default: cci_debug_printf ("%s(): Unhandled error", __FUNCTION__); return CC_BAD_PARM; @@ -138,37 +138,37 @@ static cc_result _cci_remap_error (cc_result in_error, /* ------------------------------------------------------------------------ */ -cc_result cc_shutdown (apiCB **io_context) +cc_result cc_shutdown (apiCB **io_context) { cc_result err = ccNoError; - + if (!io_context) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_context_release (*io_context); } - + if (!err) { *io_context = NULL; } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_get_change_time (apiCB *in_context, - cc_time_t *out_change_time) + cc_time_t *out_change_time) { cc_result err = ccNoError; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!out_change_time) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_context_get_change_time (in_context, out_change_time); } - + return cci_remap_error (err); } @@ -181,86 +181,86 @@ cc_result cc_get_NC_info (apiCB *in_context, infoNC **info = NULL; cc_uint64 count = 0; /* Preflight the size */ cc_uint64 i; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!out_info ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { ccache_cit *iterator = NULL; - + err = cc_seq_fetch_NCs_begin (in_context, &iterator); - + while (!err) { ccache_p *ccache = NULL; - + err = cc_seq_fetch_NCs_next (in_context, &ccache, iterator); - + if (!err) { count++; } - + if (ccache) { cc_close (in_context, &ccache); } } if (err == CC_END) { err = CC_NOERROR; } - + if (!err) { err = cc_seq_fetch_NCs_end (in_context, &iterator); - } + } } - + if (!err) { info = malloc (sizeof (*info) * (count + 1)); - if (info) { + if (info) { for (i = 0; i < count + 1; i++) { info[i] = NULL; } - } else { - err = cci_check_error (CC_NOMEM); + } else { + err = cci_check_error (CC_NOMEM); } } - + if (!err) { ccache_cit *iterator = NULL; - + err = cc_seq_fetch_NCs_begin (in_context, &iterator); - + for (i = 0; !err && i < count; i++) { ccache_p *ccache = NULL; - + err = cc_seq_fetch_NCs_next (in_context, &ccache, iterator); - + if (!err) { info[i] = malloc (sizeof (*info[i])); - if (info[i]) { - *info[i] = infoNC_initializer; + if (info[i]) { + *info[i] = infoNC_initializer; } else { - err = cci_check_error (CC_NOMEM); + err = cci_check_error (CC_NOMEM); } } - + if (!err) { err = cc_get_name (in_context, ccache, &info[i]->name); } - + if (!err) { err = cc_get_principal (in_context, ccache, &info[i]->principal); } - + if (!err) { err = cc_get_cred_version (in_context, ccache, &info[i]->vers); } - + if (ccache) { cc_close (in_context, &ccache); } } - + if (!err) { err = cc_seq_fetch_NCs_end (in_context, &iterator); } } - + if (!err) { *out_info = info; info = NULL; } - + if (info) { cc_free_NC_info (in_context, &info); } - + return cci_check_error (err); } @@ -274,17 +274,17 @@ cc_int32 cc_open (apiCB *in_context, const char *in_name, cc_int32 in_version, cc_uint32 in_flags, - ccache_p **out_ccache) -{ + ccache_p **out_ccache) +{ cc_result err = ccNoError; cc_ccache_t ccache = NULL; cc_uint32 compat_version; cc_uint32 real_version; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!in_name ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_remap_version (in_version, &compat_version); } @@ -292,15 +292,15 @@ cc_int32 cc_open (apiCB *in_context, if (!err) { err = ccapi_context_open_ccache (in_context, in_name, &ccache); } - + /* We must not allow a CCAPI v2 caller to open a v5-only ccache - as a v4 ccache and vice versa. Allowing that would break + as a v4 ccache and vice versa. Allowing that would break (valid) assumptions made by CCAPI v2 callers. */ - + if (!err) { err = ccapi_ccache_get_credentials_version (ccache, &real_version); - } - + } + if (!err) { /* check the version and set up the ccache to use it */ if (compat_version & real_version) { @@ -309,16 +309,16 @@ cc_int32 cc_open (apiCB *in_context, err = ccErrBadCredentialsVersion; } } - + if (!err) { *out_ccache = ccache; ccache = NULL; } - + if (ccache) { ccapi_ccache_release (ccache); } - + return cci_remap_error (err); -} +} /* ------------------------------------------------------------------------ */ @@ -327,78 +327,78 @@ cc_result cc_create (apiCB *in_context, const char *in_principal, cc_int32 in_version, cc_uint32 in_flags, - ccache_p **out_ccache) + ccache_p **out_ccache) { cc_result err = ccNoError; cc_ccache_t ccache = NULL; cc_uint32 compat_version; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!in_name ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_remap_version (in_version, &compat_version); } - + if (!err) { err = ccapi_context_create_ccache (in_context, in_name, compat_version, in_principal, &ccache); } - + if (!err) { err = cci_ccache_set_compat_version (ccache, compat_version); } - + if (!err) { *out_ccache = ccache; ccache = NULL; } - + if (ccache) { ccapi_ccache_release (ccache); } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_close (apiCB *in_context, - ccache_p **io_ccache) + ccache_p **io_ccache) { cc_result err = ccNoError; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_ccache_release (*io_ccache); } - + if (!err) { *io_ccache = NULL; } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_destroy (apiCB *in_context, - ccache_p **io_ccache) + ccache_p **io_ccache) { cc_result err = ccNoError; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_ccache_destroy (*io_ccache); } - + if (!err) { *io_ccache = NULL; } - + return cci_remap_error (err); } @@ -406,63 +406,63 @@ cc_result cc_destroy (apiCB *in_context, cc_result cc_get_name (apiCB *in_context, ccache_p *in_ccache, - char **out_name) + char **out_name) { cc_result err = ccNoError; cc_string_t name = NULL; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_name ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_ccache_get_name (in_ccache, &name); } - + if (!err) { char *string = strdup (name->data); - if (string) { + if (string) { *out_name = string; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (name) { ccapi_string_release (name); } - - return cci_remap_error (err); + + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_get_cred_version (apiCB *in_context, ccache_p *in_ccache, - cc_int32 *out_version) + cc_int32 *out_version) { cc_result err = ccNoError; cc_uint32 compat_version; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_version) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ccache_get_compat_version (in_ccache, &compat_version); } - + if (!err) { if (compat_version == cc_credentials_v4) { *out_version = CC_CRED_V4; - - } else if (compat_version == cc_credentials_v5) { + + } else if (compat_version == cc_credentials_v5) { *out_version = CC_CRED_V5; - + } else { err = ccErrBadCredentialsVersion; } } - - return cci_remap_error (err); + + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ @@ -470,16 +470,16 @@ cc_result cc_get_cred_version (apiCB *in_context, cc_result cc_set_principal (apiCB *in_context, ccache_p *io_ccache, cc_int32 in_version, - char *in_principal) + char *in_principal) { cc_result err = ccNoError; cc_uint32 version; cc_uint32 compat_version; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_principal) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_remap_version (in_version, &version); } @@ -487,75 +487,75 @@ cc_result cc_set_principal (apiCB *in_context, if (!err) { err = cci_ccache_get_compat_version (io_ccache, &compat_version); } - + if (!err && version != compat_version) { err = cci_check_error (ccErrBadCredentialsVersion); } - + if (!err) { err = ccapi_ccache_set_principal (io_ccache, version, in_principal); } - - return cci_remap_error (err); + + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_get_principal (apiCB *in_context, ccache_p *in_ccache, - char **out_principal) + char **out_principal) { cc_result err = ccNoError; cc_uint32 compat_version; cc_string_t principal = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_principal) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_ccache_get_compat_version (in_ccache, &compat_version); } - + if (!err) { err = ccapi_ccache_get_principal (in_ccache, compat_version, &principal); } - + if (!err) { char *string = strdup (principal->data); - if (string) { + if (string) { *out_principal = string; - } else { - err = cci_check_error (ccErrNoMem); + } else { + err = cci_check_error (ccErrNoMem); } } - + if (principal) { ccapi_string_release (principal); } - - return cci_remap_error (err); + + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_store (apiCB *in_context, ccache_p *io_ccache, - cred_union in_credentials) + cred_union in_credentials) { cc_result err = ccNoError; cc_credentials_union *creds_union = NULL; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_cred_union_to_credentials_union (&in_credentials, &creds_union); } - + if (!err) { err = ccapi_ccache_store_credentials (io_ccache, creds_union); } - + if (creds_union) { cci_credentials_union_release (creds_union); } return cci_remap_error (err); } @@ -564,39 +564,39 @@ cc_result cc_store (apiCB *in_context, cc_result cc_remove_cred (apiCB *in_context, ccache_p *in_ccache, - cred_union in_credentials) + cred_union in_credentials) { cc_result err = ccNoError; cc_credentials_iterator_t iterator = NULL; cc_uint32 found = 0; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_ccache_new_credentials_iterator (in_ccache, &iterator); } - + while (!err && !found) { cc_credentials_t creds = NULL; - + err = ccapi_credentials_iterator_next (iterator, &creds); - + if (!err) { - err = cci_cred_union_compare_to_credentials_union (&in_credentials, + err = cci_cred_union_compare_to_credentials_union (&in_credentials, creds->data, &found); } - + if (!err && found) { err = ccapi_ccache_remove_credentials (in_ccache, creds); } - + ccapi_credentials_release (creds); } if (err == ccIteratorEnd) { err = cci_check_error (ccErrCredentialsNotFound); } - - return cci_remap_error (err); + + return cci_remap_error (err); } #if TARGET_OS_MAC @@ -606,25 +606,25 @@ cc_result cc_remove_cred (apiCB *in_context, /* ------------------------------------------------------------------------ */ cc_result cc_seq_fetch_NCs_begin (apiCB *in_context, - ccache_cit **out_iterator) + ccache_cit **out_iterator) { cc_result err = ccNoError; cc_ccache_iterator_t iterator = NULL; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!out_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_context_new_ccache_iterator (in_context, &iterator); } - + if (!err) { *out_iterator = (ccache_cit *) iterator; iterator = NULL; /* take ownership */ } - + if (iterator) { ccapi_ccache_iterator_release (iterator); } - + return cci_remap_error (err); } @@ -632,17 +632,17 @@ cc_result cc_seq_fetch_NCs_begin (apiCB *in_context, cc_result cc_seq_fetch_NCs_next (apiCB *in_context, ccache_p **out_ccache, - ccache_cit *in_iterator) + ccache_cit *in_iterator) { cc_result err = ccNoError; cc_ccache_iterator_t iterator = (cc_ccache_iterator_t) in_iterator; cc_ccache_t ccache = NULL; const char *saved_ccache_name; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_iterator) { err = cci_check_error (ccErrBadParam); } - + /* CCache iterators need to return some ccaches twice (when v3 ccache has * two kinds of credentials). To do that, we return such ccaches twice * v4 first, then v5. */ @@ -651,82 +651,82 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context, err = cci_ccache_iterator_get_saved_ccache_name (iterator, &saved_ccache_name); } - + if (!err) { if (saved_ccache_name) { - err = ccapi_context_open_ccache (in_context, saved_ccache_name, + err = ccapi_context_open_ccache (in_context, saved_ccache_name, &ccache); - + if (!err) { err = cci_ccache_set_compat_version (ccache, cc_credentials_v5); } - + if (!err) { err = cci_ccache_iterator_set_saved_ccache_name (iterator, NULL); } - + } else { cc_uint32 version = 0; - + err = ccapi_ccache_iterator_next (iterator, &ccache); - + if (!err) { err = ccapi_ccache_get_credentials_version (ccache, &version); } - + if (!err) { if (version == cc_credentials_v4_v5) { cc_string_t name = NULL; - + err = cci_ccache_set_compat_version (ccache, cc_credentials_v4); - - if (!err) { + + if (!err) { err = ccapi_ccache_get_name (ccache, &name); - } - + } + if (!err) { - err = cci_ccache_iterator_set_saved_ccache_name (iterator, + err = cci_ccache_iterator_set_saved_ccache_name (iterator, name->data); } - + if (name) { ccapi_string_release (name); } - + } else { err = cci_ccache_set_compat_version (ccache, version); } } } } - + if (!err) { *out_ccache = ccache; ccache = NULL; /* take ownership */ } - + if (ccache) { ccapi_ccache_release (ccache); } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_seq_fetch_NCs_end (apiCB *in_context, - ccache_cit **io_iterator) + ccache_cit **io_iterator) { cc_result err = ccNoError; cc_ccache_iterator_t iterator = (cc_ccache_iterator_t) *io_iterator; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!io_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_ccache_iterator_release (iterator); } - + if (!err) { *io_iterator = NULL; } - + return cci_remap_error (err); } @@ -738,38 +738,38 @@ cc_result cc_seq_fetch_NCs_end (apiCB *in_context, cc_result cc_seq_fetch_creds_begin (apiCB *in_context, const ccache_p *in_ccache, - ccache_cit **out_iterator) + ccache_cit **out_iterator) { cc_result err = ccNoError; cc_credentials_iterator_t iterator = NULL; cc_uint32 compat_version; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!out_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_ccache_get_compat_version ((cc_ccache_t) in_ccache, + err = cci_ccache_get_compat_version ((cc_ccache_t) in_ccache, &compat_version); } - + if (!err) { - err = ccapi_ccache_new_credentials_iterator ((cc_ccache_t) in_ccache, + err = ccapi_ccache_new_credentials_iterator ((cc_ccache_t) in_ccache, &iterator); } - + if (!err) { - err = cci_credentials_iterator_set_compat_version (iterator, + err = cci_credentials_iterator_set_compat_version (iterator, compat_version); } - + if (!err) { *out_iterator = (ccache_cit *) iterator; iterator = NULL; /* take ownership */ } - + if (iterator) { ccapi_credentials_iterator_release (iterator); } - + return cci_remap_error (err); } @@ -777,58 +777,58 @@ cc_result cc_seq_fetch_creds_begin (apiCB *in_context, cc_result cc_seq_fetch_creds_next (apiCB *in_context, cred_union **out_creds, - ccache_cit *in_iterator) + ccache_cit *in_iterator) { cc_result err = ccNoError; cc_credentials_iterator_t iterator = (cc_credentials_iterator_t) in_iterator; cc_uint32 compat_version; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!out_creds ) { err = cci_check_error (ccErrBadParam); } if (!in_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_credentials_iterator_get_compat_version (iterator, + err = cci_credentials_iterator_get_compat_version (iterator, &compat_version); } while (!err) { cc_credentials_t credentials = NULL; - + err = ccapi_credentials_iterator_next (iterator, &credentials); - + if (!err && (credentials->data->version & compat_version)) { /* got the next credentials for the correct version */ - err = cci_credentials_union_to_cred_union (credentials->data, + err = cci_credentials_union_to_cred_union (credentials->data, out_creds); break; } - + if (credentials) { ccapi_credentials_release (credentials); } } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_seq_fetch_creds_end (apiCB *in_context, - ccache_cit **io_iterator) + ccache_cit **io_iterator) { cc_result err = ccNoError; cc_credentials_iterator_t iterator = (cc_credentials_iterator_t) *io_iterator; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!io_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccapi_credentials_iterator_release (iterator); } - + if (!err) { *io_iterator = NULL; } - + return cci_remap_error (err); } @@ -839,80 +839,80 @@ cc_result cc_seq_fetch_creds_end (apiCB *in_context, /* ------------------------------------------------------------------------ */ cc_result cc_free_principal (apiCB *in_context, - char **io_principal) + char **io_principal) { cc_result err = ccNoError; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!io_principal) { err = cci_check_error (ccErrBadParam); } - + if (!err) { free (*io_principal); *io_principal = NULL; } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_free_name (apiCB *in_context, - char **io_name) -{ + char **io_name) +{ cc_result err = ccNoError; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!io_name ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { free (*io_name); *io_name = NULL; } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_free_creds (apiCB *in_context, - cred_union **io_credentials) + cred_union **io_credentials) { cc_result err = ccNoError; - + if (!in_context ) { err = cci_check_error (ccErrBadParam); } if (!io_credentials) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_cred_union_release (*io_credentials); - if (!err) { *io_credentials = NULL; } + if (!err) { *io_credentials = NULL; } } - + return cci_remap_error (err); } /* ------------------------------------------------------------------------ */ cc_result cc_free_NC_info (apiCB *in_context, - infoNC ***io_info) -{ + infoNC ***io_info) +{ cc_result err = ccNoError; - + if (!in_context) { err = cci_check_error (ccErrBadParam); } if (!io_info ) { err = cci_check_error (ccErrBadParam); } - + if (!err && *io_info) { infoNC **data = *io_info; int i; - + for (i = 0; data[i] != NULL; i++) { cc_free_principal (in_context, &data[i]->principal); cc_free_name (in_context, &data[i]->name); free (data[i]); } free (data); - + *io_info = NULL; } - + return cci_remap_error (err); } diff --git a/src/ccapi/lib/mac/ccapi_vector.c b/src/ccapi/lib/mac/ccapi_vector.c index ea749c089..3893bc9b3 100644 --- a/src/ccapi/lib/mac/ccapi_vector.c +++ b/src/ccapi/lib/mac/ccapi_vector.c @@ -173,7 +173,7 @@ cc_int32 __cc_context_open_default_ccache_vector (cc_context_t in_context, cc_int32 __cc_context_create_ccache_vector (cc_context_t in_context, const char *in_name, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache) { cc_int32 err = ccNoError; @@ -188,7 +188,7 @@ cc_int32 __cc_context_create_ccache_vector (cc_context_t in_context, cc_int32 __cc_context_create_default_ccache_vector (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache) { cc_int32 err = ccNoError; @@ -202,7 +202,7 @@ cc_int32 __cc_context_create_default_ccache_vector (cc_context_t in_context, cc_int32 __cc_context_create_new_ccache_vector (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache) { cc_int32 err = ccNoError; @@ -632,7 +632,7 @@ cc_int32 __cc_seq_fetch_NCs_begin_vector (apiCB *in_context, cc_int32 __cc_seq_fetch_NCs_next_vector (apiCB *in_context, ccache_p **out_ccache, - ccache_cit *in_iterator) + ccache_cit *in_iterator) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -660,7 +660,7 @@ cc_int32 __cc_seq_fetch_NCs_end_vector (apiCB *in_context, cc_int32 __cc_get_name_vector (apiCB *in_context, ccache_p *in_ccache, - char **out_name) + char **out_name) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -675,7 +675,7 @@ cc_int32 __cc_get_name_vector (apiCB *in_context, cc_int32 __cc_get_cred_version_vector (apiCB *in_context, ccache_p *in_ccache, - cc_int32 *out_version) + cc_int32 *out_version) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -691,7 +691,7 @@ cc_int32 __cc_get_cred_version_vector (apiCB *in_context, cc_int32 __cc_set_principal_vector (apiCB *in_context, ccache_p *io_ccache, cc_int32 in_version, - char *in_principal) + char *in_principal) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -736,7 +736,7 @@ cc_int32 __cc_store_vector (apiCB *in_context, cc_int32 __cc_remove_cred_vector (apiCB *in_context, ccache_p *in_ccache, - cred_union in_credentials) + cred_union in_credentials) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -751,7 +751,7 @@ cc_int32 __cc_remove_cred_vector (apiCB *in_context, cc_int32 __cc_seq_fetch_creds_begin_vector (apiCB *in_context, const ccache_p *in_ccache, - ccache_cit **out_iterator) + ccache_cit **out_iterator) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -766,7 +766,7 @@ cc_int32 __cc_seq_fetch_creds_begin_vector (apiCB *in_context, cc_int32 __cc_seq_fetch_creds_next_vector (apiCB *in_context, cred_union **out_creds, - ccache_cit *in_iterator) + ccache_cit *in_iterator) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -780,7 +780,7 @@ cc_int32 __cc_seq_fetch_creds_next_vector (apiCB *in_context, /* ------------------------------------------------------------------------ */ cc_int32 __cc_seq_fetch_creds_end_vector (apiCB *in_context, - ccache_cit **io_iterator) + ccache_cit **io_iterator) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -793,7 +793,7 @@ cc_int32 __cc_seq_fetch_creds_end_vector (apiCB *in_context, /* ------------------------------------------------------------------------ */ cc_int32 __cc_free_principal_vector (apiCB *in_context, - char **io_principal) + char **io_principal) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); @@ -805,7 +805,7 @@ cc_int32 __cc_free_principal_vector (apiCB *in_context, /* ------------------------------------------------------------------------ */ cc_int32 __cc_free_name_vector (apiCB *in_context, - char **io_name) + char **io_name) { cc_int32 err = ccNoError; cci_swap_context_functions (in_context); diff --git a/src/ccapi/lib/mac/ccapi_vector.h b/src/ccapi/lib/mac/ccapi_vector.h index 80840f111..4bce9a358 100644 --- a/src/ccapi/lib/mac/ccapi_vector.h +++ b/src/ccapi/lib/mac/ccapi_vector.h @@ -52,17 +52,17 @@ cc_int32 __cc_context_open_default_ccache_vector (cc_context_t in_context, cc_int32 __cc_context_create_ccache_vector (cc_context_t in_context, const char *in_name, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); cc_int32 __cc_context_create_default_ccache_vector (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); cc_int32 __cc_context_create_new_ccache_vector (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); cc_int32 __cc_context_new_ccache_iterator_vector (cc_context_t in_context, @@ -174,23 +174,23 @@ cc_int32 __cc_seq_fetch_NCs_begin_vector (apiCB *in_context, cc_int32 __cc_seq_fetch_NCs_next_vector (apiCB *in_context, ccache_p **out_ccache, - ccache_cit *in_iterator); + ccache_cit *in_iterator); cc_int32 __cc_seq_fetch_NCs_end_vector (apiCB *in_context, ccache_cit **io_iterator); cc_int32 __cc_get_name_vector (apiCB *in_context, ccache_p *in_ccache, - char **out_name); + char **out_name); cc_int32 __cc_get_cred_version_vector (apiCB *in_context, ccache_p *in_ccache, - cc_int32 *out_version); + cc_int32 *out_version); cc_int32 __cc_set_principal_vector (apiCB *in_context, ccache_p *io_ccache, cc_int32 in_version, - char *in_principal); + char *in_principal); cc_int32 __cc_get_principal_vector (apiCB *in_context, ccache_p *in_ccache, @@ -202,24 +202,24 @@ cc_int32 __cc_store_vector (apiCB *in_context, cc_int32 __cc_remove_cred_vector (apiCB *in_context, ccache_p *in_ccache, - cred_union in_credentials); + cred_union in_credentials); cc_int32 __cc_seq_fetch_creds_begin_vector (apiCB *in_context, const ccache_p *in_ccache, - ccache_cit **out_iterator); + ccache_cit **out_iterator); cc_int32 __cc_seq_fetch_creds_next_vector (apiCB *in_context, cred_union **out_creds, - ccache_cit *in_iterator); + ccache_cit *in_iterator); cc_int32 __cc_seq_fetch_creds_end_vector (apiCB *in_context, - ccache_cit **io_iterator); + ccache_cit **io_iterator); cc_int32 __cc_free_principal_vector (apiCB *in_context, - char **io_principal); + char **io_principal); cc_int32 __cc_free_name_vector (apiCB *in_context, - char **io_name); + char **io_name); cc_int32 __cc_free_creds_vector (apiCB *in_context, cred_union **io_credentials); diff --git a/src/ccapi/lib/win/OldCC/ccapi.h b/src/ccapi/lib/win/OldCC/ccapi.h index c40bd1158..82512771a 100644 --- a/src/ccapi/lib/win/OldCC/ccapi.h +++ b/src/ccapi/lib/win/OldCC/ccapi.h @@ -1,5 +1,3 @@ - - /* this ALWAYS GENERATED file contains the definitions for the interfaces */ @@ -9,8 +7,8 @@ /* Compiler settings for ccapi.idl: Oic, W1, Zp8, env=Win32 (32b run) protocol : dce , ms_ext, c_ext, oldnames - error checks: allocation ref bounds_check enum stub_data - VC __declspec() decoration level: + error checks: allocation ref bounds_check enum stub_data + VC __declspec() decoration level: __declspec(uuid()), __declspec(selectany), __declspec(novtable) DECLSPEC_UUID(), MIDL_INTERFACE() */ @@ -34,20 +32,20 @@ #pragma once #endif -/* Forward Declarations */ +/* Forward Declarations */ #ifdef __cplusplus extern "C"{ -#endif +#endif void * __RPC_USER MIDL_user_allocate(size_t); -void __RPC_USER MIDL_user_free( void * ); +void __RPC_USER MIDL_user_free( void * ); #ifndef __ccapi_INTERFACE_DEFINED__ #define __ccapi_INTERFACE_DEFINED__ /* interface ccapi */ -/* [implicit_handle][unique][version][uuid] */ +/* [implicit_handle][unique][version][uuid] */ typedef /* [context_handle] */ struct opaque_handle_CTX *HCTX; @@ -157,17 +155,17 @@ typedef struct _CRED_UNION /* [switch_is] */ CRED_PTR_UNION cred; } CRED_UNION; -CC_INT32 rcc_initialize( +CC_INT32 rcc_initialize( /* [out] */ HCTX *pctx); -CC_INT32 rcc_shutdown( +CC_INT32 rcc_shutdown( /* [out][in] */ HCTX *pctx); -CC_INT32 rcc_get_change_time( +CC_INT32 rcc_get_change_time( /* [in] */ HCTX ctx, /* [out] */ CC_TIME_T *time); -CC_INT32 rcc_create( +CC_INT32 rcc_create( /* [in] */ HCTX ctx, /* [string][in] */ const CC_CHAR *name, /* [string][in] */ const CC_CHAR *principal, @@ -175,85 +173,85 @@ CC_INT32 rcc_create( /* [in] */ CC_UINT32 flags, /* [out] */ HCACHE *pcache); -CC_INT32 rcc_open( +CC_INT32 rcc_open( /* [in] */ HCTX ctx, /* [string][in] */ const CC_CHAR *name, /* [in] */ CC_INT32 vers, /* [in] */ CC_UINT32 flags, /* [out] */ HCACHE *pcache); -CC_INT32 rcc_close( +CC_INT32 rcc_close( /* [out][in] */ HCACHE *pcache); -CC_INT32 rcc_destroy( +CC_INT32 rcc_destroy( /* [out][in] */ HCACHE *pcache); -CC_INT32 rcc_seq_fetch_NCs_begin( +CC_INT32 rcc_seq_fetch_NCs_begin( /* [in] */ HCTX ctx, /* [out] */ HCACHE_ITER *piter); -CC_INT32 rcc_seq_fetch_NCs_end( +CC_INT32 rcc_seq_fetch_NCs_end( /* [out][in] */ HCACHE_ITER *piter); -CC_INT32 rcc_seq_fetch_NCs_next( +CC_INT32 rcc_seq_fetch_NCs_next( /* [in] */ HCACHE_ITER iter, /* [out] */ HCACHE *pcache); -CC_INT32 rcc_seq_fetch_NCs( +CC_INT32 rcc_seq_fetch_NCs( /* [in] */ HCTX ctx, /* [out][in] */ HCACHE_ITER *piter, /* [out] */ HCACHE *pcache); -CC_INT32 rcc_get_NC_info( +CC_INT32 rcc_get_NC_info( /* [in] */ HCTX ctx, /* [out] */ NC_INFO_LIST **info_list); -CC_INT32 rcc_get_name( +CC_INT32 rcc_get_name( /* [in] */ HCACHE cache, /* [string][out] */ CC_CHAR **name); -CC_INT32 rcc_set_principal( +CC_INT32 rcc_set_principal( /* [in] */ HCACHE cache, /* [in] */ CC_INT32 vers, /* [string][in] */ const CC_CHAR *principal); -CC_INT32 rcc_get_principal( +CC_INT32 rcc_get_principal( /* [in] */ HCACHE cache, /* [string][out] */ CC_CHAR **principal); -CC_INT32 rcc_get_cred_version( +CC_INT32 rcc_get_cred_version( /* [in] */ HCACHE cache, /* [out] */ CC_INT32 *vers); -CC_INT32 rcc_lock_request( +CC_INT32 rcc_lock_request( /* [in] */ HCACHE cache, /* [in] */ CC_INT32 lock_type); -CC_INT32 rcc_store( +CC_INT32 rcc_store( /* [in] */ HCACHE cache, /* [in] */ CRED_UNION cred); -CC_INT32 rcc_remove_cred( +CC_INT32 rcc_remove_cred( /* [in] */ HCACHE cache, /* [in] */ CRED_UNION cred); -CC_INT32 rcc_seq_fetch_creds( +CC_INT32 rcc_seq_fetch_creds( /* [in] */ HCACHE cache, /* [out][in] */ HCRED_ITER *piter, /* [out] */ CRED_UNION **cred); -CC_INT32 rcc_seq_fetch_creds_begin( +CC_INT32 rcc_seq_fetch_creds_begin( /* [in] */ HCACHE cache, /* [out] */ HCRED_ITER *piter); -CC_INT32 rcc_seq_fetch_creds_end( +CC_INT32 rcc_seq_fetch_creds_end( /* [out][in] */ HCRED_ITER *piter); -CC_INT32 rcc_seq_fetch_creds_next( +CC_INT32 rcc_seq_fetch_creds_next( /* [in] */ HCRED_ITER iter, /* [out] */ CRED_UNION **cred); -CC_UINT32 Connect( +CC_UINT32 Connect( /* [string][in] */ CC_CHAR *name); void Shutdown( void); @@ -280,5 +278,3 @@ void __RPC_USER HCRED_ITER_rundown( HCRED_ITER ); #endif #endif - - diff --git a/src/ccapi/lib/win/ccs_reply_proc.c b/src/ccapi/lib/win/ccs_reply_proc.c index b3ef3f740..4ac8940ae 100644 --- a/src/ccapi/lib/win/ccs_reply_proc.c +++ b/src/ccapi/lib/win/ccs_reply_proc.c @@ -52,7 +52,7 @@ void ccs_rpc_request_reply( #if 0 cci_debug_printf("%s! msg#:%d SST:%ld uuid:%s", __FUNCTION__, rpcmsg, srvStartTime, uuid); #endif - if (!status) { + if (!status) { status = krb5int_ipc_stream_new (&stream); /* Create a stream for the request data */ } diff --git a/src/ccapi/lib/win/dllmain.h b/src/ccapi/lib/win/dllmain.h index abf6afd4a..a43262d52 100644 --- a/src/ccapi/lib/win/dllmain.h +++ b/src/ccapi/lib/win/dllmain.h @@ -29,7 +29,7 @@ #include "windows.h" -#ifdef __cplusplus // If used by C++ code, +#ifdef __cplusplus // If used by C++ code, extern "C" { // we need to export the C interface #endif @@ -39,4 +39,4 @@ DWORD GetTlsIndex(); } #endif -#endif _dll_h \ No newline at end of file +#endif _dll_h diff --git a/src/ccapi/server/ccs_array.c b/src/ccapi/server/ccs_array.c index d5dd4adb2..c5fb4f3b5 100644 --- a/src/ccapi/server/ccs_array.c +++ b/src/ccapi/server/ccs_array.c @@ -31,7 +31,7 @@ static cc_int32 ccs_client_object_release (cci_array_object_t io_client) { - return cci_check_error (ccs_client_release ((ccs_client_t) io_client)); + return cci_check_error (ccs_client_release ((ccs_client_t) io_client)); } /* ------------------------------------------------------------------------ */ @@ -88,7 +88,7 @@ cc_int32 ccs_client_array_remove (ccs_client_array_t io_array, static cc_int32 ccs_lock_object_release (cci_array_object_t io_lock) { - return cci_check_error (ccs_lock_release ((ccs_lock_t) io_lock)); + return cci_check_error (ccs_lock_release ((ccs_lock_t) io_lock)); } /* ------------------------------------------------------------------------ */ @@ -154,7 +154,7 @@ cc_int32 ccs_lock_array_move (ccs_lock_array_t io_array, static cc_int32 ccs_callback_object_release (cci_array_object_t io_callback) { - return cci_check_error (ccs_callback_release ((ccs_callback_t) io_callback)); + return cci_check_error (ccs_callback_release ((ccs_callback_t) io_callback)); } /* ------------------------------------------------------------------------ */ @@ -286,7 +286,7 @@ cc_uint64 ccs_iteratorref_array_count (ccs_iteratorref_array_t in_array) ccs_generic_list_iterator_t ccs_iteratorref_array_object_at_index (ccs_iteratorref_array_t io_array, cc_uint64 in_position) { - return (ccs_generic_list_iterator_t) cci_array_object_at_index (io_array, + return (ccs_generic_list_iterator_t) cci_array_object_at_index (io_array, in_position); } @@ -296,8 +296,8 @@ cc_int32 ccs_iteratorref_array_insert (ccs_iteratorref_array_t io_array, ccs_generic_list_iterator_t in_iterator, cc_uint64 in_position) { - return cci_array_insert (io_array, - (cci_array_object_t) in_iterator, + return cci_array_insert (io_array, + (cci_array_object_t) in_iterator, in_position); } diff --git a/src/ccapi/server/ccs_cache_collection.c b/src/ccapi/server/ccs_cache_collection.c index 2137e816a..c96a75bee 100644 --- a/src/ccapi/server/ccs_cache_collection.c +++ b/src/ccapi/server/ccs_cache_collection.c @@ -45,48 +45,48 @@ cc_int32 ccs_cache_collection_new (ccs_cache_collection_t *out_cache_collection) { cc_int32 err = ccNoError; ccs_cache_collection_t cache_collection = NULL; - + if (!out_cache_collection) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cache_collection = malloc (sizeof (*cache_collection)); - if (cache_collection) { + if (cache_collection) { *cache_collection = ccs_cache_collection_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = ccs_server_new_identifier (&cache_collection->identifier); } - + if (!err) { err = ccs_lock_state_new (&cache_collection->lock_state, ccErrInvalidContext, ccErrContextLocked, ccErrContextUnlocked); } - + if (!err) { err = ccs_ccache_list_new (&cache_collection->ccaches); } - + if (!err) { err = ccs_callback_array_new (&cache_collection->change_callbacks); } - + if (!err) { err = ccs_cache_collection_changed (cache_collection); } - + if (!err) { *out_cache_collection = cache_collection; cache_collection = NULL; } - + ccs_cache_collection_release (cache_collection); - + return cci_check_error (err); } @@ -95,7 +95,7 @@ cc_int32 ccs_cache_collection_new (ccs_cache_collection_t *out_cache_collection) cc_int32 ccs_cache_collection_release (ccs_cache_collection_t io_cache_collection) { cc_int32 err = ccNoError; - + if (!err && io_cache_collection) { cci_identifier_release (io_cache_collection->identifier); ccs_lock_state_release (io_cache_collection->lock_state); @@ -103,7 +103,7 @@ cc_int32 ccs_cache_collection_release (ccs_cache_collection_t io_cache_collectio ccs_callback_array_release (io_cache_collection->change_callbacks); free (io_cache_collection); } - + return cci_check_error (err); } @@ -114,17 +114,17 @@ cc_int32 ccs_cache_collection_compare_identifier (ccs_cache_collection_t in_cac cc_uint32 *out_equal) { cc_int32 err = ccNoError; - + if (!in_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_identifier_compare (in_cache_collection->identifier, - in_identifier, + err = cci_identifier_compare (in_cache_collection->identifier, + in_identifier, out_equal); } - + return cci_check_error (err); } @@ -138,19 +138,19 @@ cc_int32 ccs_cache_collection_changed (ccs_cache_collection_t io_cache_collectio { cc_int32 err = ccNoError; k5_ipc_stream reply_data = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!err) { cc_time_t now = time (NULL); - + if (io_cache_collection->last_changed_time < now) { io_cache_collection->last_changed_time = now; } else { io_cache_collection->last_changed_time++; } } - + if (!err) { err = krb5int_ipc_stream_new (&reply_data); } @@ -158,17 +158,17 @@ cc_int32 ccs_cache_collection_changed (ccs_cache_collection_t io_cache_collectio if (!err) { err = krb5int_ipc_stream_write_time (reply_data, io_cache_collection->last_changed_time); } - + if (!err) { /* Loop over callbacks sending messages to them */ cc_uint64 i; cc_uint64 count = ccs_callback_array_count (io_cache_collection->change_callbacks); - + for (i = 0; !err && i < count; i++) { ccs_callback_t callback = ccs_callback_array_object_at_index (io_cache_collection->change_callbacks, i); - + err = ccs_callback_reply_to_client (callback, reply_data); - + if (!err) { cci_debug_printf ("%s: Removing callback reference %p.", __FUNCTION__, callback); err = ccs_callback_array_remove (io_cache_collection->change_callbacks, i); @@ -176,13 +176,13 @@ cc_int32 ccs_cache_collection_changed (ccs_cache_collection_t io_cache_collectio } } } - + if (!err) { err = ccs_os_notify_cache_collection_changed (io_cache_collection); } - + krb5int_ipc_stream_release (reply_data); - + return cci_check_error (err); } @@ -192,19 +192,19 @@ static cc_int32 ccs_cache_collection_invalidate_change_callback (ccs_callback_ow ccs_callback_t in_callback) { cc_int32 err = ccNoError; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_callback ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { /* Remove callback */ ccs_cache_collection_t cache_collection = (ccs_cache_collection_t) io_cache_collection; cc_uint64 i; cc_uint64 count = ccs_callback_array_count (cache_collection->change_callbacks); - + for (i = 0; !err && i < count; i++) { ccs_callback_t callback = ccs_callback_array_object_at_index (cache_collection->change_callbacks, i); - + if (callback == in_callback) { cci_debug_printf ("%s: Removing callback reference %p.", __FUNCTION__, callback); err = ccs_callback_array_remove (cache_collection->change_callbacks, i); @@ -212,7 +212,7 @@ static cc_int32 ccs_cache_collection_invalidate_change_callback (ccs_callback_ow } } } - + return cci_check_error (err); } @@ -228,27 +228,27 @@ static cc_int32 ccs_cache_collection_find_ccache_by_name (ccs_cache_collection_t { cc_int32 err = ccNoError; ccs_ccache_list_iterator_t iterator = NULL; - + if (!in_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_name ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_ccache_list_new_iterator (in_cache_collection->ccaches, - CCS_PIPE_NULL, + err = ccs_ccache_list_new_iterator (in_cache_collection->ccaches, + CCS_PIPE_NULL, &iterator); } - + while (!err) { ccs_ccache_t ccache = NULL; - + err = ccs_ccache_list_iterator_next (iterator, &ccache); - + if (!err) { cc_uint32 equal = 0; - + err = ccs_ccache_compare_name (ccache, in_name, &equal); - + if (!err && equal) { *out_ccache = ccache; break; @@ -256,9 +256,9 @@ static cc_int32 ccs_cache_collection_find_ccache_by_name (ccs_cache_collection_t } } if (err == ccIteratorEnd) { err = ccErrCCacheNotFound; } - + if (iterator) { ccs_ccache_list_iterator_release (iterator); } - + return cci_check_error (err); } @@ -273,16 +273,16 @@ cc_int32 ccs_cache_collection_find_ccache (ccs_cache_collection_t in_cache_coll ccs_ccache_t *out_ccache) { cc_int32 err = ccNoError; - + if (!in_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_ccache_list_find (in_cache_collection->ccaches, in_identifier, out_ccache); } - + return cci_check_error (err); } @@ -294,28 +294,28 @@ cc_int32 ccs_ccache_collection_move_ccache (ccs_cache_collection_t io_cache_coll { cc_int32 err = ccNoError; ccs_ccache_t source_ccache = NULL; - + if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_source_identifier ) { err = cci_check_error (ccErrBadParam); } if (!io_destination_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_cache_collection_find_ccache (io_cache_collection, - in_source_identifier, + in_source_identifier, &source_ccache); } - + if (!err) { - err = ccs_ccache_swap_contents (source_ccache, - io_destination_ccache, + err = ccs_ccache_swap_contents (source_ccache, + io_destination_ccache, io_cache_collection); } - + if (!err) { err = ccs_cache_collection_destroy_ccache (io_cache_collection, in_source_identifier); } - + return cci_check_error (err); } @@ -326,16 +326,16 @@ cc_int32 ccs_cache_collection_destroy_ccache (ccs_cache_collection_t io_cache_c { cc_int32 err = ccNoError; ccs_ccache_t ccache = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_cache_collection_find_ccache (io_cache_collection, - in_identifier, + in_identifier, &ccache); } - + if (!err) { /* Notify before deletion because after deletion the ccache * will no longer exist (and won't know about its clients) */ @@ -361,17 +361,17 @@ cc_int32 ccs_cache_collection_find_ccache_iterator (ccs_cache_collection_t in_c ccs_ccache_iterator_t *out_ccache_iterator) { cc_int32 err = ccNoError; - + if (!in_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_ccache_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_ccache_list_find_iterator (in_cache_collection->ccaches, in_identifier, out_ccache_iterator); } - + return cci_check_error (err); } @@ -388,36 +388,36 @@ cc_int32 ccs_cache_collection_find_credentials_iterator (ccs_cache_collection_t { cc_int32 err = ccNoError; ccs_ccache_list_iterator_t iterator = NULL; - + if (!in_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_credentials_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_ccache_list_new_iterator (in_cache_collection->ccaches, - CCS_PIPE_NULL, + err = ccs_ccache_list_new_iterator (in_cache_collection->ccaches, + CCS_PIPE_NULL, &iterator); } - + while (!err) { ccs_ccache_t ccache = NULL; - + err = ccs_ccache_list_iterator_next (iterator, &ccache); - + if (!err) { - cc_int32 terr = ccs_ccache_find_credentials_iterator (ccache, + cc_int32 terr = ccs_ccache_find_credentials_iterator (ccache, in_identifier, out_credentials_iterator); - if (!terr) { + if (!terr) { *out_ccache = ccache; - break; + break; } } } if (err == ccIteratorEnd) { err = cci_check_error (ccErrInvalidCredentialsIterator); } - + if (iterator) { ccs_ccache_list_iterator_release (iterator); } - + return cci_check_error (err); } @@ -433,27 +433,27 @@ static cc_int32 ccs_cache_collection_get_next_unique_ccache_name (ccs_cache_coll cc_int32 err = ccNoError; cc_uint64 count = 0; char *name = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!out_name ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_cache_collection_list_count (io_cache_collection->ccaches, &count); } - + if (!err) { if (count > 0) { while (!err) { int ret = asprintf (&name, "%lld", io_cache_collection->next_unique_name++); if (ret < 0 || !name) { err = cci_check_error (ccErrNoMem); } - + if (!err) { ccs_ccache_t ccache = NULL; /* temporary to hold ccache pointer */ - err = ccs_cache_collection_find_ccache_by_name (io_cache_collection, + err = ccs_cache_collection_find_ccache_by_name (io_cache_collection, name, &ccache); } - - if (err == ccErrCCacheNotFound) { + + if (err == ccErrCCacheNotFound) { err = ccNoError; break; /* found a unique one */ } @@ -463,9 +463,9 @@ static cc_int32 ccs_cache_collection_get_next_unique_ccache_name (ccs_cache_coll if (!name) { err = cci_check_error (ccErrNoMem); } } } - + if (!err) { - *out_name = name; + *out_name = name; name = NULL; } @@ -476,86 +476,86 @@ static cc_int32 ccs_cache_collection_get_next_unique_ccache_name (ccs_cache_coll /* ------------------------------------------------------------------------ */ -static cc_int32 ccs_cache_collection_get_default_ccache (ccs_cache_collection_t in_cache_collection, +static cc_int32 ccs_cache_collection_get_default_ccache (ccs_cache_collection_t in_cache_collection, ccs_ccache_t *out_ccache) { cc_int32 err = ccNoError; cc_uint64 count = 0; - + if (!in_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_ccache_list_count (in_cache_collection->ccaches, &count); } - + if (!err) { if (count > 0) { /* First ccache is the default */ ccs_ccache_list_iterator_t iterator = NULL; - + err = ccs_ccache_list_new_iterator (in_cache_collection->ccaches, - CCS_PIPE_NULL, + CCS_PIPE_NULL, &iterator); - + if (!err) { err = ccs_ccache_list_iterator_next (iterator, out_ccache); } - + ccs_ccache_list_iterator_release (iterator); - + } else { err = cci_check_error (ccErrCCacheNotFound); } } - + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ -cc_int32 ccs_cache_collection_set_default_ccache (ccs_cache_collection_t io_cache_collection, +cc_int32 ccs_cache_collection_set_default_ccache (ccs_cache_collection_t io_cache_collection, cci_identifier_t in_identifier) { cc_int32 err = ccNoError; ccs_ccache_t old_default = NULL; ccs_ccache_t new_default = NULL; cc_uint32 equal = 0; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_cache_collection_get_default_ccache (io_cache_collection, + err = ccs_cache_collection_get_default_ccache (io_cache_collection, &old_default); } - + if (!err) { err = ccs_ccache_compare_identifier (old_default, in_identifier, &equal); } - - + + if (!err && !equal) { err = ccs_ccache_list_push_front (io_cache_collection->ccaches, in_identifier); - + if (!err) { err = ccs_ccache_notify_default_state_changed (old_default, io_cache_collection, 0 /* no longer default */); } - + if (!err) { - err = ccs_cache_collection_get_default_ccache (io_cache_collection, + err = ccs_cache_collection_get_default_ccache (io_cache_collection, &new_default); } - + if (!err) { err = ccs_ccache_notify_default_state_changed (new_default, io_cache_collection, 1 /* now default */); } - + if (!err) { err = ccs_cache_collection_changed (io_cache_collection); } @@ -576,16 +576,16 @@ static cc_int32 ccs_cache_collection_sync (ccs_cache_collection_t io_cache_colle k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_write (io_cache_collection->identifier, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -595,16 +595,16 @@ static cc_int32 ccs_cache_collection_get_change_time (ccs_cache_collection_t io_ k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_reply_data, io_cache_collection->last_changed_time); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -619,27 +619,27 @@ static cc_int32 ccs_cache_collection_wait_for_change (ccs_pipe_t in cc_int32 err = ccNoError; cc_time_t last_wait_for_change_time = 0; cc_uint32 will_block = 0; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe )) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!out_will_block ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_time (in_request_data, &last_wait_for_change_time); } - + if (!err) { if (last_wait_for_change_time < io_cache_collection->last_changed_time) { err = krb5int_ipc_stream_write_time (io_reply_data, io_cache_collection->last_changed_time); - + } else { ccs_callback_t callback = NULL; - err = ccs_callback_new (&callback, - ccErrInvalidContext, - in_client_pipe, + err = ccs_callback_new (&callback, + ccErrInvalidContext, + in_client_pipe, in_reply_pipe, (ccs_callback_owner_t) io_cache_collection, ccs_cache_collection_invalidate_change_callback); @@ -648,19 +648,19 @@ static cc_int32 ccs_cache_collection_wait_for_change (ccs_pipe_t in err = ccs_callback_array_insert (io_cache_collection->change_callbacks, callback, ccs_callback_array_count (io_cache_collection->change_callbacks)); if (!err) { callback = NULL; /* take ownership */ } - + will_block = 1; } ccs_callback_release (callback); } } - + if (!err) { *out_will_block = will_block; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -671,31 +671,31 @@ static cc_int32 ccs_cache_collection_get_default_ccache_name (ccs_cache_collecti { cc_int32 err = ccNoError; cc_uint64 count = 0; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_cache_collection_list_count (io_cache_collection->ccaches, &count); } - + if (!err) { if (count > 0) { ccs_ccache_t ccache = NULL; err = ccs_cache_collection_get_default_ccache (io_cache_collection, &ccache); - + if (!err) { err = ccs_ccache_write_name (ccache, io_reply_data); } } else { - err = krb5int_ipc_stream_write_string (io_reply_data, + err = krb5int_ipc_stream_write_string (io_reply_data, k_cci_context_initial_ccache_name); } } - return cci_check_error (err); + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -707,27 +707,27 @@ static cc_int32 ccs_cache_collection_open_ccache (ccs_cache_collection_t io_cach cc_int32 err = ccNoError; char *name = NULL; ccs_ccache_t ccache = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_string (in_request_data, &name); } - + if (!err) { err = ccs_cache_collection_find_ccache_by_name (io_cache_collection, name, &ccache); } - + if (!err) { err = ccs_ccache_write (ccache, io_reply_data); } - + krb5int_ipc_stream_free_string (name); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -738,21 +738,21 @@ static cc_int32 ccs_cache_collection_open_default_ccache (ccs_cache_collection_t { cc_int32 err = ccNoError; ccs_ccache_t ccache = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_cache_collection_get_default_ccache (io_cache_collection, + err = ccs_cache_collection_get_default_ccache (io_cache_collection, &ccache); } - + if (!err) { err = ccs_ccache_write (ccache, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -766,49 +766,49 @@ static cc_int32 ccs_cache_collection_create_ccache (ccs_cache_collection_t io_ca cc_uint32 cred_vers; char *principal = NULL; ccs_ccache_t ccache = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_string (in_request_data, &name); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &cred_vers); } - + if (!err) { err = krb5int_ipc_stream_read_string (in_request_data, &principal); } - + if (!err) { cc_int32 terr = ccs_cache_collection_find_ccache_by_name (io_cache_collection, name, &ccache); - + if (!terr) { err = ccs_ccache_reset (ccache, io_cache_collection, cred_vers, principal); - + } else { - err = ccs_ccache_new (&ccache, cred_vers, name, principal, + err = ccs_ccache_new (&ccache, cred_vers, name, principal, io_cache_collection->ccaches); } } - + if (!err) { err = ccs_ccache_write (ccache, io_reply_data); } - + if (!err) { err = ccs_cache_collection_changed (io_cache_collection); } - + krb5int_ipc_stream_free_string (name); krb5int_ipc_stream_free_string (principal); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -821,52 +821,52 @@ static cc_int32 ccs_cache_collection_create_default_ccache (ccs_cache_collection cc_uint32 cred_vers; char *principal = NULL; ccs_ccache_t ccache = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &cred_vers); } - + if (!err) { err = krb5int_ipc_stream_read_string (in_request_data, &principal); } - + if (!err) { err = ccs_cache_collection_get_default_ccache (io_cache_collection, &ccache); - + if (!err) { err = ccs_ccache_reset (ccache, io_cache_collection, cred_vers, principal); } else if (err == ccErrCCacheNotFound) { char *name = NULL; - - err = ccs_cache_collection_get_next_unique_ccache_name (io_cache_collection, + + err = ccs_cache_collection_get_next_unique_ccache_name (io_cache_collection, &name); - + if (!err) { - err = ccs_ccache_new (&ccache, cred_vers, name, principal, + err = ccs_ccache_new (&ccache, cred_vers, name, principal, io_cache_collection->ccaches); } - + free (name); } } - + if (!err) { err = ccs_ccache_write (ccache, io_reply_data); } - + if (!err) { err = ccs_cache_collection_changed (io_cache_collection); } - + krb5int_ipc_stream_free_string (principal); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -880,41 +880,41 @@ static cc_int32 ccs_cache_collection_create_new_ccache (ccs_cache_collection_t i char *principal = NULL; char *name = NULL; ccs_ccache_t ccache = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &cred_vers); } - + if (!err) { err = krb5int_ipc_stream_read_string (in_request_data, &principal); } - + if (!err) { - err = ccs_cache_collection_get_next_unique_ccache_name (io_cache_collection, + err = ccs_cache_collection_get_next_unique_ccache_name (io_cache_collection, &name); } - + if (!err) { - err = ccs_ccache_new (&ccache, cred_vers, name, principal, + err = ccs_ccache_new (&ccache, cred_vers, name, principal, io_cache_collection->ccaches); } - + if (!err) { err = ccs_ccache_write (ccache, io_reply_data); } - + if (!err) { err = ccs_cache_collection_changed (io_cache_collection); } - + free (name); krb5int_ipc_stream_free_string (principal); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -926,22 +926,22 @@ static cc_int32 ccs_cache_collection_new_ccache_iterator (ccs_cache_collection_ { cc_int32 err = ccNoError; ccs_ccache_iterator_t ccache_iterator = NULL; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_ccache_list_new_iterator (io_cache_collection->ccaches, in_client_pipe, &ccache_iterator); } - + if (!err) { err = ccs_ccache_list_iterator_write (ccache_iterator, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -956,28 +956,28 @@ static cc_int32 ccs_cache_collection_lock (ccs_pipe_t in_client_pip cc_int32 err = ccNoError; cc_uint32 lock_type; cc_uint32 block; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!out_will_block ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &lock_type); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &block); } - + if (!err) { - err = ccs_lock_state_add (io_cache_collection->lock_state, - in_client_pipe, in_reply_pipe, + err = ccs_lock_state_add (io_cache_collection->lock_state, + in_client_pipe, in_reply_pipe, lock_type, block, out_will_block); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -988,18 +988,18 @@ static cc_int32 ccs_cache_collection_unlock (ccs_pipe_t in_client_pi k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_lock_state_remove (io_cache_collection->lock_state, + err = ccs_lock_state_remove (io_cache_collection->lock_state, in_client_pipe); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -1019,81 +1019,81 @@ static cc_int32 ccs_cache_collection_unlock (ccs_pipe_t in_client_pi cc_int32 err = ccNoError; cc_uint32 will_block = 0; k5_ipc_stream reply_data = NULL; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!out_will_block ) { err = cci_check_error (ccErrBadParam); } if (!out_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&reply_data); } - + if (!err) { if (in_request_name == cci_context_unused_release_msg_id) { /* Old release message. Do nothing. */ - + } else if (in_request_name == cci_context_sync_msg_id) { err = ccs_cache_collection_sync (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_get_change_time_msg_id) { err = ccs_cache_collection_get_change_time (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_wait_for_change_msg_id) { - err = ccs_cache_collection_wait_for_change (in_client_pipe, in_reply_pipe, + err = ccs_cache_collection_wait_for_change (in_client_pipe, in_reply_pipe, io_cache_collection, in_request_data, reply_data, &will_block); - + } else if (in_request_name == cci_context_get_default_ccache_name_msg_id) { err = ccs_cache_collection_get_default_ccache_name (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_open_ccache_msg_id) { err = ccs_cache_collection_open_ccache (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_open_default_ccache_msg_id) { err = ccs_cache_collection_open_default_ccache (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_create_ccache_msg_id) { err = ccs_cache_collection_create_ccache (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_create_default_ccache_msg_id) { err = ccs_cache_collection_create_default_ccache (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_create_new_ccache_msg_id) { err = ccs_cache_collection_create_new_ccache (io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_context_new_ccache_iterator_msg_id) { err = ccs_cache_collection_new_ccache_iterator (io_cache_collection, in_client_pipe, - in_request_data, + in_request_data, reply_data); - + } else if (in_request_name == cci_context_lock_msg_id) { - err = ccs_cache_collection_lock (in_client_pipe, in_reply_pipe, + err = ccs_cache_collection_lock (in_client_pipe, in_reply_pipe, io_cache_collection, - in_request_data, + in_request_data, &will_block, reply_data); - + } else if (in_request_name == cci_context_unlock_msg_id) { err = ccs_cache_collection_unlock (in_client_pipe, io_cache_collection, in_request_data, reply_data); - + } else { err = ccErrBadInternalMessage; } } - + if (!err) { *out_will_block = will_block; if (!will_block) { @@ -1103,8 +1103,8 @@ static cc_int32 ccs_cache_collection_unlock (ccs_pipe_t in_client_pi *out_reply_data = NULL; } } - + krb5int_ipc_stream_release (reply_data); - + return cci_check_error (err); } diff --git a/src/ccapi/server/ccs_cache_collection.h b/src/ccapi/server/ccs_cache_collection.h index f0507967b..53f97092f 100644 --- a/src/ccapi/server/ccs_cache_collection.h +++ b/src/ccapi/server/ccs_cache_collection.h @@ -39,7 +39,7 @@ cc_int32 ccs_cache_collection_compare_identifier (ccs_cache_collection_t in_cac cc_int32 ccs_cache_collection_changed (ccs_cache_collection_t io_cache_collection); -cc_int32 ccs_cache_collection_set_default_ccache (ccs_cache_collection_t in_cache_collection, +cc_int32 ccs_cache_collection_set_default_ccache (ccs_cache_collection_t in_cache_collection, cci_identifier_t in_identifier); cc_int32 ccs_cache_collection_find_ccache (ccs_cache_collection_t in_cache_collection, diff --git a/src/ccapi/server/ccs_callback.c b/src/ccapi/server/ccs_callback.c index 94e9d9b4b..499ba30de 100644 --- a/src/ccapi/server/ccs_callback.c +++ b/src/ccapi/server/ccs_callback.c @@ -49,52 +49,52 @@ cc_int32 ccs_callback_new (ccs_callback_t *out_callback, cc_int32 err = ccNoError; ccs_callback_t callback = NULL; ccs_client_t client = NULL; - + if (!out_callback ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } if (!in_owner ) { err = cci_check_error (ccErrBadParam); } if (!in_owner_invalidate_function ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { callback = malloc (sizeof (*callback)); - if (callback) { + if (callback) { *callback = ccs_callback_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = ccs_server_client_for_pipe (in_client_pipe, &client); } - + if (!err) { err = ccs_pipe_copy (&callback->client_pipe, in_client_pipe); } - + if (!err) { err = ccs_pipe_copy (&callback->reply_pipe, in_reply_pipe); } - + if (!err) { callback->client_pipe = in_client_pipe; callback->reply_pipe = in_reply_pipe; callback->invalid_object_err = in_invalid_object_err; callback->owner = in_owner; callback->owner_invalidate = in_owner_invalidate_function; - + err = ccs_client_add_callback (client, callback); } - + if (!err) { *out_callback = callback; callback = NULL; } - + ccs_callback_release (callback); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -102,34 +102,34 @@ cc_int32 ccs_callback_new (ccs_callback_t *out_callback, cc_int32 ccs_callback_release (ccs_callback_t io_callback) { cc_int32 err = ccNoError; - + if (!err && io_callback) { ccs_client_t client = NULL; if (io_callback->pending) { - err = ccs_server_send_reply (io_callback->reply_pipe, + err = ccs_server_send_reply (io_callback->reply_pipe, io_callback->invalid_object_err, NULL); - + io_callback->pending = 0; } - + if (!err) { err = ccs_server_client_for_pipe (io_callback->client_pipe, &client); } - + if (!err && client) { /* if client object still has a reference to us, remove it */ err = ccs_client_remove_callback (client, io_callback); } - + if (!err) { ccs_pipe_release (io_callback->client_pipe); ccs_pipe_release (io_callback->reply_pipe); free (io_callback); } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -137,19 +137,19 @@ cc_int32 ccs_callback_release (ccs_callback_t io_callback) cc_int32 ccs_callback_invalidate (ccs_callback_t io_callback) { cc_int32 err = ccNoError; - + if (!io_callback) { err = cci_check_error (ccErrBadParam); } - + if (!err) { io_callback->pending = 0; /* client is dead, don't try to talk to it */ if (io_callback->owner_invalidate) { err = io_callback->owner_invalidate (io_callback->owner, io_callback); } else { - cci_debug_printf ("WARNING %s() unable to notify callback owner!", + cci_debug_printf ("WARNING %s() unable to notify callback owner!", __FUNCTION__); } } - + return cci_check_error (err); } @@ -159,28 +159,28 @@ cc_int32 ccs_callback_reply_to_client (ccs_callback_t io_callback, k5_ipc_stream in_stream) { cc_int32 err = ccNoError; - + if (!io_callback) { err = cci_check_error (ccErrBadParam); } - + if (!err) { if (io_callback->pending) { cci_debug_printf ("%s: callback %p replying to client.", __FUNCTION__, io_callback); err = ccs_server_send_reply (io_callback->reply_pipe, err, in_stream); - + if (err) { - cci_debug_printf ("WARNING %s() called on a lock belonging to a dead client!", + cci_debug_printf ("WARNING %s() called on a lock belonging to a dead client!", __FUNCTION__); } - + io_callback->pending = 0; } else { - cci_debug_printf ("WARNING %s() called on non-pending callback!", + cci_debug_printf ("WARNING %s() called on non-pending callback!", __FUNCTION__); } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -189,15 +189,15 @@ cc_uint32 ccs_callback_is_pending (ccs_callback_t in_callback, cc_uint32 *out_pending) { cc_int32 err = ccNoError; - + if (!in_callback) { err = cci_check_error (ccErrBadParam); } if (!out_pending) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_pending = in_callback->pending; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -207,17 +207,17 @@ cc_int32 ccs_callback_is_for_client_pipe (ccs_callback_t in_callback, cc_uint32 *out_is_for_client_pipe) { cc_int32 err = ccNoError; - + if (!in_callback ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!out_is_for_client_pipe ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_pipe_compare (in_callback->client_pipe, in_client_pipe, + err = ccs_pipe_compare (in_callback->client_pipe, in_client_pipe, out_is_for_client_pipe); } - - return cci_check_error (err); + + return cci_check_error (err); } @@ -227,13 +227,13 @@ cc_int32 ccs_callback_client_pipe (ccs_callback_t in_callback, ccs_pipe_t *out_client_pipe) { cc_int32 err = ccNoError; - + if (!in_callback ) { err = cci_check_error (ccErrBadParam); } if (!out_client_pipe) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_client_pipe = in_callback->client_pipe; } - - return cci_check_error (err); + + return cci_check_error (err); } diff --git a/src/ccapi/server/ccs_ccache.c b/src/ccapi/server/ccs_ccache.c index d7662343a..c1e91bce8 100644 --- a/src/ccapi/server/ccs_ccache.c +++ b/src/ccapi/server/ccs_ccache.c @@ -56,43 +56,43 @@ cc_int32 ccs_ccache_new (ccs_ccache_t *out_ccache, { cc_int32 err = ccNoError; ccs_ccache_t ccache = NULL; - + if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_name ) { err = cci_check_error (ccErrBadParam); } if (!in_principal) { err = cci_check_error (ccErrBadParam); } - + if (!err) { ccache = malloc (sizeof (*ccache)); - if (ccache) { + if (ccache) { *ccache = ccs_ccache_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = ccs_server_new_identifier (&ccache->identifier); } - + if (!err) { err = ccs_lock_state_new (&ccache->lock_state, ccErrInvalidCCache, ccErrCCacheLocked, ccErrCCacheUnlocked); } - + if (!err) { ccache->name = strdup (in_name); if (!ccache->name) { err = cci_check_error (ccErrNoMem); } } - + if (!err) { ccache->creds_version = in_creds_version; if (ccache->creds_version == cc_credentials_v4) { ccache->v4_principal = strdup (in_principal); if (!ccache->v4_principal) { err = cci_check_error (ccErrNoMem); } - + } else if (ccache->creds_version == cc_credentials_v5) { ccache->v5_principal = strdup (in_principal); if (!ccache->v5_principal) { err = cci_check_error (ccErrNoMem); } @@ -101,43 +101,43 @@ cc_int32 ccs_ccache_new (ccs_ccache_t *out_ccache, err = cci_check_error (ccErrBadCredentialsVersion); } } - + if (!err) { err = ccs_credentials_list_new (&ccache->credentials); } - + if (!err) { err = ccs_callback_array_new (&ccache->change_callbacks); } - + if (!err) { cc_uint64 now = time (NULL); cc_uint64 count = 0; - + err = ccs_ccache_list_count (io_ccache_list, &count); - + if (!err) { /* first cache is default */ ccache->last_default_time = (count == 0) ? now : 0; - cci_debug_printf ("%s ccache->last_default_time is %d.", + cci_debug_printf ("%s ccache->last_default_time is %d.", __FUNCTION__, ccache->last_default_time); ccache->last_changed_time = now; } } - + if (!err) { /* Add self to the list of ccaches */ err = ccs_ccache_list_add (io_ccache_list, ccache); } - + if (!err) { *out_ccache = ccache; ccache = NULL; } - + ccs_ccache_release (ccache); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -151,41 +151,41 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, char *v4_principal = NULL; char *v5_principal = NULL; ccs_credentials_list_t credentials = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_principal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { io_ccache->creds_version = in_creds_version; - + if (io_ccache->creds_version == cc_credentials_v4) { v4_principal = strdup (in_principal); if (!v4_principal) { err = cci_check_error (ccErrNoMem); } - + } else if (io_ccache->creds_version == cc_credentials_v5) { v5_principal = strdup (in_principal); if (!v5_principal) { err = cci_check_error (ccErrNoMem); } - + } else { err = cci_check_error (ccErrBadCredentialsVersion); } } - + if (!err) { err = ccs_credentials_list_new (&credentials); } - + if (!err) { io_ccache->kdc_time_offset_v4 = 0; io_ccache->kdc_time_offset_v4_valid = 0; io_ccache->kdc_time_offset_v5 = 0; io_ccache->kdc_time_offset_v5_valid = 0; - + if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } io_ccache->v4_principal = v4_principal; v4_principal = NULL; /* take ownership */ - + if (io_ccache->v5_principal) { free (io_ccache->v5_principal); } io_ccache->v5_principal = v5_principal; v5_principal = NULL; /* take ownership */ @@ -193,51 +193,51 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, ccs_credentials_list_release (io_ccache->credentials); io_ccache->credentials = credentials; credentials = NULL; /* take ownership */ - + err = ccs_ccache_changed (io_ccache, io_cache_collection); } - + free (v4_principal); free (v5_principal); ccs_credentials_list_release (credentials); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ -cc_int32 ccs_ccache_swap_contents (ccs_ccache_t io_source_ccache, +cc_int32 ccs_ccache_swap_contents (ccs_ccache_t io_source_ccache, ccs_ccache_t io_destination_ccache, ccs_cache_collection_t io_cache_collection) { cc_int32 err = ccNoError; - + if (!io_source_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_destination_ccache) { err = cci_check_error (ccErrBadParam); } - + if (!err) { struct ccs_ccache_d temp_ccache = *io_destination_ccache; - + /* swap everything */ *io_destination_ccache = *io_source_ccache; *io_source_ccache = temp_ccache; - + /* swap back the name and identifier */ io_source_ccache->identifier = io_destination_ccache->identifier; io_destination_ccache->identifier = temp_ccache.identifier; - + io_source_ccache->name = io_destination_ccache->name; io_destination_ccache->name = temp_ccache.name; } - + if (!err) { err = ccs_ccache_changed (io_source_ccache, io_cache_collection); } - + if (!err) { err = ccs_ccache_changed (io_destination_ccache, io_cache_collection); } - + return cci_check_error (err); } @@ -246,7 +246,7 @@ cc_int32 ccs_ccache_swap_contents (ccs_ccache_t io_source_ccache, cc_int32 ccs_ccache_release (ccs_ccache_t io_ccache) { cc_int32 err = ccNoError; - + if (!err && io_ccache) { cci_identifier_release (io_ccache->identifier); ccs_lock_state_release (io_ccache->lock_state); @@ -257,8 +257,8 @@ cc_int32 ccs_ccache_release (ccs_ccache_t io_ccache) ccs_callback_array_release (io_ccache->change_callbacks); free (io_ccache); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -272,17 +272,17 @@ cc_int32 ccs_ccache_compare_identifier (ccs_ccache_t in_ccache, cc_uint32 *out_equal) { cc_int32 err = ccNoError; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_identifier_compare (in_ccache->identifier, - in_identifier, + err = cci_identifier_compare (in_ccache->identifier, + in_identifier, out_equal); } - + return cci_check_error (err); } @@ -293,15 +293,15 @@ cc_int32 ccs_ccache_compare_name (ccs_ccache_t in_ccache, cc_uint32 *out_equal) { cc_int32 err = ccNoError; - + if (!in_ccache) { err = cci_check_error (ccErrBadParam); } if (!in_name ) { err = cci_check_error (ccErrBadParam); } if (!out_equal) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_equal = (strcmp (in_ccache->name, in_name) == 0); } - + return cci_check_error (err); } @@ -316,28 +316,28 @@ cc_int32 ccs_ccache_changed (ccs_ccache_t io_ccache, { cc_int32 err = ccNoError; k5_ipc_stream reply_data = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_time_t now = time (NULL); - + if (io_ccache->last_changed_time < now) { io_ccache->last_changed_time = now; } else { io_ccache->last_changed_time++; } } - + if (!err) { err = ccs_cache_collection_changed (io_cache_collection); } - + if (!err) { err = krb5int_ipc_stream_new (&reply_data); } - + if (!err) { err = krb5int_ipc_stream_write_time (reply_data, io_ccache->last_changed_time); } @@ -346,12 +346,12 @@ cc_int32 ccs_ccache_changed (ccs_ccache_t io_ccache, /* Loop over callbacks sending messages to them */ cc_uint64 i; cc_uint64 count = ccs_callback_array_count (io_ccache->change_callbacks); - + for (i = 0; !err && i < count; i++) { ccs_callback_t callback = ccs_callback_array_object_at_index (io_ccache->change_callbacks, i); - + err = ccs_callback_reply_to_client (callback, reply_data); - + if (!err) { cci_debug_printf ("%s: Removing callback reference %p.", __FUNCTION__, callback); err = ccs_callback_array_remove (io_ccache->change_callbacks, i); @@ -359,14 +359,14 @@ cc_int32 ccs_ccache_changed (ccs_ccache_t io_ccache, } } } - + if (!err) { - err = ccs_os_notify_ccache_changed (io_cache_collection, + err = ccs_os_notify_ccache_changed (io_cache_collection, io_ccache->name); } - + krb5int_ipc_stream_release (reply_data); - + return cci_check_error (err); } @@ -376,19 +376,19 @@ static cc_int32 ccs_ccache_invalidate_change_callback (ccs_callback_owner_t io_c ccs_callback_t in_callback) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_callback) { err = cci_check_error (ccErrBadParam); } - + if (!err) { /* Remove callback */ ccs_ccache_t ccache = (ccs_ccache_t) io_ccache; cc_uint64 i; cc_uint64 count = ccs_callback_array_count (ccache->change_callbacks); - + for (i = 0; !err && i < count; i++) { ccs_callback_t callback = ccs_callback_array_object_at_index (ccache->change_callbacks, i); - + if (callback == in_callback) { cci_debug_printf ("%s: Removing callback reference %p.", __FUNCTION__, callback); err = ccs_callback_array_remove (ccache->change_callbacks, i); @@ -396,7 +396,7 @@ static cc_int32 ccs_ccache_invalidate_change_callback (ccs_callback_owner_t io_c } } } - + return cci_check_error (err); } @@ -407,24 +407,24 @@ cc_int32 ccs_ccache_notify_default_state_changed (ccs_ccache_t io_ccac cc_uint32 in_new_default_state) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } - + if (!err && in_new_default_state) { cc_time_t now = time (NULL); - + if (io_ccache->last_default_time < now) { io_ccache->last_default_time = now; } else { io_ccache->last_default_time++; } } - + if (!err) { err = ccs_ccache_changed (io_ccache, io_cache_collection); } - + return cci_check_error (err); } @@ -439,17 +439,17 @@ cc_int32 ccs_ccache_find_credentials_iterator (ccs_ccache_t in_cc ccs_credentials_iterator_t *out_credentials_iterator) { cc_int32 err = ccNoError; - + if (!in_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_credentials_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_credentials_list_find_iterator (in_ccache->credentials, in_identifier, out_credentials_iterator); } - + // Don't report ccErrInvalidCredentials to the log file. Non-fatal. return (err == ccErrInvalidCredentials) ? err : cci_check_error (err); } @@ -464,15 +464,15 @@ cc_int32 ccs_ccache_write (ccs_ccache_t in_ccache, k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!in_ccache) { err = cci_check_error (ccErrBadParam); } if (!io_stream) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_write (in_ccache->identifier, io_stream); } - - return cci_check_error (err); + + return cci_check_error (err); } @@ -482,15 +482,15 @@ cc_int32 ccs_ccache_write_name (ccs_ccache_t in_ccache, k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!in_ccache) { err = cci_check_error (ccErrBadParam); } if (!io_stream) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_string (io_stream, in_ccache->name); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -506,23 +506,23 @@ static cc_int32 ccs_ccache_destroy (ccs_ccache_t io_ccache, k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_cache_collection_destroy_ccache (io_cache_collection, + err = ccs_cache_collection_destroy_ccache (io_cache_collection, io_ccache->identifier); } - + if (!err) { /* ccache has been destroyed so just mark the cache collection */ err = ccs_cache_collection_changed (io_cache_collection); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -533,18 +533,18 @@ static cc_int32 ccs_ccache_set_default (ccs_ccache_t io_ccache, k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_cache_collection_set_default_ccache (io_cache_collection, + err = ccs_cache_collection_set_default_ccache (io_cache_collection, io_ccache->identifier); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -555,17 +555,17 @@ static cc_int32 ccs_ccache_get_credentials_version (ccs_ccache_t io_cc k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_uint32 (io_reply_data, io_ccache->creds_version); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -576,17 +576,17 @@ static cc_int32 ccs_ccache_get_name (ccs_ccache_t io_ccache, k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->name); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -598,33 +598,33 @@ static cc_int32 ccs_ccache_get_principal (ccs_ccache_t io_ccache, { cc_int32 err = ccNoError; cc_uint32 version = 0; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &version); } - + if (!err && version == cc_credentials_v4_v5) { err = cci_check_error (ccErrBadCredentialsVersion); } - + if (!err) { if (version == cc_credentials_v4) { err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v4_principal); - + } else if (version == cc_credentials_v5) { err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v5_principal); - + } else { err = cci_check_error (ccErrBadCredentialsVersion); } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -637,35 +637,35 @@ static cc_int32 ccs_ccache_set_principal (ccs_ccache_t io_ccache, cc_int32 err = ccNoError; cc_uint32 version = 0; char *principal = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &version); } - + if (!err) { err = krb5int_ipc_stream_read_string (in_request_data, &principal); } - + if (!err) { /* reset KDC time offsets because they are per-KDC */ if (version == cc_credentials_v4) { io_ccache->kdc_time_offset_v4 = 0; io_ccache->kdc_time_offset_v4_valid = 0; - + if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } io_ccache->v4_principal = principal; principal = NULL; /* take ownership */ - - + + } else if (version == cc_credentials_v5) { io_ccache->kdc_time_offset_v5 = 0; io_ccache->kdc_time_offset_v5_valid = 0; - + if (io_ccache->v5_principal) { free (io_ccache->v5_principal); } io_ccache->v5_principal = principal; principal = NULL; /* take ownership */ @@ -674,16 +674,16 @@ static cc_int32 ccs_ccache_set_principal (ccs_ccache_t io_ccache, err = cci_check_error (ccErrBadCredentialsVersion); } } - + if (!err) { io_ccache->creds_version |= version; - + err = ccs_ccache_changed (io_ccache, io_cache_collection); } - + krb5int_ipc_stream_free_string (principal); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -695,24 +695,24 @@ static cc_int32 ccs_ccache_store_credentials (ccs_ccache_t io_ccache, { cc_int32 err = ccNoError; ccs_credentials_t credentials = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_credentials_new (&credentials, in_request_data, - io_ccache->creds_version, + err = ccs_credentials_new (&credentials, in_request_data, + io_ccache->creds_version, io_ccache->credentials); } - + if (!err) { err = ccs_ccache_changed (io_ccache, io_cache_collection); } - - - return cci_check_error (err); + + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -724,27 +724,27 @@ static cc_int32 ccs_ccache_remove_credentials (ccs_ccache_t io_ccache, { cc_int32 err = ccNoError; cci_identifier_t credentials_identifier = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_read (&credentials_identifier, in_request_data); } - + if (!err) { err = ccs_credentials_list_remove (io_ccache->credentials, credentials_identifier); } - + if (!err) { err = ccs_ccache_changed (io_ccache, io_cache_collection); } - + cci_identifier_release (credentials_identifier); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -757,23 +757,23 @@ static cc_int32 ccs_ccache_new_credentials_iterator (ccs_ccache_t io_c { cc_int32 err = ccNoError; ccs_credentials_iterator_t credentials_iterator = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_credentials_list_new_iterator (io_ccache->credentials, in_client_pipe, &credentials_iterator); } - + if (!err) { err = ccs_credentials_list_iterator_write (credentials_iterator, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -785,31 +785,31 @@ static cc_int32 ccs_ccache_move (ccs_ccache_t io_ccache, { cc_int32 err = ccNoError; cci_identifier_t source_identifier = NULL; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { /* Note: message is sent as the destination ccache to avoid */ /* extra work on the server when deleting it the source ccache. */ err = cci_identifier_read (&source_identifier, in_request_data); } - + if (!err) { err = ccs_ccache_collection_move_ccache (io_cache_collection, - source_identifier, + source_identifier, io_ccache); } - + if (!err) { err = ccs_ccache_changed (io_ccache, io_cache_collection); } - + cci_identifier_release (source_identifier); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -825,29 +825,29 @@ static cc_int32 ccs_ccache_lock (ccs_pipe_t in_client_pipe, cc_int32 err = ccNoError; cc_uint32 lock_type; cc_uint32 block; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!out_will_block ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &lock_type); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &block); } - + if (!err) { - err = ccs_lock_state_add (io_ccache->lock_state, - in_client_pipe, in_reply_pipe, + err = ccs_lock_state_add (io_ccache->lock_state, + in_client_pipe, in_reply_pipe, lock_type, block, out_will_block); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -859,18 +859,18 @@ static cc_int32 ccs_ccache_unlock (ccs_pipe_t in_client_pipe, k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_lock_state_remove (io_ccache->lock_state, in_client_pipe); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -881,21 +881,21 @@ static cc_int32 ccs_ccache_get_last_default_time (ccs_ccache_t io_ccac k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err && io_ccache->last_default_time == 0) { err = cci_check_error (ccErrNeverDefault); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->last_default_time); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -906,17 +906,17 @@ static cc_int32 ccs_ccache_get_change_time (ccs_ccache_t io_ccache, k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->last_changed_time); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -932,51 +932,51 @@ static cc_int32 ccs_ccache_wait_for_change (ccs_pipe_t in_client_pi cc_int32 err = ccNoError; cc_time_t last_wait_for_change_time = 0; cc_uint32 will_block = 0; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe )) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!out_will_block ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_time (in_request_data, &last_wait_for_change_time); } - + if (!err) { if (last_wait_for_change_time < io_ccache->last_changed_time) { cci_debug_printf ("%s returning immediately", __FUNCTION__); err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->last_changed_time); - + } else { ccs_callback_t callback = NULL; - err = ccs_callback_new (&callback, - ccErrInvalidCCache, - in_client_pipe, + err = ccs_callback_new (&callback, + ccErrInvalidCCache, + in_client_pipe, in_reply_pipe, (ccs_callback_owner_t) io_ccache, ccs_ccache_invalidate_change_callback); - + if (!err) { err = ccs_callback_array_insert (io_ccache->change_callbacks, callback, ccs_callback_array_count (io_ccache->change_callbacks)); if (!err) { callback = NULL; /* take ownership */ } - + cci_debug_printf ("%s blocking", __FUNCTION__); will_block = 1; } - + ccs_callback_release (callback); } } - + if (!err) { *out_will_block = will_block; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -988,16 +988,16 @@ static cc_int32 ccs_ccache_get_kdc_time_offset (ccs_ccache_t io_ccache { cc_int32 err = ccNoError; cc_uint32 cred_vers = 0; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &cred_vers); } - + if (!err) { if (cred_vers == cc_credentials_v4) { if (io_ccache->kdc_time_offset_v4_valid) { @@ -1005,20 +1005,20 @@ static cc_int32 ccs_ccache_get_kdc_time_offset (ccs_ccache_t io_ccache } else { err = cci_check_error (ccErrTimeOffsetNotSet); } - + } else if (cred_vers == cc_credentials_v5) { if (io_ccache->kdc_time_offset_v5_valid) { err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v5); } else { err = cci_check_error (ccErrTimeOffsetNotSet); } - + } else { err = cci_check_error (ccErrBadCredentialsVersion); } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -1030,26 +1030,26 @@ static cc_int32 ccs_ccache_set_kdc_time_offset (ccs_ccache_t io_ccache { cc_int32 err = ccNoError; cc_uint32 cred_vers = 0; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &cred_vers); } - + if (!err) { if (cred_vers == cc_credentials_v4) { err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v4); - + if (!err) { io_ccache->kdc_time_offset_v4_valid = 1; } } else if (cred_vers == cc_credentials_v5) { err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v5); - + if (!err) { io_ccache->kdc_time_offset_v5_valid = 1; } @@ -1057,12 +1057,12 @@ static cc_int32 ccs_ccache_set_kdc_time_offset (ccs_ccache_t io_ccache err = cci_check_error (ccErrBadCredentialsVersion); } } - + if (!err) { err = ccs_ccache_changed (io_ccache, io_cache_collection); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -1074,35 +1074,35 @@ static cc_int32 ccs_ccache_clear_kdc_time_offset (ccs_ccache_t io_ccac { cc_int32 err = ccNoError; cc_uint32 cred_vers = 0; - + if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (in_request_data, &cred_vers); } - + if (!err) { if (cred_vers == cc_credentials_v4) { io_ccache->kdc_time_offset_v4 = 0; io_ccache->kdc_time_offset_v4_valid = 0; - + } else if (cred_vers == cc_credentials_v5) { io_ccache->kdc_time_offset_v5 = 0; io_ccache->kdc_time_offset_v5_valid = 0; - + } else { err = cci_check_error (ccErrBadCredentialsVersion); } } - + if (!err) { err = ccs_ccache_changed (io_ccache, io_cache_collection); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -1123,104 +1123,104 @@ cc_int32 ccs_ccache_handle_message (ccs_pipe_t in_client_pipe, cc_int32 err = ccNoError; cc_uint32 will_block = 0; k5_ipc_stream reply_data = NULL; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!out_will_block ) { err = cci_check_error (ccErrBadParam); } if (!out_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&reply_data); } - + if (!err) { if (in_request_name == cci_ccache_destroy_msg_id) { err = ccs_ccache_destroy (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_set_default_msg_id) { err = ccs_ccache_set_default (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_get_credentials_version_msg_id) { err = ccs_ccache_get_credentials_version (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_get_name_msg_id) { err = ccs_ccache_get_name (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_get_principal_msg_id) { err = ccs_ccache_get_principal (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_set_principal_msg_id) { err = ccs_ccache_set_principal (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_store_credentials_msg_id) { err = ccs_ccache_store_credentials (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_remove_credentials_msg_id) { err = ccs_ccache_remove_credentials (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_new_credentials_iterator_msg_id) { - err = ccs_ccache_new_credentials_iterator (io_ccache, + err = ccs_ccache_new_credentials_iterator (io_ccache, io_cache_collection, in_client_pipe, - in_request_data, + in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_move_msg_id) { err = ccs_ccache_move (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_lock_msg_id) { - err = ccs_ccache_lock (in_client_pipe, in_reply_pipe, + err = ccs_ccache_lock (in_client_pipe, in_reply_pipe, io_ccache, io_cache_collection, - in_request_data, + in_request_data, &will_block, reply_data); - + } else if (in_request_name == cci_ccache_unlock_msg_id) { - err = ccs_ccache_unlock (in_client_pipe, + err = ccs_ccache_unlock (in_client_pipe, io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_get_last_default_time_msg_id) { err = ccs_ccache_get_last_default_time (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_get_change_time_msg_id) { err = ccs_ccache_get_change_time (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_wait_for_change_msg_id) { - err = ccs_ccache_wait_for_change (in_client_pipe, in_reply_pipe, + err = ccs_ccache_wait_for_change (in_client_pipe, in_reply_pipe, io_ccache, io_cache_collection, in_request_data, reply_data, &will_block); - + } else if (in_request_name == cci_ccache_get_kdc_time_offset_msg_id) { err = ccs_ccache_get_kdc_time_offset (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_set_kdc_time_offset_msg_id) { err = ccs_ccache_set_kdc_time_offset (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_clear_kdc_time_offset_msg_id) { err = ccs_ccache_clear_kdc_time_offset (io_ccache, io_cache_collection, in_request_data, reply_data); - + } else { err = ccErrBadInternalMessage; } } - + if (!err) { *out_will_block = will_block; if (!will_block) { @@ -1230,9 +1230,8 @@ cc_int32 ccs_ccache_handle_message (ccs_pipe_t in_client_pipe, *out_reply_data = NULL; } } - + krb5int_ipc_stream_release (reply_data); - + return cci_check_error (err); } - diff --git a/src/ccapi/server/ccs_ccache.h b/src/ccapi/server/ccs_ccache.h index 21c9f410f..9d4e607a8 100644 --- a/src/ccapi/server/ccs_ccache.h +++ b/src/ccapi/server/ccs_ccache.h @@ -40,7 +40,7 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, cc_uint32 in_cred_vers, const char *in_principal); -cc_int32 ccs_ccache_swap_contents (ccs_ccache_t io_source_ccache, +cc_int32 ccs_ccache_swap_contents (ccs_ccache_t io_source_ccache, ccs_ccache_t io_destination_ccache, ccs_cache_collection_t io_cache_collection); diff --git a/src/ccapi/server/ccs_ccache_iterator.c b/src/ccapi/server/ccs_ccache_iterator.c index fb007bf6b..045ad3d09 100644 --- a/src/ccapi/server/ccs_ccache_iterator.c +++ b/src/ccapi/server/ccs_ccache_iterator.c @@ -34,17 +34,17 @@ static cc_int32 ccs_ccache_iterator_release (ccs_ccache_iterator_t io_ccache_i k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_ccache_iterator ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_ccache_list_iterator_release (io_ccache_iterator); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -56,21 +56,21 @@ static cc_int32 ccs_ccache_iterator_next (ccs_ccache_iterator_t io_ccache_iter { cc_int32 err = ccNoError; ccs_ccache_t ccache = NULL; - + if (!io_ccache_iterator ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_ccache_list_iterator_next (io_ccache_iterator, &ccache); } - + if (!err) { err = ccs_ccache_write (ccache, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -82,22 +82,22 @@ static cc_int32 ccs_ccache_iterator_clone (ccs_ccache_iterator_t io_ccache_ite { cc_int32 err = ccNoError; ccs_ccache_iterator_t ccache_iterator = NULL; - + if (!io_ccache_iterator ) { err = cci_check_error (ccErrBadParam); } if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_ccache_list_iterator_clone (io_ccache_iterator, &ccache_iterator); } - + if (!err) { err = ccs_ccache_list_iterator_write (ccache_iterator, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -114,45 +114,44 @@ static cc_int32 ccs_ccache_iterator_clone (ccs_ccache_iterator_t io_ccache_ite { cc_int32 err = ccNoError; k5_ipc_stream reply_data = NULL; - + if (!in_request_data) { err = cci_check_error (ccErrBadParam); } if (!out_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&reply_data); } - + if (!err) { if (in_request_name == cci_ccache_iterator_release_msg_id) { err = ccs_ccache_iterator_release (io_ccache_iterator, io_cache_collection, - in_request_data, + in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_iterator_next_msg_id) { err = ccs_ccache_iterator_next (io_ccache_iterator, io_cache_collection, - in_request_data, + in_request_data, reply_data); - + } else if (in_request_name == cci_ccache_iterator_clone_msg_id) { err = ccs_ccache_iterator_clone (io_ccache_iterator, io_cache_collection, - in_request_data, + in_request_data, reply_data); - + } else { err = ccErrBadInternalMessage; } } - + if (!err) { *out_reply_data = reply_data; reply_data = NULL; /* take ownership */ } - + krb5int_ipc_stream_release (reply_data); - + return cci_check_error (err); } - diff --git a/src/ccapi/server/ccs_client.c b/src/ccapi/server/ccs_client.c index 31ed14ff4..72ae89de1 100644 --- a/src/ccapi/server/ccs_client.c +++ b/src/ccapi/server/ccs_client.c @@ -43,39 +43,39 @@ cc_int32 ccs_client_new (ccs_client_t *out_client, { cc_int32 err = ccNoError; ccs_client_t client = NULL; - + if (!out_client ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } - + if (!err) { client = malloc (sizeof (*client)); - if (client) { + if (client) { *client = ccs_client_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = ccs_callbackref_array_new (&client->callbacks); } - + if (!err) { err = ccs_iteratorref_array_new (&client->iterators); } - + if (!err) { err = ccs_pipe_copy (&client->client_pipe, in_client_pipe); } - + if (!err) { *out_client = client; client = NULL; } - + ccs_client_release (client); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -83,26 +83,26 @@ cc_int32 ccs_client_new (ccs_client_t *out_client, cc_int32 ccs_client_release (ccs_client_t io_client) { cc_int32 err = ccNoError; - + if (!err && io_client) { cc_uint64 i; cc_uint64 callback_count = ccs_callbackref_array_count (io_client->callbacks); cc_uint64 iterator_count = ccs_iteratorref_array_count (io_client->iterators); - + for (i = 0; !err && i < callback_count; i++) { ccs_callback_t callback = ccs_callbackref_array_object_at_index (io_client->callbacks, i); - - cci_debug_printf ("%s: Invalidating callback reference %p.", + + cci_debug_printf ("%s: Invalidating callback reference %p.", __FUNCTION__, callback); ccs_callback_invalidate (callback); } - + for (i = 0; !err && i < iterator_count; i++) { ccs_generic_list_iterator_t iterator = ccs_iteratorref_array_object_at_index (io_client->iterators, i); - - cci_debug_printf ("%s: Invalidating iterator reference %p.", + + cci_debug_printf ("%s: Invalidating iterator reference %p.", __FUNCTION__, iterator); - ccs_generic_list_iterator_invalidate (iterator); + ccs_generic_list_iterator_invalidate (iterator); } ccs_callbackref_array_release (io_client->callbacks); @@ -110,8 +110,8 @@ cc_int32 ccs_client_release (ccs_client_t io_client) ccs_pipe_release (io_client->client_pipe); free (io_client); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -120,16 +120,16 @@ cc_int32 ccs_client_add_callback (ccs_client_t io_client, ccs_callback_t in_callback) { cc_int32 err = ccNoError; - + if (!io_client ) { err = cci_check_error (ccErrBadParam); } if (!in_callback) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_callbackref_array_insert (io_client->callbacks, in_callback, ccs_callbackref_array_count (io_client->callbacks)); } - - return cci_check_error (err); + + return cci_check_error (err); } @@ -140,16 +140,16 @@ cc_int32 ccs_client_remove_callback (ccs_client_t io_client, { cc_int32 err = ccNoError; cc_uint32 found_callback = 0; - + if (!io_client) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_uint64 i; cc_uint64 lock_count = ccs_callbackref_array_count (io_client->callbacks); - + for (i = 0; !err && i < lock_count; i++) { ccs_callback_t callback = ccs_callbackref_array_object_at_index (io_client->callbacks, i); - + if (callback == in_callback) { cci_debug_printf ("%s: Removing callback reference %p.", __FUNCTION__, callback); found_callback = 1; @@ -158,12 +158,12 @@ cc_int32 ccs_client_remove_callback (ccs_client_t io_client, } } } - + if (!err && !found_callback) { cci_debug_printf ("%s: WARNING! callback not found.", __FUNCTION__); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -172,16 +172,16 @@ cc_int32 ccs_client_add_iterator (ccs_client_t io_client, ccs_generic_list_iterator_t in_iterator) { cc_int32 err = ccNoError; - + if (!io_client ) { err = cci_check_error (ccErrBadParam); } if (!in_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_iteratorref_array_insert (io_client->iterators, in_iterator, ccs_iteratorref_array_count (io_client->iterators)); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -191,16 +191,16 @@ cc_int32 ccs_client_remove_iterator (ccs_client_t io_client, { cc_int32 err = ccNoError; cc_uint32 found_iterator = 0; - + if (!io_client) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_uint64 i; cc_uint64 lock_count = ccs_iteratorref_array_count (io_client->iterators); - + for (i = 0; !err && i < lock_count; i++) { ccs_generic_list_iterator_t iterator = ccs_iteratorref_array_object_at_index (io_client->iterators, i); - + if (iterator == in_iterator) { cci_debug_printf ("%s: Removing iterator reference %p.", __FUNCTION__, iterator); found_iterator = 1; @@ -209,12 +209,12 @@ cc_int32 ccs_client_remove_iterator (ccs_client_t io_client, } } } - + if (!err && !found_iterator) { cci_debug_printf ("%s: WARNING! iterator not found.", __FUNCTION__); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -224,14 +224,14 @@ cc_int32 ccs_client_uses_pipe (ccs_client_t in_client, cc_uint32 *out_uses_pipe) { cc_int32 err = ccNoError; - + if (!in_client ) { err = cci_check_error (ccErrBadParam); } if (!in_pipe ) { err = cci_check_error (ccErrBadParam); } if (!out_uses_pipe) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_pipe_compare (in_client->client_pipe, in_pipe, out_uses_pipe); } - - return cci_check_error (err); + + return cci_check_error (err); } diff --git a/src/ccapi/server/ccs_credentials.c b/src/ccapi/server/ccs_credentials.c index 56b5a5799..9795ef86f 100644 --- a/src/ccapi/server/ccs_credentials.c +++ b/src/ccapi/server/ccs_credentials.c @@ -42,44 +42,44 @@ cc_int32 ccs_credentials_new (ccs_credentials_t *out_credentials, { cc_int32 err = ccNoError; ccs_credentials_t credentials = NULL; - + if (!out_credentials) { err = cci_check_error (ccErrBadParam); } if (!in_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { credentials = malloc (sizeof (*credentials)); - if (credentials) { + if (credentials) { *credentials = ccs_credentials_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = cci_credentials_union_read (&credentials->cred_union, in_stream); } - + if (!err && !(credentials->cred_union->version & in_ccache_version)) { /* ccache does not have a principal set for this credentials version */ err = cci_check_error (ccErrBadCredentialsVersion); } - + if (!err) { err = ccs_server_new_identifier (&credentials->identifier); } - + if (!err) { err = ccs_credentials_list_add (io_credentials_list, credentials); } - + if (!err) { *out_credentials = credentials; credentials = NULL; } - + ccs_credentials_release (credentials); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -87,14 +87,14 @@ cc_int32 ccs_credentials_new (ccs_credentials_t *out_credentials, cc_int32 ccs_credentials_release (ccs_credentials_t io_credentials) { cc_int32 err = ccNoError; - + if (!err && io_credentials) { cci_credentials_union_release (io_credentials->cred_union); cci_identifier_release (io_credentials->identifier); free (io_credentials); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -103,19 +103,19 @@ cc_int32 ccs_credentials_write (ccs_credentials_t in_credentials, k5_ipc_stream io_stream) { cc_int32 err = ccNoError; - + if (!in_credentials) { err = cci_check_error (ccErrBadParam); } if (!io_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_identifier_write (in_credentials->identifier, io_stream); } - + if (!err) { err = cci_credentials_union_write (in_credentials->cred_union, io_stream); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -125,16 +125,16 @@ cc_int32 ccs_credentials_compare_identifier (ccs_credentials_t in_credentials, cc_uint32 *out_equal) { cc_int32 err = ccNoError; - + if (!in_credentials) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_identifier_compare (in_credentials->identifier, - in_identifier, + err = cci_identifier_compare (in_credentials->identifier, + in_identifier, out_equal); } - + return cci_check_error (err); } diff --git a/src/ccapi/server/ccs_credentials_iterator.c b/src/ccapi/server/ccs_credentials_iterator.c index 3ca7eeeea..27751ed75 100644 --- a/src/ccapi/server/ccs_credentials_iterator.c +++ b/src/ccapi/server/ccs_credentials_iterator.c @@ -34,17 +34,17 @@ static cc_int32 ccs_credentials_iterator_release (ccs_credentials_iterator_t io_ k5_ipc_stream io_reply_data) { cc_int32 err = ccNoError; - + if (!io_credentials_iterator) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_credentials_list_iterator_release (io_credentials_iterator); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -56,22 +56,22 @@ static cc_int32 ccs_credentials_iterator_next (ccs_credentials_iterator_t io_cre { cc_int32 err = ccNoError; ccs_credentials_t credentials = NULL; - + if (!io_credentials_iterator) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_credentials_list_iterator_next (io_credentials_iterator, &credentials); } - + if (!err) { err = ccs_credentials_write (credentials, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -83,23 +83,23 @@ static cc_int32 ccs_credentials_iterator_clone (ccs_credentials_iterator_t io_c { cc_int32 err = ccNoError; ccs_credentials_iterator_t credentials_iterator = NULL; - + if (!io_credentials_iterator) { err = cci_check_error (ccErrBadParam); } if (!io_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_request_data ) { err = cci_check_error (ccErrBadParam); } if (!io_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_credentials_list_iterator_clone (io_credentials_iterator, &credentials_iterator); } - + if (!err) { - err = ccs_credentials_list_iterator_write (credentials_iterator, + err = ccs_credentials_list_iterator_write (credentials_iterator, io_reply_data); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -116,45 +116,44 @@ static cc_int32 ccs_credentials_iterator_clone (ccs_credentials_iterator_t io_c { cc_int32 err = ccNoError; k5_ipc_stream reply_data = NULL; - + if (!in_request_data) { err = cci_check_error (ccErrBadParam); } if (!out_reply_data ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = krb5int_ipc_stream_new (&reply_data); } - + if (!err) { if (in_request_name == cci_credentials_iterator_release_msg_id) { err = ccs_credentials_iterator_release (io_credentials_iterator, io_ccache, in_request_data, reply_data); - + } else if (in_request_name == cci_credentials_iterator_next_msg_id) { err = ccs_credentials_iterator_next (io_credentials_iterator, io_ccache, in_request_data, reply_data); - + } else if (in_request_name == cci_credentials_iterator_clone_msg_id) { err = ccs_credentials_iterator_clone (io_credentials_iterator, io_ccache, in_request_data, reply_data); - + } else { err = ccErrBadInternalMessage; } } - + if (!err) { *out_reply_data = reply_data; reply_data = NULL; /* take ownership */ } - + krb5int_ipc_stream_release (reply_data); - + return cci_check_error (err); } - diff --git a/src/ccapi/server/ccs_list.c b/src/ccapi/server/ccs_list.c index c5b1eb421..8896734b8 100644 --- a/src/ccapi/server/ccs_list.c +++ b/src/ccapi/server/ccs_list.c @@ -49,7 +49,7 @@ static cc_int32 ccs_cache_collection_list_object_compare_identifier (ccs_list_ob cc_int32 ccs_cache_collection_list_new (ccs_cache_collection_list_t *out_list) { - return ccs_list_new (out_list, + return ccs_list_new (out_list, ccErrInvalidContext, ccErrInvalidContext, ccs_cache_collection_list_object_compare_identifier, @@ -122,7 +122,7 @@ static cc_int32 ccs_ccache_list_object_compare_identifier (ccs_list_object_t in cc_int32 ccs_ccache_list_new (ccs_ccache_list_t *out_list) { - return ccs_list_new (out_list, + return ccs_list_new (out_list, ccErrInvalidCCache, ccErrInvalidCCacheIterator, ccs_ccache_list_object_compare_identifier, @@ -161,7 +161,7 @@ cc_int32 ccs_ccache_list_find_iterator (ccs_ccache_list_t in_list, cci_identifier_t in_identifier, ccs_ccache_list_iterator_t *out_list_iterator) { - return ccs_list_find_iterator (in_list, in_identifier, + return ccs_list_find_iterator (in_list, in_identifier, (ccs_list_iterator_t *) out_list_iterator); } @@ -201,7 +201,7 @@ cc_int32 ccs_ccache_list_release (ccs_ccache_list_t io_list) cc_int32 ccs_ccache_list_iterator_write (ccs_ccache_list_iterator_t in_list_iterator, k5_ipc_stream in_stream) { - return ccs_list_iterator_write (in_list_iterator, in_stream); + return ccs_list_iterator_write (in_list_iterator, in_stream); } /* ------------------------------------------------------------------------ */ @@ -253,8 +253,8 @@ static cc_int32 ccs_credentials_list_object_compare_identifier (ccs_list_object_ cc_int32 ccs_credentials_list_new (ccs_credentials_list_t *out_list) { - return ccs_list_new (out_list, - ccErrInvalidCredentials, + return ccs_list_new (out_list, + ccErrInvalidCredentials, ccErrInvalidCredentialsIterator, ccs_credentials_list_object_compare_identifier, ccs_credentials_list_object_release); @@ -292,7 +292,7 @@ cc_int32 ccs_credentials_list_find_iterator (ccs_credentials_list_t in cci_identifier_t in_identifier, ccs_credentials_list_iterator_t *out_list_iterator) { - return ccs_list_find_iterator (in_list, in_identifier, + return ccs_list_find_iterator (in_list, in_identifier, (ccs_list_iterator_t *) out_list_iterator); } @@ -324,7 +324,7 @@ cc_int32 ccs_credentials_list_release (ccs_credentials_list_t io_list) cc_int32 ccs_credentials_list_iterator_write (ccs_credentials_list_iterator_t in_list_iterator, k5_ipc_stream in_stream) { - return ccs_list_iterator_write (in_list_iterator, in_stream); + return ccs_list_iterator_write (in_list_iterator, in_stream); } /* ------------------------------------------------------------------------ */ diff --git a/src/ccapi/server/ccs_list_internal.c b/src/ccapi/server/ccs_list_internal.c index 74bc45a6a..834a7bc47 100644 --- a/src/ccapi/server/ccs_list_internal.c +++ b/src/ccapi/server/ccs_list_internal.c @@ -84,37 +84,37 @@ cc_int32 ccs_list_new (ccs_list_t *out_list, { cc_int32 err = ccNoError; ccs_list_t list = NULL; - + if (!out_list) { err = cci_check_error (ccErrBadParam); } - + if (!err) { list = malloc (sizeof (*list)); - if (list) { + if (list) { *list = ccs_list_initializer; list->object_not_found_err = in_object_not_found_err; list->iterator_not_found_err = in_iterator_not_found_err; list->object_compare_identifier = in_object_compare_identifier; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = cci_array_new (&list->objects, in_object_release); } - + if (!err) { err = cci_array_new (&list->iterators, ccs_list_iterator_object_release); } - + if (!err) { *out_list = list; list = NULL; } - + ccs_list_release (list); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -122,14 +122,14 @@ cc_int32 ccs_list_new (ccs_list_t *out_list, cc_int32 ccs_list_release (ccs_list_t io_list) { cc_int32 err = ccNoError; - - if (!err && io_list) { + + if (!err && io_list) { cci_array_release (io_list->iterators); cci_array_release (io_list->objects); free (io_list); } - - return err; + + return err; } /* ------------------------------------------------------------------------ */ @@ -138,8 +138,8 @@ cc_int32 ccs_list_new_iterator (ccs_list_t io_list, ccs_pipe_t in_client_pipe, ccs_list_iterator_t *out_list_iterator) { - return cci_check_error (ccs_list_iterator_new (out_list_iterator, - io_list, + return cci_check_error (ccs_list_iterator_new (out_list_iterator, + io_list, in_client_pipe)); } @@ -150,19 +150,19 @@ cc_int32 ccs_list_release_iterator (ccs_list_t io_list, { cc_int32 err = ccNoError; ccs_list_iterator_t iterator = NULL; - + if (!io_list ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_list_find_iterator (io_list, in_identifier, &iterator); } - + if (!err) { err = ccs_list_iterator_release (iterator); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -171,15 +171,15 @@ cc_int32 ccs_list_count (ccs_list_t in_list, cc_uint64 *out_count) { cc_int32 err = ccNoError; - + if (!in_list ) { err = cci_check_error (ccErrBadParam); } if (!out_count) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_count = cci_array_count (in_list->objects); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -187,7 +187,7 @@ cc_int32 ccs_list_count (ccs_list_t in_list, static ccs_list_iterator_t ccs_list_iterator_at_index (ccs_list_t in_list, cc_uint64 in_index) { - return (ccs_list_iterator_t) cci_array_object_at_index (in_list->iterators, in_index); + return (ccs_list_iterator_t) cci_array_object_at_index (in_list->iterators, in_index); } /* ------------------------------------------------------------------------ */ @@ -198,33 +198,33 @@ static cc_int32 ccs_list_find_index (ccs_list_t in_list, { cc_int32 err = ccNoError; cc_int32 found = 0; - + if (!in_list ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_object_index) { err = cci_check_error (ccErrBadParam); } - + if (!err && !found) { cc_uint64 i; - + for (i = 0; !err && i < cci_array_count (in_list->objects); i++) { cc_uint32 equal = 0; cci_array_object_t object = cci_array_object_at_index (in_list->objects, i); - + err = in_list->object_compare_identifier (object, in_identifier, &equal); - + if (!err && equal) { found = 1; *out_object_index = i; break; } - } + } } - + if (!err && !found) { - err = cci_check_error (in_list->object_not_found_err); + err = cci_check_error (in_list->object_not_found_err); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -234,20 +234,20 @@ cc_int32 ccs_list_find (ccs_list_t in_list, { cc_int32 err = ccNoError; cc_uint64 i; - + if (!in_list ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier) { err = cci_check_error (ccErrBadParam); } if (!out_object ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_list_find_index (in_list, in_identifier, &i); } - + if (!err) { *out_object = cci_array_object_at_index (in_list->objects, i); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -258,33 +258,33 @@ static cc_int32 ccs_list_find_iterator_index (ccs_list_t in_list, { cc_int32 err = ccNoError; cc_int32 found = 0; - + if (!in_list ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_object_index) { err = cci_check_error (ccErrBadParam); } - + if (!err && !found) { cc_uint64 i; - + for (i = 0; !err && i < cci_array_count (in_list->iterators); i++) { cc_uint32 equal = 0; ccs_list_iterator_t iterator = ccs_list_iterator_at_index (in_list, i); - + err = cci_identifier_compare (iterator->identifier, in_identifier, &equal); - + if (!err && equal) { found = 1; *out_object_index = i; break; } - } + } } - + if (!err && !found) { // Don't report this error to the log file. Non-fatal. - return in_list->object_not_found_err; + return in_list->object_not_found_err; } else { - return cci_check_error (err); + return cci_check_error (err); } } @@ -296,20 +296,20 @@ cc_int32 ccs_list_find_iterator (ccs_list_t in_list, { cc_int32 err = ccNoError; cc_uint64 i; - + if (!in_list ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier ) { err = cci_check_error (ccErrBadParam); } if (!out_list_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_list_find_iterator_index (in_list, in_identifier, &i); } - + if (!err) { *out_list_iterator = ccs_list_iterator_at_index (in_list, i); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -319,28 +319,28 @@ cc_int32 ccs_list_add (ccs_list_t io_list, { cc_int32 err = ccNoError; cc_uint64 add_index; - + if (!io_list ) { err = cci_check_error (ccErrBadParam); } if (!in_object) { err = cci_check_error (ccErrBadParam); } - + if (!err) { add_index = cci_array_count (io_list->objects); - + err = cci_array_insert (io_list->objects, in_object, add_index); } - + if (!err) { /* Fixup iterator indexes */ cc_uint64 i; - + for (i = 0; !err && i < cci_array_count (io_list->iterators); i++) { ccs_list_iterator_t iterator = ccs_list_iterator_at_index (io_list, i); - + err = ccs_list_iterator_update (iterator, ccs_list_action_insert, add_index); - } - } - - return cci_check_error (err); + } + } + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -350,30 +350,30 @@ cc_int32 ccs_list_remove (ccs_list_t io_list, { cc_int32 err = ccNoError; cc_uint64 remove_index; - + if (!io_list ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_list_find_index (io_list, in_identifier, &remove_index); } - + if (!err) { err = cci_array_remove (io_list->objects, remove_index); } - + if (!err) { /* Fixup iterator indexes */ cc_uint64 i; - + for (i = 0; !err && i < cci_array_count (io_list->iterators); i++) { ccs_list_iterator_t iterator = ccs_list_iterator_at_index (io_list, i); - + err = ccs_list_iterator_update (iterator, ccs_list_action_remove, remove_index); - } - } - - return cci_check_error (err); + } + } + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -383,32 +383,32 @@ cc_int32 ccs_list_push_front (ccs_list_t io_list, { cc_int32 err = ccNoError; cc_uint64 push_front_index; - + if (!io_list ) { err = cci_check_error (ccErrBadParam); } if (!in_identifier) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_list_find_index (io_list, in_identifier, &push_front_index); } - + if (!err) { - err = cci_array_push_front (io_list->objects, push_front_index); + err = cci_array_push_front (io_list->objects, push_front_index); } - + if (!err) { /* Fixup iterator indexes */ cc_uint64 i; - + for (i = 0; !err && i < cci_array_count (io_list->iterators); i++) { ccs_list_iterator_t iterator = ccs_list_iterator_at_index (io_list, i); - - err = ccs_list_iterator_update (iterator, - ccs_list_action_push_front, + + err = ccs_list_iterator_update (iterator, + ccs_list_action_push_front, push_front_index); - } - } - - return cci_check_error (err); + } + } + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -423,20 +423,20 @@ static cc_int32 ccs_list_iterator_new (ccs_list_iterator_t *out_list_iterator, { cc_int32 err = ccNoError; ccs_list_iterator_t list_iterator = NULL; - + if (!out_list_iterator) { err = cci_check_error (ccErrBadParam); } if (!io_list ) { err = cci_check_error (ccErrBadParam); } /* client_pipe may be NULL if the iterator exists for internal server use */ - + if (!err) { list_iterator = malloc (sizeof (*list_iterator)); - if (list_iterator) { + if (list_iterator) { *list_iterator = ccs_list_iterator_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = ccs_server_new_identifier (&list_iterator->identifier); } @@ -444,21 +444,21 @@ static cc_int32 ccs_list_iterator_new (ccs_list_iterator_t *out_list_iterator, if (!err) { list_iterator->list = io_list; list_iterator->current = 0; - - err = cci_array_insert (io_list->iterators, - (cci_array_object_t) list_iterator, + + err = cci_array_insert (io_list->iterators, + (cci_array_object_t) list_iterator, cci_array_count (io_list->iterators)); } - + if (!err && ccs_pipe_valid (in_client_pipe)) { ccs_client_t client = NULL; - + err = ccs_pipe_copy (&list_iterator->client_pipe, in_client_pipe); - + if (!err) { err = ccs_server_client_for_pipe (in_client_pipe, &client); } - + if (!err) { err = ccs_client_add_iterator (client, list_iterator); } @@ -468,10 +468,10 @@ static cc_int32 ccs_list_iterator_new (ccs_list_iterator_t *out_list_iterator, *out_list_iterator = list_iterator; list_iterator = NULL; } - + ccs_list_iterator_release (list_iterator); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -480,16 +480,16 @@ cc_int32 ccs_list_iterator_write (ccs_list_iterator_t in_list_iterator, k5_ipc_stream in_stream) { cc_int32 err = ccNoError; - + if (!in_list_iterator) { err = cci_check_error (ccErrBadParam); } if (!in_stream ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = cci_identifier_write (in_list_iterator->identifier, + err = cci_identifier_write (in_list_iterator->identifier, in_stream); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -499,26 +499,26 @@ cc_int32 ccs_list_iterator_clone (ccs_list_iterator_t in_list_iterator, { cc_int32 err = ccNoError; ccs_list_iterator_t list_iterator = NULL; - + if (!in_list_iterator ) { err = cci_check_error (ccErrBadParam); } if (!out_list_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_list_iterator_new (&list_iterator, - in_list_iterator->list, + err = ccs_list_iterator_new (&list_iterator, + in_list_iterator->list, in_list_iterator->client_pipe); } - + if (!err) { list_iterator->current = in_list_iterator->current; *out_list_iterator = list_iterator; list_iterator = NULL; } - + ccs_list_iterator_release (list_iterator); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -527,27 +527,27 @@ static cc_int32 ccs_list_iterator_object_release (cci_array_object_t io_list_ite { cc_int32 err = ccNoError; ccs_list_iterator_t list_iterator = (ccs_list_iterator_t) io_list_iterator; - + if (!io_list_iterator) { err = ccErrBadParam; } - + if (!err && ccs_pipe_valid (list_iterator->client_pipe)) { ccs_client_t client = NULL; err = ccs_server_client_for_pipe (list_iterator->client_pipe, &client); - + if (!err && client) { /* if client object still has a reference to us, remove it */ err = ccs_client_remove_iterator (client, list_iterator); } } - + if (!err) { ccs_pipe_release (list_iterator->client_pipe); cci_identifier_release (list_iterator->identifier); free (io_list_iterator); } - - return err; + + return err; } /* ------------------------------------------------------------------------ */ @@ -555,12 +555,12 @@ static cc_int32 ccs_list_iterator_object_release (cci_array_object_t io_list_ite cc_int32 ccs_list_iterator_release (ccs_list_iterator_t io_list_iterator) { cc_int32 err = ccNoError; - + if (!err && io_list_iterator) { cc_uint64 i = 0; - - if (ccs_list_find_iterator_index (io_list_iterator->list, - io_list_iterator->identifier, + + if (ccs_list_find_iterator_index (io_list_iterator->list, + io_list_iterator->identifier, &i) == ccNoError) { /* cci_array_remove will call ccs_list_iterator_object_release */ err = cci_array_remove (io_list_iterator->list->iterators, i); @@ -568,8 +568,8 @@ cc_int32 ccs_list_iterator_release (ccs_list_iterator_t io_list_iterator) cci_debug_printf ("Warning: iterator not in iterator list!"); } } - - return err; + + return err; } /* ------------------------------------------------------------------------ */ @@ -578,20 +578,20 @@ cc_int32 ccs_list_iterator_invalidate (ccs_list_iterator_t io_list_iterator) { cc_int32 err = ccNoError; ccs_list_iterator_t list_iterator = (ccs_list_iterator_t) io_list_iterator; - + if (!io_list_iterator) { err = ccErrBadParam; } - + if (!err) { /* Client owner died. Remove client reference and then the iterator. */ - if (ccs_pipe_valid (list_iterator->client_pipe)) { + if (ccs_pipe_valid (list_iterator->client_pipe)) { ccs_pipe_release (list_iterator->client_pipe); list_iterator->client_pipe = CCS_PIPE_NULL; } - + err = ccs_list_iterator_release (io_list_iterator); } - - return err; + + return err; } /* ------------------------------------------------------------------------ */ @@ -600,20 +600,20 @@ cc_int32 ccs_list_iterator_current (ccs_list_iterator_t io_list_iterator, ccs_list_object_t *out_object) { cc_int32 err = ccNoError; - + if (!io_list_iterator) { err = cci_check_error (ccErrBadParam); } if (!out_object ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { if (io_list_iterator->current < cci_array_count (io_list_iterator->list->objects)) { - *out_object = cci_array_object_at_index (io_list_iterator->list->objects, + *out_object = cci_array_object_at_index (io_list_iterator->list->objects, io_list_iterator->current); } else { err = ccIteratorEnd; } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -622,21 +622,21 @@ cc_int32 ccs_list_iterator_next (ccs_list_iterator_t io_list_iterator, ccs_list_object_t *out_object) { cc_int32 err = ccNoError; - + if (!io_list_iterator) { err = cci_check_error (ccErrBadParam); } if (!out_object ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { if (io_list_iterator->current < cci_array_count (io_list_iterator->list->objects)) { - *out_object = cci_array_object_at_index (io_list_iterator->list->objects, + *out_object = cci_array_object_at_index (io_list_iterator->list->objects, io_list_iterator->current); io_list_iterator->current++; } else { err = ccIteratorEnd; } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -646,9 +646,9 @@ static cc_int32 ccs_list_iterator_update (ccs_list_iterator_t io_list_iterator, cc_uint64 in_object_index) { cc_int32 err = ccNoError; - + if (!io_list_iterator) { err = cci_check_error (ccErrBadParam); } - + if (!err) { /* When the list changes adjust the current index so that */ /* we don't unnecessarily skip or double count items */ @@ -656,22 +656,21 @@ static cc_int32 ccs_list_iterator_update (ccs_list_iterator_t io_list_iterator, if (io_list_iterator->current > in_object_index) { io_list_iterator->current++; } - + } else if (in_action == ccs_list_action_remove) { if (io_list_iterator->current >= in_object_index) { io_list_iterator->current--; } - + } else if (in_action == ccs_list_action_push_front) { if (io_list_iterator->current < in_object_index) { io_list_iterator->current++; } - + } else { err = cci_check_error (ccErrBadParam); } } - - return cci_check_error (err); -} + return cci_check_error (err); +} diff --git a/src/ccapi/server/ccs_lock.c b/src/ccapi/server/ccs_lock.c index 639bd1732..23756b49c 100644 --- a/src/ccapi/server/ccs_lock.c +++ b/src/ccapi/server/ccs_lock.c @@ -48,48 +48,48 @@ cc_int32 ccs_lock_new (ccs_lock_t *out_lock, { cc_int32 err = ccNoError; ccs_lock_t lock = NULL; - + if (!out_lock ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } if (!in_lock_state_owner ) { err = cci_check_error (ccErrBadParam); } - - if (in_type != cc_lock_read && + + if (in_type != cc_lock_read && in_type != cc_lock_write && in_type != cc_lock_upgrade && - in_type != cc_lock_downgrade) { - err = cci_check_error (ccErrBadLockType); + in_type != cc_lock_downgrade) { + err = cci_check_error (ccErrBadLockType); } - + if (!err) { lock = malloc (sizeof (*lock)); - if (lock) { + if (lock) { *lock = ccs_lock_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { lock->type = in_type; lock->lock_state_owner = in_lock_state_owner; - err = ccs_callback_new (&lock->callback, - in_invalid_object_err, - in_client_pipe, + err = ccs_callback_new (&lock->callback, + in_invalid_object_err, + in_client_pipe, in_reply_pipe, (ccs_callback_owner_t) lock, ccs_lock_invalidate_callback); } - + if (!err) { *out_lock = lock; lock = NULL; } - + ccs_lock_release (lock); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -97,13 +97,13 @@ cc_int32 ccs_lock_new (ccs_lock_t *out_lock, cc_int32 ccs_lock_release (ccs_lock_t io_lock) { cc_int32 err = ccNoError; - + if (!err && io_lock) { ccs_callback_release (io_lock->callback); free (io_lock); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -112,17 +112,17 @@ static cc_int32 ccs_lock_invalidate_callback (ccs_callback_owner_t io_lock, ccs_callback_t in_callback) { cc_int32 err = ccNoError; - + if (!io_lock ) { err = cci_check_error (ccErrBadParam); } if (!in_callback) { err = cci_check_error (ccErrBadParam); } - + if (!err) { ccs_lock_t lock = (ccs_lock_t) io_lock; - + err = ccs_lock_state_invalidate_lock (lock->lock_state_owner, lock); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -130,14 +130,14 @@ static cc_int32 ccs_lock_invalidate_callback (ccs_callback_owner_t io_lock, cc_int32 ccs_lock_grant_lock (ccs_lock_t io_lock) { cc_int32 err = ccNoError; - + if (!io_lock) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_callback_reply_to_client (io_lock->callback, NULL); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -146,15 +146,15 @@ cc_uint32 ccs_lock_is_pending (ccs_lock_t in_lock, cc_uint32 *out_pending) { cc_int32 err = ccNoError; - + if (!in_lock ) { err = cci_check_error (ccErrBadParam); } if (!out_pending) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_callback_is_pending (in_lock->callback, out_pending); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -163,15 +163,15 @@ cc_int32 ccs_lock_type (ccs_lock_t in_lock, cc_uint32 *out_lock_type) { cc_int32 err = ccNoError; - + if (!in_lock ) { err = cci_check_error (ccErrBadParam); } if (!out_lock_type) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_lock_type = in_lock->type; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -180,16 +180,16 @@ cc_int32 ccs_lock_is_read_lock (ccs_lock_t in_lock, cc_uint32 *out_is_read_lock) { cc_int32 err = ccNoError; - + if (!in_lock ) { err = cci_check_error (ccErrBadParam); } if (!out_is_read_lock) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - *out_is_read_lock = (in_lock->type == cc_lock_read || + *out_is_read_lock = (in_lock->type == cc_lock_read || in_lock->type == cc_lock_downgrade); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -198,16 +198,16 @@ cc_int32 ccs_lock_is_write_lock (ccs_lock_t in_lock, cc_uint32 *out_is_write_lock) { cc_int32 err = ccNoError; - + if (!in_lock ) { err = cci_check_error (ccErrBadParam); } if (!out_is_write_lock) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - *out_is_write_lock = (in_lock->type == cc_lock_write || + *out_is_write_lock = (in_lock->type == cc_lock_write || in_lock->type == cc_lock_upgrade); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -217,17 +217,17 @@ cc_int32 ccs_lock_is_for_client_pipe (ccs_lock_t in_lock, cc_uint32 *out_is_for_client_pipe) { cc_int32 err = ccNoError; - + if (!in_lock ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!out_is_for_client_pipe ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_callback_is_for_client_pipe (in_lock->callback, in_client_pipe, + err = ccs_callback_is_for_client_pipe (in_lock->callback, in_client_pipe, out_is_for_client_pipe); } - - return cci_check_error (err); + + return cci_check_error (err); } @@ -237,13 +237,13 @@ cc_int32 ccs_lock_client_pipe (ccs_lock_t in_lock, ccs_pipe_t *out_client_pipe) { cc_int32 err = ccNoError; - + if (!in_lock ) { err = cci_check_error (ccErrBadParam); } if (!out_client_pipe) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_callback_client_pipe (in_lock->callback, out_client_pipe); } - - return cci_check_error (err); + + return cci_check_error (err); } diff --git a/src/ccapi/server/ccs_lock_state.c b/src/ccapi/server/ccs_lock_state.c index 516a1e26a..94edcec0f 100644 --- a/src/ccapi/server/ccs_lock_state.c +++ b/src/ccapi/server/ccs_lock_state.c @@ -38,41 +38,41 @@ struct ccs_lock_state_d ccs_lock_state_initializer = { 1, 1, 1, NULL, 0 }; /* ------------------------------------------------------------------------ */ -cc_int32 ccs_lock_state_new (ccs_lock_state_t *out_lock_state, - cc_int32 in_invalid_object_err, - cc_int32 in_pending_lock_err, +cc_int32 ccs_lock_state_new (ccs_lock_state_t *out_lock_state, + cc_int32 in_invalid_object_err, + cc_int32 in_pending_lock_err, cc_int32 in_no_lock_err) { cc_int32 err = ccNoError; ccs_lock_state_t lock_state = NULL; - + if (!out_lock_state) { err = cci_check_error (ccErrBadParam); } - + if (!err) { lock_state = malloc (sizeof (*lock_state)); - if (lock_state) { + if (lock_state) { *lock_state = ccs_lock_state_initializer; } else { - err = cci_check_error (ccErrNoMem); + err = cci_check_error (ccErrNoMem); } } - + if (!err) { err = ccs_lock_array_new (&lock_state->locks); } - + if (!err) { lock_state->invalid_object_err = in_invalid_object_err; lock_state->pending_lock_err = in_pending_lock_err; lock_state->no_lock_err = in_no_lock_err; - + *out_lock_state = lock_state; lock_state = NULL; } - + ccs_lock_state_release (lock_state); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -80,13 +80,13 @@ cc_int32 ccs_lock_state_new (ccs_lock_state_t *out_lock_state, cc_int32 ccs_lock_state_release (ccs_lock_state_t io_lock_state) { cc_int32 err = ccNoError; - + if (!err && io_lock_state) { ccs_lock_array_release (io_lock_state->locks); free (io_lock_state); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -103,31 +103,31 @@ static cc_int32 ccs_lock_status_add_pending_lock (ccs_lock_state_t io_lock_stat { cc_int32 err = ccNoError; ccs_lock_t lock = NULL; - + if (!io_lock_state ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - err = ccs_lock_new (&lock, in_lock_type, + err = ccs_lock_new (&lock, in_lock_type, io_lock_state->invalid_object_err, - in_client_pipe, in_reply_pipe, + in_client_pipe, in_reply_pipe, io_lock_state); } - + if (!err) { err = ccs_lock_array_insert (io_lock_state->locks, lock, ccs_lock_array_count (io_lock_state->locks)); if (!err) { lock = NULL; /* take ownership */ } } - + if (!err) { *out_lock_index = ccs_lock_array_count (io_lock_state->locks) - 1; } - + ccs_lock_release (lock); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -136,18 +136,18 @@ static cc_int32 ccs_lock_status_remove_lock (ccs_lock_state_t io_lock_state, cc_uint64 in_lock_index) { cc_int32 err = ccNoError; - + if (!io_lock_state) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_lock_array_remove (io_lock_state->locks, in_lock_index); - - if (!err && in_lock_index < io_lock_state->first_pending_lock_index) { - io_lock_state->first_pending_lock_index--; + + if (!err && in_lock_index < io_lock_state->first_pending_lock_index) { + io_lock_state->first_pending_lock_index--; } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -160,36 +160,36 @@ static cc_int32 ccs_lock_status_grant_lock (ccs_lock_state_t io_lock_state, cc_uint32 type = 0; if (!io_lock_state) { err = cci_check_error (ccErrBadParam); } - + if (!err) { - pending_lock = ccs_lock_array_object_at_index (io_lock_state->locks, + pending_lock = ccs_lock_array_object_at_index (io_lock_state->locks, in_pending_lock_index); if (!pending_lock || in_pending_lock_index < io_lock_state->first_pending_lock_index) { err = cci_check_error (ccErrBadParam); } } - + if (!err) { err = ccs_lock_type (pending_lock, &type); } - + if (!err && (type == cc_lock_upgrade || type == cc_lock_downgrade)) { /* lock upgrades or downgrades. Find the old lock and remove it. */ ccs_pipe_t pending_client_pipe = CCS_PIPE_NULL; - + err = ccs_lock_client_pipe (pending_lock, &pending_client_pipe); if (!err) { cc_uint64 i; - + for (i = 0; !err && i < io_lock_state->first_pending_lock_index; i++) { ccs_lock_t lock = ccs_lock_array_object_at_index (io_lock_state->locks, i); cc_uint32 is_lock_for_client = 0; - + err = ccs_lock_is_for_client_pipe (lock, pending_client_pipe, &is_lock_for_client); - + if (!err && is_lock_for_client) { - cci_debug_printf ("%s: Removing old lock %p at index %d to replace with pending lock %p.", + cci_debug_printf ("%s: Removing old lock %p at index %d to replace with pending lock %p.", __FUNCTION__, lock, (int) i, pending_lock); err = ccs_lock_status_remove_lock (io_lock_state, i); if (!err) { i--; in_pending_lock_index--; /* We removed one so back up an index */ } @@ -198,22 +198,22 @@ static cc_int32 ccs_lock_status_grant_lock (ccs_lock_state_t io_lock_state, } } } - - if (!err) { + + if (!err) { cc_uint64 new_lock_index = 0; - err = ccs_lock_array_move (io_lock_state->locks, - in_pending_lock_index, + err = ccs_lock_array_move (io_lock_state->locks, + in_pending_lock_index, io_lock_state->first_pending_lock_index, &new_lock_index); if (!err) { io_lock_state->first_pending_lock_index++; } } - + if (!err) { err = ccs_lock_grant_lock (pending_lock); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -234,35 +234,35 @@ static cc_int32 ccs_lock_state_check_pending_lock (ccs_lock_state_t io_lock_sta cc_uint32 client_lock_type = 0; cc_uint64 client_lock_index = 0; cc_uint32 grant_lock = 0; - + if (!io_lock_state ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_pending_lock_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!out_grant_lock ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_uint64 i; cc_uint64 lock_count = io_lock_state->first_pending_lock_index; - + for (i = 0; !err && i < lock_count; i++) { ccs_lock_t lock = ccs_lock_array_object_at_index (io_lock_state->locks, i); cc_uint32 lock_type = 0; cc_uint32 lock_is_for_client = 0; - + err = ccs_lock_type (lock, &lock_type); - + if (!err) { - err = ccs_lock_is_for_client_pipe (lock, in_pending_lock_client_pipe, + err = ccs_lock_is_for_client_pipe (lock, in_pending_lock_client_pipe, &lock_is_for_client); } - + if (!err) { if (lock_type == cc_lock_write || lock_type == cc_lock_upgrade) { is_write_locked = 1; } - + if (!lock_is_for_client) { other_clients_have_locks = 1; - + } else if (!client_has_lock) { /* only record type of 1st lock */ client_has_lock = 1; client_lock_type = lock_type; @@ -271,35 +271,35 @@ static cc_int32 ccs_lock_state_check_pending_lock (ccs_lock_state_t io_lock_sta } } } - + if (!err) { cc_uint64 lock_count = io_lock_state->first_pending_lock_index; - + if (in_pending_lock_type == cc_lock_write) { if (client_has_lock) { err = cci_check_error (ccErrBadLockType); } else { grant_lock = (lock_count == 0); } - + } else if (in_pending_lock_type == cc_lock_read) { if (client_has_lock) { err = cci_check_error (ccErrBadLockType); } else { grant_lock = !is_write_locked; } - + } else if (in_pending_lock_type == cc_lock_upgrade) { - if (!client_has_lock || (client_lock_type != cc_lock_read && + if (!client_has_lock || (client_lock_type != cc_lock_read && client_lock_type != cc_lock_downgrade)) { err = cci_check_error (ccErrBadLockType); } else { /* don't grant if other clients have read locks */ - grant_lock = !other_clients_have_locks; + grant_lock = !other_clients_have_locks; } - + } else if (in_pending_lock_type == cc_lock_downgrade) { - if (!client_has_lock || (client_lock_type != cc_lock_write && + if (!client_has_lock || (client_lock_type != cc_lock_write && client_lock_type != cc_lock_upgrade)) { err = cci_check_error (ccErrBadLockType); } else { @@ -310,62 +310,62 @@ static cc_int32 ccs_lock_state_check_pending_lock (ccs_lock_state_t io_lock_sta err = cci_check_error (ccErrBadLockType); } } - + if (!err) { *out_grant_lock = grant_lock; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ -static cc_int32 ccs_lock_status_try_to_grant_pending_locks (ccs_lock_state_t io_lock_state) +static cc_int32 ccs_lock_status_try_to_grant_pending_locks (ccs_lock_state_t io_lock_state) { cc_int32 err = ccNoError; cc_uint32 done = 0; - + if (!io_lock_state) { err = cci_check_error (ccErrBadParam); } - - /* Look at the pending locks and see if we can grant them. + + /* Look at the pending locks and see if we can grant them. * Note that downgrade locks mean we must check all pending locks each pass * since a downgrade lock might be last in the list. */ - + while (!err && !done) { cc_uint64 i; cc_uint64 count = ccs_lock_array_count (io_lock_state->locks); cc_uint32 granted_lock = 0; - + for (i = io_lock_state->first_pending_lock_index; !err && i < count; i++) { ccs_lock_t lock = ccs_lock_array_object_at_index (io_lock_state->locks, i); cc_uint32 lock_type = 0; ccs_pipe_t client_pipe = CCS_PIPE_NULL; cc_uint32 can_grant_lock_now = 0; - + err = ccs_lock_client_pipe (lock, &client_pipe); - + if (!err) { err = ccs_lock_type (lock, &lock_type); } - + if (!err) { err = ccs_lock_state_check_pending_lock (io_lock_state, client_pipe, lock_type, &can_grant_lock_now); } - + if (!err && can_grant_lock_now) { err = ccs_lock_status_grant_lock (io_lock_state, i); if (!err) { granted_lock = 1; } } } - + if (!err && !granted_lock) { /* we walked over all the locks and couldn't grant any of them */ done = 1; } - } - - return cci_check_error (err); + } + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -383,54 +383,54 @@ cc_int32 ccs_lock_state_add (ccs_lock_state_t io_lock_state, { cc_int32 err = ccNoError; cc_uint32 can_grant_lock_now = 0; - + if (!io_lock_state ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } if (!out_will_send_reply ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { /* Sanity check: if there are any pending locks for this client * the client must have timed out waiting for our reply. Remove any * existing pending locks for the client. */ cc_uint64 i; - + for (i = io_lock_state->first_pending_lock_index; !err && i < ccs_lock_array_count (io_lock_state->locks); i++) { ccs_lock_t lock = ccs_lock_array_object_at_index (io_lock_state->locks, i); cc_uint32 has_pending_lock_for_client = 0; - + err = ccs_lock_is_for_client_pipe (lock, in_client_pipe, &has_pending_lock_for_client); - + if (!err && has_pending_lock_for_client) { - cci_debug_printf ("WARNING %s: Removing unexpected pending lock %p at index %d.", + cci_debug_printf ("WARNING %s: Removing unexpected pending lock %p at index %d.", __FUNCTION__, lock, (int) i); err = ccs_lock_status_remove_lock (io_lock_state, i); if (!err) { i--; /* We removed one so back up an index */ } } } } - + if (!err) { err = ccs_lock_state_check_pending_lock (io_lock_state, in_client_pipe, in_lock_type, &can_grant_lock_now); } - + if (!err) { if (!can_grant_lock_now && (in_block == cc_lock_noblock)) { err = cci_check_error (io_lock_state->pending_lock_err); - + } else { cc_uint64 new_lock_index = 0; - + err = ccs_lock_status_add_pending_lock (io_lock_state, in_client_pipe, in_reply_pipe, in_lock_type, &new_lock_index); - + if (!err && can_grant_lock_now) { err = ccs_lock_status_grant_lock (io_lock_state, new_lock_index); - + if (!err && (in_lock_type == cc_lock_downgrade)) { /* downgrades can allow us to grant other locks */ err = ccs_lock_status_try_to_grant_pending_locks (io_lock_state); @@ -438,13 +438,13 @@ cc_int32 ccs_lock_state_add (ccs_lock_state_t io_lock_state, } } } - + if (!err) { /* ccs_lock_state_add sends its replies via callback so caller shouldn't */ *out_will_send_reply = 1; } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -454,45 +454,45 @@ cc_int32 ccs_lock_state_remove (ccs_lock_state_t io_lock_state, { cc_int32 err = ccNoError; cc_uint32 found_lock = 0; - + if (!io_lock_state ) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } - + if (!err) { cc_uint64 i; - - /* Remove all locks for this client. + + /* Remove all locks for this client. * There should only be one so warn if there are multiple */ for (i = 0; !err && i < io_lock_state->first_pending_lock_index; i++) { ccs_lock_t lock = ccs_lock_array_object_at_index (io_lock_state->locks, i); cc_uint32 is_for_client = 0; - + err = ccs_lock_is_for_client_pipe (lock, in_client_pipe, &is_for_client); - + if (!err && is_for_client) { if (found_lock) { - cci_debug_printf ("WARNING %s: Found multiple locks for client.", + cci_debug_printf ("WARNING %s: Found multiple locks for client.", __FUNCTION__); } - + found_lock = 1; - + cci_debug_printf ("%s: Removing lock %p at index %d.", __FUNCTION__, lock, (int) i); err = ccs_lock_status_remove_lock (io_lock_state, i); if (!err) { i--; /* We removed one so back up an index */ } } } } - + if (!err && !found_lock) { err = cci_check_error (io_lock_state->no_lock_err); } - + if (!err) { err = ccs_lock_status_try_to_grant_pending_locks (io_lock_state); - } - - return cci_check_error (err); + } + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -501,26 +501,26 @@ cc_int32 ccs_lock_state_invalidate_lock (ccs_lock_state_t io_lock_state, ccs_lock_t in_lock) { cc_int32 err = ccNoError; - + if (!io_lock_state) { err = ccErrBadParam; } - + if (!err) { cc_uint64 i; cc_uint64 count = ccs_lock_array_count (io_lock_state->locks); - + for (i = 0; !err && i < count; i++) { ccs_lock_t lock = ccs_lock_array_object_at_index (io_lock_state->locks, i); - + if (lock == in_lock) { err = ccs_lock_status_remove_lock (io_lock_state, i); - + if (!err) { err = ccs_lock_status_try_to_grant_pending_locks (io_lock_state); break; - } + } } } } - - return cci_check_error (err); + + return cci_check_error (err); } diff --git a/src/ccapi/server/ccs_lock_state.h b/src/ccapi/server/ccs_lock_state.h index c6b9bdb0d..aa0c23a3c 100644 --- a/src/ccapi/server/ccs_lock_state.h +++ b/src/ccapi/server/ccs_lock_state.h @@ -29,9 +29,9 @@ #include "ccs_types.h" -cc_int32 ccs_lock_state_new (ccs_lock_state_t *out_lock_state, - cc_int32 in_invalid_object_err, - cc_int32 in_pending_lock_err, +cc_int32 ccs_lock_state_new (ccs_lock_state_t *out_lock_state, + cc_int32 in_invalid_object_err, + cc_int32 in_pending_lock_err, cc_int32 in_no_lock_err); cc_int32 ccs_lock_state_release (ccs_lock_state_t io_lock_state); diff --git a/src/ccapi/server/ccs_pipe.c b/src/ccapi/server/ccs_pipe.c index 0a65a0aeb..41ec60c79 100644 --- a/src/ccapi/server/ccs_pipe.c +++ b/src/ccapi/server/ccs_pipe.c @@ -40,7 +40,7 @@ cc_int32 ccs_pipe_compare (ccs_pipe_t in_pipe, ccs_pipe_t in_compare_to_pipe, cc_uint32 *out_equal) { - return ccs_os_pipe_compare (in_pipe, in_compare_to_pipe, out_equal); + return ccs_os_pipe_compare (in_pipe, in_compare_to_pipe, out_equal); } /* ------------------------------------------------------------------------ */ diff --git a/src/ccapi/server/ccs_server.c b/src/ccapi/server/ccs_server.c index 30476e407..469834196 100644 --- a/src/ccapi/server/ccs_server.c +++ b/src/ccapi/server/ccs_server.c @@ -38,35 +38,35 @@ ccs_client_array_t g_client_array = NULL; int main (int argc, const char *argv[]) { cc_int32 err = 0; - + if (!err) { err = ccs_os_server_initialize (argc, argv); } - + if (!err) { err = cci_identifier_new_uuid (&g_server_id); } - + if (!err) { err = ccs_cache_collection_new (&g_cache_collection); } - + if (!err) { err = ccs_client_array_new (&g_client_array); } - + if (!err) { err = ccs_os_server_listen_loop (argc, argv); } - + if (!err) { free (g_server_id); cci_check_error (ccs_cache_collection_release (g_cache_collection)); cci_check_error (ccs_client_array_release (g_client_array)); - + err = ccs_os_server_cleanup (argc, argv); } - + return cci_check_error (err) ? 1 : 0; } @@ -92,19 +92,19 @@ cc_int32 ccs_server_add_client (ccs_pipe_t in_connection_pipe) { cc_int32 err = ccNoError; ccs_client_t client = NULL; - + if (!err) { err = ccs_client_new (&client, in_connection_pipe); } - + if (!err) { cci_debug_printf ("%s: Adding client %p.", __FUNCTION__, client); - err = ccs_client_array_insert (g_client_array, + err = ccs_client_array_insert (g_client_array, client, ccs_client_array_count (g_client_array)); } - return cci_check_error (err); + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -117,26 +117,26 @@ cc_int32 ccs_server_remove_client (ccs_pipe_t in_connection_pipe) cc_uint64 i; cc_uint64 count = ccs_client_array_count (g_client_array); cc_uint32 found = 0; - + for (i = 0; !err && i < count; i++) { ccs_client_t client = ccs_client_array_object_at_index (g_client_array, i); - + err = ccs_client_uses_pipe (client, in_connection_pipe, &found); - + if (!err && found) { cci_debug_printf ("%s: Removing client %p.", __FUNCTION__, client); err = ccs_client_array_remove (g_client_array, i); break; } } - + if (!err && !found) { - cci_debug_printf ("WARNING %s() didn't find client in client list.", + cci_debug_printf ("WARNING %s() didn't find client in client list.", __FUNCTION__); - } + } } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -146,32 +146,32 @@ cc_int32 ccs_server_client_for_pipe (ccs_pipe_t in_client_pipe, { cc_int32 err = ccNoError; ccs_client_t client_for_pipe = NULL; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!out_client ) { err = cci_check_error (ccErrBadParam); } if (!err) { cc_uint64 i; cc_uint64 count = ccs_client_array_count (g_client_array); - + for (i = 0; !err && i < count; i++) { ccs_client_t client = ccs_client_array_object_at_index (g_client_array, i); cc_uint32 uses_pipe = 0; - + err = ccs_client_uses_pipe (client, in_client_pipe, &uses_pipe); - + if (!err && uses_pipe) { client_for_pipe = client; break; } } } - + if (!err) { *out_client = client_for_pipe; /* may be NULL if not found */ } - return cci_check_error (err); + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -181,19 +181,19 @@ cc_int32 ccs_server_client_is_valid (ccs_pipe_t in_client_pipe, { cc_int32 err = ccNoError; ccs_client_t client = NULL; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!out_client_is_valid ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = ccs_server_client_for_pipe (in_client_pipe, &client); } - + if (!err) { *out_client_is_valid = (client != NULL); } - - return cci_check_error (err); + + return cci_check_error (err); } #ifdef TARGET_OS_MAC @@ -221,9 +221,9 @@ static cc_int32 ccs_server_request_demux (ccs_pipe_t in_client_pipe if (!err) { if (in_request_name > cci_context_first_msg_id && in_request_name < cci_context_last_msg_id) { - /* Note: context identifier doesn't need to match. + /* Note: context identifier doesn't need to match. * Client just uses the identifier to detect server relaunch. */ - + if (!err) { err = ccs_cache_collection_handle_message (in_client_pipe, in_reply_pipe, @@ -233,15 +233,15 @@ static cc_int32 ccs_server_request_demux (ccs_pipe_t in_client_pipe out_will_block, out_reply_data); } - + } else if (in_request_name > cci_ccache_first_msg_id && in_request_name < cci_ccache_last_msg_id) { ccs_ccache_t ccache = NULL; - + err = ccs_cache_collection_find_ccache (in_cache_collection, in_request_identifier, - &ccache); - + &ccache); + if (!err) { err = ccs_ccache_handle_message (in_client_pipe, in_reply_pipe, @@ -251,16 +251,16 @@ static cc_int32 ccs_server_request_demux (ccs_pipe_t in_client_pipe in_request_data, out_will_block, out_reply_data); - } - + } + } else if (in_request_name > cci_ccache_iterator_first_msg_id && in_request_name < cci_ccache_iterator_last_msg_id) { ccs_ccache_iterator_t ccache_iterator = NULL; - + err = ccs_cache_collection_find_ccache_iterator (in_cache_collection, in_request_identifier, - &ccache_iterator); - + &ccache_iterator); + if (!err) { err = ccs_ccache_iterator_handle_message (ccache_iterator, in_cache_collection, @@ -268,21 +268,21 @@ static cc_int32 ccs_server_request_demux (ccs_pipe_t in_client_pipe in_request_data, out_reply_data); } - + if (!err) { *out_will_block = 0; /* can't block */ } - + } else if (in_request_name > cci_credentials_iterator_first_msg_id && in_request_name < cci_credentials_iterator_last_msg_id) { ccs_credentials_iterator_t credentials_iterator = NULL; ccs_ccache_t ccache = NULL; - + err = ccs_cache_collection_find_credentials_iterator (in_cache_collection, in_request_identifier, &ccache, - &credentials_iterator); - + &credentials_iterator); + if (!err) { err = ccs_credentials_iterator_handle_message (credentials_iterator, ccache, @@ -290,16 +290,16 @@ static cc_int32 ccs_server_request_demux (ccs_pipe_t in_client_pipe in_request_data, out_reply_data); } - + if (!err) { *out_will_block = 0; /* can't block */ } - + } else { err = ccErrBadInternalMessage; } } - + return cci_check_error (err); } @@ -318,46 +318,46 @@ cc_int32 ccs_server_handle_request (ccs_pipe_t in_client_pipe, cci_identifier_t request_identifier = NULL; cc_uint32 will_block = 0; k5_ipc_stream reply_data = NULL; - + if (!ccs_pipe_valid (in_client_pipe)) { err = cci_check_error (ccErrBadParam); } if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } if (!in_request ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_message_read_request_header (in_request, &request_name, &request_identifier); } - + if (!err) { cc_uint32 server_err = 0; cc_uint32 valid = 0; ccs_cache_collection_t cache_collection = g_cache_collection; - - server_err = cci_identifier_is_for_server (request_identifier, - g_server_id, + + server_err = cci_identifier_is_for_server (request_identifier, + g_server_id, &valid); - + if (!server_err && !valid) { server_err = cci_message_invalid_object_err (request_name); } - + if (!server_err) { - - /* Monolithic server implementation would need to select + + /* Monolithic server implementation would need to select * cache collection here. Currently we only support per-user * servers so we always use the same cache collection. */ - + server_err = ccs_server_request_demux (in_client_pipe, in_reply_pipe, cache_collection, request_name, request_identifier, - in_request, + in_request, &will_block, &reply_data); } - + if (server_err || !will_block) { /* send a reply now if the server isn't blocked on something */ @@ -367,8 +367,8 @@ cc_int32 ccs_server_handle_request (ccs_pipe_t in_client_pipe, cci_identifier_release (request_identifier); krb5int_ipc_stream_release (reply_data); - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -379,24 +379,24 @@ cc_int32 ccs_server_send_reply (ccs_pipe_t in_reply_pipe, { cc_int32 err = ccNoError; k5_ipc_stream reply = NULL; - + if (!ccs_pipe_valid (in_reply_pipe) ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { err = cci_message_new_reply_header (&reply, in_reply_err); } - + if (!err && in_reply_data && krb5int_ipc_stream_size (in_reply_data) > 0) { - err = krb5int_ipc_stream_write (reply, - krb5int_ipc_stream_data (in_reply_data), + err = krb5int_ipc_stream_write (reply, + krb5int_ipc_stream_data (in_reply_data), krb5int_ipc_stream_size (in_reply_data)); } - + if (!err) { err = ccs_os_server_send_reply (in_reply_pipe, reply); } - + krb5int_ipc_stream_release (reply); - - return cci_check_error (err); + + return cci_check_error (err); } diff --git a/src/ccapi/server/mac/ccs_os_notify.c b/src/ccapi/server/mac/ccs_os_notify.c index 920282316..84501fbd6 100644 --- a/src/ccapi/server/mac/ccs_os_notify.c +++ b/src/ccapi/server/mac/ccs_os_notify.c @@ -33,22 +33,22 @@ cc_int32 ccs_os_notify_cache_collection_changed (ccs_cache_collection_t io_cache_collection) { cc_int32 err = ccNoError; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } - + if (!err) { CFNotificationCenterRef center = CFNotificationCenterGetDistributedCenter (); - if (center) { + if (center) { CFNotificationCenterPostNotification (center, kCCAPICacheCollectionChangedNotification, NULL, NULL, TRUE); } } - - - - return cci_check_error (err); + + + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -57,24 +57,24 @@ cc_int32 ccs_os_notify_ccache_changed (ccs_cache_collection_t io_cache_collecti const char *in_ccache_name) { cc_int32 err = ccNoError; - + if (!io_cache_collection) { err = cci_check_error (ccErrBadParam); } if (!in_ccache_name ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { CFNotificationCenterRef center = CFNotificationCenterGetDistributedCenter (); CFStringRef name = CFStringCreateWithCString (kCFAllocatorDefault, in_ccache_name, kCFStringEncodingUTF8); - - if (center && name) { + + if (center && name) { CFNotificationCenterPostNotification (center, kCCAPICCacheChangedNotification, name, NULL, TRUE); } - + if (name) { CFRelease (name); } } - - return cci_check_error (err); + + return cci_check_error (err); } diff --git a/src/ccapi/server/mac/ccs_os_pipe.c b/src/ccapi/server/mac/ccs_os_pipe.c index 91227676c..0462a64e6 100644 --- a/src/ccapi/server/mac/ccs_os_pipe.c +++ b/src/ccapi/server/mac/ccs_os_pipe.c @@ -44,16 +44,16 @@ cc_int32 ccs_os_pipe_compare (ccs_pipe_t in_pipe, cc_uint32 *out_equal) { cc_int32 err = ccNoError; - + if (!in_pipe ) { err = cci_check_error (ccErrBadParam); } if (!in_compare_to_pipe) { err = cci_check_error (ccErrBadParam); } if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - + if (!err) { *out_equal = (in_pipe == in_compare_to_pipe); } - - return cci_check_error (err); + + return cci_check_error (err); } /* ------------------------------------------------------------------------ */ @@ -62,9 +62,9 @@ cc_int32 ccs_os_pipe_copy (ccs_pipe_t *out_pipe, ccs_pipe_t in_pipe) { cc_int32 err = 0; - + *out_pipe = in_pipe; - + return cci_check_error (err); } @@ -73,9 +73,8 @@ cc_int32 ccs_os_pipe_copy (ccs_pipe_t *out_pipe, cc_int32 ccs_os_pipe_release (ccs_pipe_t io_pipe) { cc_int32 err = 0; - + /* Nothing to do here on Mac OS X */ - + return cci_check_error (err); } - diff --git a/src/ccapi/server/mac/ccs_os_server.c b/src/ccapi/server/mac/ccs_os_server.c index 98bc6b30a..276c1ad14 100644 --- a/src/ccapi/server/mac/ccs_os_server.c +++ b/src/ccapi/server/mac/ccs_os_server.c @@ -51,8 +51,8 @@ kern_return_t k5_ipc_server_handle_request (mach_port_t in_connection_port, mach_port_t in_reply_port, k5_ipc_stream in_request_stream) { - return cci_check_error (ccs_server_handle_request (in_connection_port, - in_reply_port, + return cci_check_error (ccs_server_handle_request (in_connection_port, + in_reply_port, in_request_stream)); } @@ -63,10 +63,10 @@ kern_return_t k5_ipc_server_handle_request (mach_port_t in_connection_port, cc_int32 ccs_os_server_initialize (int argc, const char *argv[]) { cc_int32 err = 0; - + openlog (argv[0], LOG_CONS | LOG_PID, LOG_AUTH); - syslog (LOG_INFO, "Starting up."); - + syslog (LOG_INFO, "Starting up."); + return cci_check_error (err); } @@ -75,9 +75,9 @@ cc_int32 ccs_os_server_initialize (int argc, const char *argv[]) cc_int32 ccs_os_server_cleanup (int argc, const char *argv[]) { cc_int32 err = 0; - + syslog (LOG_NOTICE, "Exiting."); - + return cci_check_error (err); } @@ -93,6 +93,6 @@ cc_int32 ccs_os_server_listen_loop (int argc, const char *argv[]) cc_int32 ccs_os_server_send_reply (ccs_pipe_t in_reply_pipe, k5_ipc_stream in_reply_stream) { - return cci_check_error (k5_ipc_server_send_reply (in_reply_pipe, + return cci_check_error (k5_ipc_server_send_reply (in_reply_pipe, in_reply_stream)); } diff --git a/src/ccapi/server/win/ccs_os_pipe.c b/src/ccapi/server/win/ccs_os_pipe.c index 95af378e7..4573fa5e9 100644 --- a/src/ccapi/server/win/ccs_os_pipe.c +++ b/src/ccapi/server/win/ccs_os_pipe.c @@ -31,7 +31,7 @@ /* ------------------------------------------------------------------------ */ /* On Windows, a pipe is a struct. See ccs_win_pipe.h for details. */ - + /* ------------------------------------------------------------------------ */ @@ -43,7 +43,7 @@ cc_int32 ccs_os_pipe_valid (ccs_pipe_t in_pipe) { cc_int32 ccs_os_pipe_copy (ccs_pipe_t* out_pipe, ccs_pipe_t in_pipe) { return ccs_win_pipe_copy( - out_pipe, + out_pipe, in_pipe); } @@ -61,4 +61,3 @@ cc_int32 ccs_os_pipe_compare (ccs_pipe_t pipe_1, return ccs_win_pipe_compare(pipe_1, pipe_2, out_equal); } - diff --git a/src/ccapi/server/win/ccs_request_proc.c b/src/ccapi/server/win/ccs_request_proc.c index 8421b7224..00a8f032d 100644 --- a/src/ccapi/server/win/ccs_request_proc.c +++ b/src/ccapi/server/win/ccs_request_proc.c @@ -50,8 +50,8 @@ void ccs_rpc_request( cci_debug_printf("%s rpcmsg:%d; UUID:<%s> SST:<%s>", __FUNCTION__, rpcmsg, pszUUID, serverStartTime); #endif status = (rpcmsg != CCMSG_REQUEST) && (rpcmsg != CCMSG_PING); - - if (!status) { + + if (!status) { status = krb5int_ipc_stream_new (&stream); /* Create a stream for the request data */ } @@ -59,7 +59,7 @@ void ccs_rpc_request( status = krb5int_ipc_stream_write (stream, pbRequest, lenRequest); } - pipe = ccs_win_pipe_new(pszUUID, *p); + pipe = ccs_win_pipe_new(pszUUID, *p); worklist_add(rpcmsg, pipe, stream, serverStartTime); *return_status = status; } @@ -76,7 +76,7 @@ void ccs_rpc_connect( #if 0 cci_debug_printf("%s; rpcmsg:%d; UUID: <%s>", __FUNCTION__, rpcmsg, pszUUID); #endif - worklist_add( rpcmsg, + worklist_add( rpcmsg, pipe, NULL, /* No payload with connect request */ (const time_t)0 ); /* No server session number with connect request */ diff --git a/src/ccapi/server/win/ccs_win_pipe.c b/src/ccapi/server/win/ccs_win_pipe.c index 4ef807dd5..243f8f222 100644 --- a/src/ccapi/server/win/ccs_win_pipe.c +++ b/src/ccapi/server/win/ccs_win_pipe.c @@ -55,7 +55,7 @@ struct ccs_win_pipe_t* ccs_win_pipe_new (const char* uuid, const HANDLE h) { if (!uuidCopy) {err = cci_check_error(ccErrBadParam);} strcpy(uuidCopy, uuid); } - + if (!err) { out_pipe = (struct ccs_win_pipe_t*)malloc(sizeof(struct ccs_win_pipe_t)); if (!out_pipe) {err = cci_check_error(ccErrBadParam);} @@ -70,10 +70,10 @@ struct ccs_win_pipe_t* ccs_win_pipe_new (const char* uuid, const HANDLE h) { /* ------------------------------------------------------------------------ */ -cc_int32 ccs_win_pipe_copy (WIN_PIPE** out_pipe, +cc_int32 ccs_win_pipe_copy (WIN_PIPE** out_pipe, const WIN_PIPE* in_pipe) { - *out_pipe = + *out_pipe = ccs_win_pipe_new( ccs_win_pipe_getUuid (in_pipe), ccs_win_pipe_getHandle(in_pipe) ); diff --git a/src/ccapi/server/win/ccs_win_pipe.h b/src/ccapi/server/win/ccs_win_pipe.h index 3600d12af..c489aafd2 100644 --- a/src/ccapi/server/win/ccs_win_pipe.h +++ b/src/ccapi/server/win/ccs_win_pipe.h @@ -33,16 +33,16 @@ /* ------------------------------------------------------------------------ */ -/* On Windows, a pipe is a struct containing a UUID and a handle. Both the - UUID and handle are supplied by the client. - - The UUID is used to build the client's reply endpoint. - +/* On Windows, a pipe is a struct containing a UUID and a handle. Both the + UUID and handle are supplied by the client. + + The UUID is used to build the client's reply endpoint. + The handle is to the requesting client thread's thread local storage struct, so that the client's one and only reply handler can put reply data where the requesting thread will be able to see it. */ - + struct ccs_win_pipe_t { char* uuid; HANDLE clientHandle; @@ -58,7 +58,7 @@ cc_int32 ccs_win_pipe_compare (const WIN_PIPE* win_pipe_1, const WIN_PIPE* win_pipe_2, cc_uint32 *out_equal); -cc_int32 ccs_win_pipe_copy (WIN_PIPE** out_pipe, +cc_int32 ccs_win_pipe_copy (WIN_PIPE** out_pipe, const WIN_PIPE* in_pipe); cc_int32 ccs_win_pipe_valid (const WIN_PIPE* in_pipe); @@ -66,4 +66,4 @@ cc_int32 ccs_win_pipe_valid (const WIN_PIPE* in_pipe); char* ccs_win_pipe_getUuid (const WIN_PIPE* in_pipe); HANDLE ccs_win_pipe_getHandle (const WIN_PIPE* in_pipe); -#endif // _ccs_win_pipe_h_ \ No newline at end of file +#endif // _ccs_win_pipe_h_ diff --git a/src/ccapi/server/win/workitem.h b/src/ccapi/server/win/workitem.h index 9829f8500..1d3df155c 100644 --- a/src/ccapi/server/win/workitem.h +++ b/src/ccapi/server/win/workitem.h @@ -15,9 +15,9 @@ private: const long _rpcmsg; const long _sst; public: - WorkItem( k5_ipc_stream buf, - WIN_PIPE* pipe, - const long type, + WorkItem( k5_ipc_stream buf, + WIN_PIPE* pipe, + const long type, const long serverStartTime); WorkItem( const WorkItem&); WorkItem(); diff --git a/src/ccapi/test/main.c b/src/ccapi/test/main.c index d48601003..2ace96783 100644 --- a/src/ccapi/test/main.c +++ b/src/ccapi/test/main.c @@ -11,16 +11,16 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; // cc_ccache_iterator_t cache_iterator = NULL; // cc_credentials_iterator_t cred_iterator = NULL; - + fprintf(stdout, "Testing CCAPI against CCAPI v3 rev 8 documentation...\n"); fprintf(stdout, "Warning: this test suite is woefully incomplete and unpolished.\n"); - + T_CCAPI_INIT; - + // *** ccapi v2 compat *** err = check_cc_shutdown(); err = check_cc_get_change_time(); @@ -39,9 +39,9 @@ int main (int argc, const char * argv[]) { err = check_cc_seq_fetch_creds_begin(); err = check_cc_seq_fetch_creds_next(); err = check_cc_get_NC_info(); - + err = check_constants(); - + // *** cc_context *** err = check_cc_initialize(); err = check_cc_context_release(); @@ -56,7 +56,7 @@ int main (int argc, const char * argv[]) { // err = check_cc_context_lock(); // err = check_cc_context_unlock(); err = check_cc_context_compare(); - + // *** cc_ccache *** err = check_cc_ccache_release(); err = check_cc_ccache_destroy(); @@ -77,14 +77,14 @@ int main (int argc, const char * argv[]) { err = check_cc_ccache_get_kdc_time_offset(); err = check_cc_ccache_set_kdc_time_offset(); err = check_cc_ccache_clear_kdc_time_offset(); - + // *** cc_ccache_iterator *** err = check_cc_ccache_iterator_next(); - + // *** cc_credentials_iterator *** err = check_cc_credentials_iterator_next(); - + fprintf(stdout, "\nFinished testing CCAPI. %d failure%s in total.\n", total_failure_count, (total_failure_count == 1) ? "" : "s"); - + return err; } diff --git a/src/ccapi/test/pingtest.c b/src/ccapi/test/pingtest.c index 637f8ab18..d64db2e4b 100644 --- a/src/ccapi/test/pingtest.c +++ b/src/ccapi/test/pingtest.c @@ -30,9 +30,9 @@ RPC_STATUS send_test(char* endpoint) { unsigned char* pszNetworkAddress = NULL; unsigned char* pszOptions = NULL; unsigned char* pszStringBinding = NULL; - unsigned char* pszUuid = NULL; + unsigned char* pszUuid = NULL; RPC_STATUS status; - + status = RpcStringBindingCompose(pszUuid, (RPC_CSTR)"ncalrpc", pszNetworkAddress, @@ -73,7 +73,7 @@ int main( int argc, char *argv[]) { char* message = "Hello, RPC!"; - if ((dwTlsIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) return FALSE; + if ((dwTlsIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) return FALSE; // send_test("krbcc.229026.0.ep"); @@ -90,14 +90,14 @@ int main( int argc, char *argv[]) { } if (!err) { - err = cci_os_ipc_msg(TRUE, send_stream, CCMSG_PING, &reply_stream); + err = cci_os_ipc_msg(TRUE, send_stream, CCMSG_PING, &reply_stream); } Sleep(10*1000); cci_debug_printf("Try finishing async call."); Sleep(INFINITE); cci_debug_printf("main: return. err == %d", err); - + return 0; } diff --git a/src/ccapi/test/simple_lock_test.c b/src/ccapi/test/simple_lock_test.c index 418d56ad0..8961d9999 100644 --- a/src/ccapi/test/simple_lock_test.c +++ b/src/ccapi/test/simple_lock_test.c @@ -1,6 +1,6 @@ /* simple_lock_test.c - + Initializes two contexts in two different threads and tries to get read locks on both at the same time. Hangs at line 24. */ @@ -25,7 +25,7 @@ void *other_thread (void) { cc_int32 err; cc_context_t context = NULL; - + err = cc_initialize(&context, ccapi_version_7, NULL, NULL); log_error("thread: attempting lock. may hang. err == %d", err); @@ -57,7 +57,7 @@ int main (int argc, char *argv[]) { if (!err) { err = cc_context_lock(context, cc_lock_read, cc_lock_noblock); } - + log_error("main: initialized and read locked context. err == %d", err); #ifdef TARGET_OS_MAC @@ -71,9 +71,9 @@ int main (int argc, char *argv[]) { #else #endif - + log_error("main: unlocking and releasing context. err == %d", err); - + if (context) { log_error("main: calling cc_context_unlock"); cc_context_unlock(context); @@ -83,7 +83,7 @@ int main (int argc, char *argv[]) { } log_error("main: return. err == %d", err); - + #if defined(_WIN32) UNREFERENCED_PARAMETER(status); // no whining! #endif diff --git a/src/ccapi/test/test_cc_ccache_compare.c b/src/ccapi/test/test_cc_ccache_compare.c index 6034a341d..96aaa56c7 100644 --- a/src/ccapi/test/test_cc_ccache_compare.c +++ b/src/ccapi/test/test_cc_ccache_compare.c @@ -7,7 +7,7 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_compare(); diff --git a/src/ccapi/test/test_cc_ccache_destroy.c b/src/ccapi/test/test_cc_ccache_destroy.c index 2b56f10c0..95c417ca5 100644 --- a/src/ccapi/test/test_cc_ccache_destroy.c +++ b/src/ccapi/test/test_cc_ccache_destroy.c @@ -7,7 +7,7 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_destroy(); diff --git a/src/ccapi/test/test_cc_ccache_get_change_time.c b/src/ccapi/test/test_cc_ccache_get_change_time.c index 323c66fe9..a515d5bdc 100644 --- a/src/ccapi/test/test_cc_ccache_get_change_time.c +++ b/src/ccapi/test/test_cc_ccache_get_change_time.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_get_change_time(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_get_credentials_version.c b/src/ccapi/test/test_cc_ccache_get_credentials_version.c index 7f3e71461..f5df7c078 100644 --- a/src/ccapi/test/test_cc_ccache_get_credentials_version.c +++ b/src/ccapi/test/test_cc_ccache_get_credentials_version.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_get_credentials_version(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_get_kdc_time_offset.c b/src/ccapi/test/test_cc_ccache_get_kdc_time_offset.c index 871342a10..13e61165c 100644 --- a/src/ccapi/test/test_cc_ccache_get_kdc_time_offset.c +++ b/src/ccapi/test/test_cc_ccache_get_kdc_time_offset.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_get_kdc_time_offset(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_get_last_default_time.c b/src/ccapi/test/test_cc_ccache_get_last_default_time.c index a820d1385..4de22e4a0 100644 --- a/src/ccapi/test/test_cc_ccache_get_last_default_time.c +++ b/src/ccapi/test/test_cc_ccache_get_last_default_time.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_get_last_default_time(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_get_name.c b/src/ccapi/test/test_cc_ccache_get_name.c index 77e525a31..f6649974f 100644 --- a/src/ccapi/test/test_cc_ccache_get_name.c +++ b/src/ccapi/test/test_cc_ccache_get_name.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_get_name(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_get_principal.c b/src/ccapi/test/test_cc_ccache_get_principal.c index 8e110ed01..05d7c4349 100644 --- a/src/ccapi/test/test_cc_ccache_get_principal.c +++ b/src/ccapi/test/test_cc_ccache_get_principal.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_get_principal(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_iterator_next.c b/src/ccapi/test/test_cc_ccache_iterator_next.c index ec81103d8..945a98d26 100644 --- a/src/ccapi/test/test_cc_ccache_iterator_next.c +++ b/src/ccapi/test/test_cc_ccache_iterator_next.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_iterator_next(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_move.c b/src/ccapi/test/test_cc_ccache_move.c index 37793181f..880198c89 100644 --- a/src/ccapi/test/test_cc_ccache_move.c +++ b/src/ccapi/test/test_cc_ccache_move.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_move(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_new_credentials_iterator.c b/src/ccapi/test/test_cc_ccache_new_credentials_iterator.c index cd18693d4..1338e832a 100644 --- a/src/ccapi/test/test_cc_ccache_new_credentials_iterator.c +++ b/src/ccapi/test/test_cc_ccache_new_credentials_iterator.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_new_credentials_iterator(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_release.c b/src/ccapi/test/test_cc_ccache_release.c index 4a8e685bd..75d604c91 100644 --- a/src/ccapi/test/test_cc_ccache_release.c +++ b/src/ccapi/test/test_cc_ccache_release.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_release(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_remove_credentials.c b/src/ccapi/test/test_cc_ccache_remove_credentials.c index c13a618ef..679da85c5 100644 --- a/src/ccapi/test/test_cc_ccache_remove_credentials.c +++ b/src/ccapi/test/test_cc_ccache_remove_credentials.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_remove_credentials(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_set_default.c b/src/ccapi/test/test_cc_ccache_set_default.c index 6adf3e977..71bba2a46 100644 --- a/src/ccapi/test/test_cc_ccache_set_default.c +++ b/src/ccapi/test/test_cc_ccache_set_default.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_set_default(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_set_kdc_time_offset.c b/src/ccapi/test/test_cc_ccache_set_kdc_time_offset.c index e15f246e9..b8b21e987 100644 --- a/src/ccapi/test/test_cc_ccache_set_kdc_time_offset.c +++ b/src/ccapi/test/test_cc_ccache_set_kdc_time_offset.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_set_kdc_time_offset(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_set_principal.c b/src/ccapi/test/test_cc_ccache_set_principal.c index 4cc453402..ec55acd71 100644 --- a/src/ccapi/test/test_cc_ccache_set_principal.c +++ b/src/ccapi/test/test_cc_ccache_set_principal.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_set_principal(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_ccache_store_credentials.c b/src/ccapi/test/test_cc_ccache_store_credentials.c index 53a6564c7..c52125bdb 100644 --- a/src/ccapi/test/test_cc_ccache_store_credentials.c +++ b/src/ccapi/test/test_cc_ccache_store_credentials.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_ccache_store_credentials(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_close.c b/src/ccapi/test/test_cc_close.c index b3a5bc2ef..b6bc3afaa 100644 --- a/src/ccapi/test/test_cc_close.c +++ b/src/ccapi/test/test_cc_close.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_close(); diff --git a/src/ccapi/test/test_cc_context_compare.c b/src/ccapi/test/test_cc_context_compare.c index 9b2626a5d..f4965af3a 100644 --- a/src/ccapi/test/test_cc_context_compare.c +++ b/src/ccapi/test/test_cc_context_compare.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_compare(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_create_ccache.c b/src/ccapi/test/test_cc_context_create_ccache.c index a616e1cab..c94294513 100644 --- a/src/ccapi/test/test_cc_context_create_ccache.c +++ b/src/ccapi/test/test_cc_context_create_ccache.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_create_ccache(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_create_default_ccache.c b/src/ccapi/test/test_cc_context_create_default_ccache.c index aaad4ab57..c3fb4054e 100644 --- a/src/ccapi/test/test_cc_context_create_default_ccache.c +++ b/src/ccapi/test/test_cc_context_create_default_ccache.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_create_default_ccache(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_create_new_ccache.c b/src/ccapi/test/test_cc_context_create_new_ccache.c index c77d931ff..d89fa4f3f 100644 --- a/src/ccapi/test/test_cc_context_create_new_ccache.c +++ b/src/ccapi/test/test_cc_context_create_new_ccache.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_create_new_ccache(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_get_change_time.c b/src/ccapi/test/test_cc_context_get_change_time.c index f98b2ce64..ad5c0a346 100644 --- a/src/ccapi/test/test_cc_context_get_change_time.c +++ b/src/ccapi/test/test_cc_context_get_change_time.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_get_change_time(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_get_default_ccache_name.c b/src/ccapi/test/test_cc_context_get_default_ccache_name.c index ffa8c2cbf..06fff955f 100644 --- a/src/ccapi/test/test_cc_context_get_default_ccache_name.c +++ b/src/ccapi/test/test_cc_context_get_default_ccache_name.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_get_default_ccache_name(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_new_ccache_iterator.c b/src/ccapi/test/test_cc_context_new_ccache_iterator.c index b7885de64..82209854a 100644 --- a/src/ccapi/test/test_cc_context_new_ccache_iterator.c +++ b/src/ccapi/test/test_cc_context_new_ccache_iterator.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_new_ccache_iterator(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_open_ccache.c b/src/ccapi/test/test_cc_context_open_ccache.c index 8e7e825b9..461d8df63 100644 --- a/src/ccapi/test/test_cc_context_open_ccache.c +++ b/src/ccapi/test/test_cc_context_open_ccache.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_open_ccache(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_open_default_ccache.c b/src/ccapi/test/test_cc_context_open_default_ccache.c index e6e72fa62..09c6b7c39 100644 --- a/src/ccapi/test/test_cc_context_open_default_ccache.c +++ b/src/ccapi/test/test_cc_context_open_default_ccache.c @@ -7,10 +7,9 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_open_default_ccache(); return err; } - \ No newline at end of file diff --git a/src/ccapi/test/test_cc_context_release.c b/src/ccapi/test/test_cc_context_release.c index 5510ab961..03faf233d 100644 --- a/src/ccapi/test/test_cc_context_release.c +++ b/src/ccapi/test/test_cc_context_release.c @@ -7,7 +7,7 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_context_release(); diff --git a/src/ccapi/test/test_cc_create.c b/src/ccapi/test/test_cc_create.c index d591d47be..a21c44334 100644 --- a/src/ccapi/test/test_cc_create.c +++ b/src/ccapi/test/test_cc_create.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_create(); diff --git a/src/ccapi/test/test_cc_credentials_iterator_next.c b/src/ccapi/test/test_cc_credentials_iterator_next.c index 5ae961154..beed791b8 100644 --- a/src/ccapi/test/test_cc_credentials_iterator_next.c +++ b/src/ccapi/test/test_cc_credentials_iterator_next.c @@ -7,7 +7,7 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_credentials_iterator_next(); diff --git a/src/ccapi/test/test_cc_destroy.c b/src/ccapi/test/test_cc_destroy.c index 13eae7b00..e55a83788 100644 --- a/src/ccapi/test/test_cc_destroy.c +++ b/src/ccapi/test/test_cc_destroy.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_destroy(); diff --git a/src/ccapi/test/test_cc_get_NC_info.c b/src/ccapi/test/test_cc_get_NC_info.c index fe72cbe35..6b8eb3748 100644 --- a/src/ccapi/test/test_cc_get_NC_info.c +++ b/src/ccapi/test/test_cc_get_NC_info.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_get_NC_info(); diff --git a/src/ccapi/test/test_cc_get_change_time.c b/src/ccapi/test/test_cc_get_change_time.c index 8b031c1a3..d2058fec5 100644 --- a/src/ccapi/test/test_cc_get_change_time.c +++ b/src/ccapi/test/test_cc_get_change_time.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_get_change_time(); diff --git a/src/ccapi/test/test_cc_get_cred_version.c b/src/ccapi/test/test_cc_get_cred_version.c index 865abf00f..1ff86781e 100644 --- a/src/ccapi/test/test_cc_get_cred_version.c +++ b/src/ccapi/test/test_cc_get_cred_version.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_get_cred_version(); diff --git a/src/ccapi/test/test_cc_get_name.c b/src/ccapi/test/test_cc_get_name.c index b4efa40fc..5b6e1462a 100644 --- a/src/ccapi/test/test_cc_get_name.c +++ b/src/ccapi/test/test_cc_get_name.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_get_name(); diff --git a/src/ccapi/test/test_cc_get_principal.c b/src/ccapi/test/test_cc_get_principal.c index f0078561d..a809e5d12 100644 --- a/src/ccapi/test/test_cc_get_principal.c +++ b/src/ccapi/test/test_cc_get_principal.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_get_principal(); diff --git a/src/ccapi/test/test_cc_initialize.c b/src/ccapi/test/test_cc_initialize.c index bf2fcdc26..1669a29a3 100644 --- a/src/ccapi/test/test_cc_initialize.c +++ b/src/ccapi/test/test_cc_initialize.c @@ -7,7 +7,7 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_initialize(); diff --git a/src/ccapi/test/test_cc_open.c b/src/ccapi/test/test_cc_open.c index d3253d8a3..83bb60201 100644 --- a/src/ccapi/test/test_cc_open.c +++ b/src/ccapi/test/test_cc_open.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_open(); diff --git a/src/ccapi/test/test_cc_remove_cred.c b/src/ccapi/test/test_cc_remove_cred.c index 121ad1b52..6f841bbc0 100644 --- a/src/ccapi/test/test_cc_remove_cred.c +++ b/src/ccapi/test/test_cc_remove_cred.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_remove_cred(); diff --git a/src/ccapi/test/test_cc_seq_fetch_NCs_begin.c b/src/ccapi/test/test_cc_seq_fetch_NCs_begin.c index 0d08e9151..329ca26ed 100644 --- a/src/ccapi/test/test_cc_seq_fetch_NCs_begin.c +++ b/src/ccapi/test/test_cc_seq_fetch_NCs_begin.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_seq_fetch_NCs_begin(); diff --git a/src/ccapi/test/test_cc_seq_fetch_NCs_next.c b/src/ccapi/test/test_cc_seq_fetch_NCs_next.c index c941fd4fe..31b5ac07c 100644 --- a/src/ccapi/test/test_cc_seq_fetch_NCs_next.c +++ b/src/ccapi/test/test_cc_seq_fetch_NCs_next.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_seq_fetch_NCs_next(); diff --git a/src/ccapi/test/test_cc_seq_fetch_creds_begin.c b/src/ccapi/test/test_cc_seq_fetch_creds_begin.c index 16c0a72cb..5bb5e9164 100644 --- a/src/ccapi/test/test_cc_seq_fetch_creds_begin.c +++ b/src/ccapi/test/test_cc_seq_fetch_creds_begin.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_seq_fetch_creds_begin(); diff --git a/src/ccapi/test/test_cc_seq_fetch_creds_next.c b/src/ccapi/test/test_cc_seq_fetch_creds_next.c index eaaf451c4..83528b30e 100644 --- a/src/ccapi/test/test_cc_seq_fetch_creds_next.c +++ b/src/ccapi/test/test_cc_seq_fetch_creds_next.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_seq_fetch_creds_next(); diff --git a/src/ccapi/test/test_cc_set_principal.c b/src/ccapi/test/test_cc_set_principal.c index bfe9162bf..04b55df9e 100644 --- a/src/ccapi/test/test_cc_set_principal.c +++ b/src/ccapi/test/test_cc_set_principal.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_set_principal(); diff --git a/src/ccapi/test/test_cc_shutdown.c b/src/ccapi/test/test_cc_shutdown.c index 31c3d7c57..8756ca9f3 100644 --- a/src/ccapi/test/test_cc_shutdown.c +++ b/src/ccapi/test/test_cc_shutdown.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_shutdown(); diff --git a/src/ccapi/test/test_cc_store.c b/src/ccapi/test/test_cc_store.c index 7edc77715..507b36120 100644 --- a/src/ccapi/test/test_cc_store.c +++ b/src/ccapi/test/test_cc_store.c @@ -6,7 +6,7 @@ #include "test_ccapi_v2.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_cc_store(); diff --git a/src/ccapi/test/test_ccapi_ccache.c b/src/ccapi/test/test_ccapi_ccache.c index 64a70e3c2..a0fd84af1 100644 --- a/src/ccapi/test/test_ccapi_ccache.c +++ b/src/ccapi/test/test_ccapi_ccache.c @@ -1,4 +1,3 @@ - #include #include #include @@ -15,69 +14,69 @@ int check_cc_ccache_release(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_release"); - + #ifndef cc_ccache_release log_error("cc_ccache_release is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); } - - - + + + if (!err) { check_once_cc_ccache_release(context, ccache, ccNoError, NULL); ccache = NULL; } - + if (context) { cc_context_release(context); } - + #endif /* cc_ccache_release */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_release(cc_context_t context, cc_ccache_t ccache, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; - + cc_int32 possible_return_values[2] = { - ccNoError, - ccErrInvalidCCache, + ccNoError, + ccErrInvalidCCache, }; cc_string_t name = NULL; - + err = cc_ccache_get_name(ccache, &name); err = cc_ccache_release(ccache); ccache = NULL; - + BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_release - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err && name) { // try opening released ccache to make sure it still exists err = cc_context_open_ccache(context, name->data, &ccache); } check_if(err == ccErrCCacheNotFound, "released ccache was actually destroyed instead"); - + if (ccache) { cc_ccache_destroy(ccache); } if (name) { cc_string_release(name); } - + #endif /* cc_ccache_release */ - + END_CHECK_ONCE; - + return err; } @@ -89,69 +88,69 @@ int check_cc_ccache_destroy(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_destroy"); - + #ifndef cc_ccache_destroy log_error("cc_ccache_destroy is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); } - - - + + + if (!err) { check_once_cc_ccache_destroy(context, ccache, ccNoError, NULL); ccache = NULL; } - + if (context) { cc_context_release(context); } - + #endif /* cc_ccache_destroy */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_destroy(cc_context_t context, cc_ccache_t ccache, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; - + cc_int32 possible_return_values[2] = { - ccNoError, - ccErrInvalidCCache, + ccNoError, + ccErrInvalidCCache, }; cc_string_t name = NULL; - + BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_destroy - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_get_name(ccache, &name); err = cc_ccache_destroy(ccache); ccache = NULL; - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err && name) { // try opening released ccache to make sure it still exists err = cc_context_open_ccache(context, name->data, &ccache); } check_if(err != ccErrCCacheNotFound, "destroyed ccache was actually released instead"); - + if (ccache) { cc_ccache_destroy(ccache); } if (name) { cc_string_release(name); } - + #endif /* cc_ccache_destroy */ - + END_CHECK_ONCE; - + return err; } @@ -163,16 +162,16 @@ int check_cc_ccache_set_default(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_set_default"); - + #ifndef cc_ccache_set_default log_error("cc_ccache_set_default is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + // try when it's the only ccache (already default) if (!err) { err = destroy_all_ccaches(context); @@ -187,7 +186,7 @@ int check_cc_ccache_set_default(void) { err = cc_ccache_release(ccache); ccache = NULL; } - + // try when it's not the only ccache (and not default) if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "baz@BAR.ORG", &ccache); @@ -199,8 +198,8 @@ int check_cc_ccache_set_default(void) { err = cc_ccache_release(ccache); ccache = NULL; } - - // try when it's not the only ccache (and already default) + + // try when it's not the only ccache (and already default) if (!err) { err = cc_context_open_default_ccache(context, &ccache); } @@ -211,41 +210,41 @@ int check_cc_ccache_set_default(void) { err = cc_ccache_release(ccache); ccache = NULL; } - + if (!err) { err = destroy_all_ccaches(context); } - + if (context) { cc_context_release(context); } - + #endif /* cc_ccache_set_default */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_set_default(cc_context_t context, cc_ccache_t ccache, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; - + cc_int32 possible_return_values[3] = { - ccNoError, - ccErrInvalidCCache, - ccErrCCacheNotFound, + ccNoError, + ccErrInvalidCCache, + ccErrCCacheNotFound, }; cc_ccache_t default_ccache = NULL; cc_string_t name = NULL; cc_string_t default_name = NULL; - + BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_set_default - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_set_default(ccache); // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { err = cc_ccache_get_name(ccache, &name); } @@ -261,16 +260,16 @@ cc_int32 check_once_cc_ccache_set_default(cc_context_t context, cc_ccache_t ccac else { check_if(1, "cc_ccache_get_name failed"); } - + if (default_ccache) { cc_ccache_release(default_ccache); } //if (ccache) { cc_ccache_destroy(ccache); } // ccache is released by the caller if (default_name) { cc_string_release(default_name); } if (name) { cc_string_release(name); } - + #endif /* cc_ccache_set_default */ - + END_CHECK_ONCE; - + return err; } @@ -282,16 +281,16 @@ int check_cc_ccache_get_credentials_version(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_get_credentials_version"); - + #ifndef cc_ccache_get_credentials_version log_error("cc_ccache_get_credentials_version is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + // try one created with v5 creds if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); @@ -303,7 +302,7 @@ int check_cc_ccache_get_credentials_version(void) { log_error("cc_context_create_new_ccache failed, can't complete test"); failure_count++; } - + // try it with added v4 creds if (!err) { err = cc_ccache_set_principal(ccache, cc_credentials_v4, "foo@BAR.ORG"); @@ -315,14 +314,14 @@ int check_cc_ccache_get_credentials_version(void) { log_error("cc_ccache_set_principal failed, can't complete test"); failure_count++; } - + if (ccache) { cc_ccache_destroy(ccache); ccache = NULL; } - + err = ccNoError; - + // try one created with v4 creds if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAR.ORG", &ccache); @@ -334,62 +333,62 @@ int check_cc_ccache_get_credentials_version(void) { log_error("cc_context_create_new_ccache failed, can't complete test"); failure_count++; } - + // try it with added v5 creds if (!err) { err = cc_ccache_set_principal(ccache, cc_credentials_v5, "foo@BAR.ORG"); } if (!err) { check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v4 with v5 creds added"); - } + } else { log_error("cc_ccache_set_principal failed, can't complete test"); failure_count++; } - + if (ccache) { cc_ccache_destroy(ccache); ccache = NULL; } - + if (context) { cc_context_release(context); } - + #endif /* cc_ccache_get_credentials_version */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_get_credentials_version(cc_ccache_t ccache, cc_uint32 expected_cred_vers, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; - + cc_int32 possible_return_values[4] = { - ccNoError, - ccErrInvalidCCache, - ccErrBadParam, - ccErrCCacheNotFound, + ccNoError, + ccErrInvalidCCache, + ccErrBadParam, + ccErrCCacheNotFound, }; cc_uint32 stored_cred_vers = 0; - + BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_get_credentials_version - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_get_credentials_version(ccache, &stored_cred_vers); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(stored_cred_vers != expected_cred_vers, NULL); } - + #endif /* cc_ccache_get_credentials_version */ - + END_CHECK_ONCE; - + return err; } @@ -401,20 +400,20 @@ int check_cc_ccache_get_name(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_get_name"); - + #ifndef cc_ccache_get_name log_error("cc_ccache_get_name is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // try with unique ccache (which happens to be default) if (!err) { err = cc_context_create_ccache(context, "0", cc_credentials_v5, "foo@BAR.ORG", &ccache); @@ -425,12 +424,12 @@ int check_cc_ccache_get_name(void) { else { log_error("cc_context_create_ccache failed, can't complete test"); failure_count++; - } + } if (ccache) { cc_ccache_release(ccache); ccache = NULL; } - + // try with unique ccache (which is not default) if (!err) { err = cc_context_create_ccache(context, "1", cc_credentials_v5, "foo@BAR.ORG", &ccache); @@ -442,7 +441,7 @@ int check_cc_ccache_get_name(void) { log_error("cc_context_create_ccache failed, can't complete test"); failure_count++; } - + // try with bad param if (!err) { check_once_cc_ccache_get_name(ccache, NULL, ccErrBadParam, "NULL param"); @@ -451,104 +450,104 @@ int check_cc_ccache_get_name(void) { cc_ccache_release(ccache); ccache = NULL; } - - if (context) { + + if (context) { err = destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_get_name */ - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_get_name(cc_ccache_t ccache, const char *expected_name, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; - + cc_int32 possible_return_values[4] = { - ccNoError, - ccErrInvalidCCache, - ccErrBadParam, - ccErrCCacheNotFound, + ccNoError, + ccErrInvalidCCache, + ccErrBadParam, + ccErrCCacheNotFound, }; cc_string_t stored_name = NULL; - + BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_get_name - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (expected_name == NULL) { // we want to try with a NULL param err = cc_ccache_get_name(ccache, NULL); } else { err = cc_ccache_get_name(ccache, &stored_name); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(strcmp(stored_name->data, expected_name), NULL); } - + if (stored_name) { cc_string_release(stored_name); } - + #endif /* cc_ccache_get_name */ - + END_CHECK_ONCE; - + return err; } // --------------------------------------------------------------------------- -cc_int32 check_once_cc_ccache_get_principal(cc_ccache_t ccache, - cc_uint32 cred_vers, - const char *expected_principal, - cc_int32 expected_err, +cc_int32 check_once_cc_ccache_get_principal(cc_ccache_t ccache, + cc_uint32 cred_vers, + const char *expected_principal, + cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_string_t stored_principal = NULL; - + cc_int32 possible_return_values[6] = { - ccNoError, - ccErrNoMem, - ccErrBadCredentialsVersion, - ccErrBadParam, - ccErrInvalidCCache, - ccErrCCacheNotFound, + ccNoError, + ccErrNoMem, + ccErrBadCredentialsVersion, + ccErrBadParam, + ccErrInvalidCCache, + ccErrCCacheNotFound, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_get_principal - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (expected_principal == NULL) { // we want to try with a NULL param err = cc_ccache_get_principal(ccache, cred_vers, NULL); } else { err = cc_ccache_get_principal(ccache, cred_vers, &stored_principal); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(strcmp(stored_principal->data, expected_principal), "expected princ == \"%s\" stored princ == \"%s\"", expected_principal, stored_principal->data); } - + if (stored_principal) { cc_string_release(stored_principal); } - + #endif /* cc_ccache_get_principal */ - + END_CHECK_ONCE; - + return err; } @@ -558,20 +557,20 @@ int check_cc_ccache_get_principal(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_get_principal"); - + #ifndef cc_ccache_get_principal log_error("cc_ccache_get_principal is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // try with krb5 principal if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo/BAR@BAZ.ORG", &ccache); @@ -587,7 +586,7 @@ int check_cc_ccache_get_principal(void) { cc_ccache_release(ccache); ccache = NULL; } - + // try with krb4 principal if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo.BAR@BAZ.ORG", &ccache); @@ -599,29 +598,29 @@ int check_cc_ccache_get_principal(void) { log_error("cc_context_create_new_ccache failed, can't complete test"); failure_count++; } - + // try with bad param if (!err) { // cc_ccache_t doesn't have any concept of the difference between a v4 and v5 principal - check_once_cc_ccache_get_principal(ccache, cc_credentials_v4_v5, "foo.BAR@BAZ.ORG", + check_once_cc_ccache_get_principal(ccache, cc_credentials_v4_v5, "foo.BAR@BAZ.ORG", ccErrBadCredentialsVersion, "passing cc_credentials_v4_v5 (shouldn't be allowed)"); check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "passed null out param"); } - + if (ccache) { cc_ccache_release(ccache); ccache = NULL; } - - if (context) { + + if (context) { err = destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_get_principal */ - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } // --------------------------------------------------------------------------- @@ -630,20 +629,20 @@ int check_cc_ccache_set_principal(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_set_principal"); - + #ifndef cc_ccache_set_principal log_error("cc_ccache_set_principal is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // bad params if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); @@ -660,7 +659,7 @@ int check_cc_ccache_set_principal(void) { cc_ccache_destroy(ccache); ccache = NULL; } - + // empty ccache @@ -679,7 +678,7 @@ int check_cc_ccache_set_principal(void) { cc_ccache_destroy(ccache); ccache = NULL; } - + // add v4 principal to v5 only ccache if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); @@ -711,7 +710,7 @@ int check_cc_ccache_set_principal(void) { cc_ccache_destroy(ccache); ccache = NULL; } - + // add v5 principal to v4 only ccache if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache); @@ -727,66 +726,66 @@ int check_cc_ccache_set_principal(void) { cc_ccache_destroy(ccache); ccache = NULL; } - + // with credentials - + // replace v5 only ccache's principal - + // add v4 principal to v5 only ccache // replace v4 only ccache's principal - + // add v5 principal to v4 only ccache - - if (context) { + + if (context) { err = destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_set_principal */ - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_set_principal(cc_ccache_t ccache, cc_uint32 cred_vers, const char *in_principal, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_string_t stored_principal = NULL; - + cc_int32 possible_return_values[6] = { - ccNoError, - ccErrNoMem, - ccErrInvalidCCache, - ccErrBadCredentialsVersion, - ccErrBadParam, - ccErrCCacheNotFound, + ccNoError, + ccErrNoMem, + ccErrInvalidCCache, + ccErrBadCredentialsVersion, + ccErrBadParam, + ccErrCCacheNotFound, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_set_principal - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_set_principal(ccache, cred_vers, in_principal); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { err = cc_ccache_get_principal(ccache, cred_vers, &stored_principal); } - + // compare stored with input if (!err) { check_if(strcmp(stored_principal->data, in_principal), "expected princ == \"%s\" stored princ == \"%s\"", in_principal, stored_principal->data); } - + if (stored_principal) { cc_string_release(stored_principal); } - + #endif /* cc_ccache_set_principal */ - + END_CHECK_ONCE; - + return err; } @@ -801,20 +800,20 @@ int check_cc_ccache_store_credentials(void) { cc_ccache_t dup_ccache = NULL; cc_credentials_union creds_union; cc_string_t name = NULL; - + BEGIN_TEST("cc_ccache_store_credentials"); - + #ifndef cc_ccache_store_credentials log_error("cc_ccache_store_credentials is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); } @@ -823,21 +822,21 @@ int check_cc_ccache_store_credentials(void) { if (!err) { err = new_v5_creds_union(&creds_union, "BAR.ORG"); } - + if (!err) { check_once_cc_ccache_store_credentials(ccache, &creds_union, ccNoError, "ok creds"); } - + if (&creds_union) { release_v5_creds_union(&creds_union); } - + // try with bad params check_once_cc_ccache_store_credentials(ccache, NULL, ccErrBadParam, "NULL creds param"); - + // invalid creds if (!err) { err = new_v5_creds_union(&creds_union, "BAR.ORG"); } - + if (!err) { if (creds_union.credentials.credentials_v5->client) { free(creds_union.credentials.credentials_v5->client); @@ -845,14 +844,14 @@ int check_cc_ccache_store_credentials(void) { } check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadParam, "invalid creds (NULL client string)"); } - + if (&creds_union) { release_v5_creds_union(&creds_union); } - + // bad creds version if (!err) { err = new_v5_creds_union(&creds_union, "BAR.ORG"); } - + if (!err) { creds_union.version = cc_credentials_v4_v5; check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4_v5 creds (invalid) into a ccache with only v5 princ"); @@ -860,11 +859,11 @@ int check_cc_ccache_store_credentials(void) { check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4 creds into a ccache with only v5 princ"); creds_union.version = cc_credentials_v5; } - + if (&creds_union) { release_v5_creds_union(&creds_union); } - + // non-existent ccache - if (ccache) { + if (ccache) { err = cc_ccache_get_name(ccache, &name); if (!err) { err = cc_context_open_ccache(context, name->data, &dup_ccache); @@ -872,24 +871,24 @@ int check_cc_ccache_store_credentials(void) { if (name) { cc_string_release(name); } if (dup_ccache) { cc_ccache_destroy(dup_ccache); } } - + if (!err) { err = new_v5_creds_union(&creds_union, "BAR.ORG"); } - + if (!err) { check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrInvalidCCache, "invalid ccache"); } - + if (&creds_union) { release_v5_creds_union(&creds_union); } if (ccache) { cc_ccache_release(ccache); } - if (context) { + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_store_credentials */ - + END_TEST_AND_RETURN } @@ -897,27 +896,27 @@ cc_int32 check_once_cc_ccache_store_credentials(cc_ccache_t ccache, const cc_cre cc_int32 err = ccNoError; cc_credentials_iterator_t creds_iterator = NULL; cc_credentials_t creds = NULL; - + cc_int32 possible_return_values[6] = { - ccNoError, - ccErrBadParam, - ccErrInvalidCCache, - ccErrInvalidCredentials, - ccErrBadCredentialsVersion, - ccErrCCacheNotFound, + ccNoError, + ccErrBadParam, + ccErrInvalidCCache, + ccErrInvalidCredentials, + ccErrBadCredentialsVersion, + ccErrCCacheNotFound, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_store_credentials - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_store_credentials(ccache, credentials); - + // check returned error check_err(err, expected_err, possible_return_values); - + // make sure credentials were truly stored if (!err) { err = cc_ccache_new_credentials_iterator(ccache, &creds_iterator); @@ -929,20 +928,20 @@ cc_int32 check_once_cc_ccache_store_credentials(cc_ccache_t ccache, const cc_cre break; } cc_credentials_release(creds); - creds = NULL; + creds = NULL; } } - - if (err == ccIteratorEnd) { + + if (err == ccIteratorEnd) { check_if((creds != NULL), "stored credentials not found in ccache"); err = ccNoError; } if (creds) { cc_credentials_release(creds); } - + #endif /* cc_ccache_store_credentials */ - + END_CHECK_ONCE; - + return err; } @@ -961,24 +960,24 @@ int check_cc_ccache_remove_credentials(void) { cc_credentials_iterator_t creds_iterator = NULL; cc_string_t name = NULL; unsigned int i; - + BEGIN_TEST("cc_ccache_remove_credentials"); - + #ifndef cc_ccache_remove_credentials log_error("cc_ccache_remove_credentials is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); } - + // store 10 creds and retrieve their cc_credentials_t representations for(i = 0; !err && (i < 10); i++) { new_v5_creds_union(&creds_union, "BAR.ORG"); @@ -1000,7 +999,7 @@ int check_cc_ccache_remove_credentials(void) { } } if (err == ccIteratorEnd) { err = ccNoError; } - + // remove 10 valid creds for (i = 0; !err && (i < 8); i++) { check_once_cc_ccache_remove_credentials(ccache, creds_array[i], ccNoError, "10 ok creds"); @@ -1008,12 +1007,12 @@ int check_cc_ccache_remove_credentials(void) { // NULL param check_once_cc_ccache_remove_credentials(ccache, NULL, ccErrBadParam, "NULL creds in param"); - + // non-existent creds (remove same one twice) check_once_cc_ccache_remove_credentials(ccache, creds_array[0], ccErrInvalidCredentials, "removed same creds twice"); - + // non-existent ccache - if (ccache) { + if (ccache) { err = cc_ccache_get_name(ccache, &name); if (!err) { err = cc_context_open_ccache(context, name->data, &dup_ccache); @@ -1021,11 +1020,11 @@ int check_cc_ccache_remove_credentials(void) { if (name) { cc_string_release(name); } if (dup_ccache) { cc_ccache_destroy(dup_ccache); } } - + if (!err) { err = new_v5_creds_union(&creds_union, "BAR.ORG"); } - + if (!err) { check_once_cc_ccache_remove_credentials(ccache, creds_array[8], ccErrInvalidCCache, "invalid ccache"); } @@ -1035,13 +1034,13 @@ int check_cc_ccache_remove_credentials(void) { } if (ccache) { cc_ccache_release(ccache); } - if (context) { + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_remove_credentials */ - + END_TEST_AND_RETURN } @@ -1049,27 +1048,27 @@ cc_int32 check_once_cc_ccache_remove_credentials(cc_ccache_t ccache, cc_credenti cc_int32 err = ccNoError; cc_credentials_iterator_t creds_iterator = NULL; cc_credentials_t creds = NULL; - + cc_int32 possible_return_values[6] = { - ccNoError, - ccErrBadParam, - ccErrInvalidCCache, - ccErrInvalidCredentials, - ccErrCredentialsNotFound, + ccNoError, + ccErrBadParam, + ccErrInvalidCCache, + ccErrInvalidCredentials, + ccErrCredentialsNotFound, ccErrCCacheNotFound, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_remove_credentials - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_remove_credentials(ccache, in_creds); - + // check returned error check_err(err, expected_err, possible_return_values); - + // make sure credentials were truly removed if (!err) { err = cc_ccache_new_credentials_iterator(ccache, &creds_iterator); @@ -1081,22 +1080,22 @@ cc_int32 check_once_cc_ccache_remove_credentials(cc_ccache_t ccache, cc_credenti break; } cc_credentials_release(creds); - creds = NULL; + creds = NULL; } } - - if (err == ccIteratorEnd) { + + if (err == ccIteratorEnd) { err = ccNoError; } else { check_if((creds != NULL), "credentials not removed from ccache"); } if (creds) { cc_credentials_release(creds); } - + #endif /* cc_ccache_remove_credentials */ - + END_CHECK_ONCE; - + return err; } @@ -1111,44 +1110,44 @@ int check_cc_ccache_new_credentials_iterator(void) { cc_ccache_t dup_ccache = NULL; cc_credentials_iterator_t creds_iterator = NULL; cc_string_t name = NULL; - + BEGIN_TEST("cc_ccache_new_credentials_iterator"); - + #ifndef cc_ccache_new_credentials_iterator log_error("cc_ccache_new_credentials_iterator is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); } - + // valid params if (!err) { check_once_cc_ccache_new_credentials_iterator(ccache, &creds_iterator, ccNoError, "valid params"); } - if (creds_iterator) { - cc_credentials_iterator_release(creds_iterator); + if (creds_iterator) { + cc_credentials_iterator_release(creds_iterator); creds_iterator = NULL; } - + // NULL out param if (!err) { check_once_cc_ccache_new_credentials_iterator(ccache, NULL, ccErrBadParam, "NULL out iterator param"); } - if (creds_iterator) { - cc_credentials_iterator_release(creds_iterator); + if (creds_iterator) { + cc_credentials_iterator_release(creds_iterator); creds_iterator = NULL; } - + // non-existent ccache - if (ccache) { + if (ccache) { err = cc_ccache_get_name(ccache, &name); if (!err) { err = cc_context_open_ccache(context, name->data, &dup_ccache); @@ -1156,53 +1155,53 @@ int check_cc_ccache_new_credentials_iterator(void) { if (name) { cc_string_release(name); } if (dup_ccache) { cc_ccache_destroy(dup_ccache); } } - + if (!err) { check_once_cc_ccache_new_credentials_iterator(ccache, &creds_iterator, ccErrInvalidCCache, "invalid ccache"); } - - if (creds_iterator) { - cc_credentials_iterator_release(creds_iterator); + + if (creds_iterator) { + cc_credentials_iterator_release(creds_iterator); creds_iterator = NULL; } if (ccache) { cc_ccache_release(ccache); } - if (context) { + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_new_credentials_iterator */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_new_credentials_iterator(cc_ccache_t ccache, cc_credentials_iterator_t *iterator, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; - + cc_int32 possible_return_values[5] = { - ccNoError, - ccErrBadParam, - ccErrNoMem, - ccErrCCacheNotFound, - ccErrInvalidCCache, + ccNoError, + ccErrBadParam, + ccErrNoMem, + ccErrCCacheNotFound, + ccErrInvalidCCache, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_new_credentials_iterator - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_new_credentials_iterator(ccache, iterator); - + // check returned error check_err(err, expected_err, possible_return_values); - + #endif /* cc_ccache_new_credentials_iterator */ - + END_CHECK_ONCE; - + return err; } @@ -1212,38 +1211,38 @@ cc_int32 check_once_cc_ccache_new_credentials_iterator(cc_ccache_t ccache, cc_cr cc_int32 check_once_cc_ccache_get_change_time(cc_ccache_t ccache, cc_time_t *last_time, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_time_t this_time = 0; - + cc_int32 possible_return_values[4] = { - ccNoError, - ccErrInvalidCCache, - ccErrBadParam, - ccErrCCacheNotFound, + ccNoError, + ccErrInvalidCCache, + ccErrBadParam, + ccErrCCacheNotFound, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_get_change_time - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (last_time == NULL) { err = cc_ccache_get_change_time(ccache, NULL); // passed NULL to compare against because intention is actually to pass bad param instead } else { err = cc_ccache_get_change_time(ccache, &this_time); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if ((!err) && last_time) { check_if(this_time <= *last_time, "change time didn't increase when expected"); *last_time = this_time; } - + #endif /* cc_ccache_get_change_time */ - + END_CHECK_ONCE; - + return err; } @@ -1258,20 +1257,20 @@ int check_cc_ccache_get_change_time(void) { cc_credentials_iterator_t creds_iterator = NULL; cc_credentials_t credentials = NULL; cc_time_t last_time = 0; - + BEGIN_TEST("cc_ccache_get_change_time"); - + #ifndef cc_ccache_get_change_time log_error("cc_ccache_get_change_time is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // create some ccaches (so that the one we keep around as 'ccache' is not default) if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); @@ -1282,14 +1281,14 @@ int check_cc_ccache_get_change_time(void) { if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); } - + // change it in all the ways it can change, checking after each - + // the ccache is created if (!err) { check_once_cc_ccache_get_change_time(ccache, &last_time, ccNoError, "new ccache (change time should be > 0)"); } - + // the ccache is made default if (!err) { err = cc_ccache_set_default(ccache); @@ -1297,7 +1296,7 @@ int check_cc_ccache_get_change_time(void) { if (!err) { check_once_cc_ccache_get_change_time(ccache, &last_time, ccNoError, "non-default ccache became default"); } - + // the ccache is made not-default if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "something@ELSE.COM", &dummy_ccache); @@ -1305,20 +1304,20 @@ int check_cc_ccache_get_change_time(void) { if (!err) { err = cc_ccache_set_default(dummy_ccache); } - if (dummy_ccache) { + if (dummy_ccache) { cc_ccache_release(dummy_ccache); } if (!err) { check_once_cc_ccache_get_change_time(ccache, &last_time, ccNoError, "default ccache became non-default"); } - + // try with bad params - + // NULL out param if (!err) { check_once_cc_ccache_get_change_time(ccache, NULL, ccErrBadParam, "NULL out param for time"); } - + // store a credential if (!err) { new_v5_creds_union(&creds_union, "BAR.ORG"); @@ -1326,7 +1325,7 @@ int check_cc_ccache_get_change_time(void) { release_v5_creds_union(&creds_union); } check_once_cc_ccache_get_change_time(ccache, &last_time, ccNoError, "stored new credential"); - + if (!err) { // change principal (fails with ccErrBadInternalMessage) err = cc_ccache_set_principal(ccache, cc_credentials_v5, "foo@BAR.ORG"); @@ -1337,7 +1336,7 @@ int check_cc_ccache_get_change_time(void) { } } check_once_cc_context_get_change_time(context, &last_time, ccNoError, "after changing a principle"); - + // remove a credential if (!err) { err = cc_ccache_new_credentials_iterator(ccache, &creds_iterator); @@ -1352,8 +1351,8 @@ int check_cc_ccache_get_change_time(void) { err = cc_ccache_remove_credentials(ccache, credentials); } check_once_cc_context_get_change_time(context, &last_time, ccNoError, "after removing a credential"); - - + + // invalid ccache if (!err) { err = destroy_all_ccaches(context); @@ -1361,15 +1360,15 @@ int check_cc_ccache_get_change_time(void) { if (!err) { check_once_cc_ccache_get_change_time(ccache, &last_time, ccErrInvalidCCache, "getting change time on destroyed ccache"); } - + if (ccache) { cc_ccache_release(ccache); } - if (context) { + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_get_change_time */ - + END_TEST_AND_RETURN } @@ -1379,39 +1378,39 @@ int check_cc_ccache_get_change_time(void) { cc_int32 check_once_cc_ccache_get_last_default_time(cc_ccache_t ccache, cc_time_t *last_time, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_time_t this_time = 0; - + cc_int32 possible_return_values[5] = { - ccNoError, - ccErrInvalidCCache, - ccErrBadParam, - ccErrNeverDefault, - ccErrCCacheNotFound, + ccNoError, + ccErrInvalidCCache, + ccErrBadParam, + ccErrNeverDefault, + ccErrCCacheNotFound, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_get_last_default_time - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (last_time == NULL) { err = cc_ccache_get_last_default_time(ccache, NULL); // passed NULL to compare against because intention is actually to pass bad param instead } else { err = cc_ccache_get_last_default_time(ccache, &this_time); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err && last_time) { check_if(this_time > *last_time, "last default time isn't as expected"); *last_time = this_time; } - + #endif /* cc_ccache_get_last_default_time */ - + END_CHECK_ONCE; - + return err; } @@ -1425,20 +1424,20 @@ int check_cc_ccache_get_last_default_time(void) { cc_time_t last_time_1 = 0; cc_time_t last_time_2 = 0; cc_string_t name = NULL; - + BEGIN_TEST("cc_ccache_get_last_default_time"); - + #ifndef cc_ccache_get_last_default_time log_error("cc_ccache_get_last_default_time is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // create 2 ccaches if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@ONE.ORG", &ccache_1); @@ -1446,18 +1445,18 @@ int check_cc_ccache_get_last_default_time(void) { if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@TWO.ORG", &ccache_2); } - + if (!err) { err = cc_ccache_get_change_time(ccache_1, &last_time_1); } - - // since we destroyed all ccaches before creating these two, + + // since we destroyed all ccaches before creating these two, // ccache_1 should be default and ccache_2 should never have been default if (!err) { check_once_cc_ccache_get_last_default_time(ccache_1, &last_time_1, ccNoError, "ccache_1 default at creation"); check_once_cc_ccache_get_last_default_time(ccache_2, &last_time_2, ccErrNeverDefault, "ccache_2 never default"); } - + // make ccache_2 default and check each of their times again if (!err) { err = cc_ccache_set_default(ccache_2); @@ -1474,10 +1473,10 @@ int check_cc_ccache_get_last_default_time(void) { if (!err) { check_once_cc_ccache_get_last_default_time(ccache_1, NULL, ccErrBadParam, "NULL out param"); } - + // non-existent ccache - if (ccache_2) { - cc_ccache_release(ccache_2); + if (ccache_2) { + cc_ccache_release(ccache_2); ccache_2 = NULL; } if (!err) { @@ -1490,20 +1489,20 @@ int check_cc_ccache_get_last_default_time(void) { cc_ccache_destroy(ccache_2); ccache_2 = NULL; } - + if (!err) { check_once_cc_ccache_get_last_default_time(ccache_1, &last_time_1, ccErrInvalidCCache, "destroyed ccache"); } - + if (ccache_1) { cc_ccache_release(ccache_1); } - - if (context) { + + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_get_last_default_time */ - + END_TEST_AND_RETURN } @@ -1514,23 +1513,23 @@ int check_cc_ccache_move(void) { cc_context_t context = NULL; cc_ccache_t source = NULL; cc_ccache_t destination = NULL; - + cc_credentials_union creds_union; unsigned int i = 0; - + BEGIN_TEST("cc_ccache_move"); - + #ifndef cc_ccache_move log_error("cc_ccache_move is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // create 2 ccaches if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@ONE.ORG", &source); @@ -1538,7 +1537,7 @@ int check_cc_ccache_move(void) { if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@TWO.ORG", &destination); } - + // store credentials in each for (i = 0; !err && (i < 10); i++) { new_v5_creds_union(&creds_union, "ONE.ORG"); @@ -1548,7 +1547,7 @@ int check_cc_ccache_move(void) { new_v5_creds_union(&creds_union, "TWO.ORG"); err = cc_ccache_store_credentials(destination, &creds_union); } - + // move source into destination if (!err) { check_once_cc_ccache_move(source, destination, ccNoError, "valid params"); @@ -1558,25 +1557,25 @@ int check_cc_ccache_move(void) { if (!err) { check_once_cc_ccache_move(destination, NULL, ccErrBadParam, "NULL destination param"); } - + // non-existent ccache if (!err) { check_once_cc_ccache_move(destination, source, ccErrInvalidCCache, "recently moved source as destination param"); } - + if (source) { cc_ccache_release(source); } if (destination) { cc_ccache_release(destination); } - - if (context) { + + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + #endif /* cc_ccache_move */ - + END_TEST_AND_RETURN - - + + } cc_int32 check_once_cc_ccache_move(cc_ccache_t source, cc_ccache_t destination, cc_int32 expected_err, const char *description) { @@ -1585,25 +1584,25 @@ cc_int32 check_once_cc_ccache_move(cc_ccache_t source, cc_ccache_t destination, cc_credentials_t creds = NULL; cc_credentials_iterator_t cred_iterator = NULL; unsigned int i = 0; - + cc_string_t src_principal = NULL; cc_string_t dst_principal = NULL; - + cc_int32 possible_return_values[4] = { - ccNoError, - ccErrBadParam, - ccErrInvalidCCache, + ccNoError, + ccErrBadParam, + ccErrInvalidCCache, ccErrCCacheNotFound, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_move - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (destination) { - // verify all of destination's credentials are no longer there (save a list and call remove_cred for each, expecting an err in response) + // verify all of destination's credentials are no longer there (save a list and call remove_cred for each, expecting an err in response) if (!err) { err = cc_ccache_new_credentials_iterator(destination, &cred_iterator); } @@ -1616,8 +1615,8 @@ cc_int32 check_once_cc_ccache_move(cc_ccache_t source, cc_ccache_t destination, if (err == ccIteratorEnd) { err = ccNoError; } - if (cred_iterator) { - cc_credentials_iterator_release(cred_iterator); + if (cred_iterator) { + cc_credentials_iterator_release(cred_iterator); cred_iterator = NULL; } @@ -1626,16 +1625,16 @@ cc_int32 check_once_cc_ccache_move(cc_ccache_t source, cc_ccache_t destination, err = cc_ccache_get_principal(source, cc_credentials_v5, &src_principal); } } - - + + if (!err) { err = cc_ccache_move(source, destination); } - + // check returned error check_err(err, expected_err, possible_return_values); - - + + if (!err) { // verify all of destination's credentials are no longer there (save a list and call remove_cred for each, expecting an err in response) i = 0; @@ -1657,7 +1656,7 @@ cc_int32 check_once_cc_ccache_move(cc_ccache_t source, cc_ccache_t destination, } // verify that handles for source are no longer valid (get_change_time) - if (src_principal) { + if (src_principal) { cc_string_release(src_principal); src_principal = NULL; } @@ -1665,16 +1664,16 @@ cc_int32 check_once_cc_ccache_move(cc_ccache_t source, cc_ccache_t destination, err = cc_ccache_get_principal(source, cc_credentials_v5, &src_principal); check_if(err != ccErrInvalidCCache, "source ccache was not invalidated after move"); } - - + + if (cred_iterator) { cc_credentials_iterator_release(cred_iterator); } if (src_principal) { cc_string_release(src_principal); } if (dst_principal) { cc_string_release(dst_principal); } - + #endif /* cc_ccache_move */ - + END_CHECK_ONCE; - + return err; } @@ -1687,14 +1686,14 @@ int check_cc_ccache_compare(void) { cc_ccache_t ccache_a = NULL; cc_ccache_t ccache_b = NULL; cc_uint32 equal = 0; - + BEGIN_TEST("cc_ccache_compare"); - + #ifndef cc_ccache_compare log_error("cc_ccache_compare is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); if (!err) { @@ -1711,7 +1710,7 @@ int check_cc_ccache_compare(void) { check_once_cc_ccache_compare(ccache_a, ccache_a, &equal, ccNoError, "compare ccache with same pointer"); equal = 1; check_once_cc_ccache_compare(ccache_a, ccache_b, &equal, ccNoError, "compare different handles to same ccache"); - + if (ccache_b) { cc_ccache_release(ccache_b); ccache_b = NULL; @@ -1726,40 +1725,40 @@ int check_cc_ccache_compare(void) { if (ccache_a) { cc_ccache_release(ccache_a); } if (ccache_b) { cc_ccache_release(ccache_b); } - - if (context) { + + if (context) { err = destroy_all_ccaches(context); - cc_context_release(context); + cc_context_release(context); } - + #endif /* cc_ccache_compare */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_compare(cc_ccache_t ccache, cc_ccache_t compare_to, cc_uint32 *equal, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_uint32 actually_equal = 0; - + cc_int32 possible_return_values[4] = { - ccNoError, - ccErrInvalidContext, - ccErrBadParam, + ccNoError, + ccErrInvalidContext, + ccErrBadParam, ccErrServerUnavailable, }; BEGIN_CHECK_ONCE(description); #ifdef cc_ccache_compare - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (equal) { actually_equal = *equal; - } - + } + err = cc_ccache_compare(ccache, compare_to, equal); - + if (!err && equal) { if (actually_equal) { check_if(actually_equal != *equal, "equal ccaches not considered equal"); @@ -1768,12 +1767,12 @@ cc_int32 check_once_cc_ccache_compare(cc_ccache_t ccache, cc_ccache_t compare_to check_if(actually_equal != *equal, "non-equal ccaches considered equal"); } } - + // check returned error check_err(err, expected_err, possible_return_values); - + #endif /* cc_ccache_compare */ - + return err; } @@ -1785,14 +1784,14 @@ int check_cc_ccache_get_kdc_time_offset(void) { cc_context_t context = NULL; cc_ccache_t ccache = NULL; cc_time_t time_offset = 0; - + BEGIN_TEST("cc_ccache_get_kdc_time_offset"); - + #ifndef cc_ccache_get_kdc_time_offset log_error("cc_ccache_get_kdc_time_offset is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); if (!err) { @@ -1804,7 +1803,7 @@ int check_cc_ccache_get_kdc_time_offset(void) { time_offset = 0; check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccErrTimeOffsetNotSet, "brand new ccache (offset not yet set)"); - + time_offset = 10; if (!err) { err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, time_offset); @@ -1821,58 +1820,58 @@ int check_cc_ccache_get_kdc_time_offset(void) { if (!err) { check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccNoError, "asking for v4 offset when v4 and v5 are set"); } - + check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL time_offset out param"); check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4_v5, &time_offset, ccErrBadCredentialsVersion, "v4_v5 creds_vers in param (invalid)"); if (ccache) { cc_ccache_release(ccache); } - - if (context) { + + if (context) { err = destroy_all_ccaches(context); - cc_context_release(context); + cc_context_release(context); } - + #endif /* cc_ccache_get_kdc_time_offset */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_get_kdc_time_offset(cc_ccache_t ccache, cc_int32 credentials_version, cc_time_t *time_offset, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_time_t expected_offset; - + cc_int32 possible_return_values[7] = { - ccNoError, - ccErrTimeOffsetNotSet, - ccErrCCacheNotFound, - ccErrInvalidCCache, - ccErrBadParam, - ccErrServerUnavailable, - ccErrBadCredentialsVersion, + ccNoError, + ccErrTimeOffsetNotSet, + ccErrCCacheNotFound, + ccErrInvalidCCache, + ccErrBadParam, + ccErrServerUnavailable, + ccErrBadCredentialsVersion, }; BEGIN_CHECK_ONCE(description); #ifdef cc_ccache_get_kdc_time_offset - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (time_offset) { expected_offset = *time_offset; } - + err = cc_ccache_get_kdc_time_offset(ccache, credentials_version, time_offset); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err && time_offset) { check_if(*time_offset != expected_offset, "kdc time offset doesn't match expected value"); } - + #endif /* cc_ccache_get_kdc_time_offset */ - + return err; } @@ -1883,14 +1882,14 @@ int check_cc_ccache_set_kdc_time_offset(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_set_kdc_time_offset"); - + #ifndef cc_ccache_set_kdc_time_offset log_error("cc_ccache_set_kdc_time_offset is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); if (!err) { @@ -1902,55 +1901,55 @@ int check_cc_ccache_set_kdc_time_offset(void) { check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0, ccNoError, "first time setting offset (v5)"); check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0, ccNoError, "first time setting offset (v4)"); - + check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4_v5, 0, ccErrBadCredentialsVersion, "invalid creds_vers (v4_v5)"); if (ccache) { cc_ccache_release(ccache); } - - if (context) { + + if (context) { err = destroy_all_ccaches(context); - cc_context_release(context); + cc_context_release(context); } - + #endif /* cc_ccache_set_kdc_time_offset */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_set_kdc_time_offset(cc_ccache_t ccache, cc_int32 credentials_version, cc_time_t time_offset, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_time_t stored_offset = 0; - + cc_int32 possible_return_values[6] = { - ccNoError, - ccErrCCacheNotFound, - ccErrInvalidCCache, - ccErrBadParam, - ccErrServerUnavailable, + ccNoError, + ccErrCCacheNotFound, + ccErrInvalidCCache, + ccErrBadParam, + ccErrServerUnavailable, ccErrBadCredentialsVersion, }; BEGIN_CHECK_ONCE(description); #ifdef cc_ccache_set_kdc_time_offset - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_ccache_set_kdc_time_offset(ccache, credentials_version, time_offset); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { err = cc_ccache_get_kdc_time_offset(ccache, credentials_version, &stored_offset); } - + if (!err) { check_if(time_offset != stored_offset, "kdc time offset doesn't match expected value"); } - + #endif /* cc_ccache_set_kdc_time_offset */ - + return err; } @@ -1961,14 +1960,14 @@ int check_cc_ccache_clear_kdc_time_offset(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_ccache_clear_kdc_time_offset"); - + #ifndef cc_ccache_clear_kdc_time_offset log_error("cc_ccache_clear_kdc_time_offset is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); if (!err) { @@ -1983,55 +1982,53 @@ int check_cc_ccache_clear_kdc_time_offset(void) { err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0); err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0); - + check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing v5"); check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing v4"); - + check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4_v5, ccErrBadCredentialsVersion, "bad in param creds vers (v4_v5)"); - + if (ccache) { cc_ccache_release(ccache); } - - if (context) { + + if (context) { err = destroy_all_ccaches(context); - cc_context_release(context); + cc_context_release(context); } - + #endif /* cc_ccache_clear_kdc_time_offset */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_ccache_clear_kdc_time_offset(cc_ccache_t ccache, cc_int32 credentials_version, cc_int32 expected_err, const char *description) { cc_int32 err = ccNoError; cc_time_t stored_offset = 0; - + cc_int32 possible_return_values[6] = { - ccNoError, - ccErrCCacheNotFound, - ccErrInvalidCCache, - ccErrBadParam, - ccErrServerUnavailable, + ccNoError, + ccErrCCacheNotFound, + ccErrInvalidCCache, + ccErrBadParam, + ccErrServerUnavailable, ccErrBadCredentialsVersion, }; BEGIN_CHECK_ONCE(description); #ifdef cc_ccache_clear_kdc_time_offset - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) err = cc_ccache_clear_kdc_time_offset(ccache, credentials_version); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { err = cc_ccache_get_kdc_time_offset(ccache, credentials_version, &stored_offset); check_if(err != ccErrTimeOffsetNotSet, "time offset not cleared"); } - + #endif /* cc_ccache_clear_kdc_time_offset */ - + return err; } - - diff --git a/src/ccapi/test/test_ccapi_check.c b/src/ccapi/test/test_ccapi_check.c index 8352adfdc..7f55b4557 100644 --- a/src/ccapi/test/test_ccapi_check.c +++ b/src/ccapi/test/test_ccapi_check.c @@ -14,20 +14,20 @@ int _check_if(int expression, const char *file, int line, const char *expression _log_error_v(file, line, format, ap); va_end(ap); } - + if (current_test_activity) { fprintf(stdout, " (%s)", current_test_activity); } } - - return (expression != 0); + + return (expression != 0); } int array_contains_int(cc_int32 *array, int size, cc_int32 value) { if (array != NULL && size > 0) { int i = 0; - while (i < size && array[i] != value) { - i++; + while (i < size && array[i] != value) { + i++; } if (i < size) { return 1; diff --git a/src/ccapi/test/test_ccapi_check.h b/src/ccapi/test/test_ccapi_check.h index c05a5152e..0a953481a 100644 --- a/src/ccapi/test/test_ccapi_check.h +++ b/src/ccapi/test/test_ccapi_check.h @@ -7,21 +7,21 @@ #include "test_ccapi_globals.h" int _check_if(int expression, const char *file, int line, const char *expression_string, const char *format, ...); - + #define check_int(a, b) \ check_if(a != b, NULL) /* * if expression evaluates to true, check_if increments the failure_count and prints: - * + * * check_if(a!=a, NULL); - * ==> "/path/to/file:line: a!=a" - * + * ==> "/path/to/file:line: a!=a" + * * check_if(a!=a, "This shouldn't be happening"); * ==> "/path/to/file:line: This shouldn't be happening" - * + * * check_if(a!=a, "This has happened %d times now", 3); - * ==> "/path/to/file:line: This has happened 3 times now" + * ==> "/path/to/file:line: This has happened 3 times now" */ #define check_if(expression, format, ...) \ diff --git a/src/ccapi/test/test_ccapi_constants.c b/src/ccapi/test/test_ccapi_constants.c index 10d07f061..9f2aecbc2 100644 --- a/src/ccapi/test/test_ccapi_constants.c +++ b/src/ccapi/test/test_ccapi_constants.c @@ -5,16 +5,16 @@ int check_constants(void) { BEGIN_TEST("constants"); /* API versions */ - + check_int(ccapi_version_2, 2); check_int(ccapi_version_3, 3); check_int(ccapi_version_4, 4); check_int(ccapi_version_5, 5); check_int(ccapi_version_6, 6); - + /* Errors */ - - check_int(ccNoError , 0 ); // 0 + + check_int(ccNoError , 0 ); // 0 check_int(ccIteratorEnd , 201); // 201 check_int(ccErrBadParam , 202); // 202 check_int(ccErrNoMem , 203); // 203 @@ -45,7 +45,7 @@ int check_constants(void) { check_int(ccErrNotImplemented , 228); // 228 /* Credentials versions */ - + check_int(cc_credentials_v4, 1); check_int(cc_credentials_v5, 2); check_int(cc_credentials_v4_v5, (cc_credentials_v4 | cc_credentials_v5)); @@ -58,9 +58,9 @@ int check_constants(void) { check_int(cc_lock_downgrade, 3); /* Locking Modes */ - + check_int(cc_lock_noblock, 0); check_int(cc_lock_block, 1); - + END_TEST_AND_RETURN } diff --git a/src/ccapi/test/test_ccapi_context.c b/src/ccapi/test/test_ccapi_context.c index 51714539e..09feebee5 100644 --- a/src/ccapi/test/test_ccapi_context.c +++ b/src/ccapi/test/test_ccapi_context.c @@ -7,110 +7,110 @@ int check_cc_initialize(void) { cc_int32 err = 0; cc_context_t context = NULL; - + BEGIN_TEST("cc_initialize"); - + // try every api_version err = check_once_cc_initialize(&context, ccapi_version_2, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_2"); // err == CC_BAD_API_VERSION (9) would be imported by CredentialsCache2.h - err = check_once_cc_initialize(&context, ccapi_version_3, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_3"); // !err - err = check_once_cc_initialize(&context, ccapi_version_4, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_4"); // " - err = check_once_cc_initialize(&context, ccapi_version_5, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_5"); // " - err = check_once_cc_initialize(&context, ccapi_version_6, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_6"); // " - + err = check_once_cc_initialize(&context, ccapi_version_3, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_3"); // !err + err = check_once_cc_initialize(&context, ccapi_version_4, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_4"); // " + err = check_once_cc_initialize(&context, ccapi_version_5, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_5"); // " + err = check_once_cc_initialize(&context, ccapi_version_6, NULL, NULL, ccNoError, "cc_initialize with ccapi_version_6"); // " + // try bad api_version - err = check_once_cc_initialize(&context, INT_MAX, NULL, NULL, ccErrBadAPIVersion, NULL); // err == ccErrBadAPIVersion - + err = check_once_cc_initialize(&context, INT_MAX, NULL, NULL, ccErrBadAPIVersion, NULL); // err == ccErrBadAPIVersion + // try bad param - err = check_once_cc_initialize(NULL, ccapi_version_3, NULL, NULL, ccErrBadParam, NULL); // err == ccErrBadParam - + err = check_once_cc_initialize(NULL, ccapi_version_3, NULL, NULL, ccErrBadParam, NULL); // err == ccErrBadParam + END_TEST_AND_RETURN } cc_int32 check_once_cc_initialize(cc_context_t *out_context, cc_int32 in_version, cc_int32 *out_supported_version, char const **out_vendor, cc_int32 expected_err, const char *description) { cc_int32 err = 0; cc_context_t context; - + cc_int32 possible_return_values[4] = { - ccNoError, - ccErrNoMem, - ccErrBadAPIVersion, + ccNoError, + ccErrNoMem, + ccErrBadAPIVersion, ccErrBadParam, }; BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_initialize(out_context, in_version, out_supported_version, out_vendor); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (out_context) { context = *out_context; } else { context = NULL; } - + // check output parameters if (!err) { check_if(context == NULL, NULL); - if (context) { - cc_context_release(context); + if (context) { + cc_context_release(context); *out_context = NULL; } } else { check_if(context != NULL, NULL); } - + return err; } int check_cc_context_release(void) { cc_int32 err = 0; cc_context_t context = NULL; - + BEGIN_TEST("cc_context_release"); - + #ifndef cc_context_release log_error("cc_context_release is not implemented yet"); failure_count++; #else - + // try with valid context err = check_once_cc_context_release(&context, ccNoError, NULL); - + // try with NULL //err = check_once_cc_context_release(NULL, ccErrInvalidContext); - /* calling with NULL context crashes, because this macro expands to + /* calling with NULL context crashes, because this macro expands to ((NULL) -> functions -> release (NULL)) which is dereferencing NULL which is bad. */ - + if (context) { cc_context_release(context); } - + #endif /* cc_context_release */ - + END_TEST_AND_RETURN } cc_int32 check_once_cc_context_release(cc_context_t *out_context, cc_int32 expected_err, const char *description) { cc_int32 err = 0; cc_context_t context = NULL; - + cc_int32 possible_return_values[2] = { - ccNoError, - ccErrInvalidContext, + ccNoError, + ccErrInvalidContext, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_release - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (out_context) { err = cc_initialize(out_context, ccapi_version_3, NULL, NULL); - if (!err) { - context = *out_context; + if (!err) { + context = *out_context; } } - + if (err != ccNoError) { log_error("failure in cc_initialize, unable to perform check"); return err; @@ -120,13 +120,13 @@ cc_int32 check_once_cc_context_release(cc_context_t *out_context, cc_int32 expec // check returned error check_err(err, expected_err, possible_return_values); } - + *out_context = NULL; - + #endif /* cc_context_release */ - + END_CHECK_ONCE; - + return err; } @@ -138,32 +138,32 @@ int check_cc_context_get_change_time(void) { cc_credentials_union creds_union; cc_credentials_iterator_t creds_iterator = NULL; cc_credentials_t credentials = NULL; - + BEGIN_TEST("cc_context_get_change_time"); - + #ifndef cc_context_get_change_time log_error("cc_context_get_change_time is not implemented yet"); failure_count++; #else - + /* * Make a context * make sure the change time changes after: - * a ccache is created - * a ccache is destroyed - * a credential is stored - * a credential is removed - * a ccache principal is changed + * a ccache is created + * a ccache is destroyed + * a credential is stored + * a credential is removed + * a ccache principal is changed * the default ccache is changed * clean up memory */ - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); if (!err) { - + // try bad parameters first err = check_once_cc_context_get_change_time(context, NULL, ccErrBadParam, "NULL param, should fail"); - + // make sure we have a default ccache err = cc_context_open_default_ccache(context, &ccache); if (err == ccErrCCacheNotFound) { @@ -175,11 +175,11 @@ int check_cc_context_get_change_time(void) { // either the default ccache already existed or we just created it // either way, the get_change_time should now give something > 0 check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "first-run, should be > 0"); - + // create a ccache err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "after creating a new ccache"); - + // store a credential if (!err) { new_v5_creds_union(&creds_union, "BAR.ORG"); @@ -187,7 +187,7 @@ int check_cc_context_get_change_time(void) { release_v5_creds_union(&creds_union); } check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "after storing a credential"); - + if (!err) { // change principal (fails with ccErrBadInternalMessage) err = cc_ccache_set_principal(ccache, cc_credentials_v5, "foo@BAR.ORG"); @@ -198,7 +198,7 @@ int check_cc_context_get_change_time(void) { } } check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "after changing a principle"); - + // remove a credential if (!err) { err = cc_ccache_new_credentials_iterator(ccache, &creds_iterator); @@ -212,25 +212,25 @@ int check_cc_context_get_change_time(void) { if (!err) { err = cc_ccache_remove_credentials(ccache, credentials); } - check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "after removing a credential"); - + check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "after removing a credential"); + if (!err) { // change default ccache err = cc_ccache_set_default(ccache); check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "after changing default ccache"); } - + if (ccache) { // destroy a ccache err = cc_ccache_destroy(ccache); check_once_cc_context_get_change_time(context, &last_change_time, ccNoError, "after destroying a ccache"); } } - + if (context) { cc_context_release(context); } - + #endif /* cc_get_change_time */ - + END_TEST_AND_RETURN } @@ -238,37 +238,37 @@ cc_int32 check_once_cc_context_get_change_time(cc_context_t context, cc_time_t * cc_int32 err = 0; cc_time_t last_change_time; cc_time_t current_change_time = 0; - + cc_int32 possible_return_values[3] = { - ccNoError, - ccErrInvalidContext, + ccNoError, + ccErrInvalidContext, ccErrBadParam, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_get_change_time - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (time != NULL) { // if we were passed NULL, then we're looking to pass a bad param err = cc_context_get_change_time(context, ¤t_change_time); } else { err = cc_context_get_change_time(context, NULL); } - + check_err(err, expected_err, possible_return_values); - + if (!err) { last_change_time = *time; check_if(current_change_time <= last_change_time, "context change time did not increase when it was supposed to (%d <= %d)", current_change_time, last_change_time); *time = current_change_time; } - + #endif /* cc_context_get_change_time */ - + END_CHECK_ONCE; - + return err; } @@ -277,19 +277,19 @@ int check_cc_context_get_default_ccache_name(void) { cc_context_t context = NULL; cc_ccache_t ccache = NULL; cc_string_t name = NULL; - + BEGIN_TEST("cc_context_get_default_ccache_name"); - + #ifndef cc_context_get_default_ccache_name log_error("cc_context_get_default_ccache_name is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - if (!err) { + if (!err) { // try bad parameters first err = check_once_cc_context_get_default_ccache_name(context, NULL, ccErrBadParam, NULL); - + // try with no default err = destroy_all_ccaches(context); err = cc_context_open_default_ccache(context, &ccache); @@ -297,54 +297,54 @@ int check_cc_context_get_default_ccache_name(void) { log_error("didn't remove all ccaches"); } err = check_once_cc_context_get_default_ccache_name(context, &name, ccNoError, NULL); - + // try normally err = cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); if (ccache) { cc_ccache_release(ccache); } err = check_once_cc_context_get_default_ccache_name(context, &name, ccNoError, NULL); - + } - + if (context) { cc_context_release(context); } - + #endif /* cc_context_get_default_ccache_name */ - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } cc_int32 check_once_cc_context_get_default_ccache_name(cc_context_t context, cc_string_t *name, cc_int32 expected_err, const char *description) { cc_int32 err = 0; - + cc_int32 possible_return_values[4] = { - ccNoError, - ccErrInvalidContext, - ccErrBadParam, - ccErrNoMem, + ccNoError, + ccErrInvalidContext, + ccErrBadParam, + ccErrNoMem, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_get_default_ccache_name - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (name != NULL) { // if we were passed NULL, then we're looking to pass a bad param err = cc_context_get_default_ccache_name(context, name); } else { err = cc_context_get_default_ccache_name(context, NULL); } - + // check returned error check_err(err, expected_err, possible_return_values); - + // not really anything else to check - + if (name && *name) { cc_string_release(*name); } - + #endif /* cc_context_get_default_ccache_name */ - + END_CHECK_ONCE; - + return err; } @@ -353,16 +353,16 @@ int check_cc_context_open_ccache(void) { cc_context_t context = NULL; cc_ccache_t ccache = NULL; cc_string_t name = NULL; - + BEGIN_TEST("cc_context_open_ccache"); - + #ifndef cc_context_open_ccache log_error("cc_context_open_ccache is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - if (!err) { + if (!err) { // make sure we have a default ccache err = cc_context_open_default_ccache(context, &ccache); if (err == ccErrCCacheNotFound) { @@ -372,7 +372,7 @@ int check_cc_context_open_ccache(void) { err = cc_ccache_release(ccache); ccache = NULL; } - + // try default ccache err = cc_context_get_default_ccache_name(context, &name); if (!err) { @@ -382,7 +382,7 @@ int check_cc_context_open_ccache(void) { // try bad parameters err = check_once_cc_context_open_ccache(context, NULL, &ccache, ccErrBadParam, NULL); err = check_once_cc_context_open_ccache(context, name->data, NULL, ccErrBadParam, NULL); - + // try a ccache that doesn't exist (create one and then destroy it) err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); if (!err) { @@ -392,67 +392,67 @@ int check_cc_context_open_ccache(void) { err = cc_ccache_destroy(ccache); ccache = NULL; } - + err = check_once_cc_context_open_ccache(context, name->data, &ccache, ccErrCCacheNotFound, NULL); } - + if (context) { cc_context_release(context); } - + #endif /* cc_context_open_ccache */ - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } cc_int32 check_once_cc_context_open_ccache(cc_context_t context, const char *name, cc_ccache_t *ccache, cc_int32 expected_err, const char *description) { cc_int32 err = 0; cc_string_t stored_name = NULL; - + cc_int32 possible_return_values[6] = { - ccNoError, - ccErrBadName, - ccErrInvalidContext, - ccErrNoMem, - ccErrCCacheNotFound, - ccErrBadParam, + ccNoError, + ccErrBadName, + ccErrInvalidContext, + ccErrNoMem, + ccErrCCacheNotFound, + ccErrBadParam, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_open_ccache - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (ccache != NULL) { // if we were passed NULL, then we're looking to pass a bad param err = cc_context_open_ccache(context, name, ccache); } else { err = cc_context_open_ccache(context, name, NULL); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(*ccache == NULL, NULL); - + if (!err) { err = cc_ccache_get_name(*ccache, &stored_name); } - if (!err) { - check_if(strcmp(stored_name->data, name), NULL); + if (!err) { + check_if(strcmp(stored_name->data, name), NULL); } if (stored_name) { cc_string_release(stored_name); } - - + + if (ccache && *ccache) { cc_ccache_release(*ccache); *ccache = NULL; } } - + #endif /* cc_context_open_ccache */ - + END_CHECK_ONCE; - + return err; } @@ -460,38 +460,38 @@ int check_cc_context_open_default_ccache(void) { cc_int32 err = 0; cc_context_t context = NULL; cc_ccache_t ccache = NULL; - + BEGIN_TEST("cc_context_open_default_ccache"); - + #ifndef cc_context_open_default_ccache log_error("cc_context_open_default_ccache is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - if (!err) { + if (!err) { // make sure we have a default ccache err = cc_context_create_default_ccache(context, cc_credentials_v5, "foo/bar@BAZ.ORG", &ccache); if (ccache) { cc_ccache_release(ccache); } - + // try default ccache if (!err) { err = check_once_cc_context_open_default_ccache(context, &ccache, ccNoError, NULL); } - + // try bad parameters err = check_once_cc_context_open_default_ccache(context, NULL, ccErrBadParam, NULL); - + // try with no default ccache (destroy all ccaches first) err = destroy_all_ccaches(context); - + err = check_once_cc_context_open_default_ccache(context, &ccache, ccErrCCacheNotFound, NULL); } - + if (context) { cc_context_release(context); } - + #endif /* cc_context_open_default_ccache */ - + END_TEST_AND_RETURN } @@ -499,33 +499,33 @@ cc_int32 check_once_cc_context_open_default_ccache(cc_context_t context, cc_ccac cc_int32 err = 0; cc_string_t given_name = NULL; cc_string_t default_name = NULL; - + cc_int32 possible_return_values[5] = { - ccNoError, - ccErrInvalidContext, - ccErrNoMem, - ccErrCCacheNotFound, - ccErrBadParam, + ccNoError, + ccErrInvalidContext, + ccErrNoMem, + ccErrCCacheNotFound, + ccErrBadParam, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_open_default_ccache - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (ccache != NULL) { // if we were passed NULL, then we're looking to pass a bad param err = cc_context_open_default_ccache(context, ccache); } else { err = cc_context_open_default_ccache(context, NULL); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(*ccache == NULL, NULL); - + // make sure this ccache is the one we were looking to get back (compare name with cc_context_get_default_ccache_name) err = cc_ccache_get_name(*ccache, &given_name); err = cc_context_get_default_ccache_name(context, &default_name); @@ -534,17 +534,17 @@ cc_int32 check_once_cc_context_open_default_ccache(cc_context_t context, cc_ccac } if (given_name) { cc_string_release(given_name); } if (default_name) { cc_string_release(default_name); } - + if (ccache && *ccache) { cc_ccache_release(*ccache); *ccache = NULL; } } - + #endif /* cc_context_open_default_ccache */ - + END_CHECK_ONCE; - + return err; } @@ -553,16 +553,16 @@ int check_cc_context_create_ccache(void) { cc_context_t context = NULL; cc_ccache_t ccache = NULL; cc_string_t name = NULL; - + BEGIN_TEST("cc_context_create_ccache"); - + #ifndef cc_context_create_ccache log_error("cc_context_create_ccache is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - if (!err) { + if (!err) { // try making a ccache with a non-unique name (the existing default's name) if (!err) { err = cc_context_create_default_ccache(context, cc_credentials_v5, "foo/bar@BAZ.ORG", &ccache); @@ -574,26 +574,26 @@ int check_cc_context_create_ccache(void) { if (!err) { err = check_once_cc_context_create_ccache(context, name->data, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccNoError, NULL); } - + // try making a ccache with a unique name (the now destroyed default's name) if (ccache) { cc_ccache_destroy(ccache); } if (!err) { err = check_once_cc_context_create_ccache(context, name->data, cc_credentials_v5, "foo/baz@BAR.ORG", &ccache, ccNoError, NULL); } - + // try bad parameters err = check_once_cc_context_create_ccache(context, NULL, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccErrBadParam, "NULL name"); // NULL name err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache } - + if (name) { cc_string_release(name); } if (ccache) { cc_ccache_destroy(ccache); } if (context) { cc_context_release(context); } - + #endif /* cc_context_create_ccache */ - + END_TEST_AND_RETURN } @@ -604,27 +604,27 @@ cc_int32 check_once_cc_context_create_ccache(cc_context_t context, const char *n cc_uint32 stored_creds_vers = 0; cc_int32 possible_return_values[6] = { - ccNoError, - ccErrBadName, - ccErrBadParam, - ccErrInvalidContext, - ccErrNoMem, - ccErrBadCredentialsVersion, + ccNoError, + ccErrBadName, + ccErrBadParam, + ccErrInvalidContext, + ccErrNoMem, + ccErrBadCredentialsVersion, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_create_ccache - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_context_create_ccache(context, name, cred_vers, principal, ccache); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(*ccache == NULL, NULL); - + // make sure all of the ccache's info matches what we gave it // name err = cc_ccache_get_name(*ccache, &stored_name); @@ -639,17 +639,17 @@ cc_int32 check_once_cc_context_create_ccache(cc_context_t context, const char *n err = cc_ccache_get_principal(*ccache, cc_credentials_v5, &stored_principal); if (!err) { check_if(strcmp(stored_principal->data, principal), NULL); } if (stored_principal) { cc_string_release(stored_principal); } - + if (ccache && *ccache) { cc_ccache_destroy(*ccache); *ccache = NULL; } } - + #endif /* cc_context_create_ccache */ - + END_CHECK_ONCE; - + return err; } @@ -658,41 +658,41 @@ int check_cc_context_create_default_ccache(void) { cc_context_t context = NULL; cc_ccache_t ccache = NULL; cc_string_t name = NULL; - + BEGIN_TEST("cc_context_create_default_ccache"); - + #ifndef cc_context_create_default_ccache log_error("cc_context_create_default_ccache is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - if (!err) { + if (!err) { // try making the default when there are no existing ccaches err = destroy_all_ccaches(context); if (!err) { err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccNoError, NULL); } if (ccache) { cc_ccache_release(ccache); } - + // try making a new default when one already exists if (!err) { err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, "foo/baz@BAR.ORG", &ccache, ccNoError, NULL); } - + // try bad parameters err = check_once_cc_context_create_default_ccache(context, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache } - + if (name) { cc_string_release(name); } if (ccache) { cc_ccache_destroy(ccache); } if (context) { cc_context_release(context); } - + #endif /* cc_context_create_default_ccache */ - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } cc_int32 check_once_cc_context_create_default_ccache(cc_context_t context, cc_uint32 cred_vers, const char *principal, cc_ccache_t *ccache, cc_int32 expected_err, const char *description) { @@ -701,25 +701,25 @@ cc_int32 check_once_cc_context_create_default_ccache(cc_context_t context, cc_ui cc_uint32 stored_creds_vers = 0; cc_int32 possible_return_values[6] = { - ccNoError, + ccNoError, ccErrBadName, // how can this be possible when the name isn't a parameter? - ccErrBadParam, - ccErrInvalidContext, - ccErrNoMem, - ccErrBadCredentialsVersion, + ccErrBadParam, + ccErrInvalidContext, + ccErrNoMem, + ccErrBadCredentialsVersion, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_create_default_ccache - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_context_create_default_ccache(context, cred_vers, principal, ccache); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { if (ccache) { check_if(*ccache == NULL, NULL); } // make sure all of the ccache's info matches what we gave it @@ -730,17 +730,17 @@ cc_int32 check_once_cc_context_create_default_ccache(cc_context_t context, cc_ui err = cc_ccache_get_principal(*ccache, cc_credentials_v5, &stored_principal); if (!err) { check_if(strcmp(stored_principal->data, principal), NULL); } if (stored_principal) { cc_string_release(stored_principal); } - + if (ccache && *ccache) { cc_ccache_release(*ccache); *ccache = NULL; } } - + #endif /* cc_context_create_default_ccache */ - + END_CHECK_ONCE; - + return err; } @@ -749,41 +749,41 @@ int check_cc_context_create_new_ccache(void) { cc_context_t context = NULL; cc_ccache_t ccache = NULL; cc_string_t name = NULL; - + BEGIN_TEST("cc_context_create_new_ccache"); - + #ifndef cc_context_create_new_ccache log_error("cc_context_create_new_ccache is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - if (!err) { + if (!err) { // try making when there are no existing ccaches (should have name of default) err = destroy_all_ccaches(context); if (!err) { err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccNoError, NULL); } if (ccache) { cc_ccache_release(ccache); } - + // try making a new ccache when one already exists (should not have name of default) if (!err) { err = check_once_cc_context_create_new_ccache(context, 0, cc_credentials_v5, "foo/baz@BAR.ORG", &ccache, ccNoError, NULL); } if (ccache) { cc_ccache_release(ccache); } - + // try bad parameters err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache } - + if (name) { cc_string_release(name); } if (ccache) { cc_ccache_destroy(ccache); } if (context) { cc_context_release(context); } - + #endif /* cc_context_create_new_ccache */ - + END_TEST_AND_RETURN } @@ -793,27 +793,27 @@ cc_int32 check_once_cc_context_create_new_ccache(cc_context_t context, cc_int32 cc_string_t stored_name = NULL; cc_string_t stored_principal = NULL; cc_uint32 stored_creds_vers = 0; - + cc_int32 possible_return_values[6] = { - ccNoError, + ccNoError, ccErrBadName, // how can this be possible when the name isn't a parameter? - ccErrBadParam, - ccErrInvalidContext, - ccErrNoMem, - ccErrBadCredentialsVersion, + ccErrBadParam, + ccErrInvalidContext, + ccErrNoMem, + ccErrBadCredentialsVersion, }; BEGIN_CHECK_ONCE(description); - + #ifdef cc_context_create_new_ccache - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_context_create_new_ccache(context, cred_vers, principal, ccache); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { if (ccache) { check_if(*ccache == NULL, NULL); } // make sure all of the ccache's info matches what we gave it @@ -823,17 +823,17 @@ cc_int32 check_once_cc_context_create_new_ccache(cc_context_t context, cc_int32 if (!err) { err = cc_ccache_get_name(*ccache, &stored_name); } - if (!err) { + if (!err) { if (should_be_default) { - check_if(strcmp(stored_name->data, name->data), "new ccache does not have name of default"); + check_if(strcmp(stored_name->data, name->data), "new ccache does not have name of default"); } else { - check_if((strcmp(stored_name->data, name->data) == 0), "new cache has name of default"); - } + check_if((strcmp(stored_name->data, name->data) == 0), "new cache has name of default"); + } } if (name) { cc_string_release(name); } if (stored_name) { cc_string_release(stored_name); } - + // cred_vers err = cc_ccache_get_credentials_version(*ccache, &stored_creds_vers); if (!err) { check_if(stored_creds_vers != cred_vers, NULL); } @@ -841,17 +841,17 @@ cc_int32 check_once_cc_context_create_new_ccache(cc_context_t context, cc_int32 err = cc_ccache_get_principal(*ccache, cc_credentials_v5, &stored_principal); if (!err) { check_if(strcmp(stored_principal->data, principal), NULL); } if (stored_principal) { cc_string_release(stored_principal); } - + if (ccache && *ccache) { cc_ccache_release(*ccache); *ccache = NULL; } } - + #endif /* cc_context_create_new_ccache */ - + END_CHECK_ONCE; - + return err; } @@ -861,39 +861,39 @@ int check_cc_context_new_ccache_iterator(void) { cc_ccache_t ccache = NULL; cc_string_t name = NULL; cc_ccache_iterator_t iterator = NULL; - + BEGIN_TEST("cc_context_new_ccache_iterator"); - + #ifndef cc_context_new_ccache_iterator log_error("cc_context_new_ccache_iterator is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - if (!err) { + if (!err) { err = destroy_all_ccaches(context); } - if (!err) { + if (!err) { // try making when there are no existing ccaches (shouldn't make a difference, but just in case) check_once_cc_context_new_ccache_iterator(context, &iterator, ccNoError, "when there are no existing ccaches"); - + err = cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); } - if (!err) { + if (!err) { // try making when at least one ccache already exists (just to cover all our bases) check_once_cc_context_new_ccache_iterator(context, &iterator, ccNoError, "when at least one ccache already exists"); - + // try bad parameters check_once_cc_context_new_ccache_iterator(context, NULL, ccErrBadParam, "NULL param"); // NULL iterator } // we'll do a comprehensive test of cc_ccache_iterator related functions later in the test suite - + if (name) { cc_string_release(name); } if (ccache) { cc_ccache_destroy(ccache); } if (context) { cc_context_release(context); } - + #endif /* cc_context_new_ccache_iterator */ - + END_TEST_AND_RETURN } @@ -901,27 +901,27 @@ cc_int32 check_once_cc_context_new_ccache_iterator(cc_context_t context, cc_ccac cc_int32 err = ccNoError; cc_int32 possible_return_values[4] = { - ccNoError, - ccErrBadParam, - ccErrNoMem, - ccErrInvalidContext, + ccNoError, + ccErrBadParam, + ccErrNoMem, + ccErrInvalidContext, }; BEGIN_CHECK_ONCE(description); #ifdef cc_context_create_new_ccache - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_context_new_ccache_iterator(context, iterator); - + // check returned error check_err(err, expected_err, possible_return_values); - + // we'll do a comprehensive test of cc_ccache_iterator related functions later - + #endif /* cc_context_create_new_ccache */ - + return err; } @@ -933,14 +933,14 @@ int check_cc_context_compare(void) { cc_context_t context_a = NULL; cc_context_t context_b = NULL; cc_uint32 equal = 0; - + BEGIN_TEST("cc_context_compare"); - + #ifndef cc_context_compare log_error("cc_context_compare is not implemented yet"); failure_count++; #else - + err = cc_initialize(&context_a, ccapi_version_3, NULL, NULL); if (!err) { err = cc_initialize(&context_b, ccapi_version_3, NULL, NULL); @@ -953,9 +953,9 @@ int check_cc_context_compare(void) { if (context_a) { cc_context_release(context_a); } if (context_b) { cc_context_release(context_b); } - + #endif /* cc_context_compare */ - + END_TEST_AND_RETURN } @@ -963,28 +963,28 @@ cc_int32 check_once_cc_context_compare(cc_context_t context, cc_context_t compar cc_int32 err = ccNoError; cc_int32 possible_return_values[4] = { - ccNoError, - ccErrInvalidContext, - ccErrBadParam, + ccNoError, + ccErrInvalidContext, + ccErrBadParam, ccErrServerUnavailable, }; BEGIN_CHECK_ONCE(description); #ifdef cc_context_compare - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_context_compare(context, compare_to, equal); - + if (!err) { *equal = 0; } - + // check returned error check_err(err, expected_err, possible_return_values); - + #endif /* cc_context_compare */ - + return err; } diff --git a/src/ccapi/test/test_ccapi_globals.c b/src/ccapi/test/test_ccapi_globals.c index f9aadbdda..a4ea63158 100644 --- a/src/ccapi/test/test_ccapi_globals.c +++ b/src/ccapi/test/test_ccapi_globals.c @@ -8,7 +8,7 @@ const char *current_test_name; const char *current_test_activity; const char * ccapi_error_strings[30] = { - + "ccNoError", /* 0 */ "ccIteratorEnd", /* 201 */ "ccErrBadParam", @@ -39,15 +39,15 @@ const char * ccapi_error_strings[30] = { "ccErrServerUnavailable", "ccErrServerInsecure", "ccErrServerCantBecomeUID", - + "ccErrTimeOffsetNotSet", /* 226 */ "ccErrBadInternalMessage", "ccErrNotImplemented", - + }; const char * ccapiv2_error_strings[24] = { - + "CC_NOERROR", "CC_BADNAME", "CC_NOTFOUND", @@ -65,23 +65,23 @@ const char * ccapiv2_error_strings[24] = { "CC_ERR_CACHE_RELEASE", "CC_ERR_CACHE_FULL", "CC_ERR_CRED_VERSION" - + }; const char *translate_ccapi_error(cc_int32 err) { - + if (err == 0) { return ccapi_error_strings[0]; - } else + } else if (err >= 0 && err <= 16){ return ccapiv2_error_strings[err]; - } else + } else if (err >= 201 && err <= 228){ return ccapi_error_strings[err - 200]; } else { return "\"Invalid or private CCAPI error\""; } - + return ""; } diff --git a/src/ccapi/test/test_ccapi_iterators.c b/src/ccapi/test/test_ccapi_iterators.c index c3254fbb2..e51c7cf32 100644 --- a/src/ccapi/test/test_ccapi_iterators.c +++ b/src/ccapi/test/test_ccapi_iterators.c @@ -13,13 +13,13 @@ int check_cc_ccache_iterator_next(void) { unsigned int i; BEGIN_TEST("cc_ccache_iterator_next"); - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // iterate with no ccaches if (!err) { err = cc_context_new_ccache_iterator(context, &iterator); @@ -29,7 +29,7 @@ int check_cc_ccache_iterator_next(void) { cc_ccache_iterator_release(iterator); iterator = NULL; } - + // iterate with one ccache if (!err) { destroy_all_ccaches(context); @@ -47,14 +47,14 @@ int check_cc_ccache_iterator_next(void) { cc_ccache_iterator_release(iterator); iterator = NULL; } - + // iterate with several ccaches if (!err) { destroy_all_ccaches(context); } for(i = 0; !err && (i < 1000); i++) { - if (i%100 == 0) fprintf(stdout, "."); + if (i%100 == 0) fprintf(stdout, "."); err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); if (ccache) { cc_ccache_release(ccache); @@ -69,15 +69,15 @@ int check_cc_ccache_iterator_next(void) { cc_ccache_iterator_release(iterator); iterator = NULL; } - + if (ccache) { cc_ccache_release(ccache); } if (iterator) { cc_ccache_iterator_release(iterator); } - if (context) { + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + END_TEST_AND_RETURN } @@ -87,11 +87,11 @@ cc_int32 check_once_cc_ccache_iterator_next(cc_ccache_iterator_t iterator, cc_ui // BEGIN_CHECK_ONCE(description); cc_int32 possible_return_values[6] = { - ccNoError, - ccIteratorEnd, - ccErrBadParam, - ccErrNoMem, - ccErrInvalidCCacheIterator, + ccNoError, + ccIteratorEnd, + ccErrBadParam, + ccErrNoMem, + ccErrInvalidCCacheIterator, ccErrCCacheNotFound, }; #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) @@ -110,15 +110,15 @@ cc_int32 check_once_cc_ccache_iterator_next(cc_ccache_iterator_t iterator, cc_ui if (err == ccIteratorEnd) { err = ccNoError; } - + // check returned error check_err(err, expected_err, possible_return_values); - + check_if(actual_count != expected_count, "iterator didn't iterate over all ccaches"); // END_CHECK_ONCE; - return err; + return err; } @@ -131,15 +131,15 @@ int check_cc_credentials_iterator_next(void) { cc_credentials_union creds_union; cc_credentials_iterator_t iterator = NULL; unsigned int i; - + BEGIN_TEST("cc_credentials_iterator_next"); - + err = cc_initialize(&context, ccapi_version_3, NULL, NULL); - + if (!err) { err = destroy_all_ccaches(context); } - + // iterate with no creds if (!err) { err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); @@ -156,7 +156,7 @@ int check_cc_credentials_iterator_next(void) { cc_ccache_release(ccache); ccache = NULL; } - + // iterate with one cred if (!err) { destroy_all_ccaches(context); @@ -179,14 +179,14 @@ int check_cc_credentials_iterator_next(void) { cc_ccache_release(ccache); ccache = NULL; } - + // iterate with several creds if (!err) { destroy_all_ccaches(context); err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAR.ORG", &ccache); } for(i = 0; !err && (i < 1000); i++) { - if (i%100 == 0) fprintf(stdout, "."); + if (i%100 == 0) fprintf(stdout, "."); new_v5_creds_union(&creds_union, "BAR.ORG"); err = cc_ccache_store_credentials(ccache, &creds_union); release_v5_creds_union(&creds_union); @@ -194,15 +194,15 @@ int check_cc_credentials_iterator_next(void) { if (!err) { err = cc_ccache_new_credentials_iterator(ccache, &iterator); } - check_once_cc_credentials_iterator_next(iterator, 1000, ccNoError, "iterating over a ccache with 1000 creds"); + check_once_cc_credentials_iterator_next(iterator, 1000, ccNoError, "iterating over a ccache with 1000 creds"); if (ccache) { cc_ccache_release(ccache); } if (iterator) { cc_credentials_iterator_release(iterator); } - if (context) { + if (context) { destroy_all_ccaches(context); cc_context_release(context); } - + END_TEST_AND_RETURN } @@ -212,10 +212,10 @@ cc_int32 check_once_cc_credentials_iterator_next(cc_credentials_iterator_t itera cc_uint32 actual_count = 0; cc_int32 possible_return_values[5] = { - ccNoError, - ccIteratorEnd, - ccErrBadParam, - ccErrNoMem, + ccNoError, + ccIteratorEnd, + ccErrBadParam, + ccErrNoMem, ccErrInvalidCredentialsIterator, }; @@ -234,13 +234,13 @@ cc_int32 check_once_cc_credentials_iterator_next(cc_credentials_iterator_t itera if (err == ccIteratorEnd) { err = ccNoError; } - + // check returned error check_err(err, expected_err, possible_return_values); - + check_if(actual_count != expected_count, "iterator didn't iterate over all ccaches"); END_CHECK_ONCE; - return err; + return err; } diff --git a/src/ccapi/test/test_ccapi_log.c b/src/ccapi/test/test_ccapi_log.c index 348d55cdc..8ecb6931f 100644 --- a/src/ccapi/test/test_ccapi_log.c +++ b/src/ccapi/test/test_ccapi_log.c @@ -15,7 +15,7 @@ void _log_error_v(const char *file, int line, const char *format, va_list ap) } void _log_error(const char *file, int line, const char *format, ...) -{ +{ va_list ap; va_start(ap, format); _log_error_v(file, line, format, ap); @@ -36,7 +36,7 @@ void test_footer(const char *msg, int err) { } else { fprintf(stdout, "\n*** %d failure%s in %s ***\n", err, (err == 1) ? "" : "s", msg); - } + } } } diff --git a/src/ccapi/test/test_ccapi_util.c b/src/ccapi/test/test_ccapi_util.c index 1f66c991b..9af1a6b63 100644 --- a/src/ccapi/test/test_ccapi_util.c +++ b/src/ccapi/test/test_ccapi_util.c @@ -14,7 +14,7 @@ cc_int32 destroy_all_ccaches(cc_context_t context) { cc_int32 err = ccNoError; cc_ccache_t ccache = NULL; - + while (!err) { err = cc_context_open_default_ccache(context, &ccache); if (!err) { @@ -42,9 +42,9 @@ cc_int32 new_v5_creds_union (cc_credentials_union *out_union, const char *realm) static int num_runs = 1; char *client = NULL; char *server = NULL; - + if (!out_union) { err = ccErrBadParam; } - + if (!err) { v5creds = malloc (sizeof (*v5creds)); if (!v5creds) { @@ -81,22 +81,22 @@ cc_int32 new_v5_creds_union (cc_credentials_union *out_union, const char *realm) v5creds->second_ticket.data = NULL; v5creds->authdata = NULL; } - - + + if (!err) { cred_union = malloc (sizeof (*cred_union)); - if (cred_union) { + if (cred_union) { cred_union->version = cc_credentials_v5; cred_union->credentials.credentials_v5 = v5creds; - } else { - err = ccErrNoMem; + } else { + err = ccErrNoMem; } } if (!err) { *out_union = *cred_union; cred_union = NULL; } - + return err; } @@ -105,7 +105,7 @@ cc_int32 new_v5_creds_union (cc_credentials_union *out_union, const char *realm) void release_v5_creds_union(cc_credentials_union *creds_union) { cc_credentials_v5_t *v5creds = NULL; - + if (creds_union) { if (creds_union->credentials.credentials_v5) { v5creds = creds_union->credentials.credentials_v5; @@ -115,7 +115,7 @@ void release_v5_creds_union(cc_credentials_union *creds_union) { if (v5creds->ticket.data) { free(v5creds->ticket.data); } if (v5creds->second_ticket.data) { free(v5creds->second_ticket.data); } free(v5creds); - } + } //free(creds_union); } } @@ -127,16 +127,16 @@ void release_v5_creds_union(cc_credentials_union *creds_union) { int compare_v5_creds_unions(const cc_credentials_union *a, const cc_credentials_union *b) { int retval = -1; - - if (a && + + if (a && b && (a->version == cc_credentials_v5) && - (a->version == b->version) && - (strcmp(a->credentials.credentials_v5->client, b->credentials.credentials_v5->client) == 0) && - (strcmp(a->credentials.credentials_v5->server, b->credentials.credentials_v5->server) == 0)) + (a->version == b->version) && + (strcmp(a->credentials.credentials_v5->client, b->credentials.credentials_v5->client) == 0) && + (strcmp(a->credentials.credentials_v5->server, b->credentials.credentials_v5->server) == 0)) { retval = 0; } - + return retval; } diff --git a/src/ccapi/test/test_ccapi_v2.c b/src/ccapi/test/test_ccapi_v2.c index 054d216e6..9d9a7a56f 100644 --- a/src/ccapi/test/test_ccapi_v2.c +++ b/src/ccapi/test/test_ccapi_v2.c @@ -12,23 +12,23 @@ static cc_result destroy_all_ccaches_v2(apiCB *context) { cc_result err = CC_NOERROR; infoNC **info = NULL; int i = 0; - + err = cc_get_NC_info(context, &info); - + for (i = 0; !err && info[i]; i++) { ccache_p *ccache = NULL; - + err = cc_open(context, info[i]->name, info[i]->vers, 0, &ccache); - + if (!err) { cc_destroy(context, &ccache); } } - + if (info) { cc_free_NC_info(context, &info); } - + if (err) { log_error("cc_get_NC_info or cc_open failed with %s (%d)", translate_ccapi_error(err), err); } - + return err; } @@ -37,31 +37,31 @@ static cc_result destroy_all_ccaches_v2(apiCB *context) { static int compare_v5_creds_unions_compat(const cred_union *a, const cred_union *b) { int retval = -1; - + if (a && b && a->cred_type == b->cred_type) { if (a->cred_type == CC_CRED_V5) { - if (!strcmp(a->cred.pV5Cred->client, b->cred.pV5Cred->client) && + if (!strcmp(a->cred.pV5Cred->client, b->cred.pV5Cred->client) && !strcmp(a->cred.pV5Cred->server, b->cred.pV5Cred->server) && a->cred.pV5Cred->starttime == b->cred.pV5Cred->starttime) { retval = 0; } } else if (a->cred_type == CC_CRED_V4) { - if (!strcmp (a->cred.pV4Cred->principal, + if (!strcmp (a->cred.pV4Cred->principal, b->cred.pV4Cred->principal) && - !strcmp (a->cred.pV4Cred->principal_instance, + !strcmp (a->cred.pV4Cred->principal_instance, b->cred.pV4Cred->principal_instance) && - !strcmp (a->cred.pV4Cred->service, + !strcmp (a->cred.pV4Cred->service, b->cred.pV4Cred->service) && - !strcmp (a->cred.pV4Cred->service_instance, + !strcmp (a->cred.pV4Cred->service_instance, b->cred.pV4Cred->service_instance) && - !strcmp (a->cred.pV4Cred->realm, + !strcmp (a->cred.pV4Cred->realm, b->cred.pV4Cred->realm) && a->cred.pV4Cred->issue_date == b->cred.pV4Cred->issue_date) { retval = 0; - } + } } } - + return retval; } @@ -75,16 +75,16 @@ static cc_result new_v5_creds_union_compat (cred_union *out_union, const char *r static int num_runs = 1; char *client = NULL; char *server = NULL; - + if (!out_union) { err = CC_BAD_PARM; } - + if (!err) { v5creds = malloc (sizeof (*v5creds)); if (!v5creds) { err = CC_NOMEM; } } - + if (!err) { asprintf(&client, "client@%s", realm); asprintf(&server, "host/%d%s@%s", num_runs++, realm, realm); @@ -92,7 +92,7 @@ static cc_result new_v5_creds_union_compat (cred_union *out_union, const char *r err = CC_NOMEM; } } - + if (!err) { v5creds->client = client; v5creds->server = server; @@ -114,22 +114,22 @@ static cc_result new_v5_creds_union_compat (cred_union *out_union, const char *r v5creds->second_ticket.data = NULL; v5creds->authdata = NULL; } - - + + if (!err) { creds_union = malloc (sizeof (*creds_union)); - if (creds_union) { + if (creds_union) { creds_union->cred_type = CC_CRED_V5; creds_union->cred.pV5Cred = v5creds; - } else { - err = CC_NOMEM; + } else { + err = CC_NOMEM; } } if (!err) { *out_union = *creds_union; creds_union = NULL; } - + return err; } @@ -137,7 +137,7 @@ static cc_result new_v5_creds_union_compat (cred_union *out_union, const char *r static void release_v5_creds_union_compat(cred_union *creds_union) { cc_credentials_v5_compat *v5creds = NULL; - + if (creds_union) { if (creds_union->cred.pV5Cred) { v5creds = creds_union->cred.pV5Cred; @@ -147,7 +147,7 @@ static void release_v5_creds_union_compat(cred_union *creds_union) { if (v5creds->ticket.data) { free(v5creds->ticket.data); } if (v5creds->second_ticket.data) { free(v5creds->second_ticket.data); } free(v5creds); - } + } } } @@ -156,56 +156,56 @@ static void release_v5_creds_union_compat(cred_union *creds_union) { int check_cc_shutdown(void) { cc_result err = 0; apiCB *context = NULL; - + BEGIN_TEST("cc_shutdown"); - + // try with valid context err = check_once_cc_shutdown(&context, CC_NOERROR, NULL); - + // try with NULL err = check_once_cc_shutdown(NULL, CC_BAD_PARM, NULL); - + if (context) { cc_shutdown(&context); } - + END_TEST_AND_RETURN } cc_result check_once_cc_shutdown(apiCB **out_context, cc_result expected_err, const char *description) { cc_result err = 0; apiCB *context = NULL; - + cc_result possible_return_values[2] = { - CC_NOERROR, - CC_BAD_PARM, + CC_NOERROR, + CC_BAD_PARM, }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (out_context) { err = cc_initialize(out_context, ccapi_version_2, NULL, NULL); - if (!err) { - context = *out_context; + if (!err) { + context = *out_context; } else { log_error("failure in cc_initialize, unable to perform check"); return err; } } - + if (!err) { err = cc_shutdown(&context); // check returned error check_err(err, expected_err, possible_return_values); } - + if (out_context) { *out_context = NULL; } - + END_CHECK_ONCE; - + return err; } @@ -217,29 +217,29 @@ int check_cc_get_change_time(void) { cc_time_t last_change_time = 0; ccache_p *ccache = NULL; cred_union creds_union; - + BEGIN_TEST("cc_get_change_time"); - + /* * Make a context * make sure the change time changes after: - * a ccache is created - * a ccache is destroyed - * a credential is stored - * a credential is removed - * a ccache principal is changed + * a ccache is created + * a ccache is destroyed + * a credential is stored + * a credential is removed + * a ccache principal is changed * clean up memory */ - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); if (!err) { - + // try bad parameters first err = check_once_cc_get_change_time(context, NULL, CC_BAD_PARM, "NULL param, should fail"); - + // get_change_time should always give something > 0 check_once_cc_get_change_time(context, &last_change_time, CC_NOERROR, "first-run, should be > 0"); - + // create a ccache err = cc_create(context, "TEST_CCACHE", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); if (err) { @@ -247,7 +247,7 @@ int check_cc_get_change_time(void) { failure_count++; } check_once_cc_get_change_time(context, &last_change_time, CC_NOERROR, "after creating a new ccache"); - + if (!err) { // change principal err = cc_set_principal(context, ccache, CC_CRED_V5, "foo@BAR.ORG"); @@ -258,7 +258,7 @@ int check_cc_get_change_time(void) { } } check_once_cc_get_change_time(context, &last_change_time, CC_NOERROR, "after changing a principle"); - + new_v5_creds_union_compat(&creds_union, "BAR.ORG"); // store a credential @@ -271,7 +271,7 @@ int check_cc_get_change_time(void) { } } check_once_cc_get_change_time(context, &last_change_time, CC_NOERROR, "after storing a credential"); - + // remove a credential if (!err) { err = cc_remove_cred(context, ccache, creds_union); @@ -281,19 +281,19 @@ int check_cc_get_change_time(void) { err = CC_NOERROR; } } - check_once_cc_get_change_time(context, &last_change_time, CC_NOERROR, "after removing a credential"); + check_once_cc_get_change_time(context, &last_change_time, CC_NOERROR, "after removing a credential"); release_v5_creds_union_compat(&creds_union); - + if (ccache) { // destroy a ccache err = cc_destroy(context, &ccache); check_once_cc_get_change_time(context, &last_change_time, CC_NOERROR, "after destroying a ccache"); } } - + if (context) { cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -303,33 +303,33 @@ cc_int32 check_once_cc_get_change_time(apiCB *context, cc_time_t *last_time, cc_ cc_result err = 0; cc_time_t last_change_time; cc_time_t current_change_time = 0; - + cc_result possible_return_values[3] = { - CC_NOERROR, - CC_BAD_PARM, + CC_NOERROR, + CC_BAD_PARM, CC_NO_EXIST, }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (last_time != NULL) { // if we were passed NULL, then we're looking to pass a bad param err = cc_get_change_time(context, ¤t_change_time); } else { err = cc_get_change_time(context, NULL); } - + check_err(err, expected_err, possible_return_values); - + if (!err) { last_change_time = *last_time; check_if(current_change_time <= last_change_time, "context change time did not increase when it was supposed to (%d <= %d)", current_change_time, last_change_time); *last_time = current_change_time; } - + END_CHECK_ONCE; - + return err; } @@ -340,11 +340,11 @@ int check_cc_open(void) { apiCB *context = NULL; ccache_p *ccache = NULL; char *name = "TEST_OPEN_CCACHE"; - + BEGIN_TEST("cc_open"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - if (!err) { + if (!err) { // create a ccache err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); if (err) { @@ -355,12 +355,12 @@ int check_cc_open(void) { err = cc_close(context, &ccache); ccache = NULL; } - + // try default ccache if (!err) { err = check_once_cc_open(context, name, CC_CRED_V5, &ccache, CC_NOERROR, NULL); } - + // check version if (!err) { err = check_once_cc_open(context, name, CC_CRED_V4, &ccache, CC_ERR_CRED_VERSION, NULL); @@ -370,10 +370,10 @@ int check_cc_open(void) { err = check_once_cc_open(context, name, CC_CRED_V5, NULL, CC_BAD_PARM, NULL); err = check_once_cc_open(context, name, CC_CRED_UNKNOWN, &ccache, CC_ERR_CRED_VERSION, NULL); } - + if (context) { cc_shutdown(&context); } - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } // --------------------------------------------------------------------------- @@ -381,48 +381,48 @@ int check_cc_open(void) { cc_result check_once_cc_open(apiCB *context, const char *name, cc_int32 version, ccache_p **ccache, cc_result expected_err, const char *description) { cc_result err = 0; char *stored_name = NULL; - + cc_result possible_return_values[5] = { - CC_NOERROR, - CC_BAD_PARM, + CC_NOERROR, + CC_BAD_PARM, CC_NO_EXIST, CC_NOMEM, CC_ERR_CRED_VERSION }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (ccache != NULL) { // if we were passed NULL, then we're looking to pass a bad param err = cc_open(context, name, version, 0, ccache); } else { err = cc_open(context, name, version, 0, NULL); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(*ccache == NULL, NULL); - + if (!err) { err = cc_get_name(context, *ccache, &stored_name); } - if (!err) { - check_if(strcmp(stored_name, name), NULL); + if (!err) { + check_if(strcmp(stored_name, name), NULL); } if (stored_name) { cc_free_name(context, &stored_name); } - - + + if (ccache && *ccache) { cc_ccache_release(*ccache); *ccache = NULL; } } - + END_CHECK_ONCE; - + return err; } @@ -433,11 +433,11 @@ int check_cc_create(void) { apiCB *context = NULL; ccache_p *ccache = NULL; char *name = "TEST_CC_CREATE"; - + BEGIN_TEST("cc_create"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - if (!err) { + if (!err) { if (!err) { err = cc_open(context, name, CC_CRED_V5, 0, &ccache); if (!err) { @@ -450,22 +450,22 @@ int check_cc_create(void) { if (!err) { err = check_once_cc_create(context, name, CC_CRED_V5, "foo@BAR.ORG", &ccache, CC_NOERROR, NULL); } - + // try making a ccache with a non-unique name (the existing cache's name) if (!err) { err = check_once_cc_create(context, name, CC_CRED_V5, "foo/baz@BAR.ORG", &ccache, CC_NOERROR, NULL); } - + // try bad parameters err = check_once_cc_create(context, NULL, CC_CRED_V5, "foo@BAR.ORG", &ccache, CC_BAD_PARM, "NULL name"); // NULL name err = check_once_cc_create(context, "name", CC_CRED_MAX, "foo@BAR.ORG", &ccache, CC_ERR_CRED_VERSION, "invalid creds_vers"); // invalid creds_vers err = check_once_cc_create(context, "name", CC_CRED_V5, NULL, &ccache, CC_BAD_PARM, "NULL principal"); // NULL principal err = check_once_cc_create(context, "name", CC_CRED_V5, "foo@BAR.ORG", NULL, CC_BAD_PARM, "NULL ccache"); // NULL ccache } - + if (ccache) { cc_destroy(context, &ccache); } if (context) { cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -476,27 +476,27 @@ cc_result check_once_cc_create(apiCB *context, const char *name, cc_int32 cred_ char *stored_name = NULL; char *stored_principal = NULL; cc_int32 stored_creds_vers = 0; - + cc_result possible_return_values[6] = { - CC_NOERROR, - CC_BADNAME, - CC_BAD_PARM, - CC_NO_EXIST, - CC_NOMEM, - CC_ERR_CRED_VERSION, + CC_NOERROR, + CC_BADNAME, + CC_BAD_PARM, + CC_NO_EXIST, + CC_NOMEM, + CC_ERR_CRED_VERSION, }; BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_create(context, name, principal, cred_vers, 0, ccache); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(*ccache == NULL, NULL); - + // make sure all of the ccache's info matches what we gave it // name err = cc_get_name(context, *ccache, &stored_name); @@ -509,15 +509,15 @@ cc_result check_once_cc_create(apiCB *context, const char *name, cc_int32 cred_ err = cc_get_principal(context, *ccache, &stored_principal); if (!err) { check_if(strcmp(stored_principal, principal), NULL); } if (stored_principal) { cc_free_principal(context, &stored_principal); } - + if (ccache && *ccache) { cc_destroy(context, ccache); *ccache = NULL; } } - + END_CHECK_ONCE; - + return err; } @@ -528,22 +528,22 @@ int check_cc_close(void) { apiCB *context = NULL; ccache_p *ccache = NULL; char *name = "TEST_CC_CLOSE"; - + BEGIN_TEST("cc_close"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); } - + if (!err) { check_once_cc_close(context, ccache, CC_NOERROR, NULL); ccache = NULL; } - + if (context) { cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -551,36 +551,36 @@ int check_cc_close(void) { cc_result check_once_cc_close(apiCB *context, ccache_p *ccache, cc_result expected_err, const char *description) { cc_result err = CC_NOERROR; - + cc_result possible_return_values[2] = { CC_NOERROR, - CC_BAD_PARM + CC_BAD_PARM }; - + char *name = NULL; - + err = cc_get_name(context, ccache, &name); err = cc_close(context, &ccache); ccache = NULL; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err && name) { // try opening released ccache to make sure it still exists err = cc_open(context, name, CC_CRED_V5, 0, &ccache); } check_if(err == CC_NO_EXIST, "released ccache was actually destroyed instead"); check_if(err != CC_NOERROR, "released ccache cannot be opened"); - + if (ccache) { cc_destroy(context, &ccache); } if (name) { cc_free_name(context, &name); } - + END_CHECK_ONCE; - + return err; } @@ -591,22 +591,22 @@ int check_cc_destroy(void) { apiCB *context = NULL; ccache_p *ccache = NULL; char *name = "TEST_CC_DESTROY"; - + BEGIN_TEST("cc_destroy"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); } - + if (!err) { check_once_cc_destroy(context, ccache, CC_NOERROR, NULL); ccache = NULL; } - + if (context) { cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -614,39 +614,39 @@ int check_cc_destroy(void) { cc_result check_once_cc_destroy(apiCB *context, ccache_p *ccache, cc_int32 expected_err, const char *description) { cc_result err = CC_NOERROR; - + cc_result possible_return_values[2] = { - CC_NOERROR, - CC_BAD_PARM, + CC_NOERROR, + CC_BAD_PARM, }; - + char *name = NULL; - + BEGIN_CHECK_ONCE(description); - + #ifdef cc_ccache_destroy - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_get_name(context, ccache, &name); err = cc_destroy(context, &ccache); ccache = NULL; - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err && name) { // try opening released ccache to make sure it still exists err = cc_open(context, name, CC_CRED_V5, 0, &ccache); } check_if(err != CC_NO_EXIST, "destroyed ccache was actually released instead"); - + if (ccache) { cc_destroy(context, &ccache); } if (name) { cc_free_name(context, &name); } - + #endif /* cc_ccache_destroy */ - + END_CHECK_ONCE; - + return err; } @@ -657,11 +657,11 @@ int check_cc_get_cred_version(void) { apiCB *context = NULL; ccache_p *ccache = NULL; char *name = "TEST_CC_GET_CRED_VERSION_V5"; - + BEGIN_TEST("cc_get_cred_version"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + // try one created with v5 creds if (!err) { err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); @@ -673,14 +673,14 @@ int check_cc_get_cred_version(void) { log_error("cc_context_create_new_ccache failed, can't complete test"); failure_count++; } - + if (ccache) { cc_destroy(context, &ccache); ccache = NULL; } - + err = CC_NOERROR; - + // try one created with v4 creds if (!err) { err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V4, 0, &ccache); @@ -696,9 +696,9 @@ int check_cc_get_cred_version(void) { cc_destroy(context, &ccache); ccache = NULL; } - + if (context) { cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -706,30 +706,30 @@ int check_cc_get_cred_version(void) { cc_result check_once_cc_get_cred_version(apiCB *context, ccache_p *ccache, cc_int32 expected_cred_vers, cc_int32 expected_err, const char *description) { cc_result err = CC_NOERROR; - + cc_result possible_return_values[3] = { - CC_NOERROR, - CC_BAD_PARM, - CC_NO_EXIST, + CC_NOERROR, + CC_BAD_PARM, + CC_NO_EXIST, }; - + cc_int32 stored_cred_vers = 0; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_get_cred_version(context, ccache, &stored_cred_vers); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(stored_cred_vers != expected_cred_vers, NULL); } - + END_CHECK_ONCE; - + return err; } @@ -739,15 +739,15 @@ int check_cc_get_name(void) { cc_result err = 0; apiCB *context = NULL; ccache_p *ccache = NULL; - + BEGIN_TEST("cc_get_name"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + // try with unique ccache (which happens to be default) if (!err) { err = cc_create(context, "0", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); @@ -758,12 +758,12 @@ int check_cc_get_name(void) { else { log_error("cc_context_create_ccache failed, can't complete test"); failure_count++; - } + } if (ccache) { cc_close(context, &ccache); ccache = NULL; } - + // try with unique ccache (which is not default) if (!err) { err = cc_context_create_ccache(context, "1", CC_CRED_V5, "foo@BAR.ORG", &ccache); @@ -775,7 +775,7 @@ int check_cc_get_name(void) { log_error("cc_context_create_ccache failed, can't complete test"); failure_count++; } - + // try with bad param if (!err) { check_once_cc_get_name(context, ccache, NULL, CC_BAD_PARM, "NULL param"); @@ -784,51 +784,51 @@ int check_cc_get_name(void) { cc_close(context, &ccache); ccache = NULL; } - - if (context) { + + if (context) { err = destroy_all_ccaches_v2(context); cc_shutdown(&context); } - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } // --------------------------------------------------------------------------- cc_int32 check_once_cc_get_name(apiCB *context, ccache_p *ccache, const char *expected_name, cc_int32 expected_err, const char *description) { cc_result err = CC_NOERROR; - + cc_result possible_return_values[4] = { - CC_NOERROR, - CC_NOMEM, - CC_BAD_PARM, - CC_NO_EXIST, + CC_NOERROR, + CC_NOMEM, + CC_BAD_PARM, + CC_NO_EXIST, }; - + char *stored_name = NULL; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (expected_name == NULL) { // we want to try with a NULL param err = cc_get_name(context, ccache, NULL); } else { err = cc_get_name(context, ccache, &stored_name); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(strcmp(stored_name, expected_name), NULL); } - + if (stored_name) { cc_free_name(context, &stored_name); } - + END_CHECK_ONCE; - + return err; } @@ -841,15 +841,15 @@ int check_cc_get_principal(void) { ccache_p *ccache = NULL; char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5"; char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4"; - + BEGIN_TEST("cc_get_principal"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + // try with krb5 principal if (!err) { err = cc_create(context, name_v5, "foo/BAR@BAZ.ORG", CC_CRED_V5, 0, &ccache); @@ -865,7 +865,7 @@ int check_cc_get_principal(void) { cc_close(context, &ccache); ccache = NULL; } - + // try with krb4 principal if (!err) { err = cc_create(context, name_v4, "foo.BAR@BAZ.ORG", CC_CRED_V4, 0, &ccache); @@ -877,64 +877,64 @@ int check_cc_get_principal(void) { log_error("cc_create failed, can't complete test"); failure_count++; } - + // try with bad param if (!err) { check_once_cc_get_principal(context, ccache, NULL, CC_BAD_PARM, "passed null out param"); } - + if (ccache) { cc_close(context, &ccache); ccache = NULL; } - - if (context) { + + if (context) { err = destroy_all_ccaches_v2(context); cc_shutdown(&context); } - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } // --------------------------------------------------------------------------- -cc_result check_once_cc_get_principal(apiCB *context, - ccache_p *ccache, - const char *expected_principal, - cc_int32 expected_err, +cc_result check_once_cc_get_principal(apiCB *context, + ccache_p *ccache, + const char *expected_principal, + cc_int32 expected_err, const char *description) { cc_result err = CC_NOERROR; char *stored_principal = NULL; - + cc_result possible_return_values[4] = { - CC_NOERROR, - CC_NOMEM, - CC_NO_EXIST, + CC_NOERROR, + CC_NOMEM, + CC_NO_EXIST, CC_BAD_PARM }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + if (expected_principal == NULL) { // we want to try with a NULL param err = cc_get_principal(context, ccache, NULL); } else { err = cc_get_principal(context, ccache, &stored_principal); } - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { check_if(strcmp(stored_principal, expected_principal), "expected princ == \"%s\" stored princ == \"%s\"", expected_principal, stored_principal); } - + if (stored_principal) { cc_free_principal(context, &stored_principal); } - + END_CHECK_ONCE; - + return err; } @@ -946,15 +946,15 @@ int check_cc_set_principal(void) { ccache_p *ccache = NULL; char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5"; char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4"; - + BEGIN_TEST("cc_set_principal"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + // bad params if (!err) { err = cc_create(context, name_v5, "foo@BAZ.ORG", CC_CRED_V5, 0, &ccache); @@ -971,9 +971,9 @@ int check_cc_set_principal(void) { cc_destroy(context, &ccache); ccache = NULL; } - + // empty ccache - + // replace v5 ccache's principal if (!err) { err = cc_create(context, name_v5, "foo@BAZ.ORG", CC_CRED_V5, 0, &ccache); @@ -990,7 +990,7 @@ int check_cc_set_principal(void) { cc_destroy(context, &ccache); ccache = NULL; } - + // replace v4 ccache's principal if (!err) { err = cc_create(context, name_v4, "foo@BAZ.ORG", CC_CRED_V4, 0, &ccache); @@ -1007,13 +1007,13 @@ int check_cc_set_principal(void) { cc_destroy(context, &ccache); ccache = NULL; } - - if (context) { + + if (context) { err = destroy_all_ccaches_v2(context); cc_shutdown(&context); } - - END_TEST_AND_RETURN + + END_TEST_AND_RETURN } // --------------------------------------------------------------------------- @@ -1021,37 +1021,37 @@ int check_cc_set_principal(void) { cc_int32 check_once_cc_set_principal(apiCB *context, ccache_p *ccache, cc_int32 cred_vers, const char *in_principal, cc_int32 expected_err, const char *description) { cc_result err = CC_NOERROR; char *stored_principal = NULL; - + cc_result possible_return_values[5] = { - CC_NOERROR, - CC_NOMEM, - CC_NO_EXIST, - CC_ERR_CRED_VERSION, + CC_NOERROR, + CC_NOMEM, + CC_NO_EXIST, + CC_ERR_CRED_VERSION, CC_BAD_PARM }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_set_principal(context, ccache, cred_vers, (char *) in_principal); - + // check returned error check_err(err, expected_err, possible_return_values); - + if (!err) { err = cc_get_principal(context, ccache, &stored_principal); } - + // compare stored with input if (!err) { check_if(strcmp(stored_principal, in_principal), "expected princ == \"%s\" stored princ == \"%s\"", in_principal, stored_principal); } - + if (stored_principal) { cc_free_principal(context, &stored_principal); } - + END_CHECK_ONCE; - + return err; } @@ -1064,61 +1064,61 @@ int check_cc_store(void) { ccache_p *dup_ccache = NULL; cred_union creds_union; char *name = NULL; - + BEGIN_TEST("cc_store"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + if (!err) { err = cc_create(context, "TEST_CC_STORE", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); } - + // cred with matching version and realm if (!err) { err = new_v5_creds_union_compat(&creds_union, "BAR.ORG"); - + if (!err) { check_once_cc_store(context, ccache, creds_union, CC_NOERROR, "ok creds"); release_v5_creds_union_compat(&creds_union); } } - + // invalid creds if (!err) { err = new_v5_creds_union_compat(&creds_union, "BAR.ORG"); - + if (!err) { if (creds_union.cred.pV5Cred->client) { free(creds_union.cred.pV5Cred->client); creds_union.cred.pV5Cred->client = NULL; } check_once_cc_store(context, ccache, creds_union, CC_BAD_PARM, "invalid creds (NULL client string)"); - + release_v5_creds_union_compat(&creds_union); } } - + // bad creds version if (!err) { err = new_v5_creds_union_compat(&creds_union, "BAR.ORG"); - + if (!err) { creds_union.cred_type = CC_CRED_MAX; check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "CC_CRED_MAX (invalid) into a ccache with only v5 princ"); creds_union.cred_type = CC_CRED_V4; check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "v4 creds into a v5 ccache"); creds_union.cred_type = CC_CRED_V5; - + release_v5_creds_union_compat(&creds_union); } } - + // non-existent ccache - if (ccache) { + if (ccache) { err = cc_get_name(context, ccache, &name); if (!err) { err = cc_open(context, name, CC_CRED_V5, 0, &dup_ccache); @@ -1126,23 +1126,23 @@ int check_cc_store(void) { if (name) { cc_free_name(context, &name); } if (dup_ccache) { cc_destroy(context, &dup_ccache); } } - + if (!err) { err = new_v5_creds_union_compat(&creds_union, "BAR.ORG"); - + if (!err) { check_once_cc_store(context, ccache, creds_union, CC_NO_EXIST, "invalid ccache"); - + release_v5_creds_union_compat(&creds_union); } } - + if (ccache) { cc_close(context, &ccache); } - if (context) { + if (context) { destroy_all_ccaches_v2(context); cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -1152,24 +1152,24 @@ cc_result check_once_cc_store(apiCB *context, ccache_p *ccache, const cred_union cc_result err = CC_NOERROR; ccache_cit *iterator = NULL; int found = 0; - + cc_result possible_return_values[5] = { - CC_NOERROR, - CC_BAD_PARM, - CC_ERR_CACHE_FULL, - CC_ERR_CRED_VERSION, - CC_NO_EXIST + CC_NOERROR, + CC_BAD_PARM, + CC_ERR_CACHE_FULL, + CC_ERR_CRED_VERSION, + CC_NO_EXIST }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_store(context, ccache, in_creds); - + // check returned error check_err(err, expected_err, possible_return_values); - + // make sure credentials were truly stored if (!err) { err = cc_seq_fetch_creds_begin(context, ccache, &iterator); @@ -1181,19 +1181,19 @@ cc_result check_once_cc_store(apiCB *context, ccache_p *ccache, const cred_union if (!err) { found = !compare_v5_creds_unions_compat(&in_creds, creds); } - + if (creds) { cc_free_creds(context, &creds); } } - - if (err == CC_END) { + + if (err == CC_END) { check_if(found, "stored credentials not found in ccache"); err = CC_NOERROR; } - + if (iterator) { cc_seq_fetch_creds_end(context, &iterator); } - + END_CHECK_ONCE; - + return err; } @@ -1207,19 +1207,19 @@ int check_cc_remove_cred(void) { ccache_cit *iterator = NULL; char *name = NULL; unsigned int i; - + BEGIN_TEST("cc_remove_cred"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + if (!err) { err = cc_create(context, "TEST_CC_REMOVE_CRED", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); } - + // store 10 creds and retrieve their cc_credentials_t representations for(i = 0; !err && (i < 10); i++) { cred_union creds; @@ -1231,55 +1231,55 @@ int check_cc_remove_cred(void) { } release_v5_creds_union_compat(&creds); } - + if (!err) { err = cc_seq_fetch_creds_begin(context, ccache, &iterator); } - + for (i = 0; !err && i < 10; i++) { creds_array[i] = NULL; err = cc_seq_fetch_creds_next(context, &creds_array[i], iterator); } if (err == CC_END) { err = CC_NOERROR; } - + // remove 10 valid creds for (i = 0; !err && (i < 10); i++) { check_once_cc_remove_cred(context, ccache, *creds_array[i], CC_NOERROR, "10 ok creds"); } - + // non-existent creds (remove same one twice) check_once_cc_remove_cred(context, ccache, *creds_array[0], CC_NOTFOUND, "removed same creds twice"); - + // non-existent ccache - if (ccache) { + if (ccache) { ccache_p *dup_ccache = NULL; err = cc_get_name(context, ccache, &name); - + if (!err) { err = cc_open(context, name, CC_CRED_V5, 0, &dup_ccache); } - + if (!err) { err = cc_destroy(context, &dup_ccache); check_once_cc_remove_cred(context, ccache, *creds_array[0], CC_NO_EXIST, "invalid ccache"); } - + if (name) { cc_free_name(context, &name); } } - + for(i = 0; i < 10 && creds_array[i]; i++) { cc_free_creds(context, &creds_array[i]); } - - + + if (iterator) { cc_seq_fetch_creds_end(context, &iterator); iterator = NULL; } if (ccache) { cc_close(context, &ccache); } - if (context) { + if (context) { destroy_all_ccaches_v2(context); cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -1289,49 +1289,49 @@ cc_result check_once_cc_remove_cred(apiCB *context, ccache_p *ccache, cred_union cc_result err = CC_NOERROR; ccache_cit *iterator = NULL; int found = 0; - + cc_result possible_return_values[5] = { - CC_NOERROR, - CC_BAD_PARM, - CC_ERR_CRED_VERSION, - CC_NOTFOUND, + CC_NOERROR, + CC_BAD_PARM, + CC_ERR_CRED_VERSION, + CC_NOTFOUND, CC_NO_EXIST }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_remove_cred(context, ccache, in_creds); - + // check returned error check_err(err, expected_err, possible_return_values); - + // make sure credentials were truly stored if (!err) { err = cc_seq_fetch_creds_begin(context, ccache, &iterator); } - + while (!err && !found) { cred_union *creds = NULL; - + err = cc_seq_fetch_creds_next(context, &creds, iterator); if (!err) { found = !compare_v5_creds_unions_compat(&in_creds, creds); } - + if (creds) { cc_free_creds(context, &creds); } } - - if (err == CC_END) { + + if (err == CC_END) { check_if(found, "credentials not removed from ccache"); err = CC_NOERROR; } - + if (iterator) { cc_seq_fetch_creds_end(context, &iterator); } - + END_CHECK_ONCE; - + return err; } @@ -1342,31 +1342,31 @@ int check_cc_seq_fetch_NCs_begin(void) { apiCB *context = NULL; ccache_p *ccache = NULL; ccache_cit *iterator = NULL; - + BEGIN_TEST("cc_seq_fetch_NCs_begin"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - if (!err) { + if (!err) { err = destroy_all_ccaches_v2(context); } - if (!err) { + if (!err) { // try making when there are no existing ccaches (shouldn't make a difference, but just in case) check_once_cc_seq_fetch_NCs_begin(context, &iterator, CC_NOERROR, "when there are no existing ccaches"); - + err = cc_create(context, "TEST_CC_SEQ_FETCH_NCS_BEGIN", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); } - if (!err) { + if (!err) { // try making when at least one ccache already exists (just to cover all our bases) check_once_cc_seq_fetch_NCs_begin(context, &iterator, CC_NOERROR, "when at least one ccache already exists"); - + // try bad parameters check_once_cc_seq_fetch_NCs_begin(context, NULL, CC_BAD_PARM, "NULL param"); // NULL iterator } // we'll do a comprehensive test of cc_ccache_iterator related functions later in the test suite - + if (ccache ) { cc_close(context, &ccache); } if (context) { cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -1374,25 +1374,25 @@ int check_cc_seq_fetch_NCs_begin(void) { cc_result check_once_cc_seq_fetch_NCs_begin(apiCB *context, ccache_cit **iterator, cc_result expected_err, const char *description) { cc_result err = CC_NOERROR; - + cc_result possible_return_values[4] = { - CC_NOERROR, - CC_BAD_PARM, - CC_NOMEM, - CC_NO_EXIST + CC_NOERROR, + CC_BAD_PARM, + CC_NOMEM, + CC_NO_EXIST }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_seq_fetch_NCs_begin(context, iterator); - + // check returned error check_err(err, expected_err, possible_return_values); - + // we'll do a comprehensive test of cc_ccache_iterator related functions later - + return err; } @@ -1404,15 +1404,15 @@ int check_cc_seq_fetch_NCs_next(void) { ccache_p *ccache = NULL; ccache_cit *iterator = NULL; unsigned int i; - + BEGIN_TEST("cc_seq_fetch_NCs_next"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + // iterate with no ccaches if (!err) { err = cc_seq_fetch_NCs_begin(context, &iterator); @@ -1422,7 +1422,7 @@ int check_cc_seq_fetch_NCs_next(void) { cc_seq_fetch_creds_end(context, &iterator); iterator = NULL; } - + // iterate with one ccache if (!err) { destroy_all_ccaches_v2(context); @@ -1440,7 +1440,7 @@ int check_cc_seq_fetch_NCs_next(void) { cc_seq_fetch_creds_end(context, &iterator); iterator = NULL; } - + // iterate with several ccaches if (!err) { destroy_all_ccaches_v2(context); @@ -1448,8 +1448,8 @@ int check_cc_seq_fetch_NCs_next(void) { for(i = 0; !err && (i < 1000); i++) { char *name = NULL; - - if (i%100 == 0) fprintf(stdout, "."); + + if (i%100 == 0) fprintf(stdout, "."); asprintf (&name, "TEST_CC_SEQ_FETCH_NCS_NEXT_%d", i); err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); if (ccache) { @@ -1466,15 +1466,15 @@ int check_cc_seq_fetch_NCs_next(void) { cc_seq_fetch_creds_end(context, &iterator); iterator = NULL; } - - + + if (ccache) { cc_close(context, &ccache); } if (iterator) { cc_seq_fetch_creds_end(context, &iterator); } - if (context) { + if (context) { destroy_all_ccaches_v2(context); cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -1482,21 +1482,21 @@ int check_cc_seq_fetch_NCs_next(void) { cc_result check_once_cc_seq_fetch_NCs_next(apiCB *context, ccache_cit *iterator, cc_uint32 expected_count, cc_result expected_err, const char *description) { cc_result err = CC_NOERROR; - + cc_result possible_return_values[5] = { - CC_NOERROR, - CC_END, - CC_BAD_PARM, - CC_NOMEM, + CC_NOERROR, + CC_END, + CC_BAD_PARM, + CC_NOMEM, CC_NO_EXIST }; #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + ccache_p *ccache = NULL; cc_uint32 actual_count = 0; - + BEGIN_CHECK_ONCE(description); - + while (!err) { err = cc_seq_fetch_NCs_next(context, &ccache, iterator); if (ccache) { @@ -1508,15 +1508,15 @@ cc_result check_once_cc_seq_fetch_NCs_next(apiCB *context, ccache_cit *iterator, if (err == CC_END) { err = CC_NOERROR; } - + // check returned error check_err(err, expected_err, possible_return_values); - + check_if(actual_count != expected_count, "iterator didn't iterate over all ccaches"); - + END_CHECK_ONCE; - - return err; + + return err; } // --------------------------------------------------------------------------- @@ -1526,18 +1526,18 @@ int check_cc_get_NC_info(void) { apiCB *context = NULL; ccache_p *ccache = NULL; unsigned int i; - + BEGIN_TEST("cc_get_NC_info"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + // iterate with no ccaches check_once_cc_get_NC_info(context, "", "", CC_CRED_MAX, 0, CC_NOERROR, "iterating over an empty collection"); - + // iterate with one ccache if (!err) { destroy_all_ccaches_v2(context); @@ -1548,7 +1548,7 @@ int check_cc_get_NC_info(void) { ccache = NULL; } check_once_cc_get_NC_info(context, "TEST_CC_GET_NC_INFO", "foo@BAR.ORG", CC_CRED_V5, 1, CC_NOERROR, "iterating over a collection of 1 ccache"); - + // iterate with several ccaches if (!err) { destroy_all_ccaches_v2(context); @@ -1556,8 +1556,8 @@ int check_cc_get_NC_info(void) { for(i = 0; !err && (i < 1000); i++) { char *name = NULL; - - if (i%100 == 0) fprintf(stdout, "."); + + if (i%100 == 0) fprintf(stdout, "."); asprintf (&name, "TEST_CC_GET_NC_INFO_%d", i); err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); if (ccache) { @@ -1566,58 +1566,58 @@ int check_cc_get_NC_info(void) { } free (name); } - check_once_cc_get_NC_info(context, "TEST_CC_GET_NC_INFO", "foo@BAR.ORG", CC_CRED_V5, 1000, CC_NOERROR, "iterating over a collection of 1000 ccache"); - + check_once_cc_get_NC_info(context, "TEST_CC_GET_NC_INFO", "foo@BAR.ORG", CC_CRED_V5, 1000, CC_NOERROR, "iterating over a collection of 1000 ccache"); + if (ccache) { cc_close(context, &ccache); } - if (context) { + if (context) { destroy_all_ccaches_v2(context); cc_shutdown(&context); } - + END_TEST_AND_RETURN } // --------------------------------------------------------------------------- -cc_result check_once_cc_get_NC_info(apiCB *context, - const char *expected_name_prefix, - const char *expected_principal, - cc_int32 expected_version, - cc_uint32 expected_count, - cc_result expected_err, +cc_result check_once_cc_get_NC_info(apiCB *context, + const char *expected_name_prefix, + const char *expected_principal, + cc_int32 expected_version, + cc_uint32 expected_count, + cc_result expected_err, const char *description) { cc_result err = CC_NOERROR; infoNC **info = NULL; - + cc_result possible_return_values[4] = { CC_NOERROR, - CC_BAD_PARM, - CC_NOMEM, + CC_BAD_PARM, + CC_NOMEM, CC_NO_EXIST }; #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + cc_uint32 actual_count = 0; - + BEGIN_CHECK_ONCE(description); - + err = cc_get_NC_info(context, &info); - + for (actual_count = 0; !err && info[actual_count]; actual_count++) { check_if(strncmp(info[actual_count]->name, expected_name_prefix, strlen(expected_name_prefix)), "got incorrect ccache name"); check_if(strcmp(info[actual_count]->principal, expected_principal), "got incorrect principal name"); check_if(info[actual_count]->vers != expected_version, "got incorrect cred version"); } - + // check returned error check_err(err, expected_err, possible_return_values); - + check_if(actual_count != expected_count, "NC info didn't list all ccaches"); - + if (info) { cc_free_NC_info (context, &info); } END_CHECK_ONCE; - - return err; + + return err; } // --------------------------------------------------------------------------- @@ -1629,39 +1629,39 @@ int check_cc_seq_fetch_creds_begin(void) { ccache_p *dup_ccache = NULL; ccache_cit *creds_iterator = NULL; char *name = NULL; - + BEGIN_TEST("cc_seq_fetch_creds_begin"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + if (!err) { err = cc_create(context, "TEST_CC_SEQ_FETCH_CREDS_BEGIN", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); } - + // valid params if (!err) { check_once_cc_seq_fetch_creds_begin(context, ccache, &creds_iterator, CC_NOERROR, "valid params"); } - if (creds_iterator) { - cc_seq_fetch_creds_end(context, &creds_iterator); + if (creds_iterator) { + cc_seq_fetch_creds_end(context, &creds_iterator); creds_iterator = NULL; } - + // NULL out param if (!err) { check_once_cc_seq_fetch_creds_begin(context, ccache, NULL, CC_BAD_PARM, "NULL out iterator param"); } - if (creds_iterator) { - cc_seq_fetch_creds_end(context, &creds_iterator); + if (creds_iterator) { + cc_seq_fetch_creds_end(context, &creds_iterator); creds_iterator = NULL; } - + // non-existent ccache - if (ccache) { + if (ccache) { err = cc_get_name(context, ccache, &name); if (!err) { err = cc_open(context, name, CC_CRED_V5, 0, &dup_ccache); @@ -1669,21 +1669,21 @@ int check_cc_seq_fetch_creds_begin(void) { if (name) { cc_free_name(context, &name); } if (dup_ccache) { cc_destroy(context, &dup_ccache); } } - + if (!err) { check_once_cc_seq_fetch_creds_begin(context, ccache, &creds_iterator, CC_NO_EXIST, "invalid ccache"); } - - if (creds_iterator) { - cc_seq_fetch_creds_end(context, &creds_iterator); + + if (creds_iterator) { + cc_seq_fetch_creds_end(context, &creds_iterator); creds_iterator = NULL; } if (ccache) { cc_close(context, &ccache); } - if (context) { + if (context) { destroy_all_ccaches_v2(context); cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -1691,25 +1691,25 @@ int check_cc_seq_fetch_creds_begin(void) { cc_result check_once_cc_seq_fetch_creds_begin(apiCB *context, ccache_p *ccache, ccache_cit **iterator, cc_result expected_err, const char *description) { cc_result err = CC_NOERROR; - + cc_result possible_return_values[5] = { - CC_NOERROR, - CC_BAD_PARM, - CC_NOMEM, + CC_NOERROR, + CC_BAD_PARM, + CC_NOMEM, CC_NO_EXIST }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + err = cc_seq_fetch_creds_begin(context, ccache, iterator); - + // check returned error check_err(err, expected_err, possible_return_values); - + END_CHECK_ONCE; - + return err; } @@ -1722,15 +1722,15 @@ int check_cc_seq_fetch_creds_next(void) { cred_union creds_union; ccache_cit *iterator = NULL; unsigned int i; - + BEGIN_TEST("cc_seq_fetch_creds_next"); - + err = cc_initialize(&context, ccapi_version_2, NULL, NULL); - + if (!err) { err = destroy_all_ccaches_v2(context); } - + // iterate with no creds if (!err) { err = cc_create(context, "TEST_CC_SEQ_FETCH_CREDS_NEXT", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); @@ -1747,7 +1747,7 @@ int check_cc_seq_fetch_creds_next(void) { cc_close(context, &ccache); ccache = NULL; } - + // iterate with one cred if (!err) { destroy_all_ccaches_v2(context); @@ -1770,14 +1770,14 @@ int check_cc_seq_fetch_creds_next(void) { cc_close(context, &ccache); ccache = NULL; } - + // iterate with several creds if (!err) { destroy_all_ccaches_v2(context); err = cc_create(context, "TEST_CC_SEQ_FETCH_CREDS_NEXT", "foo@BAR.ORG", CC_CRED_V5, 0, &ccache); } for(i = 0; !err && (i < 1000); i++) { - if (i%100 == 0) fprintf(stdout, "."); + if (i%100 == 0) fprintf(stdout, "."); new_v5_creds_union_compat(&creds_union, "BAR.ORG"); err = cc_store(context, ccache, creds_union); release_v5_creds_union_compat(&creds_union); @@ -1785,15 +1785,15 @@ int check_cc_seq_fetch_creds_next(void) { if (!err) { err = cc_seq_fetch_creds_begin(context, ccache, &iterator); } - check_once_cc_seq_fetch_creds_next(context, iterator, 1000, CC_NOERROR, "iterating over a ccache with 1000 creds"); - + check_once_cc_seq_fetch_creds_next(context, iterator, 1000, CC_NOERROR, "iterating over a ccache with 1000 creds"); + if (ccache) { cc_close(context, &ccache); } if (iterator) { cc_seq_fetch_creds_end(context, &iterator); } - if (context) { + if (context) { destroy_all_ccaches_v2(context); cc_shutdown(&context); } - + END_TEST_AND_RETURN } @@ -1803,19 +1803,19 @@ cc_result check_once_cc_seq_fetch_creds_next(apiCB *context, ccache_cit *iterato cc_result err = CC_NOERROR; cred_union *creds = NULL; cc_uint32 actual_count = 0; - + cc_result possible_return_values[5] = { - CC_NOERROR, - CC_END, - CC_BAD_PARM, - CC_NOMEM, + CC_NOERROR, + CC_END, + CC_BAD_PARM, + CC_NOMEM, CC_NO_EXIST, }; - + BEGIN_CHECK_ONCE(description); - + #define possible_ret_val_count sizeof(possible_return_values)/sizeof(possible_return_values[0]) - + while (!err) { err = cc_seq_fetch_creds_next(context, &creds, iterator); if (creds) { @@ -1827,14 +1827,13 @@ cc_result check_once_cc_seq_fetch_creds_next(apiCB *context, ccache_cit *iterato if (err == CC_END) { err = CC_NOERROR; } - + // check returned error check_err(err, expected_err, possible_return_values); - + check_if(actual_count != expected_count, "iterator didn't iterate over all ccaches"); - + END_CHECK_ONCE; - - return err; -} + return err; +} diff --git a/src/ccapi/test/test_ccapi_v2.h b/src/ccapi/test/test_ccapi_v2.h index 55abdffde..8508daa45 100644 --- a/src/ccapi/test/test_ccapi_v2.h +++ b/src/ccapi/test/test_ccapi_v2.h @@ -34,10 +34,10 @@ int check_cc_get_name(void); cc_int32 check_once_cc_get_name(apiCB *context, ccache_p *ccache, const char *expected_name, cc_int32 expected_err, const char *description); int check_cc_get_principal(void); -cc_result check_once_cc_get_principal(apiCB *context, - ccache_p *ccache, - const char *expected_principal, - cc_int32 expected_err, +cc_result check_once_cc_get_principal(apiCB *context, + ccache_p *ccache, + const char *expected_principal, + cc_int32 expected_err, const char *description); int check_cc_set_principal(void); @@ -56,18 +56,18 @@ int check_cc_seq_fetch_NCs_next(void); cc_result check_once_cc_seq_fetch_NCs_next(apiCB *context, ccache_cit *iterator, cc_uint32 expected_count, cc_result expected_err, const char *description); int check_cc_get_NC_info(void); -cc_result check_once_cc_get_NC_info(apiCB *context, - const char *expected_name, - const char *expected_principal, - cc_int32 expected_version, - cc_uint32 expected_count, - cc_result expected_err, +cc_result check_once_cc_get_NC_info(apiCB *context, + const char *expected_name, + const char *expected_principal, + cc_int32 expected_version, + cc_uint32 expected_count, + cc_result expected_err, const char *description); int check_cc_seq_fetch_creds_begin(void); cc_result check_once_cc_seq_fetch_creds_begin(apiCB *context, ccache_p *ccache, ccache_cit **iterator, cc_result expected_err, const char *description); int check_cc_seq_fetch_creds_next(void); -cc_result check_once_cc_seq_fetch_creds_next(apiCB *context, ccache_cit *iterator, cc_uint32 expected_count, cc_result expected_err, const char *description); +cc_result check_once_cc_seq_fetch_creds_next(apiCB *context, ccache_cit *iterator, cc_uint32 expected_count, cc_result expected_err, const char *description); #endif /* _TEST_CCAPI_V2_H_ */ diff --git a/src/ccapi/test/test_constants.c b/src/ccapi/test/test_constants.c index 367baac4c..f4f272c4d 100644 --- a/src/ccapi/test/test_constants.c +++ b/src/ccapi/test/test_constants.c @@ -7,7 +7,7 @@ #include "test_ccapi_ccache.h" int main (int argc, const char * argv[]) { - + cc_int32 err = ccNoError; T_CCAPI_INIT; err = check_constants(); diff --git a/src/clients/kcpytkt/kcpytkt.c b/src/clients/kcpytkt/kcpytkt.c index 8efddb413..d39af4585 100644 --- a/src/clients/kcpytkt/kcpytkt.c +++ b/src/clients/kcpytkt/kcpytkt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include @@ -33,34 +34,34 @@ int main(int argc, char *argv[]) prog = prog ? (prog + 1) : argv[0]; while ((option = getopt(argc, argv, "c:e:f:hq")) != -1) { - switch (option) { + switch (option) { case 'c': fromccachestr = optarg; break; - case 'e': - etypestr = optarg; - break; + case 'e': + etypestr = optarg; + break; case 'f': flags = atoi(optarg); break; - case 'q': - quiet = 1; - break; - case 'h': - default: - xusage(); - break; - } + case 'q': + quiet = 1; + break; + case 'h': + default: + xusage(); + break; + } } if ((argc - optind) < 2) - xusage(); + xusage(); do_kcpytkt(argc - optind, argv + optind, fromccachestr, etypestr, flags); return 0; } -static void do_kcpytkt (int count, char *names[], +static void do_kcpytkt (int count, char *names[], char *fromccachestr, char *etypestr, int flags) { krb5_context context; @@ -76,19 +77,19 @@ static void do_kcpytkt (int count, char *names[], ret = krb5_init_context(&context); if (ret) { - com_err(prog, ret, "while initializing krb5 library"); - exit(1); + com_err(prog, ret, "while initializing krb5 library"); + exit(1); } if (etypestr) { ret = krb5_string_to_enctype(etypestr, &etype); - if (ret) { - com_err(prog, ret, "while converting etype"); - exit(1); - } + if (ret) { + com_err(prog, ret, "while converting etype"); + exit(1); + } retflags = KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES; } else { - etype = 0; + etype = 0; retflags = KRB5_TC_MATCH_SRV_NAMEONLY; } @@ -97,76 +98,76 @@ static void do_kcpytkt (int count, char *names[], else ret = krb5_cc_default(context, &fromccache); if (ret) { - com_err(prog, ret, "while opening source ccache"); - exit(1); + com_err(prog, ret, "while opening source ccache"); + exit(1); } ret = krb5_cc_get_principal(context, fromccache, &me); if (ret) { - com_err(prog, ret, "while getting client principal name"); - exit(1); + com_err(prog, ret, "while getting client principal name"); + exit(1); } ret = krb5_cc_resolve(context, names[0], &destccache); if (ret) { - com_err(prog, ret, "while opening destination cache"); - exit(1); + com_err(prog, ret, "while opening destination cache"); + exit(1); } errors = 0; for (i = 1; i < count; i++) { - memset(&in_creds, 0, sizeof(in_creds)); + memset(&in_creds, 0, sizeof(in_creds)); - in_creds.client = me; + in_creds.client = me; - ret = krb5_parse_name(context, names[i], &in_creds.server); - if (ret) { - if (!quiet) - fprintf(stderr, "%s: %s while parsing principal name\n", - names[i], error_message(ret)); - errors++; - continue; - } + ret = krb5_parse_name(context, names[i], &in_creds.server); + if (ret) { + if (!quiet) + fprintf(stderr, "%s: %s while parsing principal name\n", + names[i], error_message(ret)); + errors++; + continue; + } - ret = krb5_unparse_name(context, in_creds.server, &princ); - if (ret) { - fprintf(stderr, "%s: %s while printing principal name\n", - names[i], error_message(ret)); - errors++; - continue; - } + ret = krb5_unparse_name(context, in_creds.server, &princ); + if (ret) { + fprintf(stderr, "%s: %s while printing principal name\n", + names[i], error_message(ret)); + errors++; + continue; + } - in_creds.keyblock.enctype = etype; + in_creds.keyblock.enctype = etype; ret = krb5_cc_retrieve_cred(context, fromccache, retflags, - &in_creds, &out_creds); - if (ret) { - fprintf(stderr, "%s: %s while retrieving credentials\n", - princ, error_message(ret)); + &in_creds, &out_creds); + if (ret) { + fprintf(stderr, "%s: %s while retrieving credentials\n", + princ, error_message(ret)); - krb5_free_unparsed_name(context, princ); + krb5_free_unparsed_name(context, princ); - errors++; - continue; - } + errors++; + continue; + } - ret = krb5_cc_store_cred(context, destccache, &out_creds); + ret = krb5_cc_store_cred(context, destccache, &out_creds); - krb5_free_principal(context, in_creds.server); + krb5_free_principal(context, in_creds.server); - if (ret) { - fprintf(stderr, "%s: %s while removing credentials\n", - princ, error_message(ret)); + if (ret) { + fprintf(stderr, "%s: %s while removing credentials\n", + princ, error_message(ret)); krb5_free_cred_contents(context, &out_creds); - krb5_free_unparsed_name(context, princ); + krb5_free_unparsed_name(context, princ); - errors++; - continue; - } + errors++; + continue; + } - krb5_free_unparsed_name(context, princ); + krb5_free_unparsed_name(context, princ); krb5_free_cred_contents(context, &out_creds); } @@ -176,7 +177,7 @@ static void do_kcpytkt (int count, char *names[], krb5_free_context(context); if (errors) - exit(1); + exit(1); exit(0); } diff --git a/src/clients/kdeltkt/kdeltkt.c b/src/clients/kdeltkt/kdeltkt.c index 832a07075..2ca42c1f4 100644 --- a/src/clients/kdeltkt/kdeltkt.c +++ b/src/clients/kdeltkt/kdeltkt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include @@ -33,34 +34,34 @@ int main(int argc, char *argv[]) prog = prog ? (prog + 1) : argv[0]; while ((option = getopt(argc, argv, "c:e:f:hq")) != -1) { - switch (option) { + switch (option) { case 'c': ccachestr = optarg; break; - case 'e': - etypestr = optarg; - break; + case 'e': + etypestr = optarg; + break; case 'f': flags = atoi(optarg); break; - case 'q': - quiet = 1; - break; - case 'h': - default: - xusage(); - break; - } + case 'q': + quiet = 1; + break; + case 'h': + default: + xusage(); + break; + } } if ((argc - optind) < 1) - xusage(); + xusage(); do_kdeltkt(argc - optind, argv + optind, ccachestr, etypestr, flags); return 0; } -static void do_kdeltkt (int count, char *names[], +static void do_kdeltkt (int count, char *names[], char *ccachestr, char *etypestr, int flags) { krb5_context context; @@ -75,19 +76,19 @@ static void do_kdeltkt (int count, char *names[], ret = krb5_init_context(&context); if (ret) { - com_err(prog, ret, "while initializing krb5 library"); - exit(1); + com_err(prog, ret, "while initializing krb5 library"); + exit(1); } if (etypestr) { ret = krb5_string_to_enctype(etypestr, &etype); - if (ret) { - com_err(prog, ret, "while converting etype"); - exit(1); - } + if (ret) { + com_err(prog, ret, "while converting etype"); + exit(1); + } retflags = KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES; } else { - etype = 0; + etype = 0; retflags = KRB5_TC_MATCH_SRV_NAMEONLY; } @@ -96,71 +97,71 @@ static void do_kdeltkt (int count, char *names[], else ret = krb5_cc_default(context, &ccache); if (ret) { - com_err(prog, ret, "while opening ccache"); - exit(1); + com_err(prog, ret, "while opening ccache"); + exit(1); } ret = krb5_cc_get_principal(context, ccache, &me); if (ret) { - com_err(prog, ret, "while getting client principal name"); - exit(1); + com_err(prog, ret, "while getting client principal name"); + exit(1); } errors = 0; for (i = 0; i < count; i++) { - memset(&in_creds, 0, sizeof(in_creds)); + memset(&in_creds, 0, sizeof(in_creds)); - in_creds.client = me; + in_creds.client = me; - ret = krb5_parse_name(context, names[i], &in_creds.server); - if (ret) { - if (!quiet) - fprintf(stderr, "%s: %s while parsing principal name\n", - names[i], error_message(ret)); - errors++; - continue; - } + ret = krb5_parse_name(context, names[i], &in_creds.server); + if (ret) { + if (!quiet) + fprintf(stderr, "%s: %s while parsing principal name\n", + names[i], error_message(ret)); + errors++; + continue; + } - ret = krb5_unparse_name(context, in_creds.server, &princ); - if (ret) { - fprintf(stderr, "%s: %s while printing principal name\n", - names[i], error_message(ret)); - errors++; - continue; - } + ret = krb5_unparse_name(context, in_creds.server, &princ); + if (ret) { + fprintf(stderr, "%s: %s while printing principal name\n", + names[i], error_message(ret)); + errors++; + continue; + } - in_creds.keyblock.enctype = etype; + in_creds.keyblock.enctype = etype; ret = krb5_cc_retrieve_cred(context, ccache, retflags, - &in_creds, &out_creds); - if (ret) { - fprintf(stderr, "%s: %s while retrieving credentials\n", - princ, error_message(ret)); + &in_creds, &out_creds); + if (ret) { + fprintf(stderr, "%s: %s while retrieving credentials\n", + princ, error_message(ret)); - krb5_free_unparsed_name(context, princ); + krb5_free_unparsed_name(context, princ); - errors++; - continue; - } + errors++; + continue; + } - ret = krb5_cc_remove_cred(context, ccache, flags, &out_creds); + ret = krb5_cc_remove_cred(context, ccache, flags, &out_creds); - krb5_free_principal(context, in_creds.server); + krb5_free_principal(context, in_creds.server); - if (ret) { - fprintf(stderr, "%s: %s while removing credentials\n", - princ, error_message(ret)); + if (ret) { + fprintf(stderr, "%s: %s while removing credentials\n", + princ, error_message(ret)); krb5_free_cred_contents(context, &out_creds); - krb5_free_unparsed_name(context, princ); + krb5_free_unparsed_name(context, princ); - errors++; - continue; - } + errors++; + continue; + } - krb5_free_unparsed_name(context, princ); - krb5_free_cred_contents(context, &out_creds); + krb5_free_unparsed_name(context, princ); + krb5_free_cred_contents(context, &out_creds); } krb5_free_principal(context, me); @@ -168,7 +169,7 @@ static void do_kdeltkt (int count, char *names[], krb5_free_context(context); if (errors) - exit(1); + exit(1); exit(0); } diff --git a/src/clients/kdestroy/kdestroy.c b/src/clients/kdestroy/kdestroy.c index 3f2f32682..4741f1a35 100644 --- a/src/clients/kdestroy/kdestroy.c +++ b/src/clients/kdestroy/kdestroy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * clients/kdestroy/kdestroy.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Destroy the contents of your credential cache. */ @@ -81,70 +82,70 @@ main(argc, argv) progname = GET_PROGNAME(argv[0]); while ((c = getopt(argc, argv, "54qc:")) != -1) { - switch (c) { - case 'q': - quiet = 1; - break; - case 'c': - if (cache_name) { - fprintf(stderr, "Only one -c option allowed\n"); - errflg++; - } else { - cache_name = optarg; - } - break; - case '4': - fprintf(stderr, "Kerberos 4 is no longer supported\n"); - exit(3); - break; - case '5': - break; - case '?': - default: - errflg++; - break; - } + switch (c) { + case 'q': + quiet = 1; + break; + case 'c': + if (cache_name) { + fprintf(stderr, "Only one -c option allowed\n"); + errflg++; + } else { + cache_name = optarg; + } + break; + case '4': + fprintf(stderr, "Kerberos 4 is no longer supported\n"); + exit(3); + break; + case '5': + break; + case '?': + default: + errflg++; + break; + } } if (optind != argc) - errflg++; - + errflg++; + if (errflg) { - usage(); + usage(); } retval = krb5_init_context(&kcontext); if (retval) { - com_err(progname, retval, "while initializing krb5"); - exit(1); + com_err(progname, retval, "while initializing krb5"); + exit(1); } if (cache_name) { - code = krb5_cc_resolve (kcontext, cache_name, &cache); - if (code != 0) { - com_err (progname, code, "while resolving %s", cache_name); - exit(1); - } + code = krb5_cc_resolve (kcontext, cache_name, &cache); + if (code != 0) { + com_err (progname, code, "while resolving %s", cache_name); + exit(1); + } } else { - code = krb5_cc_default(kcontext, &cache); - if (code) { - com_err(progname, code, "while getting default ccache"); - exit(1); - } + code = krb5_cc_default(kcontext, &cache); + if (code) { + com_err(progname, code, "while getting default ccache"); + exit(1); + } } code = krb5_cc_destroy (kcontext, cache); if (code != 0) { - com_err (progname, code, "while destroying cache"); - if (code != KRB5_FCC_NOFILE) { - if (quiet) - fprintf(stderr, "Ticket cache NOT destroyed!\n"); - else { - fprintf(stderr, "Ticket cache %cNOT%c destroyed!\n", - BELL_CHAR, BELL_CHAR); - } - errflg = 1; - } + com_err (progname, code, "while destroying cache"); + if (code != KRB5_FCC_NOFILE) { + if (quiet) + fprintf(stderr, "Ticket cache NOT destroyed!\n"); + else { + fprintf(stderr, "Ticket cache %cNOT%c destroyed!\n", + BELL_CHAR, BELL_CHAR); + } + errflg = 1; + } } return errflg; } diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c index 808107f79..96bb9cdcc 100644 --- a/src/clients/kinit/kinit.c +++ b/src/clients/kinit/kinit.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * clients/kinit/kinit.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,13 +23,13 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Initialize a credentials cache. */ #include "autoconf.h" -#include "k5-platform.h" /* for asprintf */ +#include "k5-platform.h" /* for asprintf */ #include #include #include @@ -61,12 +62,12 @@ extern int getopt(); #ifdef HAVE_PWD_H #include -static +static char * get_name_from_os() { struct passwd *pw; if ((pw = getpwuid((int) getuid()))) - return pw->pw_name; + return pw->pw_name; return 0; } #else /* HAVE_PWD_H */ @@ -77,10 +78,10 @@ char * get_name_from_os() static char name[1024]; DWORD name_size = sizeof(name); if (GetUserName(name, &name_size)) { - name[sizeof(name)-1] = 0; /* Just to be extra safe */ - return name; + name[sizeof(name)-1] = 0; /* Just to be extra safe */ + return name; } else { - return 0; + return 0; } } #else /* _WIN32 */ @@ -175,34 +176,34 @@ usage() #define USAGE_LONG_FORWARDABLE "" #define USAGE_LONG_PROXIABLE "" #define USAGE_LONG_ADDRESSES "" -#define USAGE_LONG_CANONICALIZE "" -#define USAGE_LONG_ENTERPRISE "" +#define USAGE_LONG_CANONICALIZE "" +#define USAGE_LONG_ENTERPRISE "" #define USAGE_BREAK_LONG "" #endif fprintf(stderr, "Usage: %s [-V] " - "[-l lifetime] [-s start_time] " - USAGE_BREAK - "[-r renewable_life] " - "[-f | -F" USAGE_LONG_FORWARDABLE "] " - USAGE_BREAK_LONG - "[-p | -P" USAGE_LONG_PROXIABLE "] " - USAGE_BREAK_LONG - "[-a | -A" USAGE_LONG_ADDRESSES "] " - USAGE_BREAK_LONG - "[-C" USAGE_LONG_CANONICALIZE "] " - USAGE_BREAK - "[-E" USAGE_LONG_ENTERPRISE "] " - USAGE_BREAK - "[-v] [-R] " - "[-k [-t keytab_file]] " - "[-c cachename] " - USAGE_BREAK - "[-S service_name] [-T ticket_armor_cache]" - USAGE_BREAK - "[-X [=]] [principal]" - "\n\n", - progname); + "[-l lifetime] [-s start_time] " + USAGE_BREAK + "[-r renewable_life] " + "[-f | -F" USAGE_LONG_FORWARDABLE "] " + USAGE_BREAK_LONG + "[-p | -P" USAGE_LONG_PROXIABLE "] " + USAGE_BREAK_LONG + "[-a | -A" USAGE_LONG_ADDRESSES "] " + USAGE_BREAK_LONG + "[-C" USAGE_LONG_CANONICALIZE "] " + USAGE_BREAK + "[-E" USAGE_LONG_ENTERPRISE "] " + USAGE_BREAK + "[-v] [-R] " + "[-k [-t keytab_file]] " + "[-c cachename] " + USAGE_BREAK + "[-S service_name] [-T ticket_armor_cache]" + USAGE_BREAK + "[-X [=]] [principal]" + "\n\n", + progname); fprintf(stderr, " options:"); fprintf(stderr, "\t-V verbose\n"); @@ -230,7 +231,7 @@ usage() static krb5_context errctx; static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) + const char *fmt, va_list args) { const char *emsg; emsg = krb5_get_error_message (errctx, code); @@ -247,24 +248,24 @@ add_preauth_opt(struct k_opts *opts, char *av) krb5_gic_opt_pa_data *p, *x; if (opts->num_pa_opts == 0) { - opts->pa_opts = malloc(sizeof(krb5_gic_opt_pa_data)); - if (opts->pa_opts == NULL) - return ENOMEM; + opts->pa_opts = malloc(sizeof(krb5_gic_opt_pa_data)); + if (opts->pa_opts == NULL) + return ENOMEM; } else { - size_t newsize = (opts->num_pa_opts + 1) * sizeof(krb5_gic_opt_pa_data); - x = realloc(opts->pa_opts, newsize); - if (x == NULL) - return ENOMEM; - opts->pa_opts = x; + size_t newsize = (opts->num_pa_opts + 1) * sizeof(krb5_gic_opt_pa_data); + x = realloc(opts->pa_opts, newsize); + if (x == NULL) + return ENOMEM; + opts->pa_opts = x; } p = &opts->pa_opts[opts->num_pa_opts]; sep = strchr(av, '='); if (sep) { - *sep = '\0'; - v = ++sep; - p->value = v; + *sep = '\0'; + v = ++sep; + p->value = v; } else { - p->value = "yes"; + p->value = "yes"; } p->attr = av; opts->num_pa_opts++; @@ -282,145 +283,145 @@ parse_options(argc, argv, opts) int i; while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:T:RS:vX:CE")) - != -1) { - switch (i) { - case 'V': - opts->verbose = 1; - break; - case 'l': - /* Lifetime */ - code = krb5_string_to_deltat(optarg, &opts->lifetime); - if (code != 0 || opts->lifetime == 0) { - fprintf(stderr, "Bad lifetime value %s\n", optarg); - errflg++; - } - break; - case 'r': - /* Renewable Time */ - code = krb5_string_to_deltat(optarg, &opts->rlife); - if (code != 0 || opts->rlife == 0) { - fprintf(stderr, "Bad lifetime value %s\n", optarg); - errflg++; - } - break; - case 'f': - opts->forwardable = 1; - break; - case 'F': - opts->not_forwardable = 1; - break; - case 'p': - opts->proxiable = 1; - break; - case 'P': - opts->not_proxiable = 1; - break; - case 'a': - opts->addresses = 1; - break; - case 'A': - opts->no_addresses = 1; - break; - case 's': - code = krb5_string_to_deltat(optarg, &opts->starttime); - if (code != 0 || opts->starttime == 0) { - krb5_timestamp abs_starttime; - - code = krb5_string_to_timestamp(optarg, &abs_starttime); - if (code != 0 || abs_starttime == 0) { - fprintf(stderr, "Bad start time value %s\n", optarg); - errflg++; - } else { - opts->starttime = abs_starttime - time(0); - } - } - break; - case 'S': - opts->service_name = optarg; - break; - case 'k': - opts->action = INIT_KT; - break; - case 't': - if (opts->keytab_name) - { - fprintf(stderr, "Only one -t option allowed.\n"); - errflg++; - } else { - opts->keytab_name = optarg; - } - break; - case 'T': - if (opts->armor_ccache) { - fprintf(stderr, "Only one armor_ccache\n"); - errflg++; - } else opts->armor_ccache = optarg; - break; - case 'R': - opts->action = RENEW; - break; - case 'v': - opts->action = VALIDATE; - break; - case 'c': - if (opts->k5_cache_name) - { - fprintf(stderr, "Only one -c option allowed\n"); - errflg++; - } else { - opts->k5_cache_name = optarg; - } - break; - case 'X': - code = add_preauth_opt(opts, optarg); - if (code) - { - com_err(progname, code, "while adding preauth option"); - errflg++; - } - break; - case 'C': - opts->canonicalize = 1; - break; - case 'E': - opts->enterprise = 1; - break; - case '4': - fprintf(stderr, "Kerberos 4 is no longer supported\n"); - exit(3); - break; - case '5': - break; - default: - errflg++; - break; - } + != -1) { + switch (i) { + case 'V': + opts->verbose = 1; + break; + case 'l': + /* Lifetime */ + code = krb5_string_to_deltat(optarg, &opts->lifetime); + if (code != 0 || opts->lifetime == 0) { + fprintf(stderr, "Bad lifetime value %s\n", optarg); + errflg++; + } + break; + case 'r': + /* Renewable Time */ + code = krb5_string_to_deltat(optarg, &opts->rlife); + if (code != 0 || opts->rlife == 0) { + fprintf(stderr, "Bad lifetime value %s\n", optarg); + errflg++; + } + break; + case 'f': + opts->forwardable = 1; + break; + case 'F': + opts->not_forwardable = 1; + break; + case 'p': + opts->proxiable = 1; + break; + case 'P': + opts->not_proxiable = 1; + break; + case 'a': + opts->addresses = 1; + break; + case 'A': + opts->no_addresses = 1; + break; + case 's': + code = krb5_string_to_deltat(optarg, &opts->starttime); + if (code != 0 || opts->starttime == 0) { + krb5_timestamp abs_starttime; + + code = krb5_string_to_timestamp(optarg, &abs_starttime); + if (code != 0 || abs_starttime == 0) { + fprintf(stderr, "Bad start time value %s\n", optarg); + errflg++; + } else { + opts->starttime = abs_starttime - time(0); + } + } + break; + case 'S': + opts->service_name = optarg; + break; + case 'k': + opts->action = INIT_KT; + break; + case 't': + if (opts->keytab_name) + { + fprintf(stderr, "Only one -t option allowed.\n"); + errflg++; + } else { + opts->keytab_name = optarg; + } + break; + case 'T': + if (opts->armor_ccache) { + fprintf(stderr, "Only one armor_ccache\n"); + errflg++; + } else opts->armor_ccache = optarg; + break; + case 'R': + opts->action = RENEW; + break; + case 'v': + opts->action = VALIDATE; + break; + case 'c': + if (opts->k5_cache_name) + { + fprintf(stderr, "Only one -c option allowed\n"); + errflg++; + } else { + opts->k5_cache_name = optarg; + } + break; + case 'X': + code = add_preauth_opt(opts, optarg); + if (code) + { + com_err(progname, code, "while adding preauth option"); + errflg++; + } + break; + case 'C': + opts->canonicalize = 1; + break; + case 'E': + opts->enterprise = 1; + break; + case '4': + fprintf(stderr, "Kerberos 4 is no longer supported\n"); + exit(3); + break; + case '5': + break; + default: + errflg++; + break; + } } if (opts->forwardable && opts->not_forwardable) { - fprintf(stderr, "Only one of -f and -F allowed\n"); - errflg++; + fprintf(stderr, "Only one of -f and -F allowed\n"); + errflg++; } if (opts->proxiable && opts->not_proxiable) { - fprintf(stderr, "Only one of -p and -P allowed\n"); - errflg++; + fprintf(stderr, "Only one of -p and -P allowed\n"); + errflg++; } if (opts->addresses && opts->no_addresses) { - fprintf(stderr, "Only one of -a and -A allowed\n"); - errflg++; + fprintf(stderr, "Only one of -a and -A allowed\n"); + errflg++; } if (argc - optind > 1) { - fprintf(stderr, "Extra arguments (starting with \"%s\").\n", - argv[optind+1]); - errflg++; + fprintf(stderr, "Extra arguments (starting with \"%s\").\n", + argv[optind+1]); + errflg++; } if (errflg) { - usage(); + usage(); } opts->principal_name = (optind == argc-1) ? argv[optind] : 0; @@ -437,86 +438,86 @@ k5_begin(opts, k5) code = krb5_init_context(&k5->ctx); if (code) { - com_err(progname, code, "while initializing Kerberos 5 library"); - return 0; + com_err(progname, code, "while initializing Kerberos 5 library"); + return 0; } errctx = k5->ctx; if (opts->k5_cache_name) { - code = krb5_cc_resolve(k5->ctx, opts->k5_cache_name, &k5->cc); - if (code != 0) { - com_err(progname, code, "resolving ccache %s", - opts->k5_cache_name); - return 0; - } - } + code = krb5_cc_resolve(k5->ctx, opts->k5_cache_name, &k5->cc); + if (code != 0) { + com_err(progname, code, "resolving ccache %s", + opts->k5_cache_name); + return 0; + } + } else { - if ((code = krb5_cc_default(k5->ctx, &k5->cc))) { - com_err(progname, code, "while getting default ccache"); - return 0; - } + if ((code = krb5_cc_default(k5->ctx, &k5->cc))) { + com_err(progname, code, "while getting default ccache"); + return 0; + } } if (opts->principal_name) { - /* Use specified name */ - if ((code = krb5_parse_name_flags(k5->ctx, opts->principal_name, - flags, &k5->me))) { - com_err(progname, code, "when parsing name %s", - opts->principal_name); - return 0; - } + /* Use specified name */ + if ((code = krb5_parse_name_flags(k5->ctx, opts->principal_name, + flags, &k5->me))) { + com_err(progname, code, "when parsing name %s", + opts->principal_name); + return 0; + } } else { - /* No principal name specified */ - if (opts->action == INIT_KT) { - /* Use the default host/service name */ - code = krb5_sname_to_principal(k5->ctx, NULL, NULL, - KRB5_NT_SRV_HST, &k5->me); - if (code) { - com_err(progname, code, - "when creating default server principal name"); - return 0; - } - if (k5->me->realm.data[0] == 0) { - code = krb5_unparse_name(k5->ctx, k5->me, &k5->name); - if (code == 0) - com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN, - "(principal %s)", k5->name); - else - com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN, - "for local services"); - return 0; - } - } else { - /* Get default principal from cache if one exists */ - code = krb5_cc_get_principal(k5->ctx, k5->cc, - &k5->me); - if (code) - { - char *name = get_name_from_os(); - if (!name) - { - fprintf(stderr, "Unable to identify user\n"); - return 0; - } - if ((code = krb5_parse_name_flags(k5->ctx, name, - flags, &k5->me))) - { - com_err(progname, code, "when parsing name %s", - name); - return 0; - } - } - } + /* No principal name specified */ + if (opts->action == INIT_KT) { + /* Use the default host/service name */ + code = krb5_sname_to_principal(k5->ctx, NULL, NULL, + KRB5_NT_SRV_HST, &k5->me); + if (code) { + com_err(progname, code, + "when creating default server principal name"); + return 0; + } + if (k5->me->realm.data[0] == 0) { + code = krb5_unparse_name(k5->ctx, k5->me, &k5->name); + if (code == 0) + com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN, + "(principal %s)", k5->name); + else + com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN, + "for local services"); + return 0; + } + } else { + /* Get default principal from cache if one exists */ + code = krb5_cc_get_principal(k5->ctx, k5->cc, + &k5->me); + if (code) + { + char *name = get_name_from_os(); + if (!name) + { + fprintf(stderr, "Unable to identify user\n"); + return 0; + } + if ((code = krb5_parse_name_flags(k5->ctx, name, + flags, &k5->me))) + { + com_err(progname, code, "when parsing name %s", + name); + return 0; + } + } + } } code = krb5_unparse_name(k5->ctx, k5->me, &k5->name); if (code) { - com_err(progname, code, "when unparsing name"); - return 0; + com_err(progname, code, "when unparsing name"); + return 0; } opts->principal_name = k5->name; @@ -528,13 +529,13 @@ k5_end(k5) struct k5_data* k5; { if (k5->name) - krb5_free_unparsed_name(k5->ctx, k5->name); + krb5_free_unparsed_name(k5->ctx, k5->name); if (k5->me) - krb5_free_principal(k5->ctx, k5->me); + krb5_free_principal(k5->ctx, k5->me); if (k5->cc) - krb5_cc_close(k5->ctx, k5->cc); + krb5_cc_close(k5->ctx, k5->cc); if (k5->ctx) - krb5_free_context(k5->ctx); + krb5_free_context(k5->ctx); errctx = NULL; memset(k5, 0, sizeof(*k5)); } @@ -548,10 +549,10 @@ kinit_prompter( const char *banner, int num_prompts, krb5_prompt prompts[] - ) +) { krb5_error_code rc = - krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts); + krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts); return rc; } @@ -571,7 +572,7 @@ k5_kinit(opts, k5) code = krb5_get_init_creds_opt_alloc(k5->ctx, &options); if (code) - goto cleanup; + goto cleanup; /* From this point on, we can goto cleanup because my_creds is @@ -579,134 +580,134 @@ k5_kinit(opts, k5) */ if (opts->lifetime) - krb5_get_init_creds_opt_set_tkt_life(options, opts->lifetime); + krb5_get_init_creds_opt_set_tkt_life(options, opts->lifetime); if (opts->rlife) - krb5_get_init_creds_opt_set_renew_life(options, opts->rlife); + krb5_get_init_creds_opt_set_renew_life(options, opts->rlife); if (opts->forwardable) - krb5_get_init_creds_opt_set_forwardable(options, 1); + krb5_get_init_creds_opt_set_forwardable(options, 1); if (opts->not_forwardable) - krb5_get_init_creds_opt_set_forwardable(options, 0); + krb5_get_init_creds_opt_set_forwardable(options, 0); if (opts->proxiable) - krb5_get_init_creds_opt_set_proxiable(options, 1); + krb5_get_init_creds_opt_set_proxiable(options, 1); if (opts->not_proxiable) - krb5_get_init_creds_opt_set_proxiable(options, 0); + krb5_get_init_creds_opt_set_proxiable(options, 0); if (opts->canonicalize) - krb5_get_init_creds_opt_set_canonicalize(options, 1); + krb5_get_init_creds_opt_set_canonicalize(options, 1); if (opts->addresses) { - krb5_address **addresses = NULL; - code = krb5_os_localaddr(k5->ctx, &addresses); - if (code != 0) { - com_err(progname, code, "getting local addresses"); - goto cleanup; - } - krb5_get_init_creds_opt_set_address_list(options, addresses); + krb5_address **addresses = NULL; + code = krb5_os_localaddr(k5->ctx, &addresses); + if (code != 0) { + com_err(progname, code, "getting local addresses"); + goto cleanup; + } + krb5_get_init_creds_opt_set_address_list(options, addresses); } if (opts->no_addresses) - krb5_get_init_creds_opt_set_address_list(options, NULL); + krb5_get_init_creds_opt_set_address_list(options, NULL); if (opts->armor_ccache) - krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache); - + krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache); + if ((opts->action == INIT_KT) && opts->keytab_name) { - code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab); - if (code != 0) { - com_err(progname, code, "resolving keytab %s", - opts->keytab_name); - goto cleanup; - } + code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab); + if (code != 0) { + com_err(progname, code, "resolving keytab %s", + opts->keytab_name); + goto cleanup; + } } for (i = 0; i < opts->num_pa_opts; i++) { - code = krb5_get_init_creds_opt_set_pa(k5->ctx, options, - opts->pa_opts[i].attr, - opts->pa_opts[i].value); - if (code != 0) { - com_err(progname, code, "while setting '%s'='%s'", - opts->pa_opts[i].attr, opts->pa_opts[i].value); - goto cleanup; - } + code = krb5_get_init_creds_opt_set_pa(k5->ctx, options, + opts->pa_opts[i].attr, + opts->pa_opts[i].value); + if (code != 0) { + com_err(progname, code, "while setting '%s'='%s'", + opts->pa_opts[i].attr, opts->pa_opts[i].value); + goto cleanup; + } } switch (opts->action) { case INIT_PW: - code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, - 0, kinit_prompter, 0, - opts->starttime, - opts->service_name, - options); - break; + code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, + 0, kinit_prompter, 0, + opts->starttime, + opts->service_name, + options); + break; case INIT_KT: - code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me, - keytab, - opts->starttime, - opts->service_name, - options); - break; + code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me, + keytab, + opts->starttime, + opts->service_name, + options); + break; case VALIDATE: - code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->cc, - opts->service_name); - break; + code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->cc, + opts->service_name); + break; case RENEW: - code = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->cc, - opts->service_name); - break; + code = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->cc, + opts->service_name); + break; } if (code) { - char *doing = 0; - switch (opts->action) { - case INIT_PW: - case INIT_KT: - doing = "getting initial credentials"; - break; - case VALIDATE: - doing = "validating credentials"; - break; - case RENEW: - doing = "renewing credentials"; - break; - } - - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) - fprintf(stderr, "%s: Password incorrect while %s\n", progname, - doing); - else - com_err(progname, code, "while %s", doing); - goto cleanup; + char *doing = 0; + switch (opts->action) { + case INIT_PW: + case INIT_KT: + doing = "getting initial credentials"; + break; + case VALIDATE: + doing = "validating credentials"; + break; + case RENEW: + doing = "renewing credentials"; + break; + } + + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) + fprintf(stderr, "%s: Password incorrect while %s\n", progname, + doing); + else + com_err(progname, code, "while %s", doing); + goto cleanup; } code = krb5_cc_initialize(k5->ctx, k5->cc, - opts->canonicalize ? my_creds.client : k5->me); + opts->canonicalize ? my_creds.client : k5->me); if (code) { - com_err(progname, code, "when initializing cache %s", - opts->k5_cache_name?opts->k5_cache_name:""); - goto cleanup; + com_err(progname, code, "when initializing cache %s", + opts->k5_cache_name?opts->k5_cache_name:""); + goto cleanup; } code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds); if (code) { - com_err(progname, code, "while storing credentials"); - goto cleanup; + com_err(progname, code, "while storing credentials"); + goto cleanup; } notix = 0; - cleanup: +cleanup: if (options) - krb5_get_init_creds_opt_free(k5->ctx, options); + krb5_get_init_creds_opt_free(k5->ctx, options); if (my_creds.client == k5->me) { - my_creds.client = 0; + my_creds.client = 0; } if (opts->pa_opts) { - free(opts->pa_opts); - opts->pa_opts = NULL; - opts->num_pa_opts = 0; + free(opts->pa_opts); + opts->pa_opts = NULL; + opts->num_pa_opts = 0; } krb5_free_cred_contents(k5->ctx, &my_creds); if (keytab) - krb5_kt_close(k5->ctx, keytab); + krb5_kt_close(k5->ctx, keytab); return notix?0:1; } @@ -723,11 +724,11 @@ main(argc, argv) /* Ensure we can be driven from a pipe */ if(!isatty(fileno(stdin))) - setvbuf(stdin, 0, _IONBF, 0); + setvbuf(stdin, 0, _IONBF, 0); if(!isatty(fileno(stdout))) - setvbuf(stdout, 0, _IONBF, 0); + setvbuf(stdout, 0, _IONBF, 0); if(!isatty(fileno(stderr))) - setvbuf(stderr, 0, _IONBF, 0); + setvbuf(stderr, 0, _IONBF, 0); memset(&opts, 0, sizeof(opts)); opts.action = INIT_PW; @@ -739,14 +740,14 @@ main(argc, argv) parse_options(argc, argv, &opts); if (k5_begin(&opts, &k5)) - authed_k5 = k5_kinit(&opts, &k5); + authed_k5 = k5_kinit(&opts, &k5); if (authed_k5 && opts.verbose) - fprintf(stderr, "Authenticated to Kerberos v5\n"); + fprintf(stderr, "Authenticated to Kerberos v5\n"); k5_end(&k5); if (!authed_k5) - exit(1); + exit(1); return 0; } diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c index 9e93f7b35..1a6309eb1 100644 --- a/src/clients/klist/klist.c +++ b/src/clients/klist/klist.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * clients/klist/klist.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * List out the contents of your credential cache or keytab. */ @@ -67,7 +68,7 @@ krb5_context kcontext; char * etype_string (krb5_enctype ); void show_credential (krb5_creds *); - + void do_ccache (char *); void do_keytab (char *); void printtime (time_t); @@ -83,7 +84,7 @@ static void usage() #define KRB_AVAIL_STRING(x) ((x)?"available":"not available") fprintf(stderr, "Usage: %s [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] %s", - progname, "[-k [-t] [-K]] [name]\n"); + progname, "[-k [-t] [-K]] [name]\n"); fprintf(stderr, "\t-c specifies credentials cache\n"); fprintf(stderr, "\t-k specifies keytab\n"); fprintf(stderr, "\t (Default is credentials cache)\n"); @@ -116,194 +117,194 @@ main(argc, argv) mode = DEFAULT; /* V=version so v can be used for verbose later if desired. */ while ((c = getopt(argc, argv, "dfetKsnack45V")) != -1) { - switch (c) { - case 'd': - show_adtype = 1; - break; - case 'f': - show_flags = 1; - break; - case 'e': - show_etype = 1; - break; - case 't': - show_time = 1; - break; - case 'K': - show_keys = 1; - break; - case 's': - status_only = 1; - break; - case 'n': - no_resolve = 1; - break; - case 'a': - show_addresses = 1; - break; - case 'c': - if (mode != DEFAULT) usage(); - mode = CCACHE; - break; - case 'k': - if (mode != DEFAULT) usage(); - mode = KEYTAB; - break; - case '4': - fprintf(stderr, "Kerberos 4 is no longer supported\n"); - exit(3); - break; - case '5': - break; - case 'V': - print_version = 1; - break; - default: - usage(); - break; - } + switch (c) { + case 'd': + show_adtype = 1; + break; + case 'f': + show_flags = 1; + break; + case 'e': + show_etype = 1; + break; + case 't': + show_time = 1; + break; + case 'K': + show_keys = 1; + break; + case 's': + status_only = 1; + break; + case 'n': + no_resolve = 1; + break; + case 'a': + show_addresses = 1; + break; + case 'c': + if (mode != DEFAULT) usage(); + mode = CCACHE; + break; + case 'k': + if (mode != DEFAULT) usage(); + mode = KEYTAB; + break; + case '4': + fprintf(stderr, "Kerberos 4 is no longer supported\n"); + exit(3); + break; + case '5': + break; + case 'V': + print_version = 1; + break; + default: + usage(); + break; + } } if (no_resolve && !show_addresses) { - usage(); + usage(); } if (mode == DEFAULT || mode == CCACHE) { - if (show_time || show_keys) - usage(); + if (show_time || show_keys) + usage(); } else { - if (show_flags || status_only || show_addresses) - usage(); + if (show_flags || status_only || show_addresses) + usage(); } if (argc - optind > 1) { - fprintf(stderr, "Extra arguments (starting with \"%s\").\n", - argv[optind+1]); - usage(); + fprintf(stderr, "Extra arguments (starting with \"%s\").\n", + argv[optind+1]); + usage(); } if (print_version) { - printf("%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION); - exit(0); + printf("%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION); + exit(0); } name = (optind == argc-1) ? argv[optind] : 0; now = time(0); { - char tmp[BUFSIZ]; - - if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) || - !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp), - (char *) NULL)) - timestamp_width = (int) strlen(tmp); - else - timestamp_width = 15; + char tmp[BUFSIZ]; + + if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) || + !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp), + (char *) NULL)) + timestamp_width = (int) strlen(tmp); + else + timestamp_width = 15; } { - krb5_error_code retval; - retval = krb5_init_context(&kcontext); - if (retval) { - com_err(progname, retval, "while initializing krb5"); - exit(1); - } - - if (mode == DEFAULT || mode == CCACHE) - do_ccache(name); - else - do_keytab(name); + krb5_error_code retval; + retval = krb5_init_context(&kcontext); + if (retval) { + com_err(progname, retval, "while initializing krb5"); + exit(1); + } + + if (mode == DEFAULT || mode == CCACHE) + do_ccache(name); + else + do_keytab(name); } return 0; -} +} void do_keytab(name) - char *name; + char *name; { - krb5_keytab kt; - krb5_keytab_entry entry; - krb5_kt_cursor cursor; - char buf[BUFSIZ]; /* hopefully large enough for any type */ - char *pname; - int code; - - if (name == NULL) { - if ((code = krb5_kt_default(kcontext, &kt))) { - com_err(progname, code, "while getting default keytab"); - exit(1); - } - } else { - if ((code = krb5_kt_resolve(kcontext, name, &kt))) { - com_err(progname, code, "while resolving keytab %s", - name); - exit(1); - } - } - - if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) { - com_err(progname, code, "while getting keytab name"); - exit(1); - } - - printf("Keytab name: %s\n", buf); - - if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) { - com_err(progname, code, "while starting keytab scan"); - exit(1); - } - - if (show_time) { - printf("KVNO Timestamp"); - fillit(stdout, timestamp_width - sizeof("Timestamp") + 2, (int) ' '); - printf("Principal\n"); - printf("---- "); - fillit(stdout, timestamp_width, (int) '-'); - printf(" "); - fillit(stdout, 78 - timestamp_width - sizeof("KVNO"), (int) '-'); - printf("\n"); - } else { - printf("KVNO Principal\n"); - printf("---- --------------------------------------------------------------------------\n"); - } - - while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) { - if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) { - com_err(progname, code, "while unparsing principal name"); - exit(1); - } - printf("%4d ", entry.vno); - if (show_time) { - printtime(entry.timestamp); - printf(" "); - } - printf("%s", pname); - if (show_etype) - printf(" (%s) " , etype_string(entry.key.enctype)); - if (show_keys) { - printf(" (0x"); - { - int i; - for (i = 0; i < entry.key.length; i++) - printf("%02x", entry.key.contents[i]); - } - printf(")"); - } - printf("\n"); - krb5_free_unparsed_name(kcontext, pname); - } - if (code && code != KRB5_KT_END) { - com_err(progname, code, "while scanning keytab"); - exit(1); - } - if ((code = krb5_kt_end_seq_get(kcontext, kt, &cursor))) { - com_err(progname, code, "while ending keytab scan"); - exit(1); - } - exit(0); + krb5_keytab kt; + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + char buf[BUFSIZ]; /* hopefully large enough for any type */ + char *pname; + int code; + + if (name == NULL) { + if ((code = krb5_kt_default(kcontext, &kt))) { + com_err(progname, code, "while getting default keytab"); + exit(1); + } + } else { + if ((code = krb5_kt_resolve(kcontext, name, &kt))) { + com_err(progname, code, "while resolving keytab %s", + name); + exit(1); + } + } + + if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) { + com_err(progname, code, "while getting keytab name"); + exit(1); + } + + printf("Keytab name: %s\n", buf); + + if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) { + com_err(progname, code, "while starting keytab scan"); + exit(1); + } + + if (show_time) { + printf("KVNO Timestamp"); + fillit(stdout, timestamp_width - sizeof("Timestamp") + 2, (int) ' '); + printf("Principal\n"); + printf("---- "); + fillit(stdout, timestamp_width, (int) '-'); + printf(" "); + fillit(stdout, 78 - timestamp_width - sizeof("KVNO"), (int) '-'); + printf("\n"); + } else { + printf("KVNO Principal\n"); + printf("---- --------------------------------------------------------------------------\n"); + } + + while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) { + if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) { + com_err(progname, code, "while unparsing principal name"); + exit(1); + } + printf("%4d ", entry.vno); + if (show_time) { + printtime(entry.timestamp); + printf(" "); + } + printf("%s", pname); + if (show_etype) + printf(" (%s) " , etype_string(entry.key.enctype)); + if (show_keys) { + printf(" (0x"); + { + int i; + for (i = 0; i < entry.key.length; i++) + printf("%02x", entry.key.contents[i]); + } + printf(")"); + } + printf("\n"); + krb5_free_unparsed_name(kcontext, pname); + } + if (code && code != KRB5_KT_END) { + com_err(progname, code, "while scanning keytab"); + exit(1); + } + if ((code = krb5_kt_end_seq_get(kcontext, kt, &cursor))) { + com_err(progname, code, "while ending keytab scan"); + exit(1); + } + exit(0); } void do_ccache(name) - char *name; + char *name; { krb5_ccache cache = NULL; krb5_cc_cursor cur; @@ -311,111 +312,111 @@ void do_ccache(name) krb5_principal princ; krb5_flags flags; krb5_error_code code; - int exit_status = 0; - + int exit_status = 0; + if (status_only) - /* exit_status is set back to 0 if a valid tgt is found */ - exit_status = 1; + /* exit_status is set back to 0 if a valid tgt is found */ + exit_status = 1; if (name == NULL) { - if ((code = krb5_cc_default(kcontext, &cache))) { - if (!status_only) - com_err(progname, code, "while getting default ccache"); - exit(1); - } + if ((code = krb5_cc_default(kcontext, &cache))) { + if (!status_only) + com_err(progname, code, "while getting default ccache"); + exit(1); + } } else { - if ((code = krb5_cc_resolve(kcontext, name, &cache))) { - if (!status_only) - com_err(progname, code, "while resolving ccache %s", - name); - exit(1); - } - } - - flags = 0; /* turns off OPENCLOSE mode */ + if ((code = krb5_cc_resolve(kcontext, name, &cache))) { + if (!status_only) + com_err(progname, code, "while resolving ccache %s", + name); + exit(1); + } + } + + flags = 0; /* turns off OPENCLOSE mode */ if ((code = krb5_cc_set_flags(kcontext, cache, flags))) { - if (code == KRB5_FCC_NOFILE) { - if (!status_only) { - com_err(progname, code, "(ticket cache %s:%s)", - krb5_cc_get_type(kcontext, cache), - krb5_cc_get_name(kcontext, cache)); + if (code == KRB5_FCC_NOFILE) { + if (!status_only) { + com_err(progname, code, "(ticket cache %s:%s)", + krb5_cc_get_type(kcontext, cache), + krb5_cc_get_name(kcontext, cache)); #ifdef KRB5_KRB4_COMPAT - if (name == NULL) - do_v4_ccache(0); + if (name == NULL) + do_v4_ccache(0); #endif - } - } else { - if (!status_only) - com_err(progname, code, - "while setting cache flags (ticket cache %s:%s)", - krb5_cc_get_type(kcontext, cache), - krb5_cc_get_name(kcontext, cache)); - } - exit(1); + } + } else { + if (!status_only) + com_err(progname, code, + "while setting cache flags (ticket cache %s:%s)", + krb5_cc_get_type(kcontext, cache), + krb5_cc_get_name(kcontext, cache)); + } + exit(1); } if ((code = krb5_cc_get_principal(kcontext, cache, &princ))) { - if (!status_only) - com_err(progname, code, "while retrieving principal name"); - exit(1); + if (!status_only) + com_err(progname, code, "while retrieving principal name"); + exit(1); } if ((code = krb5_unparse_name(kcontext, princ, &defname))) { - if (!status_only) - com_err(progname, code, "while unparsing principal name"); - exit(1); + if (!status_only) + com_err(progname, code, "while unparsing principal name"); + exit(1); } if (!status_only) { - printf("Ticket cache: %s:%s\nDefault principal: %s\n\n", - krb5_cc_get_type(kcontext, cache), - krb5_cc_get_name(kcontext, cache), defname); - fputs("Valid starting", stdout); - fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, - (int) ' '); - fputs("Expires", stdout); - fillit(stdout, timestamp_width - sizeof("Expires") + 3, - (int) ' '); - fputs("Service principal\n", stdout); + printf("Ticket cache: %s:%s\nDefault principal: %s\n\n", + krb5_cc_get_type(kcontext, cache), + krb5_cc_get_name(kcontext, cache), defname); + fputs("Valid starting", stdout); + fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, + (int) ' '); + fputs("Expires", stdout); + fillit(stdout, timestamp_width - sizeof("Expires") + 3, + (int) ' '); + fputs("Service principal\n", stdout); } if ((code = krb5_cc_start_seq_get(kcontext, cache, &cur))) { - if (!status_only) - com_err(progname, code, "while starting to retrieve tickets"); - exit(1); + if (!status_only) + com_err(progname, code, "while starting to retrieve tickets"); + exit(1); } while (!(code = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) { - if (status_only) { - if (exit_status && creds.server->length == 2 && - strcmp(creds.server->realm.data, princ->realm.data) == 0 && - strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && - strcmp((char *)creds.server->data[1].data, - princ->realm.data) == 0 && - creds.times.endtime > now) - exit_status = 0; - } else { - show_credential(&creds); - } - krb5_free_cred_contents(kcontext, &creds); + if (status_only) { + if (exit_status && creds.server->length == 2 && + strcmp(creds.server->realm.data, princ->realm.data) == 0 && + strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 && + strcmp((char *)creds.server->data[1].data, + princ->realm.data) == 0 && + creds.times.endtime > now) + exit_status = 0; + } else { + show_credential(&creds); + } + krb5_free_cred_contents(kcontext, &creds); } if (code == KRB5_CC_END) { - if ((code = krb5_cc_end_seq_get(kcontext, cache, &cur))) { - if (!status_only) - com_err(progname, code, "while finishing ticket retrieval"); - exit(1); - } - flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */ - if ((code = krb5_cc_set_flags(kcontext, cache, flags))) { - if (!status_only) - com_err(progname, code, "while closing ccache"); - exit(1); - } + if ((code = krb5_cc_end_seq_get(kcontext, cache, &cur))) { + if (!status_only) + com_err(progname, code, "while finishing ticket retrieval"); + exit(1); + } + flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */ + if ((code = krb5_cc_set_flags(kcontext, cache, flags))) { + if (!status_only) + com_err(progname, code, "while closing ccache"); + exit(1); + } #ifdef KRB5_KRB4_COMPAT - if (name == NULL && !status_only) - do_v4_ccache(0); + if (name == NULL && !status_only) + do_v4_ccache(0); #endif - exit(exit_status); + exit(exit_status); } else { - if (!status_only) - com_err(progname, code, "while retrieving a ticket"); - exit(1); - } + if (!status_only) + com_err(progname, code, "while retrieving a ticket"); + exit(1); + } } char * @@ -424,10 +425,10 @@ etype_string(enctype) { static char buf[100]; krb5_error_code retval; - + if ((retval = krb5_enctype_to_string(enctype, buf, sizeof(buf)))) { - /* XXX if there's an error != EINVAL, I should probably report it */ - snprintf(buf, sizeof(buf), "etype %d", enctype); + /* XXX if there's an error != EINVAL, I should probably report it */ + snprintf(buf, sizeof(buf), "etype %d", enctype); } return buf; @@ -439,40 +440,40 @@ flags_string(cred) { static char buf[32]; int i = 0; - + if (cred->ticket_flags & TKT_FLG_FORWARDABLE) - buf[i++] = 'F'; + buf[i++] = 'F'; if (cred->ticket_flags & TKT_FLG_FORWARDED) - buf[i++] = 'f'; + buf[i++] = 'f'; if (cred->ticket_flags & TKT_FLG_PROXIABLE) - buf[i++] = 'P'; + buf[i++] = 'P'; if (cred->ticket_flags & TKT_FLG_PROXY) - buf[i++] = 'p'; + buf[i++] = 'p'; if (cred->ticket_flags & TKT_FLG_MAY_POSTDATE) - buf[i++] = 'D'; + buf[i++] = 'D'; if (cred->ticket_flags & TKT_FLG_POSTDATED) - buf[i++] = 'd'; + buf[i++] = 'd'; if (cred->ticket_flags & TKT_FLG_INVALID) - buf[i++] = 'i'; + buf[i++] = 'i'; if (cred->ticket_flags & TKT_FLG_RENEWABLE) - buf[i++] = 'R'; + buf[i++] = 'R'; if (cred->ticket_flags & TKT_FLG_INITIAL) - buf[i++] = 'I'; + buf[i++] = 'I'; if (cred->ticket_flags & TKT_FLG_HW_AUTH) - buf[i++] = 'H'; + buf[i++] = 'H'; if (cred->ticket_flags & TKT_FLG_PRE_AUTH) - buf[i++] = 'A'; + buf[i++] = 'A'; if (cred->ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED) - buf[i++] = 'T'; + buf[i++] = 'T'; if (cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE) - buf[i++] = 'O'; /* D/d are taken. Use short strings? */ + buf[i++] = 'O'; /* D/d are taken. Use short strings? */ if (cred->ticket_flags & TKT_FLG_ANONYMOUS) - buf[i++] = 'a'; + buf[i++] = 'a'; buf[i] = '\0'; return(buf); } -void +void printtime(tv) time_t tv; { @@ -481,10 +482,10 @@ printtime(tv) fill = ' '; if (!krb5_timestamp_to_sfstring((krb5_timestamp) tv, - timestring, - timestamp_width+1, - &fill)) { - printf(timestring); + timestring, + timestamp_width+1, + &fill)) { + printf(timestring); } } @@ -495,21 +496,21 @@ show_credential(cred) krb5_error_code retval; krb5_ticket *tkt; char *name, *sname, *flags; - int extra_field = 0; + int extra_field = 0; retval = krb5_unparse_name(kcontext, cred->client, &name); if (retval) { - com_err(progname, retval, "while unparsing client name"); - return; + com_err(progname, retval, "while unparsing client name"); + return; } retval = krb5_unparse_name(kcontext, cred->server, &sname); if (retval) { - com_err(progname, retval, "while unparsing server name"); - krb5_free_unparsed_name(kcontext, name); - return; + com_err(progname, retval, "while unparsing server name"); + krb5_free_unparsed_name(kcontext, name); + return; } if (!cred->times.starttime) - cred->times.starttime = cred->times.authtime; + cred->times.starttime = cred->times.authtime; printtime(cred->times.starttime); putchar(' '); putchar(' '); @@ -519,101 +520,101 @@ show_credential(cred) printf("%s\n", sname); if (strcmp(name, defname)) { - printf("\tfor client %s", name); - extra_field++; + printf("\tfor client %s", name); + extra_field++; } - + if (cred->times.renew_till) { - if (!extra_field) - fputs("\t",stdout); - else - fputs(", ",stdout); - fputs("renew until ", stdout); - printtime(cred->times.renew_till); - extra_field += 2; + if (!extra_field) + fputs("\t",stdout); + else + fputs(", ",stdout); + fputs("renew until ", stdout); + printtime(cred->times.renew_till); + extra_field += 2; } if (extra_field > 3) { - fputs("\n", stdout); - extra_field = 0; + fputs("\n", stdout); + extra_field = 0; } if (show_flags) { - flags = flags_string(cred); - if (flags && *flags) { - if (!extra_field) - fputs("\t",stdout); - else - fputs(", ",stdout); - printf("Flags: %s", flags); - extra_field++; - } + flags = flags_string(cred); + if (flags && *flags) { + if (!extra_field) + fputs("\t",stdout); + else + fputs(", ",stdout); + printf("Flags: %s", flags); + extra_field++; + } } if (extra_field > 2) { - fputs("\n", stdout); - extra_field = 0; + fputs("\n", stdout); + extra_field = 0; } if (show_etype) { - retval = krb5_decode_ticket(&cred->ticket, &tkt); - if (retval) - goto err_tkt; - - if (!extra_field) - fputs("\t",stdout); - else - fputs(", ",stdout); - printf("Etype (skey, tkt): %s, ", - etype_string(cred->keyblock.enctype)); - printf("%s ", - etype_string(tkt->enc_part.enctype)); - extra_field++; + retval = krb5_decode_ticket(&cred->ticket, &tkt); + if (retval) + goto err_tkt; + + if (!extra_field) + fputs("\t",stdout); + else + fputs(", ",stdout); + printf("Etype (skey, tkt): %s, ", + etype_string(cred->keyblock.enctype)); + printf("%s ", + etype_string(tkt->enc_part.enctype)); + extra_field++; err_tkt: - if (tkt != NULL) - krb5_free_ticket(kcontext, tkt); + if (tkt != NULL) + krb5_free_ticket(kcontext, tkt); } if (show_adtype) { - int i; - - if (cred->authdata != NULL) { - if (!extra_field) - fputs("\t",stdout); - else - fputs(", ",stdout); - printf("AD types: "); - for (i = 0; cred->authdata[i] != NULL; i++) { - if (i) - printf(", "); - printf("%d", cred->authdata[i]->ad_type); - } - extra_field++; - } + int i; + + if (cred->authdata != NULL) { + if (!extra_field) + fputs("\t",stdout); + else + fputs(", ",stdout); + printf("AD types: "); + for (i = 0; cred->authdata[i] != NULL; i++) { + if (i) + printf(", "); + printf("%d", cred->authdata[i]->ad_type); + } + extra_field++; + } } /* if any additional info was printed, extra_field is non-zero */ if (extra_field) - putchar('\n'); + putchar('\n'); if (show_addresses) { - if (!cred->addresses || !cred->addresses[0]) { - printf("\tAddresses: (none)\n"); - } else { - int i; + if (!cred->addresses || !cred->addresses[0]) { + printf("\tAddresses: (none)\n"); + } else { + int i; - printf("\tAddresses: "); - one_addr(cred->addresses[0]); + printf("\tAddresses: "); + one_addr(cred->addresses[0]); - for (i=1; cred->addresses[i]; i++) { - printf(", "); - one_addr(cred->addresses[i]); - } + for (i=1; cred->addresses[i]; i++) { + printf(", "); + one_addr(cred->addresses[i]); + } - printf("\n"); - } + printf("\n"); + } } krb5_free_unparsed_name(kcontext, name); @@ -635,60 +636,60 @@ void one_addr(a) switch (a->addrtype) { case ADDRTYPE_INET: - if (a->length != 4) { - broken: - printf ("broken address (type %d length %d)", - a->addrtype, a->length); - return; - } - { - struct sockaddr_in *sinp = ss2sin (&ss); - sinp->sin_family = AF_INET; + if (a->length != 4) { + broken: + printf ("broken address (type %d length %d)", + a->addrtype, a->length); + return; + } + { + struct sockaddr_in *sinp = ss2sin (&ss); + sinp->sin_family = AF_INET; #ifdef HAVE_SA_LEN - sinp->sin_len = sizeof (struct sockaddr_in); + sinp->sin_len = sizeof (struct sockaddr_in); #endif - memcpy (&sinp->sin_addr, a->contents, 4); - } - break; + memcpy (&sinp->sin_addr, a->contents, 4); + } + break; #ifdef KRB5_USE_INET6 case ADDRTYPE_INET6: - if (a->length != 16) - goto broken; - { - struct sockaddr_in6 *sin6p = ss2sin6 (&ss); - sin6p->sin6_family = AF_INET6; + if (a->length != 16) + goto broken; + { + struct sockaddr_in6 *sin6p = ss2sin6 (&ss); + sin6p->sin6_family = AF_INET6; #ifdef HAVE_SA_LEN - sin6p->sin6_len = sizeof (struct sockaddr_in6); + sin6p->sin6_len = sizeof (struct sockaddr_in6); #endif - memcpy (&sin6p->sin6_addr, a->contents, 16); - } - break; + memcpy (&sin6p->sin6_addr, a->contents, 16); + } + break; #endif default: - printf ("unknown addrtype %d", a->addrtype); - return; + printf ("unknown addrtype %d", a->addrtype); + return; } namebuf[0] = 0; err = getnameinfo (ss2sa (&ss), socklen (ss2sa (&ss)), - namebuf, sizeof (namebuf), 0, 0, - no_resolve ? NI_NUMERICHOST : 0U); + namebuf, sizeof (namebuf), 0, 0, + no_resolve ? NI_NUMERICHOST : 0U); if (err) { - printf ("unprintable address (type %d, error %d %s)", a->addrtype, err, - gai_strerror (err)); - return; + printf ("unprintable address (type %d, error %d %s)", a->addrtype, err, + gai_strerror (err)); + return; } printf ("%s", namebuf); } void fillit(f, num, c) - FILE *f; - unsigned int num; - int c; + FILE *f; + unsigned int num; + int c; { int i; for (i=0; i #include #include "autoconf.h" @@ -23,13 +24,13 @@ void get_name_from_passwd_file(program_name, kcontext, me) struct passwd *pw; krb5_error_code code; if ((pw = getpwuid(getuid()))) { - if ((code = krb5_parse_name(kcontext, pw->pw_name, me))) { - com_err (program_name, code, "when parsing name %s", pw->pw_name); - exit(1); - } + if ((code = krb5_parse_name(kcontext, pw->pw_name, me))) { + com_err (program_name, code, "when parsing name %s", pw->pw_name); + exit(1); + } } else { - fprintf(stderr, "Unable to identify user from password file\n"); - exit(1); + fprintf(stderr, "Unable to identify user from password file\n"); + exit(1); } } #else /* HAVE_PWD_H */ @@ -44,116 +45,116 @@ void get_name_from_passwd_file(kcontext, me) int main(int argc, char *argv[]) { - krb5_error_code ret; - krb5_context context; - krb5_principal princ; - char *pname; - krb5_ccache ccache; - krb5_get_init_creds_opt *opts = NULL; - krb5_creds creds; - - char pw[1024]; - unsigned int pwlen; - int result_code; - krb5_data result_code_string, result_string; - - if (argc > 2) { - fprintf(stderr, "usage: %s [principal]\n", argv[0]); - exit(1); - } - - pname = argv[1]; - - ret = krb5_init_context(&context); - if (ret) { - com_err(argv[0], ret, "initializing kerberos library"); - exit(1); - } - - /* in order, use the first of: - - a name specified on the command line - - the principal name from an existing ccache - - the name corresponding to the ruid of the process - - otherwise, it's an error. - */ - - if (pname) { - if ((ret = krb5_parse_name(context, pname, &princ))) { - com_err(argv[0], ret, "parsing client name"); - exit(1); - } - } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { - if (ret) { - com_err(argv[0], ret, "opening default ccache"); - exit(1); - } - - if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { - com_err(argv[0], ret, "getting principal from ccache"); - exit(1); - } - - if ((ret = krb5_cc_close(context, ccache))) { - com_err(argv[0], ret, "closing ccache"); - exit(1); - } - } else { - get_name_from_passwd_file(argv[0], context, &princ); - } - - if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { - com_err(argv[0], ret, "allocating krb5_get_init_creds_opt"); - exit(1); - } - krb5_get_init_creds_opt_set_tkt_life(opts, 5*60); - krb5_get_init_creds_opt_set_renew_life(opts, 0); - krb5_get_init_creds_opt_set_forwardable(opts, 0); - krb5_get_init_creds_opt_set_proxiable(opts, 0); - - if ((ret = krb5_get_init_creds_password(context, &creds, princ, NULL, - krb5_prompter_posix, NULL, - 0, "kadmin/changepw", opts))) { - if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) - com_err(argv[0], 0, - "Password incorrect while getting initial ticket"); - else - com_err(argv[0], ret, "getting initial ticket"); - krb5_get_init_creds_opt_free(context, opts); - exit(1); - } - - pwlen = sizeof(pw); - if ((ret = krb5_read_password(context, P1, P2, pw, &pwlen))) { - com_err(argv[0], ret, "while reading password"); - krb5_get_init_creds_opt_free(context, opts); - exit(1); - } - - if ((ret = krb5_change_password(context, &creds, pw, - &result_code, &result_code_string, - &result_string))) { - com_err(argv[0], ret, "changing password"); - krb5_get_init_creds_opt_free(context, opts); - exit(1); - } - - if (result_code) { - printf("%.*s%s%.*s\n", - (int) result_code_string.length, result_code_string.data, - result_string.length?": ":"", - (int) result_string.length, - result_string.data ? result_string.data : ""); - krb5_get_init_creds_opt_free(context, opts); - exit(2); - } - - if (result_string.data != NULL) - free(result_string.data); - if (result_code_string.data != NULL) - free(result_code_string.data); - krb5_get_init_creds_opt_free(context, opts); - - printf("Password changed.\n"); - exit(0); + krb5_error_code ret; + krb5_context context; + krb5_principal princ; + char *pname; + krb5_ccache ccache; + krb5_get_init_creds_opt *opts = NULL; + krb5_creds creds; + + char pw[1024]; + unsigned int pwlen; + int result_code; + krb5_data result_code_string, result_string; + + if (argc > 2) { + fprintf(stderr, "usage: %s [principal]\n", argv[0]); + exit(1); + } + + pname = argv[1]; + + ret = krb5_init_context(&context); + if (ret) { + com_err(argv[0], ret, "initializing kerberos library"); + exit(1); + } + + /* in order, use the first of: + - a name specified on the command line + - the principal name from an existing ccache + - the name corresponding to the ruid of the process + + otherwise, it's an error. + */ + + if (pname) { + if ((ret = krb5_parse_name(context, pname, &princ))) { + com_err(argv[0], ret, "parsing client name"); + exit(1); + } + } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { + if (ret) { + com_err(argv[0], ret, "opening default ccache"); + exit(1); + } + + if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { + com_err(argv[0], ret, "getting principal from ccache"); + exit(1); + } + + if ((ret = krb5_cc_close(context, ccache))) { + com_err(argv[0], ret, "closing ccache"); + exit(1); + } + } else { + get_name_from_passwd_file(argv[0], context, &princ); + } + + if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { + com_err(argv[0], ret, "allocating krb5_get_init_creds_opt"); + exit(1); + } + krb5_get_init_creds_opt_set_tkt_life(opts, 5*60); + krb5_get_init_creds_opt_set_renew_life(opts, 0); + krb5_get_init_creds_opt_set_forwardable(opts, 0); + krb5_get_init_creds_opt_set_proxiable(opts, 0); + + if ((ret = krb5_get_init_creds_password(context, &creds, princ, NULL, + krb5_prompter_posix, NULL, + 0, "kadmin/changepw", opts))) { + if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) + com_err(argv[0], 0, + "Password incorrect while getting initial ticket"); + else + com_err(argv[0], ret, "getting initial ticket"); + krb5_get_init_creds_opt_free(context, opts); + exit(1); + } + + pwlen = sizeof(pw); + if ((ret = krb5_read_password(context, P1, P2, pw, &pwlen))) { + com_err(argv[0], ret, "while reading password"); + krb5_get_init_creds_opt_free(context, opts); + exit(1); + } + + if ((ret = krb5_change_password(context, &creds, pw, + &result_code, &result_code_string, + &result_string))) { + com_err(argv[0], ret, "changing password"); + krb5_get_init_creds_opt_free(context, opts); + exit(1); + } + + if (result_code) { + printf("%.*s%s%.*s\n", + (int) result_code_string.length, result_code_string.data, + result_string.length?": ":"", + (int) result_string.length, + result_string.data ? result_string.data : ""); + krb5_get_init_creds_opt_free(context, opts); + exit(2); + } + + if (result_string.data != NULL) + free(result_string.data); + if (result_code_string.data != NULL) + free(result_code_string.data); + krb5_get_init_creds_opt_free(context, opts); + + printf("Password changed.\n"); + exit(0); } diff --git a/src/clients/kpasswd/ksetpwd.c b/src/clients/kpasswd/ksetpwd.c index a489f06e3..971990506 100644 --- a/src/clients/kpasswd/ksetpwd.c +++ b/src/clients/kpasswd/ksetpwd.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -9,26 +10,26 @@ static int verify_creds() { - krb5_context kcontext; - krb5_ccache ccache; - krb5_error_code kres; + krb5_context kcontext; + krb5_ccache ccache; + krb5_error_code kres; - kres = krb5_init_context(&kcontext); - if( kres == 0 ) - { - kres = krb5_cc_default( kcontext, &ccache ); - if( kres == 0 ) - { - krb5_principal user_princ; + kres = krb5_init_context(&kcontext); + if( kres == 0 ) + { + kres = krb5_cc_default( kcontext, &ccache ); + if( kres == 0 ) + { + krb5_principal user_princ; - kres = krb5_cc_get_principal( kcontext, ccache, &user_princ ); - if( kres == 0 ) - krb5_free_principal( kcontext, user_princ ); - krb5_cc_close( kcontext, ccache ); - } - krb5_free_context(kcontext); - } - return kres; + kres = krb5_cc_get_principal( kcontext, ccache, &user_princ ); + if( kres == 0 ) + krb5_free_principal( kcontext, user_princ ); + krb5_cc_close( kcontext, ccache ); + } + krb5_free_context(kcontext); + } + return kres; } static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions ) @@ -44,269 +45,269 @@ typedef void * kbrccache_t; #define CCACHE_PREFIX_DEFAULT "MEMORY:C_" static kbrccache_t userinitcontext( - const char * user, const char * domain, const char * passwd, const char * cachename, int initialize, - int * outError ) + const char * user, const char * domain, const char * passwd, const char * cachename, int initialize, + int * outError ) { - krb5_context kcontext = 0; - krb5_ccache kcache = 0; - krb5_creds kcreds; - krb5_principal kme = 0; - krb5_error_code kres; - char * pPass = strdup( passwd ); - char * pName = NULL; - char * pCacheName = NULL; - int numCreds = 0; + krb5_context kcontext = 0; + krb5_ccache kcache = 0; + krb5_creds kcreds; + krb5_principal kme = 0; + krb5_error_code kres; + char * pPass = strdup( passwd ); + char * pName = NULL; + char * pCacheName = NULL; + int numCreds = 0; - memset( &kcreds, 0, sizeof(kcreds) ); - kres = krb5_init_context( &kcontext ); - if( kres ) - goto return_error; - if( domain ) - kres = krb5_build_principal( kcontext, &kme, strlen(domain), domain, user, (char *) 0 ); - else - kres = krb5_parse_name( kcontext, user, &kme ); - if( kres ) - goto fail; - krb5_unparse_name( kcontext, kme, &pName ); - if( cachename ) - { - if (asprintf(&pCacheName, "%s%s", cachename, pName) < 0) - { - kres = KRB5_CC_NOMEM; - goto fail; - } - kres = krb5_cc_resolve( kcontext, pCacheName, &kcache ); - if( kres ) - { - kres = krb5_cc_resolve( kcontext, CCACHE_PREFIX_DEFAULT, &kcache ); - if( kres == 0 ) - pCacheName = strdup(CCACHE_PREFIX_DEFAULT); - } - } - else - { - kres = krb5_cc_default( kcontext, &kcache ); - pCacheName = strdup( krb5_cc_get_name( kcontext, kcache ) ); - } - if( kres ) - { - krb5_free_context(kcontext); - goto return_error; - } - if( initialize ) - krb5_cc_initialize( kcontext, kcache, kme ); - if( kres == 0 && user && passwd ) - { - long timeneeded = time(0L) +TKTTIMELEFT; - int have_credentials = 0; - krb5_cc_cursor cc_curs = NULL; - numCreds = 0; - if( (kres=krb5_cc_start_seq_get(kcontext, kcache, &cc_curs)) >= 0 ) - { - while( (kres=krb5_cc_next_cred(kcontext, kcache, &cc_curs, &kcreds))== 0) - { - numCreds++; - if( krb5_principal_compare( kcontext, kme, kcreds.client ) ) - { - if( kcreds.ticket_flags & TKT_FLG_INITIAL && kcreds.times.endtime>timeneeded ) - have_credentials = 1; - } - krb5_free_cred_contents( kcontext, &kcreds ); - if( have_credentials ) - break; - } - krb5_cc_end_seq_get( kcontext, kcache, &cc_curs ); - } - else - { - const char * errmsg = error_message(kres); - fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg ); - } - if( kres != 0 || have_credentials == 0 ) - { - krb5_get_init_creds_opt *options = NULL; - kres = krb5_get_init_creds_opt_alloc(kcontext, &options); - if ( kres == 0 ) - { - get_init_creds_opt_init(options); + memset( &kcreds, 0, sizeof(kcreds) ); + kres = krb5_init_context( &kcontext ); + if( kres ) + goto return_error; + if( domain ) + kres = krb5_build_principal( kcontext, &kme, strlen(domain), domain, user, (char *) 0 ); + else + kres = krb5_parse_name( kcontext, user, &kme ); + if( kres ) + goto fail; + krb5_unparse_name( kcontext, kme, &pName ); + if( cachename ) + { + if (asprintf(&pCacheName, "%s%s", cachename, pName) < 0) + { + kres = KRB5_CC_NOMEM; + goto fail; + } + kres = krb5_cc_resolve( kcontext, pCacheName, &kcache ); + if( kres ) + { + kres = krb5_cc_resolve( kcontext, CCACHE_PREFIX_DEFAULT, &kcache ); + if( kres == 0 ) + pCacheName = strdup(CCACHE_PREFIX_DEFAULT); + } + } + else + { + kres = krb5_cc_default( kcontext, &kcache ); + pCacheName = strdup( krb5_cc_get_name( kcontext, kcache ) ); + } + if( kres ) + { + krb5_free_context(kcontext); + goto return_error; + } + if( initialize ) + krb5_cc_initialize( kcontext, kcache, kme ); + if( kres == 0 && user && passwd ) + { + long timeneeded = time(0L) +TKTTIMELEFT; + int have_credentials = 0; + krb5_cc_cursor cc_curs = NULL; + numCreds = 0; + if( (kres=krb5_cc_start_seq_get(kcontext, kcache, &cc_curs)) >= 0 ) + { + while( (kres=krb5_cc_next_cred(kcontext, kcache, &cc_curs, &kcreds))== 0) + { + numCreds++; + if( krb5_principal_compare( kcontext, kme, kcreds.client ) ) + { + if( kcreds.ticket_flags & TKT_FLG_INITIAL && kcreds.times.endtime>timeneeded ) + have_credentials = 1; + } + krb5_free_cred_contents( kcontext, &kcreds ); + if( have_credentials ) + break; + } + krb5_cc_end_seq_get( kcontext, kcache, &cc_curs ); + } + else + { + const char * errmsg = error_message(kres); + fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg ); + } + if( kres != 0 || have_credentials == 0 ) + { + krb5_get_init_creds_opt *options = NULL; + kres = krb5_get_init_creds_opt_alloc(kcontext, &options); + if ( kres == 0 ) + { + get_init_creds_opt_init(options); /* ** no valid credentials - get new ones */ - kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass, - NULL /*prompter*/, - NULL /*data*/, - 0 /*starttime*/, - 0 /*in_tkt_service*/, - options /*options*/ ); - } - if( kres == 0 ) - { - if( numCreds <= 0 ) - kres = krb5_cc_initialize( kcontext, kcache, kme ); - if( kres == 0 ) - kres = krb5_cc_store_cred( kcontext, kcache, &kcreds ); - if( kres == 0 ) - have_credentials = 1; - } - krb5_get_init_creds_opt_free(kcontext, options); - } + kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass, + NULL /*prompter*/, + NULL /*data*/, + 0 /*starttime*/, + 0 /*in_tkt_service*/, + options /*options*/ ); + } + if( kres == 0 ) + { + if( numCreds <= 0 ) + kres = krb5_cc_initialize( kcontext, kcache, kme ); + if( kres == 0 ) + kres = krb5_cc_store_cred( kcontext, kcache, &kcreds ); + if( kres == 0 ) + have_credentials = 1; + } + krb5_get_init_creds_opt_free(kcontext, options); + } #ifdef NOTUSED - if( have_credentials ) - { - int mstat; - kres = gss_krb5_ccache_name( &mstat, pCacheName, NULL ); - if( getenv( ENV_DEBUG_LDAPKERB ) ) - fprintf( stderr, "gss credentials cache set to %s(%d)\n", pCacheName, kres ); - } + if( have_credentials ) + { + int mstat; + kres = gss_krb5_ccache_name( &mstat, pCacheName, NULL ); + if( getenv( ENV_DEBUG_LDAPKERB ) ) + fprintf( stderr, "gss credentials cache set to %s(%d)\n", pCacheName, kres ); + } #endif - krb5_cc_close( kcontext, kcache ); - } + krb5_cc_close( kcontext, kcache ); + } fail: - if( kres ) - { - const char * errmsg = error_message(kres); - fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg ); - } - krb5_free_principal( kcontext, kme ); - krb5_free_cred_contents( kcontext, &kcreds ); - if( pName ) - free( pName ); - free(pPass); - krb5_free_context(kcontext); + if( kres ) + { + const char * errmsg = error_message(kres); + fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg ); + } + krb5_free_principal( kcontext, kme ); + krb5_free_cred_contents( kcontext, &kcreds ); + if( pName ) + free( pName ); + free(pPass); + krb5_free_context(kcontext); return_error: - if( kres ) - { - if( pCacheName ) - { - free(pCacheName); - pCacheName = NULL; - } - } - if( outError ) - *outError = kres; - return pCacheName; + if( kres ) + { + if( pCacheName ) + { + free(pCacheName); + pCacheName = NULL; + } + } + if( outError ) + *outError = kres; + return pCacheName; } static int init_creds() { - char user[512]; - char * password = NULL; - int result; + char user[512]; + char * password = NULL; + int result; - user[0] = 0; - result = -1; + user[0] = 0; + result = -1; - for(;;) - { - while( user[0] == 0 ) - { - int userlen; - printf( "Username: "); - fflush(stdout); - if( fgets( user, sizeof(user), stdin ) == NULL ) - return -1; - userlen = strlen( user); - if( userlen < 2 ) - continue; - user[userlen-1] = 0; /* get rid of the newline */ - break; - } - { - kbrccache_t usercontext; - password = getpass( "Password: "); - if( ! password ) - return -1; - result = 0; - usercontext = userinitcontext( user, NULL, password, NULL, 1, &result ); - if( usercontext ) - break; - } - } - return result; + for(;;) + { + while( user[0] == 0 ) + { + int userlen; + printf( "Username: "); + fflush(stdout); + if( fgets( user, sizeof(user), stdin ) == NULL ) + return -1; + userlen = strlen( user); + if( userlen < 2 ) + continue; + user[userlen-1] = 0; /* get rid of the newline */ + break; + } + { + kbrccache_t usercontext; + password = getpass( "Password: "); + if( ! password ) + return -1; + result = 0; + usercontext = userinitcontext( user, NULL, password, NULL, 1, &result ); + if( usercontext ) + break; + } + } + return result; } int main( int argc, char ** argv ) { - char * new_password = NULL; - char * new_password2; - krb5_context kcontext; - krb5_error_code kerr; - krb5_principal target_principal; + char * new_password = NULL; + char * new_password2; + krb5_context kcontext; + krb5_error_code kerr; + krb5_principal target_principal; - if( argc < 2 ) - { - fprintf( stderr, "Usage: setpass user@REALM\n"); - exit(1); - } + if( argc < 2 ) + { + fprintf( stderr, "Usage: setpass user@REALM\n"); + exit(1); + } /* ** verify credentials - */ - if( verify_creds() ) - init_creds(); - if( verify_creds() ) - { - fprintf( stderr, "No user credentials available\n"); - exit(1); - } + if( verify_creds() ) + init_creds(); + if( verify_creds() ) + { + fprintf( stderr, "No user credentials available\n"); + exit(1); + } /* ** check the principal name - */ - krb5_init_context(&kcontext); - kerr = krb5_parse_name( kcontext, argv[1], &target_principal ); + krb5_init_context(&kcontext); + kerr = krb5_parse_name( kcontext, argv[1], &target_principal ); - { - char * pname = NULL; - kerr = krb5_unparse_name( kcontext, target_principal, &pname ); - printf( "Changing password for %s:\n", pname); - fflush( stdout ); - free( pname ); - } + { + char * pname = NULL; + kerr = krb5_unparse_name( kcontext, target_principal, &pname ); + printf( "Changing password for %s:\n", pname); + fflush( stdout ); + free( pname ); + } /* ** get the new password - */ - while( !new_password ) - { - new_password = getpass("Enter new password: "); - new_password2 = getpass("Verify new password: "); - if( strcmp( new_password, new_password2 ) ) - { - printf("Passwords do not match\n"); - free( new_password ); - free( new_password2 ); - continue; - } - } + while( !new_password ) + { + new_password = getpass("Enter new password: "); + new_password2 = getpass("Verify new password: "); + if( strcmp( new_password, new_password2 ) ) + { + printf("Passwords do not match\n"); + free( new_password ); + free( new_password2 ); + continue; + } + } /* ** change the password - */ - { - int pw_result; - krb5_ccache ccache; - krb5_data pw_res_string, res_string; + { + int pw_result; + krb5_ccache ccache; + krb5_data pw_res_string, res_string; - kerr = krb5_cc_default( kcontext, &ccache ); - if( kerr == 0 ) - { - kerr = krb5_set_password_using_ccache(kcontext, ccache, new_password, target_principal, - &pw_result, &pw_res_string, &res_string ); - if( kerr ) - fprintf( stderr, "Failed: %s\n", error_message(kerr) ); - else - { - if( pw_result ) - { - fprintf( stderr, "Failed(%d)", pw_result ); - if( pw_res_string.length > 0 ) - fprintf( stderr, ": %s", pw_res_string.data); - if( res_string.length > 0 ) - fprintf( stderr, " %s", res_string.data); - fprintf( stderr, "\n"); - } - } - } - } - return(0); + kerr = krb5_cc_default( kcontext, &ccache ); + if( kerr == 0 ) + { + kerr = krb5_set_password_using_ccache(kcontext, ccache, new_password, target_principal, + &pw_result, &pw_res_string, &res_string ); + if( kerr ) + fprintf( stderr, "Failed: %s\n", error_message(kerr) ); + else + { + if( pw_result ) + { + fprintf( stderr, "Failed(%d)", pw_result ); + if( pw_res_string.length > 0 ) + fprintf( stderr, ": %s", pw_res_string.data); + if( res_string.length > 0 ) + fprintf( stderr, " %s", res_string.data); + fprintf( stderr, "\n"); + } + } + } + } + return(0); } diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c index 0c90d2713..fcc5ca99d 100644 --- a/src/clients/ksu/authorization.c +++ b/src/clients/ksu/authorization.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 1994 by the University of Southern California * @@ -40,11 +41,11 @@ krb5_boolean fowner(fp, uid) * the user himself, or by root. Otherwise, don't grant access. */ if (fstat(fileno(fp), &sbuf)) { - return(FALSE); + return(FALSE); } if ((sbuf.st_uid != uid) && sbuf.st_uid) { - return(FALSE); + return(FALSE); } return(TRUE); @@ -59,8 +60,8 @@ krb5_boolean fowner(fp, uid) */ krb5_error_code krb5_authorization(context, principal, luser, - cmd, ok, out_fcmd) - /* IN */ + cmd, ok, out_fcmd) +/* IN */ krb5_context context; krb5_principal principal; const char *luser; @@ -82,11 +83,11 @@ krb5_error_code krb5_authorization(context, principal, luser, /* no account => no access */ if ((pwd = getpwnam(luser)) == NULL) - return 0; + return 0; retval = krb5_unparse_name(context, principal, &princname); if (retval) - return retval; + return retval; #ifdef DEBUG printf("principal to be authorized %s\n", princname); @@ -99,43 +100,43 @@ krb5_error_code krb5_authorization(context, principal, luser, /* k5login and k5users must be owned by target user or root */ if (!k5login_flag){ - if ((login_fp = fopen(k5login_path, "r")) == NULL) - return 0; - if ( fowner(login_fp, pwd->pw_uid) == FALSE) { - fclose(login_fp); - return 0; - } + if ((login_fp = fopen(k5login_path, "r")) == NULL) + return 0; + if ( fowner(login_fp, pwd->pw_uid) == FALSE) { + fclose(login_fp); + return 0; + } } if (!k5users_flag){ - if ((users_fp = fopen(k5users_path, "r")) == NULL) { - return 0; - } - if ( fowner(users_fp, pwd->pw_uid) == FALSE){ - fclose(users_fp); - return 0; - } + if ((users_fp = fopen(k5users_path, "r")) == NULL) { + return 0; + } + if ( fowner(users_fp, pwd->pw_uid) == FALSE){ + fclose(users_fp); + return 0; + } } if (auth_debug){ - fprintf(stderr, - "In krb5_authorization: if auth files exist -> can access\n"); + fprintf(stderr, + "In krb5_authorization: if auth files exist -> can access\n"); } #if 0 if (cmd){ - if(k5users_flag){ - return 0; /* if kusers does not exist -> done */ - }else{ - if(retval = k5users_lookup(users_fp,princname, - cmd,&retbool,out_fcmd)){ - auth_cleanup(users_fp, login_fp, princname); - return retval; - }else{ - *ok =retbool; - return retval; - } - } + if(k5users_flag){ + return 0; /* if kusers does not exist -> done */ + }else{ + if(retval = k5users_lookup(users_fp,princname, + cmd,&retbool,out_fcmd)){ + auth_cleanup(users_fp, login_fp, princname); + return retval; + }else{ + *ok =retbool; + return retval; + } + } } #endif @@ -144,41 +145,41 @@ krb5_error_code krb5_authorization(context, principal, luser, if it's not there check the k5users file */ if (!k5login_flag){ - if (auth_debug) - fprintf(stderr, - "In krb5_authorization: principal to be authorized %s\n", - princname); - - retval = k5login_lookup(login_fp, princname, &retbool); - if (retval) { - auth_cleanup(users_fp, login_fp, princname); - return retval; - } - if (retbool) { - if (cmd) - *out_fcmd = xstrdup(cmd); - } + if (auth_debug) + fprintf(stderr, + "In krb5_authorization: principal to be authorized %s\n", + princname); + + retval = k5login_lookup(login_fp, princname, &retbool); + if (retval) { + auth_cleanup(users_fp, login_fp, princname); + return retval; + } + if (retbool) { + if (cmd) + *out_fcmd = xstrdup(cmd); + } } if ((!k5users_flag) && (retbool == FALSE) ){ - retval = k5users_lookup (users_fp, princname, - cmd, &retbool, out_fcmd); - if(retval) { - auth_cleanup(users_fp, login_fp, princname); - return retval; - } + retval = k5users_lookup (users_fp, princname, + cmd, &retbool, out_fcmd); + if(retval) { + auth_cleanup(users_fp, login_fp, princname); + return retval; + } } if (k5login_flag && k5users_flag){ - char * kuser = (char *) xcalloc (strlen(princname), sizeof(char)); - if (!(krb5_aname_to_localname(context, principal, - strlen(princname), kuser)) - && (strcmp(kuser, luser) == 0)) { - retbool = TRUE; - } + char * kuser = (char *) xcalloc (strlen(princname), sizeof(char)); + if (!(krb5_aname_to_localname(context, principal, + strlen(princname), kuser)) + && (strcmp(kuser, luser) == 0)) { + retbool = TRUE; + } - free(kuser); + free(kuser); } *ok =retbool; @@ -208,28 +209,28 @@ krb5_error_code k5login_lookup (fp, princname, found) retval = get_line(fp, &line); if (retval) - return retval; + return retval; while (line){ - fprinc = get_first_token (line, &lp); - - if (fprinc && (!strcmp(princname, fprinc))){ - if( get_next_token (&lp) ){ - free (line); - break; /* nothing should follow princname*/ - } - else{ - loc_found = TRUE; - free (line); - break; - } - } - - free (line); - - retval = get_line(fp, &line); - if (retval) - return retval; + fprinc = get_first_token (line, &lp); + + if (fprinc && (!strcmp(princname, fprinc))){ + if( get_next_token (&lp) ){ + free (line); + break; /* nothing should follow princname*/ + } + else{ + loc_found = TRUE; + free (line); + break; + } + } + + free (line); + + retval = get_line(fp, &line); + if (retval) + return retval; } @@ -248,10 +249,10 @@ authorization alg: if princname is not found return false. if princname is found{ - if cmd == NULL then the file entry after principal - name must be nothing or * + if cmd == NULL then the file entry after principal + name must be nothing or * - if cmd !=NULL then entry must be matched (* is ok) + if cmd !=NULL then entry must be matched (* is ok) } @@ -272,62 +273,62 @@ krb5_error_code k5users_lookup (fp, princname, cmd, found, out_fcmd) retval = get_line(fp, &line); if (retval) - return retval; + return retval; while (line){ - fprinc = get_first_token (line, &lp); - - if (fprinc && (!strcmp(princname, fprinc))){ - fcmd = get_next_token (&lp); - - if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){ - if (get_next_token(&lp) == NULL){ - loc_fcmd =cmd ? xstrdup(cmd): NULL; - loc_found = TRUE; - } - free (line); - break; - } - - if (cmd == NULL){ - if (fcmd == NULL) - loc_found = TRUE; - free (line); - break; - - }else{ - if (fcmd != NULL) { - char * temp_rfcmd, *err; - krb5_boolean match; - do { - if(match_commands(fcmd,cmd,&match, - &temp_rfcmd, &err)){ - if (auth_debug){ - fprintf(stderr,"%s",err); - } - loc_fcmd = err; - break; - }else{ - if (match == TRUE){ - loc_fcmd = temp_rfcmd; - loc_found = TRUE; - break; - } - } - - }while ((fcmd = get_next_token( &lp))); - } - free (line); - break; - } - } - - free (line); - - retval = get_line(fp, &line); - if (retval) { - return retval; - } + fprinc = get_first_token (line, &lp); + + if (fprinc && (!strcmp(princname, fprinc))){ + fcmd = get_next_token (&lp); + + if ((fcmd) && (!strcmp(fcmd, PERMIT_ALL_COMMANDS))){ + if (get_next_token(&lp) == NULL){ + loc_fcmd =cmd ? xstrdup(cmd): NULL; + loc_found = TRUE; + } + free (line); + break; + } + + if (cmd == NULL){ + if (fcmd == NULL) + loc_found = TRUE; + free (line); + break; + + }else{ + if (fcmd != NULL) { + char * temp_rfcmd, *err; + krb5_boolean match; + do { + if(match_commands(fcmd,cmd,&match, + &temp_rfcmd, &err)){ + if (auth_debug){ + fprintf(stderr,"%s",err); + } + loc_fcmd = err; + break; + }else{ + if (match == TRUE){ + loc_fcmd = temp_rfcmd; + loc_found = TRUE; + break; + } + } + + }while ((fcmd = get_next_token( &lp))); + } + free (line); + break; + } + } + + free (line); + + retval = get_line(fp, &line); + if (retval) { + return retval; + } } *out_fcmd = loc_fcmd; @@ -358,54 +359,54 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err) tmp_fcmd = (char **) xcalloc (MAX_CMD, sizeof(char *)); if (*fcmd == '/'){ /* must be full path */ - tmp_fcmd[0] = xstrdup(fcmd); - tmp_fcmd[1] = NULL; - *out_fcmd = tmp_fcmd; - return TRUE; + tmp_fcmd[0] = xstrdup(fcmd); + tmp_fcmd[1] = NULL; + *out_fcmd = tmp_fcmd; + return TRUE; }else{ - /* must be either full path or just the cmd name */ - if (strchr(fcmd, '/')){ - asprintf(&err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME); - *out_err = err; - return FALSE; - } + /* must be either full path or just the cmd name */ + if (strchr(fcmd, '/')){ + asprintf(&err,"Error: bad entry - %s in %s file, must be either full path or just the cmd name\n", fcmd, KRB5_USERS_NAME); + *out_err = err; + return FALSE; + } #ifndef CMD_PATH - asprintf(&err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd); - *out_err = err; - return FALSE; + asprintf(&err,"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH must be defined \n", fcmd, KRB5_USERS_NAME, fcmd); + *out_err = err; + return FALSE; #else - path = xstrdup (CMD_PATH); - path_ptr = path; + path = xstrdup (CMD_PATH); + path_ptr = path; - while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++; + while ((*path_ptr == ' ') || (*path_ptr == '\t')) path_ptr ++; - tc = get_first_token (path_ptr, &lp); + tc = get_first_token (path_ptr, &lp); - if (! tc){ - asprintf(&err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME); - *out_err = err; - return FALSE; - } + if (! tc){ + asprintf(&err,"Error: bad entry - %s in %s file, CMD_PATH contains no paths \n", fcmd, KRB5_USERS_NAME); + *out_err = err; + return FALSE; + } - i=0; - do{ - if (*tc != '/'){ /* must be full path */ - asprintf(&err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME ); - *out_err = err; - return FALSE; - } + i=0; + do{ + if (*tc != '/'){ /* must be full path */ + asprintf(&err,"Error: bad path %s in CMD_PATH for %s must start with '/' \n",tc, KRB5_USERS_NAME ); + *out_err = err; + return FALSE; + } - tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd); + tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd); - i++; + i++; - } while((tc = get_next_token (&lp))); + } while((tc = get_next_token (&lp))); - tmp_fcmd[i] = NULL; - *out_fcmd = tmp_fcmd; - return TRUE; + tmp_fcmd[i] = NULL; + *out_fcmd = tmp_fcmd; + return TRUE; #endif /* CMD_PATH */ } @@ -413,7 +414,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err) /******************************************** cmd_single - checks if cmd consists of a path - or a single token + or a single token ********************************************/ @@ -422,9 +423,9 @@ krb5_boolean cmd_single(cmd) { if ( ( strrchr( cmd, '/')) == NULL){ - return TRUE; + return TRUE; }else{ - return FALSE; + return FALSE; } } @@ -443,17 +444,17 @@ int cmd_arr_cmp_postfix(fcmd_arr, cmd) int i = 0; while(fcmd_arr[i]){ - if ( (ptr = strrchr( fcmd_arr[i], '/')) == NULL){ - temp_fcmd = fcmd_arr[i]; - }else { - temp_fcmd = ptr + 1; - } - - result = strcmp (temp_fcmd, cmd); - if (result == 0){ - break; - } - i++; + if ( (ptr = strrchr( fcmd_arr[i], '/')) == NULL){ + temp_fcmd = fcmd_arr[i]; + }else { + temp_fcmd = ptr + 1; + } + + result = strcmp (temp_fcmd, cmd); + if (result == 0){ + break; + } + i++; } return result; @@ -475,11 +476,11 @@ int cmd_arr_cmp (fcmd_arr, cmd) int i = 0; while(fcmd_arr[i]){ - result = strcmp (fcmd_arr[i], cmd); - if (result == 0){ - break; - } - i++; + result = strcmp (fcmd_arr[i], cmd); + if (result == 0){ + break; + } + i++; } return result; } @@ -497,25 +498,25 @@ krb5_boolean find_first_cmd_that_exists(fcmd_arr, cmd_out, err_out) struct k5buf buf; while(fcmd_arr[i]){ - if (!stat (fcmd_arr[i], &st_temp )){ - *cmd_out = xstrdup(fcmd_arr[i]); - retbool = TRUE; - break; - } - i++; + if (!stat (fcmd_arr[i], &st_temp )){ + *cmd_out = xstrdup(fcmd_arr[i]); + retbool = TRUE; + break; + } + i++; } if (retbool == FALSE ){ - krb5int_buf_init_dynamic(&buf); - krb5int_buf_add(&buf, "Error: not found -> "); - for(j= 0; j < i; j ++) - krb5int_buf_add_fmt(&buf, " %s ", fcmd_arr[j]); - krb5int_buf_add(&buf, "\n"); - *err_out = krb5int_buf_data(&buf); - if (*err_out == NULL) { - perror(prog_name); - exit(1); - } + krb5int_buf_init_dynamic(&buf); + krb5int_buf_add(&buf, "Error: not found -> "); + for(j= 0; j < i; j ++) + krb5int_buf_add_fmt(&buf, " %s ", fcmd_arr[j]); + krb5int_buf_add(&buf, "\n"); + *err_out = krb5int_buf_data(&buf); + if (*err_out == NULL) { + perror(prog_name); + exit(1); + } } @@ -539,45 +540,45 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out) char * cmd_temp; if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){ - *err_out = err; - return 1; + *err_out = err; + return 1; } if (cmd_single( cmd ) == TRUE){ - if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */ - - if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){ - *match = TRUE; - *cmd_out = cmd_temp; - return 0; - }else{ - *err_out = err; - return 1; - } - }else{ - *match = FALSE; - return 0; - } + if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */ + + if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){ + *match = TRUE; + *cmd_out = cmd_temp; + return 0; + }else{ + *err_out = err; + return 1; + } + }else{ + *match = FALSE; + return 0; + } }else{ - if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */ - *match = TRUE; - *cmd_out = xstrdup(cmd); - return 0; - } else{ - *match = FALSE; - return 0; - } + if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */ + *match = TRUE; + *cmd_out = xstrdup(cmd); + return 0; + } else{ + *match = FALSE; + return 0; + } } } /********************************************************* get_line - returns a line of any length. out_line - is set to null if eof. + is set to null if eof. *********************************************************/ krb5_error_code get_line (fp, out_line) - /* IN */ +/* IN */ FILE *fp; /* OUT */ char **out_line; @@ -590,27 +591,27 @@ krb5_error_code get_line (fp, out_line) line[0] = '\0'; while (( r = fgets(line_ptr, BUFSIZ , fp)) != NULL){ - newline = strchr(line_ptr, '\n'); - if (newline) { - *newline = '\0'; - break; - } - else { - chunk_count ++; - if(!( line = (char *) realloc( line, - chunk_count * sizeof(char) * BUFSIZ))){ - return ENOMEM; - } - - line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ; - } + newline = strchr(line_ptr, '\n'); + if (newline) { + *newline = '\0'; + break; + } + else { + chunk_count ++; + if(!( line = (char *) realloc( line, + chunk_count * sizeof(char) * BUFSIZ))){ + return ENOMEM; + } + + line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ; + } } if ((r == NULL) && (strlen(line) == 0)) { - *out_line = NULL; + *out_line = NULL; } else{ - *out_line = line; + *out_line = line; } return 0; @@ -635,20 +636,20 @@ char * get_first_token (line, lnext) out_ptr = line; lptr = line; - + while (( *lptr == ' ') || (*lptr == '\t')) lptr ++; - + if (strlen(lptr) == 0) return NULL; - + while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++; - + if (*lptr == '\0'){ - *lnext = lptr; + *lnext = lptr; } else{ - *lptr = '\0'; - *lnext = lptr + 1; + *lptr = '\0'; + *lnext = lptr + 1; } - + return out_ptr; } /********************************************************** @@ -678,10 +679,10 @@ char * get_next_token (lnext) while (( *lptr != ' ') && (*lptr != '\t') && (*lptr != '\0')) lptr ++; if (*lptr == '\0'){ - *lnext = lptr; + *lnext = lptr; } else{ - *lptr = '\0'; - *lnext = lptr + 1; + *lptr = '\0'; + *lnext = lptr + 1; } return out_ptr; @@ -695,9 +696,9 @@ static void auth_cleanup(users_fp, login_fp, princname) free (princname); if (users_fp) - fclose(users_fp); + fclose(users_fp); if (login_fp) - fclose(login_fp); + fclose(login_fp); } void init_auth_names(pw_dir) @@ -708,14 +709,14 @@ void init_auth_names(pw_dir) sep = ((strlen(pw_dir) == 1) && (*pw_dir == '/')) ? "" : "/"; r1 = snprintf(k5login_path, sizeof(k5login_path), "%s%s%s", - pw_dir, sep, KRB5_LOGIN_NAME); + pw_dir, sep, KRB5_LOGIN_NAME); r2 = snprintf(k5users_path, sizeof(k5users_path), "%s%s%s", - pw_dir, sep, KRB5_USERS_NAME); + pw_dir, sep, KRB5_USERS_NAME); if (SNPRINTF_OVERFLOW(r1, sizeof(k5login_path)) || - SNPRINTF_OVERFLOW(r2, sizeof(k5users_path))) { - fprintf (stderr, - "home directory name `%s' too long, can't search for .k5login\n", - pw_dir); - exit (1); + SNPRINTF_OVERFLOW(r2, sizeof(k5users_path))) { + fprintf (stderr, + "home directory name `%s' too long, can't search for .k5login\n", + pw_dir); + exit (1); } } diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c index 8ed5fb185..2eafd0934 100644 --- a/src/clients/ksu/ccache.c +++ b/src/clients/ksu/ccache.c @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR @@ -25,7 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ -#include "ksu.h" +#include "ksu.h" #include "adm_proto.h" #include #include @@ -34,95 +35,95 @@ krb5_cache_copy gets rid of any expired tickets in the secondary cache, -copies the default cache into the secondary cache, +copies the default cache into the secondary cache, ************************************************************************/ void show_credential(); /* modifies only the cc_other, the algorithm may look a bit funny, - but I had to do it this way, since remove function did not come - with k5 beta 3 release. + but I had to do it this way, since remove function did not come + with k5 beta 3 release. */ -krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - primary_principal, cc_out, stored, target_uid) - /* IN */ +krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, + primary_principal, cc_out, stored, target_uid) +/* IN */ krb5_context context; krb5_ccache cc_def; char *cc_other_tag; krb5_principal primary_principal; -uid_t target_uid; + uid_t target_uid; /* OUT */ krb5_ccache *cc_out; krb5_boolean *stored; { -int i=0; -krb5_ccache * cc_other; -const char * cc_def_name; -const char * cc_other_name; -krb5_error_code retval=0; -krb5_creds ** cc_def_creds_arr = NULL; -krb5_creds ** cc_other_creds_arr = NULL; -struct stat st_temp; + int i=0; + krb5_ccache * cc_other; + const char * cc_def_name; + const char * cc_other_name; + krb5_error_code retval=0; + krb5_creds ** cc_def_creds_arr = NULL; + krb5_creds ** cc_other_creds_arr = NULL; + struct stat st_temp; - cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); + cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ - com_err (prog_name, retval, "resolving ccache %s", - cc_other_tag); - return retval; + com_err (prog_name, retval, "resolving ccache %s", + cc_other_tag); + return retval; } - cc_def_name = krb5_cc_get_name(context, cc_def); - cc_other_name = krb5_cc_get_name(context, *cc_other); + cc_def_name = krb5_cc_get_name(context, cc_def); + cc_other_name = krb5_cc_get_name(context, *cc_other); if ( ! stat(cc_def_name, &st_temp)){ - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ - return retval; - } + if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ + return retval; + } } *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, - primary_principal); + primary_principal); #ifdef HAVE_LSTAT if (!lstat( cc_other_name, &st_temp)) #else /*HAVE_LSTAT*/ - if (!stat( cc_other_name, &st_temp)) + if (!stat( cc_other_name, &st_temp)) #endif - return EINVAL; - - if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { - return errno; - } - - + return EINVAL; + + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { + return errno; + } + + if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){ - return retval; + return retval; } - retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr, - cc_other_creds_arr); + retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr, + cc_other_creds_arr); - if (cc_def_creds_arr){ - while (cc_def_creds_arr[i]){ - krb5_free_creds(context, cc_def_creds_arr[i]); - i++; - } - } + if (cc_def_creds_arr){ + while (cc_def_creds_arr[i]){ + krb5_free_creds(context, cc_def_creds_arr[i]); + i++; + } + } i=0; - if(cc_other_creds_arr){ - while (cc_other_creds_arr[i]){ - krb5_free_creds(context, cc_other_creds_arr[i]); - i++; - } + if(cc_other_creds_arr){ + while (cc_other_creds_arr[i]){ + krb5_free_creds(context, cc_other_creds_arr[i]); + i++; + } } - *cc_out = *cc_other; - return retval; + *cc_out = *cc_other; + return retval; } @@ -133,65 +134,65 @@ krb5_error_code krb5_store_all_creds(context, cc, creds_def, creds_other) krb5_creds **creds_other; { -int i = 0; -krb5_error_code retval = 0; -krb5_creds ** temp_creds= NULL; - - - if ((creds_def == NULL) && (creds_other == NULL)) - return 0; - - if ((creds_def == NULL) && (creds_other != NULL)) - temp_creds = creds_other; - - if ((creds_def != NULL) && (creds_other == NULL)) - temp_creds = creds_def; - - - if (temp_creds){ - while(temp_creds[i]){ - if ((retval= krb5_cc_store_cred(context, cc, - temp_creds[i]))){ - return retval; - } - i++; - } - } - else { /* both arrays have elements in them */ - - return KRB5KRB_ERR_GENERIC; - -/************ while(creds_other[i]){ - cmp = FALSE; - j = 0; - while(creds_def[j]){ - cmp = compare_creds(creds_other[i],creds_def[j]); - - if( cmp == TRUE) break; - - j++; - } - if (cmp == FALSE){ - if (retval= krb5_cc_store_cred(context, cc, - creds_other[i])){ - return retval; - } - } - i ++; - } - - i=0; - while(creds_def[i]){ - if (retval= krb5_cc_store_cred(context, cc, - creds_def[i])){ - return retval; - } - i++; - } + int i = 0; + krb5_error_code retval = 0; + krb5_creds ** temp_creds= NULL; + + + if ((creds_def == NULL) && (creds_other == NULL)) + return 0; + + if ((creds_def == NULL) && (creds_other != NULL)) + temp_creds = creds_other; + + if ((creds_def != NULL) && (creds_other == NULL)) + temp_creds = creds_def; + + + if (temp_creds){ + while(temp_creds[i]){ + if ((retval= krb5_cc_store_cred(context, cc, + temp_creds[i]))){ + return retval; + } + i++; + } + } + else { /* both arrays have elements in them */ + + return KRB5KRB_ERR_GENERIC; + +/************ while(creds_other[i]){ + cmp = FALSE; + j = 0; + while(creds_def[j]){ + cmp = compare_creds(creds_other[i],creds_def[j]); + + if( cmp == TRUE) break; + + j++; + } + if (cmp == FALSE){ + if (retval= krb5_cc_store_cred(context, cc, + creds_other[i])){ + return retval; + } + } + i ++; + } + + i=0; + while(creds_def[i]){ + if (retval= krb5_cc_store_cred(context, cc, + creds_def[i])){ + return retval; + } + i++; + } **************/ - } - return 0; + } + return 0; } krb5_boolean compare_creds(context, cred1, cred2) @@ -199,86 +200,86 @@ krb5_boolean compare_creds(context, cred1, cred2) krb5_creds *cred1; krb5_creds *cred2; { -krb5_boolean retval; + krb5_boolean retval; - retval = krb5_principal_compare (context, cred1->client, cred2->client); + retval = krb5_principal_compare (context, cred1->client, cred2->client); - if (retval == TRUE) - retval = krb5_principal_compare (context, cred1->server, cred2->server); + if (retval == TRUE) + retval = krb5_principal_compare (context, cred1->server, cred2->server); - return retval; + return retval; } - + krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array) krb5_context context; krb5_ccache cc; krb5_creds ***creds_array; { -krb5_creds creds, temp_tktq, temp_tkt; -krb5_creds **temp_creds; -krb5_error_code retval=0; -krb5_cc_cursor cur; -int count = 0; -int chunk_count = 1; - - if ( ! ( temp_creds = (krb5_creds **) malloc( CHUNK * sizeof(krb5_creds *)))){ - return ENOMEM; - } + krb5_creds creds, temp_tktq, temp_tkt; + krb5_creds **temp_creds; + krb5_error_code retval=0; + krb5_cc_cursor cur; + int count = 0; + int chunk_count = 1; + + if ( ! ( temp_creds = (krb5_creds **) malloc( CHUNK * sizeof(krb5_creds *)))){ + return ENOMEM; + } - memset(&temp_tktq, 0, sizeof(temp_tktq)); - memset(&temp_tkt, 0, sizeof(temp_tkt)); - memset(&creds, 0, sizeof(creds)); + memset(&temp_tktq, 0, sizeof(temp_tktq)); + memset(&temp_tkt, 0, sizeof(temp_tkt)); + memset(&creds, 0, sizeof(creds)); - /* initialize the cursor */ + /* initialize the cursor */ if ((retval = krb5_cc_start_seq_get(context, cc, &cur))) { - return retval; + return retval; } while (!(retval = krb5_cc_next_cred(context, cc, &cur, &creds))){ - if ((retval = krb5_check_exp(context, creds.times))){ - if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){ - return retval; - } - if (auth_debug){ - fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n"); - fputs(" Valid starting Expires Service principal\n",stdout); - show_credential(context, &creds, cc); - fprintf(stderr,"\n"); - } - } - else { /* these credentials didn't expire */ - - if ((retval = krb5_copy_creds(context, &creds, - &temp_creds[count]))){ - return retval; - } - count ++; - - if (count == (chunk_count * CHUNK -1)){ - chunk_count ++; - if (!(temp_creds = (krb5_creds **) realloc(temp_creds, - chunk_count * CHUNK * sizeof(krb5_creds *)))){ - return ENOMEM; - } - } - } - - } - - temp_creds[count] = NULL; - *creds_array = temp_creds; + if ((retval = krb5_check_exp(context, creds.times))){ + if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){ + return retval; + } + if (auth_debug){ + fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n"); + fputs(" Valid starting Expires Service principal\n",stdout); + show_credential(context, &creds, cc); + fprintf(stderr,"\n"); + } + } + else { /* these credentials didn't expire */ + + if ((retval = krb5_copy_creds(context, &creds, + &temp_creds[count]))){ + return retval; + } + count ++; + + if (count == (chunk_count * CHUNK -1)){ + chunk_count ++; + if (!(temp_creds = (krb5_creds **) realloc(temp_creds, + chunk_count * CHUNK * sizeof(krb5_creds *)))){ + return ENOMEM; + } + } + } + + } + + temp_creds[count] = NULL; + *creds_array = temp_creds; if (retval == KRB5_CC_END) { - retval = krb5_cc_end_seq_get(context, cc, &cur); - } + retval = krb5_cc_end_seq_get(context, cc, &cur); + } - return retval; + return retval; } @@ -287,27 +288,27 @@ krb5_error_code krb5_check_exp(context, tkt_time) krb5_context context; krb5_ticket_times tkt_time; { -krb5_error_code retval =0; -krb5_timestamp currenttime; - - if ((retval = krb5_timeofday (context, ¤ttime))){ - return retval; - } - if (auth_debug){ - fprintf(stderr,"krb5_check_exp: the krb5_clockskew is %d \n", - context->clockskew); - - fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n", - (currenttime - tkt_time.endtime )); - - } - - if (currenttime - tkt_time.endtime > context->clockskew){ - retval = KRB5KRB_AP_ERR_TKT_EXPIRED ; - return retval; - } - - return 0; + krb5_error_code retval =0; + krb5_timestamp currenttime; + + if ((retval = krb5_timeofday (context, ¤ttime))){ + return retval; + } + if (auth_debug){ + fprintf(stderr,"krb5_check_exp: the krb5_clockskew is %d \n", + context->clockskew); + + fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n", + (currenttime - tkt_time.endtime )); + + } + + if (currenttime - tkt_time.endtime > context->clockskew){ + retval = KRB5KRB_AP_ERR_TKT_EXPIRED ; + return retval; + } + + return 0; } @@ -316,7 +317,7 @@ char *flags_string(cred) { static char buf[32]; int i = 0; - + if (cred->ticket_flags & TKT_FLG_FORWARDABLE) buf[i++] = 'F'; if (cred->ticket_flags & TKT_FLG_FORWARDED) @@ -355,10 +356,10 @@ void printtime(tv) tstamp = tv; fill = ' '; if (!krb5_timestamp_to_sfstring(tstamp, - fmtbuf, - sizeof(fmtbuf), - &fill)) - printf(fmtbuf); + fmtbuf, + sizeof(fmtbuf), + &fill)) + printf(fmtbuf); } @@ -376,39 +377,39 @@ krb5_get_login_princ(luser, princ_list) int gobble, result; char ** buf_out; struct stat st_temp; - int count = 0, chunk_count = 1; + int count = 0, chunk_count = 1; /* no account => no access */ if ((pwd = getpwnam(luser)) == NULL) { - return 0; + return 0; } result = snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir); if (SNPRINTF_OVERFLOW(result, sizeof(pbuf))) { - fprintf (stderr, "home directory path for %s too long\n", luser); - exit (1); + fprintf (stderr, "home directory path for %s too long\n", luser); + exit (1); } - if (stat(pbuf, &st_temp)) { /* not accessible */ - return 0; + if (stat(pbuf, &st_temp)) { /* not accessible */ + return 0; } /* open ~/.k5login */ if ((fp = fopen(pbuf, "r")) == NULL) { - return 0; + return 0; } /* * For security reasons, the .k5login file must be owned either by * the user himself, or by root. Otherwise, don't grant access. */ if (fstat(fileno(fp), &sbuf)) { - fclose(fp); - return 0; + fclose(fp); + return 0; } if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) { - fclose(fp); - return 0; + fclose(fp); + return 0; } /* check each line */ @@ -419,33 +420,33 @@ krb5_get_login_princ(luser, princ_list) if (!(buf_out = (char **) malloc( CHUNK * sizeof(char *)))) return ENOMEM; while ( fgets(linebuf, BUFSIZ, fp) != NULL) { - /* null-terminate the input string */ - linebuf[BUFSIZ-1] = '\0'; - newline = NULL; - /* nuke the newline if it exists */ - if ((newline = strchr(linebuf, '\n'))) - *newline = '\0'; - - buf_out[count] = linebuf; + /* null-terminate the input string */ + linebuf[BUFSIZ-1] = '\0'; + newline = NULL; + /* nuke the newline if it exists */ + if ((newline = strchr(linebuf, '\n'))) + *newline = '\0'; + + buf_out[count] = linebuf; count ++; if (count == (chunk_count * CHUNK -1)){ chunk_count ++; if (!(buf_out = (char **) realloc(buf_out, - chunk_count * CHUNK * sizeof(char *)))){ - return ENOMEM; + chunk_count * CHUNK * sizeof(char *)))){ + return ENOMEM; } } - /* clean up the rest of the line if necessary */ - if (!newline) - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); + /* clean up the rest of the line if necessary */ + if (!newline) + while (((gobble = getc(fp)) != EOF) && gobble != '\n'); - if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM; + if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM; } buf_out[count] = NULL; - *princ_list = buf_out; + *princ_list = buf_out; fclose(fp); return 0; } @@ -460,34 +461,34 @@ show_credential(context, cred, cc) { krb5_error_code retval; char *name, *sname, *flags; - int first = 1; + int first = 1; krb5_principal princ; - char * defname; + char * defname; int show_flags =1; retval = krb5_unparse_name(context, cred->client, &name); if (retval) { - com_err(prog_name, retval, "while unparsing client name"); - return; + com_err(prog_name, retval, "while unparsing client name"); + return; } retval = krb5_unparse_name(context, cred->server, &sname); if (retval) { - com_err(prog_name, retval, "while unparsing server name"); - free(name); - return; + com_err(prog_name, retval, "while unparsing server name"); + free(name); + return; } if ((retval = krb5_cc_get_principal(context, cc, &princ))) { com_err(prog_name, retval, "while retrieving principal name"); - return; + return; } if ((retval = krb5_unparse_name(context, princ, &defname))) { com_err(prog_name, retval, "while unparsing principal name"); - return; - } + return; + } if (!cred->times.starttime) - cred->times.starttime = cred->times.authtime; + cred->times.starttime = cred->times.authtime; printtime(cred->times.starttime); putchar(' '); putchar(' '); @@ -497,27 +498,27 @@ show_credential(context, cred, cc) printf("%s\n", sname); if (strcmp(name, defname)) { - printf("\tfor client %s", name); - first = 0; + printf("\tfor client %s", name); + first = 0; } - + if (cred->times.renew_till) { - if (first) - fputs("\t",stdout); - else - fputs(", ",stdout); - fputs("renew until ", stdout); + if (first) + fputs("\t",stdout); + else + fputs(", ",stdout); + fputs("renew until ", stdout); printtime(cred->times.renew_till); } if (show_flags) { - flags = flags_string(cred); - if (flags && *flags) { - if (first) - fputs("\t",stdout); - else - fputs(", ",stdout); - printf("Flags: %s", flags); - first = 0; + flags = flags_string(cred); + if (flags && *flags) { + if (first) + fputs("\t",stdout); + else + fputs(", ",stdout); + printf("Flags: %s", flags); + first = 0; } } putchar('\n'); @@ -526,9 +527,9 @@ show_credential(context, cred, cc) } int gen_sym(){ - static int i = 0; - i ++; - return i; + static int i = 0; + i ++; + return i; } krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) @@ -537,49 +538,49 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) krb5_ccache cct; krb5_principal primary_principal; { -const char * cct_name; -const char * ccs_name; -krb5_error_code retval=0; -krb5_principal temp_principal; -krb5_creds ** ccs_creds_arr = NULL; -int i=0; -struct stat st_temp; + const char * cct_name; + const char * ccs_name; + krb5_error_code retval=0; + krb5_principal temp_principal; + krb5_creds ** ccs_creds_arr = NULL; + int i=0; + struct stat st_temp; - ccs_name = krb5_cc_get_name(context, ccs); - cct_name = krb5_cc_get_name(context, cct); + ccs_name = krb5_cc_get_name(context, ccs); + cct_name = krb5_cc_get_name(context, cct); if ( ! stat(ccs_name, &st_temp)){ - if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ - return retval; - } - } + if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ + return retval; + } + } if ( ! stat(cct_name, &st_temp)){ - if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ - return retval; - } + if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ + return retval; + } }else{ - temp_principal = primary_principal; + temp_principal = primary_principal; } if ((retval = krb5_cc_initialize(context, cct, temp_principal))){ - return retval; + return retval; } - retval = krb5_store_all_creds(context, cct, ccs_creds_arr, NULL); + retval = krb5_store_all_creds(context, cct, ccs_creds_arr, NULL); - if (ccs_creds_arr){ - while (ccs_creds_arr[i]){ - krb5_free_creds(context, ccs_creds_arr[i]); - i++; - } - } + if (ccs_creds_arr){ + while (ccs_creds_arr[i]){ + krb5_free_creds(context, ccs_creds_arr[i]); + i++; + } + } - return retval; + return retval; } krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, - stored) + stored) krb5_context context; krb5_ccache cc; krb5_creds **creds_def; @@ -588,231 +589,231 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, krb5_boolean *stored; { -int i = 0; -krb5_error_code retval = 0; -krb5_creds ** temp_creds= NULL; -krb5_boolean temp_stored = FALSE; + int i = 0; + krb5_error_code retval = 0; + krb5_creds ** temp_creds= NULL; + krb5_boolean temp_stored = FALSE; - - if ((creds_def == NULL) && (creds_other == NULL)) - return 0; - if ((creds_def == NULL) && (creds_other != NULL)) - temp_creds = creds_other; + if ((creds_def == NULL) && (creds_other == NULL)) + return 0; - if ((creds_def != NULL) && (creds_other == NULL)) - temp_creds = creds_def; + if ((creds_def == NULL) && (creds_other != NULL)) + temp_creds = creds_other; + if ((creds_def != NULL) && (creds_other == NULL)) + temp_creds = creds_def; - if (temp_creds){ - while(temp_creds[i]){ - if (krb5_principal_compare(context, - temp_creds[i]->client, - prst)== TRUE) { - if ((retval = krb5_cc_store_cred(context, - cc,temp_creds[i]))){ - return retval; - } - temp_stored = TRUE; - } + if (temp_creds){ + while(temp_creds[i]){ + if (krb5_principal_compare(context, + temp_creds[i]->client, + prst)== TRUE) { - i++; - } - } - else { /* both arrays have elements in them */ - return KRB5KRB_ERR_GENERIC; - } + if ((retval = krb5_cc_store_cred(context, + cc,temp_creds[i]))){ + return retval; + } + temp_stored = TRUE; + } -*stored = temp_stored; -return 0; + i++; + } + } + else { /* both arrays have elements in them */ + return KRB5KRB_ERR_GENERIC; + } + + *stored = temp_stored; + return 0; } /****************************************************************** krb5_cache_copy_restricted gets rid of any expired tickets in the secondary cache, -copies the default cache into the secondary cache, -only credentials that are for prst are copied. +copies the default cache into the secondary cache, +only credentials that are for prst are copied. the algorithm may look a bit funny, -but I had to do it this way, since cc_remove function did not come -with k5 beta 3 release. +but I had to do it this way, since cc_remove function did not come +with k5 beta 3 release. ************************************************************************/ -krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, - prst, cc_out, stored, target_uid) +krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, + prst, cc_out, stored, target_uid) krb5_context context; krb5_ccache cc_def; char *cc_other_tag; krb5_principal prst; -uid_t target_uid; + uid_t target_uid; /* OUT */ krb5_ccache *cc_out; krb5_boolean *stored; { -int i=0; -krb5_ccache * cc_other; -const char * cc_def_name; -const char * cc_other_name; -krb5_error_code retval=0; -krb5_creds ** cc_def_creds_arr = NULL; -krb5_creds ** cc_other_creds_arr = NULL; -struct stat st_temp; + int i=0; + krb5_ccache * cc_other; + const char * cc_def_name; + const char * cc_other_name; + krb5_error_code retval=0; + krb5_creds ** cc_def_creds_arr = NULL; + krb5_creds ** cc_other_creds_arr = NULL; + struct stat st_temp; - cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); + cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ - com_err (prog_name, retval, "resolving ccache %s", - cc_other_tag); - return retval; + com_err (prog_name, retval, "resolving ccache %s", + cc_other_tag); + return retval; } - cc_def_name = krb5_cc_get_name(context, cc_def); - cc_other_name = krb5_cc_get_name(context, *cc_other); + cc_def_name = krb5_cc_get_name(context, cc_def); + cc_other_name = krb5_cc_get_name(context, *cc_other); if ( ! stat(cc_def_name, &st_temp)){ - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ - return retval; - } + if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ + return retval; + } } #ifdef HAVE_LSTAT if (!lstat( cc_other_name, &st_temp)) { #else /*HAVE_LSTAT*/ - if (!stat( cc_other_name, &st_temp)) { + if (!stat( cc_other_name, &st_temp)) { #endif - return EINVAL; - } - - if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { - return errno; - } - - - if ((retval = krb5_cc_initialize(context, *cc_other, prst))){ - return retval; - } + return EINVAL; + } - retval = krb5_store_some_creds(context, * cc_other, - cc_def_creds_arr, cc_other_creds_arr, prst, stored); + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { + return errno; + } + if ((retval = krb5_cc_initialize(context, *cc_other, prst))){ + return retval; + } - if (cc_def_creds_arr){ - while (cc_def_creds_arr[i]){ - krb5_free_creds(context, cc_def_creds_arr[i]); - i++; - } - } + retval = krb5_store_some_creds(context, * cc_other, + cc_def_creds_arr, cc_other_creds_arr, prst, stored); - i=0; - if(cc_other_creds_arr){ - while (cc_other_creds_arr[i]){ - krb5_free_creds(context, cc_other_creds_arr[i]); - i++; - } - } - *cc_out = *cc_other; - return retval; -} + if (cc_def_creds_arr){ + while (cc_def_creds_arr[i]){ + krb5_free_creds(context, cc_def_creds_arr[i]); + i++; + } + } -krb5_error_code krb5_ccache_filter (context, cc, prst) - krb5_context context; + i=0; + + if(cc_other_creds_arr){ + while (cc_other_creds_arr[i]){ + krb5_free_creds(context, cc_other_creds_arr[i]); + i++; + } + } + + *cc_out = *cc_other; + return retval; + } + + krb5_error_code krb5_ccache_filter (context, cc, prst) + krb5_context context; krb5_ccache cc; krb5_principal prst; -{ + { -int i=0; -krb5_error_code retval=0; -krb5_principal temp_principal; -krb5_creds ** cc_creds_arr = NULL; -const char * cc_name; -krb5_boolean stored; -struct stat st_temp; + int i=0; + krb5_error_code retval=0; + krb5_principal temp_principal; + krb5_creds ** cc_creds_arr = NULL; + const char * cc_name; + krb5_boolean stored; + struct stat st_temp; - cc_name = krb5_cc_get_name(context, cc); + cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ + if ( ! stat(cc_name, &st_temp)){ - if (auth_debug) { - fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); - } + if (auth_debug) { + fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); + } - if ((retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr))){ - return retval; - } + if ((retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr))){ + return retval; + } - if ((retval = krb5_cc_get_principal(context, cc, &temp_principal))){ - return retval; - } + if ((retval = krb5_cc_get_principal(context, cc, &temp_principal))){ + return retval; + } - if ((retval = krb5_cc_initialize(context, cc, temp_principal))){ - return retval; - } + if ((retval = krb5_cc_initialize(context, cc, temp_principal))){ + return retval; + } - if ((retval = krb5_store_some_creds(context, cc, cc_creds_arr, - NULL, prst, &stored))){ - return retval; - } + if ((retval = krb5_store_some_creds(context, cc, cc_creds_arr, + NULL, prst, &stored))){ + return retval; + } - if (cc_creds_arr){ - while (cc_creds_arr[i]){ - krb5_free_creds(context, cc_creds_arr[i]); - i++; - } - } + if (cc_creds_arr){ + while (cc_creds_arr[i]){ + krb5_free_creds(context, cc_creds_arr[i]); + i++; + } + } + } + return 0; } - return 0; -} -krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ) - krb5_context context; + krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ) + krb5_context context; krb5_creds **creds_list; krb5_principal princ; -{ + { -int i = 0; -krb5_boolean temp_stored = FALSE; + int i = 0; + krb5_boolean temp_stored = FALSE; - if (creds_list){ - while(creds_list[i]){ - if (krb5_principal_compare(context, - creds_list[i]->client, - princ)== TRUE){ - temp_stored = TRUE; - break; - } + if (creds_list){ + while(creds_list[i]){ + if (krb5_principal_compare(context, + creds_list[i]->client, + princ)== TRUE){ + temp_stored = TRUE; + break; + } - i++; - } - } + i++; + } + } -return temp_stored; -} + return temp_stored; + } -krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) - krb5_context context; + krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) + krb5_context context; krb5_ccache cc; krb5_principal princ; krb5_boolean *found; -{ -krb5_error_code retval; -krb5_creds ** creds_list = NULL; -const char * cc_name; -struct stat st_temp; + { + krb5_error_code retval; + krb5_creds ** creds_list = NULL; + const char * cc_name; + struct stat st_temp; - cc_name = krb5_cc_get_name(context, cc); + cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ - if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ - return retval; - } - } + if ( ! stat(cc_name, &st_temp)){ + if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ + return retval; + } + } - *found = krb5_find_princ_in_cred_list(context, creds_list, princ); -return 0; -} + *found = krb5_find_princ_in_cred_list(context, creds_list, princ); + return 0; + } diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c index 65d44a39b..c7e691cd6 100644 --- a/src/clients/ksu/heuristic.c +++ b/src/clients/ksu/heuristic.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 1994 by the University of Southern California * @@ -34,7 +35,7 @@ /******************************************************************* get_all_princ_from_file - retrieves all principal names - from file pointed to by fp. + from file pointed to by fp. *******************************************************************/ static void close_time (int, FILE *, int, FILE *); @@ -50,33 +51,33 @@ krb5_error_code get_all_princ_from_file (fp, plist) int count = 0, chunk_count = 1; if (!(temp_list = (char **) malloc( CHUNK * sizeof(char *)))) - return ENOMEM; + return ENOMEM; retval = get_line(fp, &line); if (retval) - return retval; + return retval; while (line){ - fprinc = get_first_token (line, &lp); - - if (fprinc ){ - temp_list[count] = xstrdup(fprinc); - count ++; - } - - if(count == (chunk_count * CHUNK -1)){ - chunk_count ++; - if (!(temp_list = (char **) realloc(temp_list, - chunk_count * CHUNK * sizeof(char *)))){ - return ENOMEM; - } - } - - - free (line); - retval = get_line(fp, &line); - if (retval) - return retval; + fprinc = get_first_token (line, &lp); + + if (fprinc ){ + temp_list[count] = xstrdup(fprinc); + count ++; + } + + if(count == (chunk_count * CHUNK -1)){ + chunk_count ++; + if (!(temp_list = (char **) realloc(temp_list, + chunk_count * CHUNK * sizeof(char *)))){ + return ENOMEM; + } + } + + + free (line); + retval = get_line(fp, &line); + if (retval) + return retval; } temp_list[count] = NULL; @@ -87,8 +88,8 @@ krb5_error_code get_all_princ_from_file (fp, plist) /************************************************************* list_union - combines list1 and list2 into combined_list. - the space for list1 and list2 is either freed - or used by combined_list. + the space for list1 and list2 is either freed + or used by combined_list. **************************************************************/ krb5_error_code list_union(list1, list2, combined_list) @@ -100,39 +101,39 @@ krb5_error_code list_union(list1, list2, combined_list) unsigned int c1 =0, c2 = 0, i=0, j=0; char ** tlist; - if (! list1){ - *combined_list = list2; - return 0; + if (! list1){ + *combined_list = list2; + return 0; } - if (! list2){ - *combined_list = list1; - return 0; + if (! list2){ + *combined_list = list1; + return 0; } while (list1[c1]) c1++; while (list2[c2]) c2++; - + if (!(tlist = (char **) calloc( c1 + c2 + 1, sizeof ( char *)))) - return ENOMEM; + return ENOMEM; i = 0; while(list1[i]) { - tlist[i] = list1[i]; - i++; + tlist[i] = list1[i]; + i++; } j = 0; while(list2[j]){ - if(find_str_in_list(list1, list2[j])==FALSE){ - tlist[i] = list2[j]; - i++; - } - j++; + if(find_str_in_list(list1, list2[j])==FALSE){ + tlist[i] = list2[j]; + i++; + } + j++; } - free (list1); - free (list2); - + free (list1); + free (list2); + tlist[i]= NULL; *combined_list = tlist; @@ -150,44 +151,44 @@ filter(fp, cmd, k5users_list, k5users_filt_list) krb5_error_code retval =0; krb5_boolean found = FALSE; char * out_cmd = NULL; - unsigned int i=0, j=0, found_count = 0, k=0; + unsigned int i=0, j=0, found_count = 0, k=0; char ** temp_filt_list; *k5users_filt_list = NULL; - if (! k5users_list){ - return 0; + if (! k5users_list){ + return 0; } - while(k5users_list[i]){ + while(k5users_list[i]){ - retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd); - if (retval) - return retval; + retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd); + if (retval) + return retval; - if (found == FALSE){ - free (k5users_list[i]); - k5users_list[i] = NULL; - if (out_cmd) gb_err = out_cmd; - } else - found_count ++; + if (found == FALSE){ + free (k5users_list[i]); + k5users_list[i] = NULL; + if (out_cmd) gb_err = out_cmd; + } else + found_count ++; - i++; + i++; } if (! (temp_filt_list = (char **) calloc(found_count +1, sizeof (char*)))) - return ENOMEM; + return ENOMEM; - for(j= 0, k=0; j < i; j++ ) { - if (k5users_list[j]){ - temp_filt_list[k] = k5users_list[j]; - k++; - } + for(j= 0, k=0; j < i; j++ ) { + if (k5users_list[j]){ + temp_filt_list[k] = k5users_list[j]; + k++; + } } temp_filt_list[k] = NULL; - free (k5users_list); + free (k5users_list); *k5users_filt_list = temp_filt_list; return 0; @@ -208,74 +209,74 @@ get_authorized_princ_names(luser, cmd, princ_list) char ** k5users_filt_list = NULL; char ** combined_list = NULL; struct stat tb; - krb5_error_code retval; + krb5_error_code retval; - *princ_list = NULL; + *princ_list = NULL; /* no account => no access */ if ((pwd = getpwnam(luser)) == NULL) - return 0; + return 0; k5login_flag = stat(k5login_path, &tb); k5users_flag = stat(k5users_path, &tb); if (!k5login_flag){ if ((login_fp = fopen(k5login_path, "r")) == NULL) - return 0; + return 0; if ( fowner(login_fp, pwd->pw_uid) == FALSE){ - close_time(1 /*k5users_flag*/, (FILE *) 0 /*users_fp*/, - k5login_flag,login_fp); - return 0; + close_time(1 /*k5users_flag*/, (FILE *) 0 /*users_fp*/, + k5login_flag,login_fp); + return 0; } } if (!k5users_flag){ if ((users_fp = fopen(k5users_path, "r")) == NULL) - return 0; + return 0; if ( fowner(users_fp, pwd->pw_uid) == FALSE){ - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return 0; + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return 0; + } + + retval = get_all_princ_from_file (users_fp, &k5users_list); + if(retval) { + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return retval; } - retval = get_all_princ_from_file (users_fp, &k5users_list); - if(retval) { - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return retval; - } - - rewind(users_fp); - - retval = filter(users_fp,cmd, k5users_list, &k5users_filt_list); - if(retval) { - close_time(k5users_flag,users_fp, k5login_flag, login_fp); - return retval; - } + rewind(users_fp); + + retval = filter(users_fp,cmd, k5users_list, &k5users_filt_list); + if(retval) { + close_time(k5users_flag,users_fp, k5login_flag, login_fp); + return retval; + } } - + if (!k5login_flag){ - retval = get_all_princ_from_file (login_fp, &k5login_list); - if(retval) { - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return retval; - } - } + retval = get_all_princ_from_file (login_fp, &k5login_list); + if(retval) { + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return retval; + } + } close_time(k5users_flag,users_fp, k5login_flag, login_fp); if (cmd) { - retval = list_union(k5login_list, k5users_filt_list, &combined_list); - if (retval){ - close_time(k5users_flag,users_fp, k5login_flag,login_fp); - return retval; - } - *princ_list = combined_list; - return 0; + retval = list_union(k5login_list, k5users_filt_list, &combined_list); + if (retval){ + close_time(k5users_flag,users_fp, k5login_flag,login_fp); + return retval; + } + *princ_list = combined_list; + return 0; } else { - if (k5users_filt_list != NULL) - free(k5users_filt_list); - *princ_list = k5login_list; - return 0; + if (k5users_filt_list != NULL) + free(k5users_filt_list); + *princ_list = k5login_list; + return 0; } } @@ -303,8 +304,8 @@ static krb5_boolean find_str_in_list(list , elm) while (list[i] ){ if (!strcmp(list[i], elm)){ - found = TRUE; - break; + found = TRUE; + break; } i++; } @@ -331,7 +332,7 @@ krb5_error_code get_closest_principal(context, plist, client, found) krb5_principal temp_client, best_client = NULL; int i = 0, j=0, cnelem, pnelem; krb5_boolean got_one; - + *found = FALSE; if (! plist ) return 0; @@ -340,48 +341,48 @@ krb5_error_code get_closest_principal(context, plist, client, found) while(plist[i]){ - retval = krb5_parse_name(context, plist[i], &temp_client); - if (retval) - return retval; - - pnelem = krb5_princ_size(context, temp_client); - - if ( cnelem > pnelem){ - i++; - continue; - } - - if (data_eq(*krb5_princ_realm(context, *client), - *krb5_princ_realm(context, temp_client))) { - - got_one = TRUE; - for(j =0; j < cnelem; j ++){ - krb5_data *p1 = - krb5_princ_component(context, *client, j); - krb5_data *p2 = - krb5_princ_component(context, temp_client, j); - - if (!p1 || !p2 || !data_eq(*p1, *p2)) { - got_one = FALSE; - break; - } - } - if (got_one == TRUE){ - if(best_client){ - if(krb5_princ_size(context, best_client) > - krb5_princ_size(context, temp_client)){ - best_client = temp_client; - } - }else - best_client = temp_client; - } - } - i++; + retval = krb5_parse_name(context, plist[i], &temp_client); + if (retval) + return retval; + + pnelem = krb5_princ_size(context, temp_client); + + if ( cnelem > pnelem){ + i++; + continue; + } + + if (data_eq(*krb5_princ_realm(context, *client), + *krb5_princ_realm(context, temp_client))) { + + got_one = TRUE; + for(j =0; j < cnelem; j ++){ + krb5_data *p1 = + krb5_princ_component(context, *client, j); + krb5_data *p2 = + krb5_princ_component(context, temp_client, j); + + if (!p1 || !p2 || !data_eq(*p1, *p2)) { + got_one = FALSE; + break; + } + } + if (got_one == TRUE){ + if(best_client){ + if(krb5_princ_size(context, best_client) > + krb5_princ_size(context, temp_client)){ + best_client = temp_client; + } + }else + best_client = temp_client; + } + } + i++; } - + if (best_client) { - *found = TRUE; - *client = best_client; + *found = TRUE; + *client = best_client; } return 0; @@ -410,24 +411,24 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found) if ( ! stat(cc_source_name, &st_temp)){ - retval = find_ticket(context, cc, client, end_server, &temp_found); - if (retval) - return retval; - - if (temp_found == FALSE){ - retval = ksu_tgtname(context, - krb5_princ_realm(context, client), - krb5_princ_realm(context, client), - &kdc_server); - if (retval) - return retval; - - retval = find_ticket(context, cc,client, kdc_server, &temp_found); - if(retval) - return retval; - } - else if (auth_debug) - printf("find_either_ticket: found end server ticket\n"); + retval = find_ticket(context, cc, client, end_server, &temp_found); + if (retval) + return retval; + + if (temp_found == FALSE){ + retval = ksu_tgtname(context, + krb5_princ_realm(context, client), + krb5_princ_realm(context, client), + &kdc_server); + if (retval) + return retval; + + retval = find_ticket(context, cc,client, kdc_server, &temp_found); + if(retval) + return retval; + } + else if (auth_debug) + printf("find_either_ticket: found end server ticket\n"); } *found = temp_found; @@ -446,7 +447,7 @@ krb5_error_code find_ticket (context, cc, client, server, found) krb5_creds tgt, tgtq; krb5_error_code retval; - + *found = FALSE; memset(&tgtq, 0, sizeof(tgtq)); @@ -454,25 +455,25 @@ krb5_error_code find_ticket (context, cc, client, server, found) retval= krb5_copy_principal(context, client, &tgtq.client); if (retval) - return retval; + return retval; retval= krb5_copy_principal(context, server, &tgtq.server); if (retval) - return retval ; + return retval ; retval = krb5_cc_retrieve_cred(context, cc, KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, - &tgtq, &tgt); + &tgtq, &tgt); if (! retval) retval = krb5_check_exp(context, tgt.times); if (retval){ - if ((retval != KRB5_CC_NOTFOUND) && - (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ - return retval ; - } + if ((retval != KRB5_CC_NOTFOUND) && + (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ + return retval ; + } } else{ - *found = TRUE; - return 0; + *found = TRUE; + return 0; } free(tgtq.server); @@ -500,14 +501,14 @@ krb5_error_code find_princ_in_list (context, princ, plist, found) retval = krb5_unparse_name(context, princ, &princname); if (retval) - return retval; + return retval; while (plist[i] ){ - if (!strcmp(plist[i], princname)){ - *found = TRUE; - break; - } - i++; + if (!strcmp(plist[i], princname)){ + *found = TRUE; + break; + } + i++; } return 0; @@ -515,8 +516,8 @@ krb5_error_code find_princ_in_list (context, princ, plist, found) } typedef struct princ_info { - krb5_principal p; - krb5_boolean found; + krb5_principal p; + krb5_boolean found; }princ_info; /********************************************************************** @@ -528,9 +529,9 @@ path_out gets set to ... ***********************************************************************/ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, - source_user, target_user, - cc_source, options, cmd, - hostname, client, path_out) + source_user, target_user, + cc_source, options, cmd, + hostname, client, path_out) krb5_context context; uid_t source_uid; uid_t target_uid; @@ -563,88 +564,88 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, /* -n option was specified client is set we are done */ if (options->princ) - return 0; + return 0; cc_source_name = krb5_cc_get_name(context, cc_source); - + if (! stat(cc_source_name, &st_temp)) { - retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); - if (retval) - return retval; + retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); + if (retval) + return retval; } retval=krb5_parse_name(context, target_user, &target_client); if (retval) - return retval; + return retval; retval=krb5_parse_name(context, source_user, &source_client); if (retval) - return retval; + return retval; if (source_uid == 0){ - if (target_uid != 0) - *client = target_client; /* this will be used to restrict - the cache copty */ - else { - if(cc_def_princ) - *client = cc_def_princ; - else - *client = target_client; - } - - if (auth_debug) - printf(" GET_best_princ_for_target: via source_uid == 0\n"); - - return 0; + if (target_uid != 0) + *client = target_client; /* this will be used to restrict + the cache copty */ + else { + if(cc_def_princ) + *client = cc_def_princ; + else + *client = target_client; + } + + if (auth_debug) + printf(" GET_best_princ_for_target: via source_uid == 0\n"); + + return 0; } /* from here on, the code is for source_uid != 0 */ if (source_uid && (source_uid == target_uid)){ - if(cc_def_princ) - *client = cc_def_princ; - else - *client = target_client; - if (auth_debug) - printf("GET_best_princ_for_target: via source_uid == target_uid\n"); - return 0; + if(cc_def_princ) + *client = cc_def_princ; + else + *client = target_client; + if (auth_debug) + printf("GET_best_princ_for_target: via source_uid == target_uid\n"); + return 0; } /* Become root, then target for looking at .k5login.*/ if (krb5_seteuid(0) || krb5_seteuid(target_uid) ) { - return errno; + return errno; } - - /* if .k5users and .k5login do not exist */ + + /* if .k5users and .k5login do not exist */ if (stat(k5login_path, &tb) && stat(k5users_path, &tb) ){ - *client = target_client; + *client = target_client; - if (cmd) - *path_out = NOT_AUTHORIZED; + if (cmd) + *path_out = NOT_AUTHORIZED; - if (auth_debug) - printf(" GET_best_princ_for_target: via no auth files path\n"); + if (auth_debug) + printf(" GET_best_princ_for_target: via no auth files path\n"); - return 0; + return 0; }else{ - retval = get_authorized_princ_names(target_user, cmd, &aplist); - if (retval) - return retval; - - /* .k5users or .k5login exist, but no authorization */ - if ((!aplist) || (!aplist[0])) { - *path_out = NOT_AUTHORIZED; - if (auth_debug) - printf("GET_best_princ_for_target: via empty auth files path\n"); - return 0; - } + retval = get_authorized_princ_names(target_user, cmd, &aplist); + if (retval) + return retval; + + /* .k5users or .k5login exist, but no authorization */ + if ((!aplist) || (!aplist[0])) { + *path_out = NOT_AUTHORIZED; + if (auth_debug) + printf("GET_best_princ_for_target: via empty auth files path\n"); + return 0; + } } retval = krb5_sname_to_principal(context, hostname, NULL, - KRB5_NT_SRV_HST, &end_server); + KRB5_NT_SRV_HST, &end_server); if (retval) - return retval; + return retval; /* first see if default principal of the source cache @@ -653,39 +654,39 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, * other ticket in the cache. */ if (cc_def_princ) - princ_trials[count ++].p = cc_def_princ; + princ_trials[count ++].p = cc_def_princ; else - princ_trials[count ++].p = NULL; + princ_trials[count ++].p = NULL; princ_trials[count ++].p = target_client; princ_trials[count ++].p = source_client; for (i= 0; i < count; i ++) - princ_trials[i].found = FALSE; + princ_trials[i].found = FALSE; for (i= 0; i < count; i ++){ - if(princ_trials[i].p) { - retval= find_princ_in_list(context, princ_trials[i].p, aplist, - &found); - if (retval) - return retval; - - if (found == TRUE){ - princ_trials[i].found = TRUE; - - retval = find_either_ticket (context, cc_source, - princ_trials[i].p, - end_server, &found); - if (retval) - return retval; - if (found == TRUE){ - *client = princ_trials[i].p; - if (auth_debug) - printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i); - return 0; - } - } - } + if(princ_trials[i].p) { + retval= find_princ_in_list(context, princ_trials[i].p, aplist, + &found); + if (retval) + return retval; + + if (found == TRUE){ + princ_trials[i].found = TRUE; + + retval = find_either_ticket (context, cc_source, + princ_trials[i].p, + end_server, &found); + if (retval) + return retval; + if (found == TRUE){ + *client = princ_trials[i].p; + if (auth_debug) + printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i); + return 0; + } + } + } } /* out of preferred principals, see if there is any ticket that will @@ -693,25 +694,25 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, i=0; while (aplist[i]){ - retval = krb5_parse_name(context, aplist[i], &temp_client); - if (retval) - return retval; - - retval = find_either_ticket (context, cc_source, temp_client, - end_server, &found); - if (retval) - return retval; - - if (found == TRUE){ - if (auth_debug) - printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" ); - *client = temp_client; - return 0; - } + retval = krb5_parse_name(context, aplist[i], &temp_client); + if (retval) + return retval; + + retval = find_either_ticket (context, cc_source, temp_client, + end_server, &found); + if (retval) + return retval; + + if (found == TRUE){ + if (auth_debug) + printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" ); + *client = temp_client; + return 0; + } - krb5_free_principal(context, temp_client); + krb5_free_principal(context, temp_client); - i++; + i++; } /* no tickets qualified, select a principal, that may be used @@ -719,46 +720,46 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, for (i=0; i < count; i ++){ - if (princ_trials[i].found == TRUE){ - *client = princ_trials[i].p; + if (princ_trials[i].found == TRUE){ + *client = princ_trials[i].p; - if (auth_debug) - printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i); - return 0; - } + if (auth_debug) + printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i); + return 0; + } } #ifdef PRINC_LOOK_AHEAD for (i=0; i < count; i ++){ - if (princ_trials[i].p){ - retval=krb5_copy_principal(context, princ_trials[i].p, - &temp_client); - if(retval) - return retval; - - /* get the client name that is the closest - to the three princ in trials */ - - retval=get_closest_principal(context, aplist, &temp_client, - &found); - if(retval) - return retval; - - if (found == TRUE){ - *client = temp_client; - if (auth_debug) - printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i); - return 0; - } - krb5_free_principal(context, temp_client); - } + if (princ_trials[i].p){ + retval=krb5_copy_principal(context, princ_trials[i].p, + &temp_client); + if(retval) + return retval; + + /* get the client name that is the closest + to the three princ in trials */ + + retval=get_closest_principal(context, aplist, &temp_client, + &found); + if(retval) + return retval; + + if (found == TRUE){ + *client = temp_client; + if (auth_debug) + printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i); + return 0; + } + krb5_free_principal(context, temp_client); + } } #endif /* PRINC_LOOK_AHEAD */ if(auth_debug) - printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n"); + printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n"); *path_out = NOT_AUTHORIZED; return 0; diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c index 230a1b399..39b85473f 100644 --- a/src/clients/ksu/krb_auth_su.c +++ b/src/clients/ksu/krb_auth_su.c @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR @@ -26,7 +27,7 @@ */ #include "ksu.h" - + void plain_dump_principal (); @@ -38,7 +39,7 @@ krb5_preauthtype * preauth_ptr = NULL; krb5_boolean krb5_auth_check(context, client_pname, hostname, options, - target_user, cc, path_passwd, target_uid) + target_user, cc, path_passwd, target_uid) krb5_context context; krb5_principal client_pname; char *hostname; @@ -51,183 +52,183 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options, krb5_principal client, server; krb5_verify_init_creds_opt vfy_opts; krb5_creds tgt, tgtq, in_creds, * out_creds; - krb5_creds **tgts = NULL; /* list of ticket granting tickets */ - - krb5_ticket * target_tkt; /* decrypted ticket for server */ + krb5_creds **tgts = NULL; /* list of ticket granting tickets */ + + krb5_ticket * target_tkt; /* decrypted ticket for server */ krb5_error_code retval =0; - int got_it = 0; + int got_it = 0; krb5_boolean zero_password; - + *path_passwd = 0; - memset(&tgtq, 0, sizeof(tgtq)); - memset(&tgt, 0, sizeof(tgt)); - memset(&in_creds, 0, sizeof(krb5_creds)); - - + memset(&tgtq, 0, sizeof(tgtq)); + memset(&tgt, 0, sizeof(tgt)); + memset(&in_creds, 0, sizeof(krb5_creds)); + + if ((retval= krb5_copy_principal(context, client_pname, &client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if (auth_debug) { - dump_principal(context, "krb5_auth_check: Client principal name", - client); + dump_principal(context, "krb5_auth_check: Client principal name", + client); } - + if ((retval = krb5_sname_to_principal(context, hostname, NULL, - KRB5_NT_SRV_HST, &server))){ - com_err(prog_name, retval, - "while creating server %s principal name", hostname); - krb5_free_principal(context, client); - return (FALSE) ; + KRB5_NT_SRV_HST, &server))){ + com_err(prog_name, retval, + "while creating server %s principal name", hostname); + krb5_free_principal(context, client); + return (FALSE) ; } - + if (auth_debug) { - dump_principal(context, "krb5_auth_check: Server principal name", - server); + dump_principal(context, "krb5_auth_check: Server principal name", + server); } - - - + + + /* check if ticket is already in the cache, if it is - then use it. - */ + then use it. + */ if( krb5_fast_auth(context, client, server, target_user, cc) == TRUE){ - if (auth_debug ){ - fprintf (stderr,"Authenticated via fast_auth \n"); - } - return TRUE; + if (auth_debug ){ + fprintf (stderr,"Authenticated via fast_auth \n"); + } + return TRUE; } - - /* check to see if the local tgt is in the cache */ - + + /* check to see if the local tgt is in the cache */ + if ((retval= krb5_copy_principal(context, client, &tgtq.client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval = ksu_tgtname(context, krb5_princ_realm(context, client), - krb5_princ_realm(context, client), - &tgtq.server))){ - com_err(prog_name, retval, "while creating tgt for local realm"); - krb5_free_principal(context, client); - krb5_free_principal(context, server); - return (FALSE) ; - } - - if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); } + krb5_princ_realm(context, client), + &tgtq.server))){ + com_err(prog_name, retval, "while creating tgt for local realm"); + krb5_free_principal(context, client); + krb5_free_principal(context, server); + return (FALSE) ; + } + + if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); } retval = krb5_cc_retrieve_cred(context, cc, - KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, - &tgtq, &tgt); - + KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, + &tgtq, &tgt); + if (! retval) retval = krb5_check_exp(context, tgt.times); - - if (retval){ - if ((retval != KRB5_CC_NOTFOUND) && - (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ - com_err(prog_name, retval, - "while retrieving creds from cache"); - return (FALSE) ; - } + + if (retval){ + if ((retval != KRB5_CC_NOTFOUND) && + (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ + com_err(prog_name, retval, + "while retrieving creds from cache"); + return (FALSE) ; + } } else{ - got_it = 1; + got_it = 1; } - + if (! got_it){ - + #ifdef GET_TGT_VIA_PASSWD - if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { - com_err("ksu", errno, "while switching to target uid"); - return FALSE; - } - - - fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged \n"); - fprintf(stderr," in remotely using an unsecure (non-encrypted) channel. \n"); - - /*get the ticket granting ticket, via passwd(promt for passwd)*/ - if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server, - options, & zero_password) == FALSE){ - krb5_seteuid(0); - - return FALSE; - } - *path_passwd = 1; - if (krb5_seteuid(0)) { - com_err("ksu", errno, "while reclaiming root uid"); - return FALSE; - } - + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { + com_err("ksu", errno, "while switching to target uid"); + return FALSE; + } + + + fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged \n"); + fprintf(stderr," in remotely using an unsecure (non-encrypted) channel. \n"); + + /*get the ticket granting ticket, via passwd(promt for passwd)*/ + if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server, + options, & zero_password) == FALSE){ + krb5_seteuid(0); + + return FALSE; + } + *path_passwd = 1; + if (krb5_seteuid(0)) { + com_err("ksu", errno, "while reclaiming root uid"); + return FALSE; + } + #else - plain_dump_principal (context, client); - fprintf(stderr,"does not have any appropriate tickets in the cache.\n"); - return FALSE; - -#endif /* GET_TGT_VIA_PASSWD */ + plain_dump_principal (context, client); + fprintf(stderr,"does not have any appropriate tickets in the cache.\n"); + return FALSE; + +#endif /* GET_TGT_VIA_PASSWD */ } - + if ((retval= krb5_copy_principal(context, client, &in_creds.client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval= krb5_copy_principal(context, server, &in_creds.server))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - - if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds, - &out_creds, &tgts))){ - com_err(prog_name, retval, "while getting credentials from kdc"); - return (FALSE); + + if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds, + &out_creds, &tgts))){ + com_err(prog_name, retval, "while getting credentials from kdc"); + return (FALSE); } - - - if (auth_debug){ - fprintf(stderr,"krb5_auth_check: got ticket for end server \n"); - dump_principal(context, "out_creds->server", out_creds->server ); - } - - - if (tgts){ - register int i =0; - - if (auth_debug){ - fprintf(stderr, "krb5_auth_check: went via multiple realms"); - } - while (tgts[i]){ - if ((retval=krb5_cc_store_cred(context,cc,tgts[i]))) { - com_err(prog_name, retval, - "while storing credentials from cross-realm walk"); - return (FALSE); - } - i++; - } - krb5_free_tgt_creds(context, tgts); + + + if (auth_debug){ + fprintf(stderr,"krb5_auth_check: got ticket for end server \n"); + dump_principal(context, "out_creds->server", out_creds->server ); } - + + + if (tgts){ + register int i =0; + + if (auth_debug){ + fprintf(stderr, "krb5_auth_check: went via multiple realms"); + } + while (tgts[i]){ + if ((retval=krb5_cc_store_cred(context,cc,tgts[i]))) { + com_err(prog_name, retval, + "while storing credentials from cross-realm walk"); + return (FALSE); + } + i++; + } + krb5_free_tgt_creds(context, tgts); + } + krb5_verify_init_creds_opt_init(&vfy_opts); krb5_verify_init_creds_opt_set_ap_req_nofail( &vfy_opts, 1); - retval = krb5_verify_init_creds(context, out_creds, server, NULL /*keytab*/, - NULL /*output ccache*/, - &vfy_opts); + retval = krb5_verify_init_creds(context, out_creds, server, NULL /*keytab*/, + NULL /*output ccache*/, + &vfy_opts); if (retval) { - com_err(prog_name, retval, "while verifying ticket for server"); - return (FALSE); + com_err(prog_name, retval, "while verifying ticket for server"); + return (FALSE); } - + if ((retval = krb5_cc_store_cred(context, cc, out_creds))){ - com_err(prog_name, retval, - "While storing credentials"); - return (FALSE); + com_err(prog_name, retval, + "While storing credentials"); + return (FALSE); } return (TRUE); } /* krb5_fast_auth checks if ticket for the end server is already in - the cache, if it is, we don't need a tgt */ + the cache, if it is, we don't need a tgt */ krb5_boolean krb5_fast_auth(context, client, server, target_user, cc) krb5_context context; @@ -236,49 +237,49 @@ krb5_boolean krb5_fast_auth(context, client, server, target_user, cc) char *target_user; krb5_ccache cc; { - + krb5_creds tgt, tgtq; krb5_verify_init_creds_opt vfy_opts; krb5_error_code retval; - - memset(&tgtq, 0, sizeof(tgtq)); - memset(&tgt, 0, sizeof(tgt)); - + + memset(&tgtq, 0, sizeof(tgtq)); + memset(&tgt, 0, sizeof(tgt)); + if ((retval= krb5_copy_principal(context, client, &tgtq.client))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval= krb5_copy_principal(context, server, &tgtq.server))){ - com_err(prog_name, retval,"while copying client principal"); - return (FALSE) ; + com_err(prog_name, retval,"while copying client principal"); + return (FALSE) ; } - + if ((retval = krb5_cc_retrieve_cred(context, cc, - KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, - &tgtq, &tgt))){ - if (auth_debug) - com_err(prog_name, retval,"While Retrieving credentials"); - return (FALSE) ; - + KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, + &tgtq, &tgt))){ + if (auth_debug) + com_err(prog_name, retval,"While Retrieving credentials"); + return (FALSE) ; + } krb5_verify_init_creds_opt_init(&vfy_opts); krb5_verify_init_creds_opt_set_ap_req_nofail( &vfy_opts, 1); - retval = krb5_verify_init_creds(context, &tgt, server, NULL /*keytab*/, - NULL /*output ccache*/, - &vfy_opts); - if (retval){ - com_err(prog_name, retval, "while verifing ticket for server"); - return (FALSE); + retval = krb5_verify_init_creds(context, &tgt, server, NULL /*keytab*/, + NULL /*output ccache*/, + &vfy_opts); + if (retval){ + com_err(prog_name, retval, "while verifing ticket for server"); + return (FALSE); } - + return TRUE; } krb5_boolean krb5_get_tkt_via_passwd (context, ccache, client, server, - options, zero_password) + options, zero_password) krb5_context context; krb5_ccache *ccache; krb5_principal client; @@ -293,77 +294,77 @@ krb5_boolean krb5_get_tkt_via_passwd (context, ccache, client, server, char password[255], *client_name, prompt[255]; int result; - *zero_password = FALSE; - + *zero_password = FALSE; + if ((code = krb5_unparse_name(context, client, &client_name))) { com_err (prog_name, code, "when unparsing name"); return (FALSE); } memset(&my_creds, 0, sizeof(my_creds)); - - if ((code = krb5_copy_principal(context, client, &my_creds.client))){ + + if ((code = krb5_copy_principal(context, client, &my_creds.client))){ com_err (prog_name, code, "while copying principal"); - return (FALSE); - } + return (FALSE); + } - if ((code = krb5_copy_principal(context, server, &my_creds.server))){ + if ((code = krb5_copy_principal(context, server, &my_creds.server))){ com_err (prog_name, code, "while copying principal"); - return (FALSE); - } + return (FALSE); + } if ((code = krb5_timeofday(context, &now))) { - com_err(prog_name, code, "while getting time of day"); - return (FALSE); + com_err(prog_name, code, "while getting time of day"); + return (FALSE); } - my_creds.times.starttime = 0; /* start timer when request - gets to KDC */ - + my_creds.times.starttime = 0; /* start timer when request + gets to KDC */ + my_creds.times.endtime = now + options->lifetime; if (options->opt & KDC_OPT_RENEWABLE) { - my_creds.times.renew_till = now + options->rlife; + my_creds.times.renew_till = now + options->rlife; } else - my_creds.times.renew_till = 0; + my_creds.times.renew_till = 0; result = snprintf(prompt, sizeof(prompt), "Kerberos password for %s: ", - client_name); + client_name); if (SNPRINTF_OVERFLOW(result, sizeof(prompt))) { - fprintf (stderr, - "principal name %s too long for internal buffer space\n", - client_name); - return FALSE; + fprintf (stderr, + "principal name %s too long for internal buffer space\n", + client_name); + return FALSE; } - + pwsize = sizeof(password); - + code = krb5_read_password(context, prompt, 0, password, &pwsize); if (code ) { - com_err(prog_name, code, "while reading password for '%s'\n", - client_name); - memset(password, 0, sizeof(password)); - return (FALSE); + com_err(prog_name, code, "while reading password for '%s'\n", + client_name); + memset(password, 0, sizeof(password)); + return (FALSE); } - + if ( pwsize == 0) { - fprintf(stderr, "No password given\n"); - *zero_password = TRUE; - memset(password, 0, sizeof(password)); - return (FALSE); + fprintf(stderr, "No password given\n"); + *zero_password = TRUE; + memset(password, 0, sizeof(password)); + return (FALSE); } - - code = krb5_get_in_tkt_with_password(context, options->opt, - 0, NULL, preauth_ptr, - password, *ccache, &my_creds, 0); + + code = krb5_get_in_tkt_with_password(context, options->opt, + 0, NULL, preauth_ptr, + password, *ccache, &my_creds, 0); memset(password, 0, sizeof(password)); - - + + if (code) { - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) - fprintf (stderr, "%s: Password incorrect\n", prog_name); - else - com_err (prog_name, code, "while getting initial credentials"); - return (FALSE); + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) + fprintf (stderr, "%s: Password incorrect\n", prog_name); + else + com_err (prog_name, code, "while getting initial credentials"); + return (FALSE); } return (TRUE); } @@ -375,10 +376,10 @@ void dump_principal (context, str, p) krb5_principal p; { char * stname; - krb5_error_code retval; + krb5_error_code retval; if ((retval = krb5_unparse_name(context, p, &stname))) { - fprintf(stderr, " %s while unparsing name\n", error_message(retval)); + fprintf(stderr, " %s while unparsing name\n", error_message(retval)); } fprintf(stderr, " %s: %s\n", str, stname); } @@ -386,21 +387,21 @@ void dump_principal (context, str, p) void plain_dump_principal (context, p) krb5_context context; krb5_principal p; -{ +{ char * stname; - krb5_error_code retval; + krb5_error_code retval; if ((retval = krb5_unparse_name(context, p, &stname))) - fprintf(stderr, " %s while unparsing name\n", error_message(retval)); + fprintf(stderr, " %s while unparsing name\n", error_message(retval)); fprintf(stderr, "%s ", stname); } /********************************************************************** returns the principal that is closest to client. plist contains -a principal list obtained from .k5login and parhaps .k5users file. -This routine gets called before getting the password for a tgt. -A principal is picked that has the best chance of getting in. +a principal list obtained from .k5login and parhaps .k5users file. +This routine gets called before getting the password for a tgt. +A principal is picked that has the best chance of getting in. **********************************************************************/ @@ -410,55 +411,55 @@ krb5_error_code get_best_principal(context, plist, client) char **plist; krb5_principal *client; { - krb5_error_code retval =0; + krb5_error_code retval =0; krb5_principal temp_client, best_client = NULL; - + int i = 0, nelem; - + if (! plist ) return 0; - + nelem = krb5_princ_size(context, *client); - + while(plist[i]){ - - if ((retval = krb5_parse_name(context, plist[i], &temp_client))){ - return retval; - } - - if (data_eq(*krb5_princ_realm(context, *client), - *krb5_princ_realm(context, temp_client))) { - - if (nelem && - krb5_princ_size(context, *client) > 0 && - krb5_princ_size(context, temp_client) > 0) { - krb5_data *p1 = - krb5_princ_component(context, *client, 0); - krb5_data *p2 = - krb5_princ_component(context, temp_client, 0); - - if (data_eq(*p1, *p2)) { - - if (auth_debug){ - fprintf(stderr, - "get_best_principal: compare with %s\n", - plist[i]); - } - - if(best_client){ - if(krb5_princ_size(context, best_client) > - krb5_princ_size(context, temp_client)){ - best_client = temp_client; - } - }else{ - best_client = temp_client; - } - } - } - - } - i++; + + if ((retval = krb5_parse_name(context, plist[i], &temp_client))){ + return retval; + } + + if (data_eq(*krb5_princ_realm(context, *client), + *krb5_princ_realm(context, temp_client))) { + + if (nelem && + krb5_princ_size(context, *client) > 0 && + krb5_princ_size(context, temp_client) > 0) { + krb5_data *p1 = + krb5_princ_component(context, *client, 0); + krb5_data *p2 = + krb5_princ_component(context, temp_client, 0); + + if (data_eq(*p1, *p2)) { + + if (auth_debug){ + fprintf(stderr, + "get_best_principal: compare with %s\n", + plist[i]); + } + + if(best_client){ + if(krb5_princ_size(context, best_client) > + krb5_princ_size(context, temp_client)){ + best_client = temp_client; + } + }else{ + best_client = temp_client; + } + } + } + + } + i++; } - + if (best_client) *client = best_client; return 0; } diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h index 76ed7032d..f2c0811fc 100644 --- a/src/clients/ksu/ksu.h +++ b/src/clients/ksu/ksu.h @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR @@ -29,7 +30,7 @@ #include "k5-util.h" #include #include "com_err.h" -#include +#include #include #include #include @@ -48,15 +49,15 @@ #define KRB5_LOGIN_NAME ".k5login" #define KRB5_USERS_NAME ".k5users" #define USE_DEFAULT_REALM_NAME "." -#define PERMIT_ALL_COMMANDS "*" +#define PERMIT_ALL_COMMANDS "*" #define KRB5_SEC_BUFFSIZE 80 #define NOT_AUTHORIZED 1 #define CHUNK 3 #define CACHE_MODE 0600 -#define MAX_CMD 2048 /* this is temp, should use realloc instead, - as done in most of the code */ - +#define MAX_CMD 2048 /* this is temp, should use realloc instead, + as done in most of the code */ + extern int optind; extern char * optarg; @@ -71,90 +72,90 @@ extern char * gb_err; /***********/ typedef struct opt_info{ - int opt; - krb5_deltat lifetime; - krb5_deltat rlife; - int princ; + int opt; + krb5_deltat lifetime; + krb5_deltat rlife; + int princ; }opt_info; /* krb_auth_su.c */ extern krb5_boolean krb5_auth_check - (krb5_context, krb5_principal, char *, opt_info *, - char *, krb5_ccache, int *, uid_t); +(krb5_context, krb5_principal, char *, opt_info *, + char *, krb5_ccache, int *, uid_t); extern krb5_boolean krb5_fast_auth - (krb5_context, krb5_principal, krb5_principal, char *, - krb5_ccache); +(krb5_context, krb5_principal, krb5_principal, char *, + krb5_ccache); -extern krb5_boolean krb5_get_tkt_via_passwd - (krb5_context, krb5_ccache *, krb5_principal, - krb5_principal, opt_info *, krb5_boolean *); +extern krb5_boolean krb5_get_tkt_via_passwd +(krb5_context, krb5_ccache *, krb5_principal, + krb5_principal, opt_info *, krb5_boolean *); -extern void dump_principal - (krb5_context, char *, krb5_principal); +extern void dump_principal +(krb5_context, char *, krb5_principal); -extern void plain_dump_principal - (krb5_context, krb5_principal); +extern void plain_dump_principal +(krb5_context, krb5_principal); extern krb5_error_code krb5_parse_lifetime - (char *, long *); +(char *, long *); extern krb5_error_code get_best_principal - (krb5_context, char **, krb5_principal *); +(krb5_context, char **, krb5_principal *); /* ccache.c */ extern krb5_error_code krb5_ccache_copy - (krb5_context, krb5_ccache, char *, krb5_principal, - krb5_ccache *, krb5_boolean *, uid_t); +(krb5_context, krb5_ccache, char *, krb5_principal, + krb5_ccache *, krb5_boolean *, uid_t); extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); +(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); +(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); extern krb5_boolean compare_creds - (krb5_context, krb5_creds *, krb5_creds *); +(krb5_context, krb5_creds *, krb5_creds *); extern krb5_error_code krb5_get_nonexp_tkts - (krb5_context, krb5_ccache, krb5_creds ***); +(krb5_context, krb5_ccache, krb5_creds ***); extern krb5_error_code krb5_check_exp - (krb5_context, krb5_ticket_times); +(krb5_context, krb5_ticket_times); extern char *flags_string (krb5_creds *); extern krb5_error_code krb5_get_login_princ - (const char *, char ***); +(const char *, char ***); extern void show_credential - (krb5_context, krb5_creds *, krb5_ccache); +(krb5_context, krb5_creds *, krb5_ccache); extern int gen_sym (void); extern krb5_error_code krb5_ccache_overwrite - (krb5_context, krb5_ccache, krb5_ccache, krb5_principal); +(krb5_context, krb5_ccache, krb5_ccache, krb5_principal); extern krb5_error_code krb5_store_some_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, - krb5_principal, krb5_boolean *); +(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, + krb5_principal, krb5_boolean *); extern krb5_error_code krb5_ccache_copy_restricted - (krb5_context, krb5_ccache, char *, krb5_principal, - krb5_ccache *, krb5_boolean *, uid_t); +(krb5_context, krb5_ccache, char *, krb5_principal, + krb5_ccache *, krb5_boolean *, uid_t); extern krb5_error_code krb5_ccache_refresh - (krb5_context, krb5_ccache); +(krb5_context, krb5_ccache); extern krb5_error_code krb5_ccache_filter - (krb5_context, krb5_ccache, krb5_principal); +(krb5_context, krb5_ccache, krb5_principal); extern krb5_boolean krb5_find_princ_in_cred_list - (krb5_context, krb5_creds **, krb5_principal); +(krb5_context, krb5_creds **, krb5_principal); extern krb5_error_code krb5_find_princ_in_cache - (krb5_context, krb5_ccache, krb5_principal, krb5_boolean *); +(krb5_context, krb5_ccache, krb5_principal, krb5_boolean *); extern void printtime (time_t); @@ -162,17 +163,17 @@ extern void printtime (time_t); extern krb5_boolean fowner (FILE *, uid_t); extern krb5_error_code krb5_authorization - (krb5_context, krb5_principal, const char *, char *, - krb5_boolean *, char **); +(krb5_context, krb5_principal, const char *, char *, + krb5_boolean *, char **); extern krb5_error_code k5login_lookup (FILE *, char *, - krb5_boolean *); + krb5_boolean *); -extern krb5_error_code k5users_lookup - (FILE *, char *, char *, krb5_boolean *, char **); +extern krb5_error_code k5users_lookup +(FILE *, char *, char *, krb5_boolean *, char **); extern krb5_boolean fcmd_resolve - (char *, char ***, char **); +(char *, char ***, char **); extern krb5_boolean cmd_single (char *); @@ -180,11 +181,11 @@ extern int cmd_arr_cmp_postfix (char **, char *); extern int cmd_arr_cmp (char **, char *); -extern krb5_boolean find_first_cmd_that_exists - (char **, char **, char **); +extern krb5_boolean find_first_cmd_that_exists +(char **, char **, char **); -extern int match_commands - (char *, char *, krb5_boolean *, char **, char **); +extern int match_commands +(char *, char *, krb5_boolean *, char **, char **); extern krb5_error_code get_line (FILE *, char **); @@ -211,30 +212,30 @@ extern krb5_error_code list_union (char **, char **, char ***); extern krb5_error_code filter (FILE *, char *, char **, char ***); extern krb5_error_code get_authorized_princ_names - (const char *, char *, char ***); +(const char *, char *, char ***); -extern krb5_error_code get_closest_principal - (krb5_context, char **, krb5_principal *, krb5_boolean *); +extern krb5_error_code get_closest_principal +(krb5_context, char **, krb5_principal *, krb5_boolean *); -extern krb5_error_code find_either_ticket - (krb5_context, krb5_ccache, krb5_principal, - krb5_principal, krb5_boolean *); +extern krb5_error_code find_either_ticket +(krb5_context, krb5_ccache, krb5_principal, + krb5_principal, krb5_boolean *); -extern krb5_error_code find_ticket - (krb5_context, krb5_ccache, krb5_principal, - krb5_principal, krb5_boolean *); +extern krb5_error_code find_ticket +(krb5_context, krb5_ccache, krb5_principal, + krb5_principal, krb5_boolean *); extern krb5_error_code find_princ_in_list - (krb5_context, krb5_principal, char **, krb5_boolean *); +(krb5_context, krb5_principal, char **, krb5_boolean *); extern krb5_error_code get_best_princ_for_target - (krb5_context, uid_t, uid_t, char *, char *, krb5_ccache, - opt_info *, char *, char *, krb5_principal *, int *); +(krb5_context, uid_t, uid_t, char *, char *, krb5_ccache, + opt_info *, char *, char *, krb5_principal *, int *); extern krb5_error_code ksu_tgtname (krb5_context, const krb5_data *, - const krb5_data *, - krb5_principal *tgtprinc); + const krb5_data *, + krb5_principal *tgtprinc); #ifndef min #define min(a,b) ((a) > (b) ? (b) : (a)) @@ -242,14 +243,14 @@ extern krb5_error_code ksu_tgtname (krb5_context, const krb5_data *, extern char *krb5_lname_file; /* Note: print this out just be sure - that it gets set */ + that it gets set */ -extern void *xmalloc (size_t), - *xrealloc (void *, size_t), +extern void *xmalloc (size_t), + *xrealloc (void *, size_t), *xcalloc (size_t, size_t); -extern char *xstrdup (const char *); -extern char *xasprintf (const char *format, ...); + extern char *xstrdup (const char *); + extern char *xasprintf (const char *format, ...); #ifndef HAVE_UNSETENV -void unsetenv (char *); + void unsetenv (char *); #endif diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c index 0aba56933..b7dcdadc6 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -1,4 +1,5 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * Copyright (c) 1994 by the University of Southern California * * EXPORT OF THIS SOFTWARE from the United States of America may @@ -10,7 +11,7 @@ * this software and its documentation in source and binary forms is * hereby granted, provided that any documentation or other materials * related to such distribution or use acknowledge that the software - * was developed by the University of Southern California. + * was developed by the University of Southern California. * * DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The * University of Southern California MAKES NO REPRESENTATIONS OR @@ -34,31 +35,31 @@ /* globals */ char * prog_name; -int auth_debug =0; +int auth_debug =0; char k5login_path[MAXPATHLEN]; char k5users_path[MAXPATHLEN]; char * gb_err = NULL; int quiet = 0; /***********/ -#define _DEF_CSH "/bin/csh" +#define _DEF_CSH "/bin/csh" static int set_env_var (char *, char *); static void sweep_up (krb5_context, krb5_ccache); static char * ontty (void); #ifdef HAVE_STDARG_H static void print_status( const char *fmt, ...) #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7) - __attribute__ ((__format__ (__printf__, 1, 2))) + __attribute__ ((__format__ (__printf__, 1, 2))) #endif - ; + ; #else static void print_status(); #endif -char * get_dir_of_file(); +char * get_dir_of_file(); /* Note -e and -a options are mutually exclusive */ -/* insure the proper specification of target user as well as catching - ill specified arguments to commands */ +/* insure the proper specification of target user as well as catching + ill specified arguments to commands */ void usage (){ fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name); @@ -76,31 +77,31 @@ int main (argc, argv) int argc; char ** argv; -{ +{ int hp =0; - int some_rest_copy = 0; - int all_rest_copy = 0; + int some_rest_copy = 0; + int all_rest_copy = 0; char *localhostname = NULL; opt_info options; int option=0; int statusp=0; - krb5_error_code retval = 0; + krb5_error_code retval = 0; krb5_principal client = NULL; krb5_ccache cc_target = NULL; krb5_context ksu_context; - char * cc_target_tag = NULL; + char * cc_target_tag = NULL; char * target_user = NULL; char * source_user; - + krb5_ccache cc_source = NULL; - const char * cc_source_tag = NULL; + const char * cc_source_tag = NULL; uid_t source_gid, target_gid; const char * cc_source_tag_tmp = NULL; - char * cc_target_tag_tmp=NULL; + char * cc_target_tag_tmp=NULL; char * cmd = NULL, * exec_cmd = NULL; int errflg = 0; - krb5_boolean auth_val; - krb5_boolean authorization_val = FALSE; + krb5_boolean auth_val; + krb5_boolean authorization_val = FALSE; int path_passwd = 0; int done =0,i,j; uid_t ruid = getuid (); @@ -116,12 +117,12 @@ main (argc, argv) krb5_boolean stored = FALSE; krb5_principal kdc_server; krb5_boolean zero_password; - char * dir_of_cc_target; - + char * dir_of_cc_target; + options.opt = KRB5_DEFAULT_OPTIONS; options.lifetime = KRB5_DEFAULT_TKT_LIFE; - options.rlife =0; - options.princ =0; + options.rlife =0; + options.princ =0; params = (char **) xcalloc (2, sizeof (char *)); params[1] = NULL; @@ -132,157 +133,157 @@ main (argc, argv) retval = krb5_init_secure_context(&ksu_context); if (retval) { com_err(argv[0], retval, "while initializing krb5"); - exit(1); + exit(1); } if (strrchr(argv[0], '/')) - argv[0] = strrchr(argv[0], '/')+1; + argv[0] = strrchr(argv[0], '/')+1; prog_name = argv[0]; if (strlen (prog_name) > 50) { - /* this many chars *after* last / ?? */ - com_err(prog_name, 0, "program name too long - quitting to avoid triggering system logging bugs"); - exit (1); + /* this many chars *after* last / ?? */ + com_err(prog_name, 0, "program name too long - quitting to avoid triggering system logging bugs"); + exit (1); } #ifndef LOG_NDELAY #define LOG_NDELAY 0 #endif - + #ifndef LOG_AUTH /* 4.2 syslog */ openlog(prog_name, LOG_PID|LOG_NDELAY); #else openlog(prog_name, LOG_PID | LOG_NDELAY, LOG_AUTH); #endif /* 4.2 syslog */ - - + + if (( argc == 1) || (argv[1][0] == '-')){ - target_user = xstrdup("root"); - pargc = argc; - pargv = argv; + target_user = xstrdup("root"); + pargc = argc; + pargv = argv; } else { - target_user = xstrdup(argv[1]); - pargc = argc -1; - - if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){ - com_err(prog_name, errno, "while allocating memory"); - exit(1); - } - - pargv[pargc] = NULL; - pargv[0] = argv[0]; - - for(i =1; i< pargc; i ++){ - pargv[i] = argv[i + 1]; - } - } - + target_user = xstrdup(argv[1]); + pargc = argc -1; + + if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){ + com_err(prog_name, errno, "while allocating memory"); + exit(1); + } + + pargv[pargc] = NULL; + pargv[0] = argv[0]; + + for(i =1; i< pargc; i ++){ + pargv[i] = argv[i + 1]; + } + } + if (krb5_seteuid (ruid)) { - com_err (prog_name, errno, "while setting euid to source user"); - exit (1); + com_err (prog_name, errno, "while setting euid to source user"); + exit (1); } while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){ - switch (option) { - case 'r': - options.opt |= KDC_OPT_RENEWABLE; - if (strlen (optarg) >= 14) - optarg = "bad-time"; - retval = krb5_string_to_deltat(optarg, &options.rlife); - if (retval != 0 || options.rlife == 0) { - fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg); - errflg++; - } - break; - case 'a': + switch (option) { + case 'r': + options.opt |= KDC_OPT_RENEWABLE; + if (strlen (optarg) >= 14) + optarg = "bad-time"; + retval = krb5_string_to_deltat(optarg, &options.rlife); + if (retval != 0 || options.rlife == 0) { + fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg); + errflg++; + } + break; + case 'a': /* when integrating this remember to pass in pargc, pargv and take care of params argument */ - optind --; - if (auth_debug){printf("Before get_params optind=%d\n", optind);} - + optind --; + if (auth_debug){printf("Before get_params optind=%d\n", optind);} + if ((retval = get_params( & optind, pargc, pargv, ¶ms))){ com_err(prog_name, retval, "when gathering parameters"); errflg++; } if(auth_debug){ printf("After get_params optind=%d\n", optind);} - done = 1; + done = 1; + break; + case 'p': + options.opt |= KDC_OPT_PROXIABLE; + break; + case 'f': + options.opt |= KDC_OPT_FORWARDABLE; + break; + case 'k': + keep_target_cache =1; + break; + case 'q': + quiet =1; break; - case 'p': - options.opt |= KDC_OPT_PROXIABLE; - break; - case 'f': - options.opt |= KDC_OPT_FORWARDABLE; - break; - case 'k': - keep_target_cache =1; - break; - case 'q': - quiet =1; - break; case 'l': - if (strlen (optarg) >= 14) - optarg = "bad-time"; - retval = krb5_string_to_deltat(optarg, &options.lifetime); - if (retval != 0 || options.lifetime == 0) { - fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg); - errflg++; - } - break; - case 'n': - if ((retval = krb5_parse_name(ksu_context, optarg, &client))){ - com_err(prog_name, retval, "when parsing name %s", optarg); - errflg++; - } - - options.princ = 1; - - break; + if (strlen (optarg) >= 14) + optarg = "bad-time"; + retval = krb5_string_to_deltat(optarg, &options.lifetime); + if (retval != 0 || options.lifetime == 0) { + fprintf(stderr, "Bad lifetime value (%s hours?)\n", optarg); + errflg++; + } + break; + case 'n': + if ((retval = krb5_parse_name(ksu_context, optarg, &client))){ + com_err(prog_name, retval, "when parsing name %s", optarg); + errflg++; + } + + options.princ = 1; + + break; #ifdef DEBUG - case 'D': - auth_debug = 1; - break; + case 'D': + auth_debug = 1; + break; #endif - case 'z': - some_rest_copy = 1; - if(all_rest_copy) { - fprintf(stderr, - "-z option is mutually exclusive with -Z.\n"); - errflg++; - } - break; - case 'Z': - all_rest_copy = 1; - if(some_rest_copy) { - fprintf(stderr, - "-Z option is mutually exclusive with -z.\n"); - errflg++; - } - break; - case 'c': - if (cc_source_tag == NULL) { - cc_source_tag = xstrdup(optarg); - if ( strchr(cc_source_tag, ':')){ - cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1; - - if( stat( cc_source_tag_tmp, &st_temp)){ - com_err (prog_name, errno, - "while looking for credentials file %s", - cc_source_tag_tmp); - exit (1); - } - } - else { - fprintf(stderr,"malformed credential cache name %s\n", - cc_source_tag); - errflg++; - } - - } else { - fprintf(stderr, "Only one -c option allowed\n"); - errflg++; - } - break; - case 'e': - cmd = xstrdup(optarg); + case 'z': + some_rest_copy = 1; + if(all_rest_copy) { + fprintf(stderr, + "-z option is mutually exclusive with -Z.\n"); + errflg++; + } + break; + case 'Z': + all_rest_copy = 1; + if(some_rest_copy) { + fprintf(stderr, + "-Z option is mutually exclusive with -z.\n"); + errflg++; + } + break; + case 'c': + if (cc_source_tag == NULL) { + cc_source_tag = xstrdup(optarg); + if ( strchr(cc_source_tag, ':')){ + cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1; + + if( stat( cc_source_tag_tmp, &st_temp)){ + com_err (prog_name, errno, + "while looking for credentials file %s", + cc_source_tag_tmp); + exit (1); + } + } + else { + fprintf(stderr,"malformed credential cache name %s\n", + cc_source_tag); + errflg++; + } + + } else { + fprintf(stderr, "Only one -c option allowed\n"); + errflg++; + } + break; + case 'e': + cmd = xstrdup(optarg); if(auth_debug){printf("Before get_params optind=%d\n", optind);} if ((retval = get_params( & optind, pargc, pargv, ¶ms))){ com_err(prog_name, retval, "when gathering parameters"); @@ -295,16 +296,16 @@ main (argc, argv) fprintf(stderr,"Command to be executed: %s\n", cmd); } break; - case '?': - default: - errflg++; - break; - } + case '?': + default: + errflg++; + break; + } } if (errflg) { - usage(); - exit(2); + usage(); + exit(2); } if (optind != pargc ){ @@ -312,544 +313,544 @@ main (argc, argv) exit(2); } - if (auth_debug){ - for(j=1; params[j] != NULL; j++){ - fprintf (stderr,"params[%d]= %s\n", j,params[j]); - } - } + if (auth_debug){ + for(j=1; params[j] != NULL; j++){ + fprintf (stderr,"params[%d]= %s\n", j,params[j]); + } + } /***********************************/ source_user = getlogin(); /*checks for the the login name in /etc/utmp*/ - + /* verify that that the user exists and get his passwd structure */ - + if (source_user == NULL ||(pwd = getpwnam(source_user)) == NULL || - pwd->pw_uid != ruid){ - pwd = getpwuid(ruid); + pwd->pw_uid != ruid){ + pwd = getpwuid(ruid); } - + if (pwd == NULL) { - fprintf(stderr, "ksu: who are you?\n"); - exit(1); + fprintf(stderr, "ksu: who are you?\n"); + exit(1); } if (pwd->pw_uid != ruid) { - fprintf (stderr, "Your uid doesn't match your passwd entry?!\n"); - exit (1); + fprintf (stderr, "Your uid doesn't match your passwd entry?!\n"); + exit (1); } /* Okay, now we have *some* passwd entry that matches the current real uid. */ - - /* allocate space and copy the usernamane there */ + + /* allocate space and copy the usernamane there */ source_user = xstrdup(pwd->pw_name); source_uid = pwd->pw_uid; source_gid = pwd->pw_gid; - - + + if (!strcmp(SOURCE_USER_LOGIN, target_user)){ - target_user = xstrdup (source_user); + target_user = xstrdup (source_user); } - - if ((target_pwd = getpwnam(target_user)) == NULL){ - fprintf(stderr, "ksu: unknown login %s\n", target_user); - exit(1); + + if ((target_pwd = getpwnam(target_user)) == NULL){ + fprintf(stderr, "ksu: unknown login %s\n", target_user); + exit(1); } target_uid = target_pwd->pw_uid; target_gid = target_pwd->pw_gid; - + init_auth_names(target_pwd->pw_dir); - + /***********************************/ - + if (cc_source_tag == NULL){ - cc_source_tag = krb5_cc_default_name(ksu_context); - cc_source_tag_tmp = strchr(cc_source_tag, ':'); - if (cc_source_tag_tmp == 0) - cc_source_tag_tmp = cc_source_tag; - else - cc_source_tag_tmp++; - } - - /* get a handle for the cache */ + cc_source_tag = krb5_cc_default_name(ksu_context); + cc_source_tag_tmp = strchr(cc_source_tag, ':'); + if (cc_source_tag_tmp == 0) + cc_source_tag_tmp = cc_source_tag; + else + cc_source_tag_tmp++; + } + + /* get a handle for the cache */ if ((retval = krb5_cc_resolve(ksu_context, cc_source_tag, &cc_source))){ - com_err(prog_name, retval,"while getting source cache"); - exit(1); + com_err(prog_name, retval,"while getting source cache"); + exit(1); } - + if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0) - && (retval != KRB5_FCC_NOFILE)) { - com_err(prog_name, retval, "while opening ccache"); - exit(1); + && (retval != KRB5_FCC_NOFILE)) { + com_err(prog_name, retval, "while opening ccache"); + exit(1); } if ((retval = get_best_princ_for_target(ksu_context, source_uid, - target_uid, source_user, - target_user, cc_source, - &options, cmd, localhostname, - &client, &hp))){ - com_err(prog_name,retval, "while selecting the best principal"); - exit(1); - } - + target_uid, source_user, + target_user, cc_source, + &options, cmd, localhostname, + &client, &hp))){ + com_err(prog_name,retval, "while selecting the best principal"); + exit(1); + } + /* We may be running as either source or target, depending on what happened; become source.*/ if ( geteuid() != source_uid) { - if (krb5_seteuid(0) || krb5_seteuid(source_uid) ) { - com_err(prog_name, errno, "while returning to source uid after finding best principal"); - exit(1); - } + if (krb5_seteuid(0) || krb5_seteuid(source_uid) ) { + com_err(prog_name, errno, "while returning to source uid after finding best principal"); + exit(1); + } } - + if (auth_debug){ - if (hp){ - fprintf(stderr, - "GET_best_princ_for_target result: NOT AUTHORIZED\n"); - }else{ - fprintf(stderr, - "GET_best_princ_for_target result-best principal "); - plain_dump_principal (ksu_context, client); - fprintf(stderr,"\n"); - } - } - - if (hp){ - if (gb_err) fprintf(stderr, "%s", gb_err); - fprintf(stderr,"account %s: authorization failed\n",target_user); - exit(1); - } - + if (hp){ + fprintf(stderr, + "GET_best_princ_for_target result: NOT AUTHORIZED\n"); + }else{ + fprintf(stderr, + "GET_best_princ_for_target result-best principal "); + plain_dump_principal (ksu_context, client); + fprintf(stderr,"\n"); + } + } + + if (hp){ + if (gb_err) fprintf(stderr, "%s", gb_err); + fprintf(stderr,"account %s: authorization failed\n",target_user); + exit(1); + } + if (cc_target_tag == NULL) { - - cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char)); - /* make sure that the new ticket file does not already exist - This is run as source_uid because it is reasonable to - require the source user to have write to where the target - cache will be created.*/ - - do { - snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d", - KRB5_SECONDARY_CACHE, - (long) target_uid, gen_sym()); - cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1; - - }while ( !stat ( cc_target_tag_tmp, &st_temp)); - } - - + + cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char)); + /* make sure that the new ticket file does not already exist + This is run as source_uid because it is reasonable to + require the source user to have write to where the target + cache will be created.*/ + + do { + snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d", + KRB5_SECONDARY_CACHE, + (long) target_uid, gen_sym()); + cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1; + + }while ( !stat ( cc_target_tag_tmp, &st_temp)); + } + + dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp); - + if (access(dir_of_cc_target, R_OK | W_OK )){ - fprintf(stderr, - "%s does not have correct permissions for %s\n", - source_user, cc_target_tag); - exit(1); - } - - if (auth_debug){ - fprintf(stderr, " source cache = %s\n", cc_source_tag); - fprintf(stderr, " target cache = %s\n", cc_target_tag); - } - - /* + fprintf(stderr, + "%s does not have correct permissions for %s\n", + source_user, cc_target_tag); + exit(1); + } + + if (auth_debug){ + fprintf(stderr, " source cache = %s\n", cc_source_tag); + fprintf(stderr, " target cache = %s\n", cc_target_tag); + } + + /* Only when proper authentication and authorization - takes place, the target user becomes the owner of the cache. - */ - + takes place, the target user becomes the owner of the cache. + */ + /* we continue to run as source uid until the middle of the copy, when becomewe become the target user The cache is owned by the target user.*/ - - - /* if root ksu's to a regular user, then - then only the credentials for that particular user - should be copied */ - + + + /* if root ksu's to a regular user, then + then only the credentials for that particular user + should be copied */ + if ((source_uid == 0) && (target_uid != 0)) { - - if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source, - cc_target_tag, client, - &cc_target, &stored, - target_uid))){ - com_err (prog_name, retval, - "while copying cache %s to %s", - krb5_cc_get_name(ksu_context, cc_source),cc_target_tag); - exit(1); - } - + + if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source, + cc_target_tag, client, + &cc_target, &stored, + target_uid))){ + com_err (prog_name, retval, + "while copying cache %s to %s", + krb5_cc_get_name(ksu_context, cc_source),cc_target_tag); + exit(1); + } + } else { - if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, - client,&cc_target, &stored, target_uid))) { - com_err (prog_name, retval, - "while copying cache %s to %s", - krb5_cc_get_name(ksu_context, cc_source), - cc_target_tag); - exit(1); - } - - } - + if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, + client,&cc_target, &stored, target_uid))) { + com_err (prog_name, retval, + "while copying cache %s to %s", + krb5_cc_get_name(ksu_context, cc_source), + cc_target_tag); + exit(1); + } + + } + /* Become root for authentication*/ - + if (krb5_seteuid(0)) { - com_err(prog_name, errno, "while reclaiming root uid"); - exit(1); + com_err(prog_name, errno, "while reclaiming root uid"); + exit(1); } - + if ((source_uid == 0) || (target_uid == source_uid)){ #ifdef GET_TGT_VIA_PASSWD - if ((!all_rest_copy) && options.princ && (stored == FALSE)){ - if ((retval = ksu_tgtname(ksu_context, - krb5_princ_realm (ksu_context, client), - krb5_princ_realm(ksu_context, client), - &kdc_server))){ - com_err(prog_name, retval, - "while creating tgt for local realm"); - sweep_up(ksu_context, cc_target); - exit(1); - } - - fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged\n"); - fprintf(stderr," in remotely using an unsecure (non-encrypted) channel.\n"); - if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client, - kdc_server, &options, - &zero_password) == FALSE){ - - if (zero_password == FALSE){ - fprintf(stderr,"Goodbye\n"); - sweep_up(ksu_context, cc_target); - exit(1); - } - - fprintf(stderr, - "Could not get a tgt for "); - plain_dump_principal (ksu_context, client); - fprintf(stderr, "\n"); - - } - } + if ((!all_rest_copy) && options.princ && (stored == FALSE)){ + if ((retval = ksu_tgtname(ksu_context, + krb5_princ_realm (ksu_context, client), + krb5_princ_realm(ksu_context, client), + &kdc_server))){ + com_err(prog_name, retval, + "while creating tgt for local realm"); + sweep_up(ksu_context, cc_target); + exit(1); + } + + fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged\n"); + fprintf(stderr," in remotely using an unsecure (non-encrypted) channel.\n"); + if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client, + kdc_server, &options, + &zero_password) == FALSE){ + + if (zero_password == FALSE){ + fprintf(stderr,"Goodbye\n"); + sweep_up(ksu_context, cc_target); + exit(1); + } + + fprintf(stderr, + "Could not get a tgt for "); + plain_dump_principal (ksu_context, client); + fprintf(stderr, "\n"); + + } + } #endif /* GET_TGT_VIA_PASSWD */ } - + /* if the user is root or same uid then authentication is not neccesary, - root gets in automatically */ - + root gets in automatically */ + if (source_uid && (source_uid != target_uid)) { - char * client_name; - - auth_val = krb5_auth_check(ksu_context, client, localhostname, &options, - target_user,cc_target, &path_passwd, target_uid); - - /* if Kerberos authentication failed then exit */ - if (auth_val ==FALSE){ - fprintf(stderr, "Authentication failed.\n"); - syslog(LOG_WARNING, - "'%s %s' authentication failed for %s%s", - prog_name,target_user,source_user,ontty()); - sweep_up(ksu_context, cc_target); - exit(1); - } - + char * client_name; + + auth_val = krb5_auth_check(ksu_context, client, localhostname, &options, + target_user,cc_target, &path_passwd, target_uid); + + /* if Kerberos authentication failed then exit */ + if (auth_val ==FALSE){ + fprintf(stderr, "Authentication failed.\n"); + syslog(LOG_WARNING, + "'%s %s' authentication failed for %s%s", + prog_name,target_user,source_user,ontty()); + sweep_up(ksu_context, cc_target); + exit(1); + } + #if 0 - /* At best, this avoids a single kdc request - It is hard to implement dealing with file permissions and - is unnecessary. It is important - to properly handle races in chown if this code is ever re-enabled. - */ - /* cache the tickets if possible in the source cache */ - if (!path_passwd){ - - if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source, - client))){ - com_err (prog_name, retval, - "while copying cache %s to %s", - krb5_cc_get_name(ksu_context, cc_target), - krb5_cc_get_name(ksu_context, cc_source)); - sweep_up(ksu_context, cc_target); - exit(1); - } - if (chown(cc_source_tag_tmp, source_uid, source_gid)){ - com_err(prog_name, errno, - "while changing owner for %s", - cc_source_tag_tmp); - exit(1); - } - } + /* At best, this avoids a single kdc request + It is hard to implement dealing with file permissions and + is unnecessary. It is important + to properly handle races in chown if this code is ever re-enabled. + */ + /* cache the tickets if possible in the source cache */ + if (!path_passwd){ + + if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source, + client))){ + com_err (prog_name, retval, + "while copying cache %s to %s", + krb5_cc_get_name(ksu_context, cc_target), + krb5_cc_get_name(ksu_context, cc_source)); + sweep_up(ksu_context, cc_target); + exit(1); + } + if (chown(cc_source_tag_tmp, source_uid, source_gid)){ + com_err(prog_name, errno, + "while changing owner for %s", + cc_source_tag_tmp); + exit(1); + } + } #endif /*0*/ - if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) { - com_err (prog_name, retval, "When unparsing name"); - sweep_up(ksu_context, cc_target); - exit(1); - } - - print_status("Authenticated %s\n", client_name); - syslog(LOG_NOTICE,"'%s %s' authenticated %s for %s%s", - prog_name,target_user,client_name, - source_user,ontty()); - - /* Run authorization as target.*/ - if (krb5_seteuid(target_uid)) { - com_err(prog_name, errno, "while switching to target for authorization check"); - sweep_up(ksu_context, cc_target); - exit(1); - } - - if ((retval = krb5_authorization(ksu_context, client,target_user, - cmd, &authorization_val, &exec_cmd))){ - com_err(prog_name,retval,"while checking authorization"); - krb5_seteuid(0); /*So we have some chance of sweeping up*/ - sweep_up(ksu_context, cc_target); - exit(1); - } - - if (krb5_seteuid(0)) { - com_err(prog_name, errno, "while switching back from target after authorization check"); - sweep_up(ksu_context, cc_target); - exit(1); - } - if (authorization_val == TRUE){ - - if (cmd) { - print_status( - "Account %s: authorization for %s for execution of\n", - target_user, client_name); - print_status(" %s successful\n",exec_cmd); - syslog(LOG_NOTICE, - "Account %s: authorization for %s for execution of %s successful", - target_user, client_name, exec_cmd); - - }else{ - print_status( - "Account %s: authorization for %s successful\n", - target_user, client_name); - syslog(LOG_NOTICE, - "Account %s: authorization for %s successful", - target_user, client_name); - } - }else { - if (cmd){ - if (exec_cmd){ /* was used to pass back the error msg */ - fprintf(stderr, "%s", exec_cmd ); - syslog(LOG_WARNING, "%s",exec_cmd); - } - fprintf(stderr, - "Account %s: authorization for %s for execution of %s failed\n", - target_user, client_name, cmd ); - syslog(LOG_WARNING, - "Account %s: authorization for %s for execution of %s failed", - target_user, client_name, cmd ); - - }else{ - fprintf(stderr, - "Account %s: authorization of %s failed\n", - target_user, client_name); - syslog(LOG_WARNING, - "Account %s: authorization of %s failed", - target_user, client_name); - - } - - sweep_up(ksu_context, cc_target); - exit(1); - } - } - - if( some_rest_copy){ - if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){ - com_err(prog_name,retval,"while calling cc_filter"); - sweep_up(ksu_context, cc_target); - exit(1); - } - } - + if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) { + com_err (prog_name, retval, "When unparsing name"); + sweep_up(ksu_context, cc_target); + exit(1); + } + + print_status("Authenticated %s\n", client_name); + syslog(LOG_NOTICE,"'%s %s' authenticated %s for %s%s", + prog_name,target_user,client_name, + source_user,ontty()); + + /* Run authorization as target.*/ + if (krb5_seteuid(target_uid)) { + com_err(prog_name, errno, "while switching to target for authorization check"); + sweep_up(ksu_context, cc_target); + exit(1); + } + + if ((retval = krb5_authorization(ksu_context, client,target_user, + cmd, &authorization_val, &exec_cmd))){ + com_err(prog_name,retval,"while checking authorization"); + krb5_seteuid(0); /*So we have some chance of sweeping up*/ + sweep_up(ksu_context, cc_target); + exit(1); + } + + if (krb5_seteuid(0)) { + com_err(prog_name, errno, "while switching back from target after authorization check"); + sweep_up(ksu_context, cc_target); + exit(1); + } + if (authorization_val == TRUE){ + + if (cmd) { + print_status( + "Account %s: authorization for %s for execution of\n", + target_user, client_name); + print_status(" %s successful\n",exec_cmd); + syslog(LOG_NOTICE, + "Account %s: authorization for %s for execution of %s successful", + target_user, client_name, exec_cmd); + + }else{ + print_status( + "Account %s: authorization for %s successful\n", + target_user, client_name); + syslog(LOG_NOTICE, + "Account %s: authorization for %s successful", + target_user, client_name); + } + }else { + if (cmd){ + if (exec_cmd){ /* was used to pass back the error msg */ + fprintf(stderr, "%s", exec_cmd ); + syslog(LOG_WARNING, "%s",exec_cmd); + } + fprintf(stderr, + "Account %s: authorization for %s for execution of %s failed\n", + target_user, client_name, cmd ); + syslog(LOG_WARNING, + "Account %s: authorization for %s for execution of %s failed", + target_user, client_name, cmd ); + + }else{ + fprintf(stderr, + "Account %s: authorization of %s failed\n", + target_user, client_name); + syslog(LOG_WARNING, + "Account %s: authorization of %s failed", + target_user, client_name); + + } + + sweep_up(ksu_context, cc_target); + exit(1); + } + } + + if( some_rest_copy){ + if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){ + com_err(prog_name,retval,"while calling cc_filter"); + sweep_up(ksu_context, cc_target); + exit(1); + } + } + if (all_rest_copy){ - if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){ - com_err(prog_name, retval, - "while erasing target cache"); - exit(1); - } - - } - - /* get the shell of the user, this will be the shell used by su */ + if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){ + com_err(prog_name, retval, + "while erasing target cache"); + exit(1); + } + + } + + /* get the shell of the user, this will be the shell used by su */ target_pwd = getpwnam(target_user); - + if (target_pwd->pw_shell) - shell = xstrdup(target_pwd->pw_shell); + shell = xstrdup(target_pwd->pw_shell); else { - shell = _DEF_CSH; /* default is cshell */ + shell = _DEF_CSH; /* default is cshell */ } - + #ifdef HAVE_GETUSERSHELL - - /* insist that the target login uses a standard shell (root is omited) */ - + + /* insist that the target login uses a standard shell (root is omited) */ + if (!standard_shell(target_pwd->pw_shell) && source_uid) { - fprintf(stderr, "ksu: permission denied (shell).\n"); - sweep_up(ksu_context, cc_target); - exit(1); + fprintf(stderr, "ksu: permission denied (shell).\n"); + sweep_up(ksu_context, cc_target); + exit(1); } #endif /* HAVE_GETUSERSHELL */ - + if (target_pwd->pw_uid){ - - if(set_env_var("USER", target_pwd->pw_name)){ - fprintf(stderr,"ksu: couldn't set environment variable USER\n"); - sweep_up(ksu_context, cc_target); - exit(1); - } - } - + + if(set_env_var("USER", target_pwd->pw_name)){ + fprintf(stderr,"ksu: couldn't set environment variable USER\n"); + sweep_up(ksu_context, cc_target); + exit(1); + } + } + if(set_env_var( "HOME", target_pwd->pw_dir)){ - fprintf(stderr,"ksu: couldn't set environment variable USER\n"); - sweep_up(ksu_context, cc_target); - exit(1); - } - + fprintf(stderr,"ksu: couldn't set environment variable USER\n"); + sweep_up(ksu_context, cc_target); + exit(1); + } + if(set_env_var( "SHELL", shell)){ - fprintf(stderr,"ksu: couldn't set environment variable USER\n"); - sweep_up(ksu_context, cc_target); - exit(1); - } - - /* set the cc env name to target */ - + fprintf(stderr,"ksu: couldn't set environment variable USER\n"); + sweep_up(ksu_context, cc_target); + exit(1); + } + + /* set the cc env name to target */ + if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){ - fprintf(stderr,"ksu: couldn't set environment variable %s\n", - KRB5_ENV_CCNAME); - sweep_up(ksu_context, cc_target); - exit(1); - } - + fprintf(stderr,"ksu: couldn't set environment variable %s\n", + KRB5_ENV_CCNAME); + sweep_up(ksu_context, cc_target); + exit(1); + } + /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { - perror("ksu: setgid"); - sweep_up(ksu_context, cc_target); - exit(1); + perror("ksu: setgid"); + sweep_up(ksu_context, cc_target); + exit(1); } - - + + if (initgroups(target_user, target_pwd->pw_gid)) { - fprintf(stderr, "ksu: initgroups failed.\n"); - sweep_up(ksu_context, cc_target); - exit(1); - } - - if ( ! strcmp(target_user, source_user)){ - print_status("Leaving uid as %s (%ld)\n", - target_user, (long) target_pwd->pw_uid); + fprintf(stderr, "ksu: initgroups failed.\n"); + sweep_up(ksu_context, cc_target); + exit(1); + } + + if ( ! strcmp(target_user, source_user)){ + print_status("Leaving uid as %s (%ld)\n", + target_user, (long) target_pwd->pw_uid); }else{ - print_status("Changing uid to %s (%ld)\n", - target_user, (long) target_pwd->pw_uid); + print_status("Changing uid to %s (%ld)\n", + target_user, (long) target_pwd->pw_uid); } - -#ifdef HAVE_SETLUID + +#ifdef HAVE_SETLUID /* * If we're on a system which keeps track of login uids, then * set the login uid. If this fails this opens up a problem on DEC OSF * with C2 enabled. */ if (setluid((uid_t) pwd->pw_uid) < 0) { - perror("setluid"); - sweep_up(ksu_context, cc_target); - exit(1); + perror("setluid"); + sweep_up(ksu_context, cc_target); + exit(1); } -#endif /* HAVE_SETLUID */ - +#endif /* HAVE_SETLUID */ + if (setuid(target_pwd->pw_uid) < 0) { - perror("ksu: setuid"); - sweep_up(ksu_context, cc_target); - exit(1); - } - + perror("ksu: setuid"); + sweep_up(ksu_context, cc_target); + exit(1); + } + if (access( cc_target_tag_tmp, R_OK | W_OK )){ - com_err(prog_name, errno, - "%s does not have correct permissions for %s, %s aborted", - target_user, cc_target_tag_tmp, prog_name); - exit(1); + com_err(prog_name, errno, + "%s does not have correct permissions for %s, %s aborted", + target_user, cc_target_tag_tmp, prog_name); + exit(1); } - + if ( cc_source) - krb5_cc_close(ksu_context, cc_source); - + krb5_cc_close(ksu_context, cc_source); + if (cmd){ - if ((source_uid == 0) || (source_uid == target_uid )){ - exec_cmd = cmd; - } - - if( !exec_cmd){ - fprintf(stderr, - "Internal error: command %s did not get resolved\n",cmd); - exit(1); - } - - params[0] = exec_cmd; + if ((source_uid == 0) || (source_uid == target_uid )){ + exec_cmd = cmd; + } + + if( !exec_cmd){ + fprintf(stderr, + "Internal error: command %s did not get resolved\n",cmd); + exit(1); + } + + params[0] = exec_cmd; } else{ - params[0] = shell; + params[0] = shell; } - - if (auth_debug){ - fprintf(stderr, "program to be execed %s\n",params[0]); + + if (auth_debug){ + fprintf(stderr, "program to be execed %s\n",params[0]); } - + if( keep_target_cache ) { - execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", - params[0]); - sweep_up(ksu_context, cc_target); - exit(1); + execv(params[0], params); + com_err(prog_name, errno, "while trying to execv %s", + params[0]); + sweep_up(ksu_context, cc_target); + exit(1); }else{ - statusp = 1; - switch ((child_pid = fork())) { - default: - if (auth_debug){ - printf(" The child pid is %ld\n", (long) child_pid); - printf(" The parent pid is %ld\n", (long) getpid()); - } + statusp = 1; + switch ((child_pid = fork())) { + default: + if (auth_debug){ + printf(" The child pid is %ld\n", (long) child_pid); + printf(" The parent pid is %ld\n", (long) getpid()); + } while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) { - if (WIFSTOPPED(statusp)) { - child_pgrp = tcgetpgrp(1); - kill(getpid(), SIGSTOP); - tcsetpgrp(1, child_pgrp); - kill(child_pid, SIGCONT); - statusp = 1; - continue; - } - break; + if (WIFSTOPPED(statusp)) { + child_pgrp = tcgetpgrp(1); + kill(getpid(), SIGSTOP); + tcsetpgrp(1, child_pgrp); + kill(child_pid, SIGCONT); + statusp = 1; + continue; + } + break; + } + if (auth_debug){ + printf("The exit status of the child is %d\n", statusp); + } + if (ret_pid == -1) { + com_err(prog_name, errno, "while calling waitpid"); } - if (auth_debug){ - printf("The exit status of the child is %d\n", statusp); - } - if (ret_pid == -1) { - com_err(prog_name, errno, "while calling waitpid"); - } - sweep_up(ksu_context, cc_target); - exit (statusp); - case -1: - com_err(prog_name, errno, "while trying to fork."); - sweep_up(ksu_context, cc_target); - exit (1); - case 0: - execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", params[0]); - exit (1); - } + sweep_up(ksu_context, cc_target); + exit (statusp); + case -1: + com_err(prog_name, errno, "while trying to fork."); + sweep_up(ksu_context, cc_target); + exit (1); + case 0: + execv(params[0], params); + com_err(prog_name, errno, "while trying to execv %s", params[0]); + exit (1); + } } } #ifdef HAVE_GETUSERSHELL int standard_shell(sh) -char *sh; + char *sh; { register char *cp; char *getusershell(); - + while ((cp = getusershell()) != NULL) - if (!strcmp(cp, sh)) - return (1); - return (0); + if (!strcmp(cp, sh)) + return (1); + return (0); } - + #endif /* HAVE_GETUSERSHELL */ static char * ontty() @@ -857,14 +858,14 @@ static char * ontty() char *p, *ttyname(); static char buf[MAXPATHLEN + 5]; int result; - + buf[0] = 0; if ((p = ttyname(STDERR_FILENO))) { - result = snprintf(buf, sizeof(buf), " on %s", p); - if (SNPRINTF_OVERFLOW(result, sizeof(buf))) { - fprintf (stderr, "terminal name %s too long\n", p); - exit (1); - } + result = snprintf(buf, sizeof(buf), " on %s", p); + if (SNPRINTF_OVERFLOW(result, sizeof(buf))) { + fprintf (stderr, "terminal name %s too long\n", p); + exit (1); + } } return (buf); } @@ -875,33 +876,33 @@ static int set_env_var(name, value) char *value; { char * env_var_buf; - - asprintf(&env_var_buf,"%s=%s",name, value); + + asprintf(&env_var_buf,"%s=%s",name, value); return putenv(env_var_buf); - + } static void sweep_up(context, cc) krb5_context context; krb5_ccache cc; { - krb5_error_code retval; + krb5_error_code retval; const char * cc_name; struct stat st_temp; krb5_seteuid(0); if (krb5_seteuid(target_uid) < 0) { - com_err(prog_name, errno, - "while changing to target uid for destroying ccache"); - exit(1); + com_err(prog_name, errno, + "while changing to target uid for destroying ccache"); + exit(1); } cc_name = krb5_cc_get_name(context, cc); if ( ! stat(cc_name, &st_temp)){ - if ((retval = krb5_cc_destroy(context, cc))){ - com_err(prog_name, retval, - "while destroying cache"); - } + if ((retval = krb5_cc_destroy(context, cc))){ + com_err(prog_name, retval, + "while destroying cache"); + } } } @@ -926,16 +927,16 @@ get_params(optindex, pargc, pargv, params) int i,j; char ** ret_params; int size = pargc - *optindex + 2; - + if ((ret_params = (char **) calloc(size, sizeof (char *)))== NULL ){ - return ENOMEM; + return ENOMEM; } - + for (i = *optindex, j=1; i < pargc; i++,j++){ - ret_params[j] = pargv[i]; - *optindex = *optindex + 1; + ret_params[j] = pargv[i]; + *optindex = *optindex + 1; } - + ret_params[size-1] = NULL; *params = ret_params; return 0; @@ -945,8 +946,8 @@ static #ifdef HAVE_STDARG_H void print_status( const char *fmt, ...) #else -void print_status (va_alist) - va_dcl + void print_status (va_alist) + va_dcl #endif { va_list ap; @@ -958,9 +959,9 @@ void print_status (va_alist) va_end(ap); #else if (! quiet){ - va_start(ap, fmt); - vfprintf(stderr, fmt, ap); - va_end(ap); + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); } #endif } @@ -969,20 +970,20 @@ void print_status (va_alist) char *get_dir_of_file(path) const char *path; { - char * temp_path; + char * temp_path; char * ptr; temp_path = xstrdup(path); - + if ((ptr = strrchr( temp_path, '/'))) { - *ptr = '\0'; + *ptr = '\0'; } else { - free (temp_path); - temp_path = xmalloc(MAXPATHLEN); - if (temp_path) - getcwd(temp_path, MAXPATHLEN); + free (temp_path); + temp_path = xmalloc(MAXPATHLEN); + if (temp_path) + getcwd(temp_path, MAXPATHLEN); } - return temp_path; + return temp_path; } krb5_error_code @@ -992,7 +993,7 @@ ksu_tgtname(context, server, client, tgtprinc) krb5_principal *tgtprinc; { return krb5_build_principal_ext(context, tgtprinc, client->length, client->data, - KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, - server->length, server->data, - 0); + KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, + server->length, server->data, + 0); } diff --git a/src/clients/ksu/setenv.c b/src/clients/ksu/setenv.c index 056a478e5..6e8710df6 100644 --- a/src/clients/ksu/setenv.c +++ b/src/clients/ksu/setenv.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 1987 Regents of the University of California. * All rights reserved. @@ -15,7 +16,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -/* based on @(#)setenv.c 5.2 (Berkeley) 6/27/88 */ +/* based on @(#)setenv.c 5.2 (Berkeley) 6/27/88 */ #include #include @@ -33,81 +34,81 @@ extern void unsetenv(char *); /* * setenv -- - * Set the value of the environmental variable "name" to be - * "value". If rewrite is set, replace any current value. + * Set the value of the environmental variable "name" to be + * "value". If rewrite is set, replace any current value. */ #ifndef HAVE_SETENV int setenv(name, value, rewrite) - register char *name, *value; - int rewrite; + register char *name, *value; + int rewrite; { - extern char **environ; - static int alloced; /* if allocated space before */ - register char *C; - int l_value, offset; + extern char **environ; + static int alloced; /* if allocated space before */ + register char *C; + int l_value, offset; - if (*value == '=') /* no `=' in value */ - ++value; - l_value = strlen(value); - if ((C = _findenv(name, &offset))) { /* find if already exists */ - if (!rewrite) - return(0); - if (strlen(C) >= l_value) { /* old larger; copy over */ - while ((*C++ = *value++)); - return(0); - } - } - else { /* create new slot */ - register int cnt; - register char **P; + if (*value == '=') /* no `=' in value */ + ++value; + l_value = strlen(value); + if ((C = _findenv(name, &offset))) { /* find if already exists */ + if (!rewrite) + return(0); + if (strlen(C) >= l_value) { /* old larger; copy over */ + while ((*C++ = *value++)); + return(0); + } + } + else { /* create new slot */ + register int cnt; + register char **P; - for (P = environ, cnt = 0; *P; ++P, ++cnt); - if (alloced) { /* just increase size */ - environ = (char **)realloc((char *)environ, - (u_int)(sizeof(char *) * (cnt + 2))); - if (!environ) - return(-1); - } - else { /* get new space */ - alloced = 1; /* copy old entries into it */ - P = (char **)malloc((u_int)(sizeof(char *) * - (cnt + 2))); - if (!P) - return(-1); - memcpy(P, environ, cnt * sizeof(char *)); - environ = P; - } - environ[cnt + 1] = NULL; - offset = cnt; - } - for (C = name; *C && *C != '='; ++C); /* no `=' in name */ - if (!(environ[offset] = /* name + `=' + value */ - malloc((u_int)((int)(C - name) + l_value + 2)))) - return(-1); - for (C = environ[offset]; (*C = *name++) &&( *C != '='); ++C); - for (*C++ = '='; (*C++ = *value++) != NULL;); - return(0); + for (P = environ, cnt = 0; *P; ++P, ++cnt); + if (alloced) { /* just increase size */ + environ = (char **)realloc((char *)environ, + (u_int)(sizeof(char *) * (cnt + 2))); + if (!environ) + return(-1); + } + else { /* get new space */ + alloced = 1; /* copy old entries into it */ + P = (char **)malloc((u_int)(sizeof(char *) * + (cnt + 2))); + if (!P) + return(-1); + memcpy(P, environ, cnt * sizeof(char *)); + environ = P; + } + environ[cnt + 1] = NULL; + offset = cnt; + } + for (C = name; *C && *C != '='; ++C); /* no `=' in name */ + if (!(environ[offset] = /* name + `=' + value */ + malloc((u_int)((int)(C - name) + l_value + 2)))) + return(-1); + for (C = environ[offset]; (*C = *name++) &&( *C != '='); ++C); + for (*C++ = '='; (*C++ = *value++) != NULL;); + return(0); } #endif /* * unsetenv(name) -- - * Delete environmental variable "name". + * Delete environmental variable "name". */ #ifndef HAVE_UNSETENV void unsetenv(name) - char *name; + char *name; { - extern char **environ; - register char **P; - int offset; + extern char **environ; + register char **P; + int offset; - while (_findenv(name, &offset)) /* if set multiple times */ - for (P = &environ[offset];; ++P) - if (!(*P = *(P + 1))) - break; + while (_findenv(name, &offset)) /* if set multiple times */ + for (P = &environ[offset];; ++P) + if (!(*P = *(P + 1))) + break; } #endif /* @@ -127,46 +128,46 @@ unsetenv(name) * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -/* based on @(#)getenv.c 5.5 (Berkeley) 6/27/88 */ +/* based on @(#)getenv.c 5.5 (Berkeley) 6/27/88 */ /* * getenv -- - * Returns ptr to value associated with name, if any, else NULL. + * Returns ptr to value associated with name, if any, else NULL. */ #ifndef HAVE_GETENV char * getenv(name) - char *name; + char *name; { - int offset; + int offset; - return(_findenv(name, &offset)); + return(_findenv(name, &offset)); } #endif /* * _findenv -- - * Returns pointer to value associated with name, if any, else NULL. - * Sets offset to be the offset of the name/value combination in the - * environmental array, for use by setenv(3) and unsetenv(3). - * Explicitly removes '=' in argument name. + * Returns pointer to value associated with name, if any, else NULL. + * Sets offset to be the offset of the name/value combination in the + * environmental array, for use by setenv(3) and unsetenv(3). + * Explicitly removes '=' in argument name. * */ static char * _findenv(name, offset) - register char *name; - int *offset; + register char *name; + int *offset; { - extern char **environ; - register int len; - register char **P, *C; + extern char **environ; + register int len; + register char **P, *C; - for (C = name, len = 0; *C && *C != '='; ++C, ++len); - for (P = environ; *P; ++P) - if (!strncmp(*P, name, len)) - if (*(C = *P + len) == '=') { - *offset = P - environ; - return(++C); - } - return(NULL); + for (C = name, len = 0; *C && *C != '='; ++C, ++len); + for (P = environ; *P; ++P) + if (!strncmp(*P, name, len)) + if (*(C = *P + len) == '=') { + *offset = P - environ; + return(++C); + } + return(NULL); } diff --git a/src/clients/ksu/xmalloc.c b/src/clients/ksu/xmalloc.c index 44bdca16d..f88c0a652 100644 --- a/src/clients/ksu/xmalloc.c +++ b/src/clients/ksu/xmalloc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * clients/ksu/xmalloc.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Perform simple allocation/copy operations, exiting on failure. */ @@ -35,8 +36,8 @@ void *xmalloc (size_t sz) { void *ret = malloc (sz); if (ret == 0 && sz != 0) { - perror (prog_name); - exit (1); + perror (prog_name); + exit (1); } return ret; } @@ -45,8 +46,8 @@ void *xrealloc (void *old, size_t newsz) { void *ret = realloc (old, newsz); if (ret == 0 && newsz != 0) { - perror (prog_name); - exit (1); + perror (prog_name); + exit (1); } return ret; } @@ -55,8 +56,8 @@ void *xcalloc (size_t nelts, size_t eltsz) { void *ret = calloc (nelts, eltsz); if (ret == 0 && nelts != 0 && eltsz != 0) { - perror (prog_name); - exit (1); + perror (prog_name); + exit (1); } return ret; } @@ -76,8 +77,8 @@ char *xasprintf (const char *format, ...) va_start (args, format); if (vasprintf(&out, format, args) < 0) { - perror (prog_name); - exit (1); + perror (prog_name); + exit (1); } va_end(args); return out; diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c index 58702525f..3f01b0eb9 100644 --- a/src/clients/kvno/kvno.c +++ b/src/clients/kvno/kvno.c @@ -1,13 +1,14 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +19,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -47,14 +48,14 @@ static void xusage() int quiet = 0; -static void do_v5_kvno (int argc, char *argv[], +static void do_v5_kvno (int argc, char *argv[], char *ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon, int unknown, - char *for_user, int proxy); + char *sname, int canon, int unknown, + char *for_user, int proxy); #include static void extended_com_err_fn (const char *, errcode_t, const char *, - va_list); + va_list); int main(int argc, char *argv[]) { @@ -70,76 +71,76 @@ int main(int argc, char *argv[]) prog = prog ? (prog + 1) : argv[0]; while ((option = getopt(argc, argv, "uCc:e:hk:qPS:U:")) != -1) { - switch (option) { - case 'C': - canon = 1; - break; - case 'c': - ccachestr = optarg; - break; - case 'e': - etypestr = optarg; - break; - case 'h': - xusage(); - break; - case 'k': - keytab_name = optarg; - break; - case 'q': - quiet = 1; - break; - case 'P': - proxy = 1; /* S4U2Proxy - constrained delegation */ - break; - case 'S': - sname = optarg; - if (unknown == 1){ + switch (option) { + case 'C': + canon = 1; + break; + case 'c': + ccachestr = optarg; + break; + case 'e': + etypestr = optarg; + break; + case 'h': + xusage(); + break; + case 'k': + keytab_name = optarg; + break; + case 'q': + quiet = 1; + break; + case 'P': + proxy = 1; /* S4U2Proxy - constrained delegation */ + break; + case 'S': + sname = optarg; + if (unknown == 1){ fprintf(stderr, "Options -u and -S are mutually exclusive\n"); - xusage(); + xusage(); } - break; + break; case 'u': unknown = 1; - if (sname){ + if (sname){ fprintf(stderr, "Options -u and -S are mutually exclusive\n"); - xusage(); + xusage(); } break; - case 'U': - for_user = optarg; /* S4U2Self - protocol transition */ - break; - default: - xusage(); - break; - } + case 'U': + for_user = optarg; /* S4U2Self - protocol transition */ + break; + default: + xusage(); + break; + } } if (proxy) { - if (keytab_name == NULL) { - fprintf(stderr, "Option -P (constrained delegation) " - "requires keytab to be specified\n"); - xusage(); - } else if (for_user == NULL) { - fprintf(stderr, "Option -P (constrained delegation) requires " - "option -U (protocol transition)\n"); - xusage(); - } + if (keytab_name == NULL) { + fprintf(stderr, "Option -P (constrained delegation) " + "requires keytab to be specified\n"); + xusage(); + } else if (for_user == NULL) { + fprintf(stderr, "Option -P (constrained delegation) requires " + "option -U (protocol transition)\n"); + xusage(); + } } if ((argc - optind) < 1) - xusage(); + xusage(); - do_v5_kvno(argc - optind, argv + optind, - ccachestr, etypestr, keytab_name, sname, - canon, unknown, for_user, proxy); + do_v5_kvno(argc - optind, argv + optind, + ccachestr, etypestr, keytab_name, sname, + canon, unknown, for_user, proxy); return 0; } #include static krb5_context context; static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) + const char *fmt, va_list args) { const char *emsg; emsg = krb5_get_error_message (context, code); @@ -149,10 +150,10 @@ static void extended_com_err_fn (const char *myprog, errcode_t code, fprintf (stderr, "\n"); } -static void do_v5_kvno (int count, char *names[], +static void do_v5_kvno (int count, char *names[], char * ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon, int unknown, char *for_user, - int proxy) + char *sname, int canon, int unknown, char *for_user, + int proxy) { krb5_error_code ret; int i, errors; @@ -166,18 +167,18 @@ static void do_v5_kvno (int count, char *names[], ret = krb5_init_context(&context); if (ret) { - com_err(prog, ret, "while initializing krb5 library"); - exit(1); + com_err(prog, ret, "while initializing krb5 library"); + exit(1); } if (etypestr) { ret = krb5_string_to_enctype(etypestr, &etype); - if (ret) { - com_err(prog, ret, "while converting etype"); - exit(1); - } + if (ret) { + com_err(prog, ret, "while converting etype"); + exit(1); + } } else { - etype = 0; + etype = 0; } if (ccachestr) @@ -185,166 +186,166 @@ static void do_v5_kvno (int count, char *names[], else ret = krb5_cc_default(context, &ccache); if (ret) { - com_err(prog, ret, "while opening ccache"); - exit(1); + com_err(prog, ret, "while opening ccache"); + exit(1); } if (keytab_name) { - ret = krb5_kt_resolve(context, keytab_name, &keytab); - if (ret) { - com_err(prog, ret, "resolving keytab %s", keytab_name); - exit(1); - } + ret = krb5_kt_resolve(context, keytab_name, &keytab); + if (ret) { + com_err(prog, ret, "resolving keytab %s", keytab_name); + exit(1); + } } if (for_user) { - ret = krb5_parse_name_flags(context, for_user, - KRB5_PRINCIPAL_PARSE_ENTERPRISE, - &for_user_princ); - if (ret) { - com_err(prog, ret, "while parsing principal name %s", for_user); - exit(1); - } + ret = krb5_parse_name_flags(context, for_user, + KRB5_PRINCIPAL_PARSE_ENTERPRISE, + &for_user_princ); + if (ret) { + com_err(prog, ret, "while parsing principal name %s", for_user); + exit(1); + } } ret = krb5_cc_get_principal(context, ccache, &me); if (ret) { - com_err(prog, ret, "while getting client principal name"); - exit(1); + com_err(prog, ret, "while getting client principal name"); + exit(1); } errors = 0; options = 0; if (canon) - options |= KRB5_GC_CANONICALIZE; + options |= KRB5_GC_CANONICALIZE; for (i = 0; i < count; i++) { - krb5_principal server = NULL; - krb5_ticket *ticket = NULL; - krb5_creds *out_creds = NULL; - char *princ = NULL; - - memset(&in_creds, 0, sizeof(in_creds)); - - if (sname != NULL) { - ret = krb5_sname_to_principal(context, names[i], - sname, KRB5_NT_SRV_HST, - &server); - } else { - ret = krb5_parse_name(context, names[i], &server); - } - if (ret) { - if (!quiet) - com_err(prog, ret, "while parsing principal name %s", names[i]); - goto error; - } + krb5_principal server = NULL; + krb5_ticket *ticket = NULL; + krb5_creds *out_creds = NULL; + char *princ = NULL; + + memset(&in_creds, 0, sizeof(in_creds)); + + if (sname != NULL) { + ret = krb5_sname_to_principal(context, names[i], + sname, KRB5_NT_SRV_HST, + &server); + } else { + ret = krb5_parse_name(context, names[i], &server); + } + if (ret) { + if (!quiet) + com_err(prog, ret, "while parsing principal name %s", names[i]); + goto error; + } if (unknown == 1) { krb5_princ_type(context, server) = KRB5_NT_UNKNOWN; } - ret = krb5_unparse_name(context, server, &princ); - if (ret) { - com_err(prog, ret, - "while formatting parsed principal name for '%s'", - names[i]); - goto error; - } - - in_creds.keyblock.enctype = etype; - - if (for_user) { - if (!proxy && - !krb5_principal_compare(context, me, server)) { - com_err(prog, EINVAL, - "client and server principal names must match"); - goto error; - } - - in_creds.client = for_user_princ; - in_creds.server = me; - - ret = krb5_get_credentials_for_user(context, options, ccache, - &in_creds, NULL, &out_creds); - } else { - in_creds.client = me; - in_creds.server = server; - ret = krb5_get_credentials(context, options, ccache, - &in_creds, &out_creds); - } - - if (ret) { - com_err(prog, ret, "while getting credentials for %s", princ); - goto error; - } - - /* we need a native ticket */ - ret = krb5_decode_ticket(&out_creds->ticket, &ticket); - if (ret) { - com_err(prog, ret, "while decoding ticket for %s", princ); - goto error; - } - - if (keytab) { - ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket); - if (ret) { - if (!quiet) { - fprintf(stderr, "%s: kvno = %d, keytab entry invalid\n", - princ, ticket->enc_part.kvno); - } - com_err(prog, ret, "while decrypting ticket for %s", princ); - goto error; - } - if (!quiet) - printf("%s: kvno = %d, keytab entry valid\n", - princ, ticket->enc_part.kvno); - if (proxy) { - krb5_free_creds(context, out_creds); - out_creds = NULL; - - in_creds.client = ticket->enc_part2->client; - in_creds.server = server; - - ret = krb5_get_credentials_for_proxy(context, - KRB5_GC_CANONICALIZE, - ccache, - &in_creds, - ticket, - &out_creds); - if (ret) { - com_err(prog, ret, - "%s: constrained delegation failed", princ); - goto error; - } - } - } else { - if (!quiet) - printf("%s: kvno = %d\n", princ, ticket->enc_part.kvno); - } - - continue; - -error: - if (server != NULL) - krb5_free_principal(context, server); - if (ticket != NULL) - krb5_free_ticket(context, ticket); - if (out_creds != NULL) - krb5_free_creds(context, out_creds); - if (princ != NULL) - krb5_free_unparsed_name(context, princ); - errors++; + ret = krb5_unparse_name(context, server, &princ); + if (ret) { + com_err(prog, ret, + "while formatting parsed principal name for '%s'", + names[i]); + goto error; + } + + in_creds.keyblock.enctype = etype; + + if (for_user) { + if (!proxy && + !krb5_principal_compare(context, me, server)) { + com_err(prog, EINVAL, + "client and server principal names must match"); + goto error; + } + + in_creds.client = for_user_princ; + in_creds.server = me; + + ret = krb5_get_credentials_for_user(context, options, ccache, + &in_creds, NULL, &out_creds); + } else { + in_creds.client = me; + in_creds.server = server; + ret = krb5_get_credentials(context, options, ccache, + &in_creds, &out_creds); + } + + if (ret) { + com_err(prog, ret, "while getting credentials for %s", princ); + goto error; + } + + /* we need a native ticket */ + ret = krb5_decode_ticket(&out_creds->ticket, &ticket); + if (ret) { + com_err(prog, ret, "while decoding ticket for %s", princ); + goto error; + } + + if (keytab) { + ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket); + if (ret) { + if (!quiet) { + fprintf(stderr, "%s: kvno = %d, keytab entry invalid\n", + princ, ticket->enc_part.kvno); + } + com_err(prog, ret, "while decrypting ticket for %s", princ); + goto error; + } + if (!quiet) + printf("%s: kvno = %d, keytab entry valid\n", + princ, ticket->enc_part.kvno); + if (proxy) { + krb5_free_creds(context, out_creds); + out_creds = NULL; + + in_creds.client = ticket->enc_part2->client; + in_creds.server = server; + + ret = krb5_get_credentials_for_proxy(context, + KRB5_GC_CANONICALIZE, + ccache, + &in_creds, + ticket, + &out_creds); + if (ret) { + com_err(prog, ret, + "%s: constrained delegation failed", princ); + goto error; + } + } + } else { + if (!quiet) + printf("%s: kvno = %d\n", princ, ticket->enc_part.kvno); + } + + continue; + + error: + if (server != NULL) + krb5_free_principal(context, server); + if (ticket != NULL) + krb5_free_ticket(context, ticket); + if (out_creds != NULL) + krb5_free_creds(context, out_creds); + if (princ != NULL) + krb5_free_unparsed_name(context, princ); + errors++; } if (keytab) - krb5_kt_close(context, keytab); + krb5_kt_close(context, keytab); krb5_free_principal(context, me); krb5_free_principal(context, for_user_princ); krb5_cc_close(context, ccache); krb5_free_context(context); if (errors) - exit(1); + exit(1); exit(0); } diff --git a/src/include/CredentialsCache.h b/src/include/CredentialsCache.h index cd573e710..656b43625 100644 --- a/src/include/CredentialsCache.h +++ b/src/include/CredentialsCache.h @@ -23,7 +23,7 @@ * this software for any purpose. It is provided "as is" without express * or implied warranty. */ - + #ifndef __CREDENTIALSCACHE__ #define __CREDENTIALSCACHE__ @@ -35,7 +35,7 @@ * The object for kCCAPICacheCollectionChangedNotification is NULL. * The object for kCCAPICCacheChangedNotification is a CFString containing the * name of the ccache. - * + * * Note: Notifications are not sent if the CCacheServer crashes. */ #define kCCAPICacheCollectionChangedNotification CFSTR ("CCAPICacheCollectionChangedNotification") #define kCCAPICCacheChangedNotification CFSTR ("CCAPICCacheChangedNotification") @@ -54,7 +54,7 @@ extern "C" { #if TARGET_OS_MAC #pragma pack(push,2) -#endif +#endif #if defined(_WIN32) #define CCACHE_API __declspec(dllexport) @@ -64,7 +64,7 @@ extern "C" { #error time_t has been defined as a 64-bit integer which is incompatible with Kerberos on this platform. #endif /* _TIME_T_DEFINED */ #define _USE_32BIT_TIME_T -#endif +#endif #else #define CCACHE_API #endif @@ -100,89 +100,89 @@ extern "C" { * * \li \ref cc_string_reference * \li \ref cc_string_f "cc_string_t Functions" - * + * * \section introduction Introduction * - * This is the specification for an API which provides Credentials Cache - * services for both Kerberos v5 and v4. The idea behind this API is that - * multiple Kerberos implementations can share a single collection of - * credentials caches, mediated by this API specification. On the Mac OS - * and Microsoft Windows platforms this will allow single-login, even when + * This is the specification for an API which provides Credentials Cache + * services for both Kerberos v5 and v4. The idea behind this API is that + * multiple Kerberos implementations can share a single collection of + * credentials caches, mediated by this API specification. On the Mac OS + * and Microsoft Windows platforms this will allow single-login, even when * more than one Kerberos shared library is in use on a particular system. * - * Abstractly, a credentials cache collection contains one or more credentials - * caches, or ccaches. A ccache is uniquely identified by its name, which is - * a string internal to the API and not intended to be presented to users. + * Abstractly, a credentials cache collection contains one or more credentials + * caches, or ccaches. A ccache is uniquely identified by its name, which is + * a string internal to the API and not intended to be presented to users. * The user presentable identifier of a ccache is its principal. * - * Unlike the previous versions of the API, version 3 of the API stores both + * Unlike the previous versions of the API, version 3 of the API stores both * Kerberos v4 and v5 credentials in the same ccache. * - * At any given time, one ccache is the "default" ccache. The exact meaning - * of a default ccache is OS-specific; refer to implementation requirements + * At any given time, one ccache is the "default" ccache. The exact meaning + * of a default ccache is OS-specific; refer to implementation requirements * for details. * * \section error_handling Error Handling * - * All functions of the API return some of the error constants listed FIXME; - * the exact list of error constants returned by any API function is provided + * All functions of the API return some of the error constants listed FIXME; + * the exact list of error constants returned by any API function is provided * in the function descriptions below. - * - * When returning an error constant other than ccNoError or ccIteratorEnd, API + * + * When returning an error constant other than ccNoError or ccIteratorEnd, API * functions never modify any of the values passed in by reference. * * \section synchronization_atomicity Synchronization and Atomicity - * + * * Every function in the API is atomic. In order to make a series of calls * atomic, callers should lock the ccache or cache collection they are working - * with to advise other callers not to modify that container. Note that - * advisory locks are per container so even if you have a read lock on the cache - * collection other callers can obtain write locks on ccaches in that cache + * with to advise other callers not to modify that container. Note that + * advisory locks are per container so even if you have a read lock on the cache + * collection other callers can obtain write locks on ccaches in that cache * collection. - * - * Note that iterators do not iterate over ccaches and credentials atomically - * because locking ccaches and the cache collection over every iteration would - * degrade performance considerably under high load. However, iterators do - * guarantee a consistent view of items they are iterating over. Iterators - * will never return duplicate entries or skip entries when items are removed - * or added to the container they are iterating over. - * + * + * Note that iterators do not iterate over ccaches and credentials atomically + * because locking ccaches and the cache collection over every iteration would + * degrade performance considerably under high load. However, iterators do + * guarantee a consistent view of items they are iterating over. Iterators + * will never return duplicate entries or skip entries when items are removed + * or added to the container they are iterating over. + * * An application can always lock a ccache or the cache collection to guarantee - * that other callers participating in the advisory locking system do not + * that other callers participating in the advisory locking system do not * modify the ccache or cache collection. - * + * * Implementations should not use copy-on-write techniques to implement locks - * because those techniques imply that same parts of the ccache collection - * remain visible to some callers even though they are not present in the - * collection, which is a potential security risk. For example, a copy-on-write - * technique might make a copy of the entire collection when a read lock is - * acquired, so as to allow the owner of the lock to access the collection in - * an apparently unmodified state, while also allowing others to make - * modifications to the collection. However, this would also enable the owner - * of the lock to indefinitely (until the expiration time) use credentials that + * because those techniques imply that same parts of the ccache collection + * remain visible to some callers even though they are not present in the + * collection, which is a potential security risk. For example, a copy-on-write + * technique might make a copy of the entire collection when a read lock is + * acquired, so as to allow the owner of the lock to access the collection in + * an apparently unmodified state, while also allowing others to make + * modifications to the collection. However, this would also enable the owner + * of the lock to indefinitely (until the expiration time) use credentials that * have actually been deleted from the collection. - * + * * \section memory_management Object Memory Management - * - * The lifetime of an object returned by the API is until release() is called - * for it. Releasing one object has no effect on existence of any other object. - * For example, a ccache obtained within a context continue to exist when the + * + * The lifetime of an object returned by the API is until release() is called + * for it. Releasing one object has no effect on existence of any other object. + * For example, a ccache obtained within a context continue to exist when the * context is released. - * - * Every object returned by the API (cc_context_t, cc_ccache_t, cc_ccache_iterator_t, - * cc_credentials_t, cc_credentials_iterator_t, cc_string_t) is owned by the - * caller of the API, and it is the responsibility of the caller to call release() + * + * Every object returned by the API (cc_context_t, cc_ccache_t, cc_ccache_iterator_t, + * cc_credentials_t, cc_credentials_iterator_t, cc_string_t) is owned by the + * caller of the API, and it is the responsibility of the caller to call release() * for every object to prevent memory leaks. - * + * * \section opaque_types Opaque Types - * - * All of the opaque high-level types in CCache API are implemented as structures - * of function pointers and private data. To perform some operation on a type, the - * caller of the API has to first obtain an instance of that type, and then call the - * appropriate function pointer from that instance. For example, to call - * get_change_time() on a cc_context_t, one would call cc_initialize() which creates + * + * All of the opaque high-level types in CCache API are implemented as structures + * of function pointers and private data. To perform some operation on a type, the + * caller of the API has to first obtain an instance of that type, and then call the + * appropriate function pointer from that instance. For example, to call + * get_change_time() on a cc_context_t, one would call cc_initialize() which creates * a new cc_context_t and then call its get_change_time(), like this: - * + * * \code * cc_context_t context; * cc_int32 err = cc_initialize (&context, ccapi_version_3, nil, nil); @@ -190,10 +190,10 @@ extern "C" { * time = context->functions->get_change_time (context) * \endcode * - * All API functions also have convenience preprocessor macros, which make the API - * seem completely function-based. For example, cc_context_get_change_time - * (context, time) is equivalent to context->functions->get_change_time - * (context, time). The convenience macros follow the following naming convention: + * All API functions also have convenience preprocessor macros, which make the API + * seem completely function-based. For example, cc_context_get_change_time + * (context, time) is equivalent to context->functions->get_change_time + * (context, time). The convenience macros follow the following naming convention: * * The API function some_function() * \code @@ -207,39 +207,39 @@ extern "C" { * result = cc_type_some_function (an_object, args) * \endcode * - * The specifications below include the names for both the functions and the - * convenience macros, in that order. For clarity, it is recommended that clients + * The specifications below include the names for both the functions and the + * convenience macros, in that order. For clarity, it is recommended that clients * using the API use the convenience macros, but that is merely a stylistic choice. * - * Implementing the API in this manner allows us to extend and change the interface + * Implementing the API in this manner allows us to extend and change the interface * in the future, while preserving compatibility with older clients. * - * For example, consider the case when the signature or the semantics of a cc_ccache_t - * function is changed. The API version number is incremented. The library - * implementation contains both a function with the old signature and semantics and - * a function with the new signature and semantics. When a context is created, the API - * version number used in that context is stored in the context, and therefore it can - * be used whenever a ccache is created in that context. When a ccache is created in a - * context with the old API version number, the function pointer structure for the - * ccache is filled with pointers to functions implementing the old semantics; when a - * ccache is created in a context with the new API version number, the function pointer - * structure for the ccache is filled with poitners to functions implementing the new + * For example, consider the case when the signature or the semantics of a cc_ccache_t + * function is changed. The API version number is incremented. The library + * implementation contains both a function with the old signature and semantics and + * a function with the new signature and semantics. When a context is created, the API + * version number used in that context is stored in the context, and therefore it can + * be used whenever a ccache is created in that context. When a ccache is created in a + * context with the old API version number, the function pointer structure for the + * ccache is filled with pointers to functions implementing the old semantics; when a + * ccache is created in a context with the new API version number, the function pointer + * structure for the ccache is filled with poitners to functions implementing the new * semantics. * - * Similarly, if a function is added to the API, the version number in the context can - * be used to decide whether to include the implementation of the new function in the + * Similarly, if a function is added to the API, the version number in the context can + * be used to decide whether to include the implementation of the new function in the * appropriate function pointer structure or not. */ - + /*! * \defgroup ccapi_constants_reference Constants * @{ */ - + /*! - * API version numbers + * API version numbers * - * These constants are passed into cc_initialize() to indicate the version + * These constants are passed into cc_initialize() to indicate the version * of the API the caller wants to use. * * CCAPI v1 and v2 are deprecated and should not be used. @@ -253,67 +253,67 @@ enum { ccapi_version_7 = 7, ccapi_version_max = ccapi_version_7 }; - -/*! - * Error codes + +/*! + * Error codes */ enum { - - ccNoError = 0, /*!< Success. */ - ccIteratorEnd = 201, /*!< Iterator is done iterating. */ + ccNoError = 0, /*!< Success. */ + + ccIteratorEnd = 201, /*!< Iterator is done iterating. */ ccErrBadParam, /*!< Bad parameter (NULL or invalid pointer where valid pointer expected). */ ccErrNoMem, /*!< Not enough memory to complete the operation. */ ccErrInvalidContext, /*!< Context is invalid (e.g., it was released). */ ccErrInvalidCCache, /*!< CCache is invalid (e.g., it was released or destroyed). */ /* 206 */ - ccErrInvalidString, /*!< String is invalid (e.g., it was released). */ + ccErrInvalidString, /*!< String is invalid (e.g., it was released). */ ccErrInvalidCredentials, /*!< Credentials are invalid (e.g., they were released), or they have a bad version. */ ccErrInvalidCCacheIterator, /*!< CCache iterator is invalid (e.g., it was released). */ ccErrInvalidCredentialsIterator, /*!< Credentials iterator is invalid (e.g., it was released). */ ccErrInvalidLock, /*!< Lock is invalid (e.g., it was released). */ /* 211 */ - ccErrBadName, /*!< Bad credential cache name format. */ + ccErrBadName, /*!< Bad credential cache name format. */ ccErrBadCredentialsVersion, /*!< Credentials version is invalid. */ ccErrBadAPIVersion, /*!< Unsupported API version. */ ccErrContextLocked, /*!< Context is already locked. */ ccErrContextUnlocked, /*!< Context is not locked by the caller. */ /* 216 */ - ccErrCCacheLocked, /*!< CCache is already locked. */ + ccErrCCacheLocked, /*!< CCache is already locked. */ ccErrCCacheUnlocked, /*!< CCache is not locked by the caller. */ ccErrBadLockType, /*!< Bad lock type. */ ccErrNeverDefault, /*!< CCache was never default. */ ccErrCredentialsNotFound, /*!< Matching credentials not found in the ccache. */ /* 221 */ - ccErrCCacheNotFound, /*!< Matching ccache not found in the collection. */ + ccErrCCacheNotFound, /*!< Matching ccache not found in the collection. */ ccErrContextNotFound, /*!< Matching cache collection not found. */ ccErrServerUnavailable, /*!< CCacheServer is unavailable. */ ccErrServerInsecure, /*!< CCacheServer has detected that it is running as the wrong user. */ ccErrServerCantBecomeUID, /*!< CCacheServer failed to start running as the user. */ - + /* 226 */ - ccErrTimeOffsetNotSet, /*!< KDC time offset not set for this ccache. */ + ccErrTimeOffsetNotSet, /*!< KDC time offset not set for this ccache. */ ccErrBadInternalMessage, /*!< The client and CCacheServer can't communicate (e.g., a version mismatch). */ ccErrNotImplemented, /*!< API function not supported by this implementation. */ ccErrClientNotFound /*!< CCacheServer has no record of the caller's process (e.g., the server crashed). */ }; -/*! - * Credentials versions +/*! + * Credentials versions * - * These constants are used in several places in the API to discern - * between Kerberos v4 and Kerberos v5. Not all values are valid - * inputs and outputs for all functions; function specifications + * These constants are used in several places in the API to discern + * between Kerberos v4 and Kerberos v5. Not all values are valid + * inputs and outputs for all functions; function specifications * below detail the allowed values. * - * Kerberos version constants will always be a bit-field, and can be + * Kerberos version constants will always be a bit-field, and can be * tested as such; for example the following test will tell you if * a ccacheVersion includes v5 credentials: - * + * * if ((ccacheVersion & cc_credentials_v5) != 0) */ enum cc_credential_versions { @@ -322,9 +322,9 @@ enum cc_credential_versions { cc_credentials_v4_v5 = 3 }; -/*! - * Lock types - * +/*! + * Lock types + * * These constants are used in the locking functions to describe the * type of lock requested. Note that all CCAPI locks are advisory * so only callers using the lock calls will be blocked by each other. @@ -338,14 +338,14 @@ enum cc_lock_types { cc_lock_downgrade = 3 }; -/*! - * Locking Modes +/*! + * Locking Modes * - * These constants are used in the advisory locking functions to - * describe whether or not the lock function should block waiting for - * a lock or return an error immediately. For example, attempting to - * acquire a lock with a non-blocking call will result in an error if the - * lock cannot be acquired; otherwise, the call will block until the lock + * These constants are used in the advisory locking functions to + * describe whether or not the lock function should block waiting for + * a lock or return an error immediately. For example, attempting to + * acquire a lock with a non-blocking call will result in an error if the + * lock cannot be acquired; otherwise, the call will block until the lock * can be acquired. */ enum cc_lock_modes { @@ -353,10 +353,10 @@ enum cc_lock_modes { cc_lock_block = 1 }; -/*! +/*! * Sizes of fields in cc_credentials_v4_t. */ -enum { +enum { /* Make sure all of these are multiples of four (for alignment sanity) */ cc_v4_name_size = 40, cc_v4_instance_size = 40, @@ -396,8 +396,8 @@ typedef int64_t cc_int64; /*! Signed 64-bit integer type */ typedef uint64_t cc_uint64; #endif -/*! - * The cc_time_t type is used to represent a time in seconds. The time must +/*! + * The cc_time_t type is used to represent a time in seconds. The time must * be stored as the number of seconds since midnight GMT on January 1, 1970. */ typedef cc_uint32 cc_time_t; @@ -407,10 +407,10 @@ typedef cc_uint32 cc_time_t; /*! * \defgroup cc_context_reference cc_context_t Overview * @{ - * - * The cc_context_t type gives the caller access to a ccache collection. - * Before being able to call any functions in the CCache API, the caller - * needs to acquire an instance of cc_context_t by calling cc_initialize(). + * + * The cc_context_t type gives the caller access to a ccache collection. + * Before being able to call any functions in the CCache API, the caller + * needs to acquire an instance of cc_context_t by calling cc_initialize(). * * For API function documentation see \ref cc_context_f. */ @@ -431,11 +431,11 @@ typedef cc_context_d *cc_context_t; /*! * \defgroup cc_ccache_reference cc_ccache_t Overview * @{ - * - * The cc_ccache_t type represents a reference to a ccache. - * Callers can access a ccache and the credentials stored in it - * via a cc_ccache_t. A cc_ccache_t can be acquired via - * cc_context_open_ccache(), cc_context_open_default_ccache(), or + * + * The cc_ccache_t type represents a reference to a ccache. + * Callers can access a ccache and the credentials stored in it + * via a cc_ccache_t. A cc_ccache_t can be acquired via + * cc_context_open_ccache(), cc_context_open_default_ccache(), or * cc_ccache_iterator_next(). * * For API function documentation see \ref cc_ccache_f. @@ -457,10 +457,10 @@ typedef cc_ccache_d *cc_ccache_t; /*! * \defgroup cc_ccache_iterator_reference cc_ccache_iterator_t Overview * @{ - * - * The cc_ccache_iterator_t type represents an iterator that - * iterates over a set of ccaches and returns them in all in some - * order. A new instance of this type can be obtained by calling + * + * The cc_ccache_iterator_t type represents an iterator that + * iterates over a set of ccaches and returns them in all in some + * order. A new instance of this type can be obtained by calling * cc_context_new_ccache_iterator(). * * For API function documentation see \ref cc_ccache_iterator_f. @@ -481,30 +481,30 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t; /*! * \defgroup cc_credentials_reference cc_credentials_t Overview * @{ - * - * The cc_credentials_t type is used to store a single set of - * credentials for either Kerberos v4 or Kerberos v5. In addition - * to its only function, release(), it contains a pointer to a - * cc_credentials_union structure. A cc_credentials_union - * structure contains an integer of the enumerator type - * cc_credentials_version, which is either #cc_credentials_v4 or - * #cc_credentials_v5, and a pointer union, which contains either a - * cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer, - * depending on the value in version. - * + * + * The cc_credentials_t type is used to store a single set of + * credentials for either Kerberos v4 or Kerberos v5. In addition + * to its only function, release(), it contains a pointer to a + * cc_credentials_union structure. A cc_credentials_union + * structure contains an integer of the enumerator type + * cc_credentials_version, which is either #cc_credentials_v4 or + * #cc_credentials_v5, and a pointer union, which contains either a + * cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer, + * depending on the value in version. + * * Variables of the type cc_credentials_t are allocated by the CCAPI - * implementation, and should be released with their release() - * function. API functions which receive credentials structures - * from the caller always accept cc_credentials_union, which is + * implementation, and should be released with their release() + * function. API functions which receive credentials structures + * from the caller always accept cc_credentials_union, which is * allocated by the caller, and accordingly disposed by the caller. * * For API functions see \ref cc_credentials_f. */ /*! - * If a cc_credentials_t variable is used to store Kerberos v4 - * credentials, then credentials.credentials_v4 points to a v4 - * credentials structure. This structure is similar to a + * If a cc_credentials_t variable is used to store Kerberos v4 + * credentials, then credentials.credentials_v4 points to a v4 + * credentials structure. This structure is similar to a * krb4 API CREDENTIALS structure. */ struct cc_credentials_v4_t { @@ -535,20 +535,20 @@ struct cc_credentials_v4_t { cc_int32 ticket_size; /*! Ticket data */ unsigned char ticket [cc_v4_ticket_size]; -}; +}; typedef struct cc_credentials_v4_t cc_credentials_v4_t; /*! * The CCAPI data structure. This structure is similar to a krb5_data structure. - * In a v5 credentials structure, cc_data structures are used - * to store tagged variable-length binary data. Specifically, - * for cc_credentials_v5.ticket and - * cc_credentials_v5.second_ticket, the cc_data.type field must - * be zero. For the cc_credentials_v5.addresses, - * cc_credentials_v5.authdata, and cc_credentials_v5.keyblock, - * the cc_data.type field should be the address type, - * authorization data type, and encryption type, as defined by - * the Kerberos v5 protocol definition. + * In a v5 credentials structure, cc_data structures are used + * to store tagged variable-length binary data. Specifically, + * for cc_credentials_v5.ticket and + * cc_credentials_v5.second_ticket, the cc_data.type field must + * be zero. For the cc_credentials_v5.addresses, + * cc_credentials_v5.authdata, and cc_credentials_v5.keyblock, + * the cc_data.type field should be the address type, + * authorization data type, and encryption type, as defined by + * the Kerberos v5 protocol definition. */ struct cc_data { /*! The type of the data as defined by the krb5_data structure. */ @@ -557,13 +557,13 @@ struct cc_data { cc_uint32 length; /*! The data buffer. */ void* data; -}; +}; typedef struct cc_data cc_data; /*! * If a cc_credentials_t variable is used to store Kerberos v5 c - * redentials, and then credentials.credentials_v5 points to a - * v5 credentials structure. This structure is similar to a + * redentials, and then credentials.credentials_v5 points to a + * v5 credentials structure. This structure is similar to a * krb5_creds structure. */ struct cc_credentials_v5_t { @@ -585,7 +585,7 @@ struct cc_credentials_v5_t { cc_uint32 is_skey; /*! Ticket flags, as defined by the Kerberos 5 API. */ cc_uint32 ticket_flags; - /*! The the list of network addresses of hosts that are allowed to authenticate + /*! The the list of network addresses of hosts that are allowed to authenticate * using this ticket. */ cc_data** addresses; /*! Ticket data. */ @@ -594,7 +594,7 @@ struct cc_credentials_v5_t { cc_data second_ticket; /*! Authorization data. */ cc_data** authdata; -}; +}; typedef struct cc_credentials_v5_t cc_credentials_v5_t; struct cc_credentials_union { @@ -628,8 +628,8 @@ typedef cc_credentials_d *cc_credentials_t; * \defgroup cc_credentials_iterator_reference cc_credentials_iterator_t * @{ * The cc_credentials_iterator_t type represents an iterator that - * iterates over a set of credentials. A new instance of this type - * can be obtained by calling cc_ccache_new_credentials_iterator(). + * iterates over a set of credentials. A new instance of this type + * can be obtained by calling cc_ccache_new_credentials_iterator(). * * For API function documentation see \ref cc_credentials_iterator_f. */ @@ -649,11 +649,11 @@ typedef cc_credentials_iterator_d *cc_credentials_iterator_t; /*! * \defgroup cc_string_reference cc_string_t Overview * @{ - * The cc_string_t represents a C string returned by the API. - * It has a pointer to the string data and a release() function. - * This type is used for both principal names and ccache names - * returned by the API. Principal names may contain UTF-8 encoded - * strings for internationalization purposes. + * The cc_string_t represents a C string returned by the API. + * It has a pointer to the string data and a release() function. + * This type is used for both principal names and ccache names + * returned by the API. Principal names may contain UTF-8 encoded + * strings for internationalization purposes. * * For API function documentation see \ref cc_string_f. */ @@ -672,7 +672,7 @@ typedef cc_string_d *cc_string_t; /*!@}*/ /*! - * Function pointer table for cc_context_t. For more information see + * Function pointer table for cc_context_t. For more information see * \ref cc_context_reference. */ struct cc_context_f { @@ -682,19 +682,19 @@ struct cc_context_f { * \brief \b cc_context_release(): Release memory associated with a cc_context_t. */ cc_int32 (*release) (cc_context_t io_context); - + /*! * \param in_context the context object for the cache collection to examine. * \param out_time on exit, the time of the most recent change for the entire ccache collection. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_get_change_time(): Get the last time the cache collection changed. - * - * This function returns the time of the most recent change for the entire ccache collection. - * By maintaining a local copy the caller can deduce whether or not the ccache collection has + * + * This function returns the time of the most recent change for the entire ccache collection. + * By maintaining a local copy the caller can deduce whether or not the ccache collection has * been modified since the previous call to cc_context_get_change_time(). - * + * * The time returned by cc_context_get_changed_time() increases whenever: - * + * * \li a ccache is created * \li a ccache is destroyed * \li a credential is stored @@ -702,76 +702,76 @@ struct cc_context_f { * \li a ccache principal is changed * \li the default ccache is changed * - * \note In order to be able to compare two values returned by cc_context_get_change_time(), - * the caller must use the same context to acquire them. Callers should maintain a single - * context in memory for cc_context_get_change_time() calls rather than creating a new + * \note In order to be able to compare two values returned by cc_context_get_change_time(), + * the caller must use the same context to acquire them. Callers should maintain a single + * context in memory for cc_context_get_change_time() calls rather than creating a new * context for every call. - * + * * \sa wait_for_change */ cc_int32 (*get_change_time) (cc_context_t in_context, cc_time_t *out_time); - + /*! * \param in_context the context object for the cache collection. * \param out_name on exit, the name of the default ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_get_default_ccache_name(): Get the name of the default ccache. - * - * This function returns the name of the default ccache. When the default ccache - * exists, its name is returned. If there are no ccaches in the collection, and - * thus there is no default ccache, the name that the default ccache should have - * is returned. The ccache with that name will be used as the default ccache by + * + * This function returns the name of the default ccache. When the default ccache + * exists, its name is returned. If there are no ccaches in the collection, and + * thus there is no default ccache, the name that the default ccache should have + * is returned. The ccache with that name will be used as the default ccache by * all processes which initialized Kerberos libraries before the ccache was created. - * - * If there is no default ccache, and the client is creating a new ccache, it + * + * If there is no default ccache, and the client is creating a new ccache, it * should be created with the default name. If there already is a default ccache, - * and the client wants to create a new ccache (as opposed to reusing an existing - * ccache), it should be created with any unique name; #create_new_ccache() + * and the client wants to create a new ccache (as opposed to reusing an existing + * ccache), it should be created with any unique name; #create_new_ccache() * can be used to accomplish that more easily. - * - * If the first ccache is created with a name other than the default name, then - * the processes already running will not notice the credentials stored in the + * + * If the first ccache is created with a name other than the default name, then + * the processes already running will not notice the credentials stored in the * new ccache, which is normally undesirable. */ cc_int32 (*get_default_ccache_name) (cc_context_t in_context, cc_string_t *out_name); - + /*! * \param in_context the context object for the cache collection. * \param in_name the name of the ccache to open. * \param out_ccache on exit, a ccache object for the ccache - * \return On success, #ccNoError. If no ccache named \a in_name exists, + * \return On success, #ccNoError. If no ccache named \a in_name exists, * #ccErrCCacheNotFound. On failure, an error code representing the failure. * \brief \b cc_context_open_ccache(): Open a ccache. - * - * Opens an already existing ccache identified by its name. It returns a reference + * + * Opens an already existing ccache identified by its name. It returns a reference * to the ccache in \a out_ccache. * - * The list of all ccache names, principals, and credentials versions may be retrieved - * by calling cc_context_new_cache_iterator(), cc_ccache_get_name(), + * The list of all ccache names, principals, and credentials versions may be retrieved + * by calling cc_context_new_cache_iterator(), cc_ccache_get_name(), * cc_ccache_get_principal(), and cc_ccache_get_cred_version(). */ cc_int32 (*open_ccache) (cc_context_t in_context, const char *in_name, cc_ccache_t *out_ccache); - + /*! * \param in_context the context object for the cache collection. * \param out_ccache on exit, a ccache object for the default ccache - * \return On success, #ccNoError. If no default ccache exists, + * \return On success, #ccNoError. If no default ccache exists, * #ccErrCCacheNotFound. On failure, an error code representing the failure. * \brief \b cc_context_open_default_ccache(): Open the default ccache. - * + * * Opens the default ccache. It returns a reference to the ccache in *ccache. - * - * This function performs the same function as calling + * + * This function performs the same function as calling * cc_context_get_default_ccache_name followed by cc_context_open_ccache, * but it performs it atomically. */ cc_int32 (*open_default_ccache) (cc_context_t in_context, cc_ccache_t *out_ccache); - + /*! * \param in_context the context object for the cache collection. * \param in_name the name of the new ccache to create @@ -780,51 +780,51 @@ struct cc_context_f { * \param out_ccache on exit, a ccache object for the newly created ccache * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_create_ccache(): Create a new ccache. - * - * Create a new credentials cache. The ccache is uniquely identified by its name. - * The principal given is also associated with the ccache and the credentials - * version specified. A NULL name is not allowed (and ccErrBadName is returned - * if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid - * input values for cred_vers. If you want to create a new ccache that will hold - * both versions of credentials, call cc_context_create_ccache() with one version, + * + * Create a new credentials cache. The ccache is uniquely identified by its name. + * The principal given is also associated with the ccache and the credentials + * version specified. A NULL name is not allowed (and ccErrBadName is returned + * if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid + * input values for cred_vers. If you want to create a new ccache that will hold + * both versions of credentials, call cc_context_create_ccache() with one version, * and then cc_ccache_set_principal() with the other version. - * - * If you want to create a new ccache (with a unique name), you should use - * cc_context_create_new_ccache() instead. If you want to create or reinitialize + * + * If you want to create a new ccache (with a unique name), you should use + * cc_context_create_new_ccache() instead. If you want to create or reinitialize * the default cache, you should use cc_context_create_default_ccache(). - * + * * If name is non-NULL and there is already a ccache named name: - * + * * \li the credentials in the ccache whose version is cred_vers are removed * \li the principal (of the existing ccache) associated with cred_vers is set to principal * \li a handle for the existing ccache is returned and all existing handles for the ccache remain valid * * If no ccache named name already exists: - * + * * \li a new empty ccache is created * \li the principal of the new ccache associated with cred_vers is set to principal * \li a handle for the new ccache is returned * - * For a new ccache, the name should be any unique string. The name is not + * For a new ccache, the name should be any unique string. The name is not * intended to be presented to users. - * - * If the created ccache is the first ccache in the collection, it is made - * the default ccache. Note that normally it is undesirable to create the first - * ccache with a name different from the default ccache name (as returned by - * cc_context_get_default_ccache_name()); see the description of + * + * If the created ccache is the first ccache in the collection, it is made + * the default ccache. Note that normally it is undesirable to create the first + * ccache with a name different from the default ccache name (as returned by + * cc_context_get_default_ccache_name()); see the description of * cc_context_get_default_ccache_name() for details. - * - * The principal should be a C string containing an unparsed Kerberos principal - * in the format of the appropriate Kerberos version, i.e. \verbatim foo.bar/@BAZ - * \endverbatim for Kerberos v4 and \verbatim foo/bar/@BAZ \endverbatim - * for Kerberos v5. + * + * The principal should be a C string containing an unparsed Kerberos principal + * in the format of the appropriate Kerberos version, i.e. \verbatim foo.bar/@BAZ + * \endverbatim for Kerberos v4 and \verbatim foo/bar/@BAZ \endverbatim + * for Kerberos v5. */ cc_int32 (*create_ccache) (cc_context_t in_context, const char *in_name, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); - + /*! * \param in_context the context object for the cache collection. * \param in_cred_vers the version of the credentials the new default ccache will hold @@ -833,19 +833,19 @@ struct cc_context_f { * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_create_default_ccache(): Create a new default ccache. * - * Create the default credentials cache. The behavior of this function is - * similar to that of cc_create_ccache(). If there is a default ccache - * (which is always the case except when there are no ccaches at all in - * the collection), it is initialized with the specified credentials version - * and principal, as per cc_create_ccache(); otherwise, a new ccache is - * created, and its name is the name returned by + * Create the default credentials cache. The behavior of this function is + * similar to that of cc_create_ccache(). If there is a default ccache + * (which is always the case except when there are no ccaches at all in + * the collection), it is initialized with the specified credentials version + * and principal, as per cc_create_ccache(); otherwise, a new ccache is + * created, and its name is the name returned by * cc_context_get_default_ccache_name(). */ cc_int32 (*create_default_ccache) (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); - + /*! * \param in_context the context object for the cache collection. * \param in_cred_vers the version of the credentials the new ccache will hold @@ -854,36 +854,36 @@ struct cc_context_f { * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_create_new_ccache(): Create a new uniquely named ccache. * - * Create a new unique credentials cache. The behavior of this function - * is similar to that of cc_create_ccache(). If there are no ccaches, and - * therefore no default ccache, the new ccache is created with the default - * ccache name as would be returned by get_default_ccache_name(). If there - * are some ccaches, and therefore there is a default ccache, the new ccache - * is created with a new unique name. Clearly, this function never reinitializes + * Create a new unique credentials cache. The behavior of this function + * is similar to that of cc_create_ccache(). If there are no ccaches, and + * therefore no default ccache, the new ccache is created with the default + * ccache name as would be returned by get_default_ccache_name(). If there + * are some ccaches, and therefore there is a default ccache, the new ccache + * is created with a new unique name. Clearly, this function never reinitializes * a ccache, since it always uses a unique name. */ cc_int32 (*create_new_ccache) (cc_context_t in_context, cc_uint32 in_cred_vers, - const char *in_principal, + const char *in_principal, cc_ccache_t *out_ccache); - + /*! * \param in_context the context object for the cache collection. * \param out_iterator on exit, a ccache iterator object for the ccache collection. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_new_ccache_iterator(): Get an iterator for the cache collection. * - * Used to allocate memory and initialize iterator. Successive calls to iterator's + * Used to allocate memory and initialize iterator. Successive calls to iterator's * next() function will return ccaches in the collection. * - * If changes are made to the collection while an iterator is being used - * on it, the iterator must return at least the intersection, and at most - * the union, of the set of ccaches that were present when the iteration + * If changes are made to the collection while an iterator is being used + * on it, the iterator must return at least the intersection, and at most + * the union, of the set of ccaches that were present when the iteration * began and the set of ccaches that are present when it ends. */ cc_int32 (*new_ccache_iterator) (cc_context_t in_context, cc_ccache_iterator_t *out_iterator); - + /*! * \param in_context the context object for the cache collection. * \param in_lock_type the type of lock to obtain. @@ -891,49 +891,49 @@ struct cc_context_f { * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_lock(): Lock the cache collection. * - * Attempts to acquire an advisory lock for the ccache collection. Allowed values + * Attempts to acquire an advisory lock for the ccache collection. Allowed values * for lock_type are: - * + * * \li cc_lock_read: a read lock. * \li cc_lock_write: a write lock * \li cc_lock_upgrade: upgrade an already-obtained read lock to a write lock * \li cc_lock_downgrade: downgrade an already-obtained write lock to a read lock - * - * If block is cc_lock_block, lock() will not return until the lock is acquired. - * If block is cc_lock_noblock, lock() will return immediately, either acquiring - * the lock and returning ccNoError, or failing to acquire the lock and returning + * + * If block is cc_lock_block, lock() will not return until the lock is acquired. + * If block is cc_lock_noblock, lock() will return immediately, either acquiring + * the lock and returning ccNoError, or failing to acquire the lock and returning * an error explaining why. * * Locks apply only to the list of ccaches, not the contents of those ccaches. To * prevent callers participating in the advisory locking from changing the credentials * in a cache you must also lock that ccache with cc_ccache_lock(). This is so - * that you can get the list of ccaches without preventing applications from + * that you can get the list of ccaches without preventing applications from * simultaneously obtaining service tickets. - * - * To avoid having to deal with differences between thread semantics on different - * platforms, locks are granted per context, rather than per thread or per process. - * That means that different threads of execution have to acquire separate contexts + * + * To avoid having to deal with differences between thread semantics on different + * platforms, locks are granted per context, rather than per thread or per process. + * That means that different threads of execution have to acquire separate contexts * in order to be able to synchronize with each other. * * The lock should be unlocked by using cc_context_unlock(). - * - * \note All locks are advisory. For example, callers which do not call - * cc_context_lock() and cc_context_unlock() will not be prevented from writing + * + * \note All locks are advisory. For example, callers which do not call + * cc_context_lock() and cc_context_unlock() will not be prevented from writing * to the cache collection when you have a read lock. This is because the CCAPI - * locking was added after the first release and thus adding mandatory locks would + * locking was added after the first release and thus adding mandatory locks would * have changed the user experience and performance of existing applications. */ cc_int32 (*lock) (cc_context_t in_context, cc_uint32 in_lock_type, cc_uint32 in_block); - + /*! * \param in_context the context object for the cache collection. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_unlock(): Unlock the cache collection. */ cc_int32 (*unlock) (cc_context_t in_cc_context); - + /*! * \param in_context a context object. * \param in_compare_to_context a context object to compare with \a in_context. @@ -944,20 +944,20 @@ struct cc_context_f { cc_int32 (*compare) (cc_context_t in_cc_context, cc_context_t in_compare_to_context, cc_uint32 *out_equal); - + /*! * \param in_context a context object. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_wait_for_change(): Wait for the next change in the cache collection. * - * This function blocks until the next change is made to the cache collection - * ccache collection. By repeatedly calling cc_context_wait_for_change() from - * a worker thread the caller can effectively receive callbacks whenever the + * This function blocks until the next change is made to the cache collection + * ccache collection. By repeatedly calling cc_context_wait_for_change() from + * a worker thread the caller can effectively receive callbacks whenever the * cache collection changes. This is considerably more efficient than polling * with cc_context_get_change_time(). - * + * * cc_context_wait_for_change() will return whenever: - * + * * \li a ccache is created * \li a ccache is destroyed * \li a credential is stored @@ -965,19 +965,19 @@ struct cc_context_f { * \li a ccache principal is changed * \li the default ccache is changed * - * \note In order to make sure that the caller doesn't miss any changes, + * \note In order to make sure that the caller doesn't miss any changes, * cc_context_wait_for_change() always returns immediately after the first time it * is called on a new context object. Callers must use the same context object - * for successive calls to cc_context_wait_for_change() rather than creating a new + * for successive calls to cc_context_wait_for_change() rather than creating a new * context for every call. - * + * * \sa get_change_time */ cc_int32 (*wait_for_change) (cc_context_t in_cc_context); }; /*! - * Function pointer table for cc_ccache_t. For more information see + * Function pointer table for cc_ccache_t. For more information see * \ref cc_ccache_reference. */ struct cc_ccache_f { @@ -988,54 +988,54 @@ struct cc_ccache_f { * \note Does not modify the ccache. If you wish to remove the ccache see cc_ccache_destroy(). */ cc_int32 (*release) (cc_ccache_t io_ccache); - + /*! * \param io_ccache the ccache object to destroy and release. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_destroy(): Destroy a ccache. - * + * * Destroy the ccache referred to by \a io_ccache and releases memory associated with - * the \a io_ccache object. After this call \a io_ccache becomes invalid. If + * the \a io_ccache object. After this call \a io_ccache becomes invalid. If * \a io_ccache was the default ccache, the next ccache in the cache collection (if any) * becomes the new default. */ cc_int32 (*destroy) (cc_ccache_t io_ccache); - + /*! * \param io_ccache a ccache object to make the new default ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_set_default(): Make a ccache the default ccache. */ cc_int32 (*set_default) (cc_ccache_t io_ccache); - + /*! * \param in_ccache a ccache object. * \param out_credentials_version on exit, the credentials version of \a in_ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_get_credentials_version(): Get the credentials version of a ccache. * - * cc_ccache_get_credentials_version() returns one value of the enumerated type - * cc_credentials_vers. The possible return values are #cc_credentials_v4 - * (if ccache's v4 principal has been set), #cc_credentials_v5 - * (if ccache's v5 principal has been set), or #cc_credentials_v4_v5 - * (if both ccache's v4 and v5 principals have been set). A ccache's - * principal is set with one of cc_context_create_ccache(), - * cc_context_create_new_ccache(), cc_context_create_default_ccache(), or + * cc_ccache_get_credentials_version() returns one value of the enumerated type + * cc_credentials_vers. The possible return values are #cc_credentials_v4 + * (if ccache's v4 principal has been set), #cc_credentials_v5 + * (if ccache's v5 principal has been set), or #cc_credentials_v4_v5 + * (if both ccache's v4 and v5 principals have been set). A ccache's + * principal is set with one of cc_context_create_ccache(), + * cc_context_create_new_ccache(), cc_context_create_default_ccache(), or * cc_ccache_set_principal(). */ cc_int32 (*get_credentials_version) (cc_ccache_t in_ccache, cc_uint32 *out_credentials_version); - + /*! * \param in_ccache a ccache object. - * \param out_name on exit, a cc_string_t representing the name of \a in_ccache. + * \param out_name on exit, a cc_string_t representing the name of \a in_ccache. * \a out_name must be released with cc_string_release(). * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_get_name(): Get the name of a ccache. */ cc_int32 (*get_name) (cc_ccache_t in_ccache, cc_string_t *out_name); - + /*! * \param in_ccache a ccache object. * \param in_credentials_version the credentials version to get the principal for. @@ -1043,118 +1043,118 @@ struct cc_ccache_f { * \a out_principal must be released with cc_string_release(). * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_get_principal(): Get the principal of a ccache. - * - * Return the principal for the ccache that was set via cc_context_create_ccache(), - * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or - * cc_ccache_set_principal(). Principals for v4 and v5 are separate, but - * should be kept synchronized for each ccache; they can be retrieved by - * passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing + * + * Return the principal for the ccache that was set via cc_context_create_ccache(), + * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or + * cc_ccache_set_principal(). Principals for v4 and v5 are separate, but + * should be kept synchronized for each ccache; they can be retrieved by + * passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing * cc_credentials_v4_v5 will result in the error ccErrBadCredentialsVersion. */ cc_int32 (*get_principal) (cc_ccache_t in_ccache, cc_uint32 in_credentials_version, cc_string_t *out_principal); - - + + /*! * \param in_ccache a ccache object. * \param in_credentials_version the credentials version to set the principal for. * \param in_principal a C string representing the new principal of \a in_ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_set_principal(): Set the principal of a ccache. - * - * Set the a principal for ccache. The v4 and v5 principals can be set - * independently, but they should always be kept equal, up to differences in - * string representation between v4 and v5. Passing cc_credentials_v4_v5 in + * + * Set the a principal for ccache. The v4 and v5 principals can be set + * independently, but they should always be kept equal, up to differences in + * string representation between v4 and v5. Passing cc_credentials_v4_v5 in * cred_vers will result in the error ccErrBadCredentialsVersion. */ cc_int32 (*set_principal) (cc_ccache_t io_ccache, cc_uint32 in_credentials_version, const char *in_principal); - + /*! * \param io_ccache a ccache object. * \param in_credentials_union the credentials to store in \a io_ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_store_credentials(): Store credentials in a ccache. - * + * * Store a copy of credentials in the ccache. - * - * See the description of the credentials types for the meaning of + * + * See the description of the credentials types for the meaning of * cc_credentials_union fields. - * - * Before credentials of a specific credential type can be stored in a ccache, - * the corresponding principal version has to be set. For example, before you can - * store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set - * either by cc_context_create_ccache(), cc_context_create_default_ccache(), - * cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for + * + * Before credentials of a specific credential type can be stored in a ccache, + * the corresponding principal version has to be set. For example, before you can + * store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set + * either by cc_context_create_ccache(), cc_context_create_default_ccache(), + * cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for * Kerberos v5. Otherwise, ccErrBadCredentialsVersion is returned. */ cc_int32 (*store_credentials) (cc_ccache_t io_ccache, const cc_credentials_union *in_credentials_union); - + /*! * \param io_ccache a ccache object. * \param in_credentials the credentials to remove from \a io_ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_remove_credentials(): Remove credentials from a ccache. - * - * Removes credentials from a ccache. Note that credentials must be previously - * acquired from the CCache API; only exactly matching credentials will be - * removed. (This places the burden of determining exactly which credentials - * to remove on the caller, but ensures there is no ambigity about which - * credentials will be removed.) cc_credentials_t objects can be obtained by + * + * Removes credentials from a ccache. Note that credentials must be previously + * acquired from the CCache API; only exactly matching credentials will be + * removed. (This places the burden of determining exactly which credentials + * to remove on the caller, but ensures there is no ambigity about which + * credentials will be removed.) cc_credentials_t objects can be obtained by * iterating over the ccache's credentials with cc_ccache_new_credentials_iterator(). - * - * If found, the credentials are removed from the ccache. The credentials - * parameter is not modified and should be freed by the caller. It is - * legitimate to call this function while an iterator is traversing the - * ccache, and the deletion of a credential already returned by - * cc_credentials_iterator_next() will not disturb sequence of credentials + * + * If found, the credentials are removed from the ccache. The credentials + * parameter is not modified and should be freed by the caller. It is + * legitimate to call this function while an iterator is traversing the + * ccache, and the deletion of a credential already returned by + * cc_credentials_iterator_next() will not disturb sequence of credentials * returned by cc_credentials_iterator_next(). */ cc_int32 (*remove_credentials) (cc_ccache_t io_ccache, cc_credentials_t in_credentials); - + /*! * \param in_ccache a ccache object. * \param out_credentials_iterator a credentials iterator for \a io_ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_new_credentials_iterator(): Iterate over credentials in a ccache. - * - * Allocates memory for iterator and initializes it. Successive calls to + * + * Allocates memory for iterator and initializes it. Successive calls to * cc_credentials_iterator_next() will return credentials from the ccache. - * - * If changes are made to the ccache while an iterator is being used on it, - * the iterator must return at least the intersection, and at most the union, - * of the set of credentials that were in the ccache when the iteration began + * + * If changes are made to the ccache while an iterator is being used on it, + * the iterator must return at least the intersection, and at most the union, + * of the set of credentials that were in the ccache when the iteration began * and the set of credentials that are in the ccache when it ends. */ cc_int32 (*new_credentials_iterator) (cc_ccache_t in_ccache, cc_credentials_iterator_t *out_credentials_iterator); - + /*! * \param io_source_ccache a ccache object to move. * \param io_destination_ccache a ccache object replace with the contents of \a io_source_ccache. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_move(): Move the contents of one ccache into another, destroying the source. - * - * cc_ccache_move() atomically copies the credentials, credential versions and principals - * from one ccache to another. On successful completion \a io_source_ccache will be + * + * cc_ccache_move() atomically copies the credentials, credential versions and principals + * from one ccache to another. On successful completion \a io_source_ccache will be * released and the ccache it points to will be destroyed. Any credentials previously * in \a io_destination_ccache will be replaced with credentials from \a io_source_ccache. * The only part of \a io_destination_ccache which remains constant is the name. Any other * callers referring to \a io_destination_ccache will suddenly see new data in it. * - * Typically cc_ccache_move() is used when the caller wishes to safely overwrite the - * contents of a ccache with new data which requires several steps to generate. - * cc_ccache_move() allows the caller to create a temporary ccache + * Typically cc_ccache_move() is used when the caller wishes to safely overwrite the + * contents of a ccache with new data which requires several steps to generate. + * cc_ccache_move() allows the caller to create a temporary ccache * (which can be destroyed if any intermediate step fails) and the atomically copy * the temporary cache into the destination. */ cc_int32 (*move) (cc_ccache_t io_source_ccache, cc_ccache_t io_destination_ccache); - + /*! * \param io_ccache the ccache object for the ccache you wish to lock. * \param in_lock_type the type of lock to obtain. @@ -1163,84 +1163,84 @@ struct cc_ccache_f { * \brief \b cc_ccache_lock(): Lock a ccache. * * Attempts to acquire an advisory lock for a ccache. Allowed values for lock_type are: - * + * * \li cc_lock_read: a read lock. * \li cc_lock_write: a write lock * \li cc_lock_upgrade: upgrade an already-obtained read lock to a write lock * \li cc_lock_downgrade: downgrade an already-obtained write lock to a read lock - * - * If block is cc_lock_block, lock() will not return until the lock is acquired. - * If block is cc_lock_noblock, lock() will return immediately, either acquiring - * the lock and returning ccNoError, or failing to acquire the lock and returning + * + * If block is cc_lock_block, lock() will not return until the lock is acquired. + * If block is cc_lock_noblock, lock() will return immediately, either acquiring + * the lock and returning ccNoError, or failing to acquire the lock and returning * an error explaining why. * - * To avoid having to deal with differences between thread semantics on different - * platforms, locks are granted per ccache, rather than per thread or per process. - * That means that different threads of execution have to acquire separate contexts + * To avoid having to deal with differences between thread semantics on different + * platforms, locks are granted per ccache, rather than per thread or per process. + * That means that different threads of execution have to acquire separate contexts * in order to be able to synchronize with each other. * * The lock should be unlocked by using cc_ccache_unlock(). - * - * \note All locks are advisory. For example, callers which do not call - * cc_ccache_lock() and cc_ccache_unlock() will not be prevented from writing + * + * \note All locks are advisory. For example, callers which do not call + * cc_ccache_lock() and cc_ccache_unlock() will not be prevented from writing * to the ccache when you have a read lock. This is because the CCAPI - * locking was added after the first release and thus adding mandatory locks would + * locking was added after the first release and thus adding mandatory locks would * have changed the user experience and performance of existing applications. */ cc_int32 (*lock) (cc_ccache_t io_ccache, cc_uint32 in_lock_type, cc_uint32 in_block); - + /*! * \param io_ccache a ccache object. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_unlock(): Unlock a ccache. */ cc_int32 (*unlock) (cc_ccache_t io_ccache); - + /*! * \param in_ccache a cache object. * \param out_last_default_time on exit, the last time the ccache was default. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_get_change_time(): Get the last time a ccache was the default ccache. - * - * This function returns the last time when the ccache was made the default ccache. - * This allows clients to sort the ccaches by how recently they were default, which - * is useful for user listing of ccaches. If the ccache was never default, + * + * This function returns the last time when the ccache was made the default ccache. + * This allows clients to sort the ccaches by how recently they were default, which + * is useful for user listing of ccaches. If the ccache was never default, * ccErrNeverDefault is returned. */ cc_int32 (*get_last_default_time) (cc_ccache_t in_ccache, cc_time_t *out_last_default_time); - + /*! * \param in_ccache a cache object. * \param out_change_time on exit, the last time the ccache changed. * \return On success, #ccNoError. If the ccache was never the default ccache, * #ccErrNeverDefault. Otherwise, an error code representing the failure. * \brief \b cc_ccache_get_change_time(): Get the last time a ccache changed. - * - * This function returns the time of the most recent change made to a ccache. - * By maintaining a local copy the caller can deduce whether or not the ccache has + * + * This function returns the time of the most recent change made to a ccache. + * By maintaining a local copy the caller can deduce whether or not the ccache has * been modified since the previous call to cc_ccache_get_change_time(). - * + * * The time returned by cc_ccache_get_change_time() increases whenever: - * + * * \li a credential is stored * \li a credential is removed * \li a ccache principal is changed * \li the ccache becomes the default ccache * \li the ccache is no longer the default ccache * - * \note In order to be able to compare two values returned by cc_ccache_get_change_time(), - * the caller must use the same ccache object to acquire them. Callers should maintain a - * single ccache object in memory for cc_ccache_get_change_time() calls rather than + * \note In order to be able to compare two values returned by cc_ccache_get_change_time(), + * the caller must use the same ccache object to acquire them. Callers should maintain a + * single ccache object in memory for cc_ccache_get_change_time() calls rather than * creating a new ccache object for every call. - * + * * \sa wait_for_change */ cc_int32 (*get_change_time) (cc_ccache_t in_ccache, cc_time_t *out_change_time); - + /*! * \param in_ccache a ccache object. * \param in_compare_to_ccache a ccache object to compare with \a in_ccache. @@ -1251,26 +1251,26 @@ struct cc_ccache_f { cc_int32 (*compare) (cc_ccache_t in_ccache, cc_ccache_t in_compare_to_ccache, cc_uint32 *out_equal); - + /*! * \param in_ccache a ccache object. * \param in_credentials_version the credentials version to get the time offset for. * \param out_time_offset on exit, the KDC time offset for \a in_ccache for credentials version * \a in_credentials_version. - * \return On success, #ccNoError if a time offset was obtained or #ccErrTimeOffsetNotSet + * \return On success, #ccNoError if a time offset was obtained or #ccErrTimeOffsetNotSet * if a time offset has not been set. On failure, an error code representing the failure. * \brief \b cc_ccache_get_kdc_time_offset(): Get the KDC time offset for credentials in a ccache. * \sa set_kdc_time_offset, clear_kdc_time_offset - * + * * Sometimes the KDC and client's clocks get out of sync. cc_ccache_get_kdc_time_offset() - * returns the difference between the KDC and client's clocks at the time credentials were - * acquired. This offset allows callers to figure out how much time is left on a given + * returns the difference between the KDC and client's clocks at the time credentials were + * acquired. This offset allows callers to figure out how much time is left on a given * credential even though the end_time is based on the KDC's clock not the client's clock. */ cc_int32 (*get_kdc_time_offset) (cc_ccache_t in_ccache, cc_uint32 in_credentials_version, cc_time_t *out_time_offset); - + /*! * \param in_ccache a ccache object. * \param in_credentials_version the credentials version to get the time offset for. @@ -1279,63 +1279,63 @@ struct cc_ccache_f { * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_set_kdc_time_offset(): Set the KDC time offset for credentials in a ccache. * \sa get_kdc_time_offset, clear_kdc_time_offset - * + * * Sometimes the KDC and client's clocks get out of sync. cc_ccache_set_kdc_time_offset() - * sets the difference between the KDC and client's clocks at the time credentials were - * acquired. This offset allows callers to figure out how much time is left on a given + * sets the difference between the KDC and client's clocks at the time credentials were + * acquired. This offset allows callers to figure out how much time is left on a given * credential even though the end_time is based on the KDC's clock not the client's clock. */ cc_int32 (*set_kdc_time_offset) (cc_ccache_t io_ccache, cc_uint32 in_credentials_version, cc_time_t in_time_offset); - + /*! * \param in_ccache a ccache object. * \param in_credentials_version the credentials version to get the time offset for. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_clear_kdc_time_offset(): Clear the KDC time offset for credentials in a ccache. * \sa get_kdc_time_offset, set_kdc_time_offset - * + * * Sometimes the KDC and client's clocks get out of sync. cc_ccache_clear_kdc_time_offset() - * clears the difference between the KDC and client's clocks at the time credentials were - * acquired. This offset allows callers to figure out how much time is left on a given + * clears the difference between the KDC and client's clocks at the time credentials were + * acquired. This offset allows callers to figure out how much time is left on a given * credential even though the end_time is based on the KDC's clock not the client's clock. */ cc_int32 (*clear_kdc_time_offset) (cc_ccache_t io_ccache, cc_uint32 in_credentials_version); - + /*! * \param in_ccache a ccache object. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_wait_for_change(): Wait for the next change to a ccache. * - * This function blocks until the next change is made to the ccache referenced by - * \a in_ccache. By repeatedly calling cc_ccache_wait_for_change() from - * a worker thread the caller can effectively receive callbacks whenever the + * This function blocks until the next change is made to the ccache referenced by + * \a in_ccache. By repeatedly calling cc_ccache_wait_for_change() from + * a worker thread the caller can effectively receive callbacks whenever the * ccache changes. This is considerably more efficient than polling * with cc_ccache_get_change_time(). - * + * * cc_ccache_wait_for_change() will return whenever: - * + * * \li a credential is stored * \li a credential is removed * \li the ccache principal is changed * \li the ccache becomes the default ccache * \li the ccache is no longer the default ccache * - * \note In order to make sure that the caller doesn't miss any changes, + * \note In order to make sure that the caller doesn't miss any changes, * cc_ccache_wait_for_change() always returns immediately after the first time it * is called on a new ccache object. Callers must use the same ccache object - * for successive calls to cc_ccache_wait_for_change() rather than creating a new + * for successive calls to cc_ccache_wait_for_change() rather than creating a new * ccache object for every call. - * + * * \sa get_change_time */ cc_int32 (*wait_for_change) (cc_ccache_t in_ccache); }; /*! - * Function pointer table for cc_string_t. For more information see + * Function pointer table for cc_string_t. For more information see * \ref cc_string_reference. */ struct cc_string_f { @@ -1348,7 +1348,7 @@ struct cc_string_f { }; /*! - * Function pointer table for cc_credentials_t. For more information see + * Function pointer table for cc_credentials_t. For more information see * \ref cc_credentials_reference. */ struct cc_credentials_f { @@ -1358,11 +1358,11 @@ struct cc_credentials_f { * \brief \b cc_credentials_release(): Release memory associated with a cc_credentials_t object. */ cc_int32 (*release) (cc_credentials_t io_credentials); - + /*! * \param in_credentials a credentials object. * \param in_compare_to_credentials a credentials object to compare with \a in_credentials. - * \param out_equal on exit, whether or not the two credentials objects refer to the + * \param out_equal on exit, whether or not the two credentials objects refer to the * same credentials in the cache collection. * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_credentials_compare(): Compare two credentials objects. @@ -1373,7 +1373,7 @@ struct cc_credentials_f { }; /*! - * Function pointer table for cc_ccache_iterator_t. For more information see + * Function pointer table for cc_ccache_iterator_t. For more information see * \ref cc_ccache_iterator_reference. */ struct cc_ccache_iterator_f { @@ -1383,18 +1383,18 @@ struct cc_ccache_iterator_f { * \brief \b cc_ccache_iterator_release(): Release memory associated with a cc_ccache_iterator_t object. */ cc_int32 (*release) (cc_ccache_iterator_t io_ccache_iterator); - + /*! * \param in_ccache_iterator a ccache iterator object. * \param out_ccache on exit, the next ccache in the cache collection. - * \return On success, #ccNoError if the next ccache in the cache collection was - * obtained or #ccIteratorEnd if there are no more ccaches. + * \return On success, #ccNoError if the next ccache in the cache collection was + * obtained or #ccIteratorEnd if there are no more ccaches. * On failure, an error code representing the failure. * \brief \b cc_ccache_iterator_next(): Get the next ccache in the cache collection. */ cc_int32 (*next) (cc_ccache_iterator_t in_ccache_iterator, cc_ccache_t *out_ccache); - + /*! * \param in_ccache_iterator a ccache iterator object. * \param out_ccache_iterator on exit, a copy of \a in_ccache_iterator. @@ -1406,7 +1406,7 @@ struct cc_ccache_iterator_f { }; /*! - * Function pointer table for cc_credentials_iterator_t. For more information see + * Function pointer table for cc_credentials_iterator_t. For more information see * \ref cc_credentials_iterator_reference. */ struct cc_credentials_iterator_f { @@ -1416,18 +1416,18 @@ struct cc_credentials_iterator_f { * \brief \b cc_credentials_iterator_release(): Release memory associated with a cc_credentials_iterator_t object. */ cc_int32 (*release) (cc_credentials_iterator_t io_credentials_iterator); - + /*! * \param in_credentials_iterator a credentials iterator object. * \param out_credentials on exit, the next credentials in the ccache. * \return On success, #ccNoError if the next credential in the ccache was obtained - * or #ccIteratorEnd if there are no more credentials. + * or #ccIteratorEnd if there are no more credentials. * On failure, an error code representing the failure. * \brief \b cc_credentials_iterator_next(): Get the next credentials in the ccache. */ cc_int32 (*next) (cc_credentials_iterator_t in_credentials_iterator, cc_credentials_t *out_credentials); - + /*! * \ingroup cc_credentials_iterator_reference * \param in_credentials_iterator a credentials iterator object. @@ -1442,11 +1442,11 @@ struct cc_credentials_iterator_f { /*! * \ingroup cc_context_reference * \param out_context on exit, a new context object. Must be free with cc_context_release(). - * \param in_version the requested API version. This should be the maximum version the + * \param in_version the requested API version. This should be the maximum version the * application supports. * \param out_supported_version if non-NULL, on exit contains the maximum API version * supported by the implementation. - * \param out_vendor if non-NULL, on exit contains a pointer to a read-only C string which + * \param out_vendor if non-NULL, on exit contains a pointer to a read-only C string which * contains a string describing the vendor which implemented the credentials cache API. * \return On success, #ccNoError. On failure, an error code representing the failure. * May return CCAPI v2 error CC_BAD_API_VERSION if #ccapi_version_2 is passed in. @@ -1456,7 +1456,7 @@ CCACHE_API cc_int32 cc_initialize (cc_context_t *out_context, cc_int32 in_version, cc_int32 *out_supported_version, char const **out_vendor); - + /*! \defgroup helper_macros CCAPI Function Helper Macros * @{ */ @@ -1582,7 +1582,7 @@ CCACHE_API cc_int32 cc_initialize (cc_context_t *out_context, /*! Helper macro for cc_ccache_iterator_f clone() */ #define cc_ccache_iterator_clone(iterator, new_iterator) \ ((iterator) -> functions -> clone (iterator, new_iterator)) - + /*! Helper macro for cc_credentials_iterator_f release() */ #define cc_credentials_iterator_release(iterator) \ ((iterator) -> functions -> release (iterator)) diff --git a/src/include/CredentialsCache2.h b/src/include/CredentialsCache2.h index b0c45d59e..e9ea311cf 100644 --- a/src/include/CredentialsCache2.h +++ b/src/include/CredentialsCache2.h @@ -25,13 +25,13 @@ */ /* - * This is backwards compatibility for CCache API v2 clients to be able to run + * This is backwards compatibility for CCache API v2 clients to be able to run * against the CCache API v3 library */ - + #ifndef CCAPI_V2_H #define CCAPI_V2_H - + #include #if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)) @@ -53,7 +53,7 @@ extern "C" { #if TARGET_OS_MAC #pragma pack(push,2) #endif - + /* Some old types get directly mapped to new types */ typedef cc_context_d apiCB; @@ -84,17 +84,17 @@ typedef struct cc_credentials_v5_compat { cc_data_compat second_ticket; cc_data_compat** authdata; } cc_credentials_v5_compat; - + enum { MAX_V4_CRED_LEN = 1250 }; - + enum { KRB_NAME_SZ = 40, KRB_INSTANCE_SZ = 40, KRB_REALM_SZ = 40 }; - + typedef struct cc_credentials_v4_compat { unsigned char kversion; char principal[KRB_NAME_SZ+1]; @@ -117,7 +117,7 @@ typedef union cred_ptr_union_compat { cc_credentials_v4_compat* pV4Cred; cc_credentials_v5_compat* pV5Cred; } cred_ptr_union_compat; - + typedef struct cred_union { cc_int32 cred_type; /* cc_cred_vers */ cred_ptr_union_compat cred; @@ -162,7 +162,7 @@ enum { CC_ERR_CACHE_RELEASE, CC_ERR_CACHE_FULL, CC_ERR_CRED_VERSION -}; +}; enum { CC_CRED_UNKNOWN, @@ -178,21 +178,21 @@ enum { CC_LOCK_NOBLOCK = 16 }; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_shutdown (apiCB **io_context) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_get_NC_info (apiCB *in_context, infoNC ***out_info) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_get_change_time (apiCB *in_context, cc_time_t *out_change_time) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_open (apiCB *in_context, const char *in_name, cc_int32 in_version, @@ -200,7 +200,7 @@ cc_open (apiCB *in_context, ccache_p **out_ccache) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_create (apiCB *in_context, const char *in_name, const char *in_principal, @@ -209,107 +209,107 @@ cc_create (apiCB *in_context, ccache_p **out_ccache) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_close (apiCB *in_context, ccache_p **ioCCache) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_destroy (apiCB *in_context, ccache_p **io_ccache) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_seq_fetch_NCs_begin (apiCB *in_context, ccache_cit **out_nc_iterator) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_seq_fetch_NCs_next (apiCB *in_context, ccache_p **out_ccache, ccache_cit *in_nc_iterator) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_seq_fetch_NCs_end (apiCB *in_context, ccache_cit **io_nc_iterator) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_get_name (apiCB *in_context, ccache_p *in_ccache, char **out_name) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_get_cred_version (apiCB *in_context, ccache_p *in_ccache, cc_int32 *out_version) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_set_principal (apiCB *in_context, ccache_p *in_ccache, cc_int32 in_version, char *in_principal) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_get_principal (apiCB *in_context, ccache_p *in_ccache, char **out_principal) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_store (apiCB *in_context, ccache_p *in_ccache, cred_union in_credentials) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_remove_cred (apiCB *in_context, ccache_p *in_ccache, cred_union in_credentials) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_seq_fetch_creds_begin (apiCB *in_context, const ccache_p *in_ccache, ccache_cit **out_ccache_iterator) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_seq_fetch_creds_next (apiCB *in_context, cred_union **out_cred_union, ccache_cit *in_ccache_iterator) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_seq_fetch_creds_end (apiCB *in_context, ccache_cit **io_ccache_iterator) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_free_principal (apiCB *in_context, char **io_principal) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_free_name (apiCB *in_context, char **io_name) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_free_creds (apiCB *in_context, cred_union **io_cred_union) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_free_NC_info (apiCB *in_context, infoNC ***io_info) CCAPI_DEPRECATED; -CCACHE_API cc_int32 +CCACHE_API cc_int32 cc_lock_request (apiCB *in_context, const ccache_p *in_ccache, const cc_int32 in_lock_type) diff --git a/src/include/adm_proto.h b/src/include/adm_proto.h index 47d500d0d..cd17a2fa6 100644 --- a/src/include/adm_proto.h +++ b/src/include/adm_proto.h @@ -111,7 +111,7 @@ krb5_flags_to_string (krb5_flags, char *, size_t); krb5_error_code -krb5_input_flag_to_string (int, +krb5_input_flag_to_string (int, char *, size_t); @@ -128,7 +128,7 @@ krb5_keysalt_iterate (krb5_key_salt_tuple *, krb5_error_code (*) (krb5_key_salt_tuple *, krb5_pointer), krb5_pointer); - + krb5_error_code krb5_string_to_keysalts (char *, const char *, diff --git a/src/include/cm.h b/src/include/cm.h index 716e6cb59..a317c835a 100644 --- a/src/include/cm.h +++ b/src/include/cm.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -75,7 +75,7 @@ struct conn_state { struct sendto_callback_info { int (*pfn_callback) (struct conn_state *, void *, krb5_data *); void (*pfn_cleanup) (void *, krb5_data *); - void *context; + void *context; }; diff --git a/src/include/copyright.h b/src/include/copyright.h index b1740ce3c..68dcfdbdb 100644 --- a/src/include/copyright.h +++ b/src/include/copyright.h @@ -1,40 +1,40 @@ /* * Copyright (C) 1989-1994 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h index 952b43f0b..d6ba0fb7c 100644 --- a/src/include/fake-addrinfo.h +++ b/src/include/fake-addrinfo.h @@ -1,42 +1,42 @@ /* * Copyright (C) 2001,2002,2003,2004 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ /* Approach overview: @@ -202,7 +202,7 @@ struct addrinfo { # define AI_DEFAULT (AI_ADDRCONFIG|AI_V4MAPPED) #endif -#if defined(KRB5_USE_INET6) && defined(NEED_INSIXADDR_ANY) +#if defined(KRB5_USE_INET6) && defined(NEED_INSIXADDR_ANY) /* If compiling with IPv6 support and C library does not define in6addr_any */ extern const struct in6_addr krb5int_in6addr_any; #undef in6addr_any diff --git a/src/include/foreachaddr.h b/src/include/foreachaddr.h index 57591f596..ae422c7b1 100644 --- a/src/include/foreachaddr.h +++ b/src/include/foreachaddr.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Iterate over the protocol addresses supported by this host, invoking * a callback function or three supplied by the caller. diff --git a/src/include/gssapi.h b/src/include/gssapi.h index f55768144..7ce379ac4 100644 --- a/src/include/gssapi.h +++ b/src/include/gssapi.h @@ -1,4 +1,4 @@ -/* +/* * Wrapper so that #include will work without special include * paths. */ diff --git a/src/include/gssrpc/auth.h b/src/include/gssrpc/auth.h index cc3de9764..0bcb90148 100644 --- a/src/include/gssrpc/auth.h +++ b/src/include/gssrpc/auth.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 @@ -115,11 +115,11 @@ typedef struct AUTH { /* destroy this structure */ void (*ah_destroy)(struct AUTH *); /* encode data for wire */ - int (*ah_wrap)(struct AUTH *, XDR *, + int (*ah_wrap)(struct AUTH *, XDR *, xdrproc_t, caddr_t); /* decode data from wire */ - int (*ah_unwrap)(struct AUTH *, XDR *, - xdrproc_t, caddr_t); + int (*ah_unwrap)(struct AUTH *, XDR *, + xdrproc_t, caddr_t); } *ah_ops; void *ah_private; } AUTH; diff --git a/src/include/gssrpc/auth_gss.h b/src/include/gssrpc/auth_gss.h index ea5db92b9..c850b03bb 100644 --- a/src/include/gssrpc/auth_gss.h +++ b/src/include/gssrpc/auth_gss.h @@ -1,9 +1,9 @@ /* auth_gssapi.h - + Copyright (c) 2000 The Regents of the University of Michigan. All rights reserved. - + Copyright (c) 2000 Dug Song . All rights reserved, all wrongs reversed. @@ -81,20 +81,20 @@ struct authgss_private_data { uint32_t pd_seq_win; /* Sequence window */ }; -/* Krb 5 default mechanism +/* Krb 5 default mechanism #define KRB5OID "1.2.840.113554.1.2.2" gss_OID_desc krb5oid = { - 20, KRB5OID + 20, KRB5OID }; */ /* -struct rpc_gss_sec krb5mech = { +struct rpc_gss_sec krb5mech = { (gss_OID)&krb5oid, GSS_QOP_DEFAULT, RPCSEC_GSS_SVC_NONE -}; +}; */ /* Credentials. */ diff --git a/src/include/gssrpc/auth_gssapi.h b/src/include/gssrpc/auth_gssapi.h index 73a2f0b16..cd405d407 100644 --- a/src/include/gssrpc/auth_gssapi.h +++ b/src/include/gssrpc/auth_gssapi.h @@ -1,6 +1,6 @@ /* * auth_gssapi.h, Protocol for GSS-API style authentication parameters for RPC - * + * * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * * $Id$ @@ -57,7 +57,7 @@ typedef void (*auth_gssapi_log_badauth_func) OM_uint32 minor, struct sockaddr_in *raddr, caddr_t data); - + typedef void (*auth_gssapi_log_badverf_func) (gss_name_t client, gss_name_t server, @@ -105,7 +105,7 @@ AUTH *auth_gssapi_create_default void auth_gssapi_display_status (char *msg, OM_uint32 major, - OM_uint32 minor); + OM_uint32 minor); bool_t auth_gssapi_seal_seq (gss_ctx_id_t context, uint32_t seq_num, gss_buffer_t out_buf); diff --git a/src/include/gssrpc/auth_unix.h b/src/include/gssrpc/auth_unix.h index 9be442278..b19bb72b4 100644 --- a/src/include/gssrpc/auth_unix.h +++ b/src/include/gssrpc/auth_unix.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 @@ -66,8 +66,8 @@ struct authunix_parms { extern bool_t xdr_authunix_parms(XDR *, struct authunix_parms *); -/* - * If a response verifier has flavor AUTH_SHORT, +/* + * If a response verifier has flavor AUTH_SHORT, * then the body of the response verifier encapsulates the following structure; * again it is serialized in the obvious fashion. */ diff --git a/src/include/gssrpc/clnt.h b/src/include/gssrpc/clnt.h index 95450a241..36707c78e 100644 --- a/src/include/gssrpc/clnt.h +++ b/src/include/gssrpc/clnt.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 @@ -117,13 +117,13 @@ typedef struct CLIENT { /* call remote procedure */ enum clnt_stat (*cl_call)(struct CLIENT *, rpcproc_t, xdrproc_t, void *, - xdrproc_t, void *, - struct timeval); + xdrproc_t, void *, + struct timeval); /* abort a call */ - void (*cl_abort)(struct CLIENT *); + void (*cl_abort)(struct CLIENT *); /* get specific error code */ - void (*cl_geterr)(struct CLIENT *, - struct rpc_err *); + void (*cl_geterr)(struct CLIENT *, + struct rpc_err *); /* frees results */ bool_t (*cl_freeres)(struct CLIENT *, xdrproc_t, void *); @@ -242,7 +242,7 @@ typedef struct CLIENT { /* * Below are the client handle creation routines for the various - * implementations of client side rpc. They can return NULL if a + * implementations of client side rpc. They can return NULL if a * creation failure occurs. */ @@ -310,7 +310,7 @@ char *clnt_spcreateerror(char *); /* string */ /* * Like clnt_perror(), but is more verbose in its output - */ + */ void clnt_perrno(enum clnt_stat); /* stderr */ /* @@ -319,7 +319,7 @@ void clnt_perrno(enum clnt_stat); /* stderr */ void clnt_perror(CLIENT *, char *); /* stderr */ char *clnt_sperror(CLIENT *, char *); /* string */ -/* +/* * If a creation fails, the following allows the user to figure out why. */ struct rpc_createerr { diff --git a/src/include/gssrpc/netdb.h b/src/include/gssrpc/netdb.h index 69267874e..1cb082a4e 100644 --- a/src/include/gssrpc/netdb.h +++ b/src/include/gssrpc/netdb.h @@ -9,11 +9,11 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. @@ -21,11 +21,11 @@ * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 diff --git a/src/include/gssrpc/pmap_clnt.h b/src/include/gssrpc/pmap_clnt.h index 808306865..2bdfc1e7f 100644 --- a/src/include/gssrpc/pmap_clnt.h +++ b/src/include/gssrpc/pmap_clnt.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 @@ -46,7 +46,7 @@ * head = pmap_getmaps(address); * clnt_stat = pmap_rmtcall(address, program, version, procedure, * xdrargs, argsp, xdrres, resp, tout, port_ptr) - * (works for udp only.) + * (works for udp only.) * clnt_stat = clnt_broadcast(program, version, procedure, * xdrargs, argsp, xdrres, resp, eachresult) * (like pmap_rmtcall, except the call is broadcasted to all @@ -64,9 +64,9 @@ GSSRPC__BEGIN_DECLS extern bool_t pmap_set(rpcprog_t, rpcvers_t, rpcprot_t, u_int); extern bool_t pmap_unset(rpcprog_t, rpcvers_t); extern struct pmaplist *pmap_getmaps(struct sockaddr_in *); -enum clnt_stat pmap_rmtcall(struct sockaddr_in *, rpcprog_t, - rpcvers_t, rpcproc_t, xdrproc_t, - caddr_t, xdrproc_t, caddr_t, +enum clnt_stat pmap_rmtcall(struct sockaddr_in *, rpcprog_t, + rpcvers_t, rpcproc_t, xdrproc_t, + caddr_t, xdrproc_t, caddr_t, struct timeval, rpcport_t *); typedef bool_t (*resultproc_t)(caddr_t, struct sockaddr_in *); @@ -74,8 +74,8 @@ typedef bool_t (*resultproc_t)(caddr_t, struct sockaddr_in *); enum clnt_stat clnt_broadcast(rpcprog_t, rpcvers_t, rpcproc_t, xdrproc_t, caddr_t, xdrproc_t, caddr_t, resultproc_t); -extern u_short pmap_getport(struct sockaddr_in *, - rpcprog_t, +extern u_short pmap_getport(struct sockaddr_in *, + rpcprog_t, rpcvers_t, rpcprot_t); GSSRPC__END_DECLS #endif /* !defined(GSSRPC_PMAP_CLNT_H) */ diff --git a/src/include/gssrpc/pmap_prot.h b/src/include/gssrpc/pmap_prot.h index 8a8802b05..5069723ff 100644 --- a/src/include/gssrpc/pmap_prot.h +++ b/src/include/gssrpc/pmap_prot.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 diff --git a/src/include/gssrpc/pmap_rmt.h b/src/include/gssrpc/pmap_rmt.h index 48789b453..ca3f35d26 100644 --- a/src/include/gssrpc/pmap_rmt.h +++ b/src/include/gssrpc/pmap_rmt.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 diff --git a/src/include/gssrpc/rename.h b/src/include/gssrpc/rename.h index 6e472e617..a4da2cdfb 100644 --- a/src/include/gssrpc/rename.h +++ b/src/include/gssrpc/rename.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/include/gssrpc/rpc.h b/src/include/gssrpc/rpc.h index 0f1730d18..6aa1f9471 100644 --- a/src/include/gssrpc/rpc.h +++ b/src/include/gssrpc/rpc.h @@ -6,11 +6,11 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. @@ -54,7 +54,7 @@ #include /* protocol for unix style cred */ #include /* RPCSEC_GSS */ /* - * Uncomment-out the next line if you are building the rpc library with + * Uncomment-out the next line if you are building the rpc library with * DES Authentication (see the README file in the secure_rpc/ directory). */ #if 0 diff --git a/src/include/gssrpc/rpc_msg.h b/src/include/gssrpc/rpc_msg.h index 62d632967..6e91de6c9 100644 --- a/src/include/gssrpc/rpc_msg.h +++ b/src/include/gssrpc/rpc_msg.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 diff --git a/src/include/gssrpc/svc.h b/src/include/gssrpc/svc.h index dfe0bec65..16f07206b 100644 --- a/src/include/gssrpc/svc.h +++ b/src/include/gssrpc/svc.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 @@ -82,18 +82,18 @@ typedef struct SVCXPRT { /* receive incomming requests */ bool_t (*xp_recv)(struct SVCXPRT *, struct rpc_msg *); /* get transport status */ - enum xprt_stat (*xp_stat)(struct SVCXPRT *); + enum xprt_stat (*xp_stat)(struct SVCXPRT *); /* get arguments */ bool_t (*xp_getargs)(struct SVCXPRT *, xdrproc_t, void *); /* send reply */ bool_t (*xp_reply)(struct SVCXPRT *, - struct rpc_msg *); + struct rpc_msg *); /* free mem allocated for args */ bool_t (*xp_freeargs)(struct SVCXPRT *, xdrproc_t, void *); /* destroy this struct */ - void (*xp_destroy)(struct SVCXPRT *); + void (*xp_destroy)(struct SVCXPRT *); } *xp_ops; int xp_addrlen; /* length of remote address */ struct sockaddr_in xp_raddr; /* remote address */ @@ -188,7 +188,7 @@ struct svc_req { * rpcprog_t prog; * rpcvers_t vers; * void (*dispatch)(); - * int protocol; like IPPROTO_TCP or _UDP; zero means do not register + * int protocol; like IPPROTO_TCP or _UDP; zero means do not register * * registerrpc(prog, vers, proc, routine, inproc, outproc) * returns 0 upon success, -1 if error. @@ -241,7 +241,7 @@ extern void xprt_unregister(SVCXPRT *); * Note: do not confuse access-control failure with weak authentication! * * NB: In pure implementations of rpc, the caller always waits for a reply - * msg. This message is sent when svc_sendreply is called. + * msg. This message is sent when svc_sendreply is called. * Therefore pure service implementations should always call * svc_sendreply even if the function logically returns void; use * xdr.h - xdr_void for the xdr routine. HOWEVER, tcp based rpc allows @@ -275,7 +275,7 @@ extern void svcerr_systemerr(SVCXPRT *); /* * Global keeper of rpc service descriptors in use - * dynamic; must be inspected before each call to select + * dynamic; must be inspected before each call to select */ extern int svc_maxfd; #ifdef FD_SETSIZE diff --git a/src/include/gssrpc/svc_auth.h b/src/include/gssrpc/svc_auth.h index 541aa4514..4c2719c03 100644 --- a/src/include/gssrpc/svc_auth.h +++ b/src/include/gssrpc/svc_auth.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 @@ -31,7 +31,7 @@ /* * svc_auth.h, Service side of rpc authentication. - * + * * Copyright (C) 1984, Sun Microsystems, Inc. */ diff --git a/src/include/gssrpc/types.hin b/src/include/gssrpc/types.hin index ed612f1f5..c048129da 100644 --- a/src/include/gssrpc/types.hin +++ b/src/include/gssrpc/types.hin @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 @@ -157,7 +157,7 @@ typedef int32_t rpc_inline_t; #if 0 #include /* XXX This should not have to be here. * I got sick of seeing the warnings for MAXHOSTNAMELEN - * and the two values were different. -- shanzer + * and the two values were different. -- shanzer */ #endif diff --git a/src/include/gssrpc/xdr.h b/src/include/gssrpc/xdr.h index b7c2843a4..9fbf26585 100644 --- a/src/include/gssrpc/xdr.h +++ b/src/include/gssrpc/xdr.h @@ -6,23 +6,23 @@ * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. - * + * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * + * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. - * + * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. - * + * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. - * + * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 diff --git a/src/include/k5-err.h b/src/include/k5-err.h index e5fc9bddf..4259ce682 100644 --- a/src/include/k5-err.h +++ b/src/include/k5-err.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Error-message handling */ diff --git a/src/include/k5-gmt_mktime.h b/src/include/k5-gmt_mktime.h index d9d1d1e5a..e7115a54f 100644 --- a/src/include/k5-gmt_mktime.h +++ b/src/include/k5-gmt_mktime.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * GMT struct tm conversion * diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h index 2fb5f8719..2acc956f9 100644 --- a/src/include/k5-int-pkinit.h +++ b/src/include/k5-int-pkinit.h @@ -2,7 +2,7 @@ * COPYRIGHT (C) 2006 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN * ALL RIGHTS RESERVED - * + * * Permission is granted to use, copy, create derivative works * and redistribute this software and such derivative works * for any purpose, so long as the name of The University of @@ -13,7 +13,7 @@ * University of Michigan is included in any copy of any * portion of this software, then the disclaimer below must * also be included. - * + * * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF @@ -249,7 +249,7 @@ krb5_error_code decode_krb5_auth_pack krb5_error_code decode_krb5_auth_pack_draft9 (const krb5_data *, krb5_auth_pack_draft9 **); -krb5_error_code decode_krb5_kdc_dh_key_info +krb5_error_code decode_krb5_kdc_dh_key_info (const krb5_data *, krb5_kdc_dh_key_info **); krb5_error_code decode_krb5_principal_name diff --git a/src/include/k5-int.h b/src/include/k5-int.h index f6f091fcc..c583efd1f 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -1,54 +1,54 @@ /* * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -59,7 +59,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -96,7 +96,7 @@ #ifndef KRB5_CONFIG__ #define KRB5_CONFIG__ -/* +/* * Machine-type definitions: PC Clone 386 running Microloss Windows */ @@ -140,7 +140,7 @@ typedef INT64_TYPE krb5_int64; #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */ -/* +/* * Windows requires a different api interface to each function. Here * just define it as NULL. */ @@ -381,11 +381,11 @@ typedef struct _krb5_etype_info_entry { krb5_data s2kparams; } krb5_etype_info_entry; -/* +/* * This is essentially -1 without sign extension which can screw up * comparisons on 64 bit machines. If the length is this value, then * the salt data is not present. This is to distinguish between not - * being set and being of 0 length. + * being set and being of 0 length. */ #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS @@ -398,7 +398,7 @@ typedef struct _krb5_etype_list { } krb5_etype_list; /* - * a sam_challenge is returned for alternate preauth + * a sam_challenge is returned for alternate preauth */ /* SAMFlags ::= BIT STRING { @@ -597,9 +597,9 @@ krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean); void krb5_os_free_context (krb5_context); -/* This function is needed by KfM's KerberosPreferences API +/* This function is needed by KfM's KerberosPreferences API * because it needs to be able to specify "secure" */ -krb5_error_code os_get_default_config_files +krb5_error_code os_get_default_config_files (profile_filespec_t **pfiles, krb5_boolean secure); krb5_error_code krb5_os_hostaddr @@ -651,7 +651,7 @@ struct krb5_key_st { /* new encryption provider api */ struct krb5_enc_provider { - /* keybytes is the input size to make_key; + /* keybytes is the input size to make_key; keylength is the output size */ size_t block_size, keybytes, keylength; @@ -817,7 +817,7 @@ zapfree(void *ptr, size_t len) krb5_error_code krb5int_des_init_state (const krb5_keyblock *key, krb5_keyusage keyusage, krb5_data *new_state); -/* +/* * normally to free a cipher_state you can just memset the length to zero and * free it. */ @@ -839,7 +839,7 @@ void krb5int_c_free_keyblock_contents (krb5_context, krb5_keyblock *); krb5_error_code krb5int_c_init_keyblock (krb5_context, krb5_enctype enctype, - size_t length, krb5_keyblock **out); + size_t length, krb5_keyblock **out); krb5_error_code krb5int_c_copy_keyblock (krb5_context context, const krb5_keyblock *from, krb5_keyblock **to); krb5_error_code krb5int_c_copy_keyblock_contents @@ -851,7 +851,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents extern void krb5int_prng_cleanup (void); -/* +/* * These declarations are here, so both krb5 and k5crypto * can get to them. * krb5 needs to get to them so it can make them available to libgssapi. @@ -942,10 +942,10 @@ error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE) * (Originally written by Glen Machin at Sandia Labs.) */ /* - * Sandia National Laboratories also makes no representations about the - * suitability of the modifications, or additions to this software for + * Sandia National Laboratories also makes no representations about the + * suitability of the modifications, or additions to this software for * any purpose. It is provided "as is" without express or implied warranty. - * + * */ #ifndef KRB5_PREAUTH__ #define KRB5_PREAUTH__ @@ -1079,7 +1079,7 @@ typedef krb5_error_code (*krb5_preauth_obtain_proc) (krb5_context, krb5_pa_data *, krb5_etype_info, - krb5_keyblock *, + krb5_keyblock *, krb5_error_code ( * )(krb5_context, const krb5_enctype, krb5_data *, @@ -1106,7 +1106,7 @@ typedef krb5_error_code (*krb5_preauth_process_proc) krb5_const_pointer, krb5_kdc_rep * ), krb5_keyblock **, - krb5_creds *, + krb5_creds *, krb5_int32 *, krb5_int32 *); @@ -1126,7 +1126,7 @@ krb5_error_code krb5_obtain_padata krb5_data *, krb5_const_pointer, krb5_keyblock **), - krb5_const_pointer, + krb5_const_pointer, krb5_creds *, krb5_kdc_req *); @@ -1144,9 +1144,9 @@ krb5_error_code krb5_process_padata const krb5_keyblock *, krb5_const_pointer, krb5_kdc_rep * ), - krb5_keyblock **, - krb5_creds *, - krb5_int32 *); + krb5_keyblock **, + krb5_creds *, + krb5_int32 *); krb5_pa_data * krb5int_find_pa_data (krb5_context, krb5_pa_data * const *, krb5_preauthtype); @@ -1185,7 +1185,7 @@ void krb5_free_etype_info * with the new krb5_get_init_creds_opt_alloc() function. * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended * structure is a shadow copy of an original krb5_get_init_creds_opt - * structure. + * structure. * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to * krb5int_gic_opt_to_opte(), the resulting extended structure should be * freed (using krb5_get_init_creds_free). Otherwise, the original @@ -1357,7 +1357,7 @@ void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents (krb5_context, krb5_enc_sam_response_enc * ); void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents (krb5_context, krb5_enc_sam_response_enc_2 * ); - + void KRB5_CALLCONV krb5_free_pa_enc_ts (krb5_context, krb5_pa_enc_ts *); void KRB5_CALLCONV krb5_free_pa_for_user @@ -1591,7 +1591,7 @@ void KRB5_CALLCONV krb5_free_priv_enc_part /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */ /* here we use some knowledge of ASN.1 encodings */ -/* +/* Ticket is APPLICATION 1. Authenticator is APPLICATION 2. AS_REQ is APPLICATION 10. @@ -1661,11 +1661,11 @@ krb5_error_code encode_krb5_enc_tkt_part krb5_error_code encode_krb5_enc_kdc_rep_part (const krb5_enc_kdc_rep_part *rep, krb5_data **code); -/* yes, the translation is identical to that used for KDC__REP */ +/* yes, the translation is identical to that used for KDC__REP */ krb5_error_code encode_krb5_as_rep (const krb5_kdc_rep *rep, krb5_data **code); -/* yes, the translation is identical to that used for KDC__REP */ +/* yes, the translation is identical to that used for KDC__REP */ krb5_error_code encode_krb5_tgs_rep (const krb5_kdc_rep *rep, krb5_data **code); @@ -1848,13 +1848,13 @@ krb5_error_code decode_krb5_sam_response_2 *************************************************************************/ krb5_error_code krb5_validate_times - (krb5_context, + (krb5_context, krb5_ticket_times *); /* krb5_error_code decode_krb5_structure(const krb5_data *code, krb5_structure **rep); - + requires Expects **rep to not have been allocated; a new *rep is allocated regardless of the old value. effects Decodes *code into **rep. @@ -2165,7 +2165,7 @@ krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context, /* set and change password helpers */ krb5_error_code krb5int_mk_chpw_req - (krb5_context context, krb5_auth_context auth_context, + (krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet); krb5_error_code krb5int_rd_chpw_rep (krb5_context context, krb5_auth_context auth_context, @@ -2425,7 +2425,7 @@ struct _krb5_cc_ops { krb5_ccache *); krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context, krb5_cc_ptcursor *); - krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache, + krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache, krb5_ccache); krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context, krb5_ccache, krb5_timestamp *); @@ -2450,23 +2450,23 @@ typedef struct _krb5_donot_replay { krb5_timestamp ctime; } krb5_donot_replay; -krb5_error_code krb5_rc_default +krb5_error_code krb5_rc_default (krb5_context, krb5_rcache *); -krb5_error_code krb5_rc_resolve_type +krb5_error_code krb5_rc_resolve_type (krb5_context, krb5_rcache *,char *); -krb5_error_code krb5_rc_resolve_full +krb5_error_code krb5_rc_resolve_full (krb5_context, krb5_rcache *,char *); -char * krb5_rc_get_type +char * krb5_rc_get_type (krb5_context, krb5_rcache); -char * krb5_rc_default_type +char * krb5_rc_default_type (krb5_context); -char * krb5_rc_default_name +char * krb5_rc_default_name (krb5_context); -krb5_error_code krb5_auth_to_rep +krb5_error_code krb5_auth_to_rep (krb5_context, krb5_tkt_authent *, krb5_donot_replay *); @@ -2500,44 +2500,44 @@ typedef struct _krb5_kt_ops { krb5_magic magic; char *prefix; /* routines always present */ - krb5_error_code (KRB5_CALLCONV *resolve) + krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, const char *, krb5_keytab *); - krb5_error_code (KRB5_CALLCONV *get_name) + krb5_error_code (KRB5_CALLCONV *get_name) (krb5_context, krb5_keytab, char *, unsigned int); - krb5_error_code (KRB5_CALLCONV *close) + krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_keytab); - krb5_error_code (KRB5_CALLCONV *get) + krb5_error_code (KRB5_CALLCONV *get) (krb5_context, krb5_keytab, krb5_const_principal, krb5_kvno, krb5_enctype, krb5_keytab_entry *); - krb5_error_code (KRB5_CALLCONV *start_seq_get) + krb5_error_code (KRB5_CALLCONV *start_seq_get) (krb5_context, krb5_keytab, - krb5_kt_cursor *); - krb5_error_code (KRB5_CALLCONV *get_next) + krb5_kt_cursor *); + krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_keytab, krb5_keytab_entry *, krb5_kt_cursor *); - krb5_error_code (KRB5_CALLCONV *end_get) + krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_keytab, krb5_kt_cursor *); /* routines to be included on extended version (write routines) */ - krb5_error_code (KRB5_CALLCONV *add) + krb5_error_code (KRB5_CALLCONV *add) (krb5_context, krb5_keytab, krb5_keytab_entry *); - krb5_error_code (KRB5_CALLCONV *remove) + krb5_error_code (KRB5_CALLCONV *remove) (krb5_context, krb5_keytab, krb5_keytab_entry *); @@ -2588,13 +2588,13 @@ krb5_error_code KRB5_CALLCONV krb5_random_confounder (size_t, krb5_pointer); krb5_error_code krb5_encrypt_data - (krb5_context context, krb5_keyblock *key, - krb5_pointer ivec, krb5_data *data, + (krb5_context context, krb5_keyblock *key, + krb5_pointer ivec, krb5_data *data, krb5_enc_data *enc_data); krb5_error_code krb5_decrypt_data - (krb5_context context, krb5_keyblock *key, - krb5_pointer ivec, krb5_enc_data *data, + (krb5_context context, krb5_keyblock *key, + krb5_pointer ivec, krb5_enc_data *data, krb5_data *enc_data); krb5_error_code @@ -2639,7 +2639,7 @@ typedef struct krb5_int32 etype_count; } krb5_etypes_permitted; -krb5_boolean krb5_is_permitted_enctype_ext +krb5_boolean krb5_is_permitted_enctype_ext ( krb5_context, krb5_etypes_permitted *); krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype); @@ -2944,10 +2944,10 @@ void KRB5_CALLCONV krb5_free_realm_string /* Internal principal function used by KIM to avoid code duplication */ krb5_error_code KRB5_CALLCONV -krb5int_build_principal_alloc_va(krb5_context context, - krb5_principal *princ, - unsigned int rlen, - const char *realm, +krb5int_build_principal_alloc_va(krb5_context context, + krb5_principal *princ, + unsigned int rlen, + const char *realm, const char *first, va_list ap); diff --git a/src/include/k5-ipc_stream.h b/src/include/k5-ipc_stream.h index 680b763b0..1f56d76f2 100644 --- a/src/include/k5-ipc_stream.h +++ b/src/include/k5-ipc_stream.h @@ -41,37 +41,37 @@ uint64_t krb5int_ipc_stream_size (k5_ipc_stream in_stream); const char *krb5int_ipc_stream_data (k5_ipc_stream in_stream); -uint32_t krb5int_ipc_stream_read (k5_ipc_stream in_stream, +uint32_t krb5int_ipc_stream_read (k5_ipc_stream in_stream, void *io_data, uint64_t in_size); -uint32_t krb5int_ipc_stream_write (k5_ipc_stream in_stream, +uint32_t krb5int_ipc_stream_write (k5_ipc_stream in_stream, const void *in_data, uint64_t in_size); -uint32_t krb5int_ipc_stream_read_string (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_read_string (k5_ipc_stream io_stream, char **out_string); -uint32_t krb5int_ipc_stream_write_string (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_write_string (k5_ipc_stream io_stream, const char *in_string); void krb5int_ipc_stream_free_string (char *in_string); -uint32_t krb5int_ipc_stream_read_int32 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_read_int32 (k5_ipc_stream io_stream, int32_t *out_int32); -uint32_t krb5int_ipc_stream_write_int32 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_write_int32 (k5_ipc_stream io_stream, int32_t in_int32); -uint32_t krb5int_ipc_stream_read_uint32 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_read_uint32 (k5_ipc_stream io_stream, uint32_t *out_uint32); -uint32_t krb5int_ipc_stream_write_uint32 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_write_uint32 (k5_ipc_stream io_stream, uint32_t in_uint32); -uint32_t krb5int_ipc_stream_read_int64 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_read_int64 (k5_ipc_stream io_stream, int64_t *out_int64); -uint32_t krb5int_ipc_stream_write_int64 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_write_int64 (k5_ipc_stream io_stream, int64_t in_int64); -uint32_t krb5int_ipc_stream_read_uint64 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_read_uint64 (k5_ipc_stream io_stream, uint64_t *out_uint64); -uint32_t krb5int_ipc_stream_write_uint64 (k5_ipc_stream io_stream, +uint32_t krb5int_ipc_stream_write_uint64 (k5_ipc_stream io_stream, uint64_t in_uint64); #endif /* K5_IPC_STREAM_H */ diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h index ef5dd419b..d4d05aee1 100644 --- a/src/include/k5-platform.h +++ b/src/include/k5-platform.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Some platform-dependent definitions to sync up the C support level. * Some to a C99-ish level, some related utility code. diff --git a/src/include/k5-plugin.h b/src/include/k5-plugin.h index 2190c0349..498c5668c 100644 --- a/src/include/k5-plugin.h +++ b/src/include/k5-plugin.h @@ -1,42 +1,42 @@ /* * Copyright (C) 2006 Massachusetts Institute of Technology. * All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ /* Just those definitions which are needed by util/support/plugins.c, @@ -108,19 +108,19 @@ krb5int_get_plugin_func (struct plugin_file_handle *, const char *, long KRB5_CALLCONV krb5int_open_plugin_dirs (const char * const *, const char * const *, struct plugin_dir_handle *, struct errinfo *); -void KRB5_CALLCONV +void KRB5_CALLCONV krb5int_close_plugin_dirs (struct plugin_dir_handle *); -long KRB5_CALLCONV -krb5int_get_plugin_dir_data (struct plugin_dir_handle *, const char *, +long KRB5_CALLCONV +krb5int_get_plugin_dir_data (struct plugin_dir_handle *, const char *, void ***, struct errinfo *); -void KRB5_CALLCONV +void KRB5_CALLCONV krb5int_free_plugin_dir_data (void **); -long KRB5_CALLCONV -krb5int_get_plugin_dir_func (struct plugin_dir_handle *, const char *, +long KRB5_CALLCONV +krb5int_get_plugin_dir_func (struct plugin_dir_handle *, const char *, void (***)(void), struct errinfo *); -void KRB5_CALLCONV +void KRB5_CALLCONV krb5int_free_plugin_dir_func (void (**)(void)); #endif /* K5_PLUGIN_H */ diff --git a/src/include/k5-thread.h b/src/include/k5-thread.h index 821fe8457..069b51c74 100644 --- a/src/include/k5-thread.h +++ b/src/include/k5-thread.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Preliminary thread support. */ diff --git a/src/include/k5-unicode.h b/src/include/k5-unicode.h index 0f8f12a38..3a42a8269 100644 --- a/src/include/k5-unicode.h +++ b/src/include/k5-unicode.h @@ -1,42 +1,42 @@ /* * Copyright (C) 2008 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ /* This work is part of OpenLDAP Software . * diff --git a/src/include/k5-utf8.h b/src/include/k5-utf8.h index e3f134b56..c27d20923 100644 --- a/src/include/k5-utf8.h +++ b/src/include/k5-utf8.h @@ -1,42 +1,42 @@ /* * Copyright (C) 2008 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ /* This work is part of OpenLDAP Software . * diff --git a/src/include/k5-util.h b/src/include/k5-util.h index 7bb8cfbe9..11b275f55 100644 --- a/src/include/k5-util.h +++ b/src/include/k5-util.h @@ -1,42 +1,42 @@ /* * Copyright (C) 1989-1998,2002 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ /* diff --git a/src/include/kdb.h b/src/include/kdb.h index d74e3e323..7506f1c0e 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +22,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * KDC Database interface definitions. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +47,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -112,12 +112,12 @@ */ typedef struct _krb5_tl_data { struct _krb5_tl_data* tl_data_next; /* NOT saved */ - krb5_int16 tl_data_type; - krb5_ui_2 tl_data_length; - krb5_octet * tl_data_contents; + krb5_int16 tl_data_type; + krb5_ui_2 tl_data_length; + krb5_octet * tl_data_contents; } krb5_tl_data; -/* +/* * If this ever changes up the version number and make the arrays be as * big as necessary. * @@ -134,14 +134,14 @@ typedef struct _krb5_key_data { #define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */ typedef struct _krb5_keysalt { - krb5_int16 type; + krb5_int16 type; krb5_data data; /* Length, data */ } krb5_keysalt; typedef struct _krb5_db_entry_new { krb5_magic magic; /* NOT saved */ - krb5_ui_2 len; - krb5_ui_4 mask; /* members currently changed/set */ + krb5_ui_2 len; + krb5_ui_4 mask; /* members currently changed/set */ krb5_flags attributes; krb5_deltat max_life; krb5_deltat max_renewable_life; @@ -155,7 +155,7 @@ typedef struct _krb5_db_entry_new { krb5_ui_2 e_length; /* Length of extra data */ krb5_octet * e_data; /* Extra data to be saved */ - krb5_principal princ; /* Length, data */ + krb5_principal princ; /* Length, data */ krb5_tl_data * tl_data; /* Linked list */ krb5_key_data * key_data; /* Array */ } krb5_db_entry; @@ -259,11 +259,11 @@ extern char *krb5_mkey_pwd_prompt2; #define KRB5_KDB_OPEN_RO 1 #ifndef KRB5_KDB_SRV_TYPE_KDC -#define KRB5_KDB_SRV_TYPE_KDC 0x0100 +#define KRB5_KDB_SRV_TYPE_KDC 0x0100 #endif #ifndef KRB5_KDB_SRV_TYPE_ADMIN -#define KRB5_KDB_SRV_TYPE_ADMIN 0x0200 +#define KRB5_KDB_SRV_TYPE_ADMIN 0x0200 #endif #ifndef KRB5_KDB_SRV_TYPE_PASSWD @@ -271,7 +271,7 @@ extern char *krb5_mkey_pwd_prompt2; #endif #ifndef KRB5_KDB_SRV_TYPE_OTHER -#define KRB5_KDB_SRV_TYPE_OTHER 0x0400 +#define KRB5_KDB_SRV_TYPE_OTHER 0x0400 #endif #define KRB5_KDB_OPT_SET_DB_NAME 0 @@ -322,7 +322,7 @@ krb5_error_code krb5_free_supported_realms ( krb5_context kcontext, krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext, char *pwd, krb5_keyblock *key ); -krb5_error_code krb5_db_set_mkey ( krb5_context context, +krb5_error_code krb5_db_set_mkey ( krb5_context context, krb5_keyblock *key); krb5_error_code krb5_db_get_mkey ( krb5_context kcontext, krb5_keyblock **key ); @@ -335,14 +335,14 @@ krb5_error_code krb5_db_get_mkey_list( krb5_context kcontext, krb5_error_code krb5_db_free_master_key ( krb5_context kcontext, krb5_keyblock *key ); -krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, - char *keyfile, +krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, + char *keyfile, krb5_principal mname, krb5_kvno kvno, krb5_keyblock *key, char *master_pwd); -krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext, - char *keyfile, +krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext, + char *keyfile, krb5_principal mname, krb5_keylist_node *keylist, char *master_pwd); @@ -379,12 +379,12 @@ krb5_dbe_find_enctype( krb5_context kcontext, krb5_key_data **kdatap); -krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext, - krb5_db_entry *dbentp, - krb5_int32 *start, - krb5_int32 ktype, - krb5_int32 stype, - krb5_int32 kvno, +krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext, + krb5_db_entry *dbentp, + krb5_int32 *start, + krb5_int32 ktype, + krb5_int32 stype, + krb5_int32 kvno, krb5_key_data **kdatap); krb5_error_code @@ -437,7 +437,7 @@ krb5_dbe_lookup_mod_princ_data( krb5_context context, krb5_db_entry * entry, krb5_timestamp * mod_time, krb5_principal * mod_princ); - + krb5_error_code krb5_dbe_lookup_mkey_aux( krb5_context context, krb5_db_entry * entry, @@ -552,12 +552,12 @@ krb5_db_get_key_data_kvno( krb5_context context, */ krb5_error_code -krb5_dbe_def_search_enctype( krb5_context kcontext, - krb5_db_entry *dbentp, - krb5_int32 *start, - krb5_int32 ktype, - krb5_int32 stype, - krb5_int32 kvno, +krb5_dbe_def_search_enctype( krb5_context kcontext, + krb5_db_entry *dbentp, + krb5_int32 *start, + krb5_int32 ktype, + krb5_int32 stype, + krb5_int32 kvno, krb5_key_data **kdatap); krb5_error_code @@ -651,32 +651,32 @@ krb5_dbekd_def_encrypt_key_data( krb5_context context, int keyver, krb5_key_data * key_data); -krb5_error_code -krb5_db_create_policy( krb5_context kcontext, +krb5_error_code +krb5_db_create_policy( krb5_context kcontext, osa_policy_ent_t policy); -krb5_error_code -krb5_db_get_policy ( krb5_context kcontext, - char *name, +krb5_error_code +krb5_db_get_policy ( krb5_context kcontext, + char *name, osa_policy_ent_t *policy, int *nentries); -krb5_error_code -krb5_db_put_policy( krb5_context kcontext, +krb5_error_code +krb5_db_put_policy( krb5_context kcontext, osa_policy_ent_t policy); -krb5_error_code +krb5_error_code krb5_db_iter_policy( krb5_context kcontext, char *match_entry, osa_adb_iter_policy_func func, void *data); -krb5_error_code -krb5_db_delete_policy( krb5_context kcontext, +krb5_error_code +krb5_db_delete_policy( krb5_context kcontext, char *policy); -void -krb5_db_free_policy( krb5_context kcontext, +void +krb5_db_free_policy( krb5_context kcontext, osa_policy_ent_t policy); @@ -741,8 +741,8 @@ typedef struct _kdb_vftabl { char *conf_section, char ** db_args ); - krb5_error_code (*db_get_age) ( krb5_context kcontext, - char *db_name, + krb5_error_code (*db_get_age) ( krb5_context kcontext, + char *db_name, time_t *age ); krb5_error_code (*db_set_option) ( krb5_context kcontext, @@ -820,8 +820,8 @@ typedef struct _kdb_vftabl { /* optional functions */ - krb5_error_code (*set_master_key) ( krb5_context kcontext, - char *pwd, + krb5_error_code (*set_master_key) ( krb5_context kcontext, + char *pwd, krb5_keyblock *key); krb5_error_code (*get_master_key) ( krb5_context kcontext, @@ -835,12 +835,12 @@ typedef struct _kdb_vftabl { krb5_error_code (*setup_master_key_name) ( krb5_context kcontext, char *keyname, - char *realm, - char **fullname, + char *realm, + char **fullname, krb5_principal *principal); - krb5_error_code (*store_master_key) ( krb5_context kcontext, - char *db_arg, + krb5_error_code (*store_master_key) ( krb5_context kcontext, + char *db_arg, krb5_principal mname, krb5_kvno kvno, krb5_keyblock *key, @@ -863,20 +863,20 @@ typedef struct _kdb_vftabl { krb5_kvno kvno, krb5_keylist_node **mkeys_list); - krb5_error_code (*store_master_key_list) ( krb5_context kcontext, - char *db_arg, + krb5_error_code (*store_master_key_list) ( krb5_context kcontext, + char *db_arg, krb5_principal mname, krb5_keylist_node *keylist, char *master_pwd); - krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext, - krb5_db_entry *dbentp, - krb5_int32 *start, - krb5_int32 ktype, - krb5_int32 stype, - krb5_int32 kvno, + krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext, + krb5_db_entry *dbentp, + krb5_int32 *start, + krb5_int32 ktype, + krb5_int32 stype, + krb5_int32 kvno, krb5_key_data **kdatap); - + krb5_error_code (*db_change_pwd) ( krb5_context context, diff --git a/src/include/kdb_kt.h b/src/include/kdb_kt.h index 1dbd7f30d..a628bb326 100644 --- a/src/include/kdb_kt.h +++ b/src/include/kdb_kt.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * KDC keytab definitions. */ diff --git a/src/include/kim/kim.h b/src/include/kim/kim.h index 050e01b03..83248e3d1 100644 --- a/src/include/kim/kim.h +++ b/src/include/kim/kim.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -44,68 +44,68 @@ extern "C" { * * \section introduction Introduction * - * The Kerberos Identity Management API is a high level API for managing the selection + * The Kerberos Identity Management API is a high level API for managing the selection * and management of Kerberos credentials. It is intended for use by applications, - * credential management applications (eg: kinit, kpasswd, etc) and internally by the - * Kerberos libraries. Under some circumstances client applications may also benefit + * credential management applications (eg: kinit, kpasswd, etc) and internally by the + * Kerberos libraries. Under some circumstances client applications may also benefit * from the Kerberos Identity Management API. * * * \section conventions API Conventions * - * Although KIM currently only provides a C API, it attempts to make that API as - * object-oriented as possible. KIM functions are grouped by object and all of the - * object types are opaque, including errors. The reason for this is two-fold. First, - * the KIM API is rather large. Grouping functions by object allows the API to be - * broken up into smaller, more manageable chunks. Second, providing an object-like C + * Although KIM currently only provides a C API, it attempts to make that API as + * object-oriented as possible. KIM functions are grouped by object and all of the + * object types are opaque, including errors. The reason for this is two-fold. First, + * the KIM API is rather large. Grouping functions by object allows the API to be + * broken up into smaller, more manageable chunks. Second, providing an object-like C * API will make it easier to port to object oriented languages. * - * Because C lacks classes and other object oriented syntax, KIM functions adhere to + * Because C lacks classes and other object oriented syntax, KIM functions adhere to * the following naming conventions to make functions easier to identify: * * \li Functions beginning with \b kim_object_create are constructors for an object of * type kim_object. On success these functions return a newly allocated object which * must later be freed by the caller. - * + * * \li Functions of the form \b kim_object_copy are copy constructors. They instantiate * a new object of kim_object from an object of the same type. - * - * \li Functions of the form \b kim_object_free are destructors for objects of type - * kim_object. + * + * \li Functions of the form \b kim_object_free are destructors for objects of type + * kim_object. * * \li Functions beginning with \b kim_object_get and \b kim_object_set * examine and modify properties of objects of type kim_object. * - * \li All KIM APIs except destructors and error management APIs return a - * KIM Error object (kim_error_t). + * \li All KIM APIs except destructors and error management APIs return a + * KIM Error object (kim_error_t). * * * \section terminology Terminology * * Kerberos organizes its authentication tokens by client identity (the name of the user) - * and service identity (the name of a service). The following terms are used throughout + * and service identity (the name of a service). The following terms are used throughout * this documentation: * - * \li credential - A token which authenticates a client identity to a - * service identity. + * \li credential - A token which authenticates a client identity to a + * service identity. * - * \li ccache - Short for "credentials cache". A set of credentials for a single + * \li ccache - Short for "credentials cache". A set of credentials for a single * client identity. * * \li cache collection - The set of all credential caches. * - * \li default ccache - A credentials cache that the Kerberos libraries will use + * \li default ccache - A credentials cache that the Kerberos libraries will use * if no ccache is specified by the caller. Use of the default - * ccache is now discouraged. Instead applications should use + * ccache is now discouraged. Instead applications should use * selection hints to choose an appropriate client identity. * * \section selection_api Client Identity Selection APIs * - * KIM provides high level APIs for applications to select which client identity to - * use. Use of these APIs is intended to replace the traditional "default ccache" + * KIM provides high level APIs for applications to select which client identity to + * use. Use of these APIs is intended to replace the traditional "default ccache" * mechanism previously used by Kerberos. - * - * KIM Selection Hints (kim_selection_hints_t) controls options for selecting + * + * KIM Selection Hints (kim_selection_hints_t) controls options for selecting * a client identity: * - \subpage kim_selection_hints_overview * - \subpage kim_selection_hints_reference @@ -117,14 +117,14 @@ extern "C" { * * \section management_api Credential Management APIs * - * KIM also provides APIs for acquiring new credentials over the network + * KIM also provides APIs for acquiring new credentials over the network * by contacting a KDC and for viewing and modifying the existing credentials * in the cache collection * * Whether or not you use the credential or ccache APIs depends on * whether you want KIM to store any newly acquired credentials in the - * cache collection. KIM ccache APIs always create a ccache in the cache - * collection containing newly acquired credentials whereas the KIM + * cache collection. KIM ccache APIs always create a ccache in the cache + * collection containing newly acquired credentials whereas the KIM * credential APIs just return a credential object. In general most * callers want to store newly acquired credentials and should use the * KIM ccache APIs when acquiring credentials. @@ -133,14 +133,14 @@ extern "C" { * - \subpage kim_ccache_overview * - \subpage kim_ccache_reference * - * KIM Credential (kim_credential_t) manipulates credentials: + * KIM Credential (kim_credential_t) manipulates credentials: * - \subpage kim_credential_overview * - \subpage kim_credential_reference * * KIM Options (kim_options_t) control options for credential acquisition: * - \subpage kim_options_overview * - \subpage kim_options_reference - * + * * KIM Preferences (kim_preferences_t) views and edits the current user's preferences: * - \subpage kim_preferences_overview * - \subpage kim_preferences_reference diff --git a/src/include/kim/kim_ccache.h b/src/include/kim/kim_ccache.h index a1cba1710..88cfeb602 100644 --- a/src/include/kim/kim_ccache.h +++ b/src/include/kim/kim_ccache.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -30,45 +30,45 @@ extern "C" { #endif #include - + /*! * \page kim_ccache_overview KIM CCache Overview * * \section kim_ccache_introduction Introduction * * Kerberos credentials are stored in "ccaches" (short for "credentials caches"). - * The set of all ccaches which the KIM can use is called the "cache collection". - * Each ccache has a name and type which uniquely identify it in the cache - * collection and a client identity. The ccache's client identity is the - * identity whose credentials are stored in the ccache. This allows for easy - * lookup of all the credentials for a given identity. + * The set of all ccaches which the KIM can use is called the "cache collection". + * Each ccache has a name and type which uniquely identify it in the cache + * collection and a client identity. The ccache's client identity is the + * identity whose credentials are stored in the ccache. This allows for easy + * lookup of all the credentials for a given identity. * * KIM attempts to preserve a one-to-one relationship between client identities * and ccaches. If the KIM is used to manipulate the cache collection, there * will be one ccache per identity. However, because low-level APIs allow callers - * to create multiple ccaches for the same client identity or a single ccache + * to create multiple ccaches for the same client identity or a single ccache * containing credentials for different client identities, KIM handles those - * situations. In general when searching KIM will find the first ccache matching - * the requested client identity. It will not find credentials for the requested + * situations. In general when searching KIM will find the first ccache matching + * the requested client identity. It will not find credentials for the requested * client identity if they are in a ccache with a different client identity. * - * The kim_ccache_t object is a reference to a ccache in the cache collection. - * If other applications make changes to the the ccache pointed to by a KIM ccache - * object, the object will immediately show those changes. KIM performs locking - * on the cache collection to prevent deadlocks and maintain a consistent behavior + * The kim_ccache_t object is a reference to a ccache in the cache collection. + * If other applications make changes to the the ccache pointed to by a KIM ccache + * object, the object will immediately show those changes. KIM performs locking + * on the cache collection to prevent deadlocks and maintain a consistent behavior * when multiple applications attempt to modify the cache collection. * - * \note KIM ccache APIs are intended for applications and system + * \note KIM ccache APIs are intended for applications and system * tools which manage credentials for the user. They are not a substitute for * krb5 and GSSAPI functions which obtain service credentials for the purpose * of authenticating a client to an application server. - * + * * \section kim_credential_cache_collection Acquiring a CCache from the Cache Collection * * KIM provides a simple iterator API for iterating over the ccaches - * in the cache collection. First, call #kim_ccache_iterator_create() to obtain - * an iterator for the cache collection. Then loop calling - * #kim_ccache_iterator_next() until either you find the ccache you are looking + * in the cache collection. First, call #kim_ccache_iterator_create() to obtain + * an iterator for the cache collection. Then loop calling + * #kim_ccache_iterator_next() until either you find the ccache you are looking * for or the API returns a NULL ccache, indicating that there are no more * ccaches in the cache collection. When you are done with the iterator, call * #kim_ccache_iterator_free(). @@ -80,15 +80,15 @@ extern "C" { * which returns the ccache for a specific client identity, if any exists. * Typically callers of this API obtain the client identity using * #kim_selection_hints_get_identity(). - * + * * * \section kim_ccache_acquire_default Acquiring Credentials from the Default CCache * * #kim_ccache_create_from_default() returns the default ccache. - * The default ccache is a legacy concept which was replaced by selection - * hints. Prior to the existence of selection hints, applications always - * looked at the default ccache for credentials. By setting the system default - * ccache, users could manually control which credentials each application used. + * The default ccache is a legacy concept which was replaced by selection + * hints. Prior to the existence of selection hints, applications always + * looked at the default ccache for credentials. By setting the system default + * ccache, users could manually control which credentials each application used. * As the number of ccaches and applications has grown, this mechanism has become * unusable. You should avoid using this API whenever possible. * @@ -96,39 +96,39 @@ extern "C" { * \section kim_ccache_acquire_new Acquiring New Credentials in a CCache * * KIM provides the #kim_ccache_create_new() API for acquiring new - * credentials and storing them in a ccache. Credentials can either be - * obtained for a specific client identity or by specifying - * #KIM_IDENTITY_ANY to allow the user to choose. Typically - * callers of this API obtain the client identity using + * credentials and storing them in a ccache. Credentials can either be + * obtained for a specific client identity or by specifying + * #KIM_IDENTITY_ANY to allow the user to choose. Typically + * callers of this API obtain the client identity using * #kim_selection_hints_get_identity(). Depending on the kim_options - * specified, #kim_ccache_create_new() may present a GUI or command line + * specified, #kim_ccache_create_new() may present a GUI or command line * prompt to obtain information from the user. - * - * #kim_ccache_create_new_if_needed() + * + * #kim_ccache_create_new_if_needed() * searches the cache collection for a ccache for the client identity * and if no appropriate ccache is available, attempts to acquire - * new credentials and store them in a new ccache. Depending on the - * kim_options specified, #kim_ccache_create_new_if_needed() may - * present a GUI or command line prompt to obtain information from the - * user. This function exists for convenience and to avoid code duplication. - * It can be trivially implemented using - * #kim_ccache_create_from_client_identity() and #kim_ccache_create_new(). + * new credentials and store them in a new ccache. Depending on the + * kim_options specified, #kim_ccache_create_new_if_needed() may + * present a GUI or command line prompt to obtain information from the + * user. This function exists for convenience and to avoid code duplication. + * It can be trivially implemented using + * #kim_ccache_create_from_client_identity() and #kim_ccache_create_new(). * * For legacy password-based Kerberos environments KIM also provides - * #kim_ccache_create_new_with_password() and - * #kim_ccache_create_new_if_needed_with_password(). You should not use these - * functions unless you know that they will only be used in environments using + * #kim_ccache_create_new_with_password() and + * #kim_ccache_create_new_if_needed_with_password(). You should not use these + * functions unless you know that they will only be used in environments using * passwords. Otherwise users without passwords may be prompted for them. * - * KIM provides the #kim_ccache_create_from_keytab() to create credentials - * using a keytab and store them in the cache collection. A keytab is an - * on-disk copy of a client identity's secret key. Typically sites use - * keytabs for client identities that identify a machine or service and - * protect the keytab with disk permissions. Because a keytab is - * sufficient to obtain credentials, keytabs will normally only be readable - * by root, Administrator or some other privileged account. + * KIM provides the #kim_ccache_create_from_keytab() to create credentials + * using a keytab and store them in the cache collection. A keytab is an + * on-disk copy of a client identity's secret key. Typically sites use + * keytabs for client identities that identify a machine or service and + * protect the keytab with disk permissions. Because a keytab is + * sufficient to obtain credentials, keytabs will normally only be readable + * by root, Administrator or some other privileged account. * Typically applications use credentials obtained from keytabs to obtain - * credentials for batch processes. These keytabs and credentials are usually + * credentials for batch processes. These keytabs and credentials are usually * for a special identity used for the batch process rather than a user * identity. * @@ -136,16 +136,16 @@ extern "C" { * \section kim_ccache_validate Validating Credentials in a CCache * * A credential with a start time in the future (ie: after the issue date) - * is called a post-dated credential. Because the KDC administrator may + * is called a post-dated credential. Because the KDC administrator may * wish to disable a identity, once the start time is reached, all post-dated * credentials must be validated before they can be used. Otherwise an - * attacker using a compromised account could acquire lots of post-dated + * attacker using a compromised account could acquire lots of post-dated * credentials to circumvent the acccount being disabled. * - * KIM provides the #kim_ccache_validate() API to validate the TGT - * credential in a ccache. Note that this API replaces any existing + * KIM provides the #kim_ccache_validate() API to validate the TGT + * credential in a ccache. Note that this API replaces any existing * credentials with the validated credential. - * + * * * \section kim_ccache_renew Renewing Credentials in a CCache * @@ -155,52 +155,52 @@ extern "C" { * valid. * * KIM provides the #kim_ccache_renew() API to renew the TGT credential - * in a ccache. Note that this API replaces any existing credentials with the + * in a ccache. Note that this API replaces any existing credentials with the * renewed credential. * * * \section kim_ccache_verify Verifying Credentials in a CCache * * When a program acquires TGT credentials for the purpose of authenticating - * itself to the machine it is running on, it is insufficient for the machine - * to assume that the caller is authorized just because it got credentials. - * Instead, the credentials must be verified using a key the local machine. - * The reason this is necessary is because an attacker can trick the + * itself to the machine it is running on, it is insufficient for the machine + * to assume that the caller is authorized just because it got credentials. + * Instead, the credentials must be verified using a key the local machine. + * The reason this is necessary is because an attacker can trick the * machine into obtaining credentials from any KDC, including malicious ones - * with the same realm name as the local machine's realm. This exploit is - * called the Zanarotti attack. + * with the same realm name as the local machine's realm. This exploit is + * called the Zanarotti attack. * * In order to avoid the Zanarotti attack, the local machine must authenticate * the process in the same way an application server would authenticate a client. - * Like an application server, the local machine must have its own identity in + * Like an application server, the local machine must have its own identity in * its realm and a keytab for that identity on its local disk. However, - * rather than forcing system daemons to use the network-oriented calls in the - * krb5 and GSS APIs, KIM provides the #kim_ccache_verify() API to - * verify credentials directly. - * - * The most common reason for using #kim_ccache_verify() is user login. + * rather than forcing system daemons to use the network-oriented calls in the + * krb5 and GSS APIs, KIM provides the #kim_ccache_verify() API to + * verify credentials directly. + * + * The most common reason for using #kim_ccache_verify() is user login. * If the local machine wants to use Kerberos to verify the username and password * provided by the user, it must call #kim_ccache_verify() on the credentials * it obtains to make sure they are really from a KDC it trusts. Another common * case is a server which is only using Kerberos internally. For example an * LDAP or web server might use a username and password obtained over the network - * to get Kerberos credentials. In order to make sure they aren't being tricked - * into talking to the wrong KDC, these servers must also call + * to get Kerberos credentials. In order to make sure they aren't being tricked + * into talking to the wrong KDC, these servers must also call * #kim_ccache_verify(). - * - * The Zanarotti attack is only a concern if the act of accessing the machine - * gives the process special access. Thus a managed cluster machine with - * Kerberos-authenticated networked home directories does not need to call - * #kim_ccache_verify(). Even though an attacker can log in as any user on - * the cluster machine, the attacker can't actually access any of the user's data - * or use any of their privileges because those are all authenticated via - * Kerberized application servers (and thus require actually having credentials + * + * The Zanarotti attack is only a concern if the act of accessing the machine + * gives the process special access. Thus a managed cluster machine with + * Kerberos-authenticated networked home directories does not need to call + * #kim_ccache_verify(). Even though an attacker can log in as any user on + * the cluster machine, the attacker can't actually access any of the user's data + * or use any of their privileges because those are all authenticated via + * Kerberized application servers (and thus require actually having credentials * for the real local realm). * - * #kim_ccache_verify() provides an option to - * return success even if the machine's host key is not present. This option - * exists for sites which have a mix of different machines, some of which are - * vulnerable to the Zanarotti attack and some are not. If this option is used, + * #kim_ccache_verify() provides an option to + * return success even if the machine's host key is not present. This option + * exists for sites which have a mix of different machines, some of which are + * vulnerable to the Zanarotti attack and some are not. If this option is used, * it is the responsiblity of the machine's maintainer to obtain a keytab * for their machine if it needs one. * @@ -219,48 +219,48 @@ extern "C" { * identifies a ccache. A ccache display name is of the form ":" * and can be displayed to the user or used as an argument to certain krb5 * APIs, such as krb5_cc_resolve(). - * + * * \li #kim_ccache_get_client_identity() * returns the ccache's client identity. * - * \li #kim_ccache_get_valid_credential() - * returns the first valid TGT in the ccache for its client identity. + * \li #kim_ccache_get_valid_credential() + * returns the first valid TGT in the ccache for its client identity. * If there are no TGTs in the ccache, it returns the first - * valid non-TGT credential for the ccache's client identity. - * TGT credentials (ie: "ticket-granting tickets") are credentials for - * the krbtgt service: a service identity of the form "krbtgt/@". - * These credentials allow the entity named by the client identity to obtain + * valid non-TGT credential for the ccache's client identity. + * TGT credentials (ie: "ticket-granting tickets") are credentials for + * the krbtgt service: a service identity of the form "krbtgt/@". + * These credentials allow the entity named by the client identity to obtain * additional credentials without resending shared secrets (such as a password) * to the KDC. Kerberos uses TGTs to provide single sign-on authentication. * - * \li #kim_ccache_get_start_time() - * returns when the credential's in a ccache will become valid. - * Credentials may be "post-dated" which means that their lifetime starts sometime - * in the future. Note that when a post-dated credential's start time is reached, + * \li #kim_ccache_get_start_time() + * returns when the credential's in a ccache will become valid. + * Credentials may be "post-dated" which means that their lifetime starts sometime + * in the future. Note that when a post-dated credential's start time is reached, * the credential must be validated. See \ref kim_credential_validate for more information. * - * \li #kim_ccache_get_expiration_time() - * returns when the credential's in a ccache will expire. - * Credentials are time limited by the lifetime of the credential. While you can - * request a credential of any lifetime, the KDC limits the credential lifetime + * \li #kim_ccache_get_expiration_time() + * returns when the credential's in a ccache will expire. + * Credentials are time limited by the lifetime of the credential. While you can + * request a credential of any lifetime, the KDC limits the credential lifetime * to a administrator-defined maximum. Typically credential lifetime range from 10 * to 21 hours. * - * \li #kim_ccache_get_renewal_expiration_time() - * returns when the credential's in a ccache will no longer be renewable. - * Valid credentials may be renewed up until their renewal expiration time. - * Renewing credentials acquires a fresh set of credentials with a full lifetime - * without resending secrets to the KDC (such as a password). If credentials are + * \li #kim_ccache_get_renewal_expiration_time() + * returns when the credential's in a ccache will no longer be renewable. + * Valid credentials may be renewed up until their renewal expiration time. + * Renewing credentials acquires a fresh set of credentials with a full lifetime + * without resending secrets to the KDC (such as a password). If credentials are * not renewable, this function will return an error. * - * \li #kim_ccache_get_options() + * \li #kim_ccache_get_options() * returns a kim_options object with the credential options of the credentials - * in the ccache. This function is intended to be used when adding + * in the ccache. This function is intended to be used when adding * an identity with existing credentials to the favorite identities list. * By passing in the options returned by this call, future requests for the * favorite identity will use the same credential options. * - * See \ref kim_ccache_reference and \ref kim_ccache_iterator_reference for + * See \ref kim_ccache_reference and \ref kim_ccache_iterator_reference for * information on specific APIs. */ @@ -279,8 +279,8 @@ kim_error kim_ccache_iterator_create (kim_ccache_iterator *out_ccache_iterator); /*! * \param in_ccache_iterator a ccache iterator object. - * \param out_ccache on exit, the next ccache in the cache collection. If there are - * no more ccaches in the cache collection this argument will be + * \param out_ccache on exit, the next ccache in the cache collection. If there are + * no more ccaches in the cache collection this argument will be * set to NULL. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the next ccache in the cache collection. @@ -302,13 +302,13 @@ void kim_ccache_iterator_free (kim_ccache_iterator *io_ccache_iterator); */ /*! - * \param out_ccache on exit, a new cache object for a ccache containing a newly acquired + * \param out_ccache on exit, a new cache object for a ccache containing a newly acquired * initial credential. Must be freed with kim_ccache_free(). - * \param in_client_identity a client identity to obtain a credential for. Specify KIM_IDENTITY_ANY to + * \param in_client_identity a client identity to obtain a credential for. Specify KIM_IDENTITY_ANY to * allow the user to choose. - * \param in_options options to control credential acquisition. - * \note #kim_ccache_create_new() may - * present a GUI or command line prompt to obtain information from the user. + * \param in_options options to control credential acquisition. + * \note #kim_ccache_create_new() may + * present a GUI or command line prompt to obtain information from the user. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Acquire a new initial credential and store it in a ccache. */ @@ -317,14 +317,14 @@ kim_error kim_ccache_create_new (kim_ccache *out_ccache, kim_options in_options); /*! - * \param out_ccache on exit, a new cache object for a ccache containing a newly acquired + * \param out_ccache on exit, a new cache object for a ccache containing a newly acquired * initial credential. Must be freed with kim_ccache_free(). - * \param in_client_identity a client identity to obtain a credential for. Specify KIM_IDENTITY_ANY to + * \param in_client_identity a client identity to obtain a credential for. Specify KIM_IDENTITY_ANY to * allow the user to choose. - * \param in_options options to control credential acquisition. - * \param in_password a password to be used while obtaining credentials. + * \param in_options options to control credential acquisition. + * \param in_password a password to be used while obtaining credentials. * \note #kim_ccache_create_new_with_password() exists to support - * legacy password-based Kerberos environments. You should not use this + * legacy password-based Kerberos environments. You should not use this * function unless you know that it will only be used in environments using passwords. * This function may also present a GUI or command line prompt to obtain * additional information needed to obtain credentials (eg: SecurID pin). @@ -338,12 +338,12 @@ kim_error kim_ccache_create_new_with_password (kim_ccache *out_ccache, kim_string in_password); /*! - * \param out_ccache on exit, a ccache object for a ccache containing a newly acquired + * \param out_ccache on exit, a ccache object for a ccache containing a newly acquired * initial credential. Must be freed with kim_ccache_free(). * \param in_client_identity a client identity to obtain a credential for. - * \param in_options options to control credential acquisition (if a credential is acquired). - * \note #kim_ccache_create_new_if_needed() may - * present a GUI or command line prompt to obtain information from the user. + * \param in_options options to control credential acquisition (if a credential is acquired). + * \note #kim_ccache_create_new_if_needed() may + * present a GUI or command line prompt to obtain information from the user. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Find a ccache containing a valid initial credential in the cache collection, or if * unavailable, acquire and store a new initial credential. @@ -353,13 +353,13 @@ kim_error kim_ccache_create_new_if_needed (kim_ccache *out_ccache, kim_options in_options); /*! - * \param out_ccache on exit, a ccache object for a ccache containing a newly acquired + * \param out_ccache on exit, a ccache object for a ccache containing a newly acquired * initial credential. Must be freed with kim_ccache_free(). * \param in_client_identity a client identity to obtain a credential for. - * \param in_options options to control credential acquisition (if a credential is acquired). - * \param in_password a password to be used while obtaining credentials. + * \param in_options options to control credential acquisition (if a credential is acquired). + * \param in_password a password to be used while obtaining credentials. * \note #kim_ccache_create_new_if_needed_with_password() exists to support - * legacy password-based Kerberos environments. You should not use this + * legacy password-based Kerberos environments. You should not use this * function unless you know that it will only be used in environments using passwords. * This function may also present a GUI or command line prompt to obtain * additional information needed to obtain credentials (eg: SecurID pin). @@ -373,10 +373,10 @@ kim_error kim_ccache_create_new_if_needed_with_password (kim_ccache *out_ccach kim_string in_password); /*! - * \param out_ccache on exit, a ccache object for a ccache containing a TGT + * \param out_ccache on exit, a ccache object for a ccache containing a TGT * credential. Must be freed with kim_ccache_free(). - * \param in_client_identity a client identity to find a ccache for. If - * \a in_client_identity is #KIM_IDENTITY_ANY, this + * \param in_client_identity a client identity to find a ccache for. If + * \a in_client_identity is #KIM_IDENTITY_ANY, this * function returns the default ccache * (ie: is equivalent to #kim_ccache_create_from_default()). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -386,13 +386,13 @@ kim_error kim_ccache_create_from_client_identity (kim_ccache *out_ccache, kim_identity in_client_identity); /*! - * \param out_ccache on exit, a new ccache object containing an initial credential - * for the client identity \a in_identity obtained using in_keytab. + * \param out_ccache on exit, a new ccache object containing an initial credential + * for the client identity \a in_identity obtained using in_keytab. * Must be freed with kim_ccache_free(). * \param in_identity a client identity to obtain a credential for. Specify NULL for * the first client identity in the keytab. - * \param in_options options to control credential acquisition. - * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. + * \param in_options options to control credential acquisition. + * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Acquire a new initial credential from a keytab and store it in a ccache. */ @@ -402,7 +402,7 @@ kim_error kim_ccache_create_from_keytab (kim_ccache *out_ccache, kim_string in_keytab); /*! - * \param out_ccache on exit, a ccache object for the default ccache. + * \param out_ccache on exit, a ccache object for the default ccache. * Must be freed with kim_ccache_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the default ccache. @@ -410,7 +410,7 @@ kim_error kim_ccache_create_from_keytab (kim_ccache *out_ccache, kim_error kim_ccache_create_from_default (kim_ccache *out_ccache); /*! - * \param out_ccache on exit, a ccache object for the ccache identified by + * \param out_ccache on exit, a ccache object for the ccache identified by * \a in_display_name. Must be freed with kim_ccache_free(). * \param in_display_name a ccache display name string (ie: "TYPE:NAME"). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -421,10 +421,10 @@ kim_error kim_ccache_create_from_display_name (kim_ccache *out_ccache, kim_string in_display_name); /*! - * \param out_ccache on exit, a ccache object for the ccache identified by + * \param out_ccache on exit, a ccache object for the ccache identified by * \a in_type and \a in_name. Must be freed with kim_ccache_free(). - * \param in_type a ccache type string. - * \param in_name a ccache name string. + * \param in_type a ccache type string. + * \param in_name a ccache name string. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \note This API is provided for backwards compatibilty with applications which are not * KIM-aware and should be avoided whenever possible. @@ -435,10 +435,10 @@ kim_error kim_ccache_create_from_type_and_name (kim_ccache *out_ccache, kim_string in_name); /*! - * \param out_ccache on exit, a new ccache object which is a copy of in_krb5_ccache. + * \param out_ccache on exit, a new ccache object which is a copy of in_krb5_ccache. * Must be freed with kim_ccache_free(). - * \param in_krb5_context the krb5 context used to create \a in_krb5_ccache. - * \param in_krb5_ccache a krb5 ccache object. + * \param in_krb5_context the krb5 context used to create \a in_krb5_ccache. + * \param in_krb5_ccache a krb5 ccache object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get a ccache for a krb5 ccache. */ @@ -447,9 +447,9 @@ kim_error kim_ccache_create_from_krb5_ccache (kim_ccache *out_ccache, krb5_ccache in_krb5_ccache); /*! - * \param out_ccache on exit, the new ccache object which is a copy of in_ccache. + * \param out_ccache on exit, the new ccache object which is a copy of in_ccache. * Must be freed with kim_ccache_free(). - * \param in_ccache a ccache object. + * \param in_ccache a ccache object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Copy a ccache. */ @@ -459,7 +459,7 @@ kim_error kim_ccache_copy (kim_ccache *out_ccache, /*! * \param in_ccache a ccache object. * \param in_compare_to_ccache a ccache object. - * \param out_comparison on exit, a comparison of \a in_ccache and + * \param out_comparison on exit, a comparison of \a in_ccache and * \a in_compare_to_ccache which determines whether * or not the two ccache objects refer to the same ccache. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -468,11 +468,11 @@ kim_error kim_ccache_copy (kim_ccache *out_ccache, kim_error kim_ccache_compare (kim_ccache in_ccache, kim_ccache in_compare_to_ccache, kim_comparison *out_comparison); - + /*! - * \param in_ccache a ccache object. - * \param in_krb5_context a krb5 context which will be used to create out_krb5_ccache. - * \param out_krb5_ccache on exit, a new krb5 ccache object which is a copy of in_ccache. + * \param in_ccache a ccache object. + * \param in_krb5_context a krb5 context which will be used to create out_krb5_ccache. + * \param out_krb5_ccache on exit, a new krb5 ccache object which is a copy of in_ccache. * Must be freed with krb5_cc_close() or krb5_cc_destroy(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get a krb5 ccache for a ccache. @@ -482,7 +482,7 @@ kim_error kim_ccache_get_krb5_ccache (kim_ccache in_ccache, krb5_ccache *out_krb5_ccache); /*! - * \param in_ccache a ccache object. + * \param in_ccache a ccache object. * \param out_name on exit, the name string of \a in_ccache. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the name of a ccache. @@ -491,7 +491,7 @@ kim_error kim_ccache_get_name (kim_ccache in_ccache, kim_string *out_name); /*! - * \param in_ccache a ccache object. + * \param in_ccache a ccache object. * \param out_type on exit, the type string of \a in_ccache. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the type of a ccache. @@ -500,8 +500,8 @@ kim_error kim_ccache_get_type (kim_ccache in_ccache, kim_string *out_type); /*! - * \param in_ccache a ccache object. - * \param out_display_name on exit, the type and name of \a in_ccache in a format appropriate for + * \param in_ccache a ccache object. + * \param out_display_name on exit, the type and name of \a in_ccache in a format appropriate for * display to the user in command line programs. (ie: ":") * Must be freed with kim_string_free(). * Note: this string can also be passed to krb5_cc_resolve(). @@ -512,8 +512,8 @@ kim_error kim_ccache_get_display_name (kim_ccache in_ccache, kim_string *out_display_name); /*! - * \param in_ccache a ccache object. - * \param out_client_identity on exit, an identity object containing the client identity of + * \param in_ccache a ccache object. + * \param out_client_identity on exit, an identity object containing the client identity of * \a in_ccache. Must be freed with kim_identity_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the client identity for a ccache. @@ -522,15 +522,15 @@ kim_error kim_ccache_get_client_identity (kim_ccache in_ccache, kim_identity *out_client_identity); /*! - * \param in_ccache a ccache object. - * \param out_credential on exit, the first valid credential in \a in_ccache. + * \param in_ccache a ccache object. + * \param out_credential on exit, the first valid credential in \a in_ccache. * Must be freed with kim_credential_free(). Set to NULL * if you only want return value, not the actual credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the first valid credential in a ccache. * \note This function prefers valid TGT credentials. If there are only non-valid TGTs - * in the ccache, it will always return an error. However, if there are no - * TGTs at all, it will return the first valid non-TGT credential. If you only want + * in the ccache, it will always return an error. However, if there are no + * TGTs at all, it will return the first valid non-TGT credential. If you only want * TGTs, use kim_credential_is_tgt() to verify that \a out_credential is a tgt. */ kim_error kim_ccache_get_valid_credential (kim_ccache in_ccache, @@ -538,20 +538,20 @@ kim_error kim_ccache_get_valid_credential (kim_ccache in_ccache, /*! * \param in_ccache a ccache object. - * \param out_state on exit, the state of the credentials in \a in_ccache. + * \param out_state on exit, the state of the credentials in \a in_ccache. * See #kim_credential_state_enum for the possible values * of \a out_state. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Check the state of the credentials in a ccache (valid, expired, postdated, etc). - * \note This function prefers TGT credentials. If there are any TGTs in the - * ccache, it will always return their state. However, if there are no + * \note This function prefers TGT credentials. If there are any TGTs in the + * ccache, it will always return their state. However, if there are no * TGTs at all, it will return the state of the first non-TGT credential. */ kim_error kim_ccache_get_state (kim_ccache in_ccache, kim_credential_state *out_state); - + /*! - * \param in_ccache a ccache object. + * \param in_ccache a ccache object. * \param out_start_time on exit, the time when the credentials in \a in_ccache * become valid. May be in the past or future. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -561,8 +561,8 @@ kim_error kim_ccache_get_start_time (kim_ccache in_ccache, kim_time *out_start_time); /*! - * \param in_ccache a ccache object. - * \param out_expiration_time on exit, the time when the credentials in + * \param in_ccache a ccache object. + * \param out_expiration_time on exit, the time when the credentials in * \a in_ccache will expire. May be in the past or future. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the time when the credentials in the ccache will expire. @@ -571,8 +571,8 @@ kim_error kim_ccache_get_expiration_time (kim_ccache in_ccache, kim_time *out_expiration_time); /*! - * \param in_ccache a ccache object. - * \param out_renewal_expiration_time on exit, the time when the credentials in \a in_ccache + * \param in_ccache a ccache object. + * \param out_renewal_expiration_time on exit, the time when the credentials in \a in_ccache * will no longer be renewable. May be in the past or future. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the time when the credentials in the ccache will no longer be renewable. @@ -581,7 +581,7 @@ kim_error kim_ccache_get_renewal_expiration_time (kim_ccache in_ccache, kim_time *out_renewal_expiration_time); /*! - * \param in_ccache a ccache object. + * \param in_ccache a ccache object. * \param out_options on exit, an options object reflecting the ticket * options of the credentials in \a in_ccache. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -591,7 +591,7 @@ kim_error kim_ccache_get_options (kim_ccache in_ccache, kim_options *out_options); /*! - * \param io_ccache a ccache object which will be set to the default ccache. + * \param io_ccache a ccache object which will be set to the default ccache. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \note This API is provided for backwards compatibilty with applications which are not * KIM-aware and should be avoided whenever possible. @@ -600,14 +600,14 @@ kim_error kim_ccache_get_options (kim_ccache in_ccache, kim_error kim_ccache_set_default (kim_ccache io_ccache); /*! - * \param in_ccache a ccache object containing the TGT credential to be verified. - * \param in_service_identity a service identity to look for in the keytab. Specify + * \param in_ccache a ccache object containing the TGT credential to be verified. + * \param in_service_identity a service identity to look for in the keytab. Specify * KIM_IDENTITY_ANY to use the default service identity * (usually host/@). - * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. + * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. * \param in_fail_if_no_service_key whether or not the absence of a key for \a in_service_identity - * in the host's keytab will cause a failure. - * \note specifying FALSE for \a in_fail_if_no_service_key may expose the calling program to + * in the host's keytab will cause a failure. + * \note specifying FALSE for \a in_fail_if_no_service_key may expose the calling program to * the Zanarotti attack if the host has no keytab installed. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Verify the TGT in a ccache. @@ -618,7 +618,7 @@ kim_error kim_ccache_verify (kim_ccache in_ccache, kim_boolean in_fail_if_no_service_key); /*! - * \param in_ccache a ccache object containing a TGT to be renewed. + * \param in_ccache a ccache object containing a TGT to be renewed. * \param in_options initial credential options to be used if a new credential is obtained. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Renew the TGT in a ccache. @@ -627,7 +627,7 @@ kim_error kim_ccache_renew (kim_ccache in_ccache, kim_options in_options); /*! - * \param in_ccache a ccache object containing a TGT to be validated. + * \param in_ccache a ccache object containing a TGT to be validated. * \param in_options initial credential options. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Validate the TGT in a ccache. diff --git a/src/include/kim/kim_credential.h b/src/include/kim/kim_credential.h index c061f1199..634c458f0 100644 --- a/src/include/kim/kim_credential.h +++ b/src/include/kim/kim_credential.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -28,10 +28,10 @@ #ifdef __cplusplus extern "C" { #endif - + #include #include - + /*! * \addtogroup kim_types_reference * @{ @@ -41,12 +41,12 @@ extern "C" { * Possible credential states. Credentials may be: * \li valid - The credential can be used. * \li expired - The credential's lifetime has been exceeded. - * \li not_yet_valid - The credential is post dated and the time when + * \li not_yet_valid - The credential is post dated and the time when * it becomes valid has not yet been reached. * \li needs_validation - The credential is post-dated and although * the time when it becomes valid has been reached * it has not yet been validated. - * \li address_mismatch - The credential contains IP address(es) which do + * \li address_mismatch - The credential contains IP address(es) which do * not match the host's local address(es). */ enum kim_credential_state_enum { @@ -63,23 +63,23 @@ enum kim_credential_state_enum { */ typedef int kim_credential_state; -/*! @} */ +/*! @} */ /*! * \page kim_credential_overview KIM Credential Overview * * \section kim_credential_introduction Introduction * - * A Kerberos credential (also called a "Kerberos ticket") is a time-limited - * token issued by a KDC which authenticates the entity named by the credential's - * client identity to the service named by the credential's service identity. + * A Kerberos credential (also called a "Kerberos ticket") is a time-limited + * token issued by a KDC which authenticates the entity named by the credential's + * client identity to the service named by the credential's service identity. * * The kim_credential object contains a single Kerberos credential. KIM credentials * objects are always copies of credentials, not references to credentials - * stored in the cache collection. Modifying credential objects in the ccache + * stored in the cache collection. Modifying credential objects in the ccache * collection will not change any existing KIM credential objects. * - * KIM credential APIs are intended for applications and system + * KIM credential APIs are intended for applications and system * tools which manage credentials for the user. They are not a substitute for * krb5 and GSSAPI functions which obtain service credentials for the purpose * of authenticating a client to an application server. @@ -87,7 +87,7 @@ typedef int kim_credential_state; * \note Many of the APIs listed below have equivalent functions which * operate on ccaches. In most cases applications will want to use the * ccache versions of these APIs since they automatically store any - * newly created credentials. See \ref kim_ccache_overview for more + * newly created credentials. See \ref kim_ccache_overview for more * information. * * @@ -95,25 +95,25 @@ typedef int kim_credential_state; * * KIM provides the #kim_credential_create_new() API for acquiring new * credentials. Credentials can either be obtained for a specific - * client identity or by specifying #KIM_IDENTITY_ANY to allow + * client identity or by specifying #KIM_IDENTITY_ANY to allow * the user to choose. Typically callers of this API obtain the client - * identity using #kim_selection_hints_get_identity(). Depending on the - * kim_options specified, #kim_credential_create_new() may present a + * identity using #kim_selection_hints_get_identity(). Depending on the + * kim_options specified, #kim_credential_create_new() may present a * GUI or command line prompt to obtain information from the user. * * For legacy password-based Kerberos environments KIM also provides - * #kim_credential_create_new_with_password(). You should not use this - * function unless you know that it will only be used in environments using + * #kim_credential_create_new_with_password(). You should not use this + * function unless you know that it will only be used in environments using * passwords. Otherwise users without passwords may be prompted for them. * - * KIM provides the #kim_credential_create_from_keytab() to create credentials - * using a keytab. A keytab is an on-disk copy of a client identity's secret - * key. Typically sites use keytabs for client identities that identify a - * machine or service and protect the keytab with disk permissions. Because - * a keytab is sufficient to obtain credentials, keytabs will normally only - * be readable by root, Administrator or some other privileged account. + * KIM provides the #kim_credential_create_from_keytab() to create credentials + * using a keytab. A keytab is an on-disk copy of a client identity's secret + * key. Typically sites use keytabs for client identities that identify a + * machine or service and protect the keytab with disk permissions. Because + * a keytab is sufficient to obtain credentials, keytabs will normally only + * be readable by root, Administrator or some other privileged account. * Typically applications use credentials obtained from keytabs to obtain - * credentials for batch processes. These keytabs and credentials are usually + * credentials for batch processes. These keytabs and credentials are usually * for a special identity used for the batch process rather than a user * identity. * @@ -121,18 +121,18 @@ typedef int kim_credential_state; * \section kim_credential_validate Validating Credentials * * A credential with a start time in the future (ie: after the issue date) - * is called a post-dated credential. Because the KDC administrator may + * is called a post-dated credential. Because the KDC administrator may * wish to disable a identity, once the start time is reached, all post-dated * credentials must be validated before they can be used. Otherwise an - * attacker using a compromised account could acquire lots of post-dated + * attacker using a compromised account could acquire lots of post-dated * credentials to circumvent the acccount being disabled. * * KIM provides the #kim_credential_validate() API to validate a credential. - * Note that this API replaces the credential object with a new validated - * credential object. If you wish to store the new credential in the - * ccache collection you must either call #kim_credential_store() on the + * Note that this API replaces the credential object with a new validated + * credential object. If you wish to store the new credential in the + * ccache collection you must either call #kim_credential_store() on the * validated credential or use #kim_ccache_validate() instead. - * + * * * \section kim_credential_renew Renewing Credentials * @@ -142,19 +142,19 @@ typedef int kim_credential_state; * valid. * * KIM provides the #kim_credential_renew() API to renew a credential. - * Note that this API replaces the credential object with a new renewed - * credential object. If you wish to store the new credential in the - * ccache collection you must either call #kim_credential_store() on the + * Note that this API replaces the credential object with a new renewed + * credential object. If you wish to store the new credential in the + * ccache collection you must either call #kim_credential_store() on the * renewed credential or use #kim_ccache_renew() instead. * * * \section kim_credential_storing Storing Credentials in the Cache Collection * - * KIM credential objects may be stored in the ccache collection using + * KIM credential objects may be stored in the ccache collection using * #kim_credential_store(). This function runs any KIM authentication - * plugins on the credential and if the plugins return successfully, creates a - * new ccache for the credential's client identity in the cache collection - * and stores the credential in that ccache. Any existing ccaches and credentials + * plugins on the credential and if the plugins return successfully, creates a + * new ccache for the credential's client identity in the cache collection + * and stores the credential in that ccache. Any existing ccaches and credentials * for that client identity will be overwritten. #kim_credential_store() may * optionally return a kim_ccache object for the new ccache if you need to perform * further operations on the new ccache. @@ -168,9 +168,9 @@ typedef int kim_credential_state; * \section kim_credential_iterator Iterating over the Credentials in a CCache * * KIM provides a simple iterator API for iterating over the credentials - * in a ccache. First, call #kim_credential_iterator_create() to obtain + * in a ccache. First, call #kim_credential_iterator_create() to obtain * an iterator for a ccache. Then loop calling #kim_credential_iterator_next() - * until either you find the credential you are looking for or the API + * until either you find the credential you are looking for or the API * returns a NULL credential, indicating that there are no more * credentials in the ccache. When you are done with the iterator, call * #kim_credential_iterator_free(). @@ -182,65 +182,65 @@ typedef int kim_credential_state; * \section kim_credential_verify Verifying Credentials * * When a program acquires TGT credentials for the purpose of authenticating - * itself to the machine it is running on, it is insufficient for the machine - * to assume that the caller is authorized just because it got credentials. - * Instead, the credentials must be verified using a key the local machine. - * The reason this is necessary is because an attacker can trick the + * itself to the machine it is running on, it is insufficient for the machine + * to assume that the caller is authorized just because it got credentials. + * Instead, the credentials must be verified using a key the local machine. + * The reason this is necessary is because an attacker can trick the * machine into obtaining credentials from any KDC, including malicious ones - * with the same realm name as the local machine's realm. This exploit is - * called the Zanarotti attack. + * with the same realm name as the local machine's realm. This exploit is + * called the Zanarotti attack. * * In order to avoid the Zanarotti attack, the local machine must authenticate * the process in the same way an application server would authenticate a client. - * Like an application server, the local machine must have its own identity in + * Like an application server, the local machine must have its own identity in * its realm and a keytab for that identity on its local disk. However, - * rather than forcing system daemons to use the network-oriented calls in the - * krb5 and GSS APIs, KIM provides the #kim_credential_verify() API to - * verify credentials directly. - * - * The most common reason for using #kim_credential_verify() is user login. + * rather than forcing system daemons to use the network-oriented calls in the + * krb5 and GSS APIs, KIM provides the #kim_credential_verify() API to + * verify credentials directly. + * + * The most common reason for using #kim_credential_verify() is user login. * If the local machine wants to use Kerberos to verify the username and password * provided by the user, it must call #kim_credential_verify() on the credentials * it obtains to make sure they are really from a KDC it trusts. Another common * case is a server which is only using Kerberos internally. For example an * LDAP or web server might use a username and password obtained over the network - * to get Kerberos credentials. In order to make sure they aren't being tricked - * into talking to the wrong KDC, these servers must also call + * to get Kerberos credentials. In order to make sure they aren't being tricked + * into talking to the wrong KDC, these servers must also call * #kim_credential_verify(). - * - * The Zanarotti attack is only a concern if the act of accessing the machine - * gives the process special access. Thus a managed cluster machine with - * Kerberos-authenticated networked home directories does not need to call - * #kim_credential_verify(). Even though an attacker can log in as any user on - * the cluster machine, the attacker can't actually access any of the user's data - * or use any of their privileges because those are all authenticated via - * Kerberized application servers (and thus require actually having credentials + * + * The Zanarotti attack is only a concern if the act of accessing the machine + * gives the process special access. Thus a managed cluster machine with + * Kerberos-authenticated networked home directories does not need to call + * #kim_credential_verify(). Even though an attacker can log in as any user on + * the cluster machine, the attacker can't actually access any of the user's data + * or use any of their privileges because those are all authenticated via + * Kerberized application servers (and thus require actually having credentials * for the real local realm). * - * #kim_credential_verify() provides an option to - * return success even if the machine's host key is not present. This option - * exists for sites which have a mix of different machines, some of which are - * vulnerable to the Zanarotti attack and some are not. If this option is used, + * #kim_credential_verify() provides an option to + * return success even if the machine's host key is not present. This option + * exists for sites which have a mix of different machines, some of which are + * vulnerable to the Zanarotti attack and some are not. If this option is used, * it is the responsiblity of the machine's maintainer to obtain a keytab * for their machine if it needs one. * * * \section kim_credential_properties Examining Credential Properties - * + * * \li #kim_credential_get_client_identity() * returns the credential's client identity. * - * \li #kim_credential_get_service_identity() + * \li #kim_credential_get_service_identity() * returns the credential's service identity. * - * \li #kim_credential_is_tgt() - * returns whether the credential is a TGT (ie: "ticket-granting ticket"). TGTs are - * credentials for the krbtgt service: a service identity of the form "krbtgt/@". - * These credentials allow the entity named by the client identity to obtain + * \li #kim_credential_is_tgt() + * returns whether the credential is a TGT (ie: "ticket-granting ticket"). TGTs are + * credentials for the krbtgt service: a service identity of the form "krbtgt/@". + * These credentials allow the entity named by the client identity to obtain * additional service credentials without resending shared secrets (such as a password) * to the KDC. Kerberos uses TGTs to provide single sign-on authentication. * - * \li #kim_credential_get_state() + * \li #kim_credential_get_state() * returns a #kim_credential_state containing the state of the credential. * Possible values are: * * kim_credentials_state_valid @@ -249,35 +249,35 @@ typedef int kim_credential_state; * * kim_credentials_state_needs_validation * * kim_credentials_state_address_mismatch * - * \li #kim_credential_get_start_time() - * returns when the credential will become valid. - * Credentials may be "post-dated" which means that their lifetime starts sometime - * in the future. Note that when a post-dated credential's start time is reached, + * \li #kim_credential_get_start_time() + * returns when the credential will become valid. + * Credentials may be "post-dated" which means that their lifetime starts sometime + * in the future. Note that when a post-dated credential's start time is reached, * the credential must be validated. See \ref kim_credential_validate for more information. * - * \li #kim_credential_get_expiration_time() - * returns when the credential will expire. - * Credentials are time limited by the lifetime of the credential. While you can - * request a credential of any lifetime, the KDC limits the credential lifetime + * \li #kim_credential_get_expiration_time() + * returns when the credential will expire. + * Credentials are time limited by the lifetime of the credential. While you can + * request a credential of any lifetime, the KDC limits the credential lifetime * to a administrator-defined maximum. Typically credential lifetime range from 10 * to 21 hours. * - * \li #kim_credential_get_renewal_expiration_time() - * returns when the credential will no longer be renewable. - * Valid credentials may be renewed up until their renewal expiration time. - * Renewing credentials acquires a fresh set of credentials with a full lifetime - * without resending secrets to the KDC (such as a password). If credentials are + * \li #kim_credential_get_renewal_expiration_time() + * returns when the credential will no longer be renewable. + * Valid credentials may be renewed up until their renewal expiration time. + * Renewing credentials acquires a fresh set of credentials with a full lifetime + * without resending secrets to the KDC (such as a password). If credentials are * not renewable, this function will return a renewal expiration time of 0. * - * \li #kim_credential_get_options() - * returns a kim_options object with the credential options of the - * credential. This function is intended to be used when adding + * \li #kim_credential_get_options() + * returns a kim_options object with the credential options of the + * credential. This function is intended to be used when adding * an identity with existing credentials to the favorite identities list. * By passing in the options returned by this call, future requests for the * favorite identity will use the same credential options. * * - * See \ref kim_credential_reference and \ref kim_credential_iterator_reference for + * See \ref kim_credential_reference and \ref kim_credential_iterator_reference for * information on specific APIs. */ @@ -299,8 +299,8 @@ kim_error kim_credential_iterator_create (kim_credential_iterator *out_credentia /*! * \param in_credential_iterator a credential iterator object. - * \param out_credential on exit, the next credential in the ccache iterated by - * \a in_credential_iterator. Must be freed with + * \param out_credential on exit, the next credential in the ccache iterated by + * \a in_credential_iterator. Must be freed with * kim_credential_free(). If there are no more credentials * this argument will be set to NULL. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -324,13 +324,13 @@ void kim_credential_iterator_free (kim_credential_iterator *io_credential_iterat */ /*! - * \param out_credential on exit, a new credential object containing a newly acquired + * \param out_credential on exit, a new credential object containing a newly acquired * initial credential. Must be freed with kim_credential_free(). - * \param in_client_identity a client identity to obtain a credential for. Specify NULL to + * \param in_client_identity a client identity to obtain a credential for. Specify NULL to * allow the user to choose the identity - * \param in_options options to control credential acquisition. - * \note #kim_credential_create_new() may - * present a GUI or command line prompt to obtain information from the user. + * \param in_options options to control credential acquisition. + * \note #kim_credential_create_new() may + * present a GUI or command line prompt to obtain information from the user. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Acquire a new initial credential. * \sa kim_ccache_create_new @@ -340,14 +340,14 @@ kim_error kim_credential_create_new (kim_credential *out_credential, kim_options in_options); /*! - * \param out_credential on exit, a new credential object containing a newly acquired + * \param out_credential on exit, a new credential object containing a newly acquired * initial credential. Must be freed with kim_credential_free(). - * \param in_client_identity a client identity to obtain a credential for. Specify NULL to + * \param in_client_identity a client identity to obtain a credential for. Specify NULL to * allow the user to choose the identity - * \param in_options options to control credential acquisition. - * \param in_password a password to be used while obtaining the credential. + * \param in_options options to control credential acquisition. + * \param in_password a password to be used while obtaining the credential. * \note #kim_credential_create_new_with_password() exists to support - * legacy password-based Kerberos environments. You should not use this + * legacy password-based Kerberos environments. You should not use this * function unless you know that it will only be used in environments using passwords. * This function may also present a GUI or command line prompt to obtain * additional information needed to obtain credentials (eg: SecurID pin). @@ -359,15 +359,15 @@ kim_error kim_credential_create_new_with_password (kim_credential *out_credentia kim_identity in_client_identity, kim_options in_options, kim_string in_password); - + /*! * \param out_credential on exit, a new credential object containing an initial credential - * for \a in_identity obtained using \a in_keytab. + * for \a in_identity obtained using \a in_keytab. * Must be freed with kim_credential_free(). * \param in_identity a client identity to obtain a credential for. Specify NULL for * the first identity in the keytab. - * \param in_options options to control credential acquisition. - * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. + * \param in_options options to control credential acquisition. + * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Acquire a new initial credential from a keytab. * \sa kim_ccache_create_from_keytab @@ -378,10 +378,10 @@ kim_error kim_credential_create_from_keytab (kim_credential *out_credential, kim_string in_keytab); /*! - * \param out_credential on exit, a new credential object which is a copy of \a in_krb5_creds. + * \param out_credential on exit, a new credential object which is a copy of \a in_krb5_creds. * Must be freed with kim_credential_free(). - * \param in_krb5_context the krb5 context used to create \a in_krb5_creds. - * \param in_krb5_creds a krb5 credential object. + * \param in_krb5_context the krb5 context used to create \a in_krb5_creds. + * \param in_krb5_creds a krb5 credential object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Copy a credential from a krb5 credential object. */ @@ -390,9 +390,9 @@ kim_error kim_credential_create_from_krb5_creds (kim_credential *out_credential, krb5_creds *in_krb5_creds); /*! - * \param out_credential on exit, a new credential object which is a copy of \a in_credential. + * \param out_credential on exit, a new credential object which is a copy of \a in_credential. * Must be freed with kim_credential_free(). - * \param in_credential a credential object. + * \param in_credential a credential object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Copy a credential object. */ @@ -400,9 +400,9 @@ kim_error kim_credential_copy (kim_credential *out_credential, kim_credential in_credential); /*! - * \param in_credential a credential object. - * \param in_krb5_context a krb5 context which will be used to create \a out_krb5_creds. - * \param out_krb5_creds on exit, a new krb5 creds object which is a copy of \a in_credential. + * \param in_credential a credential object. + * \param in_krb5_context a krb5 context which will be used to create \a out_krb5_creds. + * \param out_krb5_creds on exit, a new krb5 creds object which is a copy of \a in_credential. * Must be freed with krb5_free_creds(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get a krb5 credentials object for a credential object. @@ -412,8 +412,8 @@ kim_error kim_credential_get_krb5_creds (kim_credential in_credential, krb5_creds **out_krb5_creds); /*! - * \param in_credential a credential object. - * \param out_client_identity on exit, an identity object containing the client identity of + * \param in_credential a credential object. + * \param out_client_identity on exit, an identity object containing the client identity of * \a in_credential. Must be freed with kim_identity_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the client identity of a credential object. @@ -422,8 +422,8 @@ kim_error kim_credential_get_client_identity (kim_credential in_credential, kim_identity *out_client_identity); /*! - * \param in_credential a credential object. - * \param out_service_identity on exit, an identity object containing the service identity of + * \param in_credential a credential object. + * \param out_service_identity on exit, an identity object containing the service identity of * \a in_credential. Must be freed with kim_identity_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the service identity of a credential object. @@ -432,7 +432,7 @@ kim_error kim_credential_get_service_identity (kim_credential in_credential, kim_identity *out_service_identity); /*! - * \param in_credential a credential object. + * \param in_credential a credential object. * \param out_is_tgt on exit, whether or not the credential is a TGT. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Check if a credential is a ticket granting ticket. @@ -441,7 +441,7 @@ kim_error kim_credential_is_tgt (kim_credential in_credential, kim_boolean *out_is_tgt); /*! - * \param in_credential a credential object. + * \param in_credential a credential object. * \param out_state on exit, the state of the credential. See #kim_credential_state_enum * for the possible values of \a out_state. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -451,7 +451,7 @@ kim_error kim_credential_get_state (kim_credential in_credential, kim_credential_state *out_state); /*! - * \param in_credential a credential object. + * \param in_credential a credential object. * \param out_start_time on exit, the time when \a in_credential becomes valid. * May be in the past or future. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -462,7 +462,7 @@ kim_error kim_credential_get_start_time (kim_credential in_credential, kim_time *out_start_time); /*! - * \param in_credential a credential object. + * \param in_credential a credential object. * \param out_expiration_time on exit, the time when \a in_credential will expire. * May be in the past or future. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -473,9 +473,9 @@ kim_error kim_credential_get_expiration_time (kim_credential in_credential, kim_time *out_expiration_time); /*! - * \param in_credential a credential object. - * \param out_renewal_expiration_time on exit, the time when \a in_credential will no longer - * be renewable. May be in the past or future. If + * \param in_credential a credential object. + * \param out_renewal_expiration_time on exit, the time when \a in_credential will no longer + * be renewable. May be in the past or future. If * credentials are not renewable at all, returns 0. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the time when the credentials will no longer be renewable. @@ -485,7 +485,7 @@ kim_error kim_credential_get_renewal_expiration_time (kim_credential in_credent kim_time *out_renewal_expiration_time); /*! - * \param in_credential a credential object. + * \param in_credential a credential object. * \param out_options on exit, an options object reflecting the ticket * options of \a in_credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -493,11 +493,11 @@ kim_error kim_credential_get_renewal_expiration_time (kim_credential in_credent */ kim_error kim_credential_get_options (kim_credential in_credential, kim_options *out_options); - + /*! - * \param in_credential a credential object. + * \param in_credential a credential object. * \param in_client_identity a client identity. - * \param out_ccache on exit, a ccache object containing \a in_credential with the client + * \param out_ccache on exit, a ccache object containing \a in_credential with the client * identity \a in_client_identity. Must be freed with kim_ccache_free(). * Specify NULL if you don't want this return value. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -508,14 +508,14 @@ kim_error kim_credential_store (kim_credential in_credential, kim_ccache *out_ccache); /*! - * \param in_credential a TGT credential to be verified. - * \param in_service_identity a service identity to look for in the keytab. Specify + * \param in_credential a TGT credential to be verified. + * \param in_service_identity a service identity to look for in the keytab. Specify * KIM_IDENTITY_ANY to use the default service identity * (usually host/@). - * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. + * \param in_keytab a path to a keytab. Specify NULL for the default keytab location. * \param in_fail_if_no_service_key whether or not the absence of a key for \a in_service_identity - * in the host's keytab will cause a failure. - * \note specifying FALSE for \a in_fail_if_no_service_key may expose the calling program to + * in the host's keytab will cause a failure. + * \note specifying FALSE for \a in_fail_if_no_service_key may expose the calling program to * the Zanarotti attack if the host has no keytab installed. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Verify a TGT credential. @@ -527,9 +527,9 @@ kim_error kim_credential_verify (kim_credential in_credential, kim_boolean in_fail_if_no_service_key); /*! - * \param io_credential a TGT credential to be renewed. On exit, the old credential - * object will be freed and \a io_credential will be replaced - * with a new renewed credential. The new credential must be freed + * \param io_credential a TGT credential to be renewed. On exit, the old credential + * object will be freed and \a io_credential will be replaced + * with a new renewed credential. The new credential must be freed * with kim_credential_free(). * \param in_options initial credential options. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -540,9 +540,9 @@ kim_error kim_credential_renew (kim_credential *io_credential, kim_options in_options); /*! - * \param io_credential a credential object to be validated. On exit, the old credential - * object will be freed and \a io_credential will be replaced - * with a new validated credential. The new credential must be freed + * \param io_credential a credential object to be validated. On exit, the old credential + * object will be freed and \a io_credential will be replaced + * with a new validated credential. The new credential must be freed * with kim_credential_free(). * \param in_options initial credential options. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -559,8 +559,8 @@ kim_error kim_credential_validate (kim_credential *io_credential, void kim_credential_free (kim_credential *io_credential); /*!@}*/ - - + + #ifdef __cplusplus } #endif diff --git a/src/include/kim/kim_identity.h b/src/include/kim/kim_identity.h index cd50a4080..a8540277d 100644 --- a/src/include/kim/kim_identity.h +++ b/src/include/kim/kim_identity.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -32,13 +32,13 @@ extern "C" { #include #include #include - + /*! * \ingroup kim_types_reference * Constant to specify any Kerberos identity is acceptable. */ #define KIM_IDENTITY_ANY ((kim_identity) NULL) - + /*! * \page kim_identity_overview KIM Identity Overview * @@ -46,22 +46,22 @@ extern "C" { * * Identities in Kerberos are named by "principals". These identies may be people (users) * or services (a server running on a host). When Kerberos issues credentials which - * authenticate one identity to another, the identity being authenticated is called - * the "client identity" and the identity being authenticated to is called the - * "service identity". + * authenticate one identity to another, the identity being authenticated is called + * the "client identity" and the identity being authenticated to is called the + * "service identity". * - * Kerberos identities are made up of one or more components, as well as the Kerberos realm - * the entity belongs to. For client identities the first component is usually the client - * username (eg: "jdoe"). For service identities the first component is the name of the + * Kerberos identities are made up of one or more components, as well as the Kerberos realm + * the entity belongs to. For client identities the first component is usually the client + * username (eg: "jdoe"). For service identities the first component is the name of the * service (eg: "imap"). * - * Kerberos identities have both a binary (opaque) representation and also a string + * Kerberos identities have both a binary (opaque) representation and also a string * representation. The string representation consists of the components separated by '/' * followed by an '@' and then the realm. For example, the identity "jdoe/admin@EXAMPLE.COM" - * represents John Doe's administrator identity at the realm EXAMPLE.COM. Note that + * represents John Doe's administrator identity at the realm EXAMPLE.COM. Note that * identity components may contain both '/' and '@' characters. When building a - * identity from its string representation these syntactic characters must be escaped - * with '\'. + * identity from its string representation these syntactic characters must be escaped + * with '\'. * * * \section kim_identity_create_display Creating and Displaying Identities @@ -70,7 +70,7 @@ extern "C" { * or from a krb5_principal. Once you have a KIM identity object, you can also get * the component, string or krb5_principal representations back out: * - * \li #kim_identity_create_from_components() creates an identity object from a list of components. + * \li #kim_identity_create_from_components() creates an identity object from a list of components. * \li #kim_identity_get_number_of_components() returns the number of components in an identity object. * \li #kim_identity_get_component_at_index() return a component of an identity object. * \li #kim_identity_get_realm() returns the identity's realm. @@ -88,15 +88,15 @@ extern "C" { * * \section kim_identity_selection Choosing a Client Identity * - * Unfortunately most of the time applications don't know what client identity to use. - * Users may have identities for multiple Kerberos realms, as well as multiple identities + * Unfortunately most of the time applications don't know what client identity to use. + * Users may have identities for multiple Kerberos realms, as well as multiple identities * in a single realm (such as a user and administrator identity). * * To solve this problem, #kim_selection_hints_get_identity() takes information * from the application in the form of a selection hints object and returns the best * matching client identity, if one is available. See \ref kim_selection_hints_overview * for more information. - * + * * * \section kim_identity_password Changing a Identity's Password * @@ -105,12 +105,12 @@ extern "C" { * change the identity's password directly, and also handles changing the identity's * password when it has expired. * - * #kim_identity_change_password() presents a user interface to obtain the old and - * new passwords from the user. + * #kim_identity_change_password() presents a user interface to obtain the old and + * new passwords from the user. * - * \note Not all identities have a password. Some sites use certificates (pkinit) + * \note Not all identities have a password. Some sites use certificates (pkinit) * and in the future there may be other authentication mechanisms (eg: smart cards). - * + * * See \ref kim_identity_reference for information on specific APIs. */ @@ -121,7 +121,7 @@ extern "C" { /*! * \param out_identity on exit, a new identity object. Must be freed with kim_identity_free(). - * \param in_string a string representation of a Kerberos identity. + * \param in_string a string representation of a Kerberos identity. * Special characters such as '/' and '@' must be escaped with '\'. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Create a identity from a string. @@ -131,26 +131,26 @@ kim_error kim_identity_create_from_string (kim_identity *out_identity, /*! * \param out_identity on exit, a new identity object. Must be freed with kim_identity_free(). - * \param in_realm a string representation of a Kerberos realm. + * \param in_realm a string representation of a Kerberos realm. * \param in_1st_component a string representing the first component of the identity. - * \param ... zero or more strings of type kim_string_t representing additional components - * of the identity followed by a terminating NULL. Components will be assembled in - * order (ie: the 4th argument to kim_identity_create_from_components() will be + * \param ... zero or more strings of type kim_string_t representing additional components + * of the identity followed by a terminating NULL. Components will be assembled in + * order (ie: the 4th argument to kim_identity_create_from_components() will be * the 2nd component of the identity). * \note The last argument must be a NULL or kim_identity_create_from_components() may crash. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Create a identity from a realm and component strings. */ kim_error kim_identity_create_from_components (kim_identity *out_identity, - kim_string in_realm, + kim_string in_realm, kim_string in_1st_component, ...); /*! - * \param out_identity on exit, a new identity object which is a copy of \a in_krb5_principal. + * \param out_identity on exit, a new identity object which is a copy of \a in_krb5_principal. * Must be freed with kim_identity_free(). * \param in_krb5_context the krb5 context used to create \a in_krb5_principal. - * \param in_krb5_principal a krb5 principal object. + * \param in_krb5_principal a krb5 principal object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Create an identity object from a krb5_principal. */ @@ -159,9 +159,9 @@ kim_error kim_identity_create_from_krb5_principal (kim_identity *out_identity, krb5_principal in_krb5_principal); /*! - * \param out_identity on exit, a new identity object which is a copy of \a in_identity. + * \param out_identity on exit, a new identity object which is a copy of \a in_identity. * Must be freed with kim_identity_free(). - * \param in_identity an identity object. + * \param in_identity an identity object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Copy an identity object. */ @@ -172,7 +172,7 @@ kim_error kim_identity_copy (kim_identity *out_identity, /*! * \param in_identity an identity object. * \param in_compare_to_identity an identity object. - * \param out_comparison on exit, a comparison of \a in_identity and + * \param out_comparison on exit, a comparison of \a in_identity and * \a in_compare_to_identity which determines whether * or not the two identities are equivalent and their * sort order (for display to the user) if they are not. @@ -183,8 +183,8 @@ kim_error kim_identity_compare (kim_identity in_identity, kim_identity in_compare_to_identity, kim_comparison *out_comparison); /*! - * \param in_identity an identity object. - * \param out_string on exit, a string representation of \a in_identity. + * \param in_identity an identity object. + * \param out_string on exit, a string representation of \a in_identity. * Must be freed with kim_string_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the string representation of a identity. @@ -195,7 +195,7 @@ kim_error kim_identity_get_string (kim_identity in_identity, /*! - * \param in_identity an identity object. + * \param in_identity an identity object. * \param out_display_string on exit, a string representation of \a in_identity appropriate for * display to the user. Must be freed with kim_string_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -209,7 +209,7 @@ kim_error kim_identity_get_display_string (kim_identity in_identity, kim_string *out_display_string); /*! - * \param in_identity an identity object. + * \param in_identity an identity object. * \param out_realm_string on exit, a string representation of \a in_identity's realm. * Must be freed with kim_string_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -219,7 +219,7 @@ kim_error kim_identity_get_realm (kim_identity in_identity, kim_string *out_realm_string); /*! - * \param in_identity an identity object. + * \param in_identity an identity object. * \param out_number_of_components on exit the number of components in \a in_identity. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the number of components of an identity. @@ -230,7 +230,7 @@ kim_error kim_identity_get_number_of_components (kim_identity in_identity, /*! * \param in_identity an identity object. * \param in_index the index of the desired component. Component indexes start at 0. - * \param out_component_string on exit, a string representation of the component in \a in_identity + * \param out_component_string on exit, a string representation of the component in \a in_identity * specified by \a in_index. Must be freed with kim_string_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the Nth component of an identity. @@ -241,19 +241,19 @@ kim_error kim_identity_get_component_at_index (kim_identity in_identity, /*! * \param in_identity an identity object. - * \param out_components on exit, a string of the non-realm components of \a in_identity + * \param out_components on exit, a string of the non-realm components of \a in_identity * separated by '/' characters. Must be freed with kim_string_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get a display string of the non-realm components of an identity. */ kim_error kim_identity_get_components_string (kim_identity in_identity, kim_string *out_components); - + /*! * \param in_identity an identity object. - * \param in_krb5_context a krb5 context object. + * \param in_krb5_context a krb5 context object. * \param out_krb5_principal on exit, a krb5_principal representation of \a in_identity - * allocated with \a in_krb5_context. Must be freed with + * allocated with \a in_krb5_context. Must be freed with * krb5_free_principal() using \a in_krb5_context. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the krb5_principal representation of an identity. @@ -266,8 +266,8 @@ kim_error kim_identity_get_krb5_principal (kim_identity in_identity, * \param in_identity an identity object whose password will be changed. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Change the password for an identity. - * \note kim_identity_change_password() will acquire a temporary credential to change - * the password. + * \note kim_identity_change_password() will acquire a temporary credential to change + * the password. */ kim_error kim_identity_change_password (kim_identity in_identity); diff --git a/src/include/kim/kim_library.h b/src/include/kim/kim_library.h index 681f58e79..fe351f7fc 100644 --- a/src/include/kim/kim_library.h +++ b/src/include/kim/kim_library.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/include/kim/kim_options.h b/src/include/kim/kim_options.h index d36aa0c02..85facfbbc 100644 --- a/src/include/kim/kim_options.h +++ b/src/include/kim/kim_options.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -28,9 +28,9 @@ #ifdef __cplusplus extern "C" { #endif - + #include - + /*! * \addtogroup kim_types_reference * @{ @@ -56,39 +56,39 @@ extern "C" { * Kerberos Identity Management Options (kim_options_t) allows you to control how * the Kerberos library obtains credentials. When the options structure is initialized with * #kim_options_create(), each option is filled in with a default value which can then be modified - * with the kim_options_set_*() APIs. If you only want to use the default values, you may pass + * with the kim_options_set_*() APIs. If you only want to use the default values, you may pass * #KIM_OPTIONS_DEFAULT into any KIM function that takes a kim_options_t. - * - * KIM options fall into two major categories: options for controlling how credentials are + * + * KIM options fall into two major categories: options for controlling how credentials are * acquired and options for controlling what properties the newly acquired credentials will have: * * \section kim_options_credential_properties Options for Controlling Credential Properties * * Kerberos credentials have a number of different properties which can be requested - * when credentials are acquired. These properties control when and for how long the - * credentials are valid and what you can do with them. - - * Note that setting these properties in the KIM options only changes what the Kerberos - * libraries \em request from the KDC. The KDC itself may choose not to honor your - * requested properties if they violate the site security policy. For example, most sites - * place an upper bound on how long credentials may be valid. If you request a credential - * lifetime longer than this upper bound, the KDC may return credentials with a shorter + * when credentials are acquired. These properties control when and for how long the + * credentials are valid and what you can do with them. + + * Note that setting these properties in the KIM options only changes what the Kerberos + * libraries \em request from the KDC. The KDC itself may choose not to honor your + * requested properties if they violate the site security policy. For example, most sites + * place an upper bound on how long credentials may be valid. If you request a credential + * lifetime longer than this upper bound, the KDC may return credentials with a shorter * lifetime than you requested. * * \subsection kim_options_lifetimes Credential Lifetime * - * Kerberos credentials have start time and a lifetime during which they are valid. - * Once the lifetime has passed, credentials "expire" and can no longer be used. + * Kerberos credentials have start time and a lifetime during which they are valid. + * Once the lifetime has passed, credentials "expire" and can no longer be used. * - * The requested credential start time can be set with #kim_options_set_start_time() + * The requested credential start time can be set with #kim_options_set_start_time() * and examined with #kim_options_get_start_time(). The requested credential * lifetime can be set with #kim_options_set_lifetime() and examined with * #kim_options_get_lifetime(). - * + * * \subsection kim_options_renewable Renewable Credentials * * Credentials with very long lifetimes are more convenient since the user does not - * have authenticate as often. Unfortunately they are also a higher security + * have authenticate as often. Unfortunately they are also a higher security * risk: if credentials are stolen they can be used until they expire. * Credential renewal exists to compromise between these two conflicting goals. * @@ -101,45 +101,45 @@ extern "C" { * the end of the renewal lifetime, their lifetime will be capped to the end of the * renewal lifetime. * - * Note that credentials must be valid to be renewed and therefore may not be + * Note that credentials must be valid to be renewed and therefore may not be * an appropriate solution for all use cases. Sites which use renewable - * credentials often create helper processes running as the user which will + * credentials often create helper processes running as the user which will * automatically renew the user's credentials when they get close to expiration. - * + * * Use #kim_options_set_renewable() to change whether or not the Kerberos libraries - * request renewable credentials and #kim_options_get_renewable() to find out the + * request renewable credentials and #kim_options_get_renewable() to find out the * current setting. Use #kim_options_set_renewal_lifetime() to change the requested - * renewal lifetime and #kim_options_get_renewal_lifetime() to find out the current + * renewal lifetime and #kim_options_get_renewal_lifetime() to find out the current * value. * * \subsection kim_options_addressless Addressless Credentials * - * Traditionally Kerberos used the host's IP address as a mechanism to restrict - * the user's credentials to a specific host, thus making it harder to use stolen + * Traditionally Kerberos used the host's IP address as a mechanism to restrict + * the user's credentials to a specific host, thus making it harder to use stolen * credentials. When authenticating to a remote service with credentials containing - * addresses, the remote service verifies that the client's IP address is one of the - * addresses listed in the credential. Unfortunately, modern network technologies - * such as NAT rewrite the IP address in transit, making it difficult to use - * credentials with addresses in them. As a result, most Kerberos sites now obtain - * addressless credentials. + * addresses, the remote service verifies that the client's IP address is one of the + * addresses listed in the credential. Unfortunately, modern network technologies + * such as NAT rewrite the IP address in transit, making it difficult to use + * credentials with addresses in them. As a result, most Kerberos sites now obtain + * addressless credentials. * * Use #kim_options_set_addressless() to change whether or not the Kerberos libraries - * request addressless credentials. Use #kim_options_get_addressless() to find out the + * request addressless credentials. Use #kim_options_get_addressless() to find out the * current setting. * * \subsection kim_options_forwardable Forwardable Credentials * - * Forwardable credentials are TGT credentials which can be forwarded to a service - * you have authenticated to. If the credentials contain IP addresses, the addresses - * are changed to reflect the service's IP address. Credential forwarding is most - * commonly used for Kerberos-authenticated remote login services. By forwarding - * TGT credentials through the remote login service, the user's credentials will - * appear on the remote host when the user logs in. + * Forwardable credentials are TGT credentials which can be forwarded to a service + * you have authenticated to. If the credentials contain IP addresses, the addresses + * are changed to reflect the service's IP address. Credential forwarding is most + * commonly used for Kerberos-authenticated remote login services. By forwarding + * TGT credentials through the remote login service, the user's credentials will + * appear on the remote host when the user logs in. * * The forwardable flag only applies to TGT credentials. * * Use #kim_options_set_forwardable() to change whether or not the Kerberos libraries - * request forwardable credentials. Use #kim_options_get_forwardable() to find out the + * request forwardable credentials. Use #kim_options_get_forwardable() to find out the * current setting. * * \subsection kim_options_proxiable Proxiable Credentials @@ -147,29 +147,29 @@ extern "C" { * Proxiable credentials are similar to forwardable credentials except that instead of * forwarding the a TGT credential itself, a service credential is forwarded * instead. Using proxiable credentials, a user can permit a service to perform - * a specific task as the user using one of the user's service credentials. + * a specific task as the user using one of the user's service credentials. * * Like forwardability, the proxiable flag only applies to TGT credentials. Unlike - * forwarded credentials, the IP address of proxiable credentials are not modified for + * forwarded credentials, the IP address of proxiable credentials are not modified for * the service when being proxied. This can be solved by also requesting addressless * credentials. * * Use #kim_options_set_proxiable() to change whether or not the Kerberos libraries - * request proxiable credentials. Use #kim_options_get_proxiable() to find out the + * request proxiable credentials. Use #kim_options_get_proxiable() to find out the * current setting. * * \subsection kim_options_service_name Service Name * - * Normally users acquire TGT credentials (ie "ticket granting tickets") and then - * use those credentials to acquire service credentials. This allows Kerberos to - * provide single sign-on while still providing mutual authentication to services. - * However, sometimes you just want an initial credential for a service. KIM - * options allows you to set the service name with - * #kim_options_set_service_name() and query it with + * Normally users acquire TGT credentials (ie "ticket granting tickets") and then + * use those credentials to acquire service credentials. This allows Kerberos to + * provide single sign-on while still providing mutual authentication to services. + * However, sometimes you just want an initial credential for a service. KIM + * options allows you to set the service name with + * #kim_options_set_service_name() and query it with * #kim_options_get_service_name(). * * See \ref kim_options_reference for information on specific APIs. - */ + */ /*! * \defgroup kim_options_reference KIM Options Reference Documentation @@ -184,10 +184,10 @@ extern "C" { kim_error kim_options_create (kim_options *out_options); /*! - * \param out_options on exit, a new options object which is a copy of \a in_options. + * \param out_options on exit, a new options object which is a copy of \a in_options. * Must be freed with kim_options_free(). If passed KIM_OPTIONS_DEFAULT * will set \a out_options to KIM_OPTIONS_DEFAULT. - * \param in_options a options object. + * \param in_options a options object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Copy options. */ @@ -196,13 +196,13 @@ kim_error kim_options_copy (kim_options *out_options, /*! * \param io_options an options object to modify. - * \param in_start_time a start date (in seconds since January 1, 1970). Set to - * #KIM_OPTIONS_START_IMMEDIATELY for the acquired credential to be valid + * \param in_start_time a start date (in seconds since January 1, 1970). Set to + * #KIM_OPTIONS_START_IMMEDIATELY for the acquired credential to be valid * immediately. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set the date when a credential should become valid. - * \note When using a start time in the future, once the start time has been reached the credential - * must be validated before it can be used. + * \note When using a start time in the future, once the start time has been reached the credential + * must be validated before it can be used. * \par Default value * 0, indicating "now". The credential will be valid immediately. * \sa kim_options_get_start_time(), kim_credential_validate(), kim_ccache_validate(), kim_identity_validate() @@ -212,12 +212,12 @@ kim_error kim_options_set_start_time (kim_options io_options, /*! * \param in_options an options object. - * \param out_start_time on exit, the start date (in seconds since January 1, 1970) specified by + * \param out_start_time on exit, the start date (in seconds since January 1, 1970) specified by * \a in_options. #KIM_OPTIONS_START_IMMEDIATELY indicates the credential * will be valid immediately. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the date when a credential should become valid. - * \note When using a start time in the future, once the start time has been reached the credential + * \note When using a start time in the future, once the start time has been reached the credential * must be validated before it can be used. * \par Default value * 0, indicating "now". The credential will be valid immediately. @@ -258,7 +258,7 @@ kim_error kim_options_get_lifetime (kim_options in_options, /*! * \param io_options an options object to modify. - * \param in_renewable a boolean value indicating whether or not to request a renewable + * \param in_renewable a boolean value indicating whether or not to request a renewable * credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set whether or not to request a renewable credential. @@ -271,7 +271,7 @@ kim_error kim_options_set_renewable (kim_options io_options, /*! * \param in_options an options object. - * \param out_renewable on exit, a boolean value indicating whether or \a in_options will + * \param out_renewable on exit, a boolean value indicating whether or \a in_options will * request a renewable credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get whether or not to request a renewable credential. @@ -299,7 +299,7 @@ kim_error kim_options_set_renewal_lifetime (kim_options io_options, /*! * \param in_options an options object. - * \param out_renewal_lifetime on exit, the renewal lifetime duration (in seconds) specified + * \param out_renewal_lifetime on exit, the renewal lifetime duration (in seconds) specified * in \a in_options. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the duration during which a valid credential should be renewable. @@ -315,7 +315,7 @@ kim_error kim_options_get_renewal_lifetime (kim_options in_options, /*! * \param io_options an options object to modify. - * \param in_forwardable a boolean value indicating whether or not to request a forwardable + * \param in_forwardable a boolean value indicating whether or not to request a forwardable * credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set whether or not to request a forwardable credential. @@ -328,7 +328,7 @@ kim_error kim_options_set_forwardable (kim_options io_options, /*! * \param in_options an options object. - * \param out_forwardable on exit, a boolean value indicating whether or \a in_options will + * \param out_forwardable on exit, a boolean value indicating whether or \a in_options will * request a forwardable credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get whether or not to request a forwardable credential. @@ -341,7 +341,7 @@ kim_error kim_options_get_forwardable (kim_options in_options, /*! * \param io_options an options object to modify. - * \param in_proxiable a boolean value indicating whether or not to request a proxiable + * \param in_proxiable a boolean value indicating whether or not to request a proxiable * credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set whether or not to request a proxiable credential. @@ -354,7 +354,7 @@ kim_error kim_options_set_proxiable (kim_options io_options, /*! * \param in_options an options object. - * \param out_proxiable on exit, a boolean value indicating whether or \a in_options will + * \param out_proxiable on exit, a boolean value indicating whether or \a in_options will * request a proxiable credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get whether or not to request a proxiable credential. @@ -367,7 +367,7 @@ kim_error kim_options_get_proxiable (kim_options in_options, /*! * \param io_options an options object to modify. - * \param in_addressless a boolean value indicating whether or not to request an addressless + * \param in_addressless a boolean value indicating whether or not to request an addressless * credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set whether or not to request an addressless credential. @@ -380,7 +380,7 @@ kim_error kim_options_set_addressless (kim_options io_options, /*! * \param in_options an options object. - * \param out_addressless on exit, a boolean value indicating whether or \a in_options will + * \param out_addressless on exit, a boolean value indicating whether or \a in_options will * request an addressless credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get whether or not to request an addressless credential. diff --git a/src/include/kim/kim_preferences.h b/src/include/kim/kim_preferences.h index d7970ba04..77edde462 100644 --- a/src/include/kim/kim_preferences.h +++ b/src/include/kim/kim_preferences.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -30,20 +30,20 @@ extern "C" { #endif #include - + /*! * \page kim_preferences_overview KIM Preferences Overview * * \section kim_preferences_introduction Introduction * * In addition to the site preferences stored in the Kerberos configuration, users may also - * want to have their own personal preferences for controlling credential acquisition. - * As a result, KIM provides user preferences for initial credential options and + * want to have their own personal preferences for controlling credential acquisition. + * As a result, KIM provides user preferences for initial credential options and * user interface behavior such as the default client identity and the favorite identities list. * * \section kim_preferences_edit Viewing and Editing the Preferences - * - * In order to view and edit the user's preferences, call #kim_preferences_create() to acquire a + * + * In order to view and edit the user's preferences, call #kim_preferences_create() to acquire a * preferences object containing the user's preferences. You can examine preferences * with the functions starting with "kim_preferences_get_" and change preferences with * the functions starting with "kim_preferences_set_". Once you are done making changes, @@ -56,88 +56,88 @@ extern "C" { * \section kim_preferences_options Initial Credential Options Preferences * * KIM provides user preferences for initial credential options. These - * are the options #kim_options_create() will use when creating a new KIM + * are the options #kim_options_create() will use when creating a new KIM * options object. They are also the options specified by KIM_OPTIONS_DEFAULT. - * You can view and edit the initial credential options using - * #kim_preferences_get_options() and #kim_preferences_set_options(). + * You can view and edit the initial credential options using + * #kim_preferences_get_options() and #kim_preferences_set_options(). * - * \note Not all credential options in the kim_options_t object have corresponding + * \note Not all credential options in the kim_options_t object have corresponding * user preferences. For example, the prompt callback function is not stored - * in the user preferences since it has no meaning outside of the current + * in the user preferences since it has no meaning outside of the current * application. Some options which are not currently stored in the - * preferences may be stored there in the future. + * preferences may be stored there in the future. * - * If you are implementing a user interface for credentials acquisition, + * If you are implementing a user interface for credentials acquisition, * you should be aware that KIM has a user preference to manage the initial - * credential options preferences. If the user successfully acquires credentials - * with non-default options and #kim_preferences_get_remember_options() is set - * to TRUE, you should store the options used to get credentials with - * #kim_preferences_set_options(). + * credential options preferences. If the user successfully acquires credentials + * with non-default options and #kim_preferences_get_remember_options() is set + * to TRUE, you should store the options used to get credentials with + * #kim_preferences_set_options(). * * \section kim_preferences_client_identity Client Identity Preferences * - * KIM also provides user preferences for the default client identity. + * KIM also provides user preferences for the default client identity. * This identity is used whenever KIM needs to display a graphical dialog for * credential acquisition but does not know what client identity to use. - * You can view and edit the default client identity using - * #kim_preferences_get_client_identity() and - * #kim_preferences_set_client_identity(). + * You can view and edit the default client identity using + * #kim_preferences_get_client_identity() and + * #kim_preferences_set_client_identity(). * - * If you are implementing a user interface for credentials acquisition, - * you should be aware that KIM has a user preference to manage - * the client identity preferences. If the user successfully acquires credentials - * with non-default options and #kim_preferences_get_remember_client_identity() is + * If you are implementing a user interface for credentials acquisition, + * you should be aware that KIM has a user preference to manage + * the client identity preferences. If the user successfully acquires credentials + * with non-default options and #kim_preferences_get_remember_client_identity() is * set to TRUE, you should store the client identity for which credentials were - * acquired using #kim_preferences_set_client_identity(). - * + * acquired using #kim_preferences_set_client_identity(). + * * \section kim_preferences_favorite_identities Favorite Identities Preferences * * As Kerberos becomes more widespread, the number of possible Kerberos * identities and realms a user might want to use will become very large. - * Sites may list hundreds of realms in their Kerberos configuration files. + * Sites may list hundreds of realms in their Kerberos configuration files. * In addition, sites may wish to use DNS SRV records to avoid having to list - * all the realms they use in their Kerberos configuration. As a result, the - * list of realms in the Kerberos configuration may be exceedingly large and/or + * all the realms they use in their Kerberos configuration. As a result, the + * list of realms in the Kerberos configuration may be exceedingly large and/or * incomplete. Users may also use multiple identities from the same realm. * * On platforms which use a GUI to acquire credentials, the KIM would like - * to to display a list of identities for the user to select from. Depending on - * what is appropriate for the platform, identities may be displayed in a popup - * menu or other list. + * to to display a list of identities for the user to select from. Depending on + * what is appropriate for the platform, identities may be displayed in a popup + * menu or other list. * - * To solve this problem, the KIM maintains a list of favorite identities - * specifically for identity selection. This list is a set of unique identities - * in alphabetical order (as appropriate for the user's language localization). + * To solve this problem, the KIM maintains a list of favorite identities + * specifically for identity selection. This list is a set of unique identities + * in alphabetical order (as appropriate for the user's language localization). * * Each identity may optionally have its own options for ticket acquisition. * This allows KIM UIs to remember what ticket options worked for a specific * identity. For example if the user normally wants renewable tickets but * they have one identity at a KDC which rejects requests for renewable tickets, - * the "not renewable" option can be associated with that identity without + * the "not renewable" option can be associated with that identity without * changing the user's default preference to get renewable tickets. If an * identity should use the default options, just pass KIM_OPTIONS_DEFAULT. * * Most callers will not need to use the favorite identities APIs. However if you - * are implementing your own graphical prompt callback or a credential management + * are implementing your own graphical prompt callback or a credential management * application, you may to view and/or edit the user's favorite identities. * * \section kim_favorite_identities_edit Viewing and Editing the Favorite Identities - * + * * First, you need to acquire the Favorite Identities stored in the user's * preferences using #kim_preferences_create(). - * - * Then use #kim_preferences_get_number_of_favorite_identities() and - * #kim_preferences_get_favorite_identity_at_index() to display the identities list. - * Use #kim_preferences_add_favorite_identity() and #kim_preferences_remove_favorite_identity() + * + * Then use #kim_preferences_get_number_of_favorite_identities() and + * #kim_preferences_get_favorite_identity_at_index() to display the identities list. + * Use #kim_preferences_add_favorite_identity() and #kim_preferences_remove_favorite_identity() * to change which identities are in the identities list. Identities are always stored in * alphabetical order and duplicate identities are not permitted, so when you add or remove a * identity you should redisplay the entire list. If you wish to replace the * identities list entirely, use #kim_preferences_remove_all_favorite_identities() * to clear the list before adding your identities. * - * Once you are done editing the favorite identities list, store changes in the + * Once you are done editing the favorite identities list, store changes in the * user's preference file using #kim_preferences_synchronize(). - * + * * See \ref kim_preferences_reference for information on specific APIs. */ @@ -147,7 +147,7 @@ extern "C" { */ /*! - * \param out_preferences on exit, a new preferences object. + * \param out_preferences on exit, a new preferences object. * Must be freed with kim_preferences_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Create a new preferences object from the current user's preferences. @@ -155,9 +155,9 @@ extern "C" { kim_error kim_preferences_create (kim_preferences *out_preferences); /*! - * \param out_preferences on exit, a new preferences object which is a copy of in_preferences. + * \param out_preferences on exit, a new preferences object which is a copy of in_preferences. * Must be freed with kim_preferences_free(). - * \param in_preferences a preferences object. + * \param in_preferences a preferences object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Copy a preferences object. */ @@ -188,7 +188,7 @@ kim_error kim_preferences_get_options (kim_preferences in_preferences, /*! * \param io_preferences a preferences object to modify. - * \param in_remember_options a boolean value indicating whether or not to remember the last + * \param in_remember_options a boolean value indicating whether or not to remember the last * options used to acquire a credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set whether or not to remember the last options the user used to acquire a credential. @@ -199,7 +199,7 @@ kim_error kim_preferences_set_remember_options (kim_preferences io_preferences, /*! * \param in_preferences a preferences object. - * \param out_remember_options on exit, a boolean value indicating whether or \a in_preferences will + * \param out_remember_options on exit, a boolean value indicating whether or \a in_preferences will * remember the last options used to acquire a credential. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get whether or not to remember the last options the user used to acquire a credential. @@ -231,7 +231,7 @@ kim_error kim_preferences_get_client_identity (kim_preferences in_preferences, /*! * \param io_preferences a preferences object to modify. - * \param in_remember_client_identity a boolean value indicating whether or not to remember the last + * \param in_remember_client_identity a boolean value indicating whether or not to remember the last * client identity for which a credential was acquired. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set whether or not to remember the last client identity the user acquired a credential for. @@ -242,7 +242,7 @@ kim_error kim_preferences_set_remember_client_identity (kim_preferences io_prefe /*! * \param in_preferences a preferences object. - * \param out_remember_client_identity on exit, a boolean value indicating whether or \a in_preferences will + * \param out_remember_client_identity on exit, a boolean value indicating whether or \a in_preferences will * remember the last client identity for which a credential was acquired. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get whether or not to remember the last client identity the user acquired a credential for. @@ -264,7 +264,7 @@ kim_error kim_preferences_set_minimum_lifetime (kim_preferences io_preferences, /*! * \param in_preferences a preferences object. - * \param out_minimum_lifetime on exit, the minimum lifetime that GUI tools will + * \param out_minimum_lifetime on exit, the minimum lifetime that GUI tools will * allow the user to specify for credentials. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the minimum credential lifetime for GUI credential lifetime controls. @@ -286,7 +286,7 @@ kim_error kim_preferences_set_maximum_lifetime (kim_preferences io_preferences, /*! * \param in_preferences a preferences object. - * \param out_maximum_lifetime on exit, the maximum lifetime that GUI tools will + * \param out_maximum_lifetime on exit, the maximum lifetime that GUI tools will * allow the user to specify for credentials. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the maximum credential lifetime for GUI credential lifetime controls. @@ -298,7 +298,7 @@ kim_error kim_preferences_get_maximum_lifetime (kim_preferences in_preferences, /*! * \param io_preferences a preferences object to modify. * \param in_minimum_renewal_lifetime a minimum lifetime indicating how small a lifetime the - * GUI tools should allow the user to specify for + * GUI tools should allow the user to specify for * credential renewal. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set the minimum credential renewal lifetime for GUI credential lifetime controls. @@ -309,7 +309,7 @@ kim_error kim_preferences_set_minimum_renewal_lifetime (kim_preferences io_prefe /*! * \param in_preferences a preferences object. - * \param out_minimum_renewal_lifetime on exit, the minimum lifetime that GUI tools will + * \param out_minimum_renewal_lifetime on exit, the minimum lifetime that GUI tools will * allow the user to specify for credential renewal. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the minimum credential renewal lifetime for GUI credential lifetime controls. @@ -321,7 +321,7 @@ kim_error kim_preferences_get_minimum_renewal_lifetime (kim_preferences in_pref /*! * \param io_preferences a preferences object to modify. * \param in_maximum_renewal_lifetime a maximum lifetime indicating how large a lifetime the - * GUI tools should allow the user to specify for + * GUI tools should allow the user to specify for * credential renewal. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set the maximum credential renewal lifetime for GUI credential lifetime controls. @@ -332,7 +332,7 @@ kim_error kim_preferences_set_maximum_renewal_lifetime (kim_preferences io_prefe /*! * \param in_preferences a preferences object. - * \param out_maximum_renewal_lifetime on exit, the maximum lifetime that GUI tools will + * \param out_maximum_renewal_lifetime on exit, the maximum lifetime that GUI tools will * allow the user to specify for credential renewal. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Get the maximum credential renewal lifetime for GUI credential lifetime controls. @@ -355,7 +355,7 @@ kim_error kim_preferences_get_number_of_favorite_identities (kim_preferences in * \param in_index a index into the identities list (starting at 0). * \param out_identity on exit, the identity at \a in_index in \a in_preferences. * Must be freed with kim_string_free(). - * \param out_options on exit, the options associated with identity at \a in_index + * \param out_options on exit, the options associated with identity at \a in_index * in \a in_favorite_identities. May be KIM_OPTIONS_DEFAULT. * Pass NULL if you do not want the options associated with the identity. * Must be freed with kim_options_free(). diff --git a/src/include/kim/kim_selection_hints.h b/src/include/kim/kim_selection_hints.h index 1abbd0211..20af083a9 100644 --- a/src/include/kim/kim_selection_hints.h +++ b/src/include/kim/kim_selection_hints.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -30,63 +30,63 @@ extern "C" { #endif #include - + /*! * \page kim_selection_hints_overview KIM Selection Hints Overview * * \section kim_selection_hints_introduction Introduction * * Most users belong to multiple organizations and thus need - * to authenticate to multiple Kerberos realms. Traditionally Kerberos sites - * solved this problem by setting up a cross-realm relationship, which allowed - * the user to use TGT credentials for their client identity in one realm - * to obtain credentials in another realm via cross-realm authentication. As a - * result users could acquire credentials for a single client identity and use + * to authenticate to multiple Kerberos realms. Traditionally Kerberos sites + * solved this problem by setting up a cross-realm relationship, which allowed + * the user to use TGT credentials for their client identity in one realm + * to obtain credentials in another realm via cross-realm authentication. As a + * result users could acquire credentials for a single client identity and use * them everywhere. * - * Setting up cross-realm requires that realms share a secret, so sites must - * coordinate with one another to set up a cross-realm relationship. In - * addition, sites must set up authorization policies for users from other - * realms. As Kerberos becomes increasingly wide-spread, many realms will - * not have cross-realm relationships, and users will need to + * Setting up cross-realm requires that realms share a secret, so sites must + * coordinate with one another to set up a cross-realm relationship. In + * addition, sites must set up authorization policies for users from other + * realms. As Kerberos becomes increasingly wide-spread, many realms will + * not have cross-realm relationships, and users will need to * manually obtain credentials for their client identity at each realm - * (eg: "user@BANK.COM", "user@UNIVERSITY.EDU", etc). As a result, users + * (eg: "user@BANK.COM", "user@UNIVERSITY.EDU", etc). As a result, users * will often have multiple credentials caches, one for each client identity. * * Unfortunately this presents a problem for applications which need to obtain - * service credentials. Which client identity should they use? + * service credentials. Which client identity should they use? * Rather than having each application to manually search the cache collection, - * KIM provides a selection hints API for choosing the best client identity. - * This API is intended to simplify the process of choosing credentials + * KIM provides a selection hints API for choosing the best client identity. + * This API is intended to simplify the process of choosing credentials * and provide consistent behavior across all applications. * * Searching the cache collection for credentials may be expensive if there - * are a large number of caches. If credentials for the client identity + * are a large number of caches. If credentials for the client identity * are expired or not present, KIM may also wish to prompt the user for - * new credentials for the appropriate client identity. As a result, + * new credentials for the appropriate client identity. As a result, * applications might want to remember which client identity worked in - * the past and always request credentials using that identity. - * + * the past and always request credentials using that identity. + * * * \section kim_selection_hints_creating Creating KIM Selection Hints - * - * A KIM selection hints object consists of an application identifier and one or - * more pieces of information about the service the client application will be - * contacting. The application identifier is used by user preferences + * + * A KIM selection hints object consists of an application identifier and one or + * more pieces of information about the service the client application will be + * contacting. The application identifier is used by user preferences * to control how applications share cache entries. It is important to be - * consistent about what application identifier you provide. Java-style + * consistent about what application identifier you provide. Java-style * identifiers are recommended to avoid collisions. * * \section kim_selection_hints_searching Selection Hint Search Behavior * - * When using selection hints to search for an appropriate client identity, - * KIM uses a consistent hint search order. This allows applications to specify - * potentially contradictory information without preventing KIM from locating a - * single ccache. In addition the selection hint search order may change, - * especially if more hints are added. + * When using selection hints to search for an appropriate client identity, + * KIM uses a consistent hint search order. This allows applications to specify + * potentially contradictory information without preventing KIM from locating a + * single ccache. In addition the selection hint search order may change, + * especially if more hints are added. * - * As a result, callers are encouraged to provide all relevant search hints, - * even if only a subset of those search hints are necessary to get reasonable + * As a result, callers are encouraged to provide all relevant search hints, + * even if only a subset of those search hints are necessary to get reasonable * behavior in the current implementation. Doing so will provide the most * user-friendly selection experience. * @@ -99,14 +99,14 @@ extern "C" { * \li Client Realm A client identity in this realm. * \li User A client identity whose first component is this user string. * - * For example, if you specify a service identity and a credential for - * that identity already exists in the ccache collection, KIM may use that - * ccache, even if your user and client realm entries in the selection hints would + * For example, if you specify a service identity and a credential for + * that identity already exists in the ccache collection, KIM may use that + * ccache, even if your user and client realm entries in the selection hints would * lead it to choose a different ccache. If no credentials for the service identity * exist then KIM will fall back on the user and realm hints. * - * \note Due to performance and information exposure concerns, currently all - * searching is done by examining the cache collection. In the future the KIM + * \note Due to performance and information exposure concerns, currently all + * searching is done by examining the cache collection. In the future the KIM * may also make network requests as part of its search algorithm. For example * it might check to see if the TGT credentials in each ccache can obtain * credentials for the service identity specified by the selection hints. @@ -114,56 +114,56 @@ extern "C" { * \section kim_selection_hints_selecting Selecting an Identity Using Selection Hints * * Once you have provided search criteria for selecting an identity, use - * #kim_selection_hints_get_identity() to obtain an identity object. + * #kim_selection_hints_get_identity() to obtain an identity object. * You can then use #kim_identity_get_string() to obtain a krb5 principal - * string for use with gss_import_name() and gss_acquire_cred(). Alternatively, - * you can use #kim_ccache_create_from_client_identity() to obtain a ccache + * string for use with gss_import_name() and gss_acquire_cred(). Alternatively, + * you can use #kim_ccache_create_from_client_identity() to obtain a ccache * containing credentials for the identity. * * \note #kim_selection_hints_get_identity() obtains an identity based on - * the current state of the selection hints object. If you change the + * the current state of the selection hints object. If you change the * selection hints object you must call #kim_selection_hints_get_identity() * again. * * \section kim_selection_hints_caching Selection Hint Caching Behavior - * + * * In addition to using selection hints to search for an appropriate client - * identity, KIM can also use them to remember which client identity worked. + * identity, KIM can also use them to remember which client identity worked. * KIM maintains a per-user cache mapping selection hints to identities so - * that applications do not have to maintain their own caches or present + * that applications do not have to maintain their own caches or present * user interface for selecting which cache to use. * * When #kim_selection_hints_get_identity() is called KIM looks up in the - * cache and returns the identity which the selection hints map to. If - * there is not a preexisting cache entry for the selection hints then + * cache and returns the identity which the selection hints map to. If + * there is not a preexisting cache entry for the selection hints then * #kim_selection_hints_get_identity() will search for an identity and - * prompt the user if it cannot find an appropriate one. - * - * If the client identity returned by KIM authenticates and passes + * prompt the user if it cannot find an appropriate one. + * + * If the client identity returned by KIM authenticates and passes * authorization checks, you should tell KIM to cache the identity by calling * #kim_selection_hints_remember_identity(). This will create a cache entry - * for the mapping between your selection hints and the identity so that - * subsequent calls to #kim_selection_hints_get_identity() do not need to - * prompt the user. + * for the mapping between your selection hints and the identity so that + * subsequent calls to #kim_selection_hints_get_identity() do not need to + * prompt the user. * * If the client identity returned by KIM fails to authenticate or fails - * authorization checks, you must call #kim_selection_hints_forget_identity() + * authorization checks, you must call #kim_selection_hints_forget_identity() * to remove any mapping that already exists. After this function is called, - * future calls to #kim_selection_hints_get_identity() will search for an - * identity again. You may also wish to call this function if the user - * changes your application preferences such that the identity might be + * future calls to #kim_selection_hints_get_identity() will search for an + * identity again. You may also wish to call this function if the user + * changes your application preferences such that the identity might be * invalidated. - * + * * \note It is very important that you call #kim_selection_hints_forget_identity() * if your application fails to successfully establish a connection with the - * server. Otherwise the user can get "stuck" using the same non-working - * identity if they chose the wrong one accidentally or if their identity - * information changes. Because only your application understands the + * server. Otherwise the user can get "stuck" using the same non-working + * identity if they chose the wrong one accidentally or if their identity + * information changes. Because only your application understands the * authorization checksof the protocol it uses, KIM cannot tell whether or not * the identity worked. - * + * * If you wish to search and prompt for an identity without using - * the cached mappings, you can turn off the cached mapping lookups using + * the cached mappings, you can turn off the cached mapping lookups using * #kim_selection_hints_set_remember_identity(). This is not recommended * for most applications since it will result in a lot of unnecessary * searching and prompting for identities. @@ -173,40 +173,40 @@ extern "C" { * service. Otherwise KIM will not always find the cache entries. * * \section kim_selection_hints_prompt Selection Hint Prompting Behavior - * + * * If valid credentials for identity in the selection hints cache are * unavailable or if no identity could be found using searching or caching - * when #kim_selection_hints_get_identity() is called, KIM may present a - * GUI to ask the user to select an identity or acquire credentials for - * an identity. - * - * \note Because of the caching behavior described above the user will - * only be prompted to choose an identity when setting up the application - * or when their identity stops working. - * - * In order to let the user know why Kerberos needs their assistance, KIM - * displays the name of the application which requested the identity - * selection. Unfortunately, some platforms do not provide a runtime - * mechanism for determining the name of the calling process. If your - * application runs on one of these platforms (or is cross-platform) - * you should provide a localized version of its name with + * when #kim_selection_hints_get_identity() is called, KIM may present a + * GUI to ask the user to select an identity or acquire credentials for + * an identity. + * + * \note Because of the caching behavior described above the user will + * only be prompted to choose an identity when setting up the application + * or when their identity stops working. + * + * In order to let the user know why Kerberos needs their assistance, KIM + * displays the name of the application which requested the identity + * selection. Unfortunately, some platforms do not provide a runtime + * mechanism for determining the name of the calling process. If your + * application runs on one of these platforms (or is cross-platform) + * you should provide a localized version of its name with * the private function #kim_library_set_application_name(). * - * In many cases a single application may select different identities for - * different purposes. For example an email application might use different - * identities to check mail for different accounts. If your application - * has this property you may need to provide the user with a localized - * string describing how the identity will be used. You can specify - * this string with #kim_selection_hints_get_explanation(). You can find + * In many cases a single application may select different identities for + * different purposes. For example an email application might use different + * identities to check mail for different accounts. If your application + * has this property you may need to provide the user with a localized + * string describing how the identity will be used. You can specify + * this string with #kim_selection_hints_get_explanation(). You can find * out what string will be used with kim_selection_hints_set_explanation(). * * Since the user may choose to acquire credentials when selection an - * identity, KIM also provides #kim_selection_hints_set_options() to - * set what credential acquisition options are used. - * #kim_selection_hints_get_options() returns the options which will be used. + * identity, KIM also provides #kim_selection_hints_set_options() to + * set what credential acquisition options are used. + * #kim_selection_hints_get_options() returns the options which will be used. * - * If you need to disable user interaction, use - * #kim_selection_hints_set_allow_user_interaction(). Use + * If you need to disable user interaction, use + * #kim_selection_hints_set_allow_user_interaction(). Use * #kim_selection_hints_get_allow_user_interaction() to find out whether or * not user interaction is enabled. User interaction is enabled by default. * @@ -218,11 +218,11 @@ extern "C" { * @{ */ -/*! A client identity in this realm. +/*! A client identity in this realm. * See \ref kim_selection_hints_overview for more information */ #define kim_hint_key_client_realm "kim_hint_key_client_realm" -/*! A client identity whose first component is this user string. +/*! A client identity whose first component is this user string. * See \ref kim_selection_hints_overview for more information */ #define kim_hint_key_user "kim_hint_key_user" @@ -230,7 +230,7 @@ extern "C" { * See \ref kim_selection_hints_overview for more information */ #define kim_hint_key_service_realm "kim_hint_key_service_realm" -/*! A client identity which has obtained a service credential for this service. +/*! A client identity which has obtained a service credential for this service. * See \ref kim_selection_hints_overview for more information */ #define kim_hint_key_service "kim_hint_key_service" @@ -238,14 +238,14 @@ extern "C" { * See \ref kim_selection_hints_overview for more information */ #define kim_hint_key_server "kim_hint_key_server" -/*! The client identity which has obtained a service credential for this service identity. +/*! The client identity which has obtained a service credential for this service identity. * See \ref kim_selection_hints_overview for more information */ #define kim_hint_key_service_identity "kim_hint_key_service_identity" - + /*! - * \param out_selection_hints on exit, a new selection hints object. + * \param out_selection_hints on exit, a new selection hints object. * Must be freed with kim_selection_hints_free(). - * \param in_application_identifier an application identifier string. Java-style identifiers are recommended + * \param in_application_identifier an application identifier string. Java-style identifiers are recommended * to avoid cache entry collisions (eg: "com.example.MyApplication") * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Create a new selection hints object. @@ -254,9 +254,9 @@ kim_error kim_selection_hints_create (kim_selection_hints *out_selection_hints, kim_string in_application_identifier); /*! - * \param out_selection_hints on exit, a new selection hints object which is a copy of in_selection_hints. + * \param out_selection_hints on exit, a new selection hints object which is a copy of in_selection_hints. * Must be freed with kim_selection_hints_free(). - * \param in_selection_hints a selection hints object. + * \param in_selection_hints a selection hints object. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Copy a selection hints object. */ @@ -278,9 +278,9 @@ kim_error kim_selection_hints_set_hint (kim_selection_hints io_selection_hints, /*! * \param in_selection_hints a selection hints object. - * \param in_hint_key A string representing the type of hint to + * \param in_hint_key A string representing the type of hint to * obtain. - * \param out_hint_string On exit, a string representation of the hint + * \param out_hint_string On exit, a string representation of the hint * \a in_hint_key in \a in_selection_hints. * If the hint is not set, sets the value pointed * to by \a out_hint_string to NULL; @@ -296,7 +296,7 @@ kim_error kim_selection_hints_get_hint (kim_selection_hints in_selection_hints, /*! * \param io_selection_hints a selection hints object to modify. * \param in_explanation a localized string describing why the caller needs the identity. - * \note If the application only does one thing (the reason it needs an identity is obvious) + * \note If the application only does one thing (the reason it needs an identity is obvious) * then you may not need to call this function. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set the strings used to prompt the user to select the identity. @@ -320,7 +320,7 @@ kim_error kim_selection_hints_get_explanation (kim_selection_hints in_selection /*! * \param io_selection_hints a selection hints object to modify. - * \param in_options options to control credential acquisition. + * \param in_options options to control credential acquisition. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Set the options which will be used if credentials need to be acquired. * \sa kim_selection_hints_get_options() @@ -330,7 +330,7 @@ kim_error kim_selection_hints_set_options (kim_selection_hints io_selection_hint /*! * \param in_selection_hints a selection hints object. - * \param out_options on exit, the options to control credential acquisition + * \param out_options on exit, the options to control credential acquisition * specified in \a in_selection_hints. May be KIM_OPTIONS_DEFAULT. * If not, must be freed with kim_options_free(). * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -354,8 +354,8 @@ kim_error kim_selection_hints_set_allow_user_interaction (kim_selection_hints in /*! * \param in_selection_hints a selection hints object to modify - * \param out_allow_user_interaction on exit, a boolean value specifying whether or not KIM - * should ask the user to select an identity for + * \param out_allow_user_interaction on exit, a boolean value specifying whether or not KIM + * should ask the user to select an identity for * \a in_selection_hints. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \note This setting defaults to TRUE. @@ -379,7 +379,7 @@ kim_error kim_selection_hints_set_remember_identity (kim_selection_hints in_sele /*! * \param in_selection_hints a selection hints object to modify - * \param out_remember_identity on exit, a boolean value specifying whether or not KIM will use a + * \param out_remember_identity on exit, a boolean value specifying whether or not KIM will use a * cached mapping between \a in_selection_hints and a Kerberos identity. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \note This setting defaults to TRUE. @@ -407,7 +407,7 @@ kim_error kim_selection_hints_get_identity (kim_selection_hints in_selection_hin * \param in_selection_hints the selection hints to add to the cache. * \param in_identity the Kerberos identity \a in_selection_hints maps to. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. - * \brief Add an entry for the selection hints to the selection hints cache, + * \brief Add an entry for the selection hints to the selection hints cache, * replacing any existing entry. */ diff --git a/src/include/kim/kim_string.h b/src/include/kim/kim_string.h index f68f4a409..283a49742 100644 --- a/src/include/kim/kim_string.h +++ b/src/include/kim/kim_string.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -34,8 +34,8 @@ extern "C" { /*! * \page kim_string_overview KIM String Overview * - * A UTF8 string. - * + * A UTF8 string. + * * Memory management routines are provided for runtime consistency on * operating systems with shared libraries and multiple runtimes. * @@ -43,21 +43,21 @@ extern "C" { * * Like most C APIs, the KIM API returns numeric error codes. These error * codes may come from KIM, krb5 or GSS APIs. In most cases the caller will - * want to handle these error programmatically. However, in some circumstances - * the caller may wish to print an error string to the user. + * want to handle these error programmatically. However, in some circumstances + * the caller may wish to print an error string to the user. * * One problem with just printing the error code to the user is that frequently - * the context behind the error has been lost. For example if KIM is trying to + * the context behind the error has been lost. For example if KIM is trying to * obtain credentials via referrals, it may fail partway through the process. * In this case the error code will be KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which * maps to "Client not found in Kerberos database". Unfortunately this error * isn't terribly helpful because it doesn't tell the user whether they typoed - * their principal name or if referrals failed. + * their principal name or if referrals failed. * - * To avoid this problem, KIM maintains an explanatory string for the last + * To avoid this problem, KIM maintains an explanatory string for the last * error seen in each thread calling into KIM. If a caller wishes to display * an error to the user, immediately after getting the error the caller should - * call #kim_string_create_for_last_error() to obtain a copy of the + * call #kim_string_create_for_last_error() to obtain a copy of the * descriptive error message. * * See \ref kim_string_reference for information on specific APIs. @@ -69,24 +69,24 @@ extern "C" { */ /*! - * \param out_string On success, a human-readable UTF-8 string describing the + * \param out_string On success, a human-readable UTF-8 string describing the * error representedby \a in_error. Must be freed with * kim_string_free(). * \param in_error an error code. Used to verify that the correct error * string will be returned (see note below). - * \return On success, KIM_NO_ERROR. - * \note This API is implemented using thread local storage. It should be + * \return On success, KIM_NO_ERROR. + * \note This API is implemented using thread local storage. It should be * called immediately after a KIM API returns an error code so that the correct - * string is returned. The returned copy may then be held by the caller until + * string is returned. The returned copy may then be held by the caller until * needed. If \a in_error does not match the last saved error KIM may return * a less descriptive string. * \brief Get a text description of an error suitable for display to the user. */ kim_error kim_string_create_for_last_error (kim_string *out_string, kim_error in_error); - + /*! - * \param out_string on exit, a new string object which is a copy of \a in_string. + * \param out_string on exit, a new string object which is a copy of \a in_string. Must be freed with kim_string_free(). * \param in_string the string to copy. * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. @@ -103,10 +103,10 @@ kim_error kim_string_copy (kim_string *out_string, * \return On success, #KIM_NO_ERROR. On failure, an error code representing the failure. * \brief Compare two strings. */ -kim_error kim_string_compare (kim_string in_string, +kim_error kim_string_compare (kim_string in_string, kim_string in_compare_to_string, kim_comparison *out_comparison); - + /*! * \param io_string a string to be freed. Set to NULL on exit. * \brief Free memory associated with a string. diff --git a/src/include/kim/kim_types.h b/src/include/kim/kim_types.h index a871410bb..7723407cf 100644 --- a/src/include/kim/kim_types.h +++ b/src/include/kim/kim_types.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -42,7 +42,7 @@ extern "C" { typedef int32_t kim_error; /*! - * No error value for the kim_error type. + * No error value for the kim_error type. */ #define KIM_NO_ERROR ((kim_error) 0) @@ -73,7 +73,7 @@ typedef int kim_boolean; * \li Greater than 0 means the first object is greater than the second. * \note Convenience macros are provided for interpreting #kim_comparison * values to improve code readability. - * See #kim_comparison_is_less_than(), #kim_comparison_is_equal_to() and + * See #kim_comparison_is_less_than(), #kim_comparison_is_equal_to() and * #kim_comparison_is_greater_than() */ typedef int kim_comparison; @@ -86,7 +86,7 @@ typedef int kim_comparison; /*! * Convenience macro for interpreting #kim_comparison. */ -#define kim_comparison_is_equal_to(c) (c == 0) +#define kim_comparison_is_equal_to(c) (c == 0) /*! * Convenience macro for interpreting #kim_comparison. diff --git a/src/include/kim/kim_ui_plugin.h b/src/include/kim/kim_ui_plugin.h index a15aa419a..d5a08a87d 100644 --- a/src/include/kim/kim_ui_plugin.h +++ b/src/include/kim/kim_ui_plugin.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -43,38 +43,38 @@ enum kim_prompt_type_enum { /* * Plugins for Controlling Identity Selection and Credential Acquisition - * + * * In order to acquire credentials, Kerberos needs to obtain one or more secrets from the user. - * These secrets may be a certificate, password, SecurID pin, or information from a smart card. + * These secrets may be a certificate, password, SecurID pin, or information from a smart card. * If obtaining the secret requires interaction with the user, the Kerberos libraries call a * "prompter callback" to display a dialog or command line prompt to request information from - * the user. If you want to provide your own custom dialogs or command line prompts, - * the KIM APIs provide a plugin mechanism for replacing the default prompt ui with your own. + * the user. If you want to provide your own custom dialogs or command line prompts, + * the KIM APIs provide a plugin mechanism for replacing the default prompt ui with your own. * - * The function table / structure which a KIM ui plugin module must export - * as "kim_ui_0". If the interfaces work correctly, future versions of the - * table will add either more callbacks or more arguments to callbacks, and + * The function table / structure which a KIM ui plugin module must export + * as "kim_ui_0". If the interfaces work correctly, future versions of the + * table will add either more callbacks or more arguments to callbacks, and * in both cases we'll be able to wrap the v0 functions. */ /* extern kim_ui_plugin_ftable_v0 kim_ui_0; */ - + typedef struct kim_ui_plugin_ftable_v0 { int minor_version; /* currently 0 */ - + /* Called before other calls to allow the UI to initialize. - * Return an error if you can't display your UI in this environment. + * Return an error if you can't display your UI in this environment. * To allow your plugin to be called from multiple threads, pass back - * state associated with this instance of your UI in out_context. + * state associated with this instance of your UI in out_context. * The same context pointer will be provided to all plugin calls for * this ui. */ kim_error (*init) (void **out_context); - + /* Present UI which allows the user to enter a new identity. - * This is typically called when the user selects a "new tickets" + * This is typically called when the user selects a "new tickets" * control or menu item from a ticket management utility. - * If this UI calls into KIM to get new credentials it may - * call auth_prompt below. + * If this UI calls into KIM to get new credentials it may + * call auth_prompt below. * If out_change_password is set to TRUE, KIM will call change_password * on the identity and then call enter_identity again, allowing you * to have a change password option on your UI. */ @@ -82,12 +82,12 @@ typedef struct kim_ui_plugin_ftable_v0 { kim_options io_options, kim_identity *out_identity, kim_boolean *out_change_password); - + /* Present UI to select which identity to use. * This is typically called the first time an application tries to use * Kerberos and is used to establish a hints preference for the application. - * If this UI calls into KIM to get new credentials it may - * call auth_prompt below. + * If this UI calls into KIM to get new credentials it may + * call auth_prompt below. * If out_change_password is set to TRUE, KIM will call change_password * on the identity and then call select_identity again, allowing you * to have a change password option on your UI. */ @@ -95,7 +95,7 @@ typedef struct kim_ui_plugin_ftable_v0 { kim_selection_hints io_hints, kim_identity *out_identity, kim_boolean *out_change_password); - + /* Present UI to display authentication to the user */ /* If in_allow_save_reply is FALSE do not display UI to allow the user * to save their password. In this case the value of out_save_reply will @@ -103,17 +103,17 @@ typedef struct kim_ui_plugin_ftable_v0 { kim_error (*auth_prompt) (void *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, char **out_reply, kim_boolean *out_save_reply); - - /* Prompt to change the identity's password. + + /* Prompt to change the identity's password. * May be combined with an auth_prompt if additional auth is required, - * eg: SecurID pin. + * eg: SecurID pin. * If in_old_password_expired is true, this callback is in response * to an expired password error. If this is the case the same context * which generated the error will be used for this callback. */ @@ -123,28 +123,28 @@ typedef struct kim_ui_plugin_ftable_v0 { char **out_old_password, char **out_new_password, char **out_verify_password); - + /* Display an error to the user; may be called after any of the prompts */ kim_error (*handle_error) (void *in_context, kim_identity in_identity, kim_error in_error, kim_string in_error_message, kim_string in_error_description); - + /* Free strings returned by the UI. Will be called once for each string * returned from a plugin callback. If you have returned a string twice * just make sure your free function checks for NULL and sets the pointer * to NULL when done freeing memory. */ void (*free_string) (void *in_context, char **io_string); - + /* Called after the last prompt (even on error) to allow the UI to * free allocated resources associated with its context. */ kim_error (*fini) (void *io_context); } kim_ui_plugin_ftable_v0; - + #ifdef __cplusplus } #endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index e0128d058..464f3fa30 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +22,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * General definitions for Kerberos version 5. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +47,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -162,7 +162,7 @@ typedef unsigned short krb5_ui_4; indicator */ #define KRB5_INT32_MIN (-KRB5_INT32_MAX-1) -#define KRB5_INT16_MAX 65535 +#define KRB5_INT16_MAX 65535 /* this strange form is necessary since - is a unary operator, not a sign indicator */ #define KRB5_INT16_MIN (-KRB5_INT16_MAX-1) @@ -187,8 +187,8 @@ typedef unsigned short krb5_ui_4; #endif typedef unsigned int krb5_boolean; -typedef unsigned int krb5_msgtype; -typedef unsigned int krb5_kvno; +typedef unsigned int krb5_msgtype; +typedef unsigned int krb5_kvno; typedef krb5_int32 krb5_addrtype; typedef krb5_int32 krb5_enctype; @@ -217,9 +217,9 @@ typedef struct _krb5_octet_data { krb5_octet *data; } krb5_octet_data; -/* +/* * Hack length for crypto library to use the afs_string_to_key It is - * equivalent to -1 without possible sign extension + * equivalent to -1 without possible sign extension * We also overload for an unset salt type length - which is also -1, but * hey, why not.... */ @@ -548,9 +548,9 @@ krb5_error_code KRB5_CALLCONV (krb5_context context, krb5_data *data); /* -* Collect entropy from the OS if possible. strong requests that as strong -* of a source of entropy as available be used. Setting strong may -* increase the probability of blocking and should not be used for normal +* Collect entropy from the OS if possible. strong requests that as strong +* of a source of entropy as available be used. Setting strong may +* increase the probability of blocking and should not be used for normal * applications. Good uses include seeding the PRNG for kadmind * and realm setup. * If successful is non-null, then successful is set to 1 if the OS provided @@ -587,15 +587,15 @@ krb5_error_code KRB5_CALLCONV (krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *input, krb5_checksum *cksum); - + krb5_error_code KRB5_CALLCONV krb5_c_verify_checksum - (krb5_context context, + (krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *data, const krb5_checksum *cksum, krb5_boolean *valid); - + krb5_error_code KRB5_CALLCONV krb5_c_checksum_length (krb5_context context, krb5_cksumtype cksumtype, @@ -603,7 +603,7 @@ krb5_error_code KRB5_CALLCONV krb5_error_code KRB5_CALLCONV krb5_c_keyed_checksum_types - (krb5_context context, krb5_enctype enctype, + (krb5_context context, krb5_enctype enctype, unsigned int *count, krb5_cksumtype **cksumtypes); #define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1 @@ -683,7 +683,7 @@ krb5_error_code KRB5_CALLCONV krb5_error_code KRB5_CALLCONV krb5_c_verify_checksum_iov - (krb5_context context, + (krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock *key, krb5_keyusage usage, const krb5_crypto_iov *data, size_t num_data, @@ -896,7 +896,7 @@ krb5_error_code KRB5_CALLCONV krb5_verify_checksum /* * Mask of ticket flags in the TGT which should be converted into KDC * options when using the TGT to get derivitive tickets. - * + * * New mask = KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | * KDC_OPT_ALLOW_POSTDATE | KDC_OPT_RENEWABLE */ @@ -1113,7 +1113,7 @@ krb5_error_code KRB5_CALLCONV krb5_verify_checksum /* Time set */ typedef struct _krb5_ticket_times { krb5_timestamp authtime; /* XXX ? should ktime in KDC_REP == authtime - in ticket? otherwise client can't get this */ + in ticket? otherwise client can't get this */ krb5_timestamp starttime; /* optional in ticket, if not present, use authtime */ krb5_timestamp endtime; @@ -1330,7 +1330,7 @@ typedef struct _krb5_cred_enc_part { krb5_address *s_address; /* sender address, optional */ krb5_address *r_address; /* recipient address, optional */ krb5_cred_info **ticket_info; -} krb5_cred_enc_part; +} krb5_cred_enc_part; typedef struct _krb5_cred { krb5_magic magic; @@ -1385,11 +1385,11 @@ typedef struct _krb5_pa_pac_req { #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008 #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010 #define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020 - -typedef struct krb5_replay_data { - krb5_timestamp timestamp; + +typedef struct krb5_replay_data { + krb5_timestamp timestamp; krb5_int32 usec; - krb5_ui_4 seq; + krb5_ui_4 seq; } krb5_replay_data; /* flags for krb5_auth_con_genaddrs() */ @@ -1401,7 +1401,7 @@ typedef struct krb5_replay_data { /* type of function used as a callback to generate checksum data for * mk_req */ -typedef krb5_error_code +typedef krb5_error_code (KRB5_CALLCONV * krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context , void *, krb5_data **); @@ -1502,8 +1502,8 @@ krb5_cc_move (krb5_context context, krb5_ccache src, krb5_ccache dst); krb5_error_code KRB5_CALLCONV krb5_cc_last_change_time ( - krb5_context context, - krb5_ccache ccache, + krb5_context context, + krb5_ccache ccache, krb5_timestamp *change_time); krb5_error_code KRB5_CALLCONV @@ -1615,7 +1615,7 @@ void KRB5_CALLCONV krb5_free_context krb5_error_code KRB5_CALLCONV krb5_copy_context (krb5_context, krb5_context *); -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_set_default_tgs_enctypes (krb5_context, const krb5_enctype *); @@ -1792,7 +1792,7 @@ krb5_boolean KRB5_CALLCONV krb5_principal_compare_flags int); krb5_error_code KRB5_CALLCONV krb5_init_keyblock (krb5_context, krb5_enctype enctype, - size_t length, krb5_keyblock **out); + size_t length, krb5_keyblock **out); /* Initialize a new keyblock and allocate storage * for the contents of the key, which will be freed along * with the keyblock when krb5_free_keyblock is called. @@ -1875,7 +1875,7 @@ krb5_error_code KRB5_CALLCONV krb5_425_conv_principal krb5_principal *princ); krb5_error_code KRB5_CALLCONV krb5_524_conv_principal - (krb5_context context, krb5_const_principal princ, + (krb5_context context, krb5_const_principal princ, char *name, char *inst, char *realm); struct credentials; @@ -2102,7 +2102,7 @@ krb5_error_code KRB5_CALLCONV krb5_mk_priv krb5_data *, krb5_replay_data *); -krb5_error_code KRB5_CALLCONV krb5_sendauth +krb5_error_code KRB5_CALLCONV krb5_sendauth (krb5_context, krb5_auth_context *, krb5_pointer, @@ -2116,14 +2116,14 @@ krb5_error_code KRB5_CALLCONV krb5_sendauth krb5_error **, krb5_ap_rep_enc_part **, krb5_creds **); - + krb5_error_code KRB5_CALLCONV krb5_recvauth (krb5_context, krb5_auth_context *, krb5_pointer, char *, krb5_principal, - krb5_int32, + krb5_int32, krb5_keytab, krb5_ticket **); krb5_error_code KRB5_CALLCONV krb5_recvauth_version @@ -2131,7 +2131,7 @@ krb5_error_code KRB5_CALLCONV krb5_recvauth_version krb5_auth_context *, krb5_pointer, krb5_principal, - krb5_int32, + krb5_int32, krb5_keytab, krb5_ticket **, krb5_data *); @@ -2158,14 +2158,14 @@ krb5_error_code KRB5_CALLCONV krb5_rd_cred krb5_replay_data *); krb5_error_code KRB5_CALLCONV krb5_fwd_tgt_creds - (krb5_context, + (krb5_context, krb5_auth_context, char *, - krb5_principal, - krb5_principal, + krb5_principal, + krb5_principal, krb5_ccache, int forwardable, - krb5_data *); + krb5_data *); krb5_error_code KRB5_CALLCONV krb5_auth_con_init (krb5_context, @@ -2564,13 +2564,13 @@ krb5_get_renewed_creds krb5_error_code KRB5_CALLCONV krb5_decode_ticket -(const krb5_data *code, +(const krb5_data *code, krb5_ticket **rep); void KRB5_CALLCONV krb5_appdefault_string (krb5_context context, - const char *appname, + const char *appname, const krb5_data *realm, const char *option, const char *default_value, @@ -2579,7 +2579,7 @@ krb5_appdefault_string void KRB5_CALLCONV krb5_appdefault_boolean (krb5_context context, - const char *appname, + const char *appname, const krb5_data *realm, const char *option, int default_value, diff --git a/src/include/krb5/locate_plugin.h b/src/include/krb5/locate_plugin.h index f9f29baf7..8496f276b 100644 --- a/src/include/krb5/locate_plugin.h +++ b/src/include/krb5/locate_plugin.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Service location plugin definitions for Kerberos 5. */ diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h index e11913e3f..dd0820af1 100644 --- a/src/include/krb5/preauth_plugin.h +++ b/src/include/krb5/preauth_plugin.h @@ -367,7 +367,7 @@ typedef void /* Return the flags which the KDC should use for this module. This is a * callback instead of a static value because the module may or may not - * wish to count itself as a hardware preauthentication module (in other + * wish to count itself as a hardware preauthentication module (in other * words, the flags may be affected by the configuration, for example if a * site administrator can force a particular preauthentication type to be * supported using only hardware). This function is called for each entry diff --git a/src/include/krb54proto.h b/src/include/krb54proto.h index d1d16e1ba..65cf5f939 100644 --- a/src/include/krb54proto.h +++ b/src/include/krb54proto.h @@ -9,10 +9,9 @@ extern krb5_error_code krb54_get_service_keyblock extern int decomp_tkt_krb5 (KTEXT tkt, unsigned char *flags, char *pname, char *pinstance, char *prealm, unsigned KRB4_32 *paddress, - des_cblock session, int *life, unsigned KRB4_32 *time_sec, + des_cblock session, int *life, unsigned KRB4_32 *time_sec, char *sname, char *sinstance, krb5_keyblock *k5key); extern int krb_set_key_krb5 (krb5_context ctx, krb5_keyblock *key); void krb_clear_key_krb5 (krb5_context ctx); - diff --git a/src/include/osconf.hin b/src/include/osconf.hin index 339e4b228..dd3f976c7 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Site- and OS- dependant configuration. */ diff --git a/src/include/pkinit_apple_utils.h b/src/include/pkinit_apple_utils.h index 313955f39..857b1685c 100644 --- a/src/include/pkinit_apple_utils.h +++ b/src/include/pkinit_apple_utils.h @@ -28,7 +28,7 @@ * * Created 19 May 2004 by Doug Mitchell. */ - + #ifndef _PKINIT_APPLE_UTILS_H_ #define _PKINIT_APPLE_UTILS_H_ @@ -70,7 +70,7 @@ CSSM_CL_HANDLE pkiClStartup(void); * CSSM_DATA <--> krb5_ui_4 */ krb5_error_code pkiDataToInt( - const CSSM_DATA *cdata, + const CSSM_DATA *cdata, krb5_int32 *i); /* RETURNED */ krb5_error_code pkiIntToData( @@ -86,13 +86,13 @@ krb5_error_code pkiDataToKrb5Data( unsigned dataLen, krb5_data *kd); /* content mallocd and RETURNED */ -/* +/* * CSSM_DATA <--> krb5_data * * CSSM_DATA data is managed by a SecAsn1CoderRef; krb5_data.data is mallocd. */ krb5_error_code pkiCssmDataToKrb5Data( - const CSSM_DATA *cd, + const CSSM_DATA *cd, krb5_data *kd); /* content mallocd and RETURNED */ @@ -101,13 +101,13 @@ krb5_error_code pkiKrb5DataToCssm( CSSM_DATA *cdata, /* allocated in coder space and RETURNED */ SecAsn1CoderRef coder); -/* +/* * CFDataRef --> krb5_data, mallocing the destination contents. */ krb5_error_code pkiCfDataToKrb5Data( CFDataRef cfData, krb5_data *kd); /* content mallocd and RETURNED */ - + /* * Non-mallocing conversion between CSSM_DATA and krb5_data */ @@ -126,7 +126,7 @@ krb5_boolean pkiCompareCssmData( const CSSM_DATA *d1, const CSSM_DATA *d2); -/* +/* * krb5_timestamp <--> a mallocd string in generalized format */ krb5_error_code pkiKrbTimestampToStr( diff --git a/src/include/pkinit_asn1.h b/src/include/pkinit_asn1.h index b90ae5960..8e33a69a6 100644 --- a/src/include/pkinit_asn1.h +++ b/src/include/pkinit_asn1.h @@ -28,7 +28,7 @@ * * Created 18 May 2004 by Doug Mitchell. */ - + #ifndef _PKINIT_ASN1_H_ #define _PKINIT_ASN1_H_ @@ -44,18 +44,18 @@ typedef struct { krb5_data parameters; /* ASN_ANY, defined by algorithm */ } krb5int_algorithm_id; -/* +/* * Encode and decode AuthPack, public key version (no Diffie-Hellman components). */ krb5_error_code krb5int_pkinit_auth_pack_encode( - krb5_timestamp kctime, + krb5_timestamp kctime, krb5_int32 cusec, /* microseconds */ krb5_ui_4 nonce, const krb5_checksum *pa_checksum, const krb5int_algorithm_id *cms_types, /* optional */ krb5_ui_4 num_cms_types, krb5_data *auth_pack); /* mallocd and RETURNED */ - + /* all returned values are optional - pass NULL if you don't want them */ krb5_error_code krb5int_pkinit_auth_pack_decode( const krb5_data *auth_pack, /* DER encoded */ @@ -65,10 +65,10 @@ krb5_error_code krb5int_pkinit_auth_pack_decode( krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */ krb5int_algorithm_id **cms_types, /* mallocd and RETURNED */ krb5_ui_4 *num_cms_types); /* RETURNED */ - - + + /* - * Given DER-encoded issuer and serial number, create an encoded + * Given DER-encoded issuer and serial number, create an encoded * IssuerAndSerialNumber. */ krb5_error_code krb5int_pkinit_issuer_serial_encode( @@ -85,9 +85,9 @@ krb5_error_code krb5int_pkinit_issuer_serial_decode( krb5_data *serial_num); /* RETURNED */ /* - * Top-level encode for PA-PK-AS-REQ. + * Top-level encode for PA-PK-AS-REQ. * The signed_auth_pack field is wrapped in an OCTET STRING, content - * specific tag 0, during encode. + * specific tag 0, during encode. */ krb5_error_code krb5int_pkinit_pa_pk_as_req_encode( const krb5_data *signed_auth_pack, /* DER encoded ContentInfo */ @@ -98,24 +98,24 @@ krb5_error_code krb5int_pkinit_pa_pk_as_req_encode( krb5_data *pa_pk_as_req); /* mallocd and RETURNED */ /* - * Top-level decode for PA-PK-AS-REQ. Does not perform cert verification on the + * Top-level decode for PA-PK-AS-REQ. Does not perform cert verification on the * ContentInfo; that is returned in BER-encoded form and processed elsewhere. - * The OCTET STRING wrapping the signed_auth_pack field is removed during the + * The OCTET STRING wrapping the signed_auth_pack field is removed during the * decode. */ krb5_error_code krb5int_pkinit_pa_pk_as_req_decode( const krb5_data *pa_pk_as_req, krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */ - /* - * Remainder are optionally RETURNED (specify NULL for pointers to + /* + * Remainder are optionally RETURNED (specify NULL for pointers to * items you're not interested in). */ krb5_ui_4 *num_trusted_CAs, /* sizeof trusted_CAs */ - krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs + krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs * issuer/serial */ krb5_data *kdc_cert); /* DER encoded issuer/serial */ -/* +/* * Encode a ReplyKeyPack. The result is used as the Content of a SignedData. */ krb5_error_code krb5int_pkinit_reply_key_pack_encode( @@ -123,7 +123,7 @@ krb5_error_code krb5int_pkinit_reply_key_pack_encode( const krb5_checksum *checksum, krb5_data *reply_key_pack); /* mallocd and RETURNED */ -/* +/* * Decode a ReplyKeyPack. */ krb5_error_code krb5int_pkinit_reply_key_pack_decode( @@ -131,31 +131,31 @@ krb5_error_code krb5int_pkinit_reply_key_pack_decode( krb5_keyblock *key_block, /* RETURNED */ krb5_checksum *checksum); /* contents mallocd and RETURNED */ -/* +/* * Encode a PA-PK-AS-REP. * Exactly one of {dh_signed_data, enc_key_pack} is non-NULL on entry; - * each is a previously encoded item. + * each is a previously encoded item. * * dh_signed_data, if specified, is an encoded DHRepInfo. * enc_key_pack, if specified, is EnvelopedData(signedData(ReplyKeyPack) */ krb5_error_code krb5int_pkinit_pa_pk_as_rep_encode( - const krb5_data *dh_signed_data, + const krb5_data *dh_signed_data, const krb5_data *enc_key_pack, /* EnvelopedData(signedData(ReplyKeyPack) */ krb5_data *pa_pk_as_rep); /* mallocd and RETURNED */ -/* +/* * Decode a PA-PK-AS-REP. * On successful return, exactly one of {dh_signed_data, enc_key_pack} * will be non-NULL, each of which is mallocd and must be freed by - * caller. + * caller. * * dh_signed_data, if returned, is an encoded DHRepInfo. * enc_key_pack, if specified, is EnvelopedData(signedData(ReplyKeyPack) */ krb5_error_code krb5int_pkinit_pa_pk_as_rep_decode( const krb5_data *pa_pk_as_rep, - krb5_data *dh_signed_data, + krb5_data *dh_signed_data, krb5_data *enc_key_pack); /* diff --git a/src/include/pkinit_cert_store.h b/src/include/pkinit_cert_store.h index 6811d5a72..b7f70d388 100644 --- a/src/include/pkinit_cert_store.h +++ b/src/include/pkinit_cert_store.h @@ -28,7 +28,7 @@ * * Created 26 May 2004 by Doug Mitchell at Apple. */ - + #ifndef _PKINIT_CERT_STORE_H_ #define _PKINIT_CERT_STORE_H_ @@ -50,13 +50,13 @@ typedef void *krb5_pkinit_signing_cert_t; */ typedef void *krb5_pkinit_cert_t; -/* - * Opaque reference to a database in which PKINIT-related certificates are stored. +/* + * Opaque reference to a database in which PKINIT-related certificates are stored. */ typedef void *krb5_pkinit_cert_db_t; /* - * Obtain signing cert for specified principal. On successful return, + * Obtain signing cert for specified principal. On successful return, * caller must eventually release the cert with krb5_pkinit_release_cert(). * * Returns KRB5_PRINC_NOMATCH if client cert not found. @@ -64,8 +64,8 @@ typedef void *krb5_pkinit_cert_db_t; krb5_error_code krb5_pkinit_get_client_cert( const char *principal, /* full principal string */ krb5_pkinit_signing_cert_t *client_cert); /* RETURNED */ - -/* + +/* * Determine if the specified client has a signing cert. Returns TRUE * if so, else returns FALSE. */ @@ -85,7 +85,7 @@ krb5_error_code krb5_pkinit_set_client_cert( const char *principal, /* full principal string */ krb5_pkinit_cert_t client_cert); -/* +/* * Obtain a reference to the client's cert database. Specify either principal * name or client_cert as obtained from krb5_pkinit_get_client_cert(). */ @@ -100,10 +100,10 @@ krb5_error_code krb5_pkinit_get_client_cert_db( * * The client_spec argument is typically provided by the client as kdcPkId. * - * If trusted_CAs and client_spec are NULL, a platform-dependent preferred - * KDC signing cert is returned, if one exists. + * If trusted_CAs and client_spec are NULL, a platform-dependent preferred + * KDC signing cert is returned, if one exists. * - * On successful return, caller must eventually release the cert with + * On successful return, caller must eventually release the cert with * krb5_pkinit_release_cert(). Outside of an unusual test configuration this = * * Returns KRB5_PRINC_NOMATCH if KDC cert not found. @@ -115,7 +115,7 @@ krb5_error_code krb5_pkinit_get_kdc_cert( krb5_data *client_spec, /* optional */ krb5_pkinit_signing_cert_t *kdc_cert); /* RETURNED */ -/* +/* * Obtain a reference to the KDC's cert database. */ krb5_error_code krb5_pkinit_get_kdc_cert_db( @@ -127,27 +127,27 @@ krb5_error_code krb5_pkinit_get_kdc_cert_db( */ extern void krb5_pkinit_release_cert( krb5_pkinit_signing_cert_t cert); - + /* * Release database references obtained via krb5_pkinit_get_client_cert_db() and * krb5_pkinit_get_kdc_cert_db(). */ extern void krb5_pkinit_release_cert_db( krb5_pkinit_cert_db_t cert_db); - -/* - * Obtain a mallocd C-string representation of a certificate's SHA1 digest. - * Only error is a NULL return indicating memory failure. + +/* + * Obtain a mallocd C-string representation of a certificate's SHA1 digest. + * Only error is a NULL return indicating memory failure. * Caller must free the returned string. */ char *krb5_pkinit_cert_hash_str( const krb5_data *cert); - -/* + +/* * Obtain a client's optional list of trusted KDC CA certs (trustedCertifiers) - * and/or trusted KDC cert (kdcPkId) for a given client and server. - * All returned values are mallocd and must be freed by caller; the contents - * of the krb5_datas are DER-encoded certificates. + * and/or trusted KDC cert (kdcPkId) for a given client and server. + * All returned values are mallocd and must be freed by caller; the contents + * of the krb5_datas are DER-encoded certificates. */ krb5_error_code krb5_pkinit_get_server_certs( const char *client_principal, diff --git a/src/include/pkinit_client.h b/src/include/pkinit_client.h index 31951caaf..3b9a841ba 100644 --- a/src/include/pkinit_client.h +++ b/src/include/pkinit_client.h @@ -45,27 +45,27 @@ extern "C" { */ krb5_error_code krb5int_pkinit_as_req_create( krb5_context context, - krb5_timestamp kctime, + krb5_timestamp kctime, krb5_int32 cusec, /* microseconds */ krb5_ui_4 nonce, const krb5_checksum *cksum, krb5_pkinit_signing_cert_t client_cert, /* required! */ - - /* + + /* * trusted_CAs correponds to PA-PK-AS-REQ.trustedCertifiers. - * Expressed here as an optional list of DER-encoded certs. + * Expressed here as an optional list of DER-encoded certs. */ - const krb5_data *trusted_CAs, + const krb5_data *trusted_CAs, krb5_ui_4 num_trusted_CAs, - - /* optional PA-PK-AS-REQ.kdcPkId, expressed here as a + + /* optional PA-PK-AS-REQ.kdcPkId, expressed here as a * DER-encoded cert */ - const krb5_data *kdc_cert, + const krb5_data *kdc_cert, krb5_data *as_req); /* mallocd and RETURNED */ /* - * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain. - * Optionally returns various components. + * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain. + * Optionally returns various components. */ krb5_error_code krb5int_pkinit_as_rep_parse( krb5_context context, @@ -81,7 +81,7 @@ krb5_error_code krb5int_pkinit_as_rep_parse( * * signer_cert is the DER-encoded leaf cert from the incoming SignedData. * all_certs is an array of all of the certs in the incoming SignedData, - * in full DER-encoded form. + * in full DER-encoded form. */ krb5_data *signer_cert, /* content mallocd */ unsigned *num_all_certs, /* sizeof *all_certs */ diff --git a/src/include/pkinit_cms.h b/src/include/pkinit_cms.h index 6e5fb96ce..accf8bfb3 100644 --- a/src/include/pkinit_cms.h +++ b/src/include/pkinit_cms.h @@ -45,27 +45,27 @@ extern "C" { */ enum { /* normal CMS ContentTypes */ - ECT_Data, + ECT_Data, ECT_SignedData, ECT_EnvelopedData, ECT_EncryptedData, - + /* * For SignedAuthPack * pkauthdata: { iso (1) org (3) dod (6) internet (1) * security (5) kerberosv5 (2) pkinit (3) pkauthdata (1)} */ ECT_PkAuthData, - + /* * For ReplyKeyPack * pkrkeydata: { iso (1) org (3) dod (6) internet (1) * security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3) } */ ECT_PkReplyKeyKata, - + /* - * Other - i.e., unrecognized ContentType on decode. + * Other - i.e., unrecognized ContentType on decode. */ ECT_Other }; @@ -96,7 +96,7 @@ enum { typedef krb5_int32 krb5int_cert_sig_status; /* - * Create a CMS message: either encrypted (EnvelopedData), signed + * Create a CMS message: either encrypted (EnvelopedData), signed * (SignedData), or both (EnvelopedData(SignedData(content)). * * The message is signed iff signing_cert is non-NULL. @@ -107,8 +107,8 @@ typedef krb5_int32 krb5int_cert_sig_status; * if the message is not to be signed. * * The cms_types argument optionally specifies a list, in order - * of decreasing preference, of CMS algorithms to use in the - * creation of the CMS message. + * of decreasing preference, of CMS algorithms to use in the + * creation of the CMS message. */ krb5_error_code krb5int_pkinit_create_cms_msg( const krb5_data *content, /* Content */ @@ -120,19 +120,19 @@ krb5_error_code krb5int_pkinit_create_cms_msg( krb5_data *content_info); /* contents mallocd and RETURNED */ /* - * Parse a ContentInfo as best we can. All returned fields are optional - - * pass NULL for values you don't need. + * Parse a ContentInfo as best we can. All returned fields are optional - + * pass NULL for values you don't need. * - * If signer_cert_status is NULL on entry, NO signature or cert evaluation - * will be performed. + * If signer_cert_status is NULL on entry, NO signature or cert evaluation + * will be performed. * * The is_client_msg argument indicates whether the CMS message originated * from the client (TRUE) or server (FALSE) and may be used in platform- - * dependent certificate evaluation. + * dependent certificate evaluation. * * Note that signature and certificate verification errors do NOT cause - * this routine itself to return an error; caller is reponsible for - * handling such errors per the signer_cert_status out parameter. + * this routine itself to return an error; caller is reponsible for + * handling such errors per the signer_cert_status out parameter. */ krb5_error_code krb5int_pkinit_parse_cms_msg( const krb5_data *content_info, @@ -150,14 +150,14 @@ krb5_error_code krb5int_pkinit_parse_cms_msg( unsigned *num_all_certs, /* size of *all_certs RETURNED */ krb5_data **all_certs); /* entire cert chain RETURNED */ -/* - * An AuthPack contains an optional set of AlgorithmIdentifiers - * which define the CMS algorithms supported by the client, in - * order of decreasing preference. +/* + * An AuthPack contains an optional set of AlgorithmIdentifiers + * which define the CMS algorithms supported by the client, in + * order of decreasing preference. * * krb5int_pkinit_get_cms_types() is a CMS-implementation-dependent * function returning supported CMS algorithms in the form of a - * pointer and a length suitable for passing to + * pointer and a length suitable for passing to * krb5int_pkinit_auth_pack_encode. If no preference is to be expressed, * this function returns NULL/0 (without returning a nonzero krb5_error_code). * @@ -167,7 +167,7 @@ krb5_error_code krb5int_pkinit_parse_cms_msg( krb5_error_code krb5int_pkinit_get_cms_types( krb5int_algorithm_id **supported_cms_types, /* RETURNED */ krb5_ui_4 *num_supported_cms_types); /* RETURNED */ - + krb5_error_code krb5int_pkinit_free_cms_types( krb5int_algorithm_id *supported_cms_types, krb5_ui_4 num_supported_cms_types); diff --git a/src/include/socket-utils.h b/src/include/socket-utils.h index 070bb2ff1..d87405801 100644 --- a/src/include/socket-utils.h +++ b/src/include/socket-utils.h @@ -1,42 +1,42 @@ /* * Copyright (C) 2001,2005 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. - * - * This software is being provided to you, the LICENSEE, by the - * Massachusetts Institute of Technology (M.I.T.) under the following - * license. By obtaining, using and/or copying this software, you agree - * that you have read, understood, and will comply with these terms and - * conditions: - * + * + * This software is being provided to you, the LICENSEE, by the + * Massachusetts Institute of Technology (M.I.T.) under the following + * license. By obtaining, using and/or copying this software, you agree + * that you have read, understood, and will comply with these terms and + * conditions: + * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute - * this software and its documentation for any purpose and without fee or - * royalty is hereby granted, provided that you agree to comply with the - * following copyright notice and statements, including the disclaimer, and - * that the same appear on ALL copies of the software and documentation, - * including modifications that you make for internal use or for + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute + * this software and its documentation for any purpose and without fee or + * royalty is hereby granted, provided that you agree to comply with the + * following copyright notice and statements, including the disclaimer, and + * that the same appear on ALL copies of the software and documentation, + * including modifications that you make for internal use or for * distribution: - * - * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS - * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not - * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF - * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF - * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY - * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. - * - * The name of the Massachusetts Institute of Technology or M.I.T. may NOT - * be used in advertising or publicity pertaining to distribution of the - * software. Title to copyright in this software and any associated - * documentation shall at all times remain with M.I.T., and USER agrees to + * + * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS + * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF + * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY + * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. + * + * The name of the Massachusetts Institute of Technology or M.I.T. may NOT + * be used in advertising or publicity pertaining to distribution of the + * software. Title to copyright in this software and any associated + * documentation shall at all times remain with M.I.T., and USER agrees to * preserve same. * * Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. + * fashion that it might be confused with the original M.I.T. software. */ #ifndef SOCKET_UTILS_H diff --git a/src/include/spnego-asn1.h b/src/include/spnego-asn1.h index 8070a9f99..211ba37d8 100644 --- a/src/include/spnego-asn1.h +++ b/src/include/spnego-asn1.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,9 +22,9 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * * - * This file contains structure definitions + * + * This file contains structure definitions * for the SPNEGO GSSAPI mechanism (RFC 2478). This file is *an internal interface between the GSSAPI library and the ASN.1 *encoders/decoders for the SPNEGO structures in the krb5 library. diff --git a/src/include/win-mac.h b/src/include/win-mac.h index f77cd2b41..408648765 100644 --- a/src/include/win-mac.h +++ b/src/include/win-mac.h @@ -25,8 +25,8 @@ #else /* ! RES_ONLY */ -/* To ensure backward compatibility of the ABI use 32-bit time_t on - * 32-bit Windows. +/* To ensure backward compatibility of the ABI use 32-bit time_t on + * 32-bit Windows. */ #ifdef _KRB5_INT_H #ifdef KRB5_GENERAL__ @@ -37,7 +37,7 @@ #error time_t has been defined as a 64-bit integer which is incompatible with Kerberos on this platform. #endif /* _TIME_T_DEFINED */ #define _USE_32BIT_TIME_T -#endif +#endif #endif #define SIZEOF_INT 4 @@ -102,7 +102,7 @@ typedef _W64 int ssize_t; #define HAVE_NETINET_IN_H #define MSDOS_FILESYSTEM -#define HAVE_STRING_H +#define HAVE_STRING_H #define HAVE_SRAND #define HAVE_ERRNO #define HAVE_STRDUP @@ -154,7 +154,7 @@ typedef _W64 int ssize_t; #endif #define INI_KRB_REALMS "krb.realms" /* Location of krb.realms file */ #define DEF_KRB_REALMS "krb.realms" /* Default name for krb.realms file */ -#define INI_RECENT_LOGINS "Recent Logins" +#define INI_RECENT_LOGINS "Recent Logins" #define INI_LOGIN "Login" #define HAS_VOID_TYPE @@ -176,7 +176,7 @@ typedef _W64 int ssize_t; /* Ugly. Microsoft, in stdc mode, doesn't support the low-level i/o * routines directly. Rather, they only export the _ version. - * The following defines works around this problem. + * The following defines works around this problem. */ #include #include diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index 22a67ab15..c8cb3fb58 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1994, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -60,22 +60,22 @@ struct pflag { }; static struct pflag flags[] = { -{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1 }, -{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1 }, -{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1 }, -{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1 }, -{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1 }, -{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1 }, -{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1 }, -{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0 }, -{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0 }, -{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0 }, -{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1 }, -{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, -{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, -{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }, -{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 }, -{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0 }, + {"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1 }, + {"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1 }, + {"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1 }, + {"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1 }, + {"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1 }, + {"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1 }, + {"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1 }, + {"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0 }, + {"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0 }, + {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0 }, + {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1 }, + {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, + {"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, + {"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }, + {"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 }, + {"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0 }, }; static char *prflags[] = { @@ -1036,7 +1036,7 @@ kadmin_addprinc_usage() #if APPLE_PKINIT "\t\t[-certhash hash_string]\n" #endif /* APPLE_PKINIT */ - ); + ); fprintf(stderr, "\tattributes are:\n"); fprintf(stderr, "%s%s%s", "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", @@ -1061,7 +1061,7 @@ kadmin_modprinc_usage() "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" "\t\t\tLook at each database documentation for supported arguments\n" - ); + ); } /* Create a dummy password for old-style (pre-1.8) randkey creation. */ @@ -1111,7 +1111,7 @@ kadmin_addprinc(int argc, char *argv[]) #if APPLE_PKINIT if(cert_hash != NULL) { fprintf(stderr, - "add_principal: -certhash not allowed; use modify_principal\n"); + "add_principal: -certhash not allowed; use modify_principal\n"); goto cleanup; } #endif /* APPLE_PKINIT */ @@ -1643,9 +1643,9 @@ kadmin_getpol(int argc, char *argv[]) printf("Maximum password failures before lockout: %lu\n", (unsigned long)policy.pw_max_fail); printf("Password failure count reset interval: %ld\n", - (long)policy.pw_failcnt_interval); + (long)policy.pw_failcnt_interval); printf("Password lockout duration: %ld\n", - (long)policy.pw_lockout_duration); + (long)policy.pw_lockout_duration); } else { printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%lu\t%ld\t%ld\n", policy.policy, policy.pw_max_life, policy.pw_min_life, diff --git a/src/kadmin/cli/kadmin.h b/src/kadmin/cli/kadmin.h index 745ebcb2b..5c9decc7d 100644 --- a/src/kadmin/cli/kadmin.h +++ b/src/kadmin/cli/kadmin.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/cli/kadmin.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Prototypes for kadmin functions called from SS library. */ @@ -67,9 +68,8 @@ extern time_t get_date(char *); /* Yucky global variables */ extern krb5_context context; -extern char *krb5_defkeyname; +extern char *krb5_defkeyname; extern char *whoami; extern void *handle; #endif /* __KADMIN_H__ */ - diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c index fa2de42a8..8d14f860a 100644 --- a/src/kadmin/cli/keytab.c +++ b/src/kadmin/cli/keytab.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * @@ -285,11 +285,11 @@ add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys); else #endif - if (keepold || ks_tuple != NULL) { - code = kadm5_randkey_principal_3(lhandle, princ, keepold, - n_ks_tuple, ks_tuple, &keys, &nkeys); - } else - code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys); + if (keepold || ks_tuple != NULL) { + code = kadm5_randkey_principal_3(lhandle, princ, keepold, + n_ks_tuple, ks_tuple, &keys, &nkeys); + } else + code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys); if (code != 0) { if (code == KADM5_UNK_PRINC) { fprintf(stderr, "%s: Principal %s does not exist.\n", diff --git a/src/kadmin/cli/keytab_local.c b/src/kadmin/cli/keytab_local.c index 1f029a7a9..bb9cd88df 100644 --- a/src/kadmin/cli/keytab_local.c +++ b/src/kadmin/cli/keytab_local.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * A wrapper around keytab.c used by kadmin.local to expose the -norandkey * flag. This avoids building two object files from the same source file, diff --git a/src/kadmin/cli/ss_wrapper.c b/src/kadmin/cli/ss_wrapper.c index 93cf1dc7d..92ea16a54 100644 --- a/src/kadmin/cli/ss_wrapper.c +++ b/src/kadmin/cli/ss_wrapper.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1994 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -7,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +21,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * ss wrapper for kadmin */ @@ -52,12 +52,12 @@ main(int argc, char *argv[]) exit(1); } if (request) { - code = ss_execute_line(sci_idx, request); - if (code != 0) { - ss_perror(sci_idx, code, request); - exit_status++; - } + code = ss_execute_line(sci_idx, request); + if (code != 0) { + ss_perror(sci_idx, code, request); + exit_status++; + } } else - retval = ss_listen(sci_idx); + retval = ss_listen(sci_idx); return quit() ? 1 : exit_status; } diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index c03e88d12..636127184 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/dbutil/dump.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Dump a KDC database */ @@ -40,240 +41,240 @@ #include "kdb5_util.h" #if defined(HAVE_REGEX_H) && defined(HAVE_REGCOMP) #include -#endif /* HAVE_REGEX_H */ +#endif /* HAVE_REGEX_H */ /* * Needed for master key conversion. */ -static int mkey_convert; -krb5_keyblock new_master_keyblock; +static int mkey_convert; +krb5_keyblock new_master_keyblock; krb5_kvno new_mkvno; -static int backwards; -static int recursive; +static int backwards; +static int recursive; /* * Use compile(3) if no regcomp present. */ -#if !defined(HAVE_REGCOMP) && defined(HAVE_REGEXP_H) -#define INIT char *sp = instring; -#define GETC() (*sp++) -#define PEEKC() (*sp) -#define UNGETC(c) (--sp) -#define RETURN(c) return(c) -#define ERROR(c) -#define RE_BUF_SIZE 1024 +#if !defined(HAVE_REGCOMP) && defined(HAVE_REGEXP_H) +#define INIT char *sp = instring; +#define GETC() (*sp++) +#define PEEKC() (*sp) +#define UNGETC(c) (--sp) +#define RETURN(c) return(c) +#define ERROR(c) +#define RE_BUF_SIZE 1024 #include -#endif /* !HAVE_REGCOMP && HAVE_REGEXP_H */ +#endif /* !HAVE_REGCOMP && HAVE_REGEXP_H */ -#define FLAG_VERBOSE 0x1 /* be verbose */ -#define FLAG_UPDATE 0x2 /* processing an update */ -#define FLAG_OMIT_NRA 0x4 /* avoid dumping non-replicated attrs */ +#define FLAG_VERBOSE 0x1 /* be verbose */ +#define FLAG_UPDATE 0x2 /* processing an update */ +#define FLAG_OMIT_NRA 0x4 /* avoid dumping non-replicated attrs */ struct dump_args { - char *programname; - FILE *ofile; - krb5_context kcontext; - char **names; - int nnames; - int flags; + char *programname; + FILE *ofile; + krb5_context kcontext; + char **names; + int nnames; + int flags; }; static krb5_error_code dump_k5beta_iterator (krb5_pointer, - krb5_db_entry *); + krb5_db_entry *); static krb5_error_code dump_k5beta6_iterator (krb5_pointer, - krb5_db_entry *); + krb5_db_entry *); static krb5_error_code dump_k5beta6_iterator_ext (krb5_pointer, - krb5_db_entry *, - int); + krb5_db_entry *, + int); static krb5_error_code dump_k5beta7_princ (krb5_pointer, - krb5_db_entry *); + krb5_db_entry *); static krb5_error_code dump_k5beta7_princ_ext (krb5_pointer, - krb5_db_entry *, - int); + krb5_db_entry *, + int); static krb5_error_code dump_k5beta7_princ_withpolicy - (krb5_pointer, krb5_db_entry *); +(krb5_pointer, krb5_db_entry *); static krb5_error_code dump_ov_princ (krb5_pointer, - krb5_db_entry *); + krb5_db_entry *); static void dump_k5beta7_policy (void *, osa_policy_ent_t); static void dump_r1_8_policy (void *, osa_policy_ent_t); typedef krb5_error_code (*dump_func)(krb5_pointer, - krb5_db_entry *); + krb5_db_entry *); static int process_k5beta_record (char *, krb5_context, - FILE *, int, int *); + FILE *, int, int *); static int process_k5beta6_record (char *, krb5_context, - FILE *, int, int *); + FILE *, int, int *); static int process_k5beta7_record (char *, krb5_context, - FILE *, int, int *); + FILE *, int, int *); static int process_r1_8_record (char *, krb5_context, - FILE *, int, int *); + FILE *, int, int *); static int process_ov_record (char *, krb5_context, - FILE *, int, int *); + FILE *, int, int *); typedef krb5_error_code (*load_func)(char *, krb5_context, - FILE *, int, int *); + FILE *, int, int *); typedef struct _dump_version { - char *name; - char *header; - int updateonly; - int create_kadm5; - dump_func dump_princ; - osa_adb_iter_policy_func dump_policy; - load_func load_record; + char *name; + char *header; + int updateonly; + int create_kadm5; + dump_func dump_princ; + osa_adb_iter_policy_func dump_policy; + load_func load_record; } dump_version; dump_version old_version = { - "Kerberos version 5 old format", - "kdb5_edit load_dump version 2.0\n", - 0, - 1, - dump_k5beta_iterator, - NULL, - process_k5beta_record, + "Kerberos version 5 old format", + "kdb5_edit load_dump version 2.0\n", + 0, + 1, + dump_k5beta_iterator, + NULL, + process_k5beta_record, }; dump_version beta6_version = { - "Kerberos version 5 beta 6 format", - "kdb5_edit load_dump version 3.0\n", - 0, - 1, - dump_k5beta6_iterator, - NULL, - process_k5beta6_record, + "Kerberos version 5 beta 6 format", + "kdb5_edit load_dump version 3.0\n", + 0, + 1, + dump_k5beta6_iterator, + NULL, + process_k5beta6_record, }; dump_version beta7_version = { - "Kerberos version 5", - "kdb5_util load_dump version 4\n", - 0, - 0, - dump_k5beta7_princ, - dump_k5beta7_policy, - process_k5beta7_record, + "Kerberos version 5", + "kdb5_util load_dump version 4\n", + 0, + 0, + dump_k5beta7_princ, + dump_k5beta7_policy, + process_k5beta7_record, }; dump_version iprop_version = { - "Kerberos iprop version", - "iprop", - 0, - 0, - dump_k5beta7_princ_withpolicy, - dump_k5beta7_policy, - process_k5beta7_record, + "Kerberos iprop version", + "iprop", + 0, + 0, + dump_k5beta7_princ_withpolicy, + dump_k5beta7_policy, + process_k5beta7_record, }; dump_version ov_version = { - "OpenV*Secure V1.0", - "OpenV*Secure V1.0\t", - 1, - 1, - dump_ov_princ, - dump_k5beta7_policy, - process_ov_record + "OpenV*Secure V1.0", + "OpenV*Secure V1.0\t", + 1, + 1, + dump_ov_princ, + dump_k5beta7_policy, + process_ov_record }; dump_version r1_3_version = { - "Kerberos version 5 release 1.3", - "kdb5_util load_dump version 5\n", - 0, - 0, - dump_k5beta7_princ_withpolicy, - dump_k5beta7_policy, - process_k5beta7_record, + "Kerberos version 5 release 1.3", + "kdb5_util load_dump version 5\n", + 0, + 0, + dump_k5beta7_princ_withpolicy, + dump_k5beta7_policy, + process_k5beta7_record, }; dump_version r1_8_version = { - "Kerberos version 5 release 1.8", - "kdb5_util load_dump version 6\n", - 0, - 0, - dump_k5beta7_princ_withpolicy, - dump_r1_8_policy, - process_r1_8_record, + "Kerberos version 5 release 1.8", + "kdb5_util load_dump version 6\n", + 0, + 0, + dump_k5beta7_princ_withpolicy, + dump_r1_8_policy, + process_r1_8_record, }; dump_version ipropx_1_version = { - "Kerberos iprop extensible version", - "ipropx", - 0, - 0, - dump_k5beta7_princ_withpolicy, - dump_r1_8_policy, - process_r1_8_record, + "Kerberos iprop extensible version", + "ipropx", + 0, + 0, + dump_k5beta7_princ_withpolicy, + dump_r1_8_policy, + process_r1_8_record, }; /* External data */ -extern char *current_dbname; -extern krb5_boolean dbactive; -extern int exit_status; -extern krb5_context util_context; +extern char *current_dbname; +extern krb5_boolean dbactive; +extern int exit_status; +extern krb5_context util_context; extern kadm5_config_params global_params; extern krb5_db_entry master_entry; /* Strings */ -#define k5beta_dump_header "kdb5_edit load_dump version 2.0\n" +#define k5beta_dump_header "kdb5_edit load_dump version 2.0\n" static const char null_mprinc_name[] = "kdb5_dump@MISSING"; /* Message strings */ -#define regex_err "%s: regular expression error - %s\n" -#define regex_merr "%s: regular expression match error - %s\n" -#define pname_unp_err "%s: cannot unparse principal name (%s)\n" -#define mname_unp_err "%s: cannot unparse modifier name (%s)\n" -#define nokeys_err "%s: cannot find any standard key for %s\n" -#define sdump_tl_inc_err "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n" -#define stand_fmt_name "Kerberos version 5" -#define old_fmt_name "Kerberos version 5 old format" -#define b6_fmt_name "Kerberos version 5 beta 6 format" -#define r1_3_fmt_name "Kerberos version 5 release 1.3 format" -#define ofopen_error "%s: cannot open %s for writing (%s)\n" -#define oflock_error "%s: cannot lock %s (%s)\n" -#define dumprec_err "%s: error performing %s dump (%s)\n" -#define dumphdr_err "%s: error dumping %s header (%s)\n" -#define trash_end_fmt "%s(%d): ignoring trash at end of line: " -#define read_name_string "name string" -#define read_key_type "key type" -#define read_key_data "key data" -#define read_pr_data1 "first set of principal attributes" -#define read_mod_name "modifier name" -#define read_pr_data2 "second set of principal attributes" -#define read_salt_data "salt data" -#define read_akey_type "alternate key type" -#define read_akey_data "alternate key data" -#define read_asalt_type "alternate salt type" -#define read_asalt_data "alternate salt data" -#define read_exp_data "expansion data" -#define store_err_fmt "%s(%d): cannot store %s(%s)\n" -#define add_princ_fmt "%s\n" -#define parse_err_fmt "%s(%d): cannot parse %s (%s)\n" -#define read_err_fmt "%s(%d): cannot read %s\n" -#define no_mem_fmt "%s(%d): no memory for buffers\n" -#define rhead_err_fmt "%s(%d): cannot match size tokens\n" -#define err_line_fmt "%s: error processing line %d of %s\n" -#define head_bad_fmt "%s: dump header bad in %s\n" -#define read_bytecnt "record byte count" -#define read_encdata "encoded data" -#define n_name_unp_fmt "%s(%s): cannot unparse name\n" -#define n_dec_cont_fmt "%s(%s): cannot decode contents\n" -#define read_nint_data "principal static attributes" -#define read_tcontents "tagged data contents" -#define read_ttypelen "tagged data type and length" -#define read_kcontents "key data contents" -#define read_ktypelen "key data type and length" -#define read_econtents "extra data contents" -#define k5beta_fmt_name "Kerberos version 5 old format" -#define standard_fmt_name "Kerberos version 5 format" -#define no_name_mem_fmt "%s: cannot get memory for temporary name\n" -#define ctx_err_fmt "%s: cannot initialize Kerberos context\n" -#define stdin_name "standard input" -#define remaster_err_fmt "while re-encoding keys for principal %s with new master key" -#define restfail_fmt "%s: %s restore failed\n" -#define close_err_fmt "%s: cannot close database (%s)\n" -#define dbinit_err_fmt "%s: cannot initialize database (%s)\n" -#define dblock_err_fmt "%s: cannot initialize database lock (%s)\n" -#define dbname_err_fmt "%s: cannot set database name to %s (%s)\n" -#define dbdelerr_fmt "%s: cannot delete bad database %s (%s)\n" -#define dbunlockerr_fmt "%s: cannot unlock database %s (%s)\n" -#define dbrenerr_fmt "%s: cannot rename database %s to %s (%s)\n" -#define dbcreaterr_fmt "%s: cannot create database %s (%s)\n" -#define dfile_err_fmt "%s: cannot open %s (%s)\n" +#define regex_err "%s: regular expression error - %s\n" +#define regex_merr "%s: regular expression match error - %s\n" +#define pname_unp_err "%s: cannot unparse principal name (%s)\n" +#define mname_unp_err "%s: cannot unparse modifier name (%s)\n" +#define nokeys_err "%s: cannot find any standard key for %s\n" +#define sdump_tl_inc_err "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n" +#define stand_fmt_name "Kerberos version 5" +#define old_fmt_name "Kerberos version 5 old format" +#define b6_fmt_name "Kerberos version 5 beta 6 format" +#define r1_3_fmt_name "Kerberos version 5 release 1.3 format" +#define ofopen_error "%s: cannot open %s for writing (%s)\n" +#define oflock_error "%s: cannot lock %s (%s)\n" +#define dumprec_err "%s: error performing %s dump (%s)\n" +#define dumphdr_err "%s: error dumping %s header (%s)\n" +#define trash_end_fmt "%s(%d): ignoring trash at end of line: " +#define read_name_string "name string" +#define read_key_type "key type" +#define read_key_data "key data" +#define read_pr_data1 "first set of principal attributes" +#define read_mod_name "modifier name" +#define read_pr_data2 "second set of principal attributes" +#define read_salt_data "salt data" +#define read_akey_type "alternate key type" +#define read_akey_data "alternate key data" +#define read_asalt_type "alternate salt type" +#define read_asalt_data "alternate salt data" +#define read_exp_data "expansion data" +#define store_err_fmt "%s(%d): cannot store %s(%s)\n" +#define add_princ_fmt "%s\n" +#define parse_err_fmt "%s(%d): cannot parse %s (%s)\n" +#define read_err_fmt "%s(%d): cannot read %s\n" +#define no_mem_fmt "%s(%d): no memory for buffers\n" +#define rhead_err_fmt "%s(%d): cannot match size tokens\n" +#define err_line_fmt "%s: error processing line %d of %s\n" +#define head_bad_fmt "%s: dump header bad in %s\n" +#define read_bytecnt "record byte count" +#define read_encdata "encoded data" +#define n_name_unp_fmt "%s(%s): cannot unparse name\n" +#define n_dec_cont_fmt "%s(%s): cannot decode contents\n" +#define read_nint_data "principal static attributes" +#define read_tcontents "tagged data contents" +#define read_ttypelen "tagged data type and length" +#define read_kcontents "key data contents" +#define read_ktypelen "key data type and length" +#define read_econtents "extra data contents" +#define k5beta_fmt_name "Kerberos version 5 old format" +#define standard_fmt_name "Kerberos version 5 format" +#define no_name_mem_fmt "%s: cannot get memory for temporary name\n" +#define ctx_err_fmt "%s: cannot initialize Kerberos context\n" +#define stdin_name "standard input" +#define remaster_err_fmt "while re-encoding keys for principal %s with new master key" +#define restfail_fmt "%s: %s restore failed\n" +#define close_err_fmt "%s: cannot close database (%s)\n" +#define dbinit_err_fmt "%s: cannot initialize database (%s)\n" +#define dblock_err_fmt "%s: cannot initialize database lock (%s)\n" +#define dbname_err_fmt "%s: cannot set database name to %s (%s)\n" +#define dbdelerr_fmt "%s: cannot delete bad database %s (%s)\n" +#define dbunlockerr_fmt "%s: cannot unlock database %s (%s)\n" +#define dbrenerr_fmt "%s: cannot rename database %s to %s (%s)\n" +#define dbcreaterr_fmt "%s: cannot create database %s (%s)\n" +#define dfile_err_fmt "%s: cannot open %s (%s)\n" static const char oldoption[] = "-old"; static const char b6option[] = "-b6"; @@ -290,15 +291,15 @@ static const char dump_tmptrail[] = "~"; * Re-encrypt the key_data with the new master key... */ krb5_error_code master_key_convert(context, db_entry) - krb5_context context; - krb5_db_entry * db_entry; + krb5_context context; + krb5_db_entry * db_entry; { - krb5_error_code retval; - krb5_keyblock v5plainkey, *key_ptr; - krb5_keysalt keysalt; - int i, j; - krb5_key_data new_key_data, *key_data; - krb5_boolean is_mkey; + krb5_error_code retval; + krb5_keyblock v5plainkey, *key_ptr; + krb5_keysalt keysalt; + int i, j; + krb5_key_data new_key_data, *key_data; + krb5_boolean is_mkey; krb5_kvno kvno; is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ); @@ -321,7 +322,7 @@ krb5_error_code master_key_convert(context, db_entry) key_data, &v5plainkey, &keysalt); if (retval) - return retval; + return retval; memset(&new_key_data, 0, sizeof(new_key_data)); @@ -333,7 +334,7 @@ krb5_error_code master_key_convert(context, db_entry) (int) kvno, &new_key_data); if (retval) - return retval; + return retval; krb5_free_keyblock_contents(context, &v5plainkey); for (j = 0; j < key_data->key_data_ver; j++) { if (key_data->key_data_length[j]) { @@ -342,10 +343,10 @@ krb5_error_code master_key_convert(context, db_entry) } *key_data = new_key_data; } - assert(new_mkvno > 0); + assert(new_mkvno > 0); retval = krb5_dbe_update_mkvno(context, db_entry, new_mkvno); if (retval) - return retval; + return retval; } return 0; } @@ -354,173 +355,173 @@ krb5_error_code master_key_convert(context, db_entry) * Update the "ok" file. */ void update_ok_file (file_name) - char *file_name; + char *file_name; { - /* handle slave locking/failure stuff */ - char *file_ok; - int fd; - static char ok[]=".dump_ok"; - - if (asprintf(&file_ok, "%s%s", file_name, ok) < 0) { - com_err(progname, ENOMEM, - "while allocating filename for update_ok_file"); - exit_status++; - return; - } - if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { - com_err(progname, errno, "while creating 'ok' file, '%s'", - file_ok); - exit_status++; - free(file_ok); - return; - } - if (write(fd, "", 1) != 1) { - com_err(progname, errno, "while writing to 'ok' file, '%s'", - file_ok); - exit_status++; - free(file_ok); - return; - } - - free(file_ok); - close(fd); - return; + /* handle slave locking/failure stuff */ + char *file_ok; + int fd; + static char ok[]=".dump_ok"; + + if (asprintf(&file_ok, "%s%s", file_name, ok) < 0) { + com_err(progname, ENOMEM, + "while allocating filename for update_ok_file"); + exit_status++; + return; + } + if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { + com_err(progname, errno, "while creating 'ok' file, '%s'", + file_ok); + exit_status++; + free(file_ok); + return; + } + if (write(fd, "", 1) != 1) { + com_err(progname, errno, "while writing to 'ok' file, '%s'", + file_ok); + exit_status++; + free(file_ok); + return; + } + + free(file_ok); + close(fd); + return; } /* - * name_matches() - See if a principal name matches a regular expression - * or string. + * name_matches() - See if a principal name matches a regular expression + * or string. */ static int name_matches(name, arglist) - char *name; - struct dump_args *arglist; + char *name; + struct dump_args *arglist; { -#if HAVE_REGCOMP - regex_t match_exp; - regmatch_t match_match; - int match_error; - char match_errmsg[BUFSIZ]; - size_t errmsg_size; -#elif HAVE_REGEXP_H - char regexp_buffer[RE_BUF_SIZE]; -#elif HAVE_RE_COMP - extern char *re_comp(); - char *re_result; -#endif /* HAVE_RE_COMP */ - int i, match; +#if HAVE_REGCOMP + regex_t match_exp; + regmatch_t match_match; + int match_error; + char match_errmsg[BUFSIZ]; + size_t errmsg_size; +#elif HAVE_REGEXP_H + char regexp_buffer[RE_BUF_SIZE]; +#elif HAVE_RE_COMP + extern char *re_comp(); + char *re_result; +#endif /* HAVE_RE_COMP */ + int i, match; /* * Plow, brute force, through the list of names/regular expressions. */ match = (arglist->nnames) ? 0 : 1; for (i=0; innames; i++) { -#if HAVE_REGCOMP - /* - * Compile the regular expression. - */ - match_error = regcomp(&match_exp, arglist->names[i], REG_EXTENDED); - if (match_error) { - errmsg_size = regerror(match_error, - &match_exp, - match_errmsg, - sizeof(match_errmsg)); - fprintf(stderr, regex_err, arglist->programname, match_errmsg); - break; - } - /* - * See if we have a match. - */ - match_error = regexec(&match_exp, name, 1, &match_match, 0); - if (match_error) { - if (match_error != REG_NOMATCH) { - errmsg_size = regerror(match_error, - &match_exp, - match_errmsg, - sizeof(match_errmsg)); - fprintf(stderr, regex_merr, - arglist->programname, match_errmsg); - break; - } - } - else { - /* - * We have a match. See if it matches the whole - * name. - */ - if ((match_match.rm_so == 0) && - (match_match.rm_eo == strlen(name))) - match = 1; - } - regfree(&match_exp); -#elif HAVE_REGEXP_H - /* - * Compile the regular expression. - */ - compile(arglist->names[i], - regexp_buffer, - ®exp_buffer[RE_BUF_SIZE], - '\0'); - if (step(name, regexp_buffer)) { - if ((loc1 == name) && - (loc2 == &name[strlen(name)])) - match = 1; - } -#elif HAVE_RE_COMP - /* - * Compile the regular expression. - */ - if (re_result = re_comp(arglist->names[i])) { - fprintf(stderr, regex_err, arglist->programname, re_result); - break; - } - if (re_exec(name)) - match = 1; -#else /* HAVE_RE_COMP */ - /* - * If no regular expression support, then just compare the strings. - */ - if (!strcmp(arglist->names[i], name)) - match = 1; -#endif /* HAVE_REGCOMP */ - if (match) - break; +#if HAVE_REGCOMP + /* + * Compile the regular expression. + */ + match_error = regcomp(&match_exp, arglist->names[i], REG_EXTENDED); + if (match_error) { + errmsg_size = regerror(match_error, + &match_exp, + match_errmsg, + sizeof(match_errmsg)); + fprintf(stderr, regex_err, arglist->programname, match_errmsg); + break; + } + /* + * See if we have a match. + */ + match_error = regexec(&match_exp, name, 1, &match_match, 0); + if (match_error) { + if (match_error != REG_NOMATCH) { + errmsg_size = regerror(match_error, + &match_exp, + match_errmsg, + sizeof(match_errmsg)); + fprintf(stderr, regex_merr, + arglist->programname, match_errmsg); + break; + } + } + else { + /* + * We have a match. See if it matches the whole + * name. + */ + if ((match_match.rm_so == 0) && + (match_match.rm_eo == strlen(name))) + match = 1; + } + regfree(&match_exp); +#elif HAVE_REGEXP_H + /* + * Compile the regular expression. + */ + compile(arglist->names[i], + regexp_buffer, + ®exp_buffer[RE_BUF_SIZE], + '\0'); + if (step(name, regexp_buffer)) { + if ((loc1 == name) && + (loc2 == &name[strlen(name)])) + match = 1; + } +#elif HAVE_RE_COMP + /* + * Compile the regular expression. + */ + if (re_result = re_comp(arglist->names[i])) { + fprintf(stderr, regex_err, arglist->programname, re_result); + break; + } + if (re_exec(name)) + match = 1; +#else /* HAVE_RE_COMP */ + /* + * If no regular expression support, then just compare the strings. + */ + if (!strcmp(arglist->names[i], name)) + match = 1; +#endif /* HAVE_REGCOMP */ + if (match) + break; } return(match); } static krb5_error_code find_enctype(dbentp, enctype, salttype, kentp) - krb5_db_entry *dbentp; - krb5_enctype enctype; - krb5_int32 salttype; - krb5_key_data **kentp; + krb5_db_entry *dbentp; + krb5_enctype enctype; + krb5_int32 salttype; + krb5_key_data **kentp; { - int i; - int maxkvno; - krb5_key_data *datap; + int i; + int maxkvno; + krb5_key_data *datap; maxkvno = -1; datap = (krb5_key_data *) NULL; for (i=0; in_key_data; i++) { - if (( (krb5_enctype)dbentp->key_data[i].key_data_type[0] == enctype) && - ((dbentp->key_data[i].key_data_type[1] == salttype) || - (salttype < 0))) { - maxkvno = dbentp->key_data[i].key_data_kvno; - datap = &dbentp->key_data[i]; - } + if (( (krb5_enctype)dbentp->key_data[i].key_data_type[0] == enctype) && + ((dbentp->key_data[i].key_data_type[1] == salttype) || + (salttype < 0))) { + maxkvno = dbentp->key_data[i].key_data_kvno; + datap = &dbentp->key_data[i]; + } } if (maxkvno >= 0) { - *kentp = datap; - return(0); + *kentp = datap; + return(0); } - return(ENOENT); + return(ENOENT); } #if 0 /* - * dump_k5beta_header() - Make a dump header that is recognizable by Kerberos - * Version 5 Beta 5 and previous releases. + * dump_k5beta_header() - Make a dump header that is recognizable by Kerberos + * Version 5 Beta 5 and previous releases. */ static krb5_error_code dump_k5beta_header(arglist) @@ -533,22 +534,22 @@ dump_k5beta_header(arglist) #endif /* - * dump_k5beta_iterator() - Dump an entry in a format that is usable - * by Kerberos Version 5 Beta 5 and previous - * releases. + * dump_k5beta_iterator() - Dump an entry in a format that is usable + * by Kerberos Version 5 Beta 5 and previous + * releases. */ static krb5_error_code dump_k5beta_iterator(ptr, entry) - krb5_pointer ptr; - krb5_db_entry *entry; + krb5_pointer ptr; + krb5_db_entry *entry; { - krb5_error_code retval; - struct dump_args *arg; - char *name, *mod_name; - krb5_principal mod_princ; - krb5_key_data *pkey, *akey, nullkey; - krb5_timestamp mod_date, last_pwd_change; - int i; + krb5_error_code retval; + struct dump_args *arg; + char *name, *mod_name; + krb5_principal mod_princ; + krb5_key_data *pkey, *akey, nullkey; + krb5_timestamp mod_date, last_pwd_change; + int i; /* Initialize */ arg = (struct dump_args *) ptr; @@ -560,177 +561,177 @@ dump_k5beta_iterator(ptr, entry) * Flatten the principal name. */ if ((retval = krb5_unparse_name(arg->kcontext, - entry->princ, - &name))) { - fprintf(stderr, pname_unp_err, - arg->programname, error_message(retval)); - return(retval); + entry->princ, + &name))) { + fprintf(stderr, pname_unp_err, + arg->programname, error_message(retval)); + return(retval); } /* * Re-encode the keys in the new master key, if necessary. */ if (mkey_convert) { - retval = master_key_convert(arg->kcontext, entry); - if (retval) { - com_err(arg->programname, retval, remaster_err_fmt, name); - return retval; - } + retval = master_key_convert(arg->kcontext, entry); + if (retval) { + com_err(arg->programname, retval, remaster_err_fmt, name); + return retval; + } } - + /* * If we don't have any match strings, or if our name matches, then * proceed with the dump, otherwise, just forget about it. */ if (!arg->nnames || name_matches(name, arg)) { - /* - * Deserialize the modifier record. - */ - mod_name = (char *) NULL; - mod_princ = NULL; - last_pwd_change = mod_date = 0; - pkey = akey = (krb5_key_data *) NULL; - if (!(retval = krb5_dbe_lookup_mod_princ_data(arg->kcontext, - entry, - &mod_date, - &mod_princ))) { - if (mod_princ) { - /* - * Flatten the modifier name. - */ - if ((retval = krb5_unparse_name(arg->kcontext, - mod_princ, - &mod_name))) - fprintf(stderr, mname_unp_err, arg->programname, - error_message(retval)); - krb5_free_principal(arg->kcontext, mod_princ); - } - } - if (!mod_name) - mod_name = strdup(null_mprinc_name); - - /* - * Find the last password change record and set it straight. - */ - if ((retval = - krb5_dbe_lookup_last_pwd_change(arg->kcontext, entry, - &last_pwd_change))) { - fprintf(stderr, nokeys_err, arg->programname, name); - free(mod_name); - free(name); - return(retval); - } - - /* - * Find the 'primary' key and the 'alternate' key. - */ - if ((retval = find_enctype(entry, - ENCTYPE_DES_CBC_CRC, - KRB5_KDB_SALTTYPE_NORMAL, - &pkey)) && - (retval = find_enctype(entry, - ENCTYPE_DES_CBC_CRC, - KRB5_KDB_SALTTYPE_V4, - &akey))) { - fprintf(stderr, nokeys_err, arg->programname, name); - free(mod_name); - free(name); - return(retval); - } - - /* If we only have one type, then ship it out as the primary. */ - if (!pkey && akey) { - pkey = akey; - akey = &nullkey; - } - else { - if (!akey) - akey = &nullkey; - } - - /* - * First put out strings representing the length of the variable - * length data in this record, then the name and the primary key type. - */ - fprintf(arg->ofile, "%lu\t%lu\t%d\t%d\t%d\t%d\t%s\t%d\t", - (unsigned long) strlen(name), - (unsigned long) strlen(mod_name), - (krb5_int32) pkey->key_data_length[0], - (krb5_int32) akey->key_data_length[0], - (krb5_int32) pkey->key_data_length[1], - (krb5_int32) akey->key_data_length[1], - name, - (krb5_int32) pkey->key_data_type[0]); - for (i=0; ikey_data_length[0]; i++) { - fprintf(arg->ofile, "%02x", pkey->key_data_contents[0][i]); - } - /* - * Second, print out strings representing the standard integer - * data in this record. - */ - fprintf(arg->ofile, - "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t", - (krb5_int32) pkey->key_data_kvno, - entry->max_life, entry->max_renewable_life, - 1 /* Fake mkvno */, entry->expiration, entry->pw_expiration, - last_pwd_change, - (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_success, - (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_failed, - (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->fail_auth_count, - mod_name, mod_date, - entry->attributes, pkey->key_data_type[1]); - - /* Pound out the salt data, if present. */ - for (i=0; ikey_data_length[1]; i++) { - fprintf(arg->ofile, "%02x", pkey->key_data_contents[1][i]); - } - /* Pound out the alternate key type and contents */ - fprintf(arg->ofile, "\t%u\t", akey->key_data_type[0]); - for (i=0; ikey_data_length[0]; i++) { - fprintf(arg->ofile, "%02x", akey->key_data_contents[0][i]); - } - /* Pound out the alternate salt type and contents */ - fprintf(arg->ofile, "\t%u\t", akey->key_data_type[1]); - for (i=0; ikey_data_length[1]; i++) { - fprintf(arg->ofile, "%02x", akey->key_data_contents[1][i]); - } - /* Pound out the expansion data. (is null) */ - for (i=0; i < 8; i++) { - fprintf(arg->ofile, "\t%u", 0); - } - fprintf(arg->ofile, ";\n"); - /* If we're blabbing, do it */ - if (arg->flags & FLAG_VERBOSE) - fprintf(stderr, "%s\n", name); - free(mod_name); + /* + * Deserialize the modifier record. + */ + mod_name = (char *) NULL; + mod_princ = NULL; + last_pwd_change = mod_date = 0; + pkey = akey = (krb5_key_data *) NULL; + if (!(retval = krb5_dbe_lookup_mod_princ_data(arg->kcontext, + entry, + &mod_date, + &mod_princ))) { + if (mod_princ) { + /* + * Flatten the modifier name. + */ + if ((retval = krb5_unparse_name(arg->kcontext, + mod_princ, + &mod_name))) + fprintf(stderr, mname_unp_err, arg->programname, + error_message(retval)); + krb5_free_principal(arg->kcontext, mod_princ); + } + } + if (!mod_name) + mod_name = strdup(null_mprinc_name); + + /* + * Find the last password change record and set it straight. + */ + if ((retval = + krb5_dbe_lookup_last_pwd_change(arg->kcontext, entry, + &last_pwd_change))) { + fprintf(stderr, nokeys_err, arg->programname, name); + free(mod_name); + free(name); + return(retval); + } + + /* + * Find the 'primary' key and the 'alternate' key. + */ + if ((retval = find_enctype(entry, + ENCTYPE_DES_CBC_CRC, + KRB5_KDB_SALTTYPE_NORMAL, + &pkey)) && + (retval = find_enctype(entry, + ENCTYPE_DES_CBC_CRC, + KRB5_KDB_SALTTYPE_V4, + &akey))) { + fprintf(stderr, nokeys_err, arg->programname, name); + free(mod_name); + free(name); + return(retval); + } + + /* If we only have one type, then ship it out as the primary. */ + if (!pkey && akey) { + pkey = akey; + akey = &nullkey; + } + else { + if (!akey) + akey = &nullkey; + } + + /* + * First put out strings representing the length of the variable + * length data in this record, then the name and the primary key type. + */ + fprintf(arg->ofile, "%lu\t%lu\t%d\t%d\t%d\t%d\t%s\t%d\t", + (unsigned long) strlen(name), + (unsigned long) strlen(mod_name), + (krb5_int32) pkey->key_data_length[0], + (krb5_int32) akey->key_data_length[0], + (krb5_int32) pkey->key_data_length[1], + (krb5_int32) akey->key_data_length[1], + name, + (krb5_int32) pkey->key_data_type[0]); + for (i=0; ikey_data_length[0]; i++) { + fprintf(arg->ofile, "%02x", pkey->key_data_contents[0][i]); + } + /* + * Second, print out strings representing the standard integer + * data in this record. + */ + fprintf(arg->ofile, + "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t", + (krb5_int32) pkey->key_data_kvno, + entry->max_life, entry->max_renewable_life, + 1 /* Fake mkvno */, entry->expiration, entry->pw_expiration, + last_pwd_change, + (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_success, + (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_failed, + (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->fail_auth_count, + mod_name, mod_date, + entry->attributes, pkey->key_data_type[1]); + + /* Pound out the salt data, if present. */ + for (i=0; ikey_data_length[1]; i++) { + fprintf(arg->ofile, "%02x", pkey->key_data_contents[1][i]); + } + /* Pound out the alternate key type and contents */ + fprintf(arg->ofile, "\t%u\t", akey->key_data_type[0]); + for (i=0; ikey_data_length[0]; i++) { + fprintf(arg->ofile, "%02x", akey->key_data_contents[0][i]); + } + /* Pound out the alternate salt type and contents */ + fprintf(arg->ofile, "\t%u\t", akey->key_data_type[1]); + for (i=0; ikey_data_length[1]; i++) { + fprintf(arg->ofile, "%02x", akey->key_data_contents[1][i]); + } + /* Pound out the expansion data. (is null) */ + for (i=0; i < 8; i++) { + fprintf(arg->ofile, "\t%u", 0); + } + fprintf(arg->ofile, ";\n"); + /* If we're blabbing, do it */ + if (arg->flags & FLAG_VERBOSE) + fprintf(stderr, "%s\n", name); + free(mod_name); } free(name); return(0); } /* - * dump_k5beta6_iterator() - Output a dump record in krb5b6 format. + * dump_k5beta6_iterator() - Output a dump record in krb5b6 format. */ static krb5_error_code dump_k5beta6_iterator(ptr, entry) - krb5_pointer ptr; - krb5_db_entry *entry; + krb5_pointer ptr; + krb5_db_entry *entry; { return dump_k5beta6_iterator_ext(ptr, entry, 0); } static krb5_error_code dump_k5beta6_iterator_ext(ptr, entry, kadm) - krb5_pointer ptr; - krb5_db_entry *entry; - int kadm; + krb5_pointer ptr; + krb5_db_entry *entry; + int kadm; { - krb5_error_code retval; - struct dump_args *arg; - char *name; - krb5_tl_data *tlp; - krb5_key_data *kdata; - int counter, skip, i, j; + krb5_error_code retval; + struct dump_args *arg; + char *name; + krb5_tl_data *tlp; + krb5_key_data *kdata; + int counter, skip, i, j; /* Initialize */ arg = (struct dump_args *) ptr; @@ -740,274 +741,274 @@ dump_k5beta6_iterator_ext(ptr, entry, kadm) * Flatten the principal name. */ if ((retval = krb5_unparse_name(arg->kcontext, - entry->princ, - &name))) { - fprintf(stderr, pname_unp_err, - arg->programname, error_message(retval)); - return(retval); + entry->princ, + &name))) { + fprintf(stderr, pname_unp_err, + arg->programname, error_message(retval)); + return(retval); } /* * Re-encode the keys in the new master key, if necessary. */ if (mkey_convert) { - retval = master_key_convert(arg->kcontext, entry); - if (retval) { - com_err(arg->programname, retval, remaster_err_fmt, name); - return retval; - } + retval = master_key_convert(arg->kcontext, entry); + if (retval) { + com_err(arg->programname, retval, remaster_err_fmt, name); + return retval; + } } - + /* * If we don't have any match strings, or if our name matches, then * proceed with the dump, otherwise, just forget about it. */ if (!arg->nnames || name_matches(name, arg)) { - /* - * We'd like to just blast out the contents as they would appear in - * the database so that we can just suck it back in, but it doesn't - * lend itself to easy editing. - */ - - /* - * The dump format is as follows: - * len strlen(name) n_tl_data n_key_data e_length - * name - * attributes max_life max_renewable_life expiration - * pw_expiration last_success last_failed fail_auth_count - * n_tl_data*[type length ] - * n_key_data*[ver kvno ver*(type length )] - * - * Fields which are not encapsulated by angle-brackets are to appear - * verbatim. A bracketed field's absence is indicated by a -1 in its - * place - */ - - /* - * Make sure that the tagged list is reasonably correct. - */ - counter = skip = 0; - for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) { - /* - * don't dump tl data types we know aren't understood by - * earlier revisions [krb5-admin/89] - */ - switch (tlp->tl_data_type) { - case KRB5_TL_KADM_DATA: - if (kadm) - counter++; - else - skip++; - break; - default: - counter++; - break; - } - } - - if (counter + skip == entry->n_tl_data) { - /* Pound out header */ - fprintf(arg->ofile, "%d\t%lu\t%d\t%d\t%d\t%s\t", - (int) entry->len, - (unsigned long) strlen(name), - counter, - (int) entry->n_key_data, - (int) entry->e_length, - name); - fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t", - entry->attributes, - entry->max_life, - entry->max_renewable_life, - entry->expiration, - entry->pw_expiration, - (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_success, - (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_failed, - (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->fail_auth_count); - /* Pound out tagged data. */ - for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) { - if (tlp->tl_data_type == KRB5_TL_KADM_DATA && !kadm) - continue; /* see above, [krb5-admin/89] */ - - fprintf(arg->ofile, "%d\t%d\t", - (int) tlp->tl_data_type, - (int) tlp->tl_data_length); - if (tlp->tl_data_length) - for (i=0; itl_data_length; i++) - fprintf(arg->ofile, "%02x", tlp->tl_data_contents[i]); - else - fprintf(arg->ofile, "%d", -1); - fprintf(arg->ofile, "\t"); - } - - /* Pound out key data */ - for (counter=0; countern_key_data; counter++) { - kdata = &entry->key_data[counter]; - fprintf(arg->ofile, "%d\t%d\t", - (int) kdata->key_data_ver, - (int) kdata->key_data_kvno); - for (i=0; ikey_data_ver; i++) { - fprintf(arg->ofile, "%d\t%d\t", - kdata->key_data_type[i], - kdata->key_data_length[i]); - if (kdata->key_data_length[i]) - for (j=0; jkey_data_length[i]; j++) - fprintf(arg->ofile, "%02x", - kdata->key_data_contents[i][j]); - else - fprintf(arg->ofile, "%d", -1); - fprintf(arg->ofile, "\t"); - } - } - - /* Pound out extra data */ - if (entry->e_length) - for (i=0; ie_length; i++) - fprintf(arg->ofile, "%02x", entry->e_data[i]); - else - fprintf(arg->ofile, "%d", -1); - - /* Print trailer */ - fprintf(arg->ofile, ";\n"); - - if (arg->flags & FLAG_VERBOSE) - fprintf(stderr, "%s\n", name); - } - else { - fprintf(stderr, sdump_tl_inc_err, - arg->programname, name, counter+skip, - (int) entry->n_tl_data); - retval = EINVAL; - } + /* + * We'd like to just blast out the contents as they would appear in + * the database so that we can just suck it back in, but it doesn't + * lend itself to easy editing. + */ + + /* + * The dump format is as follows: + * len strlen(name) n_tl_data n_key_data e_length + * name + * attributes max_life max_renewable_life expiration + * pw_expiration last_success last_failed fail_auth_count + * n_tl_data*[type length ] + * n_key_data*[ver kvno ver*(type length )] + * + * Fields which are not encapsulated by angle-brackets are to appear + * verbatim. A bracketed field's absence is indicated by a -1 in its + * place + */ + + /* + * Make sure that the tagged list is reasonably correct. + */ + counter = skip = 0; + for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) { + /* + * don't dump tl data types we know aren't understood by + * earlier revisions [krb5-admin/89] + */ + switch (tlp->tl_data_type) { + case KRB5_TL_KADM_DATA: + if (kadm) + counter++; + else + skip++; + break; + default: + counter++; + break; + } + } + + if (counter + skip == entry->n_tl_data) { + /* Pound out header */ + fprintf(arg->ofile, "%d\t%lu\t%d\t%d\t%d\t%s\t", + (int) entry->len, + (unsigned long) strlen(name), + counter, + (int) entry->n_key_data, + (int) entry->e_length, + name); + fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t", + entry->attributes, + entry->max_life, + entry->max_renewable_life, + entry->expiration, + entry->pw_expiration, + (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_success, + (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->last_failed, + (arg->flags & FLAG_OMIT_NRA) ? 0 : entry->fail_auth_count); + /* Pound out tagged data. */ + for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) { + if (tlp->tl_data_type == KRB5_TL_KADM_DATA && !kadm) + continue; /* see above, [krb5-admin/89] */ + + fprintf(arg->ofile, "%d\t%d\t", + (int) tlp->tl_data_type, + (int) tlp->tl_data_length); + if (tlp->tl_data_length) + for (i=0; itl_data_length; i++) + fprintf(arg->ofile, "%02x", tlp->tl_data_contents[i]); + else + fprintf(arg->ofile, "%d", -1); + fprintf(arg->ofile, "\t"); + } + + /* Pound out key data */ + for (counter=0; countern_key_data; counter++) { + kdata = &entry->key_data[counter]; + fprintf(arg->ofile, "%d\t%d\t", + (int) kdata->key_data_ver, + (int) kdata->key_data_kvno); + for (i=0; ikey_data_ver; i++) { + fprintf(arg->ofile, "%d\t%d\t", + kdata->key_data_type[i], + kdata->key_data_length[i]); + if (kdata->key_data_length[i]) + for (j=0; jkey_data_length[i]; j++) + fprintf(arg->ofile, "%02x", + kdata->key_data_contents[i][j]); + else + fprintf(arg->ofile, "%d", -1); + fprintf(arg->ofile, "\t"); + } + } + + /* Pound out extra data */ + if (entry->e_length) + for (i=0; ie_length; i++) + fprintf(arg->ofile, "%02x", entry->e_data[i]); + else + fprintf(arg->ofile, "%d", -1); + + /* Print trailer */ + fprintf(arg->ofile, ";\n"); + + if (arg->flags & FLAG_VERBOSE) + fprintf(stderr, "%s\n", name); + } + else { + fprintf(stderr, sdump_tl_inc_err, + arg->programname, name, counter+skip, + (int) entry->n_tl_data); + retval = EINVAL; + } } free(name); return(retval); } /* - * dump_k5beta7_iterator() - Output a dump record in krb5b7 format. + * dump_k5beta7_iterator() - Output a dump record in krb5b7 format. */ static krb5_error_code dump_k5beta7_princ(ptr, entry) - krb5_pointer ptr; - krb5_db_entry *entry; + krb5_pointer ptr; + krb5_db_entry *entry; { return dump_k5beta7_princ_ext(ptr, entry, 0); } static krb5_error_code dump_k5beta7_princ_ext(ptr, entry, kadm) - krb5_pointer ptr; - krb5_db_entry *entry; - int kadm; + krb5_pointer ptr; + krb5_db_entry *entry; + int kadm; { - krb5_error_code retval; - struct dump_args *arg; - char *name; - int tmp_nnames; - - /* Initialize */ - arg = (struct dump_args *) ptr; - name = (char *) NULL; - - /* - * Flatten the principal name. - */ - if ((retval = krb5_unparse_name(arg->kcontext, - entry->princ, - &name))) { - fprintf(stderr, pname_unp_err, - arg->programname, error_message(retval)); - return(retval); - } - /* - * If we don't have any match strings, or if our name matches, then - * proceed with the dump, otherwise, just forget about it. - */ - if (!arg->nnames || name_matches(name, arg)) { - fprintf(arg->ofile, "princ\t"); - - /* save the callee from matching the name again */ - tmp_nnames = arg->nnames; - arg->nnames = 0; - retval = dump_k5beta6_iterator_ext(ptr, entry, kadm); - arg->nnames = tmp_nnames; - } - - free(name); - return retval; + krb5_error_code retval; + struct dump_args *arg; + char *name; + int tmp_nnames; + + /* Initialize */ + arg = (struct dump_args *) ptr; + name = (char *) NULL; + + /* + * Flatten the principal name. + */ + if ((retval = krb5_unparse_name(arg->kcontext, + entry->princ, + &name))) { + fprintf(stderr, pname_unp_err, + arg->programname, error_message(retval)); + return(retval); + } + /* + * If we don't have any match strings, or if our name matches, then + * proceed with the dump, otherwise, just forget about it. + */ + if (!arg->nnames || name_matches(name, arg)) { + fprintf(arg->ofile, "princ\t"); + + /* save the callee from matching the name again */ + tmp_nnames = arg->nnames; + arg->nnames = 0; + retval = dump_k5beta6_iterator_ext(ptr, entry, kadm); + arg->nnames = tmp_nnames; + } + + free(name); + return retval; } static krb5_error_code dump_k5beta7_princ_withpolicy(ptr, entry) - krb5_pointer ptr; - krb5_db_entry *entry; + krb5_pointer ptr; + krb5_db_entry *entry; { return dump_k5beta7_princ_ext(ptr, entry, 1); } void dump_k5beta7_policy(void *data, osa_policy_ent_t entry) { - struct dump_args *arg; + struct dump_args *arg; - arg = (struct dump_args *) data; - fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name, - entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, - entry->pw_min_classes, entry->pw_history_num, - entry->policy_refcnt); + arg = (struct dump_args *) data; + fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name, + entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, + entry->pw_min_classes, entry->pw_history_num, + entry->policy_refcnt); } void dump_r1_8_policy(void *data, osa_policy_ent_t entry) { - struct dump_args *arg; - - arg = (struct dump_args *) data; - fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n", - entry->name, - entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, - entry->pw_min_classes, entry->pw_history_num, - entry->policy_refcnt, entry->pw_max_fail, - entry->pw_failcnt_interval, entry->pw_lockout_duration); + struct dump_args *arg; + + arg = (struct dump_args *) data; + fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n", + entry->name, + entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, + entry->pw_min_classes, entry->pw_history_num, + entry->policy_refcnt, entry->pw_max_fail, + entry->pw_failcnt_interval, entry->pw_lockout_duration); } static void print_key_data(FILE *f, krb5_key_data *key_data) { - int c; - - fprintf(f, "%d\t%d\t", key_data->key_data_type[0], - key_data->key_data_length[0]); - for(c = 0; c < key_data->key_data_length[0]; c++) - fprintf(f, "%02x ", - key_data->key_data_contents[0][c]); + int c; + + fprintf(f, "%d\t%d\t", key_data->key_data_type[0], + key_data->key_data_length[0]); + for(c = 0; c < key_data->key_data_length[0]; c++) + fprintf(f, "%02x ", + key_data->key_data_contents[0][c]); } /* * Function: print_princ - * + * * Purpose: output osa_adb_princ_ent data in a human - * readable format (which is a format suitable for - * ovsec_adm_import consumption) + * readable format (which is a format suitable for + * ovsec_adm_import consumption) * * Arguments: - * data (input) pointer to a structure containing a FILE * - * and a record counter. - * entry (input) entry to get dumped. - * void + * data (input) pointer to a structure containing a FILE * + * and a record counter. + * entry (input) entry to get dumped. + * void * * Requires: - * nuttin - * + * nuttin + * * Effects: - * writes data to the specified file pointerp. + * writes data to the specified file pointerp. * * Modifies: - * nuttin - * + * nuttin + * */ static krb5_error_code dump_ov_princ(krb5_pointer ptr, krb5_db_entry *kdb) { char *princstr; unsigned int x; - int y, foundcrc; + int y, foundcrc; struct dump_args *arg; krb5_tl_data tl_data; osa_princ_ent_rec adb; @@ -1026,49 +1027,49 @@ static krb5_error_code dump_ov_princ(krb5_pointer ptr, krb5_db_entry *kdb) */ tl_data.tl_data_type = KRB5_TL_KADM_DATA; if (krb5_dbe_lookup_tl_data(arg->kcontext, kdb, &tl_data) - || (tl_data.tl_data_length == 0)) - return 0; + || (tl_data.tl_data_length == 0)) + return 0; memset(&adb, 0, sizeof(adb)); xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents, - tl_data.tl_data_length, XDR_DECODE); + tl_data.tl_data_length, XDR_DECODE); if (! xdr_osa_princ_ent_rec(&xdrs, &adb)) { - xdr_destroy(&xdrs); - return(KADM5_XDR_FAILURE); + xdr_destroy(&xdrs); + return(KADM5_XDR_FAILURE); } xdr_destroy(&xdrs); - + krb5_unparse_name(arg->kcontext, kdb->princ, &princstr); fprintf(arg->ofile, "princ\t%s\t", princstr); if(adb.policy == NULL) - fputc('\t', arg->ofile); + fputc('\t', arg->ofile); else - fprintf(arg->ofile, "%s\t", adb.policy); + fprintf(arg->ofile, "%s\t", adb.policy); fprintf(arg->ofile, "%lx\t%d\t%d\t%d", adb.aux_attributes, - adb.old_key_len,adb.old_key_next, adb.admin_history_kvno); + adb.old_key_len,adb.old_key_next, adb.admin_history_kvno); for (x = 0; x < adb.old_key_len; x++) { - foundcrc = 0; - for (y = 0; y < adb.old_keys[x].n_key_data; y++) { - krb5_key_data *key_data = &adb.old_keys[x].key_data[y]; - - if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC) - continue; - if (foundcrc) { - fprintf(stderr, "Warning! Multiple DES-CBC-CRC keys " - "for principal %s; skipping duplicates.\n", - princstr); - continue; - } - foundcrc++; - - fputc('\t', arg->ofile); - print_key_data(arg->ofile, key_data); - } - if (!foundcrc) - fprintf(stderr, "Warning! No DES-CBC-CRC key for principal " - "%s, cannot generate OV-compatible record; skipping\n", - princstr); + foundcrc = 0; + for (y = 0; y < adb.old_keys[x].n_key_data; y++) { + krb5_key_data *key_data = &adb.old_keys[x].key_data[y]; + + if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC) + continue; + if (foundcrc) { + fprintf(stderr, "Warning! Multiple DES-CBC-CRC keys " + "for principal %s; skipping duplicates.\n", + princstr); + continue; + } + foundcrc++; + + fputc('\t', arg->ofile); + print_key_data(arg->ofile, key_data); + } + if (!foundcrc) + fprintf(stderr, "Warning! No DES-CBC-CRC key for principal " + "%s, cannot generate OV-compatible record; skipping\n", + princstr); } fputc('\n', arg->ofile); @@ -1078,27 +1079,27 @@ static krb5_error_code dump_ov_princ(krb5_pointer ptr, krb5_db_entry *kdb) /* * usage is: - * dump_db [-old] [-b6] [-b7] [-ov] [-r13] [-verbose] [-mkey_convert] - * [-new_mkey_file mkey_file] [-rev] [-recurse] - * [filename [principals...]] + * dump_db [-old] [-b6] [-b7] [-ov] [-r13] [-verbose] [-mkey_convert] + * [-new_mkey_file mkey_file] [-rev] [-recurse] + * [filename [principals...]] */ void dump_db(argc, argv) - int argc; - char **argv; + int argc; + char **argv; { - FILE *f; - struct dump_args arglist; - char *ofile; - krb5_error_code kret, retval; - dump_version *dump; - int aindex; - krb5_boolean locked; - char *new_mkey_file = 0; - bool_t dump_sno = FALSE; - kdb_log_context *log_ctx; - char **db_args = 0; /* XXX */ - unsigned int ipropx_version = IPROPX_VERSION_0; + FILE *f; + struct dump_args arglist; + char *ofile; + krb5_error_code kret, retval; + dump_version *dump; + int aindex; + krb5_boolean locked; + char *new_mkey_file = 0; + bool_t dump_sno = FALSE; + kdb_log_context *log_ctx; + char **db_args = 0; /* XXX */ + unsigned int ipropx_version = IPROPX_VERSION_0; /* * Parse the arguments. @@ -1116,62 +1117,62 @@ dump_db(argc, argv) * Parse the qualifiers. */ for (aindex = 1; aindex < argc; aindex++) { - if (!strcmp(argv[aindex], oldoption)) - dump = &old_version; - else if (!strcmp(argv[aindex], b6option)) - dump = &beta6_version; - else if (!strcmp(argv[aindex], b7option)) - dump = &beta7_version; - else if (!strcmp(argv[aindex], ovoption)) - dump = &ov_version; - else if (!strcmp(argv[aindex], r13option)) - dump = &r1_3_version; - else if (!strncmp(argv[aindex], ipropoption, sizeof(ipropoption) - 1)) { - if (log_ctx && log_ctx->iproprole) { - /* Note: ipropx_version is the maximum version acceptable */ - ipropx_version = atoi(argv[aindex] + sizeof(ipropoption) - 1); - dump = ipropx_version ? &ipropx_1_version : &iprop_version; - /* - * dump_sno is used to indicate if the serial - * # should be populated in the output - * file to be used later by iprop for updating - * the slave's update log when loading - */ - dump_sno = TRUE; - /* - * FLAG_OMIT_NRA is set to indicate that non-replicated - * attributes should be omitted. - */ - arglist.flags |= FLAG_OMIT_NRA; - } else { - fprintf(stderr, _("Iprop not enabled\n")); - exit_status++; - return; - } - } else if (!strcmp(argv[aindex], verboseoption)) - arglist.flags |= FLAG_VERBOSE; - else if (!strcmp(argv[aindex], "-mkey_convert")) - mkey_convert = 1; - else if (!strcmp(argv[aindex], "-new_mkey_file")) { - new_mkey_file = argv[++aindex]; - mkey_convert = 1; + if (!strcmp(argv[aindex], oldoption)) + dump = &old_version; + else if (!strcmp(argv[aindex], b6option)) + dump = &beta6_version; + else if (!strcmp(argv[aindex], b7option)) + dump = &beta7_version; + else if (!strcmp(argv[aindex], ovoption)) + dump = &ov_version; + else if (!strcmp(argv[aindex], r13option)) + dump = &r1_3_version; + else if (!strncmp(argv[aindex], ipropoption, sizeof(ipropoption) - 1)) { + if (log_ctx && log_ctx->iproprole) { + /* Note: ipropx_version is the maximum version acceptable */ + ipropx_version = atoi(argv[aindex] + sizeof(ipropoption) - 1); + dump = ipropx_version ? &ipropx_1_version : &iprop_version; + /* + * dump_sno is used to indicate if the serial + * # should be populated in the output + * file to be used later by iprop for updating + * the slave's update log when loading + */ + dump_sno = TRUE; + /* + * FLAG_OMIT_NRA is set to indicate that non-replicated + * attributes should be omitted. + */ + arglist.flags |= FLAG_OMIT_NRA; + } else { + fprintf(stderr, _("Iprop not enabled\n")); + exit_status++; + return; + } + } else if (!strcmp(argv[aindex], verboseoption)) + arglist.flags |= FLAG_VERBOSE; + else if (!strcmp(argv[aindex], "-mkey_convert")) + mkey_convert = 1; + else if (!strcmp(argv[aindex], "-new_mkey_file")) { + new_mkey_file = argv[++aindex]; + mkey_convert = 1; } else if (!strcmp(argv[aindex], "-rev")) - backwards = 1; - else if (!strcmp(argv[aindex], "-recurse")) - recursive = 1; - else - break; + backwards = 1; + else if (!strcmp(argv[aindex], "-recurse")) + recursive = 1; + else + break; } arglist.names = (char **) NULL; arglist.nnames = 0; if (aindex < argc) { - ofile = argv[aindex]; - aindex++; - if (aindex < argc) { - arglist.names = &argv[aindex]; - arglist.nnames = argc - aindex; - } + ofile = argv[aindex]; + aindex++; + if (aindex < argc) { + arglist.names = &argv[aindex]; + arglist.nnames = argc - aindex; + } } /* @@ -1179,183 +1180,183 @@ dump_db(argc, argv) * to be opened if we try a dump that uses it. */ if (!dbactive) { - com_err(progname, 0, Err_no_database); - exit_status++; - return; + com_err(progname, 0, Err_no_database); + exit_status++; + return; } /* * If we're doing a master key conversion, set up for it. */ if (mkey_convert) { - if (!valid_master_key) { - /* TRUE here means read the keyboard, but only once */ - retval = krb5_db_fetch_mkey(util_context, - master_princ, - master_keyblock.enctype, - TRUE, FALSE, - (char *) NULL, - NULL, NULL, - &master_keyblock); - if (retval) { - com_err(progname, retval, - "while reading master key"); - exit(1); - } - retval = krb5_db_verify_master_key(util_context, - master_princ, - IGNORE_VNO, - &master_keyblock); - if (retval) { - com_err(progname, retval, - "while verifying master key"); - exit(1); - } - } - new_master_keyblock.enctype = global_params.enctype; - if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN) - new_master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; - - if (new_mkey_file) { - krb5_kvno kt_kvno; - - if (global_params.mask & KADM5_CONFIG_KVNO) - kt_kvno = global_params.kvno; - else - kt_kvno = IGNORE_VNO; - - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, - new_master_keyblock.enctype, - FALSE, - FALSE, - new_mkey_file, - &kt_kvno, - NULL, - &new_master_keyblock))) { - com_err(progname, retval, "while reading new master key"); - exit(1); - } - } else { - printf("Please enter new master key....\n"); - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, - new_master_keyblock.enctype, - TRUE, - TRUE, - NULL, NULL, NULL, - &new_master_keyblock))) { - com_err(progname, retval, "while reading new master key"); - exit(1); - } - } - /* - * get new master key vno that will be used to protect princs, used - * later on. - */ - new_mkvno = get_next_kvno(util_context, &master_entry); + if (!valid_master_key) { + /* TRUE here means read the keyboard, but only once */ + retval = krb5_db_fetch_mkey(util_context, + master_princ, + master_keyblock.enctype, + TRUE, FALSE, + (char *) NULL, + NULL, NULL, + &master_keyblock); + if (retval) { + com_err(progname, retval, + "while reading master key"); + exit(1); + } + retval = krb5_db_verify_master_key(util_context, + master_princ, + IGNORE_VNO, + &master_keyblock); + if (retval) { + com_err(progname, retval, + "while verifying master key"); + exit(1); + } + } + new_master_keyblock.enctype = global_params.enctype; + if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN) + new_master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; + + if (new_mkey_file) { + krb5_kvno kt_kvno; + + if (global_params.mask & KADM5_CONFIG_KVNO) + kt_kvno = global_params.kvno; + else + kt_kvno = IGNORE_VNO; + + if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + new_master_keyblock.enctype, + FALSE, + FALSE, + new_mkey_file, + &kt_kvno, + NULL, + &new_master_keyblock))) { + com_err(progname, retval, "while reading new master key"); + exit(1); + } + } else { + printf("Please enter new master key....\n"); + if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + new_master_keyblock.enctype, + TRUE, + TRUE, + NULL, NULL, NULL, + &new_master_keyblock))) { + com_err(progname, retval, "while reading new master key"); + exit(1); + } + } + /* + * get new master key vno that will be used to protect princs, used + * later on. + */ + new_mkvno = get_next_kvno(util_context, &master_entry); } kret = 0; locked = 0; if (ofile && strcmp(ofile, "-")) { - /* - * Discourage accidental dumping to filenames beginning with '-'. - */ - if (ofile[0] == '-') - usage(); - /* - * Make sure that we don't open and truncate on the fopen, - * since that may hose an on-going kprop process. - * - * We could also control this by opening for read and - * write, doing an flock with LOCK_EX, and then - * truncating the file once we have gotten the lock, - * but that would involve more OS dependencies than I - * want to get into. - */ - unlink(ofile); - if (!(f = fopen(ofile, "w"))) { - fprintf(stderr, ofopen_error, - progname, ofile, error_message(errno)); - exit_status++; - return; - } - if ((kret = krb5_lock_file(util_context, - fileno(f), - KRB5_LOCKMODE_EXCLUSIVE))) { - fprintf(stderr, oflock_error, - progname, ofile, error_message(kret)); - exit_status++; - } - else - locked = 1; + /* + * Discourage accidental dumping to filenames beginning with '-'. + */ + if (ofile[0] == '-') + usage(); + /* + * Make sure that we don't open and truncate on the fopen, + * since that may hose an on-going kprop process. + * + * We could also control this by opening for read and + * write, doing an flock with LOCK_EX, and then + * truncating the file once we have gotten the lock, + * but that would involve more OS dependencies than I + * want to get into. + */ + unlink(ofile); + if (!(f = fopen(ofile, "w"))) { + fprintf(stderr, ofopen_error, + progname, ofile, error_message(errno)); + exit_status++; + return; + } + if ((kret = krb5_lock_file(util_context, + fileno(f), + KRB5_LOCKMODE_EXCLUSIVE))) { + fprintf(stderr, oflock_error, + progname, ofile, error_message(kret)); + exit_status++; + } + else + locked = 1; } else { - f = stdout; + f = stdout; } if (f && !(kret)) { - arglist.programname = progname; - arglist.ofile = f; - arglist.kcontext = util_context; - fprintf(arglist.ofile, "%s", dump->header); - - if (dump_sno) { - if (ulog_map(util_context, global_params.iprop_logfile, - global_params.iprop_ulogsize, FKCOMMAND, db_args)) { - fprintf(stderr, - _("%s: Could not map log\n"), progname); - exit_status++; - goto unlock_and_return; - } - - /* - * We grab the lock twice (once again in the iterator call), - * but that's ok since the lock func handles incr locks held. - */ - if (krb5_db_lock(util_context, KRB5_LOCKMODE_SHARED)) { - fprintf(stderr, - _("%s: Couldn't grab lock\n"), progname); - exit_status++; - goto unlock_and_return; - } - - if (ipropx_version) - fprintf(f, " %u", IPROPX_VERSION); - fprintf(f, " %u", log_ctx->ulog->kdb_last_sno); - fprintf(f, " %u", log_ctx->ulog->kdb_last_time.seconds); - fprintf(f, " %u", log_ctx->ulog->kdb_last_time.useconds); - } - - if (dump->header[strlen(dump->header)-1] != '\n') - fputc('\n', arglist.ofile); - - if ((kret = krb5_db_iterate(util_context, - NULL, - dump->dump_princ, - (krb5_pointer) &arglist))) { /* TBD: backwards and recursive not supported */ - fprintf(stderr, dumprec_err, - progname, dump->name, error_message(kret)); - exit_status++; - if (dump_sno) - (void) krb5_db_unlock(util_context); - } - if (dump->dump_policy && - (kret = krb5_db_iter_policy( util_context, "*", dump->dump_policy, - &arglist))) { - fprintf(stderr, dumprec_err, progname, dump->name, - error_message(kret)); - exit_status++; - } - if (ofile && f != stdout && !exit_status) { - if (locked) { - (void) krb5_lock_file(util_context, fileno(f), KRB5_LOCKMODE_UNLOCK); - locked = 0; - } - fclose(f); - update_ok_file(ofile); - } + arglist.programname = progname; + arglist.ofile = f; + arglist.kcontext = util_context; + fprintf(arglist.ofile, "%s", dump->header); + + if (dump_sno) { + if (ulog_map(util_context, global_params.iprop_logfile, + global_params.iprop_ulogsize, FKCOMMAND, db_args)) { + fprintf(stderr, + _("%s: Could not map log\n"), progname); + exit_status++; + goto unlock_and_return; + } + + /* + * We grab the lock twice (once again in the iterator call), + * but that's ok since the lock func handles incr locks held. + */ + if (krb5_db_lock(util_context, KRB5_LOCKMODE_SHARED)) { + fprintf(stderr, + _("%s: Couldn't grab lock\n"), progname); + exit_status++; + goto unlock_and_return; + } + + if (ipropx_version) + fprintf(f, " %u", IPROPX_VERSION); + fprintf(f, " %u", log_ctx->ulog->kdb_last_sno); + fprintf(f, " %u", log_ctx->ulog->kdb_last_time.seconds); + fprintf(f, " %u", log_ctx->ulog->kdb_last_time.useconds); + } + + if (dump->header[strlen(dump->header)-1] != '\n') + fputc('\n', arglist.ofile); + + if ((kret = krb5_db_iterate(util_context, + NULL, + dump->dump_princ, + (krb5_pointer) &arglist))) { /* TBD: backwards and recursive not supported */ + fprintf(stderr, dumprec_err, + progname, dump->name, error_message(kret)); + exit_status++; + if (dump_sno) + (void) krb5_db_unlock(util_context); + } + if (dump->dump_policy && + (kret = krb5_db_iter_policy( util_context, "*", dump->dump_policy, + &arglist))) { + fprintf(stderr, dumprec_err, progname, dump->name, + error_message(kret)); + exit_status++; + } + if (ofile && f != stdout && !exit_status) { + if (locked) { + (void) krb5_lock_file(util_context, fileno(f), KRB5_LOCKMODE_UNLOCK); + locked = 0; + } + fclose(f); + update_ok_file(ofile); + } } unlock_and_return: if (locked) - (void) krb5_lock_file(util_context, fileno(f), KRB5_LOCKMODE_UNLOCK); + (void) krb5_lock_file(util_context, fileno(f), KRB5_LOCKMODE_UNLOCK); } /* @@ -1363,24 +1364,24 @@ unlock_and_return: */ static int read_string(f, buf, len, lp) - FILE *f; - char *buf; - int len; - int *lp; + FILE *f; + char *buf; + int len; + int *lp; { int c; int i, retval; retval = 0; for (i=0; itl_data; - (pwchg) && (pwchg->tl_data_type != KRB5_TL_LAST_PWD_CHANGE); - pwchg = pwchg->tl_data_next); - - /* Check to see if we found one. */ - linked = 0; - if (!pwchg) { - /* No, allocate a new one */ - if ((pwchg = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) { - memset(pwchg, 0, sizeof(krb5_tl_data)); - if (!(pwchg->tl_data_contents = - (krb5_octet *) malloc(sizeof(krb5_timestamp)))) { - free(pwchg); - pwchg = (krb5_tl_data *) NULL; - } - else { - pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE; - pwchg->tl_data_length = - (krb5_int16) sizeof(krb5_timestamp); - } - } - } - else - linked = 1; - - /* Do we have an entry? */ - if (pwchg && pwchg->tl_data_contents) { - /* Encode it */ - krb5_kdb_encode_int32(last_pwd_change, pwchg->tl_data_contents); - /* Link it in if necessary */ - if (!linked) { - pwchg->tl_data_next = dbentp->tl_data; - dbentp->tl_data = pwchg; - dbentp->n_tl_data++; - } - } - else - kret = ENOMEM; + krb5_tl_data *pwchg; + krb5_boolean linked; + + /* Find a previously existing entry */ + for (pwchg = dbentp->tl_data; + (pwchg) && (pwchg->tl_data_type != KRB5_TL_LAST_PWD_CHANGE); + pwchg = pwchg->tl_data_next); + + /* Check to see if we found one. */ + linked = 0; + if (!pwchg) { + /* No, allocate a new one */ + if ((pwchg = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) { + memset(pwchg, 0, sizeof(krb5_tl_data)); + if (!(pwchg->tl_data_contents = + (krb5_octet *) malloc(sizeof(krb5_timestamp)))) { + free(pwchg); + pwchg = (krb5_tl_data *) NULL; + } + else { + pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE; + pwchg->tl_data_length = + (krb5_int16) sizeof(krb5_timestamp); + } + } + } + else + linked = 1; + + /* Do we have an entry? */ + if (pwchg && pwchg->tl_data_contents) { + /* Encode it */ + krb5_kdb_encode_int32(last_pwd_change, pwchg->tl_data_contents); + /* Link it in if necessary */ + if (!linked) { + pwchg->tl_data_next = dbentp->tl_data; + dbentp->tl_data = pwchg; + dbentp->n_tl_data++; + } + } + else + kret = ENOMEM; } return(kret); @@ -1518,33 +1519,33 @@ update_tl_data(kcontext, dbentp, mod_name, mod_date, last_pwd_change) #endif /* - * process_k5beta_record() - Handle a dump record in old format. + * process_k5beta_record() - Handle a dump record in old format. * * Returns -1 for end of file, 0 for success and 1 for failure. */ static int process_k5beta_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int flags; + int *linenop; { - int nmatched; - int retval; - krb5_db_entry dbent; - int name_len, mod_name_len, key_len; - int alt_key_len, salt_len, alt_salt_len; - char *name; - char *mod_name; - int tmpint1, tmpint2, tmpint3; - int error; - const char *try2read; - int i; - krb5_key_data *pkey, *akey; - krb5_timestamp last_pwd_change, mod_date; - krb5_principal mod_princ; - krb5_error_code kret; + int nmatched; + int retval; + krb5_db_entry dbent; + int name_len, mod_name_len, key_len; + int alt_key_len, salt_len, alt_salt_len; + char *name; + char *mod_name; + int tmpint1, tmpint2, tmpint3; + int error; + const char *try2read; + int i; + krb5_key_data *pkey, *akey; + krb5_timestamp last_pwd_change, mod_date; + krb5_principal mod_princ; + krb5_error_code kret; try2read = (char *) NULL; (*linenop)++; @@ -1553,9 +1554,9 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) /* Make sure we've got key_data entries */ if (krb5_dbe_create_key_data(kcontext, &dbent) || - krb5_dbe_create_key_data(kcontext, &dbent)) { - krb5_db_free_principal(kcontext, &dbent, 1); - return(1); + krb5_dbe_create_key_data(kcontext, &dbent)) { + krb5_db_free_principal(kcontext, &dbent, 1); + return(1); } pkey = &dbent.key_data[0]; akey = &dbent.key_data[1]; @@ -1564,290 +1565,290 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) * Match the sizes. 6 tokens to match. */ nmatched = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t", - &name_len, &mod_name_len, &key_len, - &alt_key_len, &salt_len, &alt_salt_len); + &name_len, &mod_name_len, &key_len, + &alt_key_len, &salt_len, &alt_salt_len); if (nmatched == 6) { pkey->key_data_length[0] = key_len; - akey->key_data_length[0] = alt_key_len; - pkey->key_data_length[1] = salt_len; - akey->key_data_length[1] = alt_salt_len; - name = (char *) NULL; - mod_name = (char *) NULL; - /* - * Get the memory for the variable length fields. - */ - if ((name = (char *) malloc((size_t) (name_len + 1))) && - (mod_name = (char *) malloc((size_t) (mod_name_len + 1))) && - (!key_len || - (pkey->key_data_contents[0] = - (krb5_octet *) malloc((size_t) (key_len + 1)))) && - (!alt_key_len || - (akey->key_data_contents[0] = - (krb5_octet *) malloc((size_t) (alt_key_len + 1)))) && - (!salt_len || - (pkey->key_data_contents[1] = - (krb5_octet *) malloc((size_t) (salt_len + 1)))) && - (!alt_salt_len || - (akey->key_data_contents[1] = - (krb5_octet *) malloc((size_t) (alt_salt_len + 1)))) - ) { - error = 0; - - /* Read the principal name */ - if (read_string(filep, name, name_len, linenop)) { - try2read = read_name_string; - error++; - } - /* Read the key type */ - if (!error && (fscanf(filep, "\t%d\t", &tmpint1) != 1)) { - try2read = read_key_type; - error++; - } - pkey->key_data_type[0] = tmpint1; - /* Read the old format key */ - if (!error && read_octet_string(filep, - pkey->key_data_contents[0], - pkey->key_data_length[0])) { - try2read = read_key_data; - error++; - } - /* convert to a new format key */ - /* the encrypted version is stored as the unencrypted key length - (4 bytes, MSB first) followed by the encrypted key. */ - if ((pkey->key_data_length[0] > 4) - && (pkey->key_data_contents[0][0] == 0) - && (pkey->key_data_contents[0][1] == 0)) { - /* this really does look like an old key, so drop and swap */ - /* the *new* length is 2 bytes, LSB first, sigh. */ - size_t shortlen = pkey->key_data_length[0]-4+2; - krb5_octet *shortcopy = (krb5_octet *) malloc(shortlen); - krb5_octet *origdata = pkey->key_data_contents[0]; - shortcopy[0] = origdata[3]; - shortcopy[1] = origdata[2]; - memcpy(shortcopy+2,origdata+4,shortlen-2); - free(origdata); - pkey->key_data_length[0] = shortlen; - pkey->key_data_contents[0] = shortcopy; - } - - /* Read principal attributes */ - if (!error && (fscanf(filep, - "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t", - &tmpint1, &dbent.max_life, - &dbent.max_renewable_life, - &tmpint2, &dbent.expiration, - &dbent.pw_expiration, &last_pwd_change, - &dbent.last_success, &dbent.last_failed, - &tmpint3) != 10)) { - try2read = read_pr_data1; - error++; - } - pkey->key_data_kvno = tmpint1; - dbent.fail_auth_count = tmpint3; - /* Read modifier name */ - if (!error && read_string(filep, - mod_name, - mod_name_len, - linenop)) { - try2read = read_mod_name; - error++; - } - /* Read second set of attributes */ - if (!error && (fscanf(filep, "\t%u\t%u\t%u\t", - &mod_date, &dbent.attributes, - &tmpint1) != 3)) { - try2read = read_pr_data2; - error++; - } - pkey->key_data_type[1] = tmpint1; - /* Read salt data */ - if (!error && read_octet_string(filep, - pkey->key_data_contents[1], - pkey->key_data_length[1])) { - try2read = read_salt_data; - error++; - } - /* Read alternate key type */ - if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) { - try2read = read_akey_type; - error++; - } - akey->key_data_type[0] = tmpint1; - /* Read alternate key */ - if (!error && read_octet_string(filep, - akey->key_data_contents[0], - akey->key_data_length[0])) { - try2read = read_akey_data; - error++; - } - - /* convert to a new format key */ - /* the encrypted version is stored as the unencrypted key length - (4 bytes, MSB first) followed by the encrypted key. */ - if ((akey->key_data_length[0] > 4) - && (akey->key_data_contents[0][0] == 0) - && (akey->key_data_contents[0][1] == 0)) { - /* this really does look like an old key, so drop and swap */ - /* the *new* length is 2 bytes, LSB first, sigh. */ - size_t shortlen = akey->key_data_length[0]-4+2; - krb5_octet *shortcopy = (krb5_octet *) malloc(shortlen); - krb5_octet *origdata = akey->key_data_contents[0]; - shortcopy[0] = origdata[3]; - shortcopy[1] = origdata[2]; - memcpy(shortcopy+2,origdata+4,shortlen-2); - free(origdata); - akey->key_data_length[0] = shortlen; - akey->key_data_contents[0] = shortcopy; - } - - /* Read alternate salt type */ - if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) { - try2read = read_asalt_type; - error++; - } - akey->key_data_type[1] = tmpint1; - /* Read alternate salt data */ - if (!error && read_octet_string(filep, - akey->key_data_contents[1], - akey->key_data_length[1])) { - try2read = read_asalt_data; - error++; - } - /* Read expansion data - discard it */ - if (!error) { - for (i=0; i<8; i++) { - if (fscanf(filep, "\t%u", &tmpint1) != 1) { - try2read = read_exp_data; - error++; - break; - } - } - if (!error) - find_record_end(filep, fname, *linenop); - } - - /* - * If no error, then we're done reading. Now parse the names - * and store the database dbent. - */ - if (!error) { - if (!(kret = krb5_parse_name(kcontext, - name, - &dbent.princ))) { - if (!(kret = krb5_parse_name(kcontext, - mod_name, - &mod_princ))) { - if (!(kret = - krb5_dbe_update_mod_princ_data(kcontext, - &dbent, - mod_date, - mod_princ)) && - !(kret = - krb5_dbe_update_last_pwd_change(kcontext, - &dbent, - last_pwd_change))) { - int one = 1; - - dbent.len = KRB5_KDB_V1_BASE_LENGTH; - pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ? - 2 : 1; - akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ? - 2 : 1; - if ((pkey->key_data_type[0] == - akey->key_data_type[0]) && - (pkey->key_data_type[1] == - akey->key_data_type[1])) - dbent.n_key_data--; - else if ((akey->key_data_type[0] == 0) - && (akey->key_data_length[0] == 0) - && (akey->key_data_type[1] == 0) - && (akey->key_data_length[1] == 0)) - dbent.n_key_data--; - - dbent.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | - KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_KEY_DATA | - KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | - KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT; - - if ((kret = krb5_db_put_principal(kcontext, - &dbent, - &one)) || - (one != 1)) { - fprintf(stderr, store_err_fmt, - fname, *linenop, name, - error_message(kret)); - error++; - } - else { - if (flags & FLAG_VERBOSE) - fprintf(stderr, add_princ_fmt, name); - retval = 0; - } - dbent.n_key_data = 2; - } - krb5_free_principal(kcontext, mod_princ); - } - else { - fprintf(stderr, parse_err_fmt, - fname, *linenop, mod_name, - error_message(kret)); - error++; - } - } - else { - fprintf(stderr, parse_err_fmt, - fname, *linenop, name, error_message(kret)); - error++; - } - } - else { - fprintf(stderr, read_err_fmt, fname, *linenop, try2read); - } - } - else { - fprintf(stderr, no_mem_fmt, fname, *linenop); - } - - krb5_db_free_principal(kcontext, &dbent, 1); - if (mod_name) - free(mod_name); - if (name) - free(name); + akey->key_data_length[0] = alt_key_len; + pkey->key_data_length[1] = salt_len; + akey->key_data_length[1] = alt_salt_len; + name = (char *) NULL; + mod_name = (char *) NULL; + /* + * Get the memory for the variable length fields. + */ + if ((name = (char *) malloc((size_t) (name_len + 1))) && + (mod_name = (char *) malloc((size_t) (mod_name_len + 1))) && + (!key_len || + (pkey->key_data_contents[0] = + (krb5_octet *) malloc((size_t) (key_len + 1)))) && + (!alt_key_len || + (akey->key_data_contents[0] = + (krb5_octet *) malloc((size_t) (alt_key_len + 1)))) && + (!salt_len || + (pkey->key_data_contents[1] = + (krb5_octet *) malloc((size_t) (salt_len + 1)))) && + (!alt_salt_len || + (akey->key_data_contents[1] = + (krb5_octet *) malloc((size_t) (alt_salt_len + 1)))) + ) { + error = 0; + + /* Read the principal name */ + if (read_string(filep, name, name_len, linenop)) { + try2read = read_name_string; + error++; + } + /* Read the key type */ + if (!error && (fscanf(filep, "\t%d\t", &tmpint1) != 1)) { + try2read = read_key_type; + error++; + } + pkey->key_data_type[0] = tmpint1; + /* Read the old format key */ + if (!error && read_octet_string(filep, + pkey->key_data_contents[0], + pkey->key_data_length[0])) { + try2read = read_key_data; + error++; + } + /* convert to a new format key */ + /* the encrypted version is stored as the unencrypted key length + (4 bytes, MSB first) followed by the encrypted key. */ + if ((pkey->key_data_length[0] > 4) + && (pkey->key_data_contents[0][0] == 0) + && (pkey->key_data_contents[0][1] == 0)) { + /* this really does look like an old key, so drop and swap */ + /* the *new* length is 2 bytes, LSB first, sigh. */ + size_t shortlen = pkey->key_data_length[0]-4+2; + krb5_octet *shortcopy = (krb5_octet *) malloc(shortlen); + krb5_octet *origdata = pkey->key_data_contents[0]; + shortcopy[0] = origdata[3]; + shortcopy[1] = origdata[2]; + memcpy(shortcopy+2,origdata+4,shortlen-2); + free(origdata); + pkey->key_data_length[0] = shortlen; + pkey->key_data_contents[0] = shortcopy; + } + + /* Read principal attributes */ + if (!error && (fscanf(filep, + "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t", + &tmpint1, &dbent.max_life, + &dbent.max_renewable_life, + &tmpint2, &dbent.expiration, + &dbent.pw_expiration, &last_pwd_change, + &dbent.last_success, &dbent.last_failed, + &tmpint3) != 10)) { + try2read = read_pr_data1; + error++; + } + pkey->key_data_kvno = tmpint1; + dbent.fail_auth_count = tmpint3; + /* Read modifier name */ + if (!error && read_string(filep, + mod_name, + mod_name_len, + linenop)) { + try2read = read_mod_name; + error++; + } + /* Read second set of attributes */ + if (!error && (fscanf(filep, "\t%u\t%u\t%u\t", + &mod_date, &dbent.attributes, + &tmpint1) != 3)) { + try2read = read_pr_data2; + error++; + } + pkey->key_data_type[1] = tmpint1; + /* Read salt data */ + if (!error && read_octet_string(filep, + pkey->key_data_contents[1], + pkey->key_data_length[1])) { + try2read = read_salt_data; + error++; + } + /* Read alternate key type */ + if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) { + try2read = read_akey_type; + error++; + } + akey->key_data_type[0] = tmpint1; + /* Read alternate key */ + if (!error && read_octet_string(filep, + akey->key_data_contents[0], + akey->key_data_length[0])) { + try2read = read_akey_data; + error++; + } + + /* convert to a new format key */ + /* the encrypted version is stored as the unencrypted key length + (4 bytes, MSB first) followed by the encrypted key. */ + if ((akey->key_data_length[0] > 4) + && (akey->key_data_contents[0][0] == 0) + && (akey->key_data_contents[0][1] == 0)) { + /* this really does look like an old key, so drop and swap */ + /* the *new* length is 2 bytes, LSB first, sigh. */ + size_t shortlen = akey->key_data_length[0]-4+2; + krb5_octet *shortcopy = (krb5_octet *) malloc(shortlen); + krb5_octet *origdata = akey->key_data_contents[0]; + shortcopy[0] = origdata[3]; + shortcopy[1] = origdata[2]; + memcpy(shortcopy+2,origdata+4,shortlen-2); + free(origdata); + akey->key_data_length[0] = shortlen; + akey->key_data_contents[0] = shortcopy; + } + + /* Read alternate salt type */ + if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) { + try2read = read_asalt_type; + error++; + } + akey->key_data_type[1] = tmpint1; + /* Read alternate salt data */ + if (!error && read_octet_string(filep, + akey->key_data_contents[1], + akey->key_data_length[1])) { + try2read = read_asalt_data; + error++; + } + /* Read expansion data - discard it */ + if (!error) { + for (i=0; i<8; i++) { + if (fscanf(filep, "\t%u", &tmpint1) != 1) { + try2read = read_exp_data; + error++; + break; + } + } + if (!error) + find_record_end(filep, fname, *linenop); + } + + /* + * If no error, then we're done reading. Now parse the names + * and store the database dbent. + */ + if (!error) { + if (!(kret = krb5_parse_name(kcontext, + name, + &dbent.princ))) { + if (!(kret = krb5_parse_name(kcontext, + mod_name, + &mod_princ))) { + if (!(kret = + krb5_dbe_update_mod_princ_data(kcontext, + &dbent, + mod_date, + mod_princ)) && + !(kret = + krb5_dbe_update_last_pwd_change(kcontext, + &dbent, + last_pwd_change))) { + int one = 1; + + dbent.len = KRB5_KDB_V1_BASE_LENGTH; + pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ? + 2 : 1; + akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ? + 2 : 1; + if ((pkey->key_data_type[0] == + akey->key_data_type[0]) && + (pkey->key_data_type[1] == + akey->key_data_type[1])) + dbent.n_key_data--; + else if ((akey->key_data_type[0] == 0) + && (akey->key_data_length[0] == 0) + && (akey->key_data_type[1] == 0) + && (akey->key_data_length[1] == 0)) + dbent.n_key_data--; + + dbent.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | + KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_KEY_DATA | + KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | + KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT; + + if ((kret = krb5_db_put_principal(kcontext, + &dbent, + &one)) || + (one != 1)) { + fprintf(stderr, store_err_fmt, + fname, *linenop, name, + error_message(kret)); + error++; + } + else { + if (flags & FLAG_VERBOSE) + fprintf(stderr, add_princ_fmt, name); + retval = 0; + } + dbent.n_key_data = 2; + } + krb5_free_principal(kcontext, mod_princ); + } + else { + fprintf(stderr, parse_err_fmt, + fname, *linenop, mod_name, + error_message(kret)); + error++; + } + } + else { + fprintf(stderr, parse_err_fmt, + fname, *linenop, name, error_message(kret)); + error++; + } + } + else { + fprintf(stderr, read_err_fmt, fname, *linenop, try2read); + } + } + else { + fprintf(stderr, no_mem_fmt, fname, *linenop); + } + + krb5_db_free_principal(kcontext, &dbent, 1); + if (mod_name) + free(mod_name); + if (name) + free(name); } else { - if (nmatched != EOF) - fprintf(stderr, rhead_err_fmt, fname, *linenop); - else - retval = -1; + if (nmatched != EOF) + fprintf(stderr, rhead_err_fmt, fname, *linenop); + else + retval = -1; } return(retval); } /* - * process_k5beta6_record() - Handle a dump record in krb5b6 format. + * process_k5beta6_record() - Handle a dump record in krb5b6 format. * * Returns -1 for end of file, 0 for success and 1 for failure. */ static int process_k5beta6_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int flags; + int *linenop; { - int retval; - krb5_db_entry dbentry; - krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9; - int nread; - int error; - int i, j, one; - char *name; - krb5_key_data *kp, *kdatap; - krb5_tl_data **tlp, *tl; - krb5_octet *op; - krb5_error_code kret; - const char *try2read; + int retval; + krb5_db_entry dbentry; + krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9; + int nread; + int error; + int i, j, one; + char *name; + krb5_key_data *kp, *kdatap; + krb5_tl_data **tlp, *tl; + krb5_octet *op; + krb5_error_code kret; + const char *try2read; try2read = (char *) NULL; memset(&dbentry, 0, sizeof(dbentry)); @@ -1860,269 +1861,269 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) kret = 0; nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t", &t1, &t2, &t3, &t4, &t5); if (nread == 5) { - /* Get memory for flattened principal name */ - if (!(name = (char *) malloc((size_t) t2 + 1))) - error++; - - /* Get memory for and form tagged data linked list */ - tlp = &dbentry.tl_data; - for (i=0; itl_data_next); - dbentry.n_tl_data++; - } - else { - error++; - break; - } - } - - /* Get memory for key list */ - if (t4 && !(kp = (krb5_key_data *) malloc((size_t) - (t4*sizeof(krb5_key_data))))) - error++; - - /* Get memory for extra data */ - if (t5 && !(op = (krb5_octet *) malloc((size_t) t5))) - error++; - - if (!error) { - dbentry.len = t1; - dbentry.n_key_data = t4; - dbentry.e_length = t5; - if (kp) { - memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data))); - dbentry.key_data = kp; - kp = (krb5_key_data *) NULL; - } - if (op) { - memset(op, 0, (size_t) t5); - dbentry.e_data = op; - op = (krb5_octet *) NULL; - } - - /* Read in and parse the principal name */ - if (!read_string(filep, name, t2, linenop) && - !(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) { - - /* Get the fixed principal attributes */ - nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t", - &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9); - if (nread == 8) { - dbentry.attributes = (krb5_flags) t2; - dbentry.max_life = (krb5_deltat) t3; - dbentry.max_renewable_life = (krb5_deltat) t4; - dbentry.expiration = (krb5_timestamp) t5; - dbentry.pw_expiration = (krb5_timestamp) t6; - dbentry.last_success = (krb5_timestamp) t7; - dbentry.last_failed = (krb5_timestamp) t8; - dbentry.fail_auth_count = (krb5_kvno) t9; - dbentry.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | - KADM5_MAX_LIFE | KADM5_MAX_RLIFE | - KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | - KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT; - } else { - try2read = read_nint_data; - error++; - } - - /* - * Get the tagged data. - * - * Really, this code ought to discard tl data types - * that it knows are special to the current version - * and were not supported in the previous version. - * But it's a pain to implement that here, and doing - * it at dump time has almost as good an effect, so - * that's what I did. [krb5-admin/89] - */ - if (!error && dbentry.n_tl_data) { - for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) { - nread = fscanf(filep, "%d\t%d\t", &t1, &t2); - if (nread == 2) { - tl->tl_data_type = (krb5_int16) t1; - tl->tl_data_length = (krb5_int16) t2; - if (tl->tl_data_length) { - if (!(tl->tl_data_contents = - (krb5_octet *) malloc((size_t) t2+1)) || - read_octet_string(filep, - tl->tl_data_contents, - t2)) { - try2read = read_tcontents; - error++; - break; - } - /* test to set mask fields */ - if (t1 == KRB5_TL_KADM_DATA) { - XDR xdrs; - osa_princ_ent_rec osa_princ_ent; - - /* - * Assuming aux_attributes will always be - * there - */ - dbentry.mask |= KADM5_AUX_ATTRIBUTES; - - /* test for an actual policy reference */ - memset(&osa_princ_ent, 0, sizeof(osa_princ_ent)); - xdrmem_create(&xdrs, (char *)tl->tl_data_contents, - tl->tl_data_length, XDR_DECODE); - if (xdr_osa_princ_ent_rec(&xdrs, &osa_princ_ent) && - (osa_princ_ent.aux_attributes & KADM5_POLICY) && - osa_princ_ent.policy != NULL) { - - dbentry.mask |= KADM5_POLICY; - kdb_free_entry(NULL, NULL, &osa_princ_ent); - } - xdr_destroy(&xdrs); - } - } - else { - /* Should be a null field */ - nread = fscanf(filep, "%d", &t9); - if ((nread != 1) || (t9 != -1)) { - error++; - try2read = read_tcontents; - break; - } - } - } - else { - try2read = read_ttypelen; - error++; - break; - } - } - if (!error) - dbentry.mask |= KADM5_TL_DATA; - } - - /* Get the key data */ - if (!error && dbentry.n_key_data) { - for (i=0; !error && (ikey_data_ver = (krb5_int16) t1; - kdatap->key_data_kvno = (krb5_int16) t2; - - for (j=0; jkey_data_type[j] = t3; - kdatap->key_data_length[j] = t4; - if (t4) { - if (!(kdatap->key_data_contents[j] = - (krb5_octet *) - malloc((size_t) t4+1)) || - read_octet_string(filep, - kdatap->key_data_contents[j], - t4)) { - try2read = read_kcontents; - error++; - break; - } - } - else { - /* Should be a null field */ - nread = fscanf(filep, "%d", &t9); - if ((nread != 1) || (t9 != -1)) { - error++; - try2read = read_kcontents; - break; - } - } - } - else { - try2read = read_ktypelen; - error++; - break; - } - } - } - } - if (!error) - dbentry.mask |= KADM5_KEY_DATA; - } - - /* Get the extra data */ - if (!error && dbentry.e_length) { - if (read_octet_string(filep, - dbentry.e_data, - (int) dbentry.e_length)) { - try2read = read_econtents; - error++; - } - } - else { - nread = fscanf(filep, "%d", &t9); - if ((nread != 1) || (t9 != -1)) { - error++; - try2read = read_econtents; - } - } - - /* Finally, find the end of the record. */ - if (!error) - find_record_end(filep, fname, *linenop); - - /* - * We have either read in all the data or choked. - */ - if (!error) { - one = 1; - if ((kret = krb5_db_put_principal(kcontext, - &dbentry, - &one))) { - fprintf(stderr, store_err_fmt, - fname, *linenop, - name, error_message(kret)); - } - else { - if (flags & FLAG_VERBOSE) - fprintf(stderr, add_princ_fmt, name); - retval = 0; - } - } - else { - fprintf(stderr, read_err_fmt, fname, *linenop, try2read); - } - } - else { - if (kret) - fprintf(stderr, parse_err_fmt, - fname, *linenop, name, error_message(kret)); - else - fprintf(stderr, no_mem_fmt, fname, *linenop); - } - } - else { - fprintf(stderr, rhead_err_fmt, fname, *linenop); - } - - if (op) - free(op); - if (kp) - free(kp); - if (name) - free(name); - krb5_db_free_principal(kcontext, &dbentry, 1); + /* Get memory for flattened principal name */ + if (!(name = (char *) malloc((size_t) t2 + 1))) + error++; + + /* Get memory for and form tagged data linked list */ + tlp = &dbentry.tl_data; + for (i=0; itl_data_next); + dbentry.n_tl_data++; + } + else { + error++; + break; + } + } + + /* Get memory for key list */ + if (t4 && !(kp = (krb5_key_data *) malloc((size_t) + (t4*sizeof(krb5_key_data))))) + error++; + + /* Get memory for extra data */ + if (t5 && !(op = (krb5_octet *) malloc((size_t) t5))) + error++; + + if (!error) { + dbentry.len = t1; + dbentry.n_key_data = t4; + dbentry.e_length = t5; + if (kp) { + memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data))); + dbentry.key_data = kp; + kp = (krb5_key_data *) NULL; + } + if (op) { + memset(op, 0, (size_t) t5); + dbentry.e_data = op; + op = (krb5_octet *) NULL; + } + + /* Read in and parse the principal name */ + if (!read_string(filep, name, t2, linenop) && + !(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) { + + /* Get the fixed principal attributes */ + nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t", + &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9); + if (nread == 8) { + dbentry.attributes = (krb5_flags) t2; + dbentry.max_life = (krb5_deltat) t3; + dbentry.max_renewable_life = (krb5_deltat) t4; + dbentry.expiration = (krb5_timestamp) t5; + dbentry.pw_expiration = (krb5_timestamp) t6; + dbentry.last_success = (krb5_timestamp) t7; + dbentry.last_failed = (krb5_timestamp) t8; + dbentry.fail_auth_count = (krb5_kvno) t9; + dbentry.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | + KADM5_MAX_LIFE | KADM5_MAX_RLIFE | + KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | + KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT; + } else { + try2read = read_nint_data; + error++; + } + + /* + * Get the tagged data. + * + * Really, this code ought to discard tl data types + * that it knows are special to the current version + * and were not supported in the previous version. + * But it's a pain to implement that here, and doing + * it at dump time has almost as good an effect, so + * that's what I did. [krb5-admin/89] + */ + if (!error && dbentry.n_tl_data) { + for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) { + nread = fscanf(filep, "%d\t%d\t", &t1, &t2); + if (nread == 2) { + tl->tl_data_type = (krb5_int16) t1; + tl->tl_data_length = (krb5_int16) t2; + if (tl->tl_data_length) { + if (!(tl->tl_data_contents = + (krb5_octet *) malloc((size_t) t2+1)) || + read_octet_string(filep, + tl->tl_data_contents, + t2)) { + try2read = read_tcontents; + error++; + break; + } + /* test to set mask fields */ + if (t1 == KRB5_TL_KADM_DATA) { + XDR xdrs; + osa_princ_ent_rec osa_princ_ent; + + /* + * Assuming aux_attributes will always be + * there + */ + dbentry.mask |= KADM5_AUX_ATTRIBUTES; + + /* test for an actual policy reference */ + memset(&osa_princ_ent, 0, sizeof(osa_princ_ent)); + xdrmem_create(&xdrs, (char *)tl->tl_data_contents, + tl->tl_data_length, XDR_DECODE); + if (xdr_osa_princ_ent_rec(&xdrs, &osa_princ_ent) && + (osa_princ_ent.aux_attributes & KADM5_POLICY) && + osa_princ_ent.policy != NULL) { + + dbentry.mask |= KADM5_POLICY; + kdb_free_entry(NULL, NULL, &osa_princ_ent); + } + xdr_destroy(&xdrs); + } + } + else { + /* Should be a null field */ + nread = fscanf(filep, "%d", &t9); + if ((nread != 1) || (t9 != -1)) { + error++; + try2read = read_tcontents; + break; + } + } + } + else { + try2read = read_ttypelen; + error++; + break; + } + } + if (!error) + dbentry.mask |= KADM5_TL_DATA; + } + + /* Get the key data */ + if (!error && dbentry.n_key_data) { + for (i=0; !error && (ikey_data_ver = (krb5_int16) t1; + kdatap->key_data_kvno = (krb5_int16) t2; + + for (j=0; jkey_data_type[j] = t3; + kdatap->key_data_length[j] = t4; + if (t4) { + if (!(kdatap->key_data_contents[j] = + (krb5_octet *) + malloc((size_t) t4+1)) || + read_octet_string(filep, + kdatap->key_data_contents[j], + t4)) { + try2read = read_kcontents; + error++; + break; + } + } + else { + /* Should be a null field */ + nread = fscanf(filep, "%d", &t9); + if ((nread != 1) || (t9 != -1)) { + error++; + try2read = read_kcontents; + break; + } + } + } + else { + try2read = read_ktypelen; + error++; + break; + } + } + } + } + if (!error) + dbentry.mask |= KADM5_KEY_DATA; + } + + /* Get the extra data */ + if (!error && dbentry.e_length) { + if (read_octet_string(filep, + dbentry.e_data, + (int) dbentry.e_length)) { + try2read = read_econtents; + error++; + } + } + else { + nread = fscanf(filep, "%d", &t9); + if ((nread != 1) || (t9 != -1)) { + error++; + try2read = read_econtents; + } + } + + /* Finally, find the end of the record. */ + if (!error) + find_record_end(filep, fname, *linenop); + + /* + * We have either read in all the data or choked. + */ + if (!error) { + one = 1; + if ((kret = krb5_db_put_principal(kcontext, + &dbentry, + &one))) { + fprintf(stderr, store_err_fmt, + fname, *linenop, + name, error_message(kret)); + } + else { + if (flags & FLAG_VERBOSE) + fprintf(stderr, add_princ_fmt, name); + retval = 0; + } + } + else { + fprintf(stderr, read_err_fmt, fname, *linenop, try2read); + } + } + else { + if (kret) + fprintf(stderr, parse_err_fmt, + fname, *linenop, name, error_message(kret)); + else + fprintf(stderr, no_mem_fmt, fname, *linenop); + } + } + else { + fprintf(stderr, rhead_err_fmt, fname, *linenop); + } + + if (op) + free(op); + if (kp) + free(kp); + if (name) + free(name); + krb5_db_free_principal(kcontext, &dbentry, 1); } else { - if (nread == EOF) - retval = -1; + if (nread == EOF) + retval = -1; } return(retval); } -static int +static int process_k5beta7_policy(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int flags; + int *linenop; { osa_policy_ent_rec rec; char namebuf[1024]; @@ -2134,38 +2135,38 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop) rec.name = namebuf; nread = fscanf(filep, "%1024s\t%d\t%d\t%d\t%d\t%d\t%d", rec.name, - &rec.pw_min_life, &rec.pw_max_life, - &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &rec.policy_refcnt); + &rec.pw_min_life, &rec.pw_max_life, + &rec.pw_min_length, &rec.pw_min_classes, + &rec.pw_history_num, &rec.policy_refcnt); if (nread == EOF) - return -1; + return -1; else if (nread != 7) { - fprintf(stderr, "cannot parse policy on line %d (%d read)\n", - *linenop, nread); - return 1; + fprintf(stderr, "cannot parse policy on line %d (%d read)\n", + *linenop, nread); + return 1; } if ((ret = krb5_db_create_policy(kcontext, &rec))) { - if (ret && - ((ret = krb5_db_put_policy(kcontext, &rec)))) { - fprintf(stderr, "cannot create policy on line %d: %s\n", - *linenop, error_message(ret)); - return 1; - } + if (ret && + ((ret = krb5_db_put_policy(kcontext, &rec)))) { + fprintf(stderr, "cannot create policy on line %d: %s\n", + *linenop, error_message(ret)); + return 1; + } } if (flags & FLAG_VERBOSE) - fprintf(stderr, "created policy %s\n", rec.name); - + fprintf(stderr, "created policy %s\n", rec.name); + return 0; } static int process_r1_8_policy(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int flags; + int *linenop; { osa_policy_ent_rec rec; char namebuf[1024]; @@ -2181,158 +2182,158 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop) * ignore any additional values. */ nread = fscanf(filep, "%1024s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", - rec.name, - &rec.pw_min_life, &rec.pw_max_life, - &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &rec.policy_refcnt, - &rec.pw_max_fail, &rec.pw_failcnt_interval, - &rec.pw_lockout_duration); + rec.name, + &rec.pw_min_life, &rec.pw_max_life, + &rec.pw_min_length, &rec.pw_min_classes, + &rec.pw_history_num, &rec.policy_refcnt, + &rec.pw_max_fail, &rec.pw_failcnt_interval, + &rec.pw_lockout_duration); if (nread == EOF) - return -1; + return -1; else if (nread < 10) { - fprintf(stderr, "cannot parse policy on line %d (%d read)\n", - *linenop, nread); - return 1; + fprintf(stderr, "cannot parse policy on line %d (%d read)\n", + *linenop, nread); + return 1; } if ((ret = krb5_db_create_policy(kcontext, &rec))) { - if (ret && - ((ret = krb5_db_put_policy(kcontext, &rec)))) { - fprintf(stderr, "cannot create policy on line %d: %s\n", - *linenop, error_message(ret)); - return 1; - } + if (ret && + ((ret = krb5_db_put_policy(kcontext, &rec)))) { + fprintf(stderr, "cannot create policy on line %d: %s\n", + *linenop, error_message(ret)); + return 1; + } } if (flags & FLAG_VERBOSE) - fprintf(stderr, "created policy %s\n", rec.name); + fprintf(stderr, "created policy %s\n", rec.name); return 0; } /* - * process_k5beta7_record() - Handle a dump record in krb5b7 format. + * process_k5beta7_record() - Handle a dump record in krb5b7 format. * * Returns -1 for end of file, 0 for success and 1 for failure. */ static int process_k5beta7_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int flags; + int *linenop; { - int nread; - char rectype[100]; - - nread = fscanf(filep, "%100s\t", rectype); - if (nread == EOF) - return -1; - else if (nread != 1) - return 1; - if (strcmp(rectype, "princ") == 0) - process_k5beta6_record(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "policy") == 0) - process_k5beta7_policy(fname, kcontext, filep, flags, - linenop); - else { - fprintf(stderr, "unknown record type \"%s\" on line %d\n", - rectype, *linenop); - return 1; - } - - return 0; + int nread; + char rectype[100]; + + nread = fscanf(filep, "%100s\t", rectype); + if (nread == EOF) + return -1; + else if (nread != 1) + return 1; + if (strcmp(rectype, "princ") == 0) + process_k5beta6_record(fname, kcontext, filep, flags, + linenop); + else if (strcmp(rectype, "policy") == 0) + process_k5beta7_policy(fname, kcontext, filep, flags, + linenop); + else { + fprintf(stderr, "unknown record type \"%s\" on line %d\n", + rectype, *linenop); + return 1; + } + + return 0; } /* - * process_ov_record() - Handle a dump record in OpenV*Secure 1.0 format. + * process_ov_record() - Handle a dump record in OpenV*Secure 1.0 format. * * Returns -1 for end of file, 0 for success and 1 for failure. */ static int process_ov_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int flags; + int *linenop; { - int nread; - char rectype[100]; - - nread = fscanf(filep, "%100s\t", rectype); - if (nread == EOF) - return -1; - else if (nread != 1) - return 1; - if (strcmp(rectype, "princ") == 0) - process_ov_principal(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "policy") == 0) - process_k5beta7_policy(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "End") == 0) - return -1; - else { - fprintf(stderr, "unknown record type \"%s\" on line %d\n", - rectype, *linenop); - return 1; - } - - return 0; + int nread; + char rectype[100]; + + nread = fscanf(filep, "%100s\t", rectype); + if (nread == EOF) + return -1; + else if (nread != 1) + return 1; + if (strcmp(rectype, "princ") == 0) + process_ov_principal(fname, kcontext, filep, flags, + linenop); + else if (strcmp(rectype, "policy") == 0) + process_k5beta7_policy(fname, kcontext, filep, flags, + linenop); + else if (strcmp(rectype, "End") == 0) + return -1; + else { + fprintf(stderr, "unknown record type \"%s\" on line %d\n", + rectype, *linenop); + return 1; + } + + return 0; } /* - * process_r1_8_record() - Handle a dump record in krb5 1.8 format. + * process_r1_8_record() - Handle a dump record in krb5 1.8 format. * * Returns -1 for end of file, 0 for success and 1 for failure. */ static int process_r1_8_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int flags; + int *linenop; { - int nread; - char rectype[100]; - - nread = fscanf(filep, "%100s\t", rectype); - if (nread == EOF) - return -1; - else if (nread != 1) - return 1; - if (strcmp(rectype, "princ") == 0) - process_k5beta6_record(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "policy") == 0) - process_r1_8_policy(fname, kcontext, filep, flags, - linenop); - else { - fprintf(stderr, "unknown record type \"%s\" on line %d\n", - rectype, *linenop); - return 1; - } - - return 0; + int nread; + char rectype[100]; + + nread = fscanf(filep, "%100s\t", rectype); + if (nread == EOF) + return -1; + else if (nread != 1) + return 1; + if (strcmp(rectype, "princ") == 0) + process_k5beta6_record(fname, kcontext, filep, flags, + linenop); + else if (strcmp(rectype, "policy") == 0) + process_r1_8_policy(fname, kcontext, filep, flags, + linenop); + else { + fprintf(stderr, "unknown record type \"%s\" on line %d\n", + rectype, *linenop); + return 1; + } + + return 0; } /* - * restore_dump() - Restore the database from any version dump file. + * restore_dump() - Restore the database from any version dump file. */ static int restore_dump(programname, kcontext, dumpfile, f, flags, dump) - char *programname; - krb5_context kcontext; - char *dumpfile; - FILE *f; - int flags; - dump_version *dump; + char *programname; + krb5_context kcontext; + char *dumpfile; + FILE *f; + int flags; + dump_version *dump; { - int error; - int lineno; + int error; + int lineno; error = 0; lineno = 1; @@ -2341,15 +2342,15 @@ restore_dump(programname, kcontext, dumpfile, f, flags, dump) * Process the records. */ while (!(error = (*dump->load_record)(dumpfile, - kcontext, - f, - flags, - &lineno))) - ; + kcontext, + f, + flags, + &lineno))) + ; if (error != -1) - fprintf(stderr, err_line_fmt, programname, lineno, dumpfile); + fprintf(stderr, err_line_fmt, programname, lineno, dumpfile); else - error = 0; + error = 0; return(error); } @@ -2360,28 +2361,28 @@ restore_dump(programname, kcontext, dumpfile, f, flags, dump) */ void load_db(argc, argv) - int argc; - char **argv; + int argc; + char **argv; { kadm5_config_params newparams; - krb5_error_code kret; - krb5_context kcontext; - FILE *f; - extern char *optarg; - extern int optind; - char *dumpfile; - char *dbname; - char *dbname_tmp; - char buf[BUFSIZ]; - dump_version *load; - int flags; - krb5_int32 crflags; - int aindex; - int db_locked = 0; - char iheader[MAX_HEADER]; - kdb_log_context *log_ctx; - krb5_boolean add_update = TRUE; - uint32_t caller, last_sno, last_seconds, last_useconds; + krb5_error_code kret; + krb5_context kcontext; + FILE *f; + extern char *optarg; + extern int optind; + char *dumpfile; + char *dbname; + char *dbname_tmp; + char buf[BUFSIZ]; + dump_version *load; + int flags; + krb5_int32 crflags; + int aindex; + int db_locked = 0; + char iheader[MAX_HEADER]; + kdb_log_context *log_ctx; + krb5_boolean add_update = TRUE; + uint32_t caller, last_sno, last_seconds, last_useconds; /* * Parse the arguments. @@ -2396,89 +2397,89 @@ load_db(argc, argv) log_ctx = util_context->kdblog_context; for (aindex = 1; aindex < argc; aindex++) { - if (!strcmp(argv[aindex], oldoption)) - load = &old_version; - else if (!strcmp(argv[aindex], b6option)) - load = &beta6_version; - else if (!strcmp(argv[aindex], b7option)) - load = &beta7_version; - else if (!strcmp(argv[aindex], ovoption)) - load = &ov_version; - else if (!strcmp(argv[aindex], r13option)) - load = &r1_3_version; - else if (!strcmp(argv[aindex], ipropoption)) { - if (log_ctx && log_ctx->iproprole) { - load = &iprop_version; - add_update = FALSE; - } else { - fprintf(stderr, _("Iprop not enabled\n")); - exit_status++; - return; - } - } else if (!strcmp(argv[aindex], verboseoption)) - flags |= FLAG_VERBOSE; - else if (!strcmp(argv[aindex], updateoption)) - flags |= FLAG_UPDATE; - else if (!strcmp(argv[aindex], hashoption)) { - if (!add_db_arg("hash=true")) { - com_err(progname, ENOMEM, "while parsing command arguments\n"); - exit(1); - } - } else - break; + if (!strcmp(argv[aindex], oldoption)) + load = &old_version; + else if (!strcmp(argv[aindex], b6option)) + load = &beta6_version; + else if (!strcmp(argv[aindex], b7option)) + load = &beta7_version; + else if (!strcmp(argv[aindex], ovoption)) + load = &ov_version; + else if (!strcmp(argv[aindex], r13option)) + load = &r1_3_version; + else if (!strcmp(argv[aindex], ipropoption)) { + if (log_ctx && log_ctx->iproprole) { + load = &iprop_version; + add_update = FALSE; + } else { + fprintf(stderr, _("Iprop not enabled\n")); + exit_status++; + return; + } + } else if (!strcmp(argv[aindex], verboseoption)) + flags |= FLAG_VERBOSE; + else if (!strcmp(argv[aindex], updateoption)) + flags |= FLAG_UPDATE; + else if (!strcmp(argv[aindex], hashoption)) { + if (!add_db_arg("hash=true")) { + com_err(progname, ENOMEM, "while parsing command arguments\n"); + exit(1); + } + } else + break; } if ((argc - aindex) != 1) { - usage(); - return; + usage(); + return; } dumpfile = argv[aindex]; if (asprintf(&dbname_tmp, "%s%s", dbname, dump_tmptrail) < 0) { - fprintf(stderr, no_name_mem_fmt, progname); - exit_status++; - return; + fprintf(stderr, no_name_mem_fmt, progname); + exit_status++; + return; } /* * Initialize the Kerberos context and error tables. */ if ((kret = kadm5_init_krb5_context(&kcontext))) { - fprintf(stderr, ctx_err_fmt, progname); - free(dbname_tmp); - exit_status++; - return; + fprintf(stderr, ctx_err_fmt, progname); + free(dbname_tmp); + exit_status++; + return; } if( (kret = krb5_set_default_realm(kcontext, util_context->default_realm)) ) { - fprintf(stderr, "%s: Unable to set the default realm\n", progname); - free(dbname_tmp); - exit_status++; - return; + fprintf(stderr, "%s: Unable to set the default realm\n", progname); + free(dbname_tmp); + exit_status++; + return; } if (log_ctx && log_ctx->iproprole) - kcontext->kdblog_context = log_ctx; + kcontext->kdblog_context = log_ctx; /* * Open the dumpfile */ if (dumpfile) { - if ((f = fopen(dumpfile, "r")) == NULL) { - fprintf(stderr, dfile_err_fmt, progname, dumpfile, - error_message(errno)); - exit_status++; - return; - } - if ((kret = krb5_lock_file(kcontext, fileno(f), - KRB5_LOCKMODE_SHARED))) { - fprintf(stderr, "%s: Cannot lock %s: %s\n", progname, - dumpfile, error_message(errno)); - exit_status++; - return; - } + if ((f = fopen(dumpfile, "r")) == NULL) { + fprintf(stderr, dfile_err_fmt, progname, dumpfile, + error_message(errno)); + exit_status++; + return; + } + if ((kret = krb5_lock_file(kcontext, fileno(f), + KRB5_LOCKMODE_SHARED))) { + fprintf(stderr, "%s: Cannot lock %s: %s\n", progname, + dumpfile, error_message(errno)); + exit_status++; + return; + } } else - f = stdin; + f = stdin; /* * Auto-detect dump version if we weren't told, verify if we @@ -2486,41 +2487,41 @@ load_db(argc, argv) */ fgets(buf, sizeof(buf), f); if (load) { - /* only check what we know; some headers only contain a prefix */ - /* NB: this should work for ipropx even though load is iprop */ - if (strncmp(buf, load->header, strlen(load->header)) != 0) { - fprintf(stderr, head_bad_fmt, progname, dumpfile); - exit_status++; - if (dumpfile) fclose(f); - return; - } + /* only check what we know; some headers only contain a prefix */ + /* NB: this should work for ipropx even though load is iprop */ + if (strncmp(buf, load->header, strlen(load->header)) != 0) { + fprintf(stderr, head_bad_fmt, progname, dumpfile); + exit_status++; + if (dumpfile) fclose(f); + return; + } } else { - /* perhaps this should be in an array, but so what? */ - if (strcmp(buf, old_version.header) == 0) - load = &old_version; - else if (strcmp(buf, beta6_version.header) == 0) - load = &beta6_version; - else if (strcmp(buf, beta7_version.header) == 0) - load = &beta7_version; - else if (strcmp(buf, r1_3_version.header) == 0) - load = &r1_3_version; - else if (strcmp(buf, r1_8_version.header) == 0) - load = &r1_8_version; - else if (strncmp(buf, ov_version.header, - strlen(ov_version.header)) == 0) - load = &ov_version; - else { - fprintf(stderr, head_bad_fmt, progname, dumpfile); - exit_status++; - if (dumpfile) fclose(f); - return; - } + /* perhaps this should be in an array, but so what? */ + if (strcmp(buf, old_version.header) == 0) + load = &old_version; + else if (strcmp(buf, beta6_version.header) == 0) + load = &beta6_version; + else if (strcmp(buf, beta7_version.header) == 0) + load = &beta7_version; + else if (strcmp(buf, r1_3_version.header) == 0) + load = &r1_3_version; + else if (strcmp(buf, r1_8_version.header) == 0) + load = &r1_8_version; + else if (strncmp(buf, ov_version.header, + strlen(ov_version.header)) == 0) + load = &ov_version; + else { + fprintf(stderr, head_bad_fmt, progname, dumpfile); + exit_status++; + if (dumpfile) fclose(f); + return; + } } if (load->updateonly && !(flags & FLAG_UPDATE)) { - fprintf(stderr, "%s: dump version %s can only be loaded with the " - "-update flag\n", progname, load->name); - exit_status++; - return; + fprintf(stderr, "%s: dump version %s can only be loaded with the " + "-update flag\n", progname, load->name); + exit_status++; + return; } /* @@ -2530,74 +2531,74 @@ load_db(argc, argv) */ newparams = global_params; if (! (flags & FLAG_UPDATE)) { - newparams.mask |= KADM5_CONFIG_DBNAME; - newparams.dbname = dbname_tmp; - - if ((kret = kadm5_get_config_params(kcontext, 1, - &newparams, &newparams))) { - com_err(progname, kret, - "while retreiving new configuration parameters"); - exit_status++; - return; - } - - if (!add_db_arg("temporary")) { - com_err(progname, ENOMEM, "computing parameters for database"); - exit(1); - } - - if (!add_update && !add_db_arg("merge_nra")) { - com_err(progname, ENOMEM, "computing parameters for database"); - exit(1); - } + newparams.mask |= KADM5_CONFIG_DBNAME; + newparams.dbname = dbname_tmp; + + if ((kret = kadm5_get_config_params(kcontext, 1, + &newparams, &newparams))) { + com_err(progname, kret, + "while retreiving new configuration parameters"); + exit_status++; + return; + } + + if (!add_db_arg("temporary")) { + com_err(progname, ENOMEM, "computing parameters for database"); + exit(1); + } + + if (!add_update && !add_db_arg("merge_nra")) { + com_err(progname, ENOMEM, "computing parameters for database"); + exit(1); + } } - + /* * If not an update restoration, create the database. otherwise open */ if (!(flags & FLAG_UPDATE)) { - if((kret = krb5_db_create(kcontext, db5util_db_args))) { - const char *emsg = krb5_get_error_message(kcontext, kret); - /* - * See if something (like DAL KDB plugin) has set a specific error - * message and use that otherwise use default. - */ - - if (emsg != NULL) { - fprintf(stderr, "%s: %s\n", progname, emsg); - krb5_free_error_message (kcontext, emsg); - } else { - fprintf(stderr, dbcreaterr_fmt, - progname, dbname, error_message(kret)); - } - exit_status++; - kadm5_free_config_params(kcontext, &newparams); - if (dumpfile) fclose(f); - return; - } + if((kret = krb5_db_create(kcontext, db5util_db_args))) { + const char *emsg = krb5_get_error_message(kcontext, kret); + /* + * See if something (like DAL KDB plugin) has set a specific error + * message and use that otherwise use default. + */ + + if (emsg != NULL) { + fprintf(stderr, "%s: %s\n", progname, emsg); + krb5_free_error_message (kcontext, emsg); + } else { + fprintf(stderr, dbcreaterr_fmt, + progname, dbname, error_message(kret)); + } + exit_status++; + kadm5_free_config_params(kcontext, &newparams); + if (dumpfile) fclose(f); + return; + } } else { - /* - * Initialize the database. - */ - if ((kret = krb5_db_open(kcontext, db5util_db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN))) { - const char *emsg = krb5_get_error_message(kcontext, kret); - /* - * See if something (like DAL KDB plugin) has set a specific - * error message and use that otherwise use default. - */ - - if (emsg != NULL) { - fprintf(stderr, "%s: %s\n", progname, emsg); - krb5_free_error_message (kcontext, emsg); - } else { - fprintf(stderr, dbinit_err_fmt, - progname, error_message(kret)); - } - exit_status++; - goto error; - } + /* + * Initialize the database. + */ + if ((kret = krb5_db_open(kcontext, db5util_db_args, + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN))) { + const char *emsg = krb5_get_error_message(kcontext, kret); + /* + * See if something (like DAL KDB plugin) has set a specific + * error message and use that otherwise use default. + */ + + if (emsg != NULL) { + fprintf(stderr, "%s: %s\n", progname, emsg); + krb5_free_error_message (kcontext, emsg); + } else { + fprintf(stderr, dbinit_err_fmt, + progname, error_message(kret)); + } + exit_status++; + goto error; + } } @@ -2606,132 +2607,132 @@ load_db(argc, argv) * the update fails. */ if ((kret = krb5_db_lock(kcontext, - (flags & FLAG_UPDATE) ? - KRB5_DB_LOCKMODE_PERMANENT : - KRB5_DB_LOCKMODE_EXCLUSIVE))) { - /* - * Ignore a not supported error since there is nothing to do about it - * anyway. - */ - if (kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, "%s: %s while permanently locking database\n", - progname, error_message(kret)); - exit_status++; - goto error; - } + (flags & FLAG_UPDATE) ? + KRB5_DB_LOCKMODE_PERMANENT : + KRB5_DB_LOCKMODE_EXCLUSIVE))) { + /* + * Ignore a not supported error since there is nothing to do about it + * anyway. + */ + if (kret != KRB5_PLUGIN_OP_NOTSUPP) { + fprintf(stderr, "%s: %s while permanently locking database\n", + progname, error_message(kret)); + exit_status++; + goto error; + } } else - db_locked = 1; - + db_locked = 1; + if (log_ctx && log_ctx->iproprole) { - if (add_update) - caller = FKCOMMAND; - else - caller = FKPROPD; - - if (ulog_map(kcontext, global_params.iprop_logfile, - global_params.iprop_ulogsize, caller, db5util_db_args)) { - fprintf(stderr, _("%s: Could not map log\n"), - progname); - exit_status++; - goto error; - } - - /* - * We don't want to take out the ulog out from underneath - * kadmind so we reinit the header log. - * - * We also don't want to add to the update log since we - * are doing a whole sale replace of the db, because: - * we could easily exceed # of update entries - * we could implicity delete db entries during a replace - * no advantage in incr updates when entire db is replaced - */ - if (!(flags & FLAG_UPDATE)) { - memset(log_ctx->ulog, 0, sizeof (kdb_hlog_t)); - - log_ctx->ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; - log_ctx->ulog->db_version_num = KDB_VERSION; - log_ctx->ulog->kdb_state = KDB_STABLE; - log_ctx->ulog->kdb_block = ULOG_BLOCK; - - log_ctx->iproprole = IPROP_NULL; - - if (!add_update) { - unsigned int ipropx_version = IPROPX_VERSION_0; - - if (!strncmp(buf, "ipropx ", sizeof("ipropx ") - 1)) - sscanf(buf, "%s %u %u %u %u", iheader, - &ipropx_version, &last_sno, - &last_seconds, &last_useconds); - else - sscanf(buf, "%s %u %u %u", iheader, &last_sno, - &last_seconds, &last_useconds); - - switch (ipropx_version) { - case IPROPX_VERSION_0: - load = &iprop_version; - break; - case IPROPX_VERSION_1: - load = &ipropx_1_version; - break; - default: - fprintf(stderr, _("%s: Unknown iprop dump version %d\n"), - progname, ipropx_version); - exit_status++; - goto error; - } - - log_ctx->ulog->kdb_last_sno = last_sno; - log_ctx->ulog->kdb_last_time.seconds = - last_seconds; - log_ctx->ulog->kdb_last_time.useconds = - last_useconds; - } - } + if (add_update) + caller = FKCOMMAND; + else + caller = FKPROPD; + + if (ulog_map(kcontext, global_params.iprop_logfile, + global_params.iprop_ulogsize, caller, db5util_db_args)) { + fprintf(stderr, _("%s: Could not map log\n"), + progname); + exit_status++; + goto error; + } + + /* + * We don't want to take out the ulog out from underneath + * kadmind so we reinit the header log. + * + * We also don't want to add to the update log since we + * are doing a whole sale replace of the db, because: + * we could easily exceed # of update entries + * we could implicity delete db entries during a replace + * no advantage in incr updates when entire db is replaced + */ + if (!(flags & FLAG_UPDATE)) { + memset(log_ctx->ulog, 0, sizeof (kdb_hlog_t)); + + log_ctx->ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; + log_ctx->ulog->db_version_num = KDB_VERSION; + log_ctx->ulog->kdb_state = KDB_STABLE; + log_ctx->ulog->kdb_block = ULOG_BLOCK; + + log_ctx->iproprole = IPROP_NULL; + + if (!add_update) { + unsigned int ipropx_version = IPROPX_VERSION_0; + + if (!strncmp(buf, "ipropx ", sizeof("ipropx ") - 1)) + sscanf(buf, "%s %u %u %u %u", iheader, + &ipropx_version, &last_sno, + &last_seconds, &last_useconds); + else + sscanf(buf, "%s %u %u %u", iheader, &last_sno, + &last_seconds, &last_useconds); + + switch (ipropx_version) { + case IPROPX_VERSION_0: + load = &iprop_version; + break; + case IPROPX_VERSION_1: + load = &ipropx_1_version; + break; + default: + fprintf(stderr, _("%s: Unknown iprop dump version %d\n"), + progname, ipropx_version); + exit_status++; + goto error; + } + + log_ctx->ulog->kdb_last_sno = last_sno; + log_ctx->ulog->kdb_last_time.seconds = + last_seconds; + log_ctx->ulog->kdb_last_time.useconds = + last_useconds; + } + } } if (restore_dump(progname, kcontext, (dumpfile) ? dumpfile : stdin_name, - f, flags, load)) { - fprintf(stderr, restfail_fmt, - progname, load->name); - exit_status++; + f, flags, load)) { + fprintf(stderr, restfail_fmt, + progname, load->name); + exit_status++; } if (!(flags & FLAG_UPDATE) && load->create_kadm5 && - ((kret = kadm5_create_magic_princs(&newparams, kcontext)))) { - /* error message printed by create_magic_princs */ - exit_status++; + ((kret = kadm5_create_magic_princs(&newparams, kcontext)))) { + /* error message printed by create_magic_princs */ + exit_status++; } - + if (db_locked && (kret = krb5_db_unlock(kcontext))) { - /* change this error? */ - fprintf(stderr, dbunlockerr_fmt, - progname, dbname, error_message(kret)); - exit_status++; + /* change this error? */ + fprintf(stderr, dbunlockerr_fmt, + progname, dbname, error_message(kret)); + exit_status++; } #if 0 if ((kret = krb5_db_fini(kcontext))) { - fprintf(stderr, close_err_fmt, - progname, error_message(kret)); - exit_status++; + fprintf(stderr, close_err_fmt, + progname, error_message(kret)); + exit_status++; } #endif /* close policy db below */ if (exit_status == 0 && !(flags & FLAG_UPDATE)) { - kret = krb5_db_promote(kcontext, db5util_db_args); - /* - * Ignore a not supported error since there is nothing to do about it - * anyway. - */ - if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, "%s: cannot make newly loaded database live (%s)\n", - progname, error_message(kret)); - exit_status++; - } + kret = krb5_db_promote(kcontext, db5util_db_args); + /* + * Ignore a not supported error since there is nothing to do about it + * anyway. + */ + if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { + fprintf(stderr, "%s: cannot make newly loaded database live (%s)\n", + progname, error_message(kret)); + exit_status++; + } } error: @@ -2742,26 +2743,26 @@ error: * If an update: if there was no error, unlock the database. */ if (!(flags & FLAG_UPDATE)) { - if (exit_status) { - kret = krb5_db_destroy(kcontext, db5util_db_args); - /* - * Ignore a not supported error since there is nothing to do about - * it anyway. - */ - if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, dbdelerr_fmt, - progname, dbname, error_message(kret)); - exit_status++; - } - } + if (exit_status) { + kret = krb5_db_destroy(kcontext, db5util_db_args); + /* + * Ignore a not supported error since there is nothing to do about + * it anyway. + */ + if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { + fprintf(stderr, dbdelerr_fmt, + progname, dbname, error_message(kret)); + exit_status++; + } + } } if (dumpfile) { - (void) krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_UNLOCK); - fclose(f); + (void) krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_UNLOCK); + fclose(f); } if (dbname_tmp) - free(dbname_tmp); + free(dbname_tmp); krb5_free_context(kcontext); } diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c index a232babd1..5cce78cb8 100644 --- a/src/kadmin/dbutil/kadm5_create.c +++ b/src/kadmin/dbutil/kadm5_create.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * @@ -6,14 +7,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -24,7 +25,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -49,7 +50,7 @@ #include "kdb5_util.h" static int add_admin_princ(void *handle, krb5_context context, - char *name, char *realm, int attrs, int lifetime); + char *name, char *realm, int attrs, int lifetime); static int add_admin_princs(void *handle, krb5_context context, char *realm); #define ERR 1 @@ -63,65 +64,65 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm); * * Purpose: create admin principals in KDC database * - * Arguments: params (r) configuration parameters to use - * + * Arguments: params (r) configuration parameters to use + * * Effects: Creates KADM5_ADMIN_SERVICE and KADM5_CHANGEPW_SERVICE * principals in the KDC database and sets their attributes * appropriately. */ int kadm5_create(kadm5_config_params *params) { - int retval; - krb5_context context; + int retval; + krb5_context context; - kadm5_config_params lparams; + kadm5_config_params lparams; - if ((retval = kadm5_init_krb5_context(&context))) - exit(ERR); + if ((retval = kadm5_init_krb5_context(&context))) + exit(ERR); - /* - * The lock file has to exist before calling kadm5_init, but - * params->admin_lockfile may not be set yet... - */ - if ((retval = kadm5_get_config_params(context, 1, - params, &lparams))) { - com_err(progname, retval, "while looking up the Kerberos configuration"); - return 1; - } + /* + * The lock file has to exist before calling kadm5_init, but + * params->admin_lockfile may not be set yet... + */ + if ((retval = kadm5_get_config_params(context, 1, + params, &lparams))) { + com_err(progname, retval, "while looking up the Kerberos configuration"); + return 1; + } - retval = kadm5_create_magic_princs(&lparams, context); + retval = kadm5_create_magic_princs(&lparams, context); - kadm5_free_config_params(context, &lparams); - krb5_free_context(context); + kadm5_free_config_params(context, &lparams); + krb5_free_context(context); - return retval; + return retval; } int kadm5_create_magic_princs(kadm5_config_params *params, - krb5_context context) + krb5_context context) { - int retval; - void *handle; - - retval = krb5_klog_init(context, "admin_server", progname, 0); - if (retval) - return retval; - if ((retval = kadm5_init(context, progname, NULL, NULL, params, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_3, - db5util_db_args, - &handle))) { - com_err(progname, retval, "while initializing the Kerberos admin interface"); - return retval; - } - - retval = add_admin_princs(handle, context, params->realm); - - kadm5_destroy(handle); - - krb5_klog_close(context); - - return retval; + int retval; + void *handle; + + retval = krb5_klog_init(context, "admin_server", progname, 0); + if (retval) + return retval; + if ((retval = kadm5_init(context, progname, NULL, NULL, params, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_3, + db5util_db_args, + &handle))) { + com_err(progname, retval, "while initializing the Kerberos admin interface"); + return retval; + } + + retval = add_admin_princs(handle, context, params->realm); + + kadm5_destroy(handle); + + krb5_klog_close(context); + + return retval; } /* @@ -131,22 +132,22 @@ int kadm5_create_magic_princs(kadm5_config_params *params, * * Arguments: * - * name (input) the name - * realm (input) the realm + * name (input) the name + * realm (input) the realm * * Returns: * - * pointer to name@realm, in allocated memory, or NULL if it - * cannot be allocated + * pointer to name@realm, in allocated memory, or NULL if it + * cannot be allocated * * Requires: both strings are null-terminated */ static char *build_name_with_realm(char *name, char *realm) { - char *n; + char *n; - asprintf(&n, "%s@%s", name, realm); - return n; + asprintf(&n, "%s@%s", name, realm); + return n; } /* @@ -156,14 +157,14 @@ static char *build_name_with_realm(char *name, char *realm) * * Arguments: * - * rseed (input) random seed - * realm (input) realm, or NULL for default realm + * rseed (input) random seed + * realm (input) realm, or NULL for default realm * (output) status, 0 for success, 1 for serious error - * + * * Requires: - * + * * Effects: - * + * * add_admin_princs creates KADM5_ADMIN_SERVICE, * KADM5_CHANGEPW_SERVICE. If any of these exist a message is * printed. If any of these existing principal do not have the proper @@ -171,79 +172,79 @@ static char *build_name_with_realm(char *name, char *realm) */ static int add_admin_princs(void *handle, krb5_context context, char *realm) { - krb5_error_code ret = 0; - char *service_name = 0, *p; - char localname[MAXHOSTNAMELEN]; - struct addrinfo *ai, ai_hints; - int gai_error; - - if (gethostname(localname, MAXHOSTNAMELEN)) { - ret = errno; - perror("gethostname"); - goto clean_and_exit; - } - memset(&ai_hints, 0, sizeof(ai_hints)); - ai_hints.ai_flags = AI_CANONNAME; - gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); - if (gai_error) { - ret = EINVAL; - fprintf(stderr, "getaddrinfo(%s): %s\n", localname, - gai_strerror(gai_error)); - goto clean_and_exit; - } - if (ai->ai_canonname == NULL) { - ret = EINVAL; - fprintf(stderr, - "getaddrinfo(%s): Cannot determine canonical hostname.\n", - localname); - freeaddrinfo(ai); - goto clean_and_exit; - } - for (p = ai->ai_canonname; *p; p++) { + krb5_error_code ret = 0; + char *service_name = 0, *p; + char localname[MAXHOSTNAMELEN]; + struct addrinfo *ai, ai_hints; + int gai_error; + + if (gethostname(localname, MAXHOSTNAMELEN)) { + ret = errno; + perror("gethostname"); + goto clean_and_exit; + } + memset(&ai_hints, 0, sizeof(ai_hints)); + ai_hints.ai_flags = AI_CANONNAME; + gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); + if (gai_error) { + ret = EINVAL; + fprintf(stderr, "getaddrinfo(%s): %s\n", localname, + gai_strerror(gai_error)); + goto clean_and_exit; + } + if (ai->ai_canonname == NULL) { + ret = EINVAL; + fprintf(stderr, + "getaddrinfo(%s): Cannot determine canonical hostname.\n", + localname); + freeaddrinfo(ai); + goto clean_and_exit; + } + for (p = ai->ai_canonname; *p; p++) { #ifdef isascii - if (!isascii(*p)) - continue; + if (!isascii(*p)) + continue; #else - if (*p < ' ') - continue; - if (*p > '~') - continue; + if (*p < ' ') + continue; + if (*p > '~') + continue; #endif - if (!isupper(*p)) - continue; - *p = tolower(*p); - } - if (asprintf(&service_name, "kadmin/%s", ai->ai_canonname) < 0) { - ret = ENOMEM; - fprintf(stderr, "Out of memory\n"); - freeaddrinfo(ai); - goto clean_and_exit; - } - freeaddrinfo(ai); - - if ((ret = add_admin_princ(handle, context, - service_name, realm, - KRB5_KDB_DISALLOW_TGT_BASED, - ADMIN_LIFETIME))) - goto clean_and_exit; - - if ((ret = add_admin_princ(handle, context, - KADM5_ADMIN_SERVICE, realm, - KRB5_KDB_DISALLOW_TGT_BASED, - ADMIN_LIFETIME))) - goto clean_and_exit; - - if ((ret = add_admin_princ(handle, context, - KADM5_CHANGEPW_SERVICE, realm, - KRB5_KDB_DISALLOW_TGT_BASED | - KRB5_KDB_PWCHANGE_SERVICE, - CHANGEPW_LIFETIME))) - goto clean_and_exit; - + if (!isupper(*p)) + continue; + *p = tolower(*p); + } + if (asprintf(&service_name, "kadmin/%s", ai->ai_canonname) < 0) { + ret = ENOMEM; + fprintf(stderr, "Out of memory\n"); + freeaddrinfo(ai); + goto clean_and_exit; + } + freeaddrinfo(ai); + + if ((ret = add_admin_princ(handle, context, + service_name, realm, + KRB5_KDB_DISALLOW_TGT_BASED, + ADMIN_LIFETIME))) + goto clean_and_exit; + + if ((ret = add_admin_princ(handle, context, + KADM5_ADMIN_SERVICE, realm, + KRB5_KDB_DISALLOW_TGT_BASED, + ADMIN_LIFETIME))) + goto clean_and_exit; + + if ((ret = add_admin_princ(handle, context, + KADM5_CHANGEPW_SERVICE, realm, + KRB5_KDB_DISALLOW_TGT_BASED | + KRB5_KDB_PWCHANGE_SERVICE, + CHANGEPW_LIFETIME))) + goto clean_and_exit; + clean_and_exit: - free(service_name); + free(service_name); - return ret; + return ret; } /* @@ -251,23 +252,23 @@ clean_and_exit: * * Arguments: * - * creator (r) principal to use as "mod_by" - * rseed (r) seed for random key generator - * name (r) principal name - * realm (r) realm name for principal - * attrs (r) principal's attributes - * lifetime (r) principal's max life, or 0 - * not_unique (r) error message for multiple entries, never used - * exists (r) warning message for principal exists - * wrong_attrs (r) warning message for wrong attributes + * creator (r) principal to use as "mod_by" + * rseed (r) seed for random key generator + * name (r) principal name + * realm (r) realm name for principal + * attrs (r) principal's attributes + * lifetime (r) principal's max life, or 0 + * not_unique (r) error message for multiple entries, never used + * exists (r) warning message for principal exists + * wrong_attrs (r) warning message for wrong attributes * * Returns: * - * OK on success - * ERR on serious errors + * OK on success + * ERR on serious errors * * Effects: - * + * * If the principal is not unique, not_unique is printed (but this * never happens). If the principal exists, then exists is printed * and if the principals attributes != attrs, wrong_attrs is printed. @@ -276,56 +277,56 @@ clean_and_exit: */ int add_admin_princ(void *handle, krb5_context context, - char *name, char *realm, int attrs, int lifetime) + char *name, char *realm, int attrs, int lifetime) { - char *fullname; - krb5_error_code ret; - kadm5_principal_ent_rec ent; - - memset(&ent, 0, sizeof(ent)); - - fullname = build_name_with_realm(name, realm); - ret = krb5_parse_name(context, fullname, &ent.principal); - if (ret) { - com_err(progname, ret, str_PARSE_NAME); - return(ERR); - } - ent.max_life = lifetime; - ent.attributes = attrs | KRB5_KDB_DISALLOW_ALL_TIX; - - ret = kadm5_create_principal(handle, &ent, - (KADM5_PRINCIPAL | KADM5_MAX_LIFE | - KADM5_ATTRIBUTES), - "to-be-random"); - if (ret) { - if (ret != KADM5_DUP) { - com_err(progname, ret, str_PUT_PRINC, fullname); - krb5_free_principal(context, ent.principal); - free(fullname); - return ERR; - } - } else { - /* only randomize key if we created the principal */ - ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL); - if (ret) { - com_err(progname, ret, str_RANDOM_KEY, fullname); - krb5_free_principal(context, ent.principal); - free(fullname); - return ERR; - } - - ent.attributes = attrs; - ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES); - if (ret) { - com_err(progname, ret, str_PUT_PRINC, fullname); - krb5_free_principal(context, ent.principal); - free(fullname); - return ERR; - } - } - - krb5_free_principal(context, ent.principal); - free(fullname); - - return OK; + char *fullname; + krb5_error_code ret; + kadm5_principal_ent_rec ent; + + memset(&ent, 0, sizeof(ent)); + + fullname = build_name_with_realm(name, realm); + ret = krb5_parse_name(context, fullname, &ent.principal); + if (ret) { + com_err(progname, ret, str_PARSE_NAME); + return(ERR); + } + ent.max_life = lifetime; + ent.attributes = attrs | KRB5_KDB_DISALLOW_ALL_TIX; + + ret = kadm5_create_principal(handle, &ent, + (KADM5_PRINCIPAL | KADM5_MAX_LIFE | + KADM5_ATTRIBUTES), + "to-be-random"); + if (ret) { + if (ret != KADM5_DUP) { + com_err(progname, ret, str_PUT_PRINC, fullname); + krb5_free_principal(context, ent.principal); + free(fullname); + return ERR; + } + } else { + /* only randomize key if we created the principal */ + ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL); + if (ret) { + com_err(progname, ret, str_RANDOM_KEY, fullname); + krb5_free_principal(context, ent.principal); + free(fullname); + return ERR; + } + + ent.attributes = attrs; + ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES); + if (ret) { + com_err(progname, ret, str_PUT_PRINC, fullname); + krb5_free_principal(context, ent.principal); + free(fullname); + return ERR; + } + } + + krb5_free_principal(context, ent.principal); + free(fullname); + + return OK; } diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c index 3cf84fee0..358577180 100644 --- a/src/kadmin/dbutil/kdb5_create.c +++ b/src/kadmin/dbutil/kdb5_create.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/dbutil/kdb5_create.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +23,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Generate (from scratch) a Kerberos KDC database. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +48,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -66,9 +67,9 @@ #include "kdb5_util.h" enum ap_op { - NULL_KEY, /* setup null keys */ - MASTER_KEY, /* use master key as new key */ - TGT_KEY /* special handling for tgt key */ + NULL_KEY, /* setup null keys */ + MASTER_KEY, /* use master key as new key */ + TGT_KEY /* special handling for tgt key */ }; krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL }; @@ -92,16 +93,16 @@ struct realm_info { }; struct iterate_args { - krb5_context ctx; - struct realm_info *rblock; - krb5_db_entry *dbentp; + krb5_context ctx; + struct realm_info *rblock; + krb5_db_entry *dbentp; }; -static krb5_error_code add_principal - (krb5_context, - krb5_principal, - enum ap_op, - struct realm_info *); +static krb5_error_code add_principal +(krb5_context, + krb5_principal, + enum ap_op, + struct realm_info *); /* * Steps in creating a database: @@ -122,28 +123,28 @@ extern krb5_principal master_princ; krb5_data master_salt; krb5_data tgt_princ_entries[] = { - {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME}, - {0, 0, 0} }; + {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME}, + {0, 0, 0} }; krb5_data db_creator_entries[] = { - {0, sizeof("db_creation")-1, "db_creation"} }; + {0, sizeof("db_creation")-1, "db_creation"} }; /* XXX knows about contents of krb5_principal, and that tgt names - are of form TGT/REALM@REALM */ + are of form TGT/REALM@REALM */ krb5_principal_data tgt_princ = { - 0, /* magic number */ - {0, 0, 0}, /* krb5_data realm */ - tgt_princ_entries, /* krb5_data *data */ - 2, /* int length */ - KRB5_NT_SRV_INST /* int type */ + 0, /* magic number */ + {0, 0, 0}, /* krb5_data realm */ + tgt_princ_entries, /* krb5_data *data */ + 2, /* int length */ + KRB5_NT_SRV_INST /* int type */ }; krb5_principal_data db_create_princ = { - 0, /* magic number */ - {0, 0, 0}, /* krb5_data realm */ - db_creator_entries, /* krb5_data *data */ - 1, /* int length */ - KRB5_NT_SRV_INST /* int type */ + 0, /* magic number */ + {0, 0, 0}, /* krb5_data realm */ + db_creator_entries, /* krb5_data *data */ + 1, /* int length */ + KRB5_NT_SRV_INST /* int type */ }; extern char *mkey_password; @@ -154,8 +155,8 @@ extern kadm5_config_params global_params; extern krb5_context util_context; void kdb5_create(argc, argv) - int argc; - char *argv[]; + int argc; + char *argv[]; { int optchar; @@ -168,26 +169,26 @@ void kdb5_create(argc, argv) kdb_log_context *log_ctx; krb5_kvno mkey_kvno; int strong_random = 1; - + while ((optchar = getopt(argc, argv, "sW")) != -1) { - switch(optchar) { - case 's': - do_stash++; - break; - case 'h': - if (!add_db_arg("hash=true")) { - com_err(progname, ENOMEM, "while parsing command arguments\n"); - exit(1); - } - break; - case 'W': - strong_random = 0; - break; - case '?': - default: - usage(); - return; - } + switch(optchar) { + case 's': + do_stash++; + break; + case 'h': + if (!add_db_arg("hash=true")) { + com_err(progname, ENOMEM, "while parsing command arguments\n"); + exit(1); + } + break; + case 'W': + strong_random = 0; + break; + case '?': + default: + usage(); + return; + } } rblock.max_life = global_params.max_life; @@ -202,18 +203,18 @@ void kdb5_create(argc, argv) printf ("Loading random data\n"); retval = krb5_c_random_os_entropy (util_context, strong_random, NULL); if (retval) { - com_err (progname, retval, "Loading random data"); - exit_status++; return; + com_err (progname, retval, "Loading random data"); + exit_status++; return; } - + /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, - global_params.mkey_name, - global_params.realm, - &mkey_fullname, &master_princ))) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; return; + global_params.mkey_name, + global_params.realm, + &mkey_fullname, &master_princ))) { + com_err(progname, retval, "while setting up master key name"); + exit_status++; return; } krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm); @@ -225,42 +226,42 @@ void kdb5_create(argc, argv) printf("Initializing database '%s' for realm '%s',\n\ master key name '%s'\n", - global_params.dbname, global_params.realm, mkey_fullname); + global_params.dbname, global_params.realm, mkey_fullname); if (!mkey_password) { - printf("You will be prompted for the database Master Password.\n"); - printf("It is important that you NOT FORGET this password.\n"); - fflush(stdout); - - pw_size = 1024; - pw_str = malloc(pw_size); - if (pw_str == NULL) { - com_err(progname, ENOMEM, "while creating new master key"); - exit_status++; return; - } - - retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, - pw_str, &pw_size); - if (retval) { - com_err(progname, retval, "while reading master key from keyboard"); - exit_status++; return; - } - mkey_password = pw_str; + printf("You will be prompted for the database Master Password.\n"); + printf("It is important that you NOT FORGET this password.\n"); + fflush(stdout); + + pw_size = 1024; + pw_str = malloc(pw_size); + if (pw_str == NULL) { + com_err(progname, ENOMEM, "while creating new master key"); + exit_status++; return; + } + + retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, + pw_str, &pw_size); + if (retval) { + com_err(progname, retval, "while reading master key from keyboard"); + exit_status++; return; + } + mkey_password = pw_str; } pwd.data = mkey_password; pwd.length = strlen(mkey_password); retval = krb5_principal2salt(util_context, master_princ, &master_salt); if (retval) { - com_err(progname, retval, "while calculating master key salt"); - exit_status++; return; + com_err(progname, retval, "while calculating master key salt"); + exit_status++; return; } - retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, - &pwd, &master_salt, &master_keyblock); + retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, + &pwd, &master_salt, &master_keyblock); if (retval) { - com_err(progname, retval, "while transforming master key from password"); - exit_status++; return; + com_err(progname, retval, "while transforming master key from password"); + exit_status++; return; } rblock.key = &master_keyblock; @@ -269,59 +270,59 @@ master key name '%s'\n", seed.data = master_keyblock.contents; if ((retval = krb5_c_random_seed(util_context, &seed))) { - com_err(progname, retval, "while initializing random key generator"); - exit_status++; return; + com_err(progname, retval, "while initializing random key generator"); + exit_status++; return; } if ((retval = krb5_db_create(util_context, - db5util_db_args))) { - com_err(progname, retval, "while creating database '%s'", - global_params.dbname); - exit_status++; return; + db5util_db_args))) { + com_err(progname, retval, "while creating database '%s'", + global_params.dbname); + exit_status++; return; } /* if ((retval = krb5_db_fini(util_context))) { */ /* com_err(progname, retval, "while closing current database"); */ /* exit_status++; return; */ /* } */ /* if ((retval = krb5_db_open(util_context, db5util_db_args, KRB5_KDB_OPEN_RW))) { */ -/* com_err(progname, retval, "while initializing the database '%s'", */ -/* global_params.dbname); */ -/* exit_status++; return; */ +/* com_err(progname, retval, "while initializing the database '%s'", */ +/* global_params.dbname); */ +/* exit_status++; return; */ /* } */ if (log_ctx && log_ctx->iproprole) { - if ((retval = ulog_map(util_context, global_params.iprop_logfile, - global_params.iprop_ulogsize, FKCOMMAND, - db5util_db_args))) { - com_err(argv[0], retval, - _("while creating update log")); - exit_status++; - return; - } - - /* - * We're reinitializing the update log in case one already - * existed, but this should never happen. - */ - (void) memset(log_ctx->ulog, 0, sizeof (kdb_hlog_t)); - - log_ctx->ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; - log_ctx->ulog->db_version_num = KDB_VERSION; - log_ctx->ulog->kdb_state = KDB_STABLE; - log_ctx->ulog->kdb_block = ULOG_BLOCK; - - /* - * Since we're creating a new db we shouldn't worry about - * adding the initial principals since any slave might as well - * do full resyncs from this newly created db. - */ - log_ctx->iproprole = IPROP_NULL; + if ((retval = ulog_map(util_context, global_params.iprop_logfile, + global_params.iprop_ulogsize, FKCOMMAND, + db5util_db_args))) { + com_err(argv[0], retval, + _("while creating update log")); + exit_status++; + return; + } + + /* + * We're reinitializing the update log in case one already + * existed, but this should never happen. + */ + (void) memset(log_ctx->ulog, 0, sizeof (kdb_hlog_t)); + + log_ctx->ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; + log_ctx->ulog->db_version_num = KDB_VERSION; + log_ctx->ulog->kdb_state = KDB_STABLE; + log_ctx->ulog->kdb_block = ULOG_BLOCK; + + /* + * Since we're creating a new db we shouldn't worry about + * adding the initial principals since any slave might as well + * do full resyncs from this newly created db. + */ + log_ctx->iproprole = IPROP_NULL; } if ((retval = add_principal(util_context, master_princ, MASTER_KEY, &rblock)) || - (retval = add_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { - (void) krb5_db_fini(util_context); - com_err(progname, retval, "while adding entries to the database"); - exit_status++; return; + (retval = add_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { + (void) krb5_db_fini(util_context); + com_err(progname, retval, "while adding entries to the database"); + exit_status++; return; } @@ -342,29 +343,29 @@ master key name '%s'\n", mkey_kvno = 1; /* Default */ retval = krb5_db_store_master_key(util_context, - global_params.stash_file, - master_princ, - mkey_kvno, - &master_keyblock, - mkey_password); + global_params.stash_file, + master_princ, + mkey_kvno, + &master_keyblock, + mkey_password); if (retval) { - com_err(progname, errno, "while storing key"); - printf("Warning: couldn't stash master key.\n"); + com_err(progname, errno, "while storing key"); + printf("Warning: couldn't stash master key.\n"); } /* clean up */ (void) krb5_db_fini(util_context); memset(master_keyblock.contents, 0, master_keyblock.length); free(master_keyblock.contents); if (pw_str) { - memset(pw_str, 0, pw_size); - free(pw_str); + memset(pw_str, 0, pw_size); + free(pw_str); } free(master_salt.data); if (kadm5_create(&global_params)) { - if (!do_stash) unlink(global_params.stash_file); - exit_status++; - return; + if (!do_stash) unlink(global_params.stash_file); + exit_status++; + return; } if (!do_stash) unlink(global_params.stash_file); @@ -373,15 +374,15 @@ master key name '%s'\n", static krb5_error_code tgt_keysalt_iterate(ksent, ptr) - krb5_key_salt_tuple *ksent; - krb5_pointer ptr; + krb5_key_salt_tuple *ksent; + krb5_pointer ptr; { - krb5_context context; - krb5_error_code kret; - struct iterate_args *iargs; - krb5_keyblock key; - krb5_int32 ind; - krb5_data pwd; + krb5_context context; + krb5_error_code kret; + struct iterate_args *iargs; + krb5_keyblock key; + krb5_int32 ind; + krb5_data pwd; iargs = (struct iterate_args *) ptr; kret = 0; @@ -396,20 +397,20 @@ tgt_keysalt_iterate(ksent, ptr) pwd.length = strlen(mkey_password); kret = krb5_c_random_seed(context, &pwd); if (kret) - return kret; + return kret; if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) { - ind = iargs->dbentp->n_key_data-1; - if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype, - &key))) { - kret = krb5_dbekd_encrypt_key_data(context, - iargs->rblock->key, - &key, - NULL, - 1, - &iargs->dbentp->key_data[ind]); - krb5_free_keyblock_contents(context, &key); - } + ind = iargs->dbentp->n_key_data-1; + if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype, + &key))) { + kret = krb5_dbekd_encrypt_key_data(context, + iargs->rblock->key, + &key, + NULL, + 1, + &iargs->dbentp->key_data[ind]); + krb5_free_keyblock_contents(context, &key); + } } return(kret); @@ -422,12 +423,12 @@ add_principal(context, princ, op, pblock) enum ap_op op; struct realm_info *pblock; { - krb5_error_code retval; - krb5_db_entry entry; + krb5_error_code retval; + krb5_db_entry entry; krb5_kvno mkey_kvno; - krb5_timestamp now; - struct iterate_args iargs; - int nentries = 1; + krb5_timestamp now; + struct iterate_args iargs; + int nentries = 1; krb5_actkvno_node actkvno; memset(&entry, 0, sizeof(entry)); @@ -439,32 +440,32 @@ add_principal(context, princ, op, pblock) entry.expiration = pblock->expiration; if ((retval = krb5_copy_principal(context, princ, &entry.princ))) - goto error_out; + goto error_out; if ((retval = krb5_timeofday(context, &now))) - goto error_out; + goto error_out; if ((retval = krb5_dbe_update_mod_princ_data(context, &entry, - now, &db_create_princ))) - goto error_out; + now, &db_create_princ))) + goto error_out; switch (op) { case MASTER_KEY: - if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data))) - == NULL) - goto error_out; - memset(entry.key_data, 0, sizeof(krb5_key_data)); - entry.n_key_data = 1; + if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data))) + == NULL) + goto error_out; + memset(entry.key_data, 0, sizeof(krb5_key_data)); + entry.n_key_data = 1; if (global_params.mask & KADM5_CONFIG_KVNO) mkey_kvno = global_params.kvno; /* user specified */ else mkey_kvno = 1; /* Default */ - entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; - if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->key, - &master_keyblock, NULL, - mkey_kvno, entry.key_data))) - return retval; + entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->key, + &master_keyblock, NULL, + mkey_kvno, entry.key_data))) + return retval; /* * There should always be at least one "active" mkey so creating the * KRB5_TL_ACTKVNO entry now so the initial mkey is active. @@ -480,30 +481,30 @@ add_principal(context, princ, op, pblock) if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno))) return retval; - break; + break; case TGT_KEY: - iargs.ctx = context; - iargs.rblock = pblock; - iargs.dbentp = &entry; - /* - * Iterate through the key/salt list, ignoring salt types. - */ - if ((retval = krb5_keysalt_iterate(pblock->kslist, - pblock->nkslist, - 1, - tgt_keysalt_iterate, - (krb5_pointer) &iargs))) - return retval; - break; + iargs.ctx = context; + iargs.rblock = pblock; + iargs.dbentp = &entry; + /* + * Iterate through the key/salt list, ignoring salt types. + */ + if ((retval = krb5_keysalt_iterate(pblock->kslist, + pblock->nkslist, + 1, + tgt_keysalt_iterate, + (krb5_pointer) &iargs))) + return retval; + break; case NULL_KEY: - return EOPNOTSUPP; + return EOPNOTSUPP; default: - break; + break; } entry.mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | - KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA | - KADM5_PRINC_EXPIRE_TIME); + KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA | + KADM5_PRINC_EXPIRE_TIME); retval = krb5_db_put_principal(context, &entry, &nentries); diff --git a/src/kadmin/dbutil/kdb5_destroy.c b/src/kadmin/dbutil/kdb5_destroy.c index 9640286ae..d5e8e9e43 100644 --- a/src/kadmin/dbutil/kdb5_destroy.c +++ b/src/kadmin/dbutil/kdb5_destroy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * admin/destroy/kdb5_destroy.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * kdb_dest(roy): destroy the named database. * @@ -40,8 +41,8 @@ extern int exit_status; extern krb5_boolean dbactive; extern kadm5_config_params global_params; -char *yes = "yes\n"; /* \n to compare against result of - fgets */ +char *yes = "yes\n"; /* \n to compare against result of + fgets */ void kdb5_destroy(argc, argv) @@ -60,51 +61,51 @@ kdb5_destroy(argc, argv) retval1 = kadm5_init_krb5_context(&context); if( retval1 ) { - com_err(progname, retval1, "while initializing krb5_context"); - exit(1); + com_err(progname, retval1, "while initializing krb5_context"); + exit(1); } if ((retval1 = krb5_set_default_realm(context, - util_context->default_realm))) { - com_err(progname, retval1, "while setting default realm name"); - exit(1); + util_context->default_realm))) { + com_err(progname, retval1, "while setting default realm name"); + exit(1); } - + dbname = global_params.dbname; optind = 1; while ((optchar = getopt(argc, argv, "f")) != -1) { - switch(optchar) { - case 'f': - force++; - break; - case '?': - default: - usage(); - return; - /*NOTREACHED*/ - } + switch(optchar) { + case 'f': + force++; + break; + case '?': + default: + usage(); + return; + /*NOTREACHED*/ + } } if (!force) { - printf("Deleting KDC database stored in '%s', are you sure?\n", dbname); - printf("(type 'yes' to confirm)? "); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - exit_status++; return; + printf("Deleting KDC database stored in '%s', are you sure?\n", dbname); + printf("(type 'yes' to confirm)? "); + if (fgets(buf, sizeof(buf), stdin) == NULL) { + exit_status++; return; } - if (strcmp(buf, yes)) { - exit_status++; return; + if (strcmp(buf, yes)) { + exit_status++; return; } - printf("OK, deleting database '%s'...\n", dbname); + printf("OK, deleting database '%s'...\n", dbname); } retval1 = krb5_db_destroy(context, db5util_db_args); if (retval1) { - com_err(progname, retval1, "deleting database '%s'",dbname); - exit_status++; return; + com_err(progname, retval1, "deleting database '%s'",dbname); + exit_status++; return; } if (global_params.iprop_enabled) { - (void) unlink(global_params.iprop_logfile); + (void) unlink(global_params.iprop_logfile); } dbactive = FALSE; diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index 7827b2959..a5be00199 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. @@ -23,10 +23,10 @@ #error I cannot find any regexp functions #endif #ifdef SOLARIS_REGEXPS -#include +#include #endif #ifdef POSIX_REGEXPS -#include +#include #endif extern krb5_keyblock master_keyblock; /* current mkey */ @@ -106,7 +106,7 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, /* Note, mkey does not have salt */ /* add new mkey encrypted with itself to mkey princ entry */ if ((retval = krb5_dbekd_encrypt_key_data(context, new_mkey, - new_mkey, NULL, + new_mkey, NULL, (int) new_mkey_kvno, &master_entry->key_data[0]))) { return (retval); @@ -234,7 +234,7 @@ kdb5_add_mkey(int argc, char *argv[]) case '?': default: usage(); - return; + return; } } @@ -244,7 +244,7 @@ kdb5_add_mkey(int argc, char *argv[]) /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, global_params.mkey_name, - global_params.realm, + global_params.realm, &mkey_fullname, &master_princ))) { com_err(progname, retval, "while setting up master key name"); exit_status++; @@ -274,7 +274,7 @@ kdb5_add_mkey(int argc, char *argv[]) } printf("Creating new master key for master key principal '%s'\n", - mkey_fullname); + mkey_fullname); printf("You will be prompted for a new database Master Password.\n"); printf("It is important that you NOT FORGET this password.\n"); @@ -306,7 +306,7 @@ kdb5_add_mkey(int argc, char *argv[]) goto cleanup_return; } - retval = krb5_c_string_to_key(util_context, new_master_enctype, + retval = krb5_c_string_to_key(util_context, new_master_enctype, &pwd, &master_salt, &new_mkeyblock); if (retval) { com_err(progname, retval, "while transforming master key from password"); @@ -378,7 +378,7 @@ kdb5_use_mkey(int argc, char *argv[]) krb5_kvno use_kvno; krb5_timestamp now, start_time; krb5_actkvno_node *actkvno_list = NULL, *new_actkvno = NULL, - *prev_actkvno, *cur_actkvno; + *prev_actkvno, *cur_actkvno; krb5_db_entry master_entry; int nentries = 0; krb5_boolean more = FALSE; @@ -443,7 +443,7 @@ kdb5_use_mkey(int argc, char *argv[]) /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, global_params.mkey_name, - global_params.realm, + global_params.realm, &mkey_fullname, &master_princ))) { com_err(progname, retval, "while setting up master key name"); exit_status++; @@ -609,7 +609,7 @@ kdb5_list_mkeys(int argc, char *argv[]) /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, global_params.mkey_name, - global_params.realm, + global_params.realm, &mkey_fullname, &master_princ))) { com_err(progname, retval, "while setting up master key name"); exit_status++; @@ -752,9 +752,9 @@ struct update_enc_mkvno { * * Arguments: * - * glob (r) the shell-style glob (?*[]) to convert - * realm (r) the default realm to append, or NULL - * regexp (w) the ed-style regexp created from glob + * glob (r) the shell-style glob (?*[]) to convert + * realm (r) the default realm to append, or NULL + * regexp (w) the ed-style regexp created from glob * * Effects: * @@ -765,69 +765,69 @@ struct update_enc_mkvno { * * Conversion algorithm: * - * quoted characters are copied quoted - * ? is converted to . - * * is converted to .* - * active characters are quoted: ^, $, . - * [ and ] are active but supported and have the same meaning, so - * they are copied - * other characters are copied - * regexp is anchored with ^ and $ + * quoted characters are copied quoted + * ? is converted to . + * * is converted to .* + * active characters are quoted: ^, $, . + * [ and ] are active but supported and have the same meaning, so + * they are copied + * other characters are copied + * regexp is anchored with ^ and $ */ static int glob_to_regexp(char *glob, char *realm, char **regexp) { - int append_realm; - char *p; - - /* validate the glob */ - if (glob[strlen(glob)-1] == '\\') - return EINVAL; - - /* A character of glob can turn into two in regexp, plus ^ and $ */ - /* and trailing null. If glob has no @, also allocate space for */ - /* the realm. */ - append_realm = (realm != NULL) && (strchr(glob, '@') == NULL); - p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 3 : 0)); - if (p == NULL) - return ENOMEM; - *regexp = p; - - *p++ = '^'; - while (*glob) { - switch (*glob) { - case '?': - *p++ = '.'; - break; - case '*': - *p++ = '.'; - *p++ = '*'; - break; - case '.': - case '^': - case '$': - *p++ = '\\'; - *p++ = *glob; - break; - case '\\': - *p++ = '\\'; - *p++ = *++glob; - break; - default: - *p++ = *glob; - break; - } - glob++; - } - - if (append_realm) { - *p++ = '@'; - *p++ = '.'; - *p++ = '*'; - } - - *p++ = '$'; - *p++ = '\0'; - return 0; + int append_realm; + char *p; + + /* validate the glob */ + if (glob[strlen(glob)-1] == '\\') + return EINVAL; + + /* A character of glob can turn into two in regexp, plus ^ and $ */ + /* and trailing null. If glob has no @, also allocate space for */ + /* the realm. */ + append_realm = (realm != NULL) && (strchr(glob, '@') == NULL); + p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 3 : 0)); + if (p == NULL) + return ENOMEM; + *regexp = p; + + *p++ = '^'; + while (*glob) { + switch (*glob) { + case '?': + *p++ = '.'; + break; + case '*': + *p++ = '.'; + *p++ = '*'; + break; + case '.': + case '^': + case '$': + *p++ = '\\'; + *p++ = *glob; + break; + case '\\': + *p++ = '\\'; + *p++ = *++glob; + break; + default: + *p++ = *glob; + break; + } + glob++; + } + + if (append_realm) { + *p++ = '@'; + *p++ = '.'; + *p++ = '*'; + } + + *p++ = '$'; + *p++ = '\0'; + return 0; } static int @@ -1029,7 +1029,7 @@ kdb5_update_princ_encryption(int argc, char *argv[]) #ifdef BSD_REGEXPS ((msg = (char *) re_comp(regexp)) != NULL) #endif - ) { + ) { /* XXX syslog msg or regerr(regerrno) */ com_err(progname, 0, "error compiling converted regexp '%s'", regexp); exit_status++; @@ -1189,14 +1189,14 @@ kdb5_purge_mkeys(int argc, char *argv[]) case '?': default: usage(); - return; + return; } } /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, global_params.mkey_name, - global_params.realm, + global_params.realm, &mkey_fullname, &master_princ))) { com_err(progname, retval, "while setting up master key name"); exit_status++; diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c index cdd947ac4..3f42134ae 100644 --- a/src/kadmin/dbutil/kdb5_stash.c +++ b/src/kadmin/dbutil/kdb5_stash.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * admin/stash/kdb5_stash.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +23,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Store the master database key in a file. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +48,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -87,14 +88,14 @@ kdb5_stash(argc, argv) retval = kadm5_init_krb5_context(&context); if( retval ) { - com_err(progname, retval, "while initializing krb5_context"); - exit(1); + com_err(progname, retval, "while initializing krb5_context"); + exit(1); } if ((retval = krb5_set_default_realm(context, - util_context->default_realm))) { - com_err(progname, retval, "while setting default realm name"); - exit(1); + util_context->default_realm))) { + com_err(progname, retval, "while setting default realm name"); + exit(1); } dbname = global_params.dbname; @@ -104,41 +105,41 @@ kdb5_stash(argc, argv) optind = 1; while ((optchar = getopt(argc, argv, "f:")) != -1) { - switch(optchar) { - case 'f': - keyfile = optarg; - break; - case '?': - default: - usage(); - return; - } + switch(optchar) { + case 'f': + keyfile = optarg; + break; + case '?': + default: + usage(); + return; + } } if (!krb5_c_valid_enctype(master_keyblock.enctype)) { - char tmp[32]; - if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp))) - com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, - "while setting up enctype %d", master_keyblock.enctype); - else - com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, tmp); - exit_status++; return; + char tmp[32]; + if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp))) + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, + "while setting up enctype %d", master_keyblock.enctype); + else + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, tmp); + exit_status++; return; } /* assemble & parse the master key name */ - retval = krb5_db_setup_mkey_name(context, mkey_name, realm, - &mkey_fullname, &master_princ); + retval = krb5_db_setup_mkey_name(context, mkey_name, realm, + &mkey_fullname, &master_princ); if (retval) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; return; + com_err(progname, retval, "while setting up master key name"); + exit_status++; return; } - retval = krb5_db_open(context, db5util_db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_OTHER); + retval = krb5_db_open(context, db5util_db_args, + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_OTHER); if (retval) { - com_err(progname, retval, "while initializing the database '%s'", - dbname); - exit_status++; return; + com_err(progname, retval, "while initializing the database '%s'", + dbname); + exit_status++; return; } if (global_params.mask & KADM5_CONFIG_KVNO) @@ -147,45 +148,45 @@ kdb5_stash(argc, argv) mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_fetch_mkey finds */ if (!valid_master_key) { - /* TRUE here means read the keyboard, but only once */ - retval = krb5_db_fetch_mkey(context, master_princ, - master_keyblock.enctype, - TRUE, FALSE, (char *) NULL, - &mkey_kvno, - NULL, &master_keyblock); - if (retval) { - com_err(progname, retval, "while reading master key"); - (void) krb5_db_fini(context); - exit_status++; return; - } - - retval = krb5_db_fetch_mkey_list(context, master_princ, - &master_keyblock, mkey_kvno, - &master_keylist); - if (retval) { - com_err(progname, retval, "while getting master key list"); - (void) krb5_db_fini(context); - exit_status++; return; - } + /* TRUE here means read the keyboard, but only once */ + retval = krb5_db_fetch_mkey(context, master_princ, + master_keyblock.enctype, + TRUE, FALSE, (char *) NULL, + &mkey_kvno, + NULL, &master_keyblock); + if (retval) { + com_err(progname, retval, "while reading master key"); + (void) krb5_db_fini(context); + exit_status++; return; + } + + retval = krb5_db_fetch_mkey_list(context, master_princ, + &master_keyblock, mkey_kvno, + &master_keylist); + if (retval) { + com_err(progname, retval, "while getting master key list"); + (void) krb5_db_fini(context); + exit_status++; return; + } } else { - printf("Using existing stashed keys to update stash file.\n"); + printf("Using existing stashed keys to update stash file.\n"); } - retval = krb5_db_store_master_key_list(context, keyfile, master_princ, - master_keylist, NULL); + retval = krb5_db_store_master_key_list(context, keyfile, master_princ, + master_keylist, NULL); if (retval) { - com_err(progname, errno, "while storing key"); - (void) krb5_db_fini(context); - exit_status++; return; + com_err(progname, errno, "while storing key"); + (void) krb5_db_fini(context); + exit_status++; return; } retval = krb5_db_fini(context); if (retval) { - com_err(progname, retval, "closing database '%s'", dbname); - exit_status++; return; + com_err(progname, retval, "closing database '%s'", dbname); + exit_status++; return; } krb5_free_context(context); exit_status = 0; - return; + return; } diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index a4b2e686d..ed6ce65c2 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * admin/edit/kdb5_edit.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +23,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Edit a KDC database. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +48,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -65,8 +66,8 @@ #include #include "kdb5_util.h" -char *Err_no_master_msg = "Master key not entered!\n"; -char *Err_no_database = "Database not currently opened!\n"; +char *Err_no_master_msg = "Master key not entered!\n"; +char *Err_no_database = "Database not currently opened!\n"; /* * XXX Ick, ick, ick. These global variables shouldn't be global.... @@ -84,28 +85,28 @@ kadm5_config_params global_params; void usage() { - fprintf(stderr, "Usage: " - "kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n" - "\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n" - "\tcreate [-s]\n" - "\tdestroy [-f]\n" - "\tstash [-f keyfile]\n" - "\tdump [-old|-ov|-b6|-b7|-r13] [-verbose]\n" - "\t [-mkey_convert] [-new_mkey_file mkey_file]\n" - "\t [-rev] [-recurse] [filename [princs...]]\n" - "\tload [-old|-ov|-b6|-b7|-r13] [-verbose] [-update] filename\n" - "\tark [-e etype_list] principal\n" - "\tadd_mkey [-e etype] [-s]\n" - "\tuse_mkey kvno [time]\n" - "\tlist_mkeys\n" - ); - /* avoid a string length compiler warning */ - fprintf(stderr, - "\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n" - "\tpurge_mkeys [-f] [-n] [-v]\n" - "\nwhere,\n\t[-x db_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n"); - exit(1); + fprintf(stderr, "Usage: " + "kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n" + "\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n" + "\tcreate [-s]\n" + "\tdestroy [-f]\n" + "\tstash [-f keyfile]\n" + "\tdump [-old|-ov|-b6|-b7|-r13] [-verbose]\n" + "\t [-mkey_convert] [-new_mkey_file mkey_file]\n" + "\t [-rev] [-recurse] [filename [princs...]]\n" + "\tload [-old|-ov|-b6|-b7|-r13] [-verbose] [-update] filename\n" + "\tark [-e etype_list] principal\n" + "\tadd_mkey [-e etype] [-s]\n" + "\tuse_mkey kvno [time]\n" + "\tlist_mkeys\n" + ); + /* avoid a string length compiler warning */ + fprintf(stderr, + "\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n" + "\tpurge_mkeys [-f] [-n] [-v]\n" + "\nwhere,\n\t[-x db_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n"); + exit(1); } extern krb5_keyblock master_keyblock; @@ -113,7 +114,7 @@ krb5_kvno master_kvno; /* fetched */ extern krb5_keylist_node *master_keylist; extern krb5_principal master_princ; krb5_db_entry master_entry; -int valid_master_key = 0; +int valid_master_key = 0; char *progname; krb5_boolean manual_mkey = FALSE; @@ -122,57 +123,57 @@ krb5_boolean dbactive = FALSE; static int open_db_and_mkey(void); static void add_random_key(int, char **); - + typedef void (*cmd_func)(int, char **); struct _cmd_table { - char *name; - cmd_func func; - int opendb; + char *name; + cmd_func func; + int opendb; } cmd_table[] = { - {"create", kdb5_create, 0}, - {"destroy", kdb5_destroy, 1}, /* 1 opens the kdb */ - {"stash", kdb5_stash, 1}, - {"dump", dump_db, 1}, - {"load", load_db, 0}, - {"ark", add_random_key, 1}, - {"add_mkey", kdb5_add_mkey, 1}, - {"use_mkey", kdb5_use_mkey, 1}, - {"list_mkeys", kdb5_list_mkeys, 1}, - {"update_princ_encryption", kdb5_update_princ_encryption, 1}, - {"purge_mkeys", kdb5_purge_mkeys, 1}, - {NULL, NULL, 0}, + {"create", kdb5_create, 0}, + {"destroy", kdb5_destroy, 1}, /* 1 opens the kdb */ + {"stash", kdb5_stash, 1}, + {"dump", dump_db, 1}, + {"load", load_db, 0}, + {"ark", add_random_key, 1}, + {"add_mkey", kdb5_add_mkey, 1}, + {"use_mkey", kdb5_use_mkey, 1}, + {"list_mkeys", kdb5_list_mkeys, 1}, + {"update_princ_encryption", kdb5_update_princ_encryption, 1}, + {"purge_mkeys", kdb5_purge_mkeys, 1}, + {NULL, NULL, 0}, }; static struct _cmd_table *cmd_lookup(name) - char *name; + char *name; { - struct _cmd_table *cmd = cmd_table; - while (cmd->name) { - if (strcmp(cmd->name, name) == 0) - return cmd; - else - cmd++; - } - - return NULL; + struct _cmd_table *cmd = cmd_table; + while (cmd->name) { + if (strcmp(cmd->name, name) == 0) + return cmd; + else + cmd++; + } + + return NULL; } #define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(usage(), NULL)) char **db5util_db_args = NULL; int db5util_db_args_size = 0; - + static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) + const char *fmt, va_list args) { const char *emsg; if (code) { - emsg = krb5_get_error_message (util_context, code); - fprintf (stderr, "%s: %s ", myprog, emsg); - krb5_free_error_message (util_context, emsg); + emsg = krb5_get_error_message (util_context, code); + fprintf (stderr, "%s: %s ", myprog, emsg); + krb5_free_error_message (util_context, emsg); } else { - fprintf (stderr, "%s: ", myprog); + fprintf (stderr, "%s: ", myprog); } vfprintf (stderr, fmt, args); fprintf (stderr, "\n"); @@ -183,9 +184,9 @@ int add_db_arg(char *arg) char **temp; db5util_db_args_size++; temp = realloc(db5util_db_args, - sizeof(char *) * (db5util_db_args_size + 1)); + sizeof(char *) * (db5util_db_args_size + 1)); if (temp == NULL) - return 0; + return 0; db5util_db_args = temp; db5util_db_args[db5util_db_args_size-1] = arg; db5util_db_args[db5util_db_args_size] = NULL; @@ -197,7 +198,7 @@ int main(argc, argv) char *argv[]; { struct _cmd_table *cmd = NULL; - char *koptarg, **cmd_argv; + char *koptarg, **cmd_argv; char *db_name_tmp = NULL; int cmd_argc; krb5_error_code retval; @@ -208,111 +209,111 @@ int main(argc, argv) * Ensure that "progname" is set before calling com_err. */ progname = (strrchr(argv[0], '/') ? - strrchr(argv[0], '/') + 1 : argv[0]); + strrchr(argv[0], '/') + 1 : argv[0]); retval = kadm5_init_krb5_context(&util_context); if (retval) { - com_err (progname, retval, "while initializing Kerberos code"); - exit(1); + com_err (progname, retval, "while initializing Kerberos code"); + exit(1); } cmd_argv = (char **) malloc(sizeof(char *)*argc); if (cmd_argv == NULL) { - com_err(progname, ENOMEM, "while creating sub-command arguments"); - exit(1); + com_err(progname, ENOMEM, "while creating sub-command arguments"); + exit(1); } memset(cmd_argv, 0, sizeof(char *)*argc); cmd_argc = 1; argv++; argc--; while (*argv) { - if (strcmp(*argv, "-P") == 0 && ARG_VAL) { - mkey_password = koptarg; - manual_mkey = TRUE; - } else if (strcmp(*argv, "-d") == 0 && ARG_VAL) { - global_params.dbname = koptarg; - global_params.mask |= KADM5_CONFIG_DBNAME; - - if (asprintf(&db_name_tmp, "dbname=%s", global_params.dbname) < 0) - { - com_err(progname, ENOMEM, "while parsing command arguments"); - exit(1); - } - - if (!add_db_arg(db_name_tmp)) { - com_err(progname, ENOMEM, "while parsing command arguments\n"); - exit(1); - } - - } else if (strcmp(*argv, "-x") == 0 && ARG_VAL) { - if (!add_db_arg(koptarg)) { - com_err(progname, ENOMEM, "while parsing command arguments\n"); - exit(1); - } - - } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) { - global_params.realm = koptarg; - global_params.mask |= KADM5_CONFIG_REALM; - /* not sure this is really necessary */ - if ((retval = krb5_set_default_realm(util_context, - global_params.realm))) { - com_err(progname, retval, "while setting default realm name"); - exit(1); - } - } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { - if (krb5_string_to_enctype(koptarg, &global_params.enctype)) { - com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg); + if (strcmp(*argv, "-P") == 0 && ARG_VAL) { + mkey_password = koptarg; + manual_mkey = TRUE; + } else if (strcmp(*argv, "-d") == 0 && ARG_VAL) { + global_params.dbname = koptarg; + global_params.mask |= KADM5_CONFIG_DBNAME; + + if (asprintf(&db_name_tmp, "dbname=%s", global_params.dbname) < 0) + { + com_err(progname, ENOMEM, "while parsing command arguments"); + exit(1); + } + + if (!add_db_arg(db_name_tmp)) { + com_err(progname, ENOMEM, "while parsing command arguments\n"); + exit(1); + } + + } else if (strcmp(*argv, "-x") == 0 && ARG_VAL) { + if (!add_db_arg(koptarg)) { + com_err(progname, ENOMEM, "while parsing command arguments\n"); + exit(1); + } + + } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) { + global_params.realm = koptarg; + global_params.mask |= KADM5_CONFIG_REALM; + /* not sure this is really necessary */ + if ((retval = krb5_set_default_realm(util_context, + global_params.realm))) { + com_err(progname, retval, "while setting default realm name"); + exit(1); + } + } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { + if (krb5_string_to_enctype(koptarg, &global_params.enctype)) { + com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg); exit(1); } else - global_params.mask |= KADM5_CONFIG_ENCTYPE; - } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) { - global_params.kvno = (krb5_kvno) atoi(koptarg); + global_params.mask |= KADM5_CONFIG_ENCTYPE; + } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) { + global_params.kvno = (krb5_kvno) atoi(koptarg); if (global_params.kvno == IGNORE_VNO) { com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg); exit(1); } else global_params.mask |= KADM5_CONFIG_KVNO; - } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { - global_params.mkey_name = koptarg; - global_params.mask |= KADM5_CONFIG_MKEY_NAME; - } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) { - global_params.stash_file = koptarg; - global_params.mask |= KADM5_CONFIG_STASH_FILE; - } else if (strcmp(*argv, "-m") == 0) { - manual_mkey = TRUE; - global_params.mkey_from_kbd = 1; - global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - } else if (cmd_lookup(*argv) != NULL) { - if (cmd_argv[0] == NULL) - cmd_argv[0] = *argv; - else - usage(); - } else { - cmd_argv[cmd_argc++] = *argv; - } - argv++; argc--; + } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { + global_params.mkey_name = koptarg; + global_params.mask |= KADM5_CONFIG_MKEY_NAME; + } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) { + global_params.stash_file = koptarg; + global_params.mask |= KADM5_CONFIG_STASH_FILE; + } else if (strcmp(*argv, "-m") == 0) { + manual_mkey = TRUE; + global_params.mkey_from_kbd = 1; + global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + } else if (cmd_lookup(*argv) != NULL) { + if (cmd_argv[0] == NULL) + cmd_argv[0] = *argv; + else + usage(); + } else { + cmd_argv[cmd_argc++] = *argv; + } + argv++; argc--; } if (cmd_argv[0] == NULL) - usage(); - + usage(); + if( !util_context->default_realm ) { - char *temp = NULL; - retval = krb5_get_default_realm(util_context, &temp); - if( retval ) - { - com_err (progname, retval, "while getting default realm"); - exit(1); - } - util_context->default_realm = temp; + char *temp = NULL; + retval = krb5_get_default_realm(util_context, &temp); + if( retval ) + { + com_err (progname, retval, "while getting default realm"); + exit(1); + } + util_context->default_realm = temp; } retval = kadm5_get_config_params(util_context, 1, - &global_params, &global_params); + &global_params, &global_params); if (retval) { - com_err(progname, retval, "while retreiving configuration parameters"); - exit(1); + com_err(progname, retval, "while retreiving configuration parameters"); + exit(1); } /* @@ -323,27 +324,27 @@ int main(argc, argv) master_keyblock.enctype = global_params.enctype; if ((master_keyblock.enctype != ENCTYPE_UNKNOWN) && - (!krb5_c_valid_enctype(master_keyblock.enctype))) { - com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, - "while setting up enctype %d", master_keyblock.enctype); + (!krb5_c_valid_enctype(master_keyblock.enctype))) { + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, + "while setting up enctype %d", master_keyblock.enctype); } cmd = cmd_lookup(cmd_argv[0]); if (cmd->opendb && open_db_and_mkey()) - return exit_status; + return exit_status; if (global_params.iprop_enabled == TRUE) - ulog_set_role(util_context, IPROP_MASTER); + ulog_set_role(util_context, IPROP_MASTER); else - ulog_set_role(util_context, IPROP_NULL); + ulog_set_role(util_context, IPROP_NULL); (*cmd->func)(cmd_argc, cmd_argv); if( db_name_tmp ) - free( db_name_tmp ); + free( db_name_tmp ); if( db5util_db_args ) - free(db5util_db_args); + free(db5util_db_args); kadm5_free_config_params(util_context, &global_params); krb5_free_context(util_context); @@ -362,24 +363,24 @@ void set_dbname(argc, argv) krb5_error_code retval; if (argc < 3) { - com_err(argv[0], 0, "Too few arguments"); - com_err(progname, 0, "Usage: %s dbpathname realmname", argv[0]); - exit_status++; - return; + com_err(argv[0], 0, "Too few arguments"); + com_err(progname, 0, "Usage: %s dbpathname realmname", argv[0]); + exit_status++; + return; } if (dbactive) { - if ((retval = krb5_db_fini(util_context)) && retval!= KRB5_KDB_DBNOTINITED) { - com_err(progname, retval, "while closing previous database"); - exit_status++; - return; - } - if (valid_master_key) { - krb5_free_keyblock_contents(util_context, &master_keyblock); - master_keyblock.contents = NULL; - valid_master_key = 0; - } - krb5_free_principal(util_context, master_princ); - dbactive = FALSE; + if ((retval = krb5_db_fini(util_context)) && retval!= KRB5_KDB_DBNOTINITED) { + com_err(progname, retval, "while closing previous database"); + exit_status++; + return; + } + if (valid_master_key) { + krb5_free_keyblock_contents(util_context, &master_keyblock); + master_keyblock.contents = NULL; + valid_master_key = 0; + } + krb5_free_principal(util_context, master_princ); + dbactive = FALSE; } (void) set_dbname_help(progname, argv[1]); @@ -406,41 +407,41 @@ static int open_db_and_mkey() dbactive = FALSE; valid_master_key = 0; - if ((retval = krb5_db_open(util_context, db5util_db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN))) { - com_err(progname, retval, "while initializing database"); - exit_status++; - return(1); + if ((retval = krb5_db_open(util_context, db5util_db_args, + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN))) { + com_err(progname, retval, "while initializing database"); + exit_status++; + return(1); } - /* assemble & parse the master key name */ + /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, - global_params.mkey_name, - global_params.realm, - 0, &master_princ))) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; - return(1); + global_params.mkey_name, + global_params.realm, + 0, &master_princ))) { + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return(1); } nentries = 1; - if ((retval = krb5_db_get_principal(util_context, master_princ, - &master_entry, &nentries, &more))) { - com_err(progname, retval, "while retrieving master entry"); - exit_status++; - (void) krb5_db_fini(util_context); - return(1); + if ((retval = krb5_db_get_principal(util_context, master_princ, + &master_entry, &nentries, &more))) { + com_err(progname, retval, "while retrieving master entry"); + exit_status++; + (void) krb5_db_fini(util_context); + return(1); } else if (more) { - com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "while retrieving master entry"); - exit_status++; - (void) krb5_db_fini(util_context); - return(1); + com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, + "while retrieving master entry"); + exit_status++; + (void) krb5_db_fini(util_context); + return(1); } else if (!nentries) { - com_err(progname, KRB5_KDB_NOENTRY, "while retrieving master entry"); - exit_status++; - (void) krb5_db_fini(util_context); - return(1); + com_err(progname, KRB5_KDB_NOENTRY, "while retrieving master entry"); + exit_status++; + (void) krb5_db_fini(util_context); + return(1); } if (global_params.mask & KADM5_CONFIG_KVNO) @@ -450,43 +451,43 @@ static int open_db_and_mkey() /* the databases are now open, and the master principal exists */ dbactive = TRUE; - + if (mkey_password) { - pwd.data = mkey_password; - pwd.length = strlen(mkey_password); - retval = krb5_principal2salt(util_context, master_princ, &scratch); - if (retval) { - com_err(progname, retval, "while calculated master key salt"); - exit_status++; - return(1); - } - - /* If no encryption type is set, use the default */ - if (master_keyblock.enctype == ENCTYPE_UNKNOWN) - master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; + pwd.data = mkey_password; + pwd.length = strlen(mkey_password); + retval = krb5_principal2salt(util_context, master_princ, &scratch); + if (retval) { + com_err(progname, retval, "while calculated master key salt"); + exit_status++; + return(1); + } + + /* If no encryption type is set, use the default */ + if (master_keyblock.enctype == ENCTYPE_UNKNOWN) + master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; if (!krb5_c_valid_enctype(master_keyblock.enctype)) com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, "while setting up enctype %d", master_keyblock.enctype); - retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, - &pwd, &scratch, &master_keyblock); - if (retval) { - com_err(progname, retval, - "while transforming master key from password"); - exit_status++; - return(1); - } - free(scratch.data); - mkey_password = 0; + retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, + &pwd, &scratch, &master_keyblock); + if (retval) { + com_err(progname, retval, + "while transforming master key from password"); + exit_status++; + return(1); + } + free(scratch.data); + mkey_password = 0; } else { - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, - master_keyblock.enctype, - manual_mkey, FALSE, - global_params.stash_file, - &master_kvno, - 0, &master_keyblock))) { + if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + master_keyblock.enctype, + manual_mkey, FALSE, + global_params.stash_file, + &master_kvno, + 0, &master_keyblock))) { com_err(progname, retval, "while reading master key"); com_err(progname, 0, "Warning: proceeding without master key"); exit_status++; @@ -495,34 +496,34 @@ static int open_db_and_mkey() } #if 0 /************** Begin IFDEF'ed OUT *******************************/ /* krb5_db_fetch_mkey_list will verify the mkey */ - if ((retval = krb5_db_verify_master_key(util_context, master_princ, - master_kvno, &master_keyblock))) { - com_err(progname, retval, "while verifying master key"); - exit_status++; - krb5_free_keyblock_contents(util_context, &master_keyblock); - return(1); + if ((retval = krb5_db_verify_master_key(util_context, master_princ, + master_kvno, &master_keyblock))) { + com_err(progname, retval, "while verifying master key"); + exit_status++; + krb5_free_keyblock_contents(util_context, &master_keyblock); + return(1); } #endif /**************** END IFDEF'ed OUT *******************************/ if ((retval = krb5_db_fetch_mkey_list(util_context, master_princ, - &master_keyblock, master_kvno, + &master_keyblock, master_kvno, &master_keylist))) { - com_err(progname, retval, "while getting master key list"); - com_err(progname, 0, "Warning: proceeding without master key list"); - exit_status++; - return(0); + com_err(progname, retval, "while getting master key list"); + com_err(progname, 0, "Warning: proceeding without master key list"); + exit_status++; + return(0); } seed.length = master_keyblock.length; seed.data = (char *) master_keyblock.contents; if ((retval = krb5_c_random_seed(util_context, &seed))) { - com_err(progname, retval, "while seeding random number generator"); - exit_status++; - memset(master_keyblock.contents, 0, master_keyblock.length); - krb5_free_keyblock_contents(util_context, &master_keyblock); + com_err(progname, retval, "while seeding random number generator"); + exit_status++; + memset(master_keyblock.contents, 0, master_keyblock.length); + krb5_free_keyblock_contents(util_context, &master_keyblock); krb5_db_free_mkey_list(util_context, master_keylist); - return(1); + return(1); } valid_master_key = 1; @@ -534,22 +535,22 @@ static int open_db_and_mkey() #undef getwd #endif -int +int quit() { krb5_error_code retval; static krb5_boolean finished = 0; if (finished) - return 0; + return 0; krb5_db_free_mkey_list(util_context, master_keylist); retval = krb5_db_fini(util_context); memset(master_keyblock.contents, 0, master_keyblock.length); finished = TRUE; if (retval && retval != KRB5_KDB_DBNOTINITED) { - com_err(progname, retval, "while closing database"); - exit_status++; - return 1; + com_err(progname, retval, "while closing database"); + exit_status++; + return 1; } return 0; } @@ -576,99 +577,99 @@ add_random_key(argc, argv) krb5_keyblock *tmp_mkey; if (argc < 2) - usage(); + usage(); for (argv++, argc--; *argv; argv++, argc--) { - if (!strcmp(*argv, "-e")) { - argv++; argc--; - ks_str = *argv; - continue; - } else - break; + if (!strcmp(*argv, "-e")) { + argv++; argc--; + ks_str = *argv; + continue; + } else + break; } if (argc < 1) - usage(); + usage(); pr_str = *argv; ret = krb5_parse_name(util_context, pr_str, &princ); if (ret) { - com_err(me, ret, "while parsing principal name %s", pr_str); - exit_status++; - return; + com_err(me, ret, "while parsing principal name %s", pr_str); + exit_status++; + return; } n = 1; ret = krb5_db_get_principal(util_context, princ, &dbent, - &n, &more); + &n, &more); if (ret) { - com_err(me, ret, "while fetching principal %s", pr_str); - exit_status++; - return; + com_err(me, ret, "while fetching principal %s", pr_str); + exit_status++; + return; } if (n != 1) { - fprintf(stderr, "principal %s not found\n", pr_str); - exit_status++; - return; + fprintf(stderr, "principal %s not found\n", pr_str); + exit_status++; + return; } if (more) { - fprintf(stderr, "principal %s not unique\n", pr_str); - krb5_db_free_principal(util_context, &dbent, 1); - exit_status++; - return; + fprintf(stderr, "principal %s not unique\n", pr_str); + krb5_db_free_principal(util_context, &dbent, 1); + exit_status++; + return; } ret = krb5_string_to_keysalts(ks_str, - ", \t", ":.-", 0, - &keysalts, - &num_keysalts); + ", \t", ":.-", 0, + &keysalts, + &num_keysalts); if (ret) { - com_err(me, ret, "while parsing keysalts %s", ks_str); - exit_status++; - return; + com_err(me, ret, "while parsing keysalts %s", ks_str); + exit_status++; + return; } if (!num_keysalts || keysalts == NULL) { - num_keysalts = global_params.num_keysalts; - keysalts = global_params.keysalts; - free_keysalts = 0; + num_keysalts = global_params.num_keysalts; + keysalts = global_params.keysalts; + free_keysalts = 0; } else - free_keysalts = 1; + free_keysalts = 1; /* Find the mkey used to protect the existing keys */ ret = krb5_dbe_find_mkey(util_context, master_keylist, &dbent, &tmp_mkey); if (ret) { - com_err(me, ret, "while finding mkey"); - exit_status++; - return; + com_err(me, ret, "while finding mkey"); + exit_status++; + return; } ret = krb5_dbe_ark(util_context, tmp_mkey, - keysalts, num_keysalts, - &dbent); + keysalts, num_keysalts, + &dbent); if (free_keysalts) - free(keysalts); + free(keysalts); if (ret) { - com_err(me, ret, "while randomizing principal %s", pr_str); - krb5_db_free_principal(util_context, &dbent, 1); - exit_status++; - return; + com_err(me, ret, "while randomizing principal %s", pr_str); + krb5_db_free_principal(util_context, &dbent, 1); + exit_status++; + return; } dbent.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; ret = krb5_timeofday(util_context, &now); if (ret) { - com_err(me, ret, "while getting time"); - krb5_db_free_principal(util_context, &dbent, 1); - exit_status++; - return; + com_err(me, ret, "while getting time"); + krb5_db_free_principal(util_context, &dbent, 1); + exit_status++; + return; } ret = krb5_dbe_update_last_pwd_change(util_context, &dbent, now); if (ret) { - com_err(me, ret, "while setting changetime"); - krb5_db_free_principal(util_context, &dbent, 1); - exit_status++; - return; + com_err(me, ret, "while setting changetime"); + krb5_db_free_principal(util_context, &dbent, 1); + exit_status++; + return; } ret = krb5_db_put_principal(util_context, &dbent, &n); krb5_db_free_principal(util_context, &dbent, 1); if (ret) { - com_err(me, ret, "while saving principal %s", pr_str); - exit_status++; - return; + com_err(me, ret, "while saving principal %s", pr_str); + exit_status++; + return; } printf("%s changed\n", pr_str); } diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h index 6e99ac378..26a6a4168 100644 --- a/src/kadmin/dbutil/kdb5_util.h +++ b/src/kadmin/dbutil/kdb5_util.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * admin/edit/kdb5_edit.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,14 +23,14 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ #include -#define MAX_HEADER 1024 -#define REALM_SEP '@' -#define REALM_SEP_STR "@" +#define MAX_HEADER 1024 +#define REALM_SEP '@' +#define REALM_SEP_STR "@" extern char *progname; extern char *Err_no_database; @@ -52,31 +53,31 @@ extern int add_db_arg(char *arg); extern void usage(void); -extern void add_key - (char const *, char const *, - krb5_const_principal, const krb5_keyblock *, - krb5_kvno, krb5_keysalt *); +extern void add_key +(char const *, char const *, + krb5_const_principal, const krb5_keyblock *, + krb5_kvno, krb5_keysalt *); extern int set_dbname_help - (char *, char *); +(char *, char *); extern char *kdb5_util_Init (int, char **); extern int quit (void); extern int check_for_match - (char *, int, krb5_db_entry *, int, int); +(char *, int, krb5_db_entry *, int, int); extern void parse_token - (char *, int *, int *, char *); +(char *, int *, int *, char *); extern int create_db_entry (krb5_principal, krb5_db_entry *); extern int kadm5_create_magic_princs (kadm5_config_params *params, - krb5_context context); + krb5_context context); -extern int process_ov_principal (char *fname, krb5_context kcontext, - FILE *filep, int verbose, - int *linenop); +extern int process_ov_principal (char *fname, krb5_context kcontext, + FILE *filep, int verbose, + int *linenop); extern void load_db (int argc, char **argv); extern void dump_db (int argc, char **argv); @@ -88,7 +89,7 @@ extern void kdb5_use_mkey (int argc, char **argv); extern void kdb5_list_mkeys (int argc, char **argv); extern void kdb5_update_princ_encryption (int argc, char **argv); extern krb5_error_code master_key_convert(krb5_context context, - krb5_db_entry *db_entry); + krb5_db_entry *db_entry); extern void kdb5_purge_mkeys (int argc, char **argv); extern void update_ok_file (char *file_name); @@ -101,4 +102,3 @@ extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *, extern krb5_kvno get_next_kvno(krb5_context, krb5_db_entry *); void usage (void); - diff --git a/src/kadmin/dbutil/nstrtok.h b/src/kadmin/dbutil/nstrtok.h index f7f0d4a69..3ee8f634c 100644 --- a/src/kadmin/dbutil/nstrtok.h +++ b/src/kadmin/dbutil/nstrtok.h @@ -1,3 +1,3 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* Prototype for nstrtok */ char *nstrtok(char *, const char *delim); - diff --git a/src/kadmin/dbutil/ovload.c b/src/kadmin/dbutil/ovload.c index 46036478f..e2afd5844 100644 --- a/src/kadmin/dbutil/ovload.c +++ b/src/kadmin/dbutil/ovload.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -14,172 +15,172 @@ #include "kdb5_util.h" #include "nstrtok.h" -#define LINESIZE 32768 /* XXX */ +#define LINESIZE 32768 /* XXX */ static int parse_pw_hist_ent(current, hist) - char *current; - osa_pw_hist_ent *hist; + char *current; + osa_pw_hist_ent *hist; { - int tmp, i, j, ret; - char *cp; - - ret = 0; - hist->n_key_data = 1; - - hist->key_data = (krb5_key_data *) malloc(hist->n_key_data * - sizeof(krb5_key_data)); - if (hist->key_data == NULL) - return ENOMEM; - memset(hist->key_data, 0, sizeof(krb5_key_data)*hist->n_key_data); - - for (i = 0; i < hist->n_key_data; i++) { - krb5_key_data *key_data = &hist->key_data[i]; - - key_data->key_data_ver = 1; - - if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; - } - key_data->key_data_type[0] = atoi(cp); - - if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; - } - key_data->key_data_length[0] = atoi(cp); - - if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; - } - if(!(key_data->key_data_contents[0] = - (krb5_octet *) malloc(key_data->key_data_length[0]+1))) { - ret = ENOMEM; - goto done; - } - for(j = 0; j < key_data->key_data_length[0]; j++) { - if(sscanf(cp, "%02x", &tmp) != 1) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; - } - key_data->key_data_contents[0][j] = tmp; - cp = strchr(cp, ' ') + 1; - } - } - + int tmp, i, j, ret; + char *cp; + + ret = 0; + hist->n_key_data = 1; + + hist->key_data = (krb5_key_data *) malloc(hist->n_key_data * + sizeof(krb5_key_data)); + if (hist->key_data == NULL) + return ENOMEM; + memset(hist->key_data, 0, sizeof(krb5_key_data)*hist->n_key_data); + + for (i = 0; i < hist->n_key_data; i++) { + krb5_key_data *key_data = &hist->key_data[i]; + + key_data->key_data_ver = 1; + + if((cp = nstrtok((char *) NULL, "\t")) == NULL) { + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; + } + key_data->key_data_type[0] = atoi(cp); + + if((cp = nstrtok((char *) NULL, "\t")) == NULL) { + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; + } + key_data->key_data_length[0] = atoi(cp); + + if((cp = nstrtok((char *) NULL, "\t")) == NULL) { + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; + } + if(!(key_data->key_data_contents[0] = + (krb5_octet *) malloc(key_data->key_data_length[0]+1))) { + ret = ENOMEM; + goto done; + } + for(j = 0; j < key_data->key_data_length[0]; j++) { + if(sscanf(cp, "%02x", &tmp) != 1) { + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; + } + key_data->key_data_contents[0][j] = tmp; + cp = strchr(cp, ' ') + 1; + } + } + done: - return ret; + return ret; } /* * Function: parse_principal - * + * * Purpose: parse principal line in db dump file * * Arguments: - * 0 on success, error code on failure + * 0 on success, error code on failure * * Requires: - * principal database to be opened. - * nstrtok(3) to have a valid buffer in memory. - * + * principal database to be opened. + * nstrtok(3) to have a valid buffer in memory. + * * Effects: - * [effects] + * [effects] * * Modifies: - * [modifies] - * + * [modifies] + * */ int process_ov_principal(fname, kcontext, filep, verbose, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int verbose; - int *linenop; + char *fname; + krb5_context kcontext; + FILE *filep; + int verbose; + int *linenop; { - XDR xdrs; - osa_princ_ent_t rec; - krb5_error_code ret; - krb5_tl_data tl_data; - krb5_principal princ; - krb5_db_entry kdb; - char *current = 0; - char *cp; - int x, one; - krb5_boolean more; - char line[LINESIZE]; + XDR xdrs; + osa_princ_ent_t rec; + krb5_error_code ret; + krb5_tl_data tl_data; + krb5_principal princ; + krb5_db_entry kdb; + char *current = 0; + char *cp; + int x, one; + krb5_boolean more; + char line[LINESIZE]; if (fgets(line, LINESIZE, filep) == (char *) NULL) { - return IMPORT_BAD_FILE; + return IMPORT_BAD_FILE; } if((cp = nstrtok(line, "\t")) == NULL) - return IMPORT_BAD_FILE; + return IMPORT_BAD_FILE; if((rec = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec))) == NULL) - return ENOMEM; + return ENOMEM; memset(rec, 0, sizeof(osa_princ_ent_rec)); - if((ret = krb5_parse_name(kcontext, cp, &princ))) - goto done; + if((ret = krb5_parse_name(kcontext, cp, &princ))) + goto done; krb5_unparse_name(kcontext, princ, ¤t); if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; } else { - if(strcmp(cp, "")) { - if((rec->policy = strdup(cp)) == NULL) { - ret = ENOMEM; - goto done; - } - } else rec->policy = NULL; + if(strcmp(cp, "")) { + if((rec->policy = strdup(cp)) == NULL) { + ret = ENOMEM; + goto done; + } + } else rec->policy = NULL; } if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; } rec->aux_attributes = strtol(cp, (char **)NULL, 16); if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; } rec->old_key_len = atoi(cp); if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; } rec->old_key_next = atoi(cp); if((cp = nstrtok((char *) NULL, "\t")) == NULL) { - com_err(NULL, IMPORT_BAD_RECORD, "%s", current); - ret = IMPORT_FAILED; - goto done; + com_err(NULL, IMPORT_BAD_RECORD, "%s", current); + ret = IMPORT_FAILED; + goto done; } rec->admin_history_kvno = atoi(cp); if (! rec->old_key_len) { - rec->old_keys = NULL; + rec->old_keys = NULL; } else { - if(!(rec->old_keys = (osa_pw_hist_ent *) - malloc(sizeof(osa_pw_hist_ent) * rec->old_key_len))) { - ret = ENOMEM; - goto done; - } - memset(rec->old_keys,0, - sizeof(osa_pw_hist_ent) * rec->old_key_len); - for(x = 0; x < rec->old_key_len; x++) - parse_pw_hist_ent(current, &rec->old_keys[x]); + if(!(rec->old_keys = (osa_pw_hist_ent *) + malloc(sizeof(osa_pw_hist_ent) * rec->old_key_len))) { + ret = ENOMEM; + goto done; + } + memset(rec->old_keys,0, + sizeof(osa_pw_hist_ent) * rec->old_key_len); + for(x = 0; x < rec->old_key_len; x++) + parse_pw_hist_ent(current, &rec->old_keys[x]); } xdralloc_create(&xdrs, XDR_ENCODE); if (! xdr_osa_princ_ent_rec(&xdrs, rec)) { - xdr_destroy(&xdrs); - ret = KADM5_XDR_FAILURE; - goto done; + xdr_destroy(&xdrs); + ret = KADM5_XDR_FAILURE; + goto done; } tl_data.tl_data_type = KRB5_TL_KADM_DATA; @@ -189,15 +190,15 @@ int process_ov_principal(fname, kcontext, filep, verbose, linenop) one = 1; ret = krb5_db_get_principal(kcontext, princ, &kdb, &one, &more); if (ret) - goto done; - + goto done; + ret = krb5_dbe_update_tl_data(kcontext, &kdb, &tl_data); if (ret) - goto done; + goto done; ret = krb5_db_put_principal(kcontext, &kdb, &one); if (ret) - goto done; + goto done; xdr_destroy(&xdrs); diff --git a/src/kadmin/dbutil/string_table.c b/src/kadmin/dbutil/string_table.c index 1caa1402e..27def9d75 100644 --- a/src/kadmin/dbutil/string_table.c +++ b/src/kadmin/dbutil/string_table.c @@ -1,6 +1,7 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. - * + * */ /* String table of messages for kadm5_create */ @@ -15,36 +16,36 @@ char *str_CHANGEPW_PRINC_EXISTS = "Warning! Changepw principal already exists."; char *str_HISTORY_PRINC_EXISTS = "Warning! Admin history principal already exists."; -char *str_ADMIN_PRINC_WRONG_ATTRS = +char *str_ADMIN_PRINC_WRONG_ATTRS = "Warning! Admin principal has incorrect attributes.\n" "\tDISALLOW_TGT should be set, and max_life should be three hours.\n" "\tThis program will leave them as-is, but beware!."; -char *str_CHANGEPW_PRINC_WRONG_ATTRS = +char *str_CHANGEPW_PRINC_WRONG_ATTRS = "Warning! Changepw principal has incorrect attributes.\n" "\tDISALLOW_TGT and PW_CHANGE_SERVICE should both be set, and " - "max_life should be five minutes.\n" + "max_life should be five minutes.\n" "\tThis program will leave them as-is, but beware!."; -char *str_HISTORY_PRINC_WRONG_ATTRS = +char *str_HISTORY_PRINC_WRONG_ATTRS = "Warning! Admin history principal has incorrect attributes.\n" - "\tDISALLOW_ALL_TIX should be set.\n" + "\tDISALLOW_ALL_TIX should be set.\n" "\tThis program will leave it as-is, but beware!."; char *str_CREATED_PRINC_DB = - "%s: Admin principal database created (or it already existed).\n"; /* whoami */ + "%s: Admin principal database created (or it already existed).\n"; /* whoami */ char *str_CREATED_POLICY_DB = - "%s: Admin policy database created (or it already existed).\n"; /* whoami */ + "%s: Admin policy database created (or it already existed).\n"; /* whoami */ char *str_RANDOM_KEY = - "while calling random key for %s."; /* principal name */ + "while calling random key for %s."; /* principal name */ char *str_ENCRYPT_KEY = - "while calling encrypt key for %s."; /* principal name */ + "while calling encrypt key for %s."; /* principal name */ char *str_PUT_PRINC = - "while storing %s in Kerberos database."; /* principal name */ + "while storing %s in Kerberos database."; /* principal name */ char *str_CREATING_POLICY_DB = "while creating/opening admin policy database."; @@ -55,7 +56,7 @@ char *str_CREATING_PRINC_DB = "while creating/opening admin principal database." char *str_CLOSING_PRINC_DB = "while closing admin principal database."; char *str_CREATING_PRINC_ENTRY = - "while creating admin principal database entry for %s."; /* princ_name */ + "while creating admin principal database entry for %s."; /* princ_name */ char *str_A_PRINC = "a principal"; @@ -65,20 +66,20 @@ char *str_CREATED_PRINC = "%s: Created %s principal.\n"; /* whoami, princ_name * char *str_INIT_KDB = "while initializing kdb."; -char *str_NO_KDB = -"while initializing kdb.\nThe Kerberos KDC database needs to exist in /krb5.\n\ +char *str_NO_KDB = + "while initializing kdb.\nThe Kerberos KDC database needs to exist in /krb5.\n\ If you haven't run kdb5_create you need to do so before running this command."; char *str_INIT_RANDOM_KEY = "while initializing random key generator."; -char *str_TOO_MANY_ADMIN_PRINC = - "while fetching admin princ. Can only have one admin principal."; +char *str_TOO_MANY_ADMIN_PRINC = + "while fetching admin princ. Can only have one admin principal."; -char *str_TOO_MANY_CHANGEPW_PRINC = - "while fetching changepw princ. Can only have one changepw principal."; +char *str_TOO_MANY_CHANGEPW_PRINC = + "while fetching changepw princ. Can only have one changepw principal."; -char *str_TOO_MANY_HIST_PRINC = - "while fetching history princ. Can only have one history principal."; +char *str_TOO_MANY_HIST_PRINC = + "while fetching history princ. Can only have one history principal."; char *str_WHILE_DESTROYING_ADMIN_SESSION = "while closing session with admin server and destroying tickets."; diff --git a/src/kadmin/dbutil/string_table.h b/src/kadmin/dbutil/string_table.h index b89b9f1fa..83acfefd2 100644 --- a/src/kadmin/dbutil/string_table.h +++ b/src/kadmin/dbutil/string_table.h @@ -1,12 +1,13 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. - * - * $Header$ - * - */ - + * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. + * + * $Header$ + * + */ + #ifndef _OVSEC_ADM_STRINGS_ - + extern char *str_PARSE_NAME; extern char *str_HISTORY_PARSE_NAME; extern char *str_ADMIN_PRINC_EXISTS; @@ -35,5 +36,5 @@ extern char *str_TOO_MANY_ADMIN_PRINC; extern char *str_TOO_MANY_CHANGEPW_PRINC; extern char *str_TOO_MANY_HIST_PRINC; extern char *str_WHILE_DESTROYING_ADMIN_SESSION; - + #endif /* _OVSEC_ADM_STRINGS_ */ diff --git a/src/kadmin/dbutil/strtok.c b/src/kadmin/dbutil/strtok.c index 80117a31b..0640c747e 100644 --- a/src/kadmin/dbutil/strtok.c +++ b/src/kadmin/dbutil/strtok.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -28,78 +29,77 @@ /* * Function: nstrtok - * + * * Purpose: the same as strtok ... just different. does not deal with - * multiple tokens in row. + * multiple tokens in row. * * Arguments: - * s (input) string to scan - * delim (input) list of delimiters - * string or null on error. + * s (input) string to scan + * delim (input) list of delimiters + * string or null on error. * * Requires: - * nuttin - * + * nuttin + * * Effects: - * sets last to string + * sets last to string * * Modifies: - * last - * + * last + * */ char * nstrtok(s, delim) - register char *s; - register const char *delim; + register char *s; + register const char *delim; { - register const char *spanp; - register int c, sc; - char *tok; - static char *last; + register const char *spanp; + register int c, sc; + char *tok; + static char *last; - if (s == NULL && (s = last) == NULL) - return (NULL); + if (s == NULL && (s = last) == NULL) + return (NULL); - /* - * Skip (span) leading delimiters (s += strspn(s, delim), sort of). - */ -#ifdef OLD + /* + * Skip (span) leading delimiters (s += strspn(s, delim), sort of). + */ +#ifdef OLD cont: - c = *s++; - for (spanp = delim; (sc = *spanp++) != 0;) { - if (c == sc) - goto cont; - } + c = *s++; + for (spanp = delim; (sc = *spanp++) != 0;) { + if (c == sc) + goto cont; + } - if (c == 0) { /* no non-delimiter characters */ - last = NULL; - return (NULL); - } - tok = s - 1; + if (c == 0) { /* no non-delimiter characters */ + last = NULL; + return (NULL); + } + tok = s - 1; #else - tok = s; -#endif + tok = s; +#endif - /* - * Scan token (scan for delimiters: s += strcspn(s, delim), sort of). - * Note that delim must have one NUL; we stop if we see that, too. - */ - for (;;) { - c = *s++; - spanp = delim; - do { - if ((sc = *spanp++) == c) { - if (c == 0) - s = NULL; - else - s[-1] = 0; - last = s; - return (tok); - } - } while (sc != 0); - } - /* NOTREACHED */ + /* + * Scan token (scan for delimiters: s += strcspn(s, delim), sort of). + * Note that delim must have one NUL; we stop if we see that, too. + */ + for (;;) { + c = *s++; + spanp = delim; + do { + if ((sc = *spanp++) == c) { + if (c == 0) + s = NULL; + else + s[-1] = 0; + last = s; + return (tok); + } + } while (sc != 0); + } + /* NOTREACHED */ } - diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c index 5a6ee783b..c5f0fe0af 100644 --- a/src/kadmin/ktutil/ktutil.c +++ b/src/kadmin/ktutil/ktutil.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ktutil/ktutil.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * SS user interface for ktutil. */ @@ -50,13 +51,13 @@ int main(argc, argv) retval = krb5_init_context(&kcontext); if (retval) { com_err(argv[0], retval, "while initializing krb5"); - exit(1); + exit(1); } sci_idx = ss_create_invocation("ktutil", "5.0", (char *)NULL, - &ktutil_cmds, &retval); + &ktutil_cmds, &retval); if (retval) { - ss_perror(sci_idx, retval, "creating invocation"); - exit(1); + ss_perror(sci_idx, retval, "creating invocation"); + exit(1); } retval = ss_listen(sci_idx); ktutil_free_kt_list(kcontext, ktlist); @@ -70,12 +71,12 @@ void ktutil_clear_list(argc, argv) krb5_error_code retval; if (argc != 1) { - fprintf(stderr, "%s: invalid arguments\n", argv[0]); - return; + fprintf(stderr, "%s: invalid arguments\n", argv[0]); + return; } retval = ktutil_free_kt_list(kcontext, ktlist); if (retval) - com_err(argv[0], retval, "while freeing ktlist"); + com_err(argv[0], retval, "while freeing ktlist"); ktlist = NULL; } @@ -86,12 +87,12 @@ void ktutil_read_v5(argc, argv) krb5_error_code retval; if (argc != 2) { - fprintf(stderr, "%s: must specify keytab to read\n", argv[0]); - return; + fprintf(stderr, "%s: must specify keytab to read\n", argv[0]); + return; } retval = ktutil_read_keytab(kcontext, argv[1], &ktlist); if (retval) - com_err(argv[0], retval, "while reading keytab \"%s\"", argv[1]); + com_err(argv[0], retval, "while reading keytab \"%s\"", argv[1]); } void ktutil_read_v4(argc, argv) @@ -101,12 +102,12 @@ void ktutil_read_v4(argc, argv) krb5_error_code retval; if (argc != 2) { - fprintf(stderr, "%s: must specify the srvtab to read\n", argv[0]); - return; + fprintf(stderr, "%s: must specify the srvtab to read\n", argv[0]); + return; } retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist); if (retval) - com_err(argv[0], retval, "while reading srvtab \"%s\"", argv[1]); + com_err(argv[0], retval, "while reading srvtab \"%s\"", argv[1]); } void ktutil_write_v5(argc, argv) @@ -116,12 +117,12 @@ void ktutil_write_v5(argc, argv) krb5_error_code retval; if (argc != 2) { - fprintf(stderr, "%s: must specify keytab to write\n", argv[0]); - return; + fprintf(stderr, "%s: must specify keytab to write\n", argv[0]); + return; } retval = ktutil_write_keytab(kcontext, ktlist, argv[1]); if (retval) - com_err(argv[0], retval, "while writing keytab \"%s\"", argv[1]); + com_err(argv[0], retval, "while writing keytab \"%s\"", argv[1]); } void ktutil_write_v4(argc, argv) @@ -139,35 +140,35 @@ void ktutil_add_entry(argc, argv) char *princ = NULL; char *enctype = NULL; krb5_kvno kvno = 0; - int use_pass = 0, use_key = 0, i; + int use_pass = 0, use_key = 0, i; for (i = 1; i < argc; i++) { - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { - princ = argv[++i]; - continue; - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { - kvno = (krb5_kvno) atoi(argv[++i]); - continue; - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { - enctype = argv[++i]; - continue; - } - if ((strlen(argv[i]) == 9) && !strncmp(argv[i], "-password", 9)) { - use_pass++; - continue; - } - if ((strlen(argv[i]) == 4) && !strncmp(argv[i], "-key", 4)) { - use_key++; - continue; - } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { + princ = argv[++i]; + continue; + } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { + kvno = (krb5_kvno) atoi(argv[++i]); + continue; + } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { + enctype = argv[++i]; + continue; + } + if ((strlen(argv[i]) == 9) && !strncmp(argv[i], "-password", 9)) { + use_pass++; + continue; + } + if ((strlen(argv[i]) == 4) && !strncmp(argv[i], "-key", 4)) { + use_key++; + continue; + } } if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) { fprintf(stderr, "usage: %s (-key | -password) -p principal " - "-k kvno -e enctype\n", argv[0]); - return; + "-k kvno -e enctype\n", argv[0]); + return; } retval = ktutil_add(kcontext, &ktlist, princ, kvno, enctype, use_pass); @@ -182,12 +183,12 @@ void ktutil_delete_entry(argc, argv) krb5_error_code retval; if (argc != 2) { - fprintf(stderr, "%s: must specify entry to delete\n", argv[0]); - return; + fprintf(stderr, "%s: must specify entry to delete\n", argv[0]); + return; } retval = ktutil_delete(kcontext, &ktlist, atoi(argv[1])); if (retval) - com_err(argv[0], retval, "while deleting entry %d", atoi(argv[1])); + com_err(argv[0], retval, "while deleting entry %d", atoi(argv[1])); } void ktutil_list(argc, argv) @@ -201,80 +202,70 @@ void ktutil_list(argc, argv) char *pname; for (i = 1; i < argc; i++) { - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-t", 2)) { - show_time++; - continue; - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { - show_keys++; - continue; - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { - show_enctype++; - continue; - } - - fprintf(stderr, "%s: usage: %s [-t] [-k] [-e]\n", argv[0], argv[0]); - return; + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-t", 2)) { + show_time++; + continue; + } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { + show_keys++; + continue; + } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { + show_enctype++; + continue; + } + + fprintf(stderr, "%s: usage: %s [-t] [-k] [-e]\n", argv[0], argv[0]); + return; } if (show_time) { - printf("slot KVNO Timestamp Principal\n"); - printf("---- ---- ----------------- ---------------------------------------------------\n"); + printf("slot KVNO Timestamp Principal\n"); + printf("---- ---- ----------------- ---------------------------------------------------\n"); } else { - printf("slot KVNO Principal\n"); - printf("---- ---- ---------------------------------------------------------------------\n"); + printf("slot KVNO Principal\n"); + printf("---- ---- ---------------------------------------------------------------------\n"); } for (i = 1, lp = ktlist; lp; i++, lp = lp->next) { - retval = krb5_unparse_name(kcontext, lp->entry->principal, &pname); - if (retval) { - com_err(argv[0], retval, "while unparsing principal name"); - return; - } - printf("%4d %4d ", i, lp->entry->vno); - if (show_time) { - char fmtbuf[18]; - char fill; - time_t tstamp; - - tstamp = lp->entry->timestamp; - (void) localtime(&tstamp); - lp->entry->timestamp = tstamp; - fill = ' '; - if (!krb5_timestamp_to_sfstring((krb5_timestamp)lp->entry-> - timestamp, - fmtbuf, - sizeof(fmtbuf), - &fill)) - printf("%s ", fmtbuf); - } - printf("%40s", pname); - if (show_enctype) { - static char buf[256]; - if ((retval = krb5_enctype_to_string( - lp->entry->key.enctype, buf, 256))) { - com_err(argv[0], retval, "While converting enctype to string"); - return; - } - printf(" (%s) ", buf); - } - - if (show_keys) { - printf(" (0x"); - for (j = 0; j < lp->entry->key.length; j++) - printf("%02x", lp->entry->key.contents[j]); - printf(")"); - } - printf("\n"); - free(pname); + retval = krb5_unparse_name(kcontext, lp->entry->principal, &pname); + if (retval) { + com_err(argv[0], retval, "while unparsing principal name"); + return; + } + printf("%4d %4d ", i, lp->entry->vno); + if (show_time) { + char fmtbuf[18]; + char fill; + time_t tstamp; + + tstamp = lp->entry->timestamp; + (void) localtime(&tstamp); + lp->entry->timestamp = tstamp; + fill = ' '; + if (!krb5_timestamp_to_sfstring((krb5_timestamp)lp->entry-> + timestamp, + fmtbuf, + sizeof(fmtbuf), + &fill)) + printf("%s ", fmtbuf); + } + printf("%40s", pname); + if (show_enctype) { + static char buf[256]; + if ((retval = krb5_enctype_to_string( + lp->entry->key.enctype, buf, 256))) { + com_err(argv[0], retval, "While converting enctype to string"); + return; + } + printf(" (%s) ", buf); + } + + if (show_keys) { + printf(" (0x"); + for (j = 0; j < lp->entry->key.length; j++) + printf("%02x", lp->entry->key.contents[j]); + printf(")"); + } + printf("\n"); + free(pname); } } - - - - - - - - - - diff --git a/src/kadmin/ktutil/ktutil.h b/src/kadmin/ktutil/ktutil.h index 5ecc7d4ad..7a3c53e56 100644 --- a/src/kadmin/ktutil/ktutil.h +++ b/src/kadmin/ktutil/ktutil.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ktutil/ktutil.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ typedef struct _krb5_kt_list { @@ -35,23 +36,23 @@ krb5_error_code ktutil_free_kt_list (krb5_context, krb5_kt_list); krb5_error_code ktutil_delete (krb5_context, krb5_kt_list *, int); krb5_error_code ktutil_add (krb5_context, - krb5_kt_list *, - char *, - krb5_kvno, - char *, - int); + krb5_kt_list *, + char *, + krb5_kvno, + char *, + int); krb5_error_code ktutil_read_keytab (krb5_context, - char *, - krb5_kt_list *); + char *, + krb5_kt_list *); krb5_error_code ktutil_write_keytab (krb5_context, - krb5_kt_list, - char *); + krb5_kt_list, + char *); krb5_error_code ktutil_read_srvtab (krb5_context, - char *, - krb5_kt_list *); + char *, + krb5_kt_list *); void ktutil_add_entry (int, char *[]); diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c index e3e9204d9..1aa74dec8 100644 --- a/src/kadmin/ktutil/ktutil_funcs.c +++ b/src/kadmin/ktutil/ktutil_funcs.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ktutil/ktutil_funcs.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * Utility functions for ktutil. */ @@ -42,13 +43,13 @@ krb5_error_code ktutil_free_kt_list(context, list) krb5_error_code retval = 0; for (lp = list; lp;) { - retval = krb5_kt_free_entry(context, lp->entry); - free(lp->entry); - if (retval) - break; - prev = lp; - lp = lp->next; - free(prev); + retval = krb5_kt_free_entry(context, lp->entry); + free(lp->entry); + if (retval) + break; + prev = lp; + lp = lp->next; + free(prev); } return retval; } @@ -66,14 +67,14 @@ krb5_error_code ktutil_delete(context, list, idx) int i; for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) { - if (i == idx) { - if (i == 1) - *list = lp->next; - else - prev->next = lp->next; - lp->next = NULL; - return ktutil_free_kt_list(context, lp); - } + if (i == idx) { + if (i == 1) + *list = lp->next; + else + prev->next = lp->next; + lp->next = NULL; + return ktutil_free_kt_list(context, lp); + } } return EINVAL; } @@ -85,7 +86,7 @@ krb5_error_code ktutil_delete(context, list, idx) * one first. */ krb5_error_code ktutil_add(context, list, princ_str, kvno, - enctype_str, use_pass) + enctype_str, use_pass) krb5_context context; krb5_kt_list *list; char *princ_str; @@ -117,7 +118,7 @@ krb5_error_code ktutil_add(context, list, princ_str, kvno, if (retval) return retval; retval = krb5_string_to_enctype(enctype_str, &enctype); - if (retval) + if (retval) return KRB5_BAD_ENCTYPE; retval = krb5_timeofday(context, &now); if (retval) @@ -133,93 +134,93 @@ krb5_error_code ktutil_add(context, list, princ_str, kvno, } memset(entry, 0, sizeof(*entry)); - if (!lp) { /* if list is empty, start one */ + if (!lp) { /* if list is empty, start one */ lp = (krb5_kt_list) malloc(sizeof(*lp)); - if (!lp) { - return ENOMEM; - } + if (!lp) { + return ENOMEM; + } } else { lp->next = (krb5_kt_list) malloc(sizeof(*lp)); - if (!lp->next) { - return ENOMEM; - } - prev = lp; - lp = lp->next; - } + if (!lp->next) { + return ENOMEM; + } + prev = lp; + lp = lp->next; + } lp->next = NULL; lp->entry = entry; if (use_pass) { password.length = pwsize; - password.data = (char *) malloc(pwsize); - if (!password.data) { - retval = ENOMEM; - goto cleanup; - } + password.data = (char *) malloc(pwsize); + if (!password.data) { + retval = ENOMEM; + goto cleanup; + } - snprintf(promptstr, sizeof(promptstr), "Password for %.1000s", - princ_str); + snprintf(promptstr, sizeof(promptstr), "Password for %.1000s", + princ_str); retval = krb5_read_password(context, promptstr, NULL, password.data, - &password.length); - if (retval) - goto cleanup; - retval = krb5_principal2salt(context, princ, &salt); - if (retval) - goto cleanup; - retval = krb5_c_string_to_key(context, enctype, &password, - &salt, &key); - if (retval) - goto cleanup; - memset(password.data, 0, password.length); - password.length = 0; - lp->entry->key = key; + &password.length); + if (retval) + goto cleanup; + retval = krb5_principal2salt(context, princ, &salt); + if (retval) + goto cleanup; + retval = krb5_c_string_to_key(context, enctype, &password, + &salt, &key); + if (retval) + goto cleanup; + memset(password.data, 0, password.length); + password.length = 0; + lp->entry->key = key; } else { printf("Key for %s (hex): ", princ_str); - fgets(buf, BUFSIZ, stdin); - /* - * We need to get rid of the trailing '\n' from fgets. - * If we have an even number of hex digits (as we should), - * write a '\0' over the '\n'. If for some reason we have - * an odd number of hex digits, force an even number of hex - * digits by writing a '0' into the last position (the string - * will still be null-terminated). - */ - buf[strlen(buf) - 1] = strlen(buf) % 2 ? '\0' : '0'; - if (strlen(buf) == 0) { - fprintf(stderr, "addent: Error reading key.\n"); - retval = 0; - goto cleanup; - } - + fgets(buf, BUFSIZ, stdin); + /* + * We need to get rid of the trailing '\n' from fgets. + * If we have an even number of hex digits (as we should), + * write a '\0' over the '\n'. If for some reason we have + * an odd number of hex digits, force an even number of hex + * digits by writing a '0' into the last position (the string + * will still be null-terminated). + */ + buf[strlen(buf) - 1] = strlen(buf) % 2 ? '\0' : '0'; + if (strlen(buf) == 0) { + fprintf(stderr, "addent: Error reading key.\n"); + retval = 0; + goto cleanup; + } + lp->entry->key.enctype = enctype; - lp->entry->key.contents = (krb5_octet *) malloc((strlen(buf) + 1) / 2); - if (!lp->entry->key.contents) { - retval = ENOMEM; - goto cleanup; - } + lp->entry->key.contents = (krb5_octet *) malloc((strlen(buf) + 1) / 2); + if (!lp->entry->key.contents) { + retval = ENOMEM; + goto cleanup; + } - i = 0; - for (cp = buf; *cp; cp += 2) { - if (!isxdigit((int) cp[0]) || !isxdigit((int) cp[1])) { - fprintf(stderr, "addent: Illegal character in key.\n"); - retval = 0; - goto cleanup; - } - sscanf(cp, "%02x", &tmp); - lp->entry->key.contents[i++] = (krb5_octet) tmp; - } - lp->entry->key.length = i; + i = 0; + for (cp = buf; *cp; cp += 2) { + if (!isxdigit((int) cp[0]) || !isxdigit((int) cp[1])) { + fprintf(stderr, "addent: Illegal character in key.\n"); + retval = 0; + goto cleanup; + } + sscanf(cp, "%02x", &tmp); + lp->entry->key.contents[i++] = (krb5_octet) tmp; + } + lp->entry->key.length = i; } lp->entry->principal = princ; lp->entry->vno = kvno; lp->entry->timestamp = now; if (!*list) - *list = lp; + *list = lp; return 0; - cleanup: +cleanup: if (prev) prev->next = NULL; ktutil_free_kt_list(context, lp); @@ -242,62 +243,62 @@ krb5_error_code ktutil_read_keytab(context, name, list) krb5_error_code retval = 0; if (*list) { - /* point lp at the tail of the list */ - for (lp = *list; lp->next; lp = lp->next); - back = lp; + /* point lp at the tail of the list */ + for (lp = *list; lp->next; lp = lp->next); + back = lp; } retval = krb5_kt_resolve(context, name, &kt); if (retval) - return retval; + return retval; retval = krb5_kt_start_seq_get(context, kt, &cursor); if (retval) - goto close_kt; + goto close_kt; for (;;) { - entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry)); - if (!entry) { - retval = ENOMEM; - break; - } - memset(entry, 0, sizeof (*entry)); - retval = krb5_kt_next_entry(context, kt, entry, &cursor); - if (retval) - break; + entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry)); + if (!entry) { + retval = ENOMEM; + break; + } + memset(entry, 0, sizeof (*entry)); + retval = krb5_kt_next_entry(context, kt, entry, &cursor); + if (retval) + break; - if (!lp) { /* if list is empty, start one */ - lp = (krb5_kt_list)malloc(sizeof (*lp)); - if (!lp) { - retval = ENOMEM; - break; - } - } else { - lp->next = (krb5_kt_list)malloc(sizeof (*lp)); - if (!lp->next) { - retval = ENOMEM; - break; - } - lp = lp->next; - } - if (!tail) - tail = lp; - lp->next = NULL; - lp->entry = entry; + if (!lp) { /* if list is empty, start one */ + lp = (krb5_kt_list)malloc(sizeof (*lp)); + if (!lp) { + retval = ENOMEM; + break; + } + } else { + lp->next = (krb5_kt_list)malloc(sizeof (*lp)); + if (!lp->next) { + retval = ENOMEM; + break; + } + lp = lp->next; + } + if (!tail) + tail = lp; + lp->next = NULL; + lp->entry = entry; } if (entry) - free(entry); + free(entry); if (retval) { - if (retval == KRB5_KT_END) - retval = 0; - else { - ktutil_free_kt_list(context, tail); - tail = NULL; - if (back) - back->next = NULL; - } + if (retval == KRB5_KT_END) + retval = 0; + else { + ktutil_free_kt_list(context, tail); + tail = NULL; + if (back) + back->next = NULL; + } } if (!*list) - *list = tail; + *list = tail; krb5_kt_end_seq_get(context, kt, &cursor); - close_kt: +close_kt: krb5_kt_close(context, kt); return retval; } @@ -318,14 +319,14 @@ krb5_error_code ktutil_write_keytab(context, list, name) result = snprintf(ktname, sizeof(ktname), "WRFILE:%s", name); if (SNPRINTF_OVERFLOW(result, sizeof(ktname))) - return ENAMETOOLONG; + return ENAMETOOLONG; retval = krb5_kt_resolve(context, ktname, &kt); if (retval) - return retval; + return retval; for (lp = list; lp; lp = lp->next) { - retval = krb5_kt_add_entry(context, kt, lp->entry); - if (retval) - break; + retval = krb5_kt_add_entry(context, kt, lp->entry); + if (retval) + break; } krb5_kt_close(context, kt); return retval; @@ -344,7 +345,7 @@ krb5_error_code ktutil_read_srvtab(context, name, list) krb5_error_code result; if (asprintf(&ktname, "SRVTAB:%s", name) < 0) - return ENOMEM; + return ENOMEM; result = ktutil_read_keytab(context, ktname, list); free(ktname); return result; diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index 68d8af497..9b556e925 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -28,7 +28,7 @@ static int check_rpcsec_auth(struct svc_req *); /* * Function: kadm_1 - * + * * Purpose: RPC proccessing procedure. * originally generated from rpcgen * @@ -79,36 +79,36 @@ void kadm_1(rqstp, transp) svcerr_weakauth(transp); return; } - + switch (rqstp->rq_proc) { case NULLPROC: (void) svc_sendreply(transp, xdr_void, (char *)NULL); return; - + case CREATE_PRINCIPAL: xdr_argument = xdr_cprinc_arg; xdr_result = xdr_generic_ret; local = (char *(*)()) create_principal_2_svc; break; - + case DELETE_PRINCIPAL: xdr_argument = xdr_dprinc_arg; xdr_result = xdr_generic_ret; local = (char *(*)()) delete_principal_2_svc; break; - + case MODIFY_PRINCIPAL: xdr_argument = xdr_mprinc_arg; xdr_result = xdr_generic_ret; local = (char *(*)()) modify_principal_2_svc; break; - + case RENAME_PRINCIPAL: xdr_argument = xdr_rprinc_arg; xdr_result = xdr_generic_ret; local = (char *(*)()) rename_principal_2_svc; break; - + case GET_PRINCIPAL: xdr_argument = xdr_gprinc_arg; xdr_result = xdr_gprinc_ret; @@ -120,7 +120,7 @@ void kadm_1(rqstp, transp) xdr_result = xdr_gprincs_ret; local = (char *(*)()) get_princs_2_svc; break; - + case CHPASS_PRINCIPAL: xdr_argument = xdr_chpass_arg; xdr_result = xdr_generic_ret; @@ -138,31 +138,31 @@ void kadm_1(rqstp, transp) xdr_result = xdr_generic_ret; local = (char *(*)()) setkey_principal_2_svc; break; - + case CHRAND_PRINCIPAL: xdr_argument = xdr_chrand_arg; xdr_result = xdr_chrand_ret; local = (char *(*)()) chrand_principal_2_svc; break; - + case CREATE_POLICY: xdr_argument = xdr_cpol_arg; xdr_result = xdr_generic_ret; local = (char *(*)()) create_policy_2_svc; break; - + case DELETE_POLICY: xdr_argument = xdr_dpol_arg; xdr_result = xdr_generic_ret; local = (char *(*)()) delete_policy_2_svc; break; - + case MODIFY_POLICY: xdr_argument = xdr_mpol_arg; xdr_result = xdr_generic_ret; local = (char *(*)()) modify_policy_2_svc; break; - + case GET_POLICY: xdr_argument = xdr_gpol_arg; xdr_result = xdr_gpol_ret; @@ -174,7 +174,7 @@ void kadm_1(rqstp, transp) xdr_result = xdr_gpols_ret; local = (char *(*)()) get_pols_2_svc; break; - + case GET_PRIVS: xdr_argument = xdr_u_int32; xdr_result = xdr_getprivs_ret; diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c index 1725fbf7d..375fbd151 100644 --- a/src/kadmin/server/misc.c +++ b/src/kadmin/server/misc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -11,109 +12,109 @@ /* * Function: chpass_principal_wrapper_3 - * + * * Purpose: wrapper to kadm5_chpass_principal that checks to see if - * pw_min_life has been reached. if not it returns an error. - * otherwise it calls kadm5_chpass_principal + * pw_min_life has been reached. if not it returns an error. + * otherwise it calls kadm5_chpass_principal * * Arguments: - * principal (input) krb5_principals whose password we are - * changing - * keepold (input) whether to preserve old keys - * n_ks_tuple (input) the number of key-salt tuples in ks_tuple - * ks_tuple (input) array of tuples indicating the caller's - * requested enctypes/salttypes - * password (input) password we are going to change to. - * 0 on success error code on failure. + * principal (input) krb5_principals whose password we are + * changing + * keepold (input) whether to preserve old keys + * n_ks_tuple (input) the number of key-salt tuples in ks_tuple + * ks_tuple (input) array of tuples indicating the caller's + * requested enctypes/salttypes + * password (input) password we are going to change to. + * 0 on success error code on failure. * * Requires: - * kadm5_init to have been run. - * + * kadm5_init to have been run. + * * Effects: - * calls kadm5_chpass_principal which changes the kdb and the - * the admin db. + * calls kadm5_chpass_principal which changes the kdb and the + * the admin db. * */ kadm5_ret_t chpass_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *password) + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + char *password) { - kadm5_ret_t ret; + kadm5_ret_t ret; ret = check_min_life(server_handle, principal, NULL, 0); if (ret) - return ret; + return ret; return kadm5_chpass_principal_3(server_handle, principal, - keepold, n_ks_tuple, ks_tuple, - password); + keepold, n_ks_tuple, ks_tuple, + password); } /* * Function: randkey_principal_wrapper_3 - * + * * Purpose: wrapper to kadm5_randkey_principal which checks the - * password's min. life. + * password's min. life. * * Arguments: - * principal (input) krb5_principal whose password we are - * changing - * keepold (input) whether to preserve old keys - * n_ks_tuple (input) the number of key-salt tuples in ks_tuple - * ks_tuple (input) array of tuples indicating the caller's - * requested enctypes/salttypes - * key (output) new random key - * 0, error code on error. + * principal (input) krb5_principal whose password we are + * changing + * keepold (input) whether to preserve old keys + * n_ks_tuple (input) the number of key-salt tuples in ks_tuple + * ks_tuple (input) array of tuples indicating the caller's + * requested enctypes/salttypes + * key (output) new random key + * 0, error code on error. * * Requires: - * kadm5_init needs to be run - * + * kadm5_init needs to be run + * * Effects: - * calls kadm5_randkey_principal + * calls kadm5_randkey_principal * */ kadm5_ret_t randkey_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **keys, int *n_keys) + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + krb5_keyblock **keys, int *n_keys) { - kadm5_ret_t ret; + kadm5_ret_t ret; ret = check_min_life(server_handle, principal, NULL, 0); if (ret) - return ret; + return ret; return kadm5_randkey_principal_3(server_handle, principal, - keepold, n_ks_tuple, ks_tuple, - keys, n_keys); + keepold, n_ks_tuple, ks_tuple, + keys, n_keys); } kadm5_ret_t schpw_util_wrapper(void *server_handle, - krb5_principal client, - krb5_principal target, - krb5_boolean initial_flag, - char *new_pw, char **ret_pw, - char *msg_ret, unsigned int msg_len) + krb5_principal client, + krb5_principal target, + krb5_boolean initial_flag, + char *new_pw, char **ret_pw, + char *msg_ret, unsigned int msg_len) { - kadm5_ret_t ret; - kadm5_server_handle_t handle = server_handle; - krb5_boolean access_granted; - krb5_boolean self; + kadm5_ret_t ret; + kadm5_server_handle_t handle = server_handle; + krb5_boolean access_granted; + krb5_boolean self; /* * If no target is explicitly provided, then the target principal * is the client principal. */ if (target == NULL) - target = client; + target = client; /* * A principal can always change its own password, as long as it @@ -122,32 +123,32 @@ schpw_util_wrapper(void *server_handle, */ self = krb5_principal_compare(handle->context, client, target); if (self) { - ret = check_min_life(server_handle, target, msg_ret, msg_len); - if (ret != 0) - return ret; + ret = check_min_life(server_handle, target, msg_ret, msg_len); + if (ret != 0) + return ret; - access_granted = initial_flag; + access_granted = initial_flag; } else - access_granted = FALSE; + access_granted = FALSE; if (!access_granted && - kadm5int_acl_check_krb(handle->context, client, - ACL_CHANGEPW, target, NULL)) { - /* - * Otherwise, principals with appropriate privileges can change - * any password - */ - access_granted = TRUE; + kadm5int_acl_check_krb(handle->context, client, + ACL_CHANGEPW, target, NULL)) { + /* + * Otherwise, principals with appropriate privileges can change + * any password + */ + access_granted = TRUE; } if (access_granted) { - ret = kadm5_chpass_principal_util(server_handle, - target, - new_pw, ret_pw, - msg_ret, msg_len); + ret = kadm5_chpass_principal_util(server_handle, + target, + new_pw, ret_pw, + msg_ret, msg_len); } else { - ret = KADM5_AUTH_CHANGEPW; - strlcpy(msg_ret, "Unauthorized request", msg_len); + ret = KADM5_AUTH_CHANGEPW; + strlcpy(msg_ret, "Unauthorized request", msg_len); } return ret; @@ -155,60 +156,60 @@ schpw_util_wrapper(void *server_handle, kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal, - char *msg_ret, unsigned int msg_len) + char *msg_ret, unsigned int msg_len) { - krb5_int32 now; - kadm5_ret_t ret; - kadm5_policy_ent_rec pol; - kadm5_principal_ent_rec princ; - kadm5_server_handle_t handle = server_handle; + krb5_int32 now; + kadm5_ret_t ret; + kadm5_policy_ent_rec pol; + kadm5_principal_ent_rec princ; + kadm5_server_handle_t handle = server_handle; if (msg_ret != NULL) - *msg_ret = '\0'; + *msg_ret = '\0'; ret = krb5_timeofday(handle->context, &now); if (ret) - return ret; + return ret; - ret = kadm5_get_principal(handle->lhandle, principal, - &princ, KADM5_PRINCIPAL_NORMAL_MASK); - if(ret) - return ret; + ret = kadm5_get_principal(handle->lhandle, principal, + &princ, KADM5_PRINCIPAL_NORMAL_MASK); + if(ret) + return ret; if(princ.aux_attributes & KADM5_POLICY) { - if((ret=kadm5_get_policy(handle->lhandle, - princ.policy, &pol)) != KADM5_OK) { - (void) kadm5_free_principal_ent(handle->lhandle, &princ); - return ret; - } - if((now - princ.last_pwd_change) < pol.pw_min_life && - !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - if (msg_ret != NULL) { - time_t until; - char *time_string, *ptr, *errstr; - - until = princ.last_pwd_change + pol.pw_min_life; - - time_string = ctime(&until); - errstr = error_message(CHPASS_UTIL_PASSWORD_TOO_SOON); - - if (strlen(errstr) + strlen(time_string) >= msg_len) { - *errstr = '\0'; - } else { - if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') - *ptr = '\0'; - snprintf(msg_ret, msg_len, errstr, time_string); - } - } - - (void) kadm5_free_policy_ent(handle->lhandle, &pol); - (void) kadm5_free_principal_ent(handle->lhandle, &princ); - return KADM5_PASS_TOOSOON; - } - - ret = kadm5_free_policy_ent(handle->lhandle, &pol); - if (ret) { - (void) kadm5_free_principal_ent(handle->lhandle, &princ); - return ret; + if((ret=kadm5_get_policy(handle->lhandle, + princ.policy, &pol)) != KADM5_OK) { + (void) kadm5_free_principal_ent(handle->lhandle, &princ); + return ret; + } + if((now - princ.last_pwd_change) < pol.pw_min_life && + !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + if (msg_ret != NULL) { + time_t until; + char *time_string, *ptr, *errstr; + + until = princ.last_pwd_change + pol.pw_min_life; + + time_string = ctime(&until); + errstr = error_message(CHPASS_UTIL_PASSWORD_TOO_SOON); + + if (strlen(errstr) + strlen(time_string) >= msg_len) { + *errstr = '\0'; + } else { + if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') + *ptr = '\0'; + snprintf(msg_ret, msg_len, errstr, time_string); + } + } + + (void) kadm5_free_policy_ent(handle->lhandle, &pol); + (void) kadm5_free_principal_ent(handle->lhandle, &princ); + return KADM5_PASS_TOOSOON; + } + + ret = kadm5_free_policy_ent(handle->lhandle, &pol); + if (ret) { + (void) kadm5_free_principal_ent(handle->lhandle, &princ); + return ret; } } diff --git a/src/kadmin/server/misc.h b/src/kadmin/server/misc.h index 073f6ff10..10e6054db 100644 --- a/src/kadmin/server/misc.h +++ b/src/kadmin/server/misc.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1994 OpenVision Technologies, Inc., All Rights Reserved * @@ -7,51 +8,51 @@ #define _MISC_H 1 typedef struct _krb5_fulladdr { - krb5_address * address; - krb5_ui_4 port; + krb5_address * address; + krb5_ui_4 port; } krb5_fulladdr; void log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data); + struct sockaddr_in *addr, char *data); int setup_gss_names(struct svc_req *, gss_buffer_desc *, - gss_buffer_desc *); + gss_buffer_desc *); kadm5_ret_t chpass_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *password); + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + char *password); kadm5_ret_t randkey_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **keys, int *n_keys); + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + krb5_keyblock **keys, int *n_keys); kadm5_ret_t schpw_util_wrapper(void *server_handle, krb5_principal client, - krb5_principal target, krb5_boolean initial_flag, - char *new_pw, char **ret_pw, - char *msg_ret, unsigned int msg_len); + krb5_principal target, krb5_boolean initial_flag, + char *new_pw, char **ret_pw, + char *msg_ret, unsigned int msg_len); kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal, - char *msg_ret, unsigned int msg_len); + char *msg_ret, unsigned int msg_len); -krb5_error_code process_chpw_request(krb5_context context, - void *server_handle, - char *realm, - krb5_keytab keytab, - krb5_fulladdr *local_faddr, - krb5_fulladdr *remote_faddr, - krb5_data *req, krb5_data *rep); +krb5_error_code process_chpw_request(krb5_context context, + void *server_handle, + char *realm, + krb5_keytab keytab, + krb5_fulladdr *local_faddr, + krb5_fulladdr *remote_faddr, + krb5_data *req, krb5_data *rep); void kadm_1(struct svc_req *, SVCXPRT *); void krb5_iprop_prog_1(struct svc_req *, SVCXPRT *); @@ -60,7 +61,7 @@ void trunc_name(size_t *len, char **dots); int gss_to_krb5_name_1(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name, - krb5_principal *princ, gss_buffer_t gss_str); + krb5_principal *princ, gss_buffer_t gss_str); extern volatile int signal_request_exit; @@ -69,7 +70,7 @@ extern volatile int signal_request_hup; void reset_db(void); void log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data); + struct sockaddr_in *addr, char *data); /* network.c */ krb5_error_code setup_network(void *handle, const char *prog); @@ -77,13 +78,13 @@ krb5_error_code listen_and_process(void *handle, const char *prog); krb5_error_code closedown_network(void *handle, const char *prog); -void +void krb5_iprop_prog_1(struct svc_req *rqstp, SVCXPRT *transp); -kadm5_ret_t +kadm5_ret_t kiprop_get_adm_host_srv_name(krb5_context, - const char *, - char **); + const char *, + char **); #endif /* _MISC_H */ diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c index df3f01cf0..5dd7f2e02 100644 --- a/src/kadmin/server/network.c +++ b/src/kadmin/server/network.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/server/network.c * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Network code for Kerberos v5 kadmin server (based on KDC code). */ @@ -61,7 +62,7 @@ #endif #ifdef HAVE_SYS_FILIO_H -#include /* FIONBIO */ +#include /* FIONBIO */ #endif #include "fake-addrinfo.h" @@ -75,15 +76,15 @@ set_sa_port(struct sockaddr *addr, int port) { switch (addr->sa_family) { case AF_INET: - sa2sin(addr)->sin_port = port; - break; + sa2sin(addr)->sin_port = port; + break; #ifdef KRB5_USE_INET6 case AF_INET6: - sa2sin6(addr)->sin6_port = port; - break; + sa2sin6(addr)->sin6_port = port; + break; #endif default: - break; + break; } } @@ -92,13 +93,13 @@ static int ipv6_enabled() #ifdef KRB5_USE_INET6 static int result = -1; if (result == -1) { - int s; - s = socket(AF_INET6, SOCK_STREAM, 0); - if (s >= 0) { - result = 1; - close(s); - } else - result = 0; + int s; + s = socket(AF_INET6, SOCK_STREAM, 0); + if (s >= 0) { + result = 1; + close(s); + } else + result = 0; } return result; #else @@ -139,21 +140,21 @@ set_pktinfo(int sock, int family) switch (family) { #if defined(IP_PKTINFO) && defined(HAVE_STRUCT_IN_PKTINFO) case AF_INET: - proto = IPPROTO_IP; - option = IP_RECVPKTINFO; - break; + proto = IPPROTO_IP; + option = IP_RECVPKTINFO; + break; #endif #if defined(IPV6_PKTINFO) && defined(HAVE_STRUCT_IN6_PKTINFO) case AF_INET6: - proto = IPPROTO_IPV6; - option = IPV6_RECVPKTINFO; - break; + proto = IPPROTO_IPV6; + option = IPV6_RECVPKTINFO; + break; #endif default: - return EINVAL; + return EINVAL; } if (setsockopt(sock, proto, option, &sockopt, sizeof(sockopt))) - return errno; + return errno; return 0; } @@ -163,17 +164,17 @@ static const char *paddr (struct sockaddr *sa) static char buf[100]; char portbuf[10]; if (getnameinfo(sa, socklen(sa), - buf, sizeof(buf), portbuf, sizeof(portbuf), - NI_NUMERICHOST|NI_NUMERICSERV)) - strlcpy(buf, "", sizeof(buf)); + buf, sizeof(buf), portbuf, sizeof(portbuf), + NI_NUMERICHOST|NI_NUMERICSERV)) + strlcpy(buf, "", sizeof(buf)); else { - unsigned int len = sizeof(buf) - strlen(buf); - char *p = buf + strlen(buf); - if (len > 2+strlen(portbuf)) { - *p++ = '.'; - len--; - strncpy(p, portbuf, len); - } + unsigned int len = sizeof(buf) - strlen(buf); + char *p = buf + strlen(buf); + if (len > 2+strlen(portbuf)) { + *p++ = '.'; + len--; + strncpy(p, portbuf, len); + } } return buf; } @@ -192,31 +193,31 @@ struct connection { enum conn_type type; void (*service)(void *handle, struct connection *, const char *, int); union { - /* Type-specific information. */ - struct { - /* connection */ - struct sockaddr_storage addr_s; - socklen_t addrlen; - char addrbuf[56]; - krb5_fulladdr faddr; - krb5_address kaddr; - /* incoming */ - size_t bufsiz; - size_t offset; - char *buffer; - size_t msglen; - /* outgoing */ - krb5_data *response; - unsigned char lenbuf[4]; - sg_buf sgbuf[2]; - sg_buf *sgp; - int sgnum; - /* crude denial-of-service avoidance support */ - time_t start_time; - } tcp; - struct { - SVCXPRT *transp; - } rpc; + /* Type-specific information. */ + struct { + /* connection */ + struct sockaddr_storage addr_s; + socklen_t addrlen; + char addrbuf[56]; + krb5_fulladdr faddr; + krb5_address kaddr; + /* incoming */ + size_t bufsiz; + size_t offset; + char *buffer; + size_t msglen; + /* outgoing */ + krb5_data *response; + unsigned char lenbuf[4]; + sg_buf sgbuf[2]; + sg_buf *sgp; + int sgnum; + /* crude denial-of-service avoidance support */ + time_t start_time; + } tcp; + struct { + SVCXPRT *transp; + } rpc; } u; }; @@ -226,47 +227,47 @@ struct connection { /* Start at the top and work down -- this should allow for deletions without disrupting the iteration, since we delete by overwriting the element to be removed with the last element. */ -#define FOREACH_ELT(set,idx,vvar) \ - for (idx = set.n-1; idx >= 0 && (vvar = set.data[idx], 1); idx--) - -#define GROW_SET(set, incr, tmpptr) \ - (((int)(set.max + incr) < set.max \ - || (((size_t)((int)(set.max + incr) * sizeof(set.data[0])) \ - / sizeof(set.data[0])) \ - != (set.max + incr))) \ - ? 0 /* overflow */ \ - : ((tmpptr = realloc(set.data, \ - (int)(set.max + incr) * sizeof(set.data[0]))) \ - ? (set.data = tmpptr, set.max += incr, 1) \ - : 0)) +#define FOREACH_ELT(set,idx,vvar) \ + for (idx = set.n-1; idx >= 0 && (vvar = set.data[idx], 1); idx--) + +#define GROW_SET(set, incr, tmpptr) \ + (((int)(set.max + incr) < set.max \ + || (((size_t)((int)(set.max + incr) * sizeof(set.data[0])) \ + / sizeof(set.data[0])) \ + != (set.max + incr))) \ + ? 0 /* overflow */ \ + : ((tmpptr = realloc(set.data, \ + (int)(set.max + incr) * sizeof(set.data[0]))) \ + ? (set.data = tmpptr, set.max += incr, 1) \ + : 0)) /* 1 = success, 0 = failure */ -#define ADD(set, val, tmpptr) \ - ((set.n < set.max || GROW_SET(set, 10, tmpptr)) \ - ? (set.data[set.n++] = val, 1) \ - : 0) +#define ADD(set, val, tmpptr) \ + ((set.n < set.max || GROW_SET(set, 10, tmpptr)) \ + ? (set.data[set.n++] = val, 1) \ + : 0) -#define DEL(set, idx) \ - (set.data[idx] = set.data[--set.n], 0) +#define DEL(set, idx) \ + (set.data[idx] = set.data[--set.n], 0) -#define FREE_SET_DATA(set) \ - (free(set.data), set.data = 0, set.max = 0, set.n = 0) +#define FREE_SET_DATA(set) \ + (free(set.data), set.data = 0, set.max = 0, set.n = 0) /* Set connections; */ static SET(struct connection *) connections; -#define n_sockets connections.n -#define conns connections.data +#define n_sockets connections.n +#define conns connections.data /* Set udp_port_data, tcp_port_data; */ static SET(u_short) udp_port_data, tcp_port_data; -struct rpc_svc_data { - u_short port; - u_long prognum; - u_long versnum; - void (*dispatch)(); -}; + struct rpc_svc_data { + u_short port; + u_long prognum; + u_long versnum; + void (*dispatch)(); + }; static SET(struct rpc_svc_data) rpc_svc_data; @@ -277,60 +278,60 @@ static fd_set rpc_listenfds; static krb5_error_code add_udp_port(int port) { - int i; + int i; void *tmp; u_short val; u_short s_port = port; if (s_port != port) - return EINVAL; + return EINVAL; FOREACH_ELT (udp_port_data, i, val) - if (s_port == val) - return 0; + if (s_port == val) + return 0; if (!ADD(udp_port_data, s_port, tmp)) - return ENOMEM; + return ENOMEM; return 0; } static krb5_error_code add_tcp_port(int port) { - int i; + int i; void *tmp; u_short val; u_short s_port = port; if (s_port != port) - return EINVAL; + return EINVAL; FOREACH_ELT (tcp_port_data, i, val) - if (s_port == val) - return 0; + if (s_port == val) + return 0; if (!ADD(tcp_port_data, s_port, tmp)) - return ENOMEM; + return ENOMEM; return 0; } static krb5_error_code add_rpc_service(int port, u_long prognum, u_long versnum, - void (*dispatch)()) + void (*dispatch)()) { - int i; + int i; void *tmp; struct rpc_svc_data svc, val; svc.port = port; if (svc.port != port) - return EINVAL; + return EINVAL; svc.prognum = prognum; svc.versnum = versnum; svc.dispatch = dispatch; FOREACH_ELT (rpc_svc_data, i, val) { - if (val.port == port) - return 0; + if (val.port == port) + return 0; } if (!ADD(rpc_svc_data, svc, tmp)) - return ENOMEM; + return ENOMEM; return 0; } @@ -351,31 +352,31 @@ struct socksetup { static struct connection * add_fd (struct socksetup *data, int sock, enum conn_type conntype, - void (*service)(void *handle, struct connection *, const char *, int)) + void (*service)(void *handle, struct connection *, const char *, int)) { struct connection *newconn; void *tmp; #ifndef _WIN32 if (sock >= FD_SETSIZE) { - data->retval = EMFILE; /* XXX */ - com_err(data->prog, 0, - "file descriptor number %d too high", sock); - return 0; + data->retval = EMFILE; /* XXX */ + com_err(data->prog, 0, + "file descriptor number %d too high", sock); + return 0; } #endif newconn = (struct connection *)malloc(sizeof(*newconn)); if (newconn == NULL) { - data->retval = ENOMEM; - com_err(data->prog, ENOMEM, - "cannot allocate storage for connection info"); - return 0; + data->retval = ENOMEM; + com_err(data->prog, ENOMEM, + "cannot allocate storage for connection info"); + return 0; } if (!ADD(connections, newconn, tmp)) { - data->retval = ENOMEM; - com_err(data->prog, ENOMEM, "cannot save socket info"); - free(newconn); - return 0; + data->retval = ENOMEM; + com_err(data->prog, ENOMEM, "cannot save socket info"); + free(newconn); + return 0; } memset(newconn, 0, sizeof(*newconn)); @@ -395,7 +396,7 @@ static struct connection * add_udp_fd (struct socksetup *data, int sock, int pktinfo) { return add_fd(data, sock, pktinfo ? CONN_UDP_PKTINFO : CONN_UDP, - process_packet); + process_packet); } static struct connection * @@ -417,10 +418,10 @@ delete_fd (struct connection *xconn) int i; FOREACH_ELT(connections, i, conn) - if (conn == xconn) { - DEL(connections, i); - break; - } + if (conn == xconn) { + DEL(connections, i); + break; + } free(xconn); } @@ -431,22 +432,22 @@ add_rpc_listener_fd (struct socksetup *data, struct rpc_svc_data *svc, int sock) conn = add_fd(data, sock, CONN_RPC_LISTENER, accept_rpc_connection); if (conn == NULL) - return NULL; + return NULL; conn->u.rpc.transp = svctcp_create(sock, 0, 0); if (conn->u.rpc.transp == NULL) { - krb5_klog_syslog(LOG_ERR, "Cannot create RPC service: %s; continuing", - strerror(errno)); - delete_fd(conn); - return NULL; + krb5_klog_syslog(LOG_ERR, "Cannot create RPC service: %s; continuing", + strerror(errno)); + delete_fd(conn); + return NULL; } if (!svc_register(conn->u.rpc.transp, svc->prognum, svc->versnum, - svc->dispatch, 0)) { - krb5_klog_syslog(LOG_ERR, "Cannot register RPC service: %s; continuing", - strerror(errno)); - delete_fd(conn); - return NULL; + svc->dispatch, 0)) { + krb5_klog_syslog(LOG_ERR, "Cannot register RPC service: %s; continuing", + strerror(errno)); + delete_fd(conn); + return NULL; } return conn; @@ -487,60 +488,60 @@ setup_a_tcp_listener(struct socksetup *data, struct sockaddr *addr) sock = socket(addr->sa_family, SOCK_STREAM, 0); if (sock == -1) { - com_err(data->prog, errno, "Cannot create TCP server socket on %s", - paddr(addr)); - return -1; + com_err(data->prog, errno, "Cannot create TCP server socket on %s", + paddr(addr)); + return -1; } set_cloexec_fd(sock); #ifndef _WIN32 if (sock >= FD_SETSIZE) { - close(sock); - com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high", - sock, paddr(addr)); - return -1; + close(sock); + com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high", + sock, paddr(addr)); + return -1; } #endif if (setreuseaddr(sock, 1) < 0) - com_err(data->prog, errno, - "Cannot enable SO_REUSEADDR on fd %d", sock); + com_err(data->prog, errno, + "Cannot enable SO_REUSEADDR on fd %d", sock); #ifdef KRB5_USE_INET6 if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY - if (setv6only(sock, 1)) - com_err(data->prog, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", - sock); - else - com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", - sock); + if (setv6only(sock, 1)) + com_err(data->prog, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", + sock); + else + com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", + sock); #else - krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); + krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ } #endif /* KRB5_USE_INET6 */ if (bind(sock, addr, socklen(addr)) == -1) { - com_err(data->prog, errno, - "Cannot bind TCP server socket on %s", paddr(addr)); - close(sock); - return -1; + com_err(data->prog, errno, + "Cannot bind TCP server socket on %s", paddr(addr)); + close(sock); + return -1; } if (listen(sock, 5) < 0) { - com_err(data->prog, errno, "Cannot listen on TCP server socket on %s", - paddr(addr)); - close(sock); - return -1; + com_err(data->prog, errno, "Cannot listen on TCP server socket on %s", + paddr(addr)); + close(sock); + return -1; } if (setnbio(sock)) { - com_err(data->prog, errno, - "cannot set listening tcp socket on %s non-blocking", - paddr(addr)); - close(sock); - return -1; + com_err(data->prog, errno, + "cannot set listening tcp socket on %s non-blocking", + paddr(addr)); + close(sock); + return -1; } if (setnolinger(sock)) { - com_err(data->prog, errno, "disabling SO_LINGER on TCP socket on %s", - paddr(addr)); - close(sock); - return -1; + com_err(data->prog, errno, "disabling SO_LINGER on TCP socket on %s", + paddr(addr)); + close(sock); + return -1; } return sock; } @@ -553,27 +554,27 @@ setup_a_rpc_listener(struct socksetup *data, struct sockaddr *addr) sock = socket(addr->sa_family, SOCK_STREAM, 0); if (sock == -1) { - com_err(data->prog, errno, "Cannot create RPC server socket on %s", - paddr(addr)); - return -1; + com_err(data->prog, errno, "Cannot create RPC server socket on %s", + paddr(addr)); + return -1; } set_cloexec_fd(sock); #ifndef _WIN32 if (sock >= FD_SETSIZE) { - close(sock); - com_err(data->prog, 0, "RPC socket fd number %d (for %s) too high", - sock, paddr(addr)); - return -1; + close(sock); + com_err(data->prog, 0, "RPC socket fd number %d (for %s) too high", + sock, paddr(addr)); + return -1; } #endif if (setreuseaddr(sock, 1) < 0) - com_err(data->prog, errno, - "Cannot enable SO_REUSEADDR on fd %d", sock); + com_err(data->prog, errno, + "Cannot enable SO_REUSEADDR on fd %d", sock); if (bind(sock, addr, socklen(addr)) == -1) { - com_err(data->prog, errno, - "Cannot bind RPC server socket on %s", paddr(addr)); - close(sock); - return -1; + com_err(data->prog, errno, + "Cannot bind RPC server socket on %s", paddr(addr)); + close(sock); + return -1; } return sock; } @@ -604,58 +605,58 @@ setup_tcp_listener_ports(struct socksetup *data) #endif FOREACH_ELT (tcp_port_data, i, port) { - int s4, s6; - - set_sa_port((struct sockaddr *)&sin4, htons(port)); - if (!ipv6_enabled()) { - s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); - if (s4 < 0) - return -1; - s6 = -1; - } else { + int s4, s6; + + set_sa_port((struct sockaddr *)&sin4, htons(port)); + if (!ipv6_enabled()) { + s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); + if (s4 < 0) + return -1; + s6 = -1; + } else { #ifndef KRB5_USE_INET6 - abort(); + abort(); #else - s4 = s6 = -1; + s4 = s6 = -1; - set_sa_port((struct sockaddr *)&sin6, htons(port)); + set_sa_port((struct sockaddr *)&sin6, htons(port)); - s6 = setup_a_tcp_listener(data, (struct sockaddr *)&sin6); - if (s6 < 0) - return -1; + s6 = setup_a_tcp_listener(data, (struct sockaddr *)&sin6); + if (s6 < 0) + return -1; - s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); + s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); #endif /* KRB5_USE_INET6 */ - } - - /* Sockets are created, prepare to listen on them. */ - if (s4 >= 0) { - if (add_tcp_listener_fd(data, s4) == NULL) - close(s4); - else { - FD_SET(s4, &sstate.rfds); - if (s4 >= sstate.max) - sstate.max = s4 + 1; - krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", - s4, paddr((struct sockaddr *)&sin4)); - } - } + } + + /* Sockets are created, prepare to listen on them. */ + if (s4 >= 0) { + if (add_tcp_listener_fd(data, s4) == NULL) + close(s4); + else { + FD_SET(s4, &sstate.rfds); + if (s4 >= sstate.max) + sstate.max = s4 + 1; + krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", + s4, paddr((struct sockaddr *)&sin4)); + } + } #ifdef KRB5_USE_INET6 - if (s6 >= 0) { - if (add_tcp_listener_fd(data, s6) == NULL) { - close(s6); - s6 = -1; - } else { - FD_SET(s6, &sstate.rfds); - if (s6 >= sstate.max) - sstate.max = s6 + 1; - krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", - s6, paddr((struct sockaddr *)&sin6)); - } - if (s4 < 0) - krb5_klog_syslog(LOG_INFO, - "assuming IPv6 socket accepts IPv4"); - } + if (s6 >= 0) { + if (add_tcp_listener_fd(data, s6) == NULL) { + close(s6); + s6 = -1; + } else { + FD_SET(s6, &sstate.rfds); + if (s6 >= sstate.max) + sstate.max = s6 + 1; + krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", + s6, paddr((struct sockaddr *)&sin6)); + } + if (s4 < 0) + krb5_klog_syslog(LOG_INFO, + "assuming IPv6 socket accepts IPv4"); + } #endif } return 0; @@ -676,23 +677,23 @@ setup_rpc_listener_ports(struct socksetup *data) sin4.sin_addr.s_addr = INADDR_ANY; FOREACH_ELT (rpc_svc_data, i, svc) { - int s4; - - set_sa_port((struct sockaddr *)&sin4, htons(svc.port)); - s4 = setup_a_rpc_listener(data, (struct sockaddr *)&sin4); - if (s4 < 0) - return -1; - else { - if (add_rpc_listener_fd(data, &svc, s4) == NULL) - close(s4); - else { - FD_SET(s4, &sstate.rfds); - if (s4 >= sstate.max) - sstate.max = s4 + 1; - krb5_klog_syslog(LOG_INFO, "listening on fd %d: rpc %s", - s4, paddr((struct sockaddr *)&sin4)); - } - } + int s4; + + set_sa_port((struct sockaddr *)&sin4, htons(svc.port)); + s4 = setup_a_rpc_listener(data, (struct sockaddr *)&sin4); + if (s4 < 0) + return -1; + else { + if (add_rpc_listener_fd(data, &svc, s4) == NULL) + close(s4); + else { + FD_SET(s4, &sstate.rfds); + if (s4 >= sstate.max) + sstate.max = s4 + 1; + krb5_klog_syslog(LOG_INFO, "listening on fd %d: rpc %s", + s4, paddr((struct sockaddr *)&sin4)); + } + } } FD_ZERO(&rpc_listenfds); rpc_listenfds = svc_fdset; @@ -712,39 +713,39 @@ union pktinfo { static int setup_udp_port_1(struct socksetup *data, struct sockaddr *addr, - char *haddrbuf, int pktinfo); + char *haddrbuf, int pktinfo); static void setup_udp_pktinfo_ports(struct socksetup *data) { #ifdef IP_PKTINFO { - struct sockaddr_in sa; - int r; + struct sockaddr_in sa; + int r; - memset(&sa, 0, sizeof(sa)); - sa.sin_family = AF_INET; + memset(&sa, 0, sizeof(sa)); + sa.sin_family = AF_INET; #ifdef HAVE_SA_LEN - sa.sin_len = sizeof(sa); + sa.sin_len = sizeof(sa); #endif - r = setup_udp_port_1(data, (struct sockaddr *) &sa, "0.0.0.0", 4); - if (r == 0) - data->udp_flags &= ~UDP_DO_IPV4; + r = setup_udp_port_1(data, (struct sockaddr *) &sa, "0.0.0.0", 4); + if (r == 0) + data->udp_flags &= ~UDP_DO_IPV4; } #endif #ifdef IPV6_PKTINFO { - struct sockaddr_in6 sa; - int r; + struct sockaddr_in6 sa; + int r; - memset(&sa, 0, sizeof(sa)); - sa.sin6_family = AF_INET6; + memset(&sa, 0, sizeof(sa)); + sa.sin6_family = AF_INET6; #ifdef HAVE_SA_LEN - sa.sin6_len = sizeof(sa); + sa.sin6_len = sizeof(sa); #endif - r = setup_udp_port_1(data, (struct sockaddr *) &sa, "::", 6); - if (r == 0) - data->udp_flags &= ~UDP_DO_IPV6; + r = setup_udp_port_1(data, (struct sockaddr *) &sa, "::", 6); + if (r == 0) + data->udp_flags &= ~UDP_DO_IPV6; } #endif } @@ -757,67 +758,67 @@ setup_udp_pktinfo_ports(struct socksetup *data) static int setup_udp_port_1(struct socksetup *data, struct sockaddr *addr, - char *haddrbuf, int pktinfo) + char *haddrbuf, int pktinfo) { int sock = -1, i, r; u_short port; FOREACH_ELT (udp_port_data, i, port) { - sock = socket (addr->sa_family, SOCK_DGRAM, 0); - if (sock == -1) { - data->retval = errno; - com_err(data->prog, data->retval, - "Cannot create server socket for port %d address %s", - port, haddrbuf); - return 1; - } - set_cloexec_fd(sock); + sock = socket (addr->sa_family, SOCK_DGRAM, 0); + if (sock == -1) { + data->retval = errno; + com_err(data->prog, data->retval, + "Cannot create server socket for port %d address %s", + port, haddrbuf); + return 1; + } + set_cloexec_fd(sock); #ifdef KRB5_USE_INET6 - if (addr->sa_family == AF_INET6) { + if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY - if (setv6only(sock, 1)) - com_err(data->prog, errno, - "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); - else - com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", - sock); + if (setv6only(sock, 1)) + com_err(data->prog, errno, + "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); + else + com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", + sock); #else - krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); + krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ - } + } #endif - set_sa_port(addr, htons(port)); - if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) { - data->retval = errno; - com_err(data->prog, data->retval, - "Cannot bind server socket to port %d address %s", - port, haddrbuf); - close(sock); - return 1; - } + set_sa_port(addr, htons(port)); + if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) { + data->retval = errno; + com_err(data->prog, data->retval, + "Cannot bind server socket to port %d address %s", + port, haddrbuf); + close(sock); + return 1; + } #if !(defined(CMSG_SPACE) && defined(HAVE_STRUCT_CMSGHDR) && (defined(IP_PKTINFO) || defined(IPV6_PKTINFO))) - assert(pktinfo == 0); + assert(pktinfo == 0); #endif - if (pktinfo) { - r = set_pktinfo(sock, addr->sa_family); - if (r) { - com_err(data->prog, r, - "Cannot request packet info for udp socket address %s port %d", - haddrbuf, port); - close(sock); - return 1; - } - } - krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock, - paddr((struct sockaddr *)addr), - pktinfo ? " (pktinfo)" : ""); - if (add_udp_fd (data, sock, pktinfo) == 0) { - close(sock); - return 1; - } - FD_SET (sock, &sstate.rfds); - if (sock >= sstate.max) - sstate.max = sock + 1; + if (pktinfo) { + r = set_pktinfo(sock, addr->sa_family); + if (r) { + com_err(data->prog, r, + "Cannot request packet info for udp socket address %s port %d", + haddrbuf, port); + close(sock); + return 1; + } + } + krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock, + paddr((struct sockaddr *)addr), + pktinfo ? " (pktinfo)" : ""); + if (add_udp_fd (data, sock, pktinfo) == 0) { + close(sock); + return 1; + } + FD_SET (sock, &sstate.rfds); + if (sock >= sstate.max) + sstate.max = sock + 1; } return 0; } @@ -830,51 +831,51 @@ setup_udp_port(void *P_data, struct sockaddr *addr) int err; if (addr->sa_family == AF_INET && !(data->udp_flags & UDP_DO_IPV4)) - return 0; + return 0; #ifdef AF_INET6 if (addr->sa_family == AF_INET6 && !(data->udp_flags & UDP_DO_IPV6)) - return 0; + return 0; #endif err = getnameinfo(addr, socklen(addr), haddrbuf, sizeof(haddrbuf), - 0, 0, NI_NUMERICHOST); + 0, 0, NI_NUMERICHOST); if (err) - strlcpy(haddrbuf, "", sizeof(haddrbuf)); + strlcpy(haddrbuf, "", sizeof(haddrbuf)); switch (addr->sa_family) { case AF_INET: - break; + break; #ifdef AF_INET6 case AF_INET6: #ifdef KRB5_USE_INET6 - break; + break; #else - { - static int first = 1; - if (first) { - krb5_klog_syslog (LOG_INFO, "skipping local ipv6 addresses"); - first = 0; - } - return 0; - } + { + static int first = 1; + if (first) { + krb5_klog_syslog (LOG_INFO, "skipping local ipv6 addresses"); + first = 0; + } + return 0; + } #endif #endif #ifdef AF_LINK /* some BSD systems, AIX */ case AF_LINK: - return 0; + return 0; #endif #ifdef AF_DLI /* Direct Link Interface - DEC Ultrix/OSF1 link layer? */ case AF_DLI: - return 0; + return 0; #endif #ifdef AF_APPLETALK case AF_APPLETALK: - return 0; + return 0; #endif default: - krb5_klog_syslog (LOG_INFO, - "skipping unrecognized local address family %d", - addr->sa_family); - return 0; + krb5_klog_syslog (LOG_INFO, + "skipping unrecognized local address family %d", + addr->sa_family); + return 0; } return setup_udp_port_1(data, addr, haddrbuf, 0); } @@ -886,40 +887,40 @@ static void klog_handler(const void *data, size_t len) static int bufoffset; void *p; -#define flush_buf() \ - (bufoffset \ - ? (((buf[0] == 0 || buf[0] == '\n') \ - ? (fork()==0?abort():(void)0) \ - : (void)0), \ - krb5_klog_syslog(LOG_INFO, "%s", buf), \ - memset(buf, 0, sizeof(buf)), \ - bufoffset = 0) \ - : 0) +#define flush_buf() \ + (bufoffset \ + ? (((buf[0] == 0 || buf[0] == '\n') \ + ? (fork()==0?abort():(void)0) \ + : (void)0), \ + krb5_klog_syslog(LOG_INFO, "%s", buf), \ + memset(buf, 0, sizeof(buf)), \ + bufoffset = 0) \ + : 0) p = memchr(data, 0, len); if (p) - len = (const char *)p - (const char *)data; + len = (const char *)p - (const char *)data; scan_for_newlines: if (len == 0) - return; + return; p = memchr(data, '\n', len); if (p) { - if (p != data) - klog_handler(data, (size_t)((const char *)p - (const char *)data)); - flush_buf(); - len -= ((const char *)p - (const char *)data) + 1; - data = 1 + (const char *)p; - goto scan_for_newlines; + if (p != data) + klog_handler(data, (size_t)((const char *)p - (const char *)data)); + flush_buf(); + len -= ((const char *)p - (const char *)data) + 1; + data = 1 + (const char *)p; + goto scan_for_newlines; } else if (len > sizeof(buf) - 1 || len + bufoffset > sizeof(buf) - 1) { - size_t x = sizeof(buf) - len - 1; - klog_handler(data, x); - flush_buf(); - len -= x; - data = (const char *)data + x; - goto scan_for_newlines; + size_t x = sizeof(buf) - len - 1; + klog_handler(data, x); + flush_buf(); + len -= x; + data = (const char *)data + x; + goto scan_for_newlines; } else { - memcpy(buf + bufoffset, data, len); - bufoffset += len; + memcpy(buf + bufoffset, data, len); + bufoffset += len; } } #endif @@ -953,70 +954,70 @@ static char *rtm_type_name(int type) } static void process_routing_update(void *handle, struct connection *conn, - const char *prog, int selflags) + const char *prog, int selflags) { int n_read; struct rt_msghdr rtm; krb5_klog_syslog(LOG_INFO, "routing socket readable"); while ((n_read = read(conn->fd, &rtm, sizeof(rtm))) > 0) { - if (n_read < sizeof(rtm)) { - /* Quick hack to figure out if the interesting - fields are present in a short read. + if (n_read < sizeof(rtm)) { + /* Quick hack to figure out if the interesting + fields are present in a short read. - A short read seems to be normal for some message types. - Only complain if we don't have the critical initial - header fields. */ + A short read seems to be normal for some message types. + Only complain if we don't have the critical initial + header fields. */ #define RS(FIELD) (offsetof(struct rt_msghdr, FIELD) + sizeof(rtm.FIELD)) - if (n_read < RS(rtm_type) || - n_read < RS(rtm_version) || - n_read < RS(rtm_msglen)) { - krb5_klog_syslog(LOG_ERR, - "short read (%d/%d) from routing socket", - n_read, (int) sizeof(rtm)); - return; - } - } - krb5_klog_syslog(LOG_INFO, - "got routing msg type %d(%s) v%d", - rtm.rtm_type, rtm_type_name(rtm.rtm_type), - rtm.rtm_version); - if (rtm.rtm_msglen > sizeof(rtm)) { - /* It appears we get a partial message and the rest is - thrown away? */ - } else if (rtm.rtm_msglen != n_read) { - krb5_klog_syslog(LOG_ERR, - "read %d from routing socket but msglen is %d", - n_read, rtm.rtm_msglen); - } - switch (rtm.rtm_type) { - case RTM_ADD: - case RTM_DELETE: - case RTM_NEWADDR: - case RTM_DELADDR: - case RTM_IFINFO: - case RTM_OLDADD: - case RTM_OLDDEL: - krb5_klog_syslog(LOG_INFO, "reconfiguration needed"); - network_reconfiguration_needed = 1; - break; - case RTM_RESOLVE: + if (n_read < RS(rtm_type) || + n_read < RS(rtm_version) || + n_read < RS(rtm_msglen)) { + krb5_klog_syslog(LOG_ERR, + "short read (%d/%d) from routing socket", + n_read, (int) sizeof(rtm)); + return; + } + } + krb5_klog_syslog(LOG_INFO, + "got routing msg type %d(%s) v%d", + rtm.rtm_type, rtm_type_name(rtm.rtm_type), + rtm.rtm_version); + if (rtm.rtm_msglen > sizeof(rtm)) { + /* It appears we get a partial message and the rest is + thrown away? */ + } else if (rtm.rtm_msglen != n_read) { + krb5_klog_syslog(LOG_ERR, + "read %d from routing socket but msglen is %d", + n_read, rtm.rtm_msglen); + } + switch (rtm.rtm_type) { + case RTM_ADD: + case RTM_DELETE: + case RTM_NEWADDR: + case RTM_DELADDR: + case RTM_IFINFO: + case RTM_OLDADD: + case RTM_OLDDEL: + krb5_klog_syslog(LOG_INFO, "reconfiguration needed"); + network_reconfiguration_needed = 1; + break; + case RTM_RESOLVE: #ifdef RTM_NEWMADDR - case RTM_NEWMADDR: - case RTM_DELMADDR: + case RTM_NEWMADDR: + case RTM_DELMADDR: #endif - case RTM_MISS: - case RTM_REDIRECT: - case RTM_LOSING: - case RTM_GET: - /* Not interesting. */ - krb5_klog_syslog(LOG_DEBUG, "routing msg not interesting"); - break; - default: - krb5_klog_syslog(LOG_INFO, "unhandled routing message type, will reconfigure just for the fun of it"); - network_reconfiguration_needed = 1; - break; - } + case RTM_MISS: + case RTM_REDIRECT: + case RTM_LOSING: + case RTM_GET: + /* Not interesting. */ + krb5_klog_syslog(LOG_DEBUG, "routing msg not interesting"); + break; + default: + krb5_klog_syslog(LOG_INFO, "unhandled routing message type, will reconfigure just for the fun of it"); + network_reconfiguration_needed = 1; + break; + } } } @@ -1025,14 +1026,14 @@ setup_routing_socket(struct socksetup *data) { int sock = socket(PF_ROUTE, SOCK_RAW, 0); if (sock < 0) { - int e = errno; - krb5_klog_syslog(LOG_INFO, "couldn't set up routing socket: %s", - strerror(e)); + int e = errno; + krb5_klog_syslog(LOG_INFO, "couldn't set up routing socket: %s", + strerror(e)); } else { - krb5_klog_syslog(LOG_INFO, "routing socket is fd %d", sock); - add_fd(data, sock, CONN_ROUTING, process_routing_update); - setnbio(sock); - FD_SET(sock, &sstate.rfds); + krb5_klog_syslog(LOG_INFO, "routing socket is fd %d", sock); + add_fd(data, sock, CONN_ROUTING, process_routing_update); + setnbio(sock); + FD_SET(sock, &sstate.rfds); } } #endif @@ -1058,25 +1059,25 @@ setup_network(void *handle, const char *prog) retval = add_udp_port(server_handle->params.kpasswd_port); if (retval) - return retval; + return retval; retval = add_tcp_port(server_handle->params.kpasswd_port); if (retval) - return retval; + return retval; retval = add_rpc_service(server_handle->params.kadmind_port, - KADM, KADMVERS, - kadm_1); + KADM, KADMVERS, + kadm_1); if (retval) - return retval; + return retval; #ifndef DISABLE_IPROP if (server_handle->params.iprop_enabled) { - retval = add_rpc_service(server_handle->params.iprop_port, - KRB5_IPROP_PROG, KRB5_IPROP_VERS, - krb5_iprop_prog_1); - if (retval) - return retval; + retval = add_rpc_service(server_handle->params.iprop_port, + KRB5_IPROP_PROG, KRB5_IPROP_VERS, + krb5_iprop_prog_1); + if (retval) + return retval; } #endif /* DISABLE_IPROP */ @@ -1093,16 +1094,16 @@ setup_network(void *handle, const char *prog) setup_data.udp_flags = UDP_DO_IPV4 | UDP_DO_IPV6; setup_udp_pktinfo_ports(&setup_data); if (setup_data.udp_flags) { - if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { - return setup_data.retval; - } + if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { + return setup_data.retval; + } } setup_tcp_listener_ports(&setup_data); setup_rpc_listener_ports(&setup_data); krb5_klog_syslog (LOG_INFO, "set up %d sockets", n_sockets); if (n_sockets == 0) { - com_err(prog, 0, "no sockets set up?"); - exit (1); + com_err(prog, 0, "no sockets set up?"); + exit (1); } return 0; @@ -1112,45 +1113,45 @@ static void init_addr(krb5_fulladdr *faddr, struct sockaddr *sa) { switch (sa->sa_family) { case AF_INET: - faddr->address->addrtype = ADDRTYPE_INET; - faddr->address->length = 4; - faddr->address->contents = (krb5_octet *) &sa2sin(sa)->sin_addr; - faddr->port = ntohs(sa2sin(sa)->sin_port); - break; + faddr->address->addrtype = ADDRTYPE_INET; + faddr->address->length = 4; + faddr->address->contents = (krb5_octet *) &sa2sin(sa)->sin_addr; + faddr->port = ntohs(sa2sin(sa)->sin_port); + break; #ifdef KRB5_USE_INET6 case AF_INET6: - if (IN6_IS_ADDR_V4MAPPED(&sa2sin6(sa)->sin6_addr)) { - faddr->address->addrtype = ADDRTYPE_INET; - faddr->address->length = 4; - faddr->address->contents = 12 + (krb5_octet *) &sa2sin6(sa)->sin6_addr; - } else { - faddr->address->addrtype = ADDRTYPE_INET6; - faddr->address->length = 16; - faddr->address->contents = (krb5_octet *) &sa2sin6(sa)->sin6_addr; - } - faddr->port = ntohs(sa2sin6(sa)->sin6_port); - break; + if (IN6_IS_ADDR_V4MAPPED(&sa2sin6(sa)->sin6_addr)) { + faddr->address->addrtype = ADDRTYPE_INET; + faddr->address->length = 4; + faddr->address->contents = 12 + (krb5_octet *) &sa2sin6(sa)->sin6_addr; + } else { + faddr->address->addrtype = ADDRTYPE_INET6; + faddr->address->length = 16; + faddr->address->contents = (krb5_octet *) &sa2sin6(sa)->sin6_addr; + } + faddr->port = ntohs(sa2sin6(sa)->sin6_port); + break; #endif default: - faddr->address->addrtype = -1; - faddr->address->length = 0; - faddr->address->contents = 0; - faddr->port = 0; - break; + faddr->address->addrtype = -1; + faddr->address->length = 0; + faddr->address->contents = 0; + faddr->port = 0; + break; } } static int recv_from_to(int s, void *buf, size_t len, int flags, - struct sockaddr *from, socklen_t *fromlen, - struct sockaddr *to, socklen_t *tolen) + struct sockaddr *from, socklen_t *fromlen, + struct sockaddr *to, socklen_t *tolen) { #if (!defined(IP_PKTINFO) && !defined(IPV6_PKTINFO)) || !defined(CMSG_SPACE) if (to && tolen) { - /* Clobber with something recognizeable in case we try to use - the address. */ - memset(to, 0x40, *tolen); - *tolen = 0; + /* Clobber with something recognizeable in case we try to use + the address. */ + memset(to, 0x40, *tolen); + *tolen = 0; } return recvfrom(s, buf, len, flags, from, fromlen); @@ -1162,7 +1163,7 @@ recv_from_to(int s, void *buf, size_t len, int flags, struct msghdr msg; if (!to || !tolen) - return recvfrom(s, buf, len, flags, from, fromlen); + return recvfrom(s, buf, len, flags, from, fromlen); /* Clobber with something recognizeable in case we can't extract the address but try to use it anyways. */ @@ -1180,7 +1181,7 @@ recv_from_to(int s, void *buf, size_t len, int flags, r = recvmsg(s, &msg, flags); if (r < 0) - return r; + return r; *fromlen = msg.msg_namelen; /* On Darwin (and presumably all *BSD with KAME stacks), @@ -1188,36 +1189,36 @@ recv_from_to(int s, void *buf, size_t len, int flags, 3542 recommends making this check, even though the (new) spec for CMSG_FIRSTHDR says it's supposed to do the check. */ if (msg.msg_controllen) { - cmsgptr = CMSG_FIRSTHDR(&msg); - while (cmsgptr) { + cmsgptr = CMSG_FIRSTHDR(&msg); + while (cmsgptr) { #ifdef IP_PKTINFO - if (cmsgptr->cmsg_level == IPPROTO_IP - && cmsgptr->cmsg_type == IP_PKTINFO - && *tolen >= sizeof(struct sockaddr_in)) { - struct in_pktinfo *pktinfo; - memset(to, 0, sizeof(struct sockaddr_in)); - pktinfo = (struct in_pktinfo *)CMSG_DATA(cmsgptr); - ((struct sockaddr_in *)to)->sin_addr = pktinfo->ipi_addr; - ((struct sockaddr_in *)to)->sin_family = AF_INET; - *tolen = sizeof(struct sockaddr_in); - return r; - } + if (cmsgptr->cmsg_level == IPPROTO_IP + && cmsgptr->cmsg_type == IP_PKTINFO + && *tolen >= sizeof(struct sockaddr_in)) { + struct in_pktinfo *pktinfo; + memset(to, 0, sizeof(struct sockaddr_in)); + pktinfo = (struct in_pktinfo *)CMSG_DATA(cmsgptr); + ((struct sockaddr_in *)to)->sin_addr = pktinfo->ipi_addr; + ((struct sockaddr_in *)to)->sin_family = AF_INET; + *tolen = sizeof(struct sockaddr_in); + return r; + } #endif #if defined(KRB5_USE_INET6) && defined(IPV6_PKTINFO)&& defined(HAVE_STRUCT_IN6_PKTINFO) - if (cmsgptr->cmsg_level == IPPROTO_IPV6 - && cmsgptr->cmsg_type == IPV6_PKTINFO - && *tolen >= sizeof(struct sockaddr_in6)) { - struct in6_pktinfo *pktinfo; - memset(to, 0, sizeof(struct sockaddr_in6)); - pktinfo = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); - ((struct sockaddr_in6 *)to)->sin6_addr = pktinfo->ipi6_addr; - ((struct sockaddr_in6 *)to)->sin6_family = AF_INET6; - *tolen = sizeof(struct sockaddr_in6); - return r; - } + if (cmsgptr->cmsg_level == IPPROTO_IPV6 + && cmsgptr->cmsg_type == IPV6_PKTINFO + && *tolen >= sizeof(struct sockaddr_in6)) { + struct in6_pktinfo *pktinfo; + memset(to, 0, sizeof(struct sockaddr_in6)); + pktinfo = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); + ((struct sockaddr_in6 *)to)->sin6_addr = pktinfo->ipi6_addr; + ((struct sockaddr_in6 *)to)->sin6_family = AF_INET6; + *tolen = sizeof(struct sockaddr_in6); + return r; + } #endif - cmsgptr = CMSG_NXTHDR(&msg, cmsgptr); - } + cmsgptr = CMSG_NXTHDR(&msg, cmsgptr); + } } /* No info about destination addr was available. */ *tolen = 0; @@ -1227,8 +1228,8 @@ recv_from_to(int s, void *buf, size_t len, int flags, static int send_to_from(int s, void *buf, size_t len, int flags, - const struct sockaddr *to, socklen_t tolen, - const struct sockaddr *from, socklen_t fromlen) + const struct sockaddr *to, socklen_t tolen, + const struct sockaddr *from, socklen_t fromlen) { #if (!defined(IP_PKTINFO) && !defined(IPV6_PKTINFO)) || !defined(CMSG_SPACE) return sendto(s, buf, len, flags, to, tolen); @@ -1240,14 +1241,14 @@ send_to_from(int s, void *buf, size_t len, int flags, if (from == 0 || fromlen == 0 || from->sa_family != to->sa_family) { use_sendto: - return sendto(s, buf, len, flags, to, tolen); + return sendto(s, buf, len, flags, to, tolen); } iov.iov_base = buf; iov.iov_len = len; /* Truncation? */ if (iov.iov_len != len) - return EINVAL; + return EINVAL; memset(cbuf, 0, sizeof(cbuf)); memset(&msg, 0, sizeof(msg)); msg.msg_name = (void *) to; @@ -1264,36 +1265,36 @@ send_to_from(int s, void *buf, size_t len, int flags, switch (from->sa_family) { #if defined(IP_PKTINFO) case AF_INET: - if (fromlen != sizeof(struct sockaddr_in)) - goto use_sendto; - cmsgptr->cmsg_level = IPPROTO_IP; - cmsgptr->cmsg_type = IP_PKTINFO; - cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); - { - struct in_pktinfo *p = (struct in_pktinfo *)CMSG_DATA(cmsgptr); - const struct sockaddr_in *from4 = (const struct sockaddr_in *)from; - p->ipi_spec_dst = from4->sin_addr; - } - msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); - break; + if (fromlen != sizeof(struct sockaddr_in)) + goto use_sendto; + cmsgptr->cmsg_level = IPPROTO_IP; + cmsgptr->cmsg_type = IP_PKTINFO; + cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + { + struct in_pktinfo *p = (struct in_pktinfo *)CMSG_DATA(cmsgptr); + const struct sockaddr_in *from4 = (const struct sockaddr_in *)from; + p->ipi_spec_dst = from4->sin_addr; + } + msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); + break; #endif #if defined(KRB5_USE_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_STRUCT_IN6_PKTINFO) case AF_INET6: - if (fromlen != sizeof(struct sockaddr_in6)) - goto use_sendto; - cmsgptr->cmsg_level = IPPROTO_IPV6; - cmsgptr->cmsg_type = IPV6_PKTINFO; - cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); - { - struct in6_pktinfo *p = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); - const struct sockaddr_in6 *from6 = (const struct sockaddr_in6 *)from; - p->ipi6_addr = from6->sin6_addr; - } - msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); - break; + if (fromlen != sizeof(struct sockaddr_in6)) + goto use_sendto; + cmsgptr->cmsg_level = IPPROTO_IPV6; + cmsgptr->cmsg_type = IPV6_PKTINFO; + cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + { + struct in6_pktinfo *p = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); + const struct sockaddr_in6 *from6 = (const struct sockaddr_in6 *)from; + p->ipi6_addr = from6->sin6_addr; + } + msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); + break; #endif default: - goto use_sendto; + goto use_sendto; } return sendmsg(s, &msg, flags); #endif @@ -1302,8 +1303,8 @@ send_to_from(int s, void *buf, size_t len, int flags, /* Dispatch routine for set/change password */ static krb5_error_code dispatch(void *handle, - struct sockaddr *local_saddr, krb5_fulladdr *remote_faddr, - krb5_data *request, krb5_data **response) + struct sockaddr *local_saddr, krb5_fulladdr *remote_faddr, + krb5_data *request, krb5_data **response) { krb5_error_code ret; krb5_keytab kt = NULL; @@ -1314,42 +1315,42 @@ dispatch(void *handle, *response = NULL; if (local_saddr == NULL) { - ret = krb5_os_localaddr(server_handle->context, &local_kaddrs); - if (ret != 0) - goto cleanup; + ret = krb5_os_localaddr(server_handle->context, &local_kaddrs); + if (ret != 0) + goto cleanup; - local_faddr.address = local_kaddrs[0]; - local_faddr.port = 0; + local_faddr.address = local_kaddrs[0]; + local_faddr.port = 0; } else { - local_faddr.address = &local_kaddr_buf; - init_addr(&local_faddr, local_saddr); + local_faddr.address = &local_kaddr_buf; + init_addr(&local_faddr, local_saddr); } ret = krb5_kt_resolve(server_handle->context, "KDB:", &kt); if (ret != 0) { - krb5_klog_syslog(LOG_ERR, "chpw: Couldn't open admin keytab %s", - krb5_get_error_message(server_handle->context, ret)); - goto cleanup; + krb5_klog_syslog(LOG_ERR, "chpw: Couldn't open admin keytab %s", + krb5_get_error_message(server_handle->context, ret)); + goto cleanup; } *response = (krb5_data *)malloc(sizeof(krb5_data)); if (*response == NULL) { - ret = ENOMEM; - goto cleanup; + ret = ENOMEM; + goto cleanup; } ret = process_chpw_request(server_handle->context, - handle, - server_handle->params.realm, - kt, - &local_faddr, - remote_faddr, - request, - *response); + handle, + server_handle->params.realm, + kt, + &local_faddr, + remote_faddr, + request, + *response); cleanup: if (local_kaddrs != NULL) - krb5_free_addresses(server_handle->context, local_kaddrs); + krb5_free_addresses(server_handle->context, local_kaddrs); krb5_kt_close(server_handle->context, kt); @@ -1357,8 +1358,8 @@ cleanup: } static void process_packet(void *handle, - struct connection *conn, const char *prog, - int selflags) + struct connection *conn, const char *prog, + int selflags) { int cc; socklen_t saddr_len, daddr_len; @@ -1376,40 +1377,40 @@ static void process_packet(void *handle, saddr_len = sizeof(saddr); daddr_len = sizeof(daddr); cc = recv_from_to(port_fd, pktbuf, sizeof(pktbuf), 0, - (struct sockaddr *)&saddr, &saddr_len, - (struct sockaddr *)&daddr, &daddr_len); + (struct sockaddr *)&saddr, &saddr_len, + (struct sockaddr *)&daddr, &daddr_len); if (cc == -1) { - if (errno != EINTR - /* This is how Linux indicates that a previous - transmission was refused, e.g., if the client timed out - before getting the response packet. */ - && errno != ECONNREFUSED - ) - com_err(prog, errno, "while receiving from network"); - return; + if (errno != EINTR + /* This is how Linux indicates that a previous + transmission was refused, e.g., if the client timed out + before getting the response packet. */ + && errno != ECONNREFUSED + ) + com_err(prog, errno, "while receiving from network"); + return; } if (!cc) - return; /* zero-length packet? */ + return; /* zero-length packet? */ #if 0 if (daddr_len > 0) { - char addrbuf[100]; - if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf), - 0, 0, NI_NUMERICHOST)) - strlcpy(addrbuf, "?", sizeof(addrbuf)); - com_err(prog, 0, "pktinfo says local addr is %s", addrbuf); + char addrbuf[100]; + if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf), + 0, 0, NI_NUMERICHOST)) + strlcpy(addrbuf, "?", sizeof(addrbuf)); + com_err(prog, 0, "pktinfo says local addr is %s", addrbuf); } #endif if (daddr_len == 0 && conn->type == CONN_UDP) { - /* If the PKTINFO option isn't set, this socket should be - bound to a specific local address. This info probably - should've been saved in our socket data structure at setup - time. */ - daddr_len = sizeof(daddr); - if (getsockname(port_fd, (struct sockaddr *)&daddr, &daddr_len) != 0) - daddr_len = 0; - /* On failure, keep going anyways. */ + /* If the PKTINFO option isn't set, this socket should be + bound to a specific local address. This info probably + should've been saved in our socket data structure at setup + time. */ + daddr_len = sizeof(daddr); + if (getsockname(port_fd, (struct sockaddr *)&daddr, &daddr_len) != 0) + daddr_len = 0; + /* On failure, keep going anyways. */ } request.length = cc; @@ -1418,28 +1419,28 @@ static void process_packet(void *handle, init_addr(&faddr, ss2sa(&saddr)); /* this address is in net order */ if ((retval = dispatch(handle, ss2sa(&daddr), &faddr, &request, &response))) { - com_err(prog, retval, "while dispatching (udp)"); - return; + com_err(prog, retval, "while dispatching (udp)"); + return; } if (response == NULL) - return; + return; cc = send_to_from(port_fd, response->data, (socklen_t) response->length, 0, - (struct sockaddr *)&saddr, saddr_len, - (struct sockaddr *)&daddr, daddr_len); + (struct sockaddr *)&saddr, saddr_len, + (struct sockaddr *)&daddr, daddr_len); if (cc == -1) { - char addrbuf[46]; + char addrbuf[46]; krb5_free_data(server_handle->context, response); - if (inet_ntop(((struct sockaddr *)&saddr)->sa_family, - addr.contents, addrbuf, sizeof(addrbuf)) == 0) { - strlcpy(addrbuf, "?", sizeof(addrbuf)); - } - com_err(prog, errno, "while sending reply to %s/%d", - addrbuf, faddr.port); - return; + if (inet_ntop(((struct sockaddr *)&saddr)->sa_family, + addr.contents, addrbuf, sizeof(addrbuf)) == 0) { + strlcpy(addrbuf, "?", sizeof(addrbuf)); + } + com_err(prog, errno, "while sending reply to %s/%d", + addrbuf, faddr.port); + return; } if (cc != response->length) { - com_err(prog, 0, "short reply write %d vs %d\n", - response->length, cc); + com_err(prog, 0, "short reply write %d vs %d\n", + response->length, cc); } krb5_free_data(server_handle->context, response); return; @@ -1459,31 +1460,31 @@ static int kill_lru_tcp_or_rpc_connection(void *handle, struct connection *newco krb5_klog_syslog(LOG_INFO, "too many connections"); FOREACH_ELT (connections, i, c) { - if (c->type != CONN_TCP && c->type != CONN_RPC) - continue; - if (c == newconn) - continue; + if (c->type != CONN_TCP && c->type != CONN_RPC) + continue; + if (c == newconn) + continue; #if 0 - krb5_klog_syslog(LOG_INFO, "fd %d started at %ld", c->fd, - c->u.tcp.start_time); + krb5_klog_syslog(LOG_INFO, "fd %d started at %ld", c->fd, + c->u.tcp.start_time); #endif - if (oldest_tcp == NULL - || oldest_tcp->u.tcp.start_time > c->u.tcp.start_time) - oldest_tcp = c; + if (oldest_tcp == NULL + || oldest_tcp->u.tcp.start_time > c->u.tcp.start_time) + oldest_tcp = c; } if (oldest_tcp != NULL) { - krb5_klog_syslog(LOG_INFO, "dropping %s fd %d from %s", - c->type == CONN_RPC ? "rpc" : "tcp", - oldest_tcp->fd, oldest_tcp->u.tcp.addrbuf); - fd = oldest_tcp->fd; - kill_tcp_or_rpc_connection(handle, oldest_tcp, 1); + krb5_klog_syslog(LOG_INFO, "dropping %s fd %d from %s", + c->type == CONN_RPC ? "rpc" : "tcp", + oldest_tcp->fd, oldest_tcp->u.tcp.addrbuf); + fd = oldest_tcp->fd; + kill_tcp_or_rpc_connection(handle, oldest_tcp, 1); } return fd; } static void accept_tcp_connection(void *handle, - struct connection *conn, const char *prog, - int selflags) + struct connection *conn, const char *prog, + int selflags) { int s; struct sockaddr_storage addr_s; @@ -1495,12 +1496,12 @@ static void accept_tcp_connection(void *handle, s = accept(conn->fd, addr, &addrlen); if (s < 0) - return; + return; set_cloexec_fd(s); #ifndef _WIN32 if (s >= FD_SETSIZE) { - close(s); - return; + close(s); + return; } #endif setnbio(s), setnolinger(s), setkeepalive(s); @@ -1510,26 +1511,26 @@ static void accept_tcp_connection(void *handle, newconn = add_tcp_data_fd(&sockdata, s); if (newconn == NULL) - return; + return; if (getnameinfo((struct sockaddr *)&addr_s, addrlen, - newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf), - tmpbuf, sizeof(tmpbuf), - NI_NUMERICHOST | NI_NUMERICSERV)) - strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf)); + newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf), + tmpbuf, sizeof(tmpbuf), + NI_NUMERICHOST | NI_NUMERICSERV)) + strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf)); else { - char *p, *end; - p = newconn->u.tcp.addrbuf; - end = p + sizeof(newconn->u.tcp.addrbuf); - p += strlen(p); - if (end - p > 2 + strlen(tmpbuf)) { - *p++ = '.'; - strlcpy(p, tmpbuf, end - p); - } + char *p, *end; + p = newconn->u.tcp.addrbuf; + end = p + sizeof(newconn->u.tcp.addrbuf); + p += strlen(p); + if (end - p > 2 + strlen(tmpbuf)) { + *p++ = '.'; + strlcpy(p, tmpbuf, end - p); + } } #if 0 krb5_klog_syslog(LOG_INFO, "accepted TCP connection on socket %d from %s", - s, newconn->u.tcp.addrbuf); + s, newconn->u.tcp.addrbuf); #endif newconn->u.tcp.addr_s = addr_s; @@ -1539,15 +1540,15 @@ static void accept_tcp_connection(void *handle, newconn->u.tcp.start_time = time(0); if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections) - kill_lru_tcp_or_rpc_connection(handle, newconn); + kill_lru_tcp_or_rpc_connection(handle, newconn); if (newconn->u.tcp.buffer == 0) { - com_err(prog, errno, "allocating buffer for new TCP session from %s", - newconn->u.tcp.addrbuf); - delete_fd(newconn); - close(s); - tcp_or_rpc_data_counter--; - return; + com_err(prog, errno, "allocating buffer for new TCP session from %s", + newconn->u.tcp.addrbuf); + delete_fd(newconn); + close(s); + tcp_or_rpc_data_counter--; + return; } newconn->u.tcp.offset = 0; newconn->u.tcp.faddr.address = &newconn->u.tcp.kaddr; @@ -1557,7 +1558,7 @@ static void accept_tcp_connection(void *handle, FD_SET(s, &sstate.rfds); if (sstate.max <= s) - sstate.max = s + 1; + sstate.max = s + 1; } static void @@ -1569,37 +1570,37 @@ kill_tcp_or_rpc_connection(void *handle, struct connection *conn, int isForcedCl assert(conn->fd != -1); if (conn->u.tcp.response) - krb5_free_data(server_handle->context, conn->u.tcp.response); + krb5_free_data(server_handle->context, conn->u.tcp.response); if (conn->u.tcp.buffer) - free(conn->u.tcp.buffer); + free(conn->u.tcp.buffer); FD_CLR(conn->fd, &sstate.rfds); FD_CLR(conn->fd, &sstate.wfds); if (sstate.max == conn->fd + 1) - while (sstate.max > 0 - && ! FD_ISSET(sstate.max-1, &sstate.rfds) - && ! FD_ISSET(sstate.max-1, &sstate.wfds) - /* && ! FD_ISSET(sstate.max-1, &sstate.xfds) */ - ) - sstate.max--; + while (sstate.max > 0 + && ! FD_ISSET(sstate.max-1, &sstate.rfds) + && ! FD_ISSET(sstate.max-1, &sstate.wfds) + /* && ! FD_ISSET(sstate.max-1, &sstate.xfds) */ + ) + sstate.max--; /* In the non-forced case, the RPC runtime will close the descriptor for us */ if (conn->type == CONN_TCP || isForcedClose) { - close(conn->fd); + close(conn->fd); } /* For RPC connections, call into RPC runtime to flush out any internal state */ if (conn->type == CONN_RPC && isForcedClose) { - fd_set fds; + fd_set fds; - FD_ZERO(&fds); - FD_SET(conn->fd, &fds); + FD_ZERO(&fds); + FD_SET(conn->fd, &fds); - svc_getreqset(&fds); + svc_getreqset(&fds); - if (FD_ISSET(conn->fd, &svc_fdset)) { - krb5_klog_syslog(LOG_ERR, - "descriptor %d closed but still in svc_fdset", conn->fd); - } + if (FD_ISSET(conn->fd, &svc_fdset)) { + krb5_klog_syslog(LOG_ERR, + "descriptor %d closed but still in svc_fdset", conn->fd); + } } conn->fd = -1; @@ -1617,14 +1618,14 @@ make_toolong_error (void *handle, krb5_data **out) retval = krb5_us_timeofday(server_handle->context, &errpkt.stime, &errpkt.susec); if (retval) - return retval; + return retval; errpkt.error = KRB_ERR_FIELD_TOOLONG; retval = krb5_build_principal(server_handle->context, &errpkt.server, - strlen(server_handle->params.realm), - server_handle->params.realm, - "kadmin", "changepw", NULL); + strlen(server_handle->params.realm), + server_handle->params.realm, + "kadmin", "changepw", NULL); if (retval) - return retval; + return retval; errpkt.client = NULL; errpkt.cusec = 0; errpkt.ctime = 0; @@ -1634,11 +1635,11 @@ make_toolong_error (void *handle, krb5_data **out) errpkt.e_data.data = 0; scratch = malloc(sizeof(*scratch)); if (scratch == NULL) - return ENOMEM; + return ENOMEM; retval = krb5_mk_error(server_handle->context, &errpkt, scratch); if (retval) { - free(scratch); - return retval; + free(scratch); + return retval; } *out = scratch; @@ -1650,7 +1651,7 @@ queue_tcp_outgoing_response(struct connection *conn) { store_32_be(conn->u.tcp.response->length, conn->u.tcp.lenbuf); SG_SET(&conn->u.tcp.sgbuf[1], conn->u.tcp.response->data, - conn->u.tcp.response->length); + conn->u.tcp.response->length); conn->u.tcp.sgp = conn->u.tcp.sgbuf; conn->u.tcp.sgnum = 2; FD_SET(conn->fd, &sstate.wfds); @@ -1658,128 +1659,128 @@ queue_tcp_outgoing_response(struct connection *conn) static void process_tcp_connection(void *handle, - struct connection *conn, const char *prog, int selflags) + struct connection *conn, const char *prog, int selflags) { int isForcedClose = 1; /* not used now, but for completeness */ if (selflags & SSF_WRITE) { - ssize_t nwrote; - SOCKET_WRITEV_TEMP tmp; - - nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum, - tmp); - if (nwrote < 0) { - goto kill_tcp_connection; - } - if (nwrote == 0) { - /* eof */ - isForcedClose = 0; - goto kill_tcp_connection; - } - while (nwrote) { - sg_buf *sgp = conn->u.tcp.sgp; - if (nwrote < SG_LEN(sgp)) { - SG_ADVANCE(sgp, nwrote); - nwrote = 0; - } else { - nwrote -= SG_LEN(sgp); - conn->u.tcp.sgp++; - conn->u.tcp.sgnum--; - if (conn->u.tcp.sgnum == 0 && nwrote != 0) - abort(); - } - } - if (conn->u.tcp.sgnum == 0) { - /* finished sending */ - /* We should go back to reading, though if we sent a - FIELD_TOOLONG error in reply to a length with the high - bit set, RFC 4120 says we have to close the TCP - stream. */ - isForcedClose = 0; - goto kill_tcp_connection; - } + ssize_t nwrote; + SOCKET_WRITEV_TEMP tmp; + + nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum, + tmp); + if (nwrote < 0) { + goto kill_tcp_connection; + } + if (nwrote == 0) { + /* eof */ + isForcedClose = 0; + goto kill_tcp_connection; + } + while (nwrote) { + sg_buf *sgp = conn->u.tcp.sgp; + if (nwrote < SG_LEN(sgp)) { + SG_ADVANCE(sgp, nwrote); + nwrote = 0; + } else { + nwrote -= SG_LEN(sgp); + conn->u.tcp.sgp++; + conn->u.tcp.sgnum--; + if (conn->u.tcp.sgnum == 0 && nwrote != 0) + abort(); + } + } + if (conn->u.tcp.sgnum == 0) { + /* finished sending */ + /* We should go back to reading, though if we sent a + FIELD_TOOLONG error in reply to a length with the high + bit set, RFC 4120 says we have to close the TCP + stream. */ + isForcedClose = 0; + goto kill_tcp_connection; + } } else if (selflags & SSF_READ) { - /* Read message length and data into one big buffer, already - allocated at connect time. If we have a complete message, - we stop reading, so we should only be here if there is no - data in the buffer, or only an incomplete message. */ - size_t len; - ssize_t nread; - if (conn->u.tcp.offset < 4) { - /* msglen has not been computed */ - /* XXX Doing at least two reads here, letting the kernel - worry about buffering. It'll be faster when we add - code to manage the buffer here. */ - len = 4 - conn->u.tcp.offset; - nread = SOCKET_READ(conn->fd, - conn->u.tcp.buffer + conn->u.tcp.offset, len); - if (nread < 0) - /* error */ - goto kill_tcp_connection; - if (nread == 0) - /* eof */ - goto kill_tcp_connection; - conn->u.tcp.offset += nread; - if (conn->u.tcp.offset == 4) { - unsigned char *p = (unsigned char *)conn->u.tcp.buffer; - conn->u.tcp.msglen = load_32_be(p); - if (conn->u.tcp.msglen > conn->u.tcp.bufsiz - 4) { - krb5_error_code err; - /* message too big */ - krb5_klog_syslog(LOG_ERR, "TCP client %s wants %lu bytes, cap is %lu", - conn->u.tcp.addrbuf, (unsigned long) conn->u.tcp.msglen, - (unsigned long) conn->u.tcp.bufsiz - 4); - /* XXX Should return an error. */ - err = make_toolong_error (handle, &conn->u.tcp.response); - if (err) { - krb5_klog_syslog(LOG_ERR, - "error constructing KRB_ERR_FIELD_TOOLONG error! %s", - error_message(err)); - goto kill_tcp_connection; - } - goto have_response; - } - } - } else { - /* msglen known */ - krb5_data request; - krb5_error_code err; - struct sockaddr_storage local_saddr; - socklen_t local_saddrlen = sizeof(local_saddr); - struct sockaddr *local_saddrp = NULL; - - len = conn->u.tcp.msglen - (conn->u.tcp.offset - 4); - nread = SOCKET_READ(conn->fd, - conn->u.tcp.buffer + conn->u.tcp.offset, len); - if (nread < 0) - /* error */ - goto kill_tcp_connection; - if (nread == 0) - /* eof */ - goto kill_tcp_connection; - conn->u.tcp.offset += nread; - if (conn->u.tcp.offset < conn->u.tcp.msglen + 4) - return; - /* have a complete message, and exactly one message */ - request.length = conn->u.tcp.msglen; - request.data = conn->u.tcp.buffer + 4; - - if (getsockname(conn->fd, ss2sa(&local_saddr), &local_saddrlen) == 0) { - local_saddrp = ss2sa(&local_saddr); - } - - err = dispatch(handle, local_saddrp, &conn->u.tcp.faddr, - &request, &conn->u.tcp.response); - if (err) { - com_err(prog, err, "while dispatching (tcp)"); - goto kill_tcp_connection; - } - have_response: - queue_tcp_outgoing_response(conn); - FD_CLR(conn->fd, &sstate.rfds); - } + /* Read message length and data into one big buffer, already + allocated at connect time. If we have a complete message, + we stop reading, so we should only be here if there is no + data in the buffer, or only an incomplete message. */ + size_t len; + ssize_t nread; + if (conn->u.tcp.offset < 4) { + /* msglen has not been computed */ + /* XXX Doing at least two reads here, letting the kernel + worry about buffering. It'll be faster when we add + code to manage the buffer here. */ + len = 4 - conn->u.tcp.offset; + nread = SOCKET_READ(conn->fd, + conn->u.tcp.buffer + conn->u.tcp.offset, len); + if (nread < 0) + /* error */ + goto kill_tcp_connection; + if (nread == 0) + /* eof */ + goto kill_tcp_connection; + conn->u.tcp.offset += nread; + if (conn->u.tcp.offset == 4) { + unsigned char *p = (unsigned char *)conn->u.tcp.buffer; + conn->u.tcp.msglen = load_32_be(p); + if (conn->u.tcp.msglen > conn->u.tcp.bufsiz - 4) { + krb5_error_code err; + /* message too big */ + krb5_klog_syslog(LOG_ERR, "TCP client %s wants %lu bytes, cap is %lu", + conn->u.tcp.addrbuf, (unsigned long) conn->u.tcp.msglen, + (unsigned long) conn->u.tcp.bufsiz - 4); + /* XXX Should return an error. */ + err = make_toolong_error (handle, &conn->u.tcp.response); + if (err) { + krb5_klog_syslog(LOG_ERR, + "error constructing KRB_ERR_FIELD_TOOLONG error! %s", + error_message(err)); + goto kill_tcp_connection; + } + goto have_response; + } + } + } else { + /* msglen known */ + krb5_data request; + krb5_error_code err; + struct sockaddr_storage local_saddr; + socklen_t local_saddrlen = sizeof(local_saddr); + struct sockaddr *local_saddrp = NULL; + + len = conn->u.tcp.msglen - (conn->u.tcp.offset - 4); + nread = SOCKET_READ(conn->fd, + conn->u.tcp.buffer + conn->u.tcp.offset, len); + if (nread < 0) + /* error */ + goto kill_tcp_connection; + if (nread == 0) + /* eof */ + goto kill_tcp_connection; + conn->u.tcp.offset += nread; + if (conn->u.tcp.offset < conn->u.tcp.msglen + 4) + return; + /* have a complete message, and exactly one message */ + request.length = conn->u.tcp.msglen; + request.data = conn->u.tcp.buffer + 4; + + if (getsockname(conn->fd, ss2sa(&local_saddr), &local_saddrlen) == 0) { + local_saddrp = ss2sa(&local_saddr); + } + + err = dispatch(handle, local_saddrp, &conn->u.tcp.faddr, + &request, &conn->u.tcp.response); + if (err) { + com_err(prog, err, "while dispatching (tcp)"); + goto kill_tcp_connection; + } + have_response: + queue_tcp_outgoing_response(conn); + FD_CLR(conn->fd, &sstate.rfds); + } } else - abort(); + abort(); return; @@ -1788,8 +1789,8 @@ kill_tcp_connection: } static void service_conn(void *handle, - struct connection *conn, const char *prog, - int selflags) + struct connection *conn, const char *prog, + int selflags) { conn->service(handle, conn, prog, selflags); } @@ -1810,82 +1811,82 @@ static int getcurtime(struct timeval *tvp) krb5_error_code listen_and_process(void *handle, const char *prog) { - int nfound; + int nfound; /* This struct contains 3 fd_set objects; on some platforms, they can be rather large. Making this static avoids putting all that junk on the stack. */ static struct select_state sout; - int i, sret, netchanged = 0; - krb5_error_code err; + int i, sret, netchanged = 0; + krb5_error_code err; kadm5_server_handle_t server_handle = (kadm5_server_handle_t)handle; if (conns == (struct connection **) NULL) - return KDC5_NONET; - + return KDC5_NONET; + while (!signal_request_exit) { - if (signal_request_hup) { - krb5_klog_reopen(server_handle->context); - reset_db(); - signal_request_hup = 0; - } + if (signal_request_hup) { + krb5_klog_reopen(server_handle->context); + reset_db(); + signal_request_hup = 0; + } #ifdef PURIFY - if (signal_pure_report) { - purify_new_reports(); - signal_pure_report = 0; - } - if (signal_pure_clear) { - purify_clear_new_reports(); - signal_pure_clear = 0; - } + if (signal_pure_report) { + purify_new_reports(); + signal_pure_report = 0; + } + if (signal_pure_clear) { + purify_clear_new_reports(); + signal_pure_clear = 0; + } #endif /* PURIFY */ - if (network_reconfiguration_needed) { - krb5_klog_syslog(LOG_INFO, "network reconfiguration needed"); - /* It might be tidier to add a timer-callback interface to - the control loop here, but for this one use, it's not a - big deal. */ - err = getcurtime(&sstate.end_time); - if (err) { - com_err(prog, err, "while getting the time"); - continue; - } - sstate.end_time.tv_sec += 3; - netchanged = 1; - } else - sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0; - - err = krb5int_cm_call_select(&sstate, &sout, &sret); - if (err) { - if (err != EINTR) - com_err(prog, err, "while selecting for network input(1)"); - continue; - } - if (sret == 0 && netchanged) { - network_reconfiguration_needed = 0; - closedown_network(handle, prog); - err = setup_network(handle, prog); - if (err) { - com_err(prog, err, "while reinitializing network"); - return err; - } - netchanged = 0; - } - if (sret == -1) { - if (errno != EINTR) - com_err(prog, errno, "while selecting for network input(2)"); - continue; - } - nfound = sret; - for (i=0; i 0; i++) { - int sflags = 0; - if (conns[i]->fd < 0) - abort(); - if (FD_ISSET(conns[i]->fd, &sout.rfds)) - sflags |= SSF_READ, nfound--; - if (FD_ISSET(conns[i]->fd, &sout.wfds)) - sflags |= SSF_WRITE, nfound--; - if (sflags) - service_conn(handle, conns[i], prog, sflags); - } + if (network_reconfiguration_needed) { + krb5_klog_syslog(LOG_INFO, "network reconfiguration needed"); + /* It might be tidier to add a timer-callback interface to + the control loop here, but for this one use, it's not a + big deal. */ + err = getcurtime(&sstate.end_time); + if (err) { + com_err(prog, err, "while getting the time"); + continue; + } + sstate.end_time.tv_sec += 3; + netchanged = 1; + } else + sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0; + + err = krb5int_cm_call_select(&sstate, &sout, &sret); + if (err) { + if (err != EINTR) + com_err(prog, err, "while selecting for network input(1)"); + continue; + } + if (sret == 0 && netchanged) { + network_reconfiguration_needed = 0; + closedown_network(handle, prog); + err = setup_network(handle, prog); + if (err) { + com_err(prog, err, "while reinitializing network"); + return err; + } + netchanged = 0; + } + if (sret == -1) { + if (errno != EINTR) + com_err(prog, errno, "while selecting for network input(2)"); + continue; + } + nfound = sret; + for (i=0; i 0; i++) { + int sflags = 0; + if (conns[i]->fd < 0) + abort(); + if (FD_ISSET(conns[i]->fd, &sout.rfds)) + sflags |= SSF_READ, nfound--; + if (FD_ISSET(conns[i]->fd, &sout.wfds)) + sflags |= SSF_WRITE, nfound--; + if (sflags) + service_conn(handle, conns[i], prog, sflags); + } } krb5_klog_syslog(LOG_INFO, "shutdown signal received"); return 0; @@ -1898,31 +1899,31 @@ closedown_network(void *handle, const char *prog) struct connection *conn; if (conns == (struct connection **) NULL) - return KDC5_NONET; + return KDC5_NONET; FOREACH_ELT (connections, i, conn) { - if (conn->fd >= 0) { - krb5_klog_syslog(LOG_INFO, "closing down fd %d", conn->fd); - (void) close(conn->fd); - if (conn->type == CONN_RPC) { - fd_set fds; - - FD_ZERO(&fds); - FD_SET(conn->fd, &fds); - - svc_getreqset(&fds); - } - } - if (conn->type == CONN_RPC_LISTENER) { - if (conn->u.rpc.transp != NULL) - svc_destroy(conn->u.rpc.transp); - } - DEL (connections, i); - /* There may also be per-connection data in the tcp structure - (tcp.buffer, tcp.response) that we're not freeing here. - That should only happen if we quit with a connection in - progress. */ - free(conn); + if (conn->fd >= 0) { + krb5_klog_syslog(LOG_INFO, "closing down fd %d", conn->fd); + (void) close(conn->fd); + if (conn->type == CONN_RPC) { + fd_set fds; + + FD_ZERO(&fds); + FD_SET(conn->fd, &fds); + + svc_getreqset(&fds); + } + } + if (conn->type == CONN_RPC_LISTENER) { + if (conn->u.rpc.transp != NULL) + svc_destroy(conn->u.rpc.transp); + } + DEL (connections, i); + /* There may also be per-connection data in the tcp structure + (tcp.buffer, tcp.response) that we're not freeing here. + That should only happen if we quit with a connection in + progress. */ + free(conn); } FREE_SET_DATA(connections); FREE_SET_DATA(udp_port_data); @@ -1933,7 +1934,7 @@ closedown_network(void *handle, const char *prog) } static void accept_rpc_connection(void *handle, struct connection *conn, - const char *prog, int selflags) + const char *prog, int selflags) { struct socksetup sockdata; fd_set fds; @@ -1942,7 +1943,7 @@ static void accept_rpc_connection(void *handle, struct connection *conn, assert(selflags & SSF_READ); if ((selflags & SSF_READ) == 0) - return; + return; sockdata.prog = prog; sockdata.retval = 0; @@ -1959,73 +1960,73 @@ static void accept_rpc_connection(void *handle, struct connection *conn, * Scan svc_fdset for any new connections. */ for (s = 0; s < FD_SETSIZE; s++) { - /* sstate.rfds |= svc_fdset & ~(rpc_listenfds | sstate.rfds) */ - if (FD_ISSET(s, &svc_fdset) - && !FD_ISSET(s, &rpc_listenfds) - && !FD_ISSET(s, &sstate.rfds)) - { - struct connection *newconn; - struct sockaddr_storage addr_s; - struct sockaddr *addr = (struct sockaddr *)&addr_s; - socklen_t addrlen = sizeof(addr_s); - char tmpbuf[10]; - - newconn = add_rpc_data_fd(&sockdata, s); - if (newconn == NULL) - continue; - - set_cloexec_fd(s); + /* sstate.rfds |= svc_fdset & ~(rpc_listenfds | sstate.rfds) */ + if (FD_ISSET(s, &svc_fdset) + && !FD_ISSET(s, &rpc_listenfds) + && !FD_ISSET(s, &sstate.rfds)) + { + struct connection *newconn; + struct sockaddr_storage addr_s; + struct sockaddr *addr = (struct sockaddr *)&addr_s; + socklen_t addrlen = sizeof(addr_s); + char tmpbuf[10]; + + newconn = add_rpc_data_fd(&sockdata, s); + if (newconn == NULL) + continue; + + set_cloexec_fd(s); #if 0 - setnbio(s), setnolinger(s), setkeepalive(s); + setnbio(s), setnolinger(s), setkeepalive(s); #endif - if (getpeername(s, addr, &addrlen) || - getnameinfo(addr, addrlen, - newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf), - tmpbuf, sizeof(tmpbuf), - NI_NUMERICHOST | NI_NUMERICSERV)) - strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf)); - else { - char *p, *end; - p = newconn->u.tcp.addrbuf; - end = p + sizeof(newconn->u.tcp.addrbuf); - p += strlen(p); - if (end - p > 2 + strlen(tmpbuf)) { - *p++ = '.'; - strlcpy(p, tmpbuf, end - p); - } - } + if (getpeername(s, addr, &addrlen) || + getnameinfo(addr, addrlen, + newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf), + tmpbuf, sizeof(tmpbuf), + NI_NUMERICHOST | NI_NUMERICSERV)) + strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf)); + else { + char *p, *end; + p = newconn->u.tcp.addrbuf; + end = p + sizeof(newconn->u.tcp.addrbuf); + p += strlen(p); + if (end - p > 2 + strlen(tmpbuf)) { + *p++ = '.'; + strlcpy(p, tmpbuf, end - p); + } + } #if 0 - krb5_klog_syslog(LOG_INFO, "accepted RPC connection on socket %d from %s", - s, newconn->u.tcp.addrbuf); + krb5_klog_syslog(LOG_INFO, "accepted RPC connection on socket %d from %s", + s, newconn->u.tcp.addrbuf); #endif - newconn->u.tcp.addr_s = addr_s; - newconn->u.tcp.addrlen = addrlen; - newconn->u.tcp.start_time = time(0); + newconn->u.tcp.addr_s = addr_s; + newconn->u.tcp.addrlen = addrlen; + newconn->u.tcp.start_time = time(0); - if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections) - kill_lru_tcp_or_rpc_connection(handle, newconn); + if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections) + kill_lru_tcp_or_rpc_connection(handle, newconn); - newconn->u.tcp.faddr.address = &newconn->u.tcp.kaddr; - init_addr(&newconn->u.tcp.faddr, ss2sa(&newconn->u.tcp.addr_s)); + newconn->u.tcp.faddr.address = &newconn->u.tcp.kaddr; + init_addr(&newconn->u.tcp.faddr, ss2sa(&newconn->u.tcp.addr_s)); - FD_SET(s, &sstate.rfds); - if (sstate.max <= s) - sstate.max = s + 1; - } + FD_SET(s, &sstate.rfds); + if (sstate.max <= s) + sstate.max = s + 1; + } } } static void process_rpc_connection(void *handle, struct connection *conn, - const char *prog, int selflags) + const char *prog, int selflags) { fd_set fds; assert(selflags & SSF_READ); if ((selflags & SSF_READ) == 0) - return; + return; FD_ZERO(&fds); FD_SET(conn->fd, &fds); @@ -2033,7 +2034,7 @@ static void process_rpc_connection(void *handle, struct connection *conn, svc_getreqset(&fds); if (!FD_ISSET(conn->fd, &svc_fdset)) - kill_tcp_or_rpc_connection(handle, conn, 0); + kill_tcp_or_rpc_connection(handle, conn, 0); } #endif /* INET */ diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index c01cbef73..1615877fb 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -5,14 +6,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -23,7 +24,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -50,7 +51,7 @@ #include #include #include -#include "kdb_kt.h" /* for krb5_ktkdb_set_context */ +#include "kdb_kt.h" /* for krb5_ktkdb_set_context */ #include #include "kadm5/server_internal.h" /* XXX for kadm5_server_handle_t */ #include @@ -60,30 +61,30 @@ #ifdef PURIFY #include "purify.h" -int signal_pure_report = 0; -int signal_pure_clear = 0; -void request_pure_report(int); -void request_pure_clear(int); +int signal_pure_report = 0; +int signal_pure_clear = 0; +void request_pure_report(int); +void request_pure_clear(int); #endif /* PURIFY */ #if defined(NEED_DAEMON_PROTO) extern int daemon(int, int); #endif -volatile int signal_request_exit = 0; -volatile int signal_request_hup = 0; +volatile int signal_request_exit = 0; +volatile int signal_request_hup = 0; void setup_signal_handlers(iprop_role iproprole); -void request_exit(int); -void request_hup(int); -void reset_db(void); -void sig_pipe(int); +void request_exit(int); +void request_hup(int); +void reset_db(void); +void sig_pipe(int); #ifdef POSIX_SIGNALS static struct sigaction s_action; #endif /* POSIX_SIGNALS */ -#define TIMEOUT 15 +#define TIMEOUT 15 gss_name_t gss_changepw_name = NULL, gss_oldchangepw_name = NULL; gss_name_t gss_kadmin_name = NULL; @@ -94,16 +95,16 @@ extern krb5_keylist_node *master_keylist; char *build_princ_name(char *name, char *realm); void log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data); + struct sockaddr_in *addr, char *data); void log_badverf(gss_name_t client_name, gss_name_t server_name, - struct svc_req *rqst, struct rpc_msg *msg, - char *data); + struct svc_req *rqst, struct rpc_msg *msg, + char *data); void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, char - *error, char *data); + *error, char *data); void log_badauth_display_status(char *msg, OM_uint32 major, OM_uint32 minor); void log_badauth_display_status_1(char *m, OM_uint32 code, int type, - int rec); - + int rec); + int schpw; void do_schpw(int s, kadm5_config_params *params); @@ -117,7 +118,7 @@ void kadm5_set_use_password_server (void); /* * Function: usage - * + * * Purpose: print out the server usage message * * Arguments: @@ -128,15 +129,15 @@ void kadm5_set_use_password_server (void); static void usage() { - fprintf(stderr, "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] " + fprintf(stderr, "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] " #ifdef USE_PASSWORD_SERVER - "[-passwordserver] " + "[-passwordserver] " #endif - "[-port port-number]\n" - "\nwhere,\n\t[-x db_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n" - ); - exit(1); + "[-port port-number]\n" + "\nwhere,\n\t[-x db_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n" + ); + exit(1); } /* @@ -146,9 +147,9 @@ static void usage() * * Arguments: * - * msg a string to be displayed with the message - * maj_stat the GSS-API major status code - * min_stat the GSS-API minor status code + * msg a string to be displayed with the message + * maj_stat the GSS-API major status code + * min_stat the GSS-API minor status code * * Effects: * @@ -159,35 +160,35 @@ static void usage() static void display_status_1(char *, OM_uint32, int); static void display_status(msg, maj_stat, min_stat) - char *msg; - OM_uint32 maj_stat; - OM_uint32 min_stat; + char *msg; + OM_uint32 maj_stat; + OM_uint32 min_stat; { - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); + display_status_1(msg, maj_stat, GSS_C_GSS_CODE); + display_status_1(msg, min_stat, GSS_C_MECH_CODE); } static void display_status_1(m, code, type) - char *m; - OM_uint32 code; - int type; + char *m; + OM_uint32 code; + int type; { - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "GSS-API error %s: %s\n", m, - (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } + OM_uint32 maj_stat, min_stat; + gss_buffer_desc msg; + OM_uint32 msg_ctx; + + msg_ctx = 0; + while (1) { + maj_stat = gss_display_status(&min_stat, code, + type, GSS_C_NULL_OID, + &msg_ctx, &msg); + fprintf(stderr, "GSS-API error %s: %s\n", m, + (char *)msg.value); + (void) gss_release_buffer(&min_stat, &msg); + + if (!msg_ctx) + break; + } } @@ -200,410 +201,410 @@ int nofork = 0; int main(int argc, char *argv[]) { - extern char *optarg; - extern int optind, opterr; - int ret; - OM_uint32 OMret, major_status, minor_status; - char *whoami; - gss_buffer_desc in_buf; - auth_gssapi_name names[4]; - gss_buffer_desc gssbuf; - gss_OID nt_krb5_name_oid; - kadm5_config_params params; - char **db_args = NULL; - int db_args_size = 0; - char *errmsg; - int i; - int strong_random = 1; - - kdb_log_context *log_ctx; - - setvbuf(stderr, NULL, _IONBF, 0); - - /* This is OID value the Krb5_Name NameType */ - gssbuf.value = "{1 2 840 113554 1 2 2 1}"; - gssbuf.length = strlen(gssbuf.value); - major_status = gss_str_to_oid(&minor_status, &gssbuf, &nt_krb5_name_oid); - if (major_status != GSS_S_COMPLETE) { - fprintf(stderr, "Couldn't create KRB5 Name NameType OID\n"); - display_status("str_to_oid", major_status, minor_status); - exit(1); - } - - names[0].name = names[1].name = names[2].name = names[3].name = NULL; - names[0].type = names[1].type = names[2].type = names[3].type = - nt_krb5_name_oid; + extern char *optarg; + extern int optind, opterr; + int ret; + OM_uint32 OMret, major_status, minor_status; + char *whoami; + gss_buffer_desc in_buf; + auth_gssapi_name names[4]; + gss_buffer_desc gssbuf; + gss_OID nt_krb5_name_oid; + kadm5_config_params params; + char **db_args = NULL; + int db_args_size = 0; + char *errmsg; + int i; + int strong_random = 1; + + kdb_log_context *log_ctx; + + setvbuf(stderr, NULL, _IONBF, 0); + + /* This is OID value the Krb5_Name NameType */ + gssbuf.value = "{1 2 840 113554 1 2 2 1}"; + gssbuf.length = strlen(gssbuf.value); + major_status = gss_str_to_oid(&minor_status, &gssbuf, &nt_krb5_name_oid); + if (major_status != GSS_S_COMPLETE) { + fprintf(stderr, "Couldn't create KRB5 Name NameType OID\n"); + display_status("str_to_oid", major_status, minor_status); + exit(1); + } + + names[0].name = names[1].name = names[2].name = names[3].name = NULL; + names[0].type = names[1].type = names[2].type = names[3].type = + nt_krb5_name_oid; #ifdef PURIFY - purify_start_batch(); + purify_start_batch(); #endif /* PURIFY */ - whoami = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); - - nofork = 0; - - memset(¶ms, 0, sizeof(params)); - - argc--; argv++; - while (argc) { - if (strcmp(*argv, "-x") == 0) { - argc--; argv++; - if (!argc) - usage(); - db_args_size++; - { - char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ - if( temp == NULL ) - { - fprintf(stderr,"%s: cannot initialize. Not enough memory\n", - whoami); - exit(1); - } - db_args = temp; - } - db_args[db_args_size-1] = *argv; - db_args[db_args_size] = NULL; - }else if (strcmp(*argv, "-r") == 0) { - argc--; argv++; - if (!argc) - usage(); - params.realm = *argv; - params.mask |= KADM5_CONFIG_REALM; - argc--; argv++; - continue; - } else if (strcmp(*argv, "-m") == 0) { - params.mkey_from_kbd = 1; - params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - } else if (strcmp(*argv, "-nofork") == 0) { - nofork = 1; + whoami = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); + + nofork = 0; + + memset(¶ms, 0, sizeof(params)); + + argc--; argv++; + while (argc) { + if (strcmp(*argv, "-x") == 0) { + argc--; argv++; + if (!argc) + usage(); + db_args_size++; + { + char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ + if( temp == NULL ) + { + fprintf(stderr,"%s: cannot initialize. Not enough memory\n", + whoami); + exit(1); + } + db_args = temp; + } + db_args[db_args_size-1] = *argv; + db_args[db_args_size] = NULL; + }else if (strcmp(*argv, "-r") == 0) { + argc--; argv++; + if (!argc) + usage(); + params.realm = *argv; + params.mask |= KADM5_CONFIG_REALM; + argc--; argv++; + continue; + } else if (strcmp(*argv, "-m") == 0) { + params.mkey_from_kbd = 1; + params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + } else if (strcmp(*argv, "-nofork") == 0) { + nofork = 1; #ifdef USE_PASSWORD_SERVER - } else if (strcmp(*argv, "-passwordserver") == 0) { - kadm5_set_use_password_server (); -#endif - } else if(strcmp(*argv, "-port") == 0) { - argc--; argv++; - if(!argc) - usage(); - params.kadmind_port = atoi(*argv); - params.mask |= KADM5_CONFIG_KADMIND_PORT; - } else if (strcmp(*argv, "-W") == 0) { - strong_random = 0; - } else - break; - argc--; argv++; - } - - if (argc != 0) - usage(); - - if ((ret = kadm5_init_krb5_context(&context))) { - fprintf(stderr, "%s: %s while initializing context, aborting\n", - whoami, error_message(ret)); - exit(1); - } - - krb5_klog_init(context, "admin_server", whoami, 1); - - if((ret = kadm5_init(context, "kadmind", NULL, - NULL, ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_3, - db_args, - &global_server_handle)) != KADM5_OK) { - const char *e_txt = krb5_get_error_message (context, ret); - krb5_klog_syslog(LOG_ERR, "%s while initializing, aborting", - e_txt); - fprintf(stderr, "%s: %s while initializing, aborting\n", - whoami, e_txt); - krb5_klog_close(context); - exit(1); - } - - if ((ret = kadm5_get_config_params(context, 1, ¶ms, - ¶ms))) { - const char *e_txt = krb5_get_error_message (context, ret); - krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting", - whoami, e_txt); - fprintf(stderr, "%s: %s while initializing, aborting\n", - whoami, e_txt); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } + } else if (strcmp(*argv, "-passwordserver") == 0) { + kadm5_set_use_password_server (); +#endif + } else if(strcmp(*argv, "-port") == 0) { + argc--; argv++; + if(!argc) + usage(); + params.kadmind_port = atoi(*argv); + params.mask |= KADM5_CONFIG_KADMIND_PORT; + } else if (strcmp(*argv, "-W") == 0) { + strong_random = 0; + } else + break; + argc--; argv++; + } + + if (argc != 0) + usage(); + + if ((ret = kadm5_init_krb5_context(&context))) { + fprintf(stderr, "%s: %s while initializing context, aborting\n", + whoami, error_message(ret)); + exit(1); + } + + krb5_klog_init(context, "admin_server", whoami, 1); + + if((ret = kadm5_init(context, "kadmind", NULL, + NULL, ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_3, + db_args, + &global_server_handle)) != KADM5_OK) { + const char *e_txt = krb5_get_error_message (context, ret); + krb5_klog_syslog(LOG_ERR, "%s while initializing, aborting", + e_txt); + fprintf(stderr, "%s: %s while initializing, aborting\n", + whoami, e_txt); + krb5_klog_close(context); + exit(1); + } + + if ((ret = kadm5_get_config_params(context, 1, ¶ms, + ¶ms))) { + const char *e_txt = krb5_get_error_message (context, ret); + krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting", + whoami, e_txt); + fprintf(stderr, "%s: %s while initializing, aborting\n", + whoami, e_txt); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } #define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE) - if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { - krb5_klog_syslog(LOG_ERR, "%s: Missing required configuration values " - "(%lx) while initializing, aborting", whoami, - (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS); - fprintf(stderr, "%s: Missing required configuration values " - "(%lx) while initializing, aborting\n", whoami, - (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS); - krb5_klog_close(context); - kadm5_destroy(global_server_handle); - exit(1); - } - - if ((ret = setup_network(global_server_handle, whoami))) { - const char *e_txt = krb5_get_error_message (context, ret); - krb5_klog_syslog(LOG_ERR, "%s: %s while initializing network, aborting", - whoami, e_txt); - fprintf(stderr, "%s: %s while initializing network, aborting\n", - whoami, e_txt); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } - - names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm); - names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm); - if (names[0].name == NULL || names[1].name == NULL) { - krb5_klog_syslog(LOG_ERR, - "Cannot build GSS-API authentication names, " - "failing."); - fprintf(stderr, "%s: Cannot build GSS-API authentication names.\n", - whoami); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } - - /* - * Go through some contortions to point gssapi at a kdb keytab. - * This prevents kadmind from needing to use an actual file-based - * keytab. - */ - /* XXX extract kadm5's krb5_context */ - hctx = ((kadm5_server_handle_t)global_server_handle)->context; - /* Set ktkdb's internal krb5_context. */ - ret = krb5_ktkdb_set_context(hctx); - if (ret) { - krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context."); - goto kterr; - } - /* XXX master_keyblock is in guts of lib/kadm5/server_kdb.c */ - ret = krb5_db_set_mkey(hctx, &master_keyblock); - if (ret) { - krb5_klog_syslog(LOG_ERR, "Can't set master key for kdb keytab."); - goto kterr; - } - ret = krb5_db_set_mkey_list(hctx, master_keylist); - if (ret) { - krb5_klog_syslog(LOG_ERR, "Can't set master key list for kdb keytab."); - goto kterr; - } - ret = krb5_kt_register(context, &krb5_kt_kdb_ops); - if (ret) { - krb5_klog_syslog(LOG_ERR, "Can't register kdb keytab."); - goto kterr; - } - /* Tell gssapi about the kdb keytab. */ - ret = krb5_gss_register_acceptor_identity("KDB:"); - if (ret) { - krb5_klog_syslog(LOG_ERR, "Can't register acceptor keytab."); - goto kterr; - } + if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { + krb5_klog_syslog(LOG_ERR, "%s: Missing required configuration values " + "(%lx) while initializing, aborting", whoami, + (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS); + fprintf(stderr, "%s: Missing required configuration values " + "(%lx) while initializing, aborting\n", whoami, + (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS); + krb5_klog_close(context); + kadm5_destroy(global_server_handle); + exit(1); + } + + if ((ret = setup_network(global_server_handle, whoami))) { + const char *e_txt = krb5_get_error_message (context, ret); + krb5_klog_syslog(LOG_ERR, "%s: %s while initializing network, aborting", + whoami, e_txt); + fprintf(stderr, "%s: %s while initializing network, aborting\n", + whoami, e_txt); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } + + names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm); + names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm); + if (names[0].name == NULL || names[1].name == NULL) { + krb5_klog_syslog(LOG_ERR, + "Cannot build GSS-API authentication names, " + "failing."); + fprintf(stderr, "%s: Cannot build GSS-API authentication names.\n", + whoami); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } + + /* + * Go through some contortions to point gssapi at a kdb keytab. + * This prevents kadmind from needing to use an actual file-based + * keytab. + */ + /* XXX extract kadm5's krb5_context */ + hctx = ((kadm5_server_handle_t)global_server_handle)->context; + /* Set ktkdb's internal krb5_context. */ + ret = krb5_ktkdb_set_context(hctx); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context."); + goto kterr; + } + /* XXX master_keyblock is in guts of lib/kadm5/server_kdb.c */ + ret = krb5_db_set_mkey(hctx, &master_keyblock); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't set master key for kdb keytab."); + goto kterr; + } + ret = krb5_db_set_mkey_list(hctx, master_keylist); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't set master key list for kdb keytab."); + goto kterr; + } + ret = krb5_kt_register(context, &krb5_kt_kdb_ops); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't register kdb keytab."); + goto kterr; + } + /* Tell gssapi about the kdb keytab. */ + ret = krb5_gss_register_acceptor_identity("KDB:"); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't register acceptor keytab."); + goto kterr; + } kterr: - if (ret) { - krb5_klog_syslog(LOG_ERR, "%s", krb5_get_error_message (context, ret)); - fprintf(stderr, "%s: Can't set up keytab for RPC.\n", whoami); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } - - if (svcauth_gssapi_set_names(names, 2) == FALSE) { - krb5_klog_syslog(LOG_ERR, - "Cannot set GSS-API authentication names (keytab not present?), " - "failing."); - fprintf(stderr, "%s: Cannot set GSS-API authentication names.\n", - whoami); - svcauth_gssapi_unset_names(); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } - - /* if set_names succeeded, this will too */ - in_buf.value = names[1].name; - in_buf.length = strlen(names[1].name) + 1; - (void) gss_import_name(&OMret, &in_buf, nt_krb5_name_oid, - &gss_changepw_name); - - svcauth_gssapi_set_log_badauth_func(log_badauth, NULL); - svcauth_gssapi_set_log_badverf_func(log_badverf, NULL); - svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL); - - svcauth_gss_set_log_badauth_func(log_badauth, NULL); - svcauth_gss_set_log_badverf_func(log_badverf, NULL); - svcauth_gss_set_log_miscerr_func(log_miscerr, NULL); - - if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) { - fprintf(stderr, "%s: Cannot initialize RPCSEC_GSS service name.\n", - whoami); - exit(1); - } - - if ((ret = kadm5int_acl_init(context, 0, params.acl_file))) { - errmsg = krb5_get_error_message (context, ret); - krb5_klog_syslog(LOG_ERR, "Cannot initialize acl file: %s", - errmsg); - fprintf(stderr, "%s: Cannot initialize acl file: %s\n", - whoami, errmsg); - svcauth_gssapi_unset_names(); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } - - if (!nofork && (ret = daemon(0, 0))) { - ret = errno; - errmsg = krb5_get_error_message (context, ret); - krb5_klog_syslog(LOG_ERR, "Cannot detach from tty: %s", errmsg); - fprintf(stderr, "%s: Cannot detach from tty: %s\n", - whoami, errmsg); - svcauth_gssapi_unset_names(); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } - - krb5_klog_syslog(LOG_INFO, "Seeding random number generator"); - ret = krb5_c_random_os_entropy(context, strong_random, NULL); - if (ret) { - krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting", - krb5_get_error_message(context, ret)); - svcauth_gssapi_unset_names(); - kadm5_destroy(global_server_handle); - krb5_klog_close(context); - exit(1); - } - + if (ret) { + krb5_klog_syslog(LOG_ERR, "%s", krb5_get_error_message (context, ret)); + fprintf(stderr, "%s: Can't set up keytab for RPC.\n", whoami); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } + + if (svcauth_gssapi_set_names(names, 2) == FALSE) { + krb5_klog_syslog(LOG_ERR, + "Cannot set GSS-API authentication names (keytab not present?), " + "failing."); + fprintf(stderr, "%s: Cannot set GSS-API authentication names.\n", + whoami); + svcauth_gssapi_unset_names(); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } + + /* if set_names succeeded, this will too */ + in_buf.value = names[1].name; + in_buf.length = strlen(names[1].name) + 1; + (void) gss_import_name(&OMret, &in_buf, nt_krb5_name_oid, + &gss_changepw_name); + + svcauth_gssapi_set_log_badauth_func(log_badauth, NULL); + svcauth_gssapi_set_log_badverf_func(log_badverf, NULL); + svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL); + + svcauth_gss_set_log_badauth_func(log_badauth, NULL); + svcauth_gss_set_log_badverf_func(log_badverf, NULL); + svcauth_gss_set_log_miscerr_func(log_miscerr, NULL); + + if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) { + fprintf(stderr, "%s: Cannot initialize RPCSEC_GSS service name.\n", + whoami); + exit(1); + } + + if ((ret = kadm5int_acl_init(context, 0, params.acl_file))) { + errmsg = krb5_get_error_message (context, ret); + krb5_klog_syslog(LOG_ERR, "Cannot initialize acl file: %s", + errmsg); + fprintf(stderr, "%s: Cannot initialize acl file: %s\n", + whoami, errmsg); + svcauth_gssapi_unset_names(); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } + + if (!nofork && (ret = daemon(0, 0))) { + ret = errno; + errmsg = krb5_get_error_message (context, ret); + krb5_klog_syslog(LOG_ERR, "Cannot detach from tty: %s", errmsg); + fprintf(stderr, "%s: Cannot detach from tty: %s\n", + whoami, errmsg); + svcauth_gssapi_unset_names(); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } + + krb5_klog_syslog(LOG_INFO, "Seeding random number generator"); + ret = krb5_c_random_os_entropy(context, strong_random, NULL); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting", + krb5_get_error_message(context, ret)); + svcauth_gssapi_unset_names(); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } + if (params.iprop_enabled == TRUE) - ulog_set_role(hctx, IPROP_MASTER); + ulog_set_role(hctx, IPROP_MASTER); else - ulog_set_role(hctx, IPROP_NULL); + ulog_set_role(hctx, IPROP_NULL); log_ctx = hctx->kdblog_context; if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) { - /* - * IProp is enabled, so let's map in the update log - * and setup the service. - */ - if ((ret = ulog_map(hctx, params.iprop_logfile, - params.iprop_ulogsize, FKADMIND, db_args)) != 0) { - fprintf(stderr, - _("%s: %s while mapping update log (`%s.ulog')\n"), - whoami, error_message(ret), params.dbname); - krb5_klog_syslog(LOG_ERR, - _("%s while mapping update log (`%s.ulog')"), - error_message(ret), params.dbname); - krb5_klog_close(context); - exit(1); - } - - - if (nofork) - fprintf(stderr, - "%s: create IPROP svc (PROG=%d, VERS=%d)\n", - whoami, KRB5_IPROP_PROG, KRB5_IPROP_VERS); + /* + * IProp is enabled, so let's map in the update log + * and setup the service. + */ + if ((ret = ulog_map(hctx, params.iprop_logfile, + params.iprop_ulogsize, FKADMIND, db_args)) != 0) { + fprintf(stderr, + _("%s: %s while mapping update log (`%s.ulog')\n"), + whoami, error_message(ret), params.dbname); + krb5_klog_syslog(LOG_ERR, + _("%s while mapping update log (`%s.ulog')"), + error_message(ret), params.dbname); + krb5_klog_close(context); + exit(1); + } + + + if (nofork) + fprintf(stderr, + "%s: create IPROP svc (PROG=%d, VERS=%d)\n", + whoami, KRB5_IPROP_PROG, KRB5_IPROP_VERS); #if 0 - if (!svc_create(krb5_iprop_prog_1, - KRB5_IPROP_PROG, KRB5_IPROP_VERS, - "circuit_v")) { - fprintf(stderr, - _("%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"), - whoami, - KRB5_IPROP_PROG, KRB5_IPROP_VERS); - krb5_klog_syslog(LOG_ERR, - _("Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."), - KRB5_IPROP_PROG, KRB5_IPROP_VERS); - krb5_klog_close(context); - exit(1); - } + if (!svc_create(krb5_iprop_prog_1, + KRB5_IPROP_PROG, KRB5_IPROP_VERS, + "circuit_v")) { + fprintf(stderr, + _("%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"), + whoami, + KRB5_IPROP_PROG, KRB5_IPROP_VERS); + krb5_klog_syslog(LOG_ERR, + _("Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."), + KRB5_IPROP_PROG, KRB5_IPROP_VERS); + krb5_klog_close(context); + exit(1); + } #endif #if 0 /* authgss only? */ - if ((ret = kiprop_get_adm_host_srv_name(context, - params.realm, - &kiprop_name)) != 0) { - krb5_klog_syslog(LOG_ERR, - _("%s while getting IProp svc name, failing"), - error_message(ret)); - fprintf(stderr, - _("%s: %s while getting IProp svc name, failing\n"), - whoami, error_message(ret)); - krb5_klog_close(context); - exit(1); - } - - auth_gssapi_name iprop_name; - iprop_name.name = build_princ_name(foo, bar); - if (iprop_name.name == NULL) { - foo error; - } - iprop_name.type = nt_krb5_name_oid; - if (svcauth_gssapi_set_names(&iprop_name, 1) == FALSE) { - foo error; - } - if (!rpc_gss_set_svc_name(kiprop_name, "kerberos_v5", 0, - KRB5_IPROP_PROG, KRB5_IPROP_VERS)) { - rpc_gss_error_t err; - (void) rpc_gss_get_error(&err); - - krb5_klog_syslog(LOG_ERR, - _("Unable to set RPCSEC_GSS service name (`%s'), failing."), - kiprop_name ? kiprop_name : ""); - - fprintf(stderr, - _("%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"), - whoami, - kiprop_name ? kiprop_name : ""); - - if (nofork) { - fprintf(stderr, - "%s: set svc name (rpcsec err=%d, sys err=%d)\n", - whoami, - err.rpc_gss_error, - err.system_error); - } - - exit(1); - } - free(kiprop_name); + if ((ret = kiprop_get_adm_host_srv_name(context, + params.realm, + &kiprop_name)) != 0) { + krb5_klog_syslog(LOG_ERR, + _("%s while getting IProp svc name, failing"), + error_message(ret)); + fprintf(stderr, + _("%s: %s while getting IProp svc name, failing\n"), + whoami, error_message(ret)); + krb5_klog_close(context); + exit(1); + } + + auth_gssapi_name iprop_name; + iprop_name.name = build_princ_name(foo, bar); + if (iprop_name.name == NULL) { + foo error; + } + iprop_name.type = nt_krb5_name_oid; + if (svcauth_gssapi_set_names(&iprop_name, 1) == FALSE) { + foo error; + } + if (!rpc_gss_set_svc_name(kiprop_name, "kerberos_v5", 0, + KRB5_IPROP_PROG, KRB5_IPROP_VERS)) { + rpc_gss_error_t err; + (void) rpc_gss_get_error(&err); + + krb5_klog_syslog(LOG_ERR, + _("Unable to set RPCSEC_GSS service name (`%s'), failing."), + kiprop_name ? kiprop_name : ""); + + fprintf(stderr, + _("%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"), + whoami, + kiprop_name ? kiprop_name : ""); + + if (nofork) { + fprintf(stderr, + "%s: set svc name (rpcsec err=%d, sys err=%d)\n", + whoami, + err.rpc_gss_error, + err.system_error); + } + + exit(1); + } + free(kiprop_name); #endif } setup_signal_handlers(log_ctx->iproprole); krb5_klog_syslog(LOG_INFO, _("starting")); if (nofork) - fprintf(stderr, "%s: starting...\n", whoami); - - listen_and_process(global_server_handle, whoami); - krb5_klog_syslog(LOG_INFO, "finished, exiting"); - - /* Clean up memory, etc */ - svcauth_gssapi_unset_names(); - kadm5_destroy(global_server_handle); - closedown_network(global_server_handle, whoami); - kadm5int_acl_finish(context, 0); - if(gss_changepw_name) { - (void) gss_release_name(&OMret, &gss_changepw_name); - } - if(gss_oldchangepw_name) { - (void) gss_release_name(&OMret, &gss_oldchangepw_name); - } - for(i = 0 ; i < 4; i++) { - if (names[i].name) { - free(names[i].name); - } - } - - krb5_klog_close(context); - krb5_free_context(context); - exit(2); + fprintf(stderr, "%s: starting...\n", whoami); + + listen_and_process(global_server_handle, whoami); + krb5_klog_syslog(LOG_INFO, "finished, exiting"); + + /* Clean up memory, etc */ + svcauth_gssapi_unset_names(); + kadm5_destroy(global_server_handle); + closedown_network(global_server_handle, whoami); + kadm5int_acl_finish(context, 0); + if(gss_changepw_name) { + (void) gss_release_name(&OMret, &gss_changepw_name); + } + if(gss_oldchangepw_name) { + (void) gss_release_name(&OMret, &gss_oldchangepw_name); + } + for(i = 0 ; i < 4; i++) { + if (names[i].name) { + free(names[i].name); + } + } + + krb5_klog_close(context); + krb5_free_context(context); + exit(2); } /* @@ -615,123 +616,123 @@ kterr: void setup_signal_handlers(iprop_role iproprole) { #ifdef POSIX_SIGNALS - (void) sigemptyset(&s_action.sa_mask); - s_action.sa_handler = request_exit; - (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL); - s_action.sa_handler = request_hup; - (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL); - s_action.sa_handler = sig_pipe; - (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL); + (void) sigemptyset(&s_action.sa_mask); + s_action.sa_handler = request_exit; + (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL); + (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL); + (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL); + s_action.sa_handler = request_hup; + (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL); + s_action.sa_handler = sig_pipe; + (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL); #ifdef PURIFY - s_action.sa_handler = request_pure_report; - (void) sigaction(SIGUSR1, &s_action, (struct sigaction *) NULL); - s_action.sa_handler = request_pure_clear; - (void) sigaction(SIGUSR2, &s_action, (struct sigaction *) NULL); + s_action.sa_handler = request_pure_report; + (void) sigaction(SIGUSR1, &s_action, (struct sigaction *) NULL); + s_action.sa_handler = request_pure_clear; + (void) sigaction(SIGUSR2, &s_action, (struct sigaction *) NULL); #endif /* PURIFY */ - /* - * IProp will fork for a full-resync, we don't want to - * wait on it and we don't want the living dead procs either. - */ - if (iproprole == IPROP_MASTER) { - s_action.sa_handler = SIG_IGN; - (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL); - } + /* + * IProp will fork for a full-resync, we don't want to + * wait on it and we don't want the living dead procs either. + */ + if (iproprole == IPROP_MASTER) { + s_action.sa_handler = SIG_IGN; + (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL); + } #else /* POSIX_SIGNALS */ - signal(SIGINT, request_exit); - signal(SIGTERM, request_exit); - signal(SIGQUIT, request_exit); - signal(SIGHUP, request_hup); - signal(SIGPIPE, sig_pipe); + signal(SIGINT, request_exit); + signal(SIGTERM, request_exit); + signal(SIGQUIT, request_exit); + signal(SIGHUP, request_hup); + signal(SIGPIPE, sig_pipe); #ifdef PURIFY - signal(SIGUSR1, request_pure_report); - signal(SIGUSR2, request_pure_clear); + signal(SIGUSR1, request_pure_report); + signal(SIGUSR2, request_pure_clear); #endif /* PURIFY */ - /* - * IProp will fork for a full-resync, we don't want to - * wait on it and we don't want the living dead procs either. - */ - if (iproprole == IPROP_MASTER) - (void) signal(SIGCHLD, SIG_IGN); + /* + * IProp will fork for a full-resync, we don't want to + * wait on it and we don't want the living dead procs either. + */ + if (iproprole == IPROP_MASTER) + (void) signal(SIGCHLD, SIG_IGN); #endif /* POSIX_SIGNALS */ } #ifdef PURIFY /* * Function: request_pure_report - * + * * Purpose: sets flag saying the server got a signal and that it should - * dump a purify report when convenient. + * dump a purify report when convenient. * * Arguments: * Requires: * Effects: * Modifies: - * sets signal_pure_report to one + * sets signal_pure_report to one */ void request_pure_report(int signum) { - krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report"); - signal_pure_report = 1; - return; + krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report"); + signal_pure_report = 1; + return; } /* * Function: request_pure_clear - * + * * Purpose: sets flag saying the server got a signal and that it should - * dump a purify report when convenient, then clear the - * purify tables. + * dump a purify report when convenient, then clear the + * purify tables. * * Arguments: * Requires: * Effects: * Modifies: - * sets signal_pure_report to one - * sets signal_pure_clear to one + * sets signal_pure_report to one + * sets signal_pure_clear to one */ void request_pure_clear(int signum) { - krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report and clear the old Purify info"); - signal_pure_report = 1; - signal_pure_clear = 1; - return; + krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report and clear the old Purify info"); + signal_pure_report = 1; + signal_pure_clear = 1; + return; } #endif /* PURIFY */ /* * Function: request_hup - * + * * Purpose: sets flag saying the server got a signal and that it should - * reset the database files when convenient. + * reset the database files when convenient. * * Arguments: * Requires: * Effects: * Modifies: - * sets signal_request_hup to one + * sets signal_request_hup to one */ void request_hup(int signum) { - signal_request_hup = 1; - return; + signal_request_hup = 1; + return; } /* * Function: reset_db - * + * * Purpose: flushes the currently opened database files to disk. * * Arguments: * Requires: * Effects: - * + * * Currently, just sets signal_request_reset to 0. The kdb and adb * libraries used to be sufficiently broken that it was prudent to * close and reopen the databases periodically. They are no longer @@ -740,42 +741,42 @@ void request_hup(int signum) void reset_db(void) { #ifdef notdef - kadm5_ret_t ret; - char *errmsg; - - if (ret = kadm5_flush(global_server_handle)) { - krb5_klog_syslog(LOG_ERR, "FATAL ERROR! %s while flushing databases. " - "Databases may be corrupt! Aborting.", - krb5_get_error_message (context, ret)); - krb5_klog_close(context); - exit(3); - } + kadm5_ret_t ret; + char *errmsg; + + if (ret = kadm5_flush(global_server_handle)) { + krb5_klog_syslog(LOG_ERR, "FATAL ERROR! %s while flushing databases. " + "Databases may be corrupt! Aborting.", + krb5_get_error_message (context, ret)); + krb5_klog_close(context); + exit(3); + } #endif - return; + return; } /* * Function: request_exit - * + * * Purpose: sets flags saying the server got a signal and that it - * should exit when convient. + * should exit when convient. * * Arguments: * Requires: * Effects: - * modifies signal_request_exit which ideally makes the server exit - * at some point. + * modifies signal_request_exit which ideally makes the server exit + * at some point. * * Modifies: - * signal_request_exit + * signal_request_exit */ void request_exit(int signum) { - krb5_klog_syslog(LOG_DEBUG, "Got signal to request exit"); - signal_request_exit = 1; - return; + krb5_klog_syslog(LOG_DEBUG, "Got signal to request exit"); + signal_request_exit = 1; + return; } /* @@ -789,40 +790,40 @@ void request_exit(int signum) */ void sig_pipe(int unused) { - krb5_klog_syslog(LOG_NOTICE, "Warning: Received a SIGPIPE; probably a " - "client aborted. Continuing."); - return; + krb5_klog_syslog(LOG_NOTICE, "Warning: Received a SIGPIPE; probably a " + "client aborted. Continuing."); + return; } /* * Function: build_princ_name - * + * * Purpose: takes a name and a realm and builds a string that can be - * consumed by krb5_parse_name. + * consumed by krb5_parse_name. * * Arguments: - * name (input) name to be part of principal - * realm (input) realm part of principal - * char * pointing to "name@realm" + * name (input) name to be part of principal + * realm (input) realm part of principal + * char * pointing to "name@realm" * * Requires: - * name be non-null. - * + * name be non-null. + * * Effects: * Modifies: */ char *build_princ_name(char *name, char *realm) { - char *fullname; + char *fullname; - if (realm) { - if (asprintf(&fullname, "%s@%s", name, realm) < 0) - fullname = NULL; - } else - fullname = strdup(name); + if (realm) { + if (asprintf(&fullname, "%s@%s", name, realm) < 0) + fullname = NULL; + } else + fullname = strdup(name); - return fullname; + return fullname; } /* @@ -832,11 +833,11 @@ char *build_princ_name(char *name, char *realm) * messages. * * Argiments: - * client_name (r) GSS-API client name - * server_name (r) GSS-API server name - * rqst (r) RPC service request - * msg (r) RPC message - * data (r) arbitrary data (NULL), not used + * client_name (r) GSS-API client name + * server_name (r) GSS-API server name + * rqst (r) RPC service request + * msg (r) RPC message + * data (r) arbitrary data (NULL), not used * * Effects: * @@ -844,91 +845,91 @@ char *build_princ_name(char *name, char *realm) * format. */ void log_badverf(gss_name_t client_name, gss_name_t server_name, - struct svc_req *rqst, struct rpc_msg *msg, char - *data) + struct svc_req *rqst, struct rpc_msg *msg, char + *data) { - struct procnames { - rpcproc_t proc; - const char *proc_name; - }; - static const struct procnames proc_names[] = { - {1, "CREATE_PRINCIPAL"}, - {2, "DELETE_PRINCIPAL"}, - {3, "MODIFY_PRINCIPAL"}, - {4, "RENAME_PRINCIPAL"}, - {5, "GET_PRINCIPAL"}, - {6, "CHPASS_PRINCIPAL"}, - {7, "CHRAND_PRINCIPAL"}, - {8, "CREATE_POLICY"}, - {9, "DELETE_POLICY"}, - {10, "MODIFY_POLICY"}, - {11, "GET_POLICY"}, - {12, "GET_PRIVS"}, - {13, "INIT"}, - {14, "GET_PRINCS"}, - {15, "GET_POLS"}, - {16, "SETKEY_PRINCIPAL"}, - {17, "SETV4KEY_PRINCIPAL"}, - {18, "CREATE_PRINCIPAL3"}, - {19, "CHPASS_PRINCIPAL3"}, - {20, "CHRAND_PRINCIPAL3"}, - {21, "SETKEY_PRINCIPAL3"} - }; + struct procnames { + rpcproc_t proc; + const char *proc_name; + }; + static const struct procnames proc_names[] = { + {1, "CREATE_PRINCIPAL"}, + {2, "DELETE_PRINCIPAL"}, + {3, "MODIFY_PRINCIPAL"}, + {4, "RENAME_PRINCIPAL"}, + {5, "GET_PRINCIPAL"}, + {6, "CHPASS_PRINCIPAL"}, + {7, "CHRAND_PRINCIPAL"}, + {8, "CREATE_POLICY"}, + {9, "DELETE_POLICY"}, + {10, "MODIFY_POLICY"}, + {11, "GET_POLICY"}, + {12, "GET_PRIVS"}, + {13, "INIT"}, + {14, "GET_PRINCS"}, + {15, "GET_POLS"}, + {16, "SETKEY_PRINCIPAL"}, + {17, "SETV4KEY_PRINCIPAL"}, + {18, "CREATE_PRINCIPAL3"}, + {19, "CHPASS_PRINCIPAL3"}, + {20, "CHRAND_PRINCIPAL3"}, + {21, "SETKEY_PRINCIPAL3"} + }; #define NPROCNAMES (sizeof (proc_names) / sizeof (struct procnames)) - OM_uint32 minor; - gss_buffer_desc client, server; - gss_OID gss_type; - char *a; - rpcproc_t proc; - int i; - const char *procname; - size_t clen, slen; - char *cdots, *sdots; - - client.length = 0; - client.value = NULL; - server.length = 0; - server.value = NULL; - - (void) gss_display_name(&minor, client_name, &client, &gss_type); - (void) gss_display_name(&minor, server_name, &server, &gss_type); - if (client.value == NULL) { - client.value = "(null)"; - clen = sizeof("(null)") -1; - } else { - clen = client.length; - } - trunc_name(&clen, &cdots); - if (server.value == NULL) { - server.value = "(null)"; - slen = sizeof("(null)") - 1; - } else { - slen = server.length; - } - trunc_name(&slen, &sdots); - a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); - - proc = msg->rm_call.cb_proc; - procname = NULL; - for (i = 0; i < NPROCNAMES; i++) { - if (proc_names[i].proc == proc) { - procname = proc_names[i].proc_name; - break; - } - } - if (procname != NULL) - krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " - "claimed client = %.*s%s, server = %.*s%s, addr = %s", - procname, (int) clen, (char *) client.value, cdots, - (int) slen, (char *) server.value, sdots, a); - else - krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " - "claimed client = %.*s%s, server = %.*s%s, addr = %s", - proc, (int) clen, (char *) client.value, cdots, - (int) slen, (char *) server.value, sdots, a); - - (void) gss_release_buffer(&minor, &client); - (void) gss_release_buffer(&minor, &server); + OM_uint32 minor; + gss_buffer_desc client, server; + gss_OID gss_type; + char *a; + rpcproc_t proc; + int i; + const char *procname; + size_t clen, slen; + char *cdots, *sdots; + + client.length = 0; + client.value = NULL; + server.length = 0; + server.value = NULL; + + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); + if (client.value == NULL) { + client.value = "(null)"; + clen = sizeof("(null)") -1; + } else { + clen = client.length; + } + trunc_name(&clen, &cdots); + if (server.value == NULL) { + server.value = "(null)"; + slen = sizeof("(null)") - 1; + } else { + slen = server.length; + } + trunc_name(&slen, &sdots); + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + + proc = msg->rm_call.cb_proc; + procname = NULL; + for (i = 0; i < NPROCNAMES; i++) { + if (proc_names[i].proc == proc) { + procname = proc_names[i].proc_name; + break; + } + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " + "claimed client = %.*s%s, server = %.*s%s, addr = %s", + procname, (int) clen, (char *) client.value, cdots, + (int) slen, (char *) server.value, sdots, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " + "claimed client = %.*s%s, server = %.*s%s, addr = %s", + proc, (int) clen, (char *) client.value, cdots, + (int) slen, (char *) server.value, sdots, a); + + (void) gss_release_buffer(&minor, &client); + (void) gss_release_buffer(&minor, &server); } /* @@ -937,10 +938,10 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name, * Purpose: Callback from GSS-API Sun RPC for miscellaneous errors * * Arguments: - * rqst (r) RPC service request - * msg (r) RPC message - * error (r) error message from RPC - * data (r) arbitrary data (NULL), not used + * rqst (r) RPC service request + * msg (r) RPC message + * error (r) error message from RPC + * data (r) arbitrary data (NULL), not used * * Effects: * @@ -948,12 +949,12 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name, * format. */ void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, - char *error, char *data) + char *error, char *data) { - char *a; - - a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); - krb5_klog_syslog(LOG_NOTICE, "Miscellaneous RPC error: %s, %s", a, error); + char *a; + + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + krb5_klog_syslog(LOG_NOTICE, "Miscellaneous RPC error: %s, %s", a, error); } @@ -965,10 +966,10 @@ void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, * failures/errors. * * Arguments: - * major (r) GSS-API major status - * minor (r) GSS-API minor status - * addr (r) originating address - * data (r) arbitrary data (NULL), not used + * major (r) GSS-API major status + * minor (r) GSS-API minor status + * addr (r) originating address + * data (r) arbitrary data (NULL), not used * * Effects: * @@ -976,57 +977,56 @@ void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, * format. */ void log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data) + struct sockaddr_in *addr, char *data) { - char *a; - - /* Authentication attempt failed: , */ + char *a; + + /* Authentication attempt failed: , */ - a = inet_ntoa(addr->sin_addr); + a = inet_ntoa(addr->sin_addr); - krb5_klog_syslog(LOG_NOTICE, "Authentication attempt failed: %s, GSS-API " - "error strings are:", a); - log_badauth_display_status(" ", major, minor); - krb5_klog_syslog(LOG_NOTICE, " GSS-API error strings complete."); + krb5_klog_syslog(LOG_NOTICE, "Authentication attempt failed: %s, GSS-API " + "error strings are:", a); + log_badauth_display_status(" ", major, minor); + krb5_klog_syslog(LOG_NOTICE, " GSS-API error strings complete."); } void log_badauth_display_status(char *msg, OM_uint32 major, OM_uint32 minor) { - log_badauth_display_status_1(msg, major, GSS_C_GSS_CODE, 0); - log_badauth_display_status_1(msg, minor, GSS_C_MECH_CODE, 0); + log_badauth_display_status_1(msg, major, GSS_C_GSS_CODE, 0); + log_badauth_display_status_1(msg, minor, GSS_C_MECH_CODE, 0); } void log_badauth_display_status_1(char *m, OM_uint32 code, int type, - int rec) + int rec) { - OM_uint32 gssstat, minor_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - gssstat = gss_display_status(&minor_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - if (gssstat != GSS_S_COMPLETE) { - if (!rec) { - log_badauth_display_status_1(m,gssstat,GSS_C_GSS_CODE,1); - log_badauth_display_status_1(m, minor_stat, - GSS_C_MECH_CODE, 1); - } else - krb5_klog_syslog(LOG_ERR, "GSS-API authentication error %.*s: " - "recursive failure!", (int) msg.length, - (char *) msg.value); - return; - } - - krb5_klog_syslog(LOG_NOTICE, "%s %.*s", m, (int)msg.length, - (char *)msg.value); - (void) gss_release_buffer(&minor_stat, &msg); - - if (!msg_ctx) - break; - } + OM_uint32 gssstat, minor_stat; + gss_buffer_desc msg; + OM_uint32 msg_ctx; + + msg_ctx = 0; + while (1) { + gssstat = gss_display_status(&minor_stat, code, + type, GSS_C_NULL_OID, + &msg_ctx, &msg); + if (gssstat != GSS_S_COMPLETE) { + if (!rec) { + log_badauth_display_status_1(m,gssstat,GSS_C_GSS_CODE,1); + log_badauth_display_status_1(m, minor_stat, + GSS_C_MECH_CODE, 1); + } else + krb5_klog_syslog(LOG_ERR, "GSS-API authentication error %.*s: " + "recursive failure!", (int) msg.length, + (char *) msg.value); + return; + } + + krb5_klog_syslog(LOG_NOTICE, "%s %.*s", m, (int)msg.length, + (char *)msg.value); + (void) gss_release_buffer(&minor_stat, &msg); + + if (!msg_ctx) + break; + } } - diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c index c3b7fa1e3..c1b221732 100644 --- a/src/kadmin/server/schpw.c +++ b/src/kadmin/server/schpw.c @@ -1,7 +1,8 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "k5-int.h" #include #include -#include /* krb5_klog_syslog */ +#include /* krb5_klog_syslog */ #include #include @@ -11,19 +12,19 @@ #define GETSOCKNAME_ARG3_TYPE int #endif -#define RFC3244_VERSION 0xff80 +#define RFC3244_VERSION 0xff80 krb5_error_code process_chpw_request(context, server_handle, realm, keytab, - local_faddr, remote_faddr, req, rep) - krb5_context context; - void *server_handle; - char *realm; - krb5_keytab keytab; - krb5_fulladdr *local_faddr; - krb5_fulladdr *remote_faddr; - krb5_data *req; - krb5_data *rep; + local_faddr, remote_faddr, req, rep) + krb5_context context; + void *server_handle; + char *realm; + krb5_keytab keytab; + krb5_fulladdr *local_faddr; + krb5_fulladdr *remote_faddr; + krb5_data *req; + krb5_data *rep; { krb5_error_code ret; char *ptr; @@ -58,12 +59,12 @@ process_chpw_request(context, server_handle, realm, keytab, cipher.length = 0; if (req->length < 4) { - /* either this, or the server is printing bad messages, - or the caller passed in garbage */ - ret = KRB5KRB_AP_ERR_MODIFIED; - numresult = KRB5_KPASSWD_MALFORMED; - strlcpy(strresult, "Request was truncated", sizeof(strresult)); - goto chpwfail; + /* either this, or the server is printing bad messages, + or the caller passed in garbage */ + ret = KRB5KRB_AP_ERR_MODIFIED; + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated", sizeof(strresult)); + goto chpwfail; } ptr = req->data; @@ -74,7 +75,7 @@ process_chpw_request(context, server_handle, realm, keytab, plen = (plen<<8) | (*ptr++ & 0xff); if (plen != req->length) - return(KRB5KRB_AP_ERR_MODIFIED); + return(KRB5KRB_AP_ERR_MODIFIED); /* verify version number */ @@ -82,11 +83,11 @@ process_chpw_request(context, server_handle, realm, keytab, vno = (vno<<8) | (*ptr++ & 0xff); if (vno != 1 && vno != RFC3244_VERSION) { - ret = KRB5KDC_ERR_BAD_PVNO; - numresult = KRB5_KPASSWD_BAD_VERSION; - snprintf(strresult, sizeof(strresult), - "Request contained unknown protocol version number %d", vno); - goto chpwfail; + ret = KRB5KDC_ERR_BAD_PVNO; + numresult = KRB5_KPASSWD_BAD_VERSION; + snprintf(strresult, sizeof(strresult), + "Request contained unknown protocol version number %d", vno); + goto chpwfail; } /* read, check ap-req length */ @@ -95,11 +96,11 @@ process_chpw_request(context, server_handle, realm, keytab, ap_req.length = (ap_req.length<<8) | (*ptr++ & 0xff); if (ptr + ap_req.length >= req->data + req->length) { - ret = KRB5KRB_AP_ERR_MODIFIED; - numresult = KRB5_KPASSWD_MALFORMED; - strlcpy(strresult, "Request was truncated in AP-REQ", - sizeof(strresult)); - goto chpwfail; + ret = KRB5KRB_AP_ERR_MODIFIED; + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Request was truncated in AP-REQ", + sizeof(strresult)); + goto chpwfail; } /* verify ap_req */ @@ -109,38 +110,38 @@ process_chpw_request(context, server_handle, realm, keytab, ret = krb5_auth_con_init(context, &auth_context); if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed initializing auth context", - sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed initializing auth context", + sizeof(strresult)); + goto chpwfail; } ret = krb5_auth_con_setflags(context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); + KRB5_AUTH_CONTEXT_DO_SEQUENCE); if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed initializing auth context", - sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed initializing auth context", + sizeof(strresult)); + goto chpwfail; } - + ret = krb5_build_principal(context, &changepw, strlen(realm), realm, - "kadmin", "changepw", NULL); + "kadmin", "changepw", NULL); if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed building kadmin/changepw principal", - sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed building kadmin/changepw principal", + sizeof(strresult)); + goto chpwfail; } ret = krb5_rd_req(context, &auth_context, &ap_req, changepw, keytab, - NULL, &ticket); + NULL, &ticket); if (ret) { - numresult = KRB5_KPASSWD_AUTHERROR; - strlcpy(strresult, "Failed reading application request", - sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_AUTHERROR; + strlcpy(strresult, "Failed reading application request", + sizeof(strresult)); + goto chpwfail; } /* mk_priv requires that the local address be set. @@ -158,22 +159,22 @@ process_chpw_request(context, server_handle, realm, keytab, is specified. Are we having fun yet? */ ret = krb5_auth_con_setaddrs(context, auth_context, NULL, - remote_faddr->address); + remote_faddr->address); if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed storing client internet address", - sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed storing client internet address", + sizeof(strresult)); + goto chpwfail; } /* construct the ap-rep */ ret = krb5_mk_rep(context, auth_context, &ap_rep); if (ret) { - numresult = KRB5_KPASSWD_AUTHERROR; - strlcpy(strresult, "Failed replying to application request", - sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_AUTHERROR; + strlcpy(strresult, "Failed replying to application request", + sizeof(strresult)); + goto chpwfail; } /* decrypt the ChangePasswdData */ @@ -183,57 +184,57 @@ process_chpw_request(context, server_handle, realm, keytab, ret = krb5_rd_priv(context, auth_context, &cipher, &clear, &replay); if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed decrypting request", sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed decrypting request", sizeof(strresult)); + goto chpwfail; } client = ticket->enc_part2->client; /* decode ChangePasswdData for setpw requests */ if (vno == RFC3244_VERSION) { - krb5_data *clear_data; - - ret = decode_krb5_setpw_req(&clear, &clear_data, &target); - if (ret != 0) { - numresult = KRB5_KPASSWD_MALFORMED; - strlcpy(strresult, "Failed decoding ChangePasswdData", - sizeof(strresult)); - goto chpwfail; - } - - memset(clear.data, 0, clear.length); - free(clear.data); - - clear = *clear_data; - free(clear_data); - - if (target != NULL) { - ret = krb5_unparse_name(context, target, &targetstr); - if (ret != 0) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed unparsing target name for log", - sizeof(strresult)); - goto chpwfail; - } - } + krb5_data *clear_data; + + ret = decode_krb5_setpw_req(&clear, &clear_data, &target); + if (ret != 0) { + numresult = KRB5_KPASSWD_MALFORMED; + strlcpy(strresult, "Failed decoding ChangePasswdData", + sizeof(strresult)); + goto chpwfail; + } + + memset(clear.data, 0, clear.length); + free(clear.data); + + clear = *clear_data; + free(clear_data); + + if (target != NULL) { + ret = krb5_unparse_name(context, target, &targetstr); + if (ret != 0) { + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed unparsing target name for log", + sizeof(strresult)); + goto chpwfail; + } + } } ret = krb5_unparse_name(context, client, &clientstr); if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed unparsing client name for log", - sizeof(strresult)); - goto chpwfail; + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed unparsing client name for log", + sizeof(strresult)); + goto chpwfail; } /* for cpw, verify that this is an AS_REQ ticket */ if (vno == 1 && - (ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) { - numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED; - strlcpy(strresult, "Ticket must be derived from a password", - sizeof(strresult)); - goto chpwfail; + (ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) { + numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED; + strlcpy(strresult, "Ticket must be derived from a password", + sizeof(strresult)); + goto chpwfail; } /* change the password */ @@ -243,10 +244,10 @@ process_chpw_request(context, server_handle, realm, keytab, ptr[clear.length] = '\0'; ret = schpw_util_wrapper(server_handle, client, target, - (ticket->enc_part2->flags & TKT_FLG_INITIAL) != 0, - ptr, NULL, strresult, sizeof(strresult)); + (ticket->enc_part2->flags & TKT_FLG_INITIAL) != 0, + ptr, NULL, strresult, sizeof(strresult)); if (ret) - errmsg = krb5_get_error_message(context, ret); + errmsg = krb5_get_error_message(context, ret); /* zap the password */ memset(clear.data, 0, clear.length); @@ -260,81 +261,81 @@ process_chpw_request(context, server_handle, realm, keytab, switch (addr->addrtype) { case ADDRTYPE_INET: { - struct sockaddr_in *sin = ss2sin(&ss); + struct sockaddr_in *sin = ss2sin(&ss); - sin->sin_family = AF_INET; - memcpy(&sin->sin_addr, addr->contents, addr->length); - sin->sin_port = htons(remote_faddr->port); - salen = sizeof(*sin); - break; + sin->sin_family = AF_INET; + memcpy(&sin->sin_addr, addr->contents, addr->length); + sin->sin_port = htons(remote_faddr->port); + salen = sizeof(*sin); + break; } case ADDRTYPE_INET6: { - struct sockaddr_in6 *sin6 = ss2sin6(&ss); + struct sockaddr_in6 *sin6 = ss2sin6(&ss); - sin6->sin6_family = AF_INET6; - memcpy(&sin6->sin6_addr, addr->contents, addr->length); - sin6->sin6_port = htons(remote_faddr->port); - salen = sizeof(*sin6); - break; + sin6->sin6_family = AF_INET6; + memcpy(&sin6->sin6_addr, addr->contents, addr->length); + sin6->sin6_port = htons(remote_faddr->port); + salen = sizeof(*sin6); + break; } default: { - struct sockaddr *sa = ss2sa(&ss); + struct sockaddr *sa = ss2sa(&ss); - sa->sa_family = AF_UNSPEC; - salen = sizeof(*sa); - break; + sa->sa_family = AF_UNSPEC; + salen = sizeof(*sa); + break; } } if (getnameinfo(ss2sa(&ss), salen, - addrbuf, sizeof(addrbuf), NULL, 0, - NI_NUMERICHOST | NI_NUMERICSERV) != 0) - strlcpy(addrbuf, "", sizeof(addrbuf)); + addrbuf, sizeof(addrbuf), NULL, 0, + NI_NUMERICHOST | NI_NUMERICSERV) != 0) + strlcpy(addrbuf, "", sizeof(addrbuf)); if (vno == RFC3244_VERSION) { - size_t tlen; - char *tdots; - const char *targetp; - - if (target == NULL) { - tlen = clen; - tdots = cdots; - targetp = targetstr; - } else { - tlen = strlen(targetstr); - trunc_name(&tlen, &tdots); - targetp = clientstr; - } - - krb5_klog_syslog(LOG_NOTICE, "setpw request from %s by %.*s%s for %.*s%s: %s", - addrbuf, - (int) clen, clientstr, cdots, - (int) tlen, targetp, tdots, - errmsg ? errmsg : "success"); + size_t tlen; + char *tdots; + const char *targetp; + + if (target == NULL) { + tlen = clen; + tdots = cdots; + targetp = targetstr; + } else { + tlen = strlen(targetstr); + trunc_name(&tlen, &tdots); + targetp = clientstr; + } + + krb5_klog_syslog(LOG_NOTICE, "setpw request from %s by %.*s%s for %.*s%s: %s", + addrbuf, + (int) clen, clientstr, cdots, + (int) tlen, targetp, tdots, + errmsg ? errmsg : "success"); } else { - krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", - addrbuf, - (int) clen, clientstr, cdots, - errmsg ? errmsg : "success"); + krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", + addrbuf, + (int) clen, clientstr, cdots, + errmsg ? errmsg : "success"); } switch (ret) { case KADM5_AUTH_CHANGEPW: - numresult = KRB5_KPASSWD_ACCESSDENIED; - break; + numresult = KRB5_KPASSWD_ACCESSDENIED; + break; case KADM5_PASS_Q_TOOSHORT: case KADM5_PASS_REUSE: case KADM5_PASS_Q_CLASS: case KADM5_PASS_Q_DICT: case KADM5_PASS_TOOSOON: - numresult = KRB5_KPASSWD_HARDERROR; - break; + numresult = KRB5_KPASSWD_HARDERROR; + break; case 0: - numresult = KRB5_KPASSWD_SUCCESS; - strlcpy(strresult, "", sizeof(strresult)); - break; + numresult = KRB5_KPASSWD_SUCCESS; + strlcpy(strresult, "", sizeof(strresult)); + break; default: - numresult = KRB5_KPASSWD_SOFTERROR; - break; + numresult = KRB5_KPASSWD_SOFTERROR; + break; } chpwfail: @@ -352,66 +353,66 @@ chpwfail: cipher.length = 0; if (ap_rep.length) { - ret = krb5_auth_con_setaddrs(context, auth_context, - local_faddr->address, NULL); - if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, - "Failed storing client and server internet addresses", - sizeof(strresult)); - } else { - ret = krb5_mk_priv(context, auth_context, &clear, &cipher, - &replay); - if (ret) { - numresult = KRB5_KPASSWD_HARDERROR; - strlcpy(strresult, "Failed encrypting reply", - sizeof(strresult)); - } - } + ret = krb5_auth_con_setaddrs(context, auth_context, + local_faddr->address, NULL); + if (ret) { + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, + "Failed storing client and server internet addresses", + sizeof(strresult)); + } else { + ret = krb5_mk_priv(context, auth_context, &clear, &cipher, + &replay); + if (ret) { + numresult = KRB5_KPASSWD_HARDERROR; + strlcpy(strresult, "Failed encrypting reply", + sizeof(strresult)); + } + } } /* if no KRB-PRIV was constructed, then we need a KRB-ERROR. if this fails, just bail. there's nothing else we can do. */ if (cipher.length == 0) { - /* clear out ap_rep now, so that it won't be inserted in the + /* clear out ap_rep now, so that it won't be inserted in the reply */ - if (ap_rep.length) { - free(ap_rep.data); - ap_rep.length = 0; - } - - krberror.ctime = 0; - krberror.cusec = 0; - krberror.susec = 0; - ret = krb5_timeofday(context, &krberror.stime); - if (ret) - goto bailout; - - /* this is really icky. but it's what all the other callers - to mk_error do. */ - krberror.error = ret; - krberror.error -= ERROR_TABLE_BASE_krb5; - if (krberror.error < 0 || krberror.error > 128) - krberror.error = KRB_ERR_GENERIC; - - krberror.client = NULL; - - ret = krb5_build_principal(context, &krberror.server, - strlen(realm), realm, - "kadmin", "changepw", NULL); - if (ret) - goto bailout; - krberror.text.length = 0; - krberror.e_data = clear; - - ret = krb5_mk_error(context, &krberror, &cipher); - - krb5_free_principal(context, krberror.server); - - if (ret) - goto bailout; + if (ap_rep.length) { + free(ap_rep.data); + ap_rep.length = 0; + } + + krberror.ctime = 0; + krberror.cusec = 0; + krberror.susec = 0; + ret = krb5_timeofday(context, &krberror.stime); + if (ret) + goto bailout; + + /* this is really icky. but it's what all the other callers + to mk_error do. */ + krberror.error = ret; + krberror.error -= ERROR_TABLE_BASE_krb5; + if (krberror.error < 0 || krberror.error > 128) + krberror.error = KRB_ERR_GENERIC; + + krberror.client = NULL; + + ret = krb5_build_principal(context, &krberror.server, + strlen(realm), realm, + "kadmin", "changepw", NULL); + if (ret) + goto bailout; + krberror.text.length = 0; + krberror.e_data = clear; + + ret = krb5_mk_error(context, &krberror, &cipher); + + krb5_free_principal(context, krberror.server); + + if (ret) + goto bailout; } /* construct the reply */ @@ -419,9 +420,9 @@ chpwfail: rep->length = 6 + ap_rep.length + cipher.length; rep->data = (char *) malloc(rep->length); if (rep->data == NULL) { - rep->length = 0; /* checked by caller */ - ret = ENOMEM; - goto bailout; + rep->length = 0; /* checked by caller */ + ret = ENOMEM; + goto bailout; } ptr = rep->data; @@ -443,8 +444,8 @@ chpwfail: /* ap-rep data */ if (ap_rep.length) { - memcpy(ptr, ap_rep.data, ap_rep.length); - ptr += ap_rep.length; + memcpy(ptr, ap_rep.data, ap_rep.length); + ptr += ap_rep.length; } /* krb-priv or krb-error */ @@ -453,25 +454,25 @@ chpwfail: bailout: if (auth_context) - krb5_auth_con_free(context, auth_context); + krb5_auth_con_free(context, auth_context); if (changepw) - krb5_free_principal(context, changepw); + krb5_free_principal(context, changepw); if (ap_rep.length) - free(ap_rep.data); + free(ap_rep.data); if (ticket) - krb5_free_ticket(context, ticket); + krb5_free_ticket(context, ticket); if (clear.length) - free(clear.data); + free(clear.data); if (cipher.length) - free(cipher.data); + free(cipher.data); if (target) - krb5_free_principal(context, target); + krb5_free_principal(context, target); if (targetstr) - krb5_free_unparsed_name(context, targetstr); + krb5_free_unparsed_name(context, targetstr); if (clientstr) - krb5_free_unparsed_name(context, clientstr); + krb5_free_unparsed_name(context, clientstr); if (errmsg) - krb5_free_error_message(context, errmsg); + krb5_free_error_message(context, errmsg); return(ret); } diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c index 9449fe8c2..29a8805ee 100644 --- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -17,21 +18,21 @@ #include #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" -#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" +#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" -extern gss_name_t gss_changepw_name; -extern gss_name_t gss_oldchangepw_name; -extern void * global_server_handle; +extern gss_name_t gss_changepw_name; +extern gss_name_t gss_oldchangepw_name; +extern void * global_server_handle; -#define CHANGEPW_SERVICE(rqstp) \ - (cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), gss_changepw_name) |\ - (gss_oldchangepw_name && \ - cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), \ - gss_oldchangepw_name))) +#define CHANGEPW_SERVICE(rqstp) \ + (cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), gss_changepw_name) | \ + (gss_oldchangepw_name && \ + cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), \ + gss_oldchangepw_name))) static int gss_to_krb5_name(kadm5_server_handle_t handle, - gss_name_t gss_name, krb5_principal *princ); + gss_name_t gss_name, krb5_principal *princ); static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str); @@ -41,25 +42,25 @@ gss_name_t rqst2name(struct svc_req *rqstp); static int cmp_gss_names(gss_name_t n1, gss_name_t n2) { - OM_uint32 emaj, emin; - int equal; + OM_uint32 emaj, emin; + int equal; - if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal))) - return(0); + if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal))) + return(0); - return(equal); + return(equal); } /* Does a comparison of the names and then releases the first entity */ /* For use above in CHANGEPW_SERVICE */ static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2) { - OM_uint32 min_stat; - int ret; + OM_uint32 min_stat; + int ret; - ret = cmp_gss_names(n1, n2); - if (n1) (void) gss_release_name(&min_stat, &n1); - return ret; + ret = cmp_gss_names(n1, n2); + if (n1) (void) gss_release_name(&min_stat, &n1); + return ret; } /* @@ -70,13 +71,13 @@ static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2) * * Arguments: * - * handle The server handle. + * handle The server handle. */ static int check_handle(void *handle) { - CHECK_HANDLE(handle); - return 0; + CHECK_HANDLE(handle); + return 0; } /* @@ -88,45 +89,45 @@ static int check_handle(void *handle) * kadm5_init. * * Arguments: - * api_version (input) The API version specified by the client - * rqstp (input) The RPC request - * handle (output) The returned handle - * (output) An error code, or 0 if no error occurred - * + * api_version (input) The API version specified by the client + * rqstp (input) The RPC request + * handle (output) The returned handle + * (output) An error code, or 0 if no error occurred + * * Effects: - * Returns a pointer to allocated storage containing the server - * handle. If an error occurs, then no allocated storage is - * returned, and the return value of the function will be a - * non-zero com_err code. - * + * Returns a pointer to allocated storage containing the server + * handle. If an error occurs, then no allocated storage is + * returned, and the return value of the function will be a + * non-zero com_err code. + * * The allocated storage for the handle should be freed with - * free_server_handle (see below) when it is no longer needed. + * free_server_handle (see below) when it is no longer needed. */ static kadm5_ret_t new_server_handle(krb5_ui_4 api_version, - struct svc_req *rqstp, - kadm5_server_handle_t - *out_handle) + struct svc_req *rqstp, + kadm5_server_handle_t + *out_handle) { - kadm5_server_handle_t handle; + kadm5_server_handle_t handle; - *out_handle = NULL; + *out_handle = NULL; - if (! (handle = (kadm5_server_handle_t) - malloc(sizeof(*handle)))) - return ENOMEM; + if (! (handle = (kadm5_server_handle_t) + malloc(sizeof(*handle)))) + return ENOMEM; - *handle = *(kadm5_server_handle_t)global_server_handle; - handle->api_version = api_version; + *handle = *(kadm5_server_handle_t)global_server_handle; + handle->api_version = api_version; - if (! gss_to_krb5_name(handle, rqst2name(rqstp), - &handle->current_caller)) { - free(handle); - return KADM5_FAILURE; - } + if (! gss_to_krb5_name(handle, rqst2name(rqstp), + &handle->current_caller)) { + free(handle); + return KADM5_FAILURE; + } - *out_handle = handle; - return 0; + *out_handle = handle; + return 0; } /* @@ -135,14 +136,14 @@ static kadm5_ret_t new_server_handle(krb5_ui_4 api_version, * Purpose: Free handle memory allocated by new_server_handle * * Arguments: - * handle (input/output) The handle to free + * handle (input/output) The handle to free */ static void free_server_handle(kadm5_server_handle_t handle) { - if (!handle) - return; - krb5_free_principal(handle->context, handle->current_caller); - free(handle); + if (!handle) + return; + krb5_free_principal(handle->context, handle->current_caller); + free(handle); } /* @@ -152,9 +153,9 @@ static void free_server_handle(kadm5_server_handle_t handle) * names. * * Arguments: - * rqstp (r) the RPC request - * client_name (w) the gss_buffer_t for the client name - * server_name (w) the gss_buffer_t for the server name + * rqstp (r) the RPC request + * client_name (w) the gss_buffer_t for the client name + * server_name (w) the gss_buffer_t for the server name * * Effects: * @@ -163,82 +164,82 @@ static void free_server_handle(kadm5_server_handle_t handle) * on success and -1 on failure. */ int setup_gss_names(struct svc_req *rqstp, - gss_buffer_desc *client_name, - gss_buffer_desc *server_name) + gss_buffer_desc *client_name, + gss_buffer_desc *server_name) { - OM_uint32 maj_stat, min_stat; - gss_name_t server_gss_name; - - if (gss_name_to_string(rqst2name(rqstp), client_name) != 0) - return -1; - maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL, - &server_gss_name, NULL, NULL, NULL, - NULL, NULL); - if (maj_stat != GSS_S_COMPLETE) { - gss_release_buffer(&min_stat, client_name); - gss_release_name(&min_stat, &server_gss_name); - return -1; - } - if (gss_name_to_string(server_gss_name, server_name) != 0) { - gss_release_buffer(&min_stat, client_name); - gss_release_name(&min_stat, &server_gss_name); - return -1; - } - gss_release_name(&min_stat, &server_gss_name); - return 0; + OM_uint32 maj_stat, min_stat; + gss_name_t server_gss_name; + + if (gss_name_to_string(rqst2name(rqstp), client_name) != 0) + return -1; + maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL, + &server_gss_name, NULL, NULL, NULL, + NULL, NULL); + if (maj_stat != GSS_S_COMPLETE) { + gss_release_buffer(&min_stat, client_name); + gss_release_name(&min_stat, &server_gss_name); + return -1; + } + if (gss_name_to_string(server_gss_name, server_name) != 0) { + gss_release_buffer(&min_stat, client_name); + gss_release_name(&min_stat, &server_gss_name); + return -1; + } + gss_release_name(&min_stat, &server_gss_name); + return 0; } static gss_name_t acceptor_name(gss_ctx_id_t context) { - OM_uint32 maj_stat, min_stat; - gss_name_t name; - - maj_stat = gss_inquire_context(&min_stat, context, NULL, &name, - NULL, NULL, NULL, NULL, NULL); - if (maj_stat != GSS_S_COMPLETE) - return NULL; - return name; + OM_uint32 maj_stat, min_stat; + gss_name_t name; + + maj_stat = gss_inquire_context(&min_stat, context, NULL, &name, + NULL, NULL, NULL, NULL, NULL); + if (maj_stat != GSS_S_COMPLETE) + return NULL; + return name; } - + static int cmp_gss_krb5_name(kadm5_server_handle_t handle, - gss_name_t gss_name, krb5_principal princ) + gss_name_t gss_name, krb5_principal princ) { - krb5_principal princ2; - int status; - - if (! gss_to_krb5_name(handle, gss_name, &princ2)) - return 0; - status = krb5_principal_compare(handle->context, princ, princ2); - krb5_free_principal(handle->context, princ2); - return status; + krb5_principal princ2; + int status; + + if (! gss_to_krb5_name(handle, gss_name, &princ2)) + return 0; + status = krb5_principal_compare(handle->context, princ, princ2); + krb5_free_principal(handle->context, princ2); + return status; } static int gss_to_krb5_name(kadm5_server_handle_t handle, - gss_name_t gss_name, krb5_principal *princ) + gss_name_t gss_name, krb5_principal *princ) { - OM_uint32 status, minor_stat; - gss_buffer_desc gss_str; - gss_OID gss_type; - int success; - - status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type); - if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name)) - return 0; - success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0); - gss_release_buffer(&minor_stat, &gss_str); - return success; + OM_uint32 status, minor_stat; + gss_buffer_desc gss_str; + gss_OID gss_type; + int success; + + status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type); + if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name)) + return 0; + success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0); + gss_release_buffer(&minor_stat, &gss_str); + return success; } static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str) { - OM_uint32 status, minor_stat; - gss_OID gss_type; + OM_uint32 status, minor_stat; + gss_OID gss_type; - status = gss_display_name(&minor_stat, gss_name, str, &gss_type); - if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name)) - return 1; - return 0; + status = gss_display_name(&minor_stat, gss_name, str, &gss_type); + if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name)) + return 1; + return 0; } static int @@ -261,12 +262,12 @@ log_unauth( /* okay to cast lengths to int because trunc_name limits max value */ return krb5_klog_syslog(LOG_NOTICE, - "Unauthorized request: %s, %.*s%s, " - "client=%.*s%s, service=%.*s%s, addr=%s", - op, (int)tlen, target, tdots, - (int)clen, (char *)client->value, cdots, - (int)slen, (char *)server->value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + "Unauthorized request: %s, %.*s%s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + op, (int)tlen, target, tdots, + (int)clen, (char *)client->value, cdots, + (int)slen, (char *)server->value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } static int @@ -290,72 +291,72 @@ log_done( /* okay to cast lengths to int because trunc_name limits max value */ return krb5_klog_syslog(LOG_NOTICE, - "Request: %s, %.*s%s, %s, " - "client=%.*s%s, service=%.*s%s, addr=%s", - op, (int)tlen, target, tdots, errmsg, - (int)clen, (char *)client->value, cdots, - (int)slen, (char *)server->value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + "Request: %s, %.*s%s, %s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + op, (int)tlen, target, tdots, errmsg, + (int)clen, (char *)client->value, cdots, + (int)slen, (char *)server->value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } generic_ret * create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, - arg->rec.principal, &rp) - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { - ret.code = KADM5_AUTH_ADD; - log_unauth("kadm5_create_principal", prime_arg, - &client_name, &service_name, rqstp); + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, + arg->rec.principal, &rp) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; + log_unauth("kadm5_create_principal", prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_create_principal((void *)handle, - &arg->rec, arg->mask, - arg->passwd); + ret.code = kadm5_create_principal((void *)handle, + &arg->rec, arg->mask, + arg->passwd); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_create_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_create_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); - exit_func: +exit_func: free_server_handle(handle); return &ret; } @@ -363,56 +364,56 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) generic_ret * create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, - arg->rec.principal, &rp) - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { - ret.code = KADM5_AUTH_ADD; - log_unauth("kadm5_create_principal", prime_arg, - &client_name, &service_name, rqstp); + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, + arg->rec.principal, &rp) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; + log_unauth("kadm5_create_principal", prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_create_principal_3((void *)handle, - &arg->rec, arg->mask, - arg->n_ks_tuple, - arg->ks_tuple, - arg->passwd); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); - - log_done("kadm5_create_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); - - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + ret.code = kadm5_create_principal_3((void *)handle, + &arg->rec, arg->mask, + arg->n_ks_tuple, + arg->ks_tuple, + arg->passwd); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); + + log_done("kadm5_create_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); gss_release_buffer(&minor_stat, &client_name); @@ -426,50 +427,50 @@ exit_func: generic_ret * delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } - + if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, - arg->princ, NULL)) { - ret.code = KADM5_AUTH_DELETE; - log_unauth("kadm5_delete_principal", prime_arg, - &client_name, &service_name, rqstp); + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; + log_unauth("kadm5_delete_principal", prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_delete_principal((void *)handle, arg->princ); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + ret.code = kadm5_delete_principal((void *)handle, arg->princ); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_delete_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_delete_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); @@ -484,52 +485,52 @@ exit_func: generic_ret * modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, - arg->rec.principal, &rp) - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { - ret.code = KADM5_AUTH_MODIFY; - log_unauth("kadm5_modify_principal", prime_arg, - &client_name, &service_name, rqstp); + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, + arg->rec.principal, &rp) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_MODIFY; + log_unauth("kadm5_modify_principal", prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_modify_principal((void *)handle, &arg->rec, - arg->mask); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + ret.code = kadm5_modify_principal((void *)handle, &arg->rec, + arg->mask); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_modify_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_modify_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); gss_release_buffer(&minor_stat, &client_name); @@ -542,34 +543,34 @@ exit_func: generic_ret * rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg1, - *prime_arg2; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - restriction_t *rp; - const char *errmsg = NULL; - size_t tlen1, tlen2, clen, slen; - char *tdots1, *tdots2, *cdots, *sdots; + static generic_ret ret; + char *prime_arg1, + *prime_arg2; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + const char *errmsg = NULL; + size_t tlen1, tlen2, clen, slen; + char *tdots1, *tdots2, *cdots, *sdots; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) || krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } tlen1 = strlen(prime_arg1); trunc_name(&tlen1, &tdots1); @@ -582,54 +583,54 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { - if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_DELETE, arg->src, NULL)) - ret.code = KADM5_AUTH_DELETE; - /* any restrictions at all on the ADD kills the RENAME */ - if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_ADD, arg->dest, &rp) || rp) { - if (ret.code == KADM5_AUTH_DELETE) - ret.code = KADM5_AUTH_INSUFFICIENT; - else - ret.code = KADM5_AUTH_ADD; - } + if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_DELETE, arg->src, NULL)) + ret.code = KADM5_AUTH_DELETE; + /* any restrictions at all on the ADD kills the RENAME */ + if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_ADD, arg->dest, &rp) || rp) { + if (ret.code == KADM5_AUTH_DELETE) + ret.code = KADM5_AUTH_INSUFFICIENT; + else + ret.code = KADM5_AUTH_ADD; + } } else - ret.code = KADM5_AUTH_INSUFFICIENT; + ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { - /* okay to cast lengths to int because trunc_name limits max value */ - krb5_klog_syslog(LOG_NOTICE, - "Unauthorized request: kadm5_rename_principal, " - "%.*s%s to %.*s%s, " - "client=%.*s%s, service=%.*s%s, addr=%s", - (int)tlen1, prime_arg1, tdots1, - (int)tlen2, prime_arg2, tdots2, - (int)clen, (char *)client_name.value, cdots, - (int)slen, (char *)service_name.value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + /* okay to cast lengths to int because trunc_name limits max value */ + krb5_klog_syslog(LOG_NOTICE, + "Unauthorized request: kadm5_rename_principal, " + "%.*s%s to %.*s%s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + (int)tlen1, prime_arg1, tdots1, + (int)tlen2, prime_arg2, tdots2, + (int)clen, (char *)client_name.value, cdots, + (int)slen, (char *)service_name.value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { - ret.code = kadm5_rename_principal((void *)handle, arg->src, - arg->dest); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); - - /* okay to cast lengths to int because trunc_name limits max value */ - krb5_klog_syslog(LOG_NOTICE, - "Request: kadm5_rename_principal, " - "%.*s%s to %.*s%s, %s, " - "client=%.*s%s, service=%.*s%s, addr=%s", - (int)tlen1, prime_arg1, tdots1, - (int)tlen2, prime_arg2, tdots2, - errmsg ? errmsg : "success", - (int)clen, (char *)client_name.value, cdots, - (int)slen, (char *)service_name.value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); - - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); + + /* okay to cast lengths to int because trunc_name limits max value */ + krb5_klog_syslog(LOG_NOTICE, + "Request: kadm5_rename_principal, " + "%.*s%s to %.*s%s, %s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + (int)tlen1, prime_arg1, tdots1, + (int)tlen2, prime_arg2, tdots2, + errmsg ? errmsg : "success", + (int)clen, (char *)client_name.value, cdots, + (int)slen, (char *)service_name.value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg1); - free(prime_arg2); + free(prime_arg2); gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); exit_func: @@ -640,56 +641,56 @@ exit_func: gprinc_ret * get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) { - static gprinc_ret ret; - char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static gprinc_ret ret; + char *prime_arg, *funcname; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_gprinc_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; funcname = "kadm5_get_principal"; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && - (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_INQUIRE, - arg->princ, - NULL))) { - ret.code = KADM5_AUTH_GET; - log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); + (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_INQUIRE, + arg->princ, + NULL))) { + ret.code = KADM5_AUTH_GET; + log_unauth(funcname, prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_get_principal(handle, arg->princ, &ret.rec, - arg->mask); - - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + ret.code = kadm5_get_principal(handle, arg->princ, &ret.rec, + arg->mask); - log_done(funcname, prime_arg, errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + log_done(funcname, prime_arg, errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); gss_release_buffer(&minor_stat, &client_name); @@ -702,53 +703,53 @@ exit_func: gprincs_ret * get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) { - static gprincs_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static gprincs_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_gprincs_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } prime_arg = arg->exp; if (prime_arg == NULL) - prime_arg = "*"; + prime_arg = "*"; if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_LIST, - NULL, - NULL)) { - ret.code = KADM5_AUTH_LIST; - log_unauth("kadm5_get_principals", prime_arg, - &client_name, &service_name, rqstp); + rqst2name(rqstp), + ACL_LIST, + NULL, + NULL)) { + ret.code = KADM5_AUTH_LIST; + log_unauth("kadm5_get_principals", prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_get_principals((void *)handle, - arg->exp, &ret.princs, - &ret.count); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + ret.code = kadm5_get_principals((void *)handle, + arg->exp, &ret.princs, + &ret.count); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_get_principals", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_get_principals", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } gss_release_buffer(&minor_stat, &client_name); @@ -761,57 +762,57 @@ exit_func: generic_ret * chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, - FALSE, 0, NULL, arg->pass); + ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, + FALSE, 0, NULL, arg->pass); } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret.code = kadm5_chpass_principal((void *)handle, arg->princ, - arg->pass); + kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); } else { - log_unauth("kadm5_chpass_principal", prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; + log_unauth("kadm5_chpass_principal", prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; } if (ret.code != KADM5_AUTH_CHANGEPW) { - if (ret.code != 0) - errmsg = krb5_get_error_message(handle->context, ret.code); + if (ret.code != 0) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_chpass_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_chpass_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); @@ -825,63 +826,63 @@ exit_func: generic_ret * chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, - arg->keepold, - arg->n_ks_tuple, - arg->ks_tuple, - arg->pass); + ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, + arg->pass); } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ, - arg->keepold, - arg->n_ks_tuple, - arg->ks_tuple, - arg->pass); + kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, + arg->pass); } else { - log_unauth("kadm5_chpass_principal", prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; + log_unauth("kadm5_chpass_principal", prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; } if(ret.code != KADM5_AUTH_CHANGEPW) { - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_chpass_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_chpass_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); @@ -895,54 +896,54 @@ exit_func: generic_ret * setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_SETKEY, arg->princ, NULL)) { - ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, - arg->keyblock); + kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_SETKEY, arg->princ, NULL)) { + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); } else { - log_unauth("kadm5_setv4key_principal", prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_SETKEY; + log_unauth("kadm5_setv4key_principal", prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; } if(ret.code != KADM5_AUTH_SETKEY) { - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_setv4key_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_setv4key_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); @@ -956,54 +957,54 @@ exit_func: generic_ret * setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_SETKEY, arg->princ, NULL)) { - ret.code = kadm5_setkey_principal((void *)handle, arg->princ, - arg->keyblocks, arg->n_keys); + kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_SETKEY, arg->princ, NULL)) { + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); } else { - log_unauth("kadm5_setkey_principal", prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_SETKEY; + log_unauth("kadm5_setkey_principal", prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; } if(ret.code != KADM5_AUTH_SETKEY) { - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_setkey_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_setkey_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); @@ -1017,57 +1018,57 @@ exit_func: generic_ret * setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_SETKEY, arg->princ, NULL)) { - ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ, - arg->keepold, - arg->n_ks_tuple, - arg->ks_tuple, - arg->keyblocks, arg->n_keys); + kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_SETKEY, arg->princ, NULL)) { + ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, + arg->keyblocks, arg->n_keys); } else { - log_unauth("kadm5_setkey_principal", prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_SETKEY; + log_unauth("kadm5_setkey_principal", prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; } if(ret.code != KADM5_AUTH_SETKEY) { - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_setkey_principal", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_setkey_principal", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); @@ -1081,66 +1082,66 @@ exit_func: chrand_ret * chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) { - static chrand_ret ret; - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static chrand_ret ret; + krb5_keyblock *k; + int nkeys; + char *prime_arg, *funcname; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_chrand_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; funcname = "kadm5_randkey_principal"; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, - FALSE, 0, NULL, &k, &nkeys); + ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, + FALSE, 0, NULL, &k, &nkeys); } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret.code = kadm5_randkey_principal((void *)handle, arg->princ, - &k, &nkeys); + kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); } else { - log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; + log_unauth(funcname, prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; } if(ret.code == KADM5_OK) { - ret.keys = k; - ret.n_keys = nkeys; + ret.keys = k; + ret.n_keys = nkeys; } if(ret.code != KADM5_AUTH_CHANGEPW) { - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done(funcname, prime_arg, errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done(funcname, prime_arg, errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); gss_release_buffer(&minor_stat, &client_name); @@ -1153,71 +1154,71 @@ exit_func: chrand_ret * chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) { - static chrand_ret ret; - krb5_keyblock *k; - int nkeys; - char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static chrand_ret ret; + krb5_keyblock *k; + int nkeys; + char *prime_arg, *funcname; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_chrand_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; funcname = "kadm5_randkey_principal"; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) { - ret.code = KADM5_BAD_PRINCIPAL; - goto exit_func; + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; } if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, - arg->keepold, - arg->n_ks_tuple, - arg->ks_tuple, - &k, &nkeys); + ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, + &k, &nkeys); } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ, - arg->keepold, - arg->n_ks_tuple, - arg->ks_tuple, - &k, &nkeys); + kadm5int_acl_check(handle->context, rqst2name(rqstp), + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, + &k, &nkeys); } else { - log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; + log_unauth(funcname, prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; } if(ret.code == KADM5_OK) { - ret.keys = k; - ret.n_keys = nkeys; + ret.keys = k; + ret.n_keys = nkeys; } if(ret.code != KADM5_AUTH_CHANGEPW) { - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done(funcname, prime_arg, errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done(funcname, prime_arg, errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } free(prime_arg); gss_release_buffer(&minor_stat, &client_name); @@ -1230,50 +1231,50 @@ exit_func: generic_ret * create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } prime_arg = arg->rec.policy; if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_ADD, NULL, NULL)) { - ret.code = KADM5_AUTH_ADD; - log_unauth("kadm5_create_policy", prime_arg, - &client_name, &service_name, rqstp); + rqst2name(rqstp), + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; + log_unauth("kadm5_create_policy", prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_create_policy((void *)handle, &arg->rec, - arg->mask); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); - - log_done("kadm5_create_policy", - ((prime_arg == NULL) ? "(null)" : prime_arg), - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); - - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + ret.code = kadm5_create_policy((void *)handle, &arg->rec, + arg->mask); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); + + log_done("kadm5_create_policy", + ((prime_arg == NULL) ? "(null)" : prime_arg), + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); @@ -1285,48 +1286,48 @@ exit_func: generic_ret * delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } prime_arg = arg->name; - + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_DELETE, NULL, NULL)) { - log_unauth("kadm5_delete_policy", prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_DELETE; + rqst2name(rqstp), + ACL_DELETE, NULL, NULL)) { + log_unauth("kadm5_delete_policy", prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_DELETE; } else { - ret.code = kadm5_delete_policy((void *)handle, arg->name); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + ret.code = kadm5_delete_policy((void *)handle, arg->name); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_delete_policy", - ((prime_arg == NULL) ? "(null)" : prime_arg), - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_delete_policy", + ((prime_arg == NULL) ? "(null)" : prime_arg), + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); @@ -1338,49 +1339,49 @@ exit_func: generic_ret * modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) { - static generic_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static generic_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_generic_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } prime_arg = arg->rec.policy; if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_MODIFY, NULL, NULL)) { - log_unauth("kadm5_modify_policy", prime_arg, - &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_MODIFY; + rqst2name(rqstp), + ACL_MODIFY, NULL, NULL)) { + log_unauth("kadm5_modify_policy", prime_arg, + &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_MODIFY; } else { - ret.code = kadm5_modify_policy((void *)handle, &arg->rec, - arg->mask); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); - - log_done("kadm5_modify_policy", - ((prime_arg == NULL) ? "(null)" : prime_arg), - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); - - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + ret.code = kadm5_modify_policy((void *)handle, &arg->rec, + arg->mask); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); + + log_done("kadm5_modify_policy", + ((prime_arg == NULL) ? "(null)" : prime_arg), + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); @@ -1389,74 +1390,74 @@ exit_func: return &ret; } -gpol_ret * +gpol_ret * get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) { - static gpol_ret ret; - kadm5_ret_t ret2; - char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_principal_ent_rec caller_ent; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static gpol_ret ret; + kadm5_ret_t ret2; + char *prime_arg, *funcname; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_principal_ent_rec caller_ent; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_gpol_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; funcname = "kadm5_get_policy"; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } prime_arg = arg->name; ret.code = KADM5_AUTH_GET; if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_INQUIRE, NULL, NULL)) - ret.code = KADM5_OK; + rqst2name(rqstp), + ACL_INQUIRE, NULL, NULL)) + ret.code = KADM5_OK; else { - ret.code = kadm5_get_principal(handle->lhandle, - handle->current_caller, - &caller_ent, - KADM5_PRINCIPAL_NORMAL_MASK); - if (ret.code == KADM5_OK) { - if (caller_ent.aux_attributes & KADM5_POLICY && - strcmp(caller_ent.policy, arg->name) == 0) { - ret.code = KADM5_OK; - } else ret.code = KADM5_AUTH_GET; - ret2 = kadm5_free_principal_ent(handle->lhandle, - &caller_ent); - ret.code = ret.code ? ret.code : ret2; - } - } - + ret.code = kadm5_get_principal(handle->lhandle, + handle->current_caller, + &caller_ent, + KADM5_PRINCIPAL_NORMAL_MASK); + if (ret.code == KADM5_OK) { + if (caller_ent.aux_attributes & KADM5_POLICY && + strcmp(caller_ent.policy, arg->name) == 0) { + ret.code = KADM5_OK; + } else ret.code = KADM5_AUTH_GET; + ret2 = kadm5_free_principal_ent(handle->lhandle, + &caller_ent); + ret.code = ret.code ? ret.code : ret2; + } + } + if (ret.code == KADM5_OK) { - ret.code = kadm5_get_policy(handle, arg->name, &ret.rec); - - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); - - log_done(funcname, - ((prime_arg == NULL) ? "(null)" : prime_arg), - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + ret.code = kadm5_get_policy(handle, arg->name, &ret.rec); + + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); + + log_done(funcname, + ((prime_arg == NULL) ? "(null)" : prime_arg), + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } else { - log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); + log_unauth(funcname, prime_arg, + &client_name, &service_name, rqstp); } gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); @@ -1469,51 +1470,51 @@ exit_func: gpols_ret * get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) { - static gpols_ret ret; - char *prime_arg; - gss_buffer_desc client_name, - service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static gpols_ret ret; + char *prime_arg; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; xdr_free(xdr_gpols_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) - goto exit_func; + goto exit_func; if ((ret.code = check_handle((void *)handle))) - goto exit_func; + goto exit_func; ret.api_version = handle->api_version; if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; + ret.code = KADM5_FAILURE; + goto exit_func; } prime_arg = arg->exp; if (prime_arg == NULL) - prime_arg = "*"; + prime_arg = "*"; if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_LIST, NULL, NULL)) { - ret.code = KADM5_AUTH_LIST; - log_unauth("kadm5_get_policies", prime_arg, - &client_name, &service_name, rqstp); + rqst2name(rqstp), + ACL_LIST, NULL, NULL)) { + ret.code = KADM5_AUTH_LIST; + log_unauth("kadm5_get_policies", prime_arg, + &client_name, &service_name, rqstp); } else { - ret.code = kadm5_get_policies((void *)handle, - arg->exp, &ret.pols, - &ret.count); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); - - log_done("kadm5_get_policies", prime_arg, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); - - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + ret.code = kadm5_get_policies((void *)handle, + arg->exp, &ret.pols, + &ret.count); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); + + log_done("kadm5_get_policies", prime_arg, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); } gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); @@ -1524,104 +1525,104 @@ exit_func: getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) { - static getprivs_ret ret; - gss_buffer_desc client_name, service_name; - OM_uint32 minor_stat; - kadm5_server_handle_t handle; - const char *errmsg = NULL; + static getprivs_ret ret; + gss_buffer_desc client_name, service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; - xdr_free(xdr_getprivs_ret, &ret); + xdr_free(xdr_getprivs_ret, &ret); - if ((ret.code = new_server_handle(*arg, rqstp, &handle))) - goto exit_func; + if ((ret.code = new_server_handle(*arg, rqstp, &handle))) + goto exit_func; - if ((ret.code = check_handle((void *)handle))) - goto exit_func; + if ((ret.code = check_handle((void *)handle))) + goto exit_func; - ret.api_version = handle->api_version; + ret.api_version = handle->api_version; - if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; - } + if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { + ret.code = KADM5_FAILURE; + goto exit_func; + } - ret.code = kadm5_get_privs((void *)handle, &ret.privs); - if( ret.code != 0 ) - errmsg = krb5_get_error_message(handle->context, ret.code); + ret.code = kadm5_get_privs((void *)handle, &ret.privs); + if( ret.code != 0 ) + errmsg = krb5_get_error_message(handle->context, ret.code); - log_done("kadm5_get_privs", client_name.value, - errmsg ? errmsg : "success", - &client_name, &service_name, rqstp); + log_done("kadm5_get_privs", client_name.value, + errmsg ? errmsg : "success", + &client_name, &service_name, rqstp); - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); exit_func: - free_server_handle(handle); - return &ret; + free_server_handle(handle); + return &ret; } generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) { - static generic_ret ret; - gss_buffer_desc client_name, - service_name; - kadm5_server_handle_t handle; - OM_uint32 minor_stat; - const char *errmsg = NULL; - size_t clen, slen; - char *cdots, *sdots; - - xdr_free(xdr_generic_ret, &ret); - - if ((ret.code = new_server_handle(*arg, rqstp, &handle))) - goto exit_func; - if (! (ret.code = check_handle((void *)handle))) { - ret.api_version = handle->api_version; - } - - free_server_handle(handle); - - if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { - ret.code = KADM5_FAILURE; - goto exit_func; - } - - if (ret.code != 0) - errmsg = krb5_get_error_message(NULL, ret.code); - - clen = client_name.length; - trunc_name(&clen, &cdots); - slen = service_name.length; - trunc_name(&slen, &sdots); - /* okay to cast lengths to int because trunc_name limits max value */ - krb5_klog_syslog(LOG_NOTICE, "Request: kadm5_init, %.*s%s, %s, " - "client=%.*s%s, service=%.*s%s, addr=%s, " - "vers=%d, flavor=%d", - (int)clen, (char *)client_name.value, cdots, - errmsg ? errmsg : "success", - (int)clen, (char *)client_name.value, cdots, - (int)slen, (char *)service_name.value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), - ret.api_version & ~(KADM5_API_VERSION_MASK), - rqstp->rq_cred.oa_flavor); - if (errmsg != NULL) - krb5_free_error_message(NULL, errmsg); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); - + static generic_ret ret; + gss_buffer_desc client_name, + service_name; + kadm5_server_handle_t handle; + OM_uint32 minor_stat; + const char *errmsg = NULL; + size_t clen, slen; + char *cdots, *sdots; + + xdr_free(xdr_generic_ret, &ret); + + if ((ret.code = new_server_handle(*arg, rqstp, &handle))) + goto exit_func; + if (! (ret.code = check_handle((void *)handle))) { + ret.api_version = handle->api_version; + } + + free_server_handle(handle); + + if (setup_gss_names(rqstp, &client_name, &service_name) < 0) { + ret.code = KADM5_FAILURE; + goto exit_func; + } + + if (ret.code != 0) + errmsg = krb5_get_error_message(NULL, ret.code); + + clen = client_name.length; + trunc_name(&clen, &cdots); + slen = service_name.length; + trunc_name(&slen, &sdots); + /* okay to cast lengths to int because trunc_name limits max value */ + krb5_klog_syslog(LOG_NOTICE, "Request: kadm5_init, %.*s%s, %s, " + "client=%.*s%s, service=%.*s%s, addr=%s, " + "vers=%d, flavor=%d", + (int)clen, (char *)client_name.value, cdots, + errmsg ? errmsg : "success", + (int)clen, (char *)client_name.value, cdots, + (int)slen, (char *)service_name.value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), + ret.api_version & ~(KADM5_API_VERSION_MASK), + rqstp->rq_cred.oa_flavor); + if (errmsg != NULL) + krb5_free_error_message(NULL, errmsg); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); + exit_func: - return(&ret); + return(&ret); } gss_name_t rqst2name(struct svc_req *rqstp) { - if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS) - return rqstp->rq_clntname; - else - return rqstp->rq_clntcred; + if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS) + return rqstp->rq_clntname; + else + return rqstp->rq_clntcred; } diff --git a/src/kadmin/testing/util/bsddb_dump.c b/src/kadmin/testing/util/bsddb_dump.c index ba69b8461..5dbe7ae9c 100644 --- a/src/kadmin/testing/util/bsddb_dump.c +++ b/src/kadmin/testing/util/bsddb_dump.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * $Id$ */ @@ -9,56 +10,56 @@ main(int argc, char *argv[]) { - char *file; - DB *db; - DBT dbkey, dbdata; - int code, i; + char *file; + DB *db; + DBT dbkey, dbdata; + int code, i; - HASHINFO info; + HASHINFO info; - info.hash = NULL; - info.bsize = 256; - info.ffactor = 8; - info.nelem = 25000; - info.lorder = 0; + info.hash = NULL; + info.bsize = 256; + info.ffactor = 8; + info.nelem = 25000; + info.lorder = 0; - if (argc != 2) { - fprintf(stderr, "usage: argv[0] dbfile\n"); - exit(2); - } - - file = argv[1]; + if (argc != 2) { + fprintf(stderr, "usage: argv[0] dbfile\n"); + exit(2); + } - if((db = dbopen(file, O_RDWR, 0666, DB_HASH, &info)) == NULL) { - perror("Opening db file"); - exit(1); - } + file = argv[1]; - if ((code = (*db->seq)(db, &dbkey, &dbdata, R_FIRST)) == -1) { - perror("starting db iteration"); - exit(1); - } + if((db = dbopen(file, O_RDWR, 0666, DB_HASH, &info)) == NULL) { + perror("Opening db file"); + exit(1); + } - while (code == 0) { - for (i=0; iseq)(db, &dbkey, &dbdata, R_FIRST)) == -1) { + perror("starting db iteration"); + exit(1); + } - code = (*db->seq)(db, &dbkey, &dbdata, R_NEXT); - } + while (code == 0) { + for (i=0; iseq)(db, &dbkey, &dbdata, R_NEXT); + } - if ((*db->close)(db) == -1) { - perror("closing db"); - exit(1); - } + if (code == -1) { + perror("during db iteration"); + exit(1); + } - exit(0); + if ((*db->close)(db) == -1) { + perror("closing db"); + exit(1); + } + + exit(0); } diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c index 08f3a52a4..b28635699 100644 --- a/src/kadmin/testing/util/tcl_kadm5.c +++ b/src/kadmin/testing/util/tcl_kadm5.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "autoconf.h" #include #include @@ -15,96 +16,96 @@ #include "tcl_kadm5.h" struct flagval { - char *name; - krb5_flags val; + char *name; + krb5_flags val; }; /* XXX This should probably be in the hash table like server_handle */ static krb5_context context; static struct flagval krb5_flags_array[] = { - {"KRB5_KDB_DISALLOW_POSTDATED", KRB5_KDB_DISALLOW_POSTDATED}, - {"KRB5_KDB_DISALLOW_FORWARDABLE", KRB5_KDB_DISALLOW_FORWARDABLE}, - {"KRB5_KDB_DISALLOW_TGT_BASED", KRB5_KDB_DISALLOW_TGT_BASED}, - {"KRB5_KDB_DISALLOW_RENEWABLE", KRB5_KDB_DISALLOW_RENEWABLE}, - {"KRB5_KDB_DISALLOW_PROXIABLE", KRB5_KDB_DISALLOW_PROXIABLE}, - {"KRB5_KDB_DISALLOW_DUP_SKEY", KRB5_KDB_DISALLOW_DUP_SKEY}, - {"KRB5_KDB_DISALLOW_ALL_TIX", KRB5_KDB_DISALLOW_ALL_TIX}, - {"KRB5_KDB_REQUIRES_PRE_AUTH", KRB5_KDB_REQUIRES_PRE_AUTH}, - {"KRB5_KDB_REQUIRES_HW_AUTH", KRB5_KDB_REQUIRES_HW_AUTH}, - {"KRB5_KDB_REQUIRES_PWCHANGE", KRB5_KDB_REQUIRES_PWCHANGE}, - {"KRB5_KDB_DISALLOW_SVR", KRB5_KDB_DISALLOW_SVR}, - {"KRB5_KDB_PWCHANGE_SERVICE", KRB5_KDB_PWCHANGE_SERVICE} + {"KRB5_KDB_DISALLOW_POSTDATED", KRB5_KDB_DISALLOW_POSTDATED}, + {"KRB5_KDB_DISALLOW_FORWARDABLE", KRB5_KDB_DISALLOW_FORWARDABLE}, + {"KRB5_KDB_DISALLOW_TGT_BASED", KRB5_KDB_DISALLOW_TGT_BASED}, + {"KRB5_KDB_DISALLOW_RENEWABLE", KRB5_KDB_DISALLOW_RENEWABLE}, + {"KRB5_KDB_DISALLOW_PROXIABLE", KRB5_KDB_DISALLOW_PROXIABLE}, + {"KRB5_KDB_DISALLOW_DUP_SKEY", KRB5_KDB_DISALLOW_DUP_SKEY}, + {"KRB5_KDB_DISALLOW_ALL_TIX", KRB5_KDB_DISALLOW_ALL_TIX}, + {"KRB5_KDB_REQUIRES_PRE_AUTH", KRB5_KDB_REQUIRES_PRE_AUTH}, + {"KRB5_KDB_REQUIRES_HW_AUTH", KRB5_KDB_REQUIRES_HW_AUTH}, + {"KRB5_KDB_REQUIRES_PWCHANGE", KRB5_KDB_REQUIRES_PWCHANGE}, + {"KRB5_KDB_DISALLOW_SVR", KRB5_KDB_DISALLOW_SVR}, + {"KRB5_KDB_PWCHANGE_SERVICE", KRB5_KDB_PWCHANGE_SERVICE} }; static struct flagval aux_attributes[] = { - {"KADM5_POLICY", KADM5_POLICY} + {"KADM5_POLICY", KADM5_POLICY} }; static struct flagval principal_mask_flags[] = { - {"KADM5_PRINCIPAL", KADM5_PRINCIPAL}, - {"KADM5_PRINC_EXPIRE_TIME", KADM5_PRINC_EXPIRE_TIME}, - {"KADM5_PW_EXPIRATION", KADM5_PW_EXPIRATION}, - {"KADM5_LAST_PWD_CHANGE", KADM5_LAST_PWD_CHANGE}, - {"KADM5_ATTRIBUTES", KADM5_ATTRIBUTES}, - {"KADM5_MAX_LIFE", KADM5_MAX_LIFE}, - {"KADM5_MOD_TIME", KADM5_MOD_TIME}, - {"KADM5_MOD_NAME", KADM5_MOD_NAME}, - {"KADM5_KVNO", KADM5_KVNO}, - {"KADM5_MKVNO", KADM5_MKVNO}, - {"KADM5_AUX_ATTRIBUTES", KADM5_AUX_ATTRIBUTES}, - {"KADM5_POLICY", KADM5_POLICY}, - {"KADM5_POLICY_CLR", KADM5_POLICY_CLR}, - {"KADM5_MAX_RLIFE", KADM5_MAX_RLIFE}, - {"KADM5_LAST_SUCCESS", KADM5_LAST_SUCCESS}, - {"KADM5_LAST_FAILED", KADM5_LAST_FAILED}, - {"KADM5_FAIL_AUTH_COUNT", KADM5_FAIL_AUTH_COUNT}, - {"KADM5_KEY_DATA", KADM5_KEY_DATA}, - {"KADM5_TL_DATA", KADM5_TL_DATA}, - {"KADM5_PRINCIPAL_NORMAL_MASK", KADM5_PRINCIPAL_NORMAL_MASK} + {"KADM5_PRINCIPAL", KADM5_PRINCIPAL}, + {"KADM5_PRINC_EXPIRE_TIME", KADM5_PRINC_EXPIRE_TIME}, + {"KADM5_PW_EXPIRATION", KADM5_PW_EXPIRATION}, + {"KADM5_LAST_PWD_CHANGE", KADM5_LAST_PWD_CHANGE}, + {"KADM5_ATTRIBUTES", KADM5_ATTRIBUTES}, + {"KADM5_MAX_LIFE", KADM5_MAX_LIFE}, + {"KADM5_MOD_TIME", KADM5_MOD_TIME}, + {"KADM5_MOD_NAME", KADM5_MOD_NAME}, + {"KADM5_KVNO", KADM5_KVNO}, + {"KADM5_MKVNO", KADM5_MKVNO}, + {"KADM5_AUX_ATTRIBUTES", KADM5_AUX_ATTRIBUTES}, + {"KADM5_POLICY", KADM5_POLICY}, + {"KADM5_POLICY_CLR", KADM5_POLICY_CLR}, + {"KADM5_MAX_RLIFE", KADM5_MAX_RLIFE}, + {"KADM5_LAST_SUCCESS", KADM5_LAST_SUCCESS}, + {"KADM5_LAST_FAILED", KADM5_LAST_FAILED}, + {"KADM5_FAIL_AUTH_COUNT", KADM5_FAIL_AUTH_COUNT}, + {"KADM5_KEY_DATA", KADM5_KEY_DATA}, + {"KADM5_TL_DATA", KADM5_TL_DATA}, + {"KADM5_PRINCIPAL_NORMAL_MASK", KADM5_PRINCIPAL_NORMAL_MASK} }; static struct flagval policy_mask_flags[] = { - {"KADM5_POLICY", KADM5_POLICY}, - {"KADM5_PW_MAX_LIFE", KADM5_PW_MAX_LIFE}, - {"KADM5_PW_MIN_LIFE", KADM5_PW_MIN_LIFE}, - {"KADM5_PW_MIN_LENGTH", KADM5_PW_MIN_LENGTH}, - {"KADM5_PW_MIN_CLASSES", KADM5_PW_MIN_CLASSES}, - {"KADM5_PW_HISTORY_NUM", KADM5_PW_HISTORY_NUM}, - {"KADM5_REF_COUNT", KADM5_REF_COUNT}, - {"KADM5_PW_MAX_FAILURE", KADM5_PW_MAX_FAILURE}, - {"KADM5_PW_FAILURE_COUNT_INTERVAL", KADM5_PW_FAILURE_COUNT_INTERVAL}, - {"KADM5_PW_LOCKOUT_DURATION", KADM5_PW_LOCKOUT_DURATION}, + {"KADM5_POLICY", KADM5_POLICY}, + {"KADM5_PW_MAX_LIFE", KADM5_PW_MAX_LIFE}, + {"KADM5_PW_MIN_LIFE", KADM5_PW_MIN_LIFE}, + {"KADM5_PW_MIN_LENGTH", KADM5_PW_MIN_LENGTH}, + {"KADM5_PW_MIN_CLASSES", KADM5_PW_MIN_CLASSES}, + {"KADM5_PW_HISTORY_NUM", KADM5_PW_HISTORY_NUM}, + {"KADM5_REF_COUNT", KADM5_REF_COUNT}, + {"KADM5_PW_MAX_FAILURE", KADM5_PW_MAX_FAILURE}, + {"KADM5_PW_FAILURE_COUNT_INTERVAL", KADM5_PW_FAILURE_COUNT_INTERVAL}, + {"KADM5_PW_LOCKOUT_DURATION", KADM5_PW_LOCKOUT_DURATION}, }; static struct flagval config_mask_flags[] = { - {"KADM5_CONFIG_REALM", KADM5_CONFIG_REALM}, - {"KADM5_CONFIG_DBNAME", KADM5_CONFIG_DBNAME}, - {"KADM5_CONFIG_MKEY_NAME", KADM5_CONFIG_MKEY_NAME}, - {"KADM5_CONFIG_MAX_LIFE", KADM5_CONFIG_MAX_LIFE}, - {"KADM5_CONFIG_MAX_RLIFE", KADM5_CONFIG_MAX_RLIFE}, - {"KADM5_CONFIG_EXPIRATION", KADM5_CONFIG_EXPIRATION}, - {"KADM5_CONFIG_FLAGS", KADM5_CONFIG_FLAGS}, - {"KADM5_CONFIG_ADMIN_KEYTAB", KADM5_CONFIG_ADMIN_KEYTAB}, - {"KADM5_CONFIG_STASH_FILE", KADM5_CONFIG_STASH_FILE}, - {"KADM5_CONFIG_ENCTYPE", KADM5_CONFIG_ENCTYPE}, - {"KADM5_CONFIG_ADBNAME", KADM5_CONFIG_ADBNAME}, - {"KADM5_CONFIG_ADB_LOCKFILE", KADM5_CONFIG_ADB_LOCKFILE}, - {"KADM5_CONFIG_ACL_FILE", KADM5_CONFIG_ACL_FILE}, - {"KADM5_CONFIG_KADMIND_PORT", KADM5_CONFIG_KADMIND_PORT}, - {"KADM5_CONFIG_ENCTYPES", KADM5_CONFIG_ENCTYPES}, - {"KADM5_CONFIG_ADMIN_SERVER", KADM5_CONFIG_ADMIN_SERVER}, - {"KADM5_CONFIG_DICT_FILE", KADM5_CONFIG_DICT_FILE}, - {"KADM5_CONFIG_MKEY_FROM_KBD", KADM5_CONFIG_MKEY_FROM_KBD}, + {"KADM5_CONFIG_REALM", KADM5_CONFIG_REALM}, + {"KADM5_CONFIG_DBNAME", KADM5_CONFIG_DBNAME}, + {"KADM5_CONFIG_MKEY_NAME", KADM5_CONFIG_MKEY_NAME}, + {"KADM5_CONFIG_MAX_LIFE", KADM5_CONFIG_MAX_LIFE}, + {"KADM5_CONFIG_MAX_RLIFE", KADM5_CONFIG_MAX_RLIFE}, + {"KADM5_CONFIG_EXPIRATION", KADM5_CONFIG_EXPIRATION}, + {"KADM5_CONFIG_FLAGS", KADM5_CONFIG_FLAGS}, + {"KADM5_CONFIG_ADMIN_KEYTAB", KADM5_CONFIG_ADMIN_KEYTAB}, + {"KADM5_CONFIG_STASH_FILE", KADM5_CONFIG_STASH_FILE}, + {"KADM5_CONFIG_ENCTYPE", KADM5_CONFIG_ENCTYPE}, + {"KADM5_CONFIG_ADBNAME", KADM5_CONFIG_ADBNAME}, + {"KADM5_CONFIG_ADB_LOCKFILE", KADM5_CONFIG_ADB_LOCKFILE}, + {"KADM5_CONFIG_ACL_FILE", KADM5_CONFIG_ACL_FILE}, + {"KADM5_CONFIG_KADMIND_PORT", KADM5_CONFIG_KADMIND_PORT}, + {"KADM5_CONFIG_ENCTYPES", KADM5_CONFIG_ENCTYPES}, + {"KADM5_CONFIG_ADMIN_SERVER", KADM5_CONFIG_ADMIN_SERVER}, + {"KADM5_CONFIG_DICT_FILE", KADM5_CONFIG_DICT_FILE}, + {"KADM5_CONFIG_MKEY_FROM_KBD", KADM5_CONFIG_MKEY_FROM_KBD}, }; static struct flagval priv_flags[] = { - {"KADM5_PRIV_GET", KADM5_PRIV_GET}, - {"KADM5_PRIV_ADD", KADM5_PRIV_ADD}, - {"KADM5_PRIV_MODIFY", KADM5_PRIV_MODIFY}, - {"KADM5_PRIV_DELETE", KADM5_PRIV_DELETE} + {"KADM5_PRIV_GET", KADM5_PRIV_GET}, + {"KADM5_PRIV_ADD", KADM5_PRIV_ADD}, + {"KADM5_PRIV_MODIFY", KADM5_PRIV_MODIFY}, + {"KADM5_PRIV_DELETE", KADM5_PRIV_DELETE} }; - + static char *arg_error = "wrong # args"; @@ -117,18 +118,18 @@ static int put_server_handle(Tcl_Interp *interp, void *handle, char **name) Tcl_HashEntry *entry; if (! struct_table) { - if (! (struct_table = - malloc(sizeof(*struct_table)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - Tcl_InitHashTable(struct_table, TCL_STRING_KEYS); + if (! (struct_table = + malloc(sizeof(*struct_table)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + Tcl_InitHashTable(struct_table, TCL_STRING_KEYS); } do { - sprintf(buf, "kadm5_handle%d", i); - entry = Tcl_CreateHashEntry(struct_table, buf, &newPtr); - i++; + sprintf(buf, "kadm5_handle%d", i); + entry = Tcl_CreateHashEntry(struct_table, buf, &newPtr); + i++; } while (! newPtr); Tcl_SetHashValue(entry, handle); @@ -139,19 +140,19 @@ static int put_server_handle(Tcl_Interp *interp, void *handle, char **name) } static int get_server_handle(Tcl_Interp *interp, const char *name, - void **handle) + void **handle) { Tcl_HashEntry *entry; if(!strcasecmp(name, "null")) - *handle = 0; + *handle = 0; else { - if (! (struct_table && - (entry = Tcl_FindHashEntry(struct_table, name)))) { - Tcl_AppendResult(interp, "unknown server handle ", name, 0); - return TCL_ERROR; - } - *handle = (void *) Tcl_GetHashValue(entry); + if (! (struct_table && + (entry = Tcl_FindHashEntry(struct_table, name)))) { + Tcl_AppendResult(interp, "unknown server handle ", name, 0); + return TCL_ERROR; + } + *handle = (void *) Tcl_GetHashValue(entry); } return TCL_OK; } @@ -161,2413 +162,2413 @@ static int remove_server_handle(Tcl_Interp *interp, const char *name) Tcl_HashEntry *entry; if (! (struct_table && - (entry = Tcl_FindHashEntry(struct_table, name)))) { - Tcl_AppendResult(interp, "unknown server handle ", name, 0); - return TCL_ERROR; + (entry = Tcl_FindHashEntry(struct_table, name)))) { + Tcl_AppendResult(interp, "unknown server handle ", name, 0); + return TCL_ERROR; } Tcl_SetHashValue(entry, NULL); return TCL_OK; } -#define GET_HANDLE(num_args, ignored) \ - void *server_handle; \ - const char *whoami = argv[0]; \ - argv++, argc--; \ - if (argc != num_args + 1) { \ - Tcl_AppendResult(interp, whoami, ": ", arg_error, 0); \ - return TCL_ERROR; \ - } \ - { \ - int ltcl_ret; \ - if ((ltcl_ret = get_server_handle(interp, argv[0], &server_handle)) \ - != TCL_OK) { \ - return ltcl_ret; \ - } \ - } \ +#define GET_HANDLE(num_args, ignored) \ + void *server_handle; \ + const char *whoami = argv[0]; \ + argv++, argc--; \ + if (argc != num_args + 1) { \ + Tcl_AppendResult(interp, whoami, ": ", arg_error, 0); \ + return TCL_ERROR; \ + } \ + { \ + int ltcl_ret; \ + if ((ltcl_ret = get_server_handle(interp, argv[0], &server_handle)) \ + != TCL_OK) { \ + return ltcl_ret; \ + } \ + } \ argv++, argc--; static Tcl_HashTable *create_flag_table(struct flagval *flags, int size) { - Tcl_HashTable *table; - Tcl_HashEntry *entry; - int i; + Tcl_HashTable *table; + Tcl_HashEntry *entry; + int i; - if (! (table = (Tcl_HashTable *) malloc(sizeof(Tcl_HashTable)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } + if (! (table = (Tcl_HashTable *) malloc(sizeof(Tcl_HashTable)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } - Tcl_InitHashTable(table, TCL_STRING_KEYS); + Tcl_InitHashTable(table, TCL_STRING_KEYS); - for (i = 0; i < size; i++) { - int newPtr; - - if (! (entry = Tcl_CreateHashEntry(table, flags[i].name, &newPtr))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } + for (i = 0; i < size; i++) { + int newPtr; - Tcl_SetHashValue(entry, &flags[i].val); - } + if (! (entry = Tcl_CreateHashEntry(table, flags[i].name, &newPtr))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } - return table; + Tcl_SetHashValue(entry, &flags[i].val); + } + + return table; } static Tcl_DString *unparse_str(char *in_str) { - Tcl_DString *str; + Tcl_DString *str; - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } - Tcl_DStringInit(str); + Tcl_DStringInit(str); - if (! in_str) { - Tcl_DStringAppend(str, "null", -1); - } - else { - Tcl_DStringAppend(str, in_str, -1); - } + if (! in_str) { + Tcl_DStringAppend(str, "null", -1); + } + else { + Tcl_DStringAppend(str, in_str, -1); + } - return str; + return str; } - + static int parse_str(Tcl_Interp *interp, const char *in_str, char **out_str) { - if (! in_str) { - *out_str = 0; - } - else if (! strcasecmp(in_str, "null")) { - *out_str = 0; - } - else { - *out_str = (char *) in_str; - } - return TCL_OK; + if (! in_str) { + *out_str = 0; + } + else if (! strcasecmp(in_str, "null")) { + *out_str = 0; + } + else { + *out_str = (char *) in_str; + } + return TCL_OK; } static void set_ok(Tcl_Interp *interp, char *string) { - Tcl_SetResult(interp, "OK", TCL_STATIC); - Tcl_AppendElement(interp, "KADM5_OK"); - Tcl_AppendElement(interp, string); + Tcl_SetResult(interp, "OK", TCL_STATIC); + Tcl_AppendElement(interp, "KADM5_OK"); + Tcl_AppendElement(interp, string); } static Tcl_DString *unparse_err(kadm5_ret_t code) { - char *code_string; - const char *error_string; - Tcl_DString *dstring; - - switch (code) { - case KADM5_FAILURE: code_string = "KADM5_FAILURE"; break; - case KADM5_AUTH_GET: code_string = "KADM5_AUTH_GET"; break; - case KADM5_AUTH_ADD: code_string = "KADM5_AUTH_ADD"; break; - case KADM5_AUTH_MODIFY: - code_string = "KADM5_AUTH_MODIFY"; break; - case KADM5_AUTH_DELETE: - code_string = "KADM5_AUTH_DELETE"; break; - case KADM5_AUTH_INSUFFICIENT: - code_string = "KADM5_AUTH_INSUFFICIENT"; break; - case KADM5_BAD_DB: code_string = "KADM5_BAD_DB"; break; - case KADM5_DUP: code_string = "KADM5_DUP"; break; - case KADM5_RPC_ERROR: code_string = "KADM5_RPC_ERROR"; break; - case KADM5_NO_SRV: code_string = "KADM5_NO_SRV"; break; - case KADM5_BAD_HIST_KEY: - code_string = "KADM5_BAD_HIST_KEY"; break; - case KADM5_NOT_INIT: code_string = "KADM5_NOT_INIT"; break; - case KADM5_INIT: code_string = "KADM5_INIT"; break; - case KADM5_BAD_PASSWORD: - code_string = "KADM5_BAD_PASSWORD"; break; - case KADM5_UNK_PRINC: code_string = "KADM5_UNK_PRINC"; break; - case KADM5_UNK_POLICY: code_string = "KADM5_UNK_POLICY"; break; - case KADM5_BAD_MASK: code_string = "KADM5_BAD_MASK"; break; - case KADM5_BAD_CLASS: code_string = "KADM5_BAD_CLASS"; break; - case KADM5_BAD_LENGTH: code_string = "KADM5_BAD_LENGTH"; break; - case KADM5_BAD_POLICY: code_string = "KADM5_BAD_POLICY"; break; - case KADM5_BAD_HISTORY: code_string = "KADM5_BAD_HISTORY"; break; - case KADM5_BAD_PRINCIPAL: - code_string = "KADM5_BAD_PRINCIPAL"; break; - case KADM5_BAD_AUX_ATTR: - code_string = "KADM5_BAD_AUX_ATTR"; break; - case KADM5_PASS_Q_TOOSHORT: - code_string = "KADM5_PASS_Q_TOOSHORT"; break; - case KADM5_PASS_Q_CLASS: - code_string = "KADM5_PASS_Q_CLASS"; break; - case KADM5_PASS_Q_DICT: - code_string = "KADM5_PASS_Q_DICT"; break; - case KADM5_PASS_REUSE: code_string = "KADM5_PASS_REUSE"; break; - case KADM5_PASS_TOOSOON: - code_string = "KADM5_PASS_TOOSOON"; break; - case KADM5_POLICY_REF: - code_string = "KADM5_POLICY_REF"; break; - case KADM5_PROTECT_PRINCIPAL: - code_string = "KADM5_PROTECT_PRINCIPAL"; break; - case KADM5_BAD_SERVER_HANDLE: - code_string = "KADM5_BAD_SERVER_HANDLE"; break; - case KADM5_BAD_STRUCT_VERSION: - code_string = "KADM5_BAD_STRUCT_VERSION"; break; - case KADM5_OLD_STRUCT_VERSION: - code_string = "KADM5_OLD_STRUCT_VERSION"; break; - case KADM5_NEW_STRUCT_VERSION: - code_string = "KADM5_NEW_STRUCT_VERSION"; break; - case KADM5_BAD_API_VERSION: - code_string = "KADM5_BAD_API_VERSION"; break; - case KADM5_OLD_LIB_API_VERSION: - code_string = "KADM5_OLD_LIB_API_VERSION"; break; - case KADM5_OLD_SERVER_API_VERSION: - code_string = "KADM5_OLD_SERVER_API_VERSION"; break; - case KADM5_NEW_LIB_API_VERSION: - code_string = "KADM5_NEW_LIB_API_VERSION"; break; - case KADM5_NEW_SERVER_API_VERSION: - code_string = "KADM5_NEW_SERVER_API_VERSION"; break; - case KADM5_SECURE_PRINC_MISSING: - code_string = "KADM5_SECURE_PRINC_MISSING"; break; - case KADM5_NO_RENAME_SALT: - code_string = "KADM5_NO_RENAME_SALT"; break; - case KADM5_BAD_CLIENT_PARAMS: - code_string = "KADM5_BAD_CLIENT_PARAMS"; break; - case KADM5_BAD_SERVER_PARAMS: - code_string = "KADM5_BAD_SERVER_PARAMS"; break; - case KADM5_AUTH_LIST: - code_string = "KADM5_AUTH_LIST"; break; - case KADM5_AUTH_CHANGEPW: - code_string = "KADM5_AUTH_CHANGEPW"; break; - case KADM5_GSS_ERROR: code_string = "KADM5_GSS_ERROR"; break; - case KADM5_BAD_TL_TYPE: code_string = "KADM5_BAD_TL_TYPE"; break; - case KADM5_MISSING_CONF_PARAMS: - code_string = "KADM5_MISSING_CONF_PARAMS"; break; - case KADM5_BAD_SERVER_NAME: - code_string = "KADM5_BAD_SERVER_NAME"; break; - case KADM5_MISSING_KRB5_CONF_PARAMS: - code_string = "KADM5_MISSING_KRB5_CONF_PARAMS"; break; - - - case OSA_ADB_DUP: code_string = "OSA_ADB_DUP"; break; - case OSA_ADB_NOENT: code_string = "ENOENT"; break; - case OSA_ADB_DBINIT: code_string = "OSA_ADB_DBINIT"; break; - case OSA_ADB_BAD_POLICY: code_string = "Bad policy name"; break; - case OSA_ADB_BAD_PRINC: code_string = "Bad principal name"; break; - case OSA_ADB_BAD_DB: code_string = "Invalid database."; break; - case OSA_ADB_XDR_FAILURE: code_string = "OSA_ADB_XDR_FAILURE"; break; - case OSA_ADB_BADLOCKMODE: code_string = "OSA_ADB_BADLOCKMODE"; break; - case OSA_ADB_CANTLOCK_DB: code_string = "OSA_ADB_CANTLOCK_DB"; break; - case OSA_ADB_NOTLOCKED: code_string = "OSA_ADB_NOTLOCKED"; break; - case OSA_ADB_NOLOCKFILE: code_string = "OSA_ADB_NOLOCKFILE"; break; - case OSA_ADB_NOEXCL_PERM: code_string = "OSA_ADB_NOEXCL_PERM"; break; - - case KRB5_KDB_INUSE: code_string = "KRB5_KDB_INUSE"; break; - case KRB5_KDB_UK_SERROR: code_string = "KRB5_KDB_UK_SERROR"; break; - case KRB5_KDB_UK_RERROR: code_string = "KRB5_KDB_UK_RERROR"; break; - case KRB5_KDB_UNAUTH: code_string = "KRB5_KDB_UNAUTH"; break; - case KRB5_KDB_NOENTRY: code_string = "KRB5_KDB_NOENTRY"; break; - case KRB5_KDB_ILL_WILDCARD: code_string = "KRB5_KDB_ILL_WILDCARD"; break; - case KRB5_KDB_DB_INUSE: code_string = "KRB5_KDB_DB_INUSE"; break; - case KRB5_KDB_DB_CHANGED: code_string = "KRB5_KDB_DB_CHANGED"; break; - case KRB5_KDB_TRUNCATED_RECORD: - code_string = "KRB5_KDB_TRUNCATED_RECORD"; break; - case KRB5_KDB_RECURSIVELOCK: - code_string = "KRB5_KDB_RECURSIVELOCK"; break; - case KRB5_KDB_NOTLOCKED: code_string = "KRB5_KDB_NOTLOCKED"; break; - case KRB5_KDB_BADLOCKMODE: code_string = "KRB5_KDB_BADLOCKMODE"; break; - case KRB5_KDB_DBNOTINITED: code_string = "KRB5_KDB_DBNOTINITED"; break; - case KRB5_KDB_DBINITED: code_string = "KRB5_KDB_DBINITED"; break; - case KRB5_KDB_ILLDIRECTION: code_string = "KRB5_KDB_ILLDIRECTION"; break; - case KRB5_KDB_NOMASTERKEY: code_string = "KRB5_KDB_NOMASTERKEY"; break; - case KRB5_KDB_BADMASTERKEY: code_string = "KRB5_KDB_BADMASTERKEY"; break; - case KRB5_KDB_INVALIDKEYSIZE: - code_string = "KRB5_KDB_INVALIDKEYSIZE"; break; - case KRB5_KDB_CANTREAD_STORED: - code_string = "KRB5_KDB_CANTREAD_STORED"; break; - case KRB5_KDB_BADSTORED_MKEY: - code_string = "KRB5_KDB_BADSTORED_MKEY"; break; - case KRB5_KDB_CANTLOCK_DB: code_string = "KRB5_KDB_CANTLOCK_DB"; break; - case KRB5_KDB_DB_CORRUPT: code_string = "KRB5_KDB_DB_CORRUPT"; break; - - case KRB5_PARSE_ILLCHAR: code_string = "KRB5_PARSE_ILLCHAR"; break; - case KRB5_PARSE_MALFORMED: code_string = "KRB5_PARSE_MALFORMED"; break; - case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: code_string = "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"; break; - case KRB5_REALM_UNKNOWN: code_string = "KRB5_REALM_UNKNOWN"; break; - case KRB5_KDC_UNREACH: code_string = "KRB5_KDC_UNREACH"; break; - case KRB5_KDCREP_MODIFIED: code_string = "KRB5_KDCREP_MODIFIED"; break; - case KRB5KRB_AP_ERR_BAD_INTEGRITY: code_string = "KRB5KRB_AP_ERR_BAD_INTEGRITY"; break; - case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: code_string = "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"; break; - case KRB5_CONFIG_BADFORMAT: code_string = "KRB5_CONFIG_BADFORMAT"; break; - - case KRB5_CC_NOTFOUND: code_string = "KRB5_CC_NOTFOUND"; break; - case KRB5_FCC_NOFILE: code_string = "KRB5_FCC_NOFILE"; break; - - case EINVAL: code_string = "EINVAL"; break; - case ENOENT: code_string = "ENOENT"; break; - - default: - fprintf(stderr, "**** CODE %ld (%s) ***\n", (long) code, - error_message (code)); - code_string = "UNKNOWN"; - break; - } - - error_string = error_message(code); - - if (! (dstring = (Tcl_DString *) malloc(sizeof(Tcl_DString)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX Do we really want to exit? Ok if this is */ - /* just a test program, but what about if it gets */ - /* used for other things later? */ - } - - Tcl_DStringInit(dstring); - - if (! (Tcl_DStringAppendElement(dstring, "ERROR") && - Tcl_DStringAppendElement(dstring, code_string) && - Tcl_DStringAppendElement(dstring, error_string))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - - return dstring; + char *code_string; + const char *error_string; + Tcl_DString *dstring; + + switch (code) { + case KADM5_FAILURE: code_string = "KADM5_FAILURE"; break; + case KADM5_AUTH_GET: code_string = "KADM5_AUTH_GET"; break; + case KADM5_AUTH_ADD: code_string = "KADM5_AUTH_ADD"; break; + case KADM5_AUTH_MODIFY: + code_string = "KADM5_AUTH_MODIFY"; break; + case KADM5_AUTH_DELETE: + code_string = "KADM5_AUTH_DELETE"; break; + case KADM5_AUTH_INSUFFICIENT: + code_string = "KADM5_AUTH_INSUFFICIENT"; break; + case KADM5_BAD_DB: code_string = "KADM5_BAD_DB"; break; + case KADM5_DUP: code_string = "KADM5_DUP"; break; + case KADM5_RPC_ERROR: code_string = "KADM5_RPC_ERROR"; break; + case KADM5_NO_SRV: code_string = "KADM5_NO_SRV"; break; + case KADM5_BAD_HIST_KEY: + code_string = "KADM5_BAD_HIST_KEY"; break; + case KADM5_NOT_INIT: code_string = "KADM5_NOT_INIT"; break; + case KADM5_INIT: code_string = "KADM5_INIT"; break; + case KADM5_BAD_PASSWORD: + code_string = "KADM5_BAD_PASSWORD"; break; + case KADM5_UNK_PRINC: code_string = "KADM5_UNK_PRINC"; break; + case KADM5_UNK_POLICY: code_string = "KADM5_UNK_POLICY"; break; + case KADM5_BAD_MASK: code_string = "KADM5_BAD_MASK"; break; + case KADM5_BAD_CLASS: code_string = "KADM5_BAD_CLASS"; break; + case KADM5_BAD_LENGTH: code_string = "KADM5_BAD_LENGTH"; break; + case KADM5_BAD_POLICY: code_string = "KADM5_BAD_POLICY"; break; + case KADM5_BAD_HISTORY: code_string = "KADM5_BAD_HISTORY"; break; + case KADM5_BAD_PRINCIPAL: + code_string = "KADM5_BAD_PRINCIPAL"; break; + case KADM5_BAD_AUX_ATTR: + code_string = "KADM5_BAD_AUX_ATTR"; break; + case KADM5_PASS_Q_TOOSHORT: + code_string = "KADM5_PASS_Q_TOOSHORT"; break; + case KADM5_PASS_Q_CLASS: + code_string = "KADM5_PASS_Q_CLASS"; break; + case KADM5_PASS_Q_DICT: + code_string = "KADM5_PASS_Q_DICT"; break; + case KADM5_PASS_REUSE: code_string = "KADM5_PASS_REUSE"; break; + case KADM5_PASS_TOOSOON: + code_string = "KADM5_PASS_TOOSOON"; break; + case KADM5_POLICY_REF: + code_string = "KADM5_POLICY_REF"; break; + case KADM5_PROTECT_PRINCIPAL: + code_string = "KADM5_PROTECT_PRINCIPAL"; break; + case KADM5_BAD_SERVER_HANDLE: + code_string = "KADM5_BAD_SERVER_HANDLE"; break; + case KADM5_BAD_STRUCT_VERSION: + code_string = "KADM5_BAD_STRUCT_VERSION"; break; + case KADM5_OLD_STRUCT_VERSION: + code_string = "KADM5_OLD_STRUCT_VERSION"; break; + case KADM5_NEW_STRUCT_VERSION: + code_string = "KADM5_NEW_STRUCT_VERSION"; break; + case KADM5_BAD_API_VERSION: + code_string = "KADM5_BAD_API_VERSION"; break; + case KADM5_OLD_LIB_API_VERSION: + code_string = "KADM5_OLD_LIB_API_VERSION"; break; + case KADM5_OLD_SERVER_API_VERSION: + code_string = "KADM5_OLD_SERVER_API_VERSION"; break; + case KADM5_NEW_LIB_API_VERSION: + code_string = "KADM5_NEW_LIB_API_VERSION"; break; + case KADM5_NEW_SERVER_API_VERSION: + code_string = "KADM5_NEW_SERVER_API_VERSION"; break; + case KADM5_SECURE_PRINC_MISSING: + code_string = "KADM5_SECURE_PRINC_MISSING"; break; + case KADM5_NO_RENAME_SALT: + code_string = "KADM5_NO_RENAME_SALT"; break; + case KADM5_BAD_CLIENT_PARAMS: + code_string = "KADM5_BAD_CLIENT_PARAMS"; break; + case KADM5_BAD_SERVER_PARAMS: + code_string = "KADM5_BAD_SERVER_PARAMS"; break; + case KADM5_AUTH_LIST: + code_string = "KADM5_AUTH_LIST"; break; + case KADM5_AUTH_CHANGEPW: + code_string = "KADM5_AUTH_CHANGEPW"; break; + case KADM5_GSS_ERROR: code_string = "KADM5_GSS_ERROR"; break; + case KADM5_BAD_TL_TYPE: code_string = "KADM5_BAD_TL_TYPE"; break; + case KADM5_MISSING_CONF_PARAMS: + code_string = "KADM5_MISSING_CONF_PARAMS"; break; + case KADM5_BAD_SERVER_NAME: + code_string = "KADM5_BAD_SERVER_NAME"; break; + case KADM5_MISSING_KRB5_CONF_PARAMS: + code_string = "KADM5_MISSING_KRB5_CONF_PARAMS"; break; + + + case OSA_ADB_DUP: code_string = "OSA_ADB_DUP"; break; + case OSA_ADB_NOENT: code_string = "ENOENT"; break; + case OSA_ADB_DBINIT: code_string = "OSA_ADB_DBINIT"; break; + case OSA_ADB_BAD_POLICY: code_string = "Bad policy name"; break; + case OSA_ADB_BAD_PRINC: code_string = "Bad principal name"; break; + case OSA_ADB_BAD_DB: code_string = "Invalid database."; break; + case OSA_ADB_XDR_FAILURE: code_string = "OSA_ADB_XDR_FAILURE"; break; + case OSA_ADB_BADLOCKMODE: code_string = "OSA_ADB_BADLOCKMODE"; break; + case OSA_ADB_CANTLOCK_DB: code_string = "OSA_ADB_CANTLOCK_DB"; break; + case OSA_ADB_NOTLOCKED: code_string = "OSA_ADB_NOTLOCKED"; break; + case OSA_ADB_NOLOCKFILE: code_string = "OSA_ADB_NOLOCKFILE"; break; + case OSA_ADB_NOEXCL_PERM: code_string = "OSA_ADB_NOEXCL_PERM"; break; + + case KRB5_KDB_INUSE: code_string = "KRB5_KDB_INUSE"; break; + case KRB5_KDB_UK_SERROR: code_string = "KRB5_KDB_UK_SERROR"; break; + case KRB5_KDB_UK_RERROR: code_string = "KRB5_KDB_UK_RERROR"; break; + case KRB5_KDB_UNAUTH: code_string = "KRB5_KDB_UNAUTH"; break; + case KRB5_KDB_NOENTRY: code_string = "KRB5_KDB_NOENTRY"; break; + case KRB5_KDB_ILL_WILDCARD: code_string = "KRB5_KDB_ILL_WILDCARD"; break; + case KRB5_KDB_DB_INUSE: code_string = "KRB5_KDB_DB_INUSE"; break; + case KRB5_KDB_DB_CHANGED: code_string = "KRB5_KDB_DB_CHANGED"; break; + case KRB5_KDB_TRUNCATED_RECORD: + code_string = "KRB5_KDB_TRUNCATED_RECORD"; break; + case KRB5_KDB_RECURSIVELOCK: + code_string = "KRB5_KDB_RECURSIVELOCK"; break; + case KRB5_KDB_NOTLOCKED: code_string = "KRB5_KDB_NOTLOCKED"; break; + case KRB5_KDB_BADLOCKMODE: code_string = "KRB5_KDB_BADLOCKMODE"; break; + case KRB5_KDB_DBNOTINITED: code_string = "KRB5_KDB_DBNOTINITED"; break; + case KRB5_KDB_DBINITED: code_string = "KRB5_KDB_DBINITED"; break; + case KRB5_KDB_ILLDIRECTION: code_string = "KRB5_KDB_ILLDIRECTION"; break; + case KRB5_KDB_NOMASTERKEY: code_string = "KRB5_KDB_NOMASTERKEY"; break; + case KRB5_KDB_BADMASTERKEY: code_string = "KRB5_KDB_BADMASTERKEY"; break; + case KRB5_KDB_INVALIDKEYSIZE: + code_string = "KRB5_KDB_INVALIDKEYSIZE"; break; + case KRB5_KDB_CANTREAD_STORED: + code_string = "KRB5_KDB_CANTREAD_STORED"; break; + case KRB5_KDB_BADSTORED_MKEY: + code_string = "KRB5_KDB_BADSTORED_MKEY"; break; + case KRB5_KDB_CANTLOCK_DB: code_string = "KRB5_KDB_CANTLOCK_DB"; break; + case KRB5_KDB_DB_CORRUPT: code_string = "KRB5_KDB_DB_CORRUPT"; break; + + case KRB5_PARSE_ILLCHAR: code_string = "KRB5_PARSE_ILLCHAR"; break; + case KRB5_PARSE_MALFORMED: code_string = "KRB5_PARSE_MALFORMED"; break; + case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: code_string = "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"; break; + case KRB5_REALM_UNKNOWN: code_string = "KRB5_REALM_UNKNOWN"; break; + case KRB5_KDC_UNREACH: code_string = "KRB5_KDC_UNREACH"; break; + case KRB5_KDCREP_MODIFIED: code_string = "KRB5_KDCREP_MODIFIED"; break; + case KRB5KRB_AP_ERR_BAD_INTEGRITY: code_string = "KRB5KRB_AP_ERR_BAD_INTEGRITY"; break; + case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: code_string = "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"; break; + case KRB5_CONFIG_BADFORMAT: code_string = "KRB5_CONFIG_BADFORMAT"; break; + + case KRB5_CC_NOTFOUND: code_string = "KRB5_CC_NOTFOUND"; break; + case KRB5_FCC_NOFILE: code_string = "KRB5_FCC_NOFILE"; break; + + case EINVAL: code_string = "EINVAL"; break; + case ENOENT: code_string = "ENOENT"; break; + + default: + fprintf(stderr, "**** CODE %ld (%s) ***\n", (long) code, + error_message (code)); + code_string = "UNKNOWN"; + break; + } + + error_string = error_message(code); + + if (! (dstring = (Tcl_DString *) malloc(sizeof(Tcl_DString)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX Do we really want to exit? Ok if this is */ + /* just a test program, but what about if it gets */ + /* used for other things later? */ + } + + Tcl_DStringInit(dstring); + + if (! (Tcl_DStringAppendElement(dstring, "ERROR") && + Tcl_DStringAppendElement(dstring, code_string) && + Tcl_DStringAppendElement(dstring, error_string))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + + return dstring; } static void stash_error(Tcl_Interp *interp, krb5_error_code code) { - Tcl_DString *dstring = unparse_err(code); - Tcl_DStringResult(interp, dstring); - Tcl_DStringFree(dstring); - free(dstring); + Tcl_DString *dstring = unparse_err(code); + Tcl_DStringResult(interp, dstring); + Tcl_DStringFree(dstring); + free(dstring); } static Tcl_DString *unparse_key_data(krb5_key_data *key_data, int n_key_data) { - Tcl_DString *str; - char buf[2048]; - int i, j; - - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - - Tcl_DStringInit(str); - for (i = 0; i < n_key_data; i++) { - krb5_key_data *key = &key_data[i]; - - Tcl_DStringStartSublist(str); - sprintf(buf, "%d", key->key_data_type[0]); - Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", key->key_data_ver > 1 ? - key->key_data_type[1] : -1); - Tcl_DStringAppendElement(str, buf); - if (key->key_data_contents[0]) { - sprintf(buf, "0x"); - for (j = 0; j < key->key_data_length[0]; j++) { - sprintf(buf + 2*(j+1), "%02x", - key->key_data_contents[0][j]); - } - } else *buf = '\0'; - Tcl_DStringAppendElement(str, buf); - Tcl_DStringEndSublist(str); - } - - return str; + Tcl_DString *str; + char buf[2048]; + int i, j; + + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + + Tcl_DStringInit(str); + for (i = 0; i < n_key_data; i++) { + krb5_key_data *key = &key_data[i]; + + Tcl_DStringStartSublist(str); + sprintf(buf, "%d", key->key_data_type[0]); + Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%d", key->key_data_ver > 1 ? + key->key_data_type[1] : -1); + Tcl_DStringAppendElement(str, buf); + if (key->key_data_contents[0]) { + sprintf(buf, "0x"); + for (j = 0; j < key->key_data_length[0]; j++) { + sprintf(buf + 2*(j+1), "%02x", + key->key_data_contents[0][j]); + } + } else *buf = '\0'; + Tcl_DStringAppendElement(str, buf); + Tcl_DStringEndSublist(str); + } + + return str; } static Tcl_DString *unparse_tl_data(krb5_tl_data *tl_data, int n_tl_data) { - Tcl_DString *str; - char buf[2048]; - - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - - Tcl_DStringInit(str); - Tcl_DStringStartSublist(str); - for (; tl_data; tl_data = tl_data->tl_data_next) { - Tcl_DStringStartSublist(str); - sprintf(buf, "%d", tl_data->tl_data_type); - Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", tl_data->tl_data_length); - Tcl_DStringAppendElement(str, buf); - Tcl_DStringAppend(str, " ", 1); - Tcl_DStringAppend(str, (char *) tl_data->tl_data_contents, - tl_data->tl_data_length); - Tcl_DStringEndSublist(str); - } - Tcl_DStringEndSublist(str); - - return str; + Tcl_DString *str; + char buf[2048]; + + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + + Tcl_DStringInit(str); + Tcl_DStringStartSublist(str); + for (; tl_data; tl_data = tl_data->tl_data_next) { + Tcl_DStringStartSublist(str); + sprintf(buf, "%d", tl_data->tl_data_type); + Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%d", tl_data->tl_data_length); + Tcl_DStringAppendElement(str, buf); + Tcl_DStringAppend(str, " ", 1); + Tcl_DStringAppend(str, (char *) tl_data->tl_data_contents, + tl_data->tl_data_length); + Tcl_DStringEndSublist(str); + } + Tcl_DStringEndSublist(str); + + return str; } static Tcl_DString *unparse_flags(struct flagval *array, int size, - krb5_int32 flags) + krb5_int32 flags) { - int i; - Tcl_DString *str; + int i; + Tcl_DString *str; - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } - Tcl_DStringInit(str); + Tcl_DStringInit(str); - for (i = 0; i < size; i++) { - if (flags & array[i].val) { - Tcl_DStringAppendElement(str, array[i].name); - } - } + for (i = 0; i < size; i++) { + if (flags & array[i].val) { + Tcl_DStringAppendElement(str, array[i].name); + } + } - return str; + return str; } static int parse_flags(Tcl_Interp *interp, Tcl_HashTable *table, - struct flagval *array, int size, const char *str, - krb5_flags *flags) + struct flagval *array, int size, const char *str, + krb5_flags *flags) { - int tmp, argc, i, retcode = TCL_OK; - const char **argv; - Tcl_HashEntry *entry; - - if (Tcl_GetInt(interp, str, &tmp) == TCL_OK) { - *flags = tmp; - return TCL_OK; - } - Tcl_ResetResult(interp); - - if (Tcl_SplitList(interp, str, &argc, &argv) != TCL_OK) { - return TCL_ERROR; - } - - if (! table) { - table = create_flag_table(array, size); - } - - *flags = 0; - - for (i = 0; i < argc; i++) { - if (! (entry = Tcl_FindHashEntry(table, argv[i]))) { - Tcl_AppendResult(interp, "unknown krb5 flag ", argv[i], 0); - retcode = TCL_ERROR; - break; - } - *flags |= *(krb5_flags *) Tcl_GetHashValue(entry); - } - - Tcl_Free((char *) argv); - return(retcode); + int tmp, argc, i, retcode = TCL_OK; + const char **argv; + Tcl_HashEntry *entry; + + if (Tcl_GetInt(interp, str, &tmp) == TCL_OK) { + *flags = tmp; + return TCL_OK; + } + Tcl_ResetResult(interp); + + if (Tcl_SplitList(interp, str, &argc, &argv) != TCL_OK) { + return TCL_ERROR; + } + + if (! table) { + table = create_flag_table(array, size); + } + + *flags = 0; + + for (i = 0; i < argc; i++) { + if (! (entry = Tcl_FindHashEntry(table, argv[i]))) { + Tcl_AppendResult(interp, "unknown krb5 flag ", argv[i], 0); + retcode = TCL_ERROR; + break; + } + *flags |= *(krb5_flags *) Tcl_GetHashValue(entry); + } + + Tcl_Free((char *) argv); + return(retcode); } static Tcl_DString *unparse_privs(krb5_flags flags) { - return unparse_flags(priv_flags, sizeof(priv_flags) / - sizeof(struct flagval), flags); + return unparse_flags(priv_flags, sizeof(priv_flags) / + sizeof(struct flagval), flags); } static Tcl_DString *unparse_krb5_flags(krb5_flags flags) { - return unparse_flags(krb5_flags_array, sizeof(krb5_flags_array) / - sizeof(struct flagval), flags); + return unparse_flags(krb5_flags_array, sizeof(krb5_flags_array) / + sizeof(struct flagval), flags); } static int parse_krb5_flags(Tcl_Interp *interp, const char *str, - krb5_flags *flags) + krb5_flags *flags) { - krb5_flags tmp; - static Tcl_HashTable *table = 0; - int tcl_ret; - - if ((tcl_ret = parse_flags(interp, table, krb5_flags_array, - sizeof(krb5_flags_array) / - sizeof(struct flagval), - str, &tmp)) != TCL_OK) { - return tcl_ret; - } - - *flags = tmp; - return TCL_OK; + krb5_flags tmp; + static Tcl_HashTable *table = 0; + int tcl_ret; + + if ((tcl_ret = parse_flags(interp, table, krb5_flags_array, + sizeof(krb5_flags_array) / + sizeof(struct flagval), + str, &tmp)) != TCL_OK) { + return tcl_ret; + } + + *flags = tmp; + return TCL_OK; } static Tcl_DString *unparse_aux_attributes(krb5_int32 flags) { - return unparse_flags(aux_attributes, sizeof(aux_attributes) / - sizeof(struct flagval), flags); + return unparse_flags(aux_attributes, sizeof(aux_attributes) / + sizeof(struct flagval), flags); } static int parse_aux_attributes(Tcl_Interp *interp, const char *str, - long *flags) + long *flags) { - krb5_flags tmp; - static Tcl_HashTable *table = 0; - int tcl_ret; - - if ((tcl_ret = parse_flags(interp, table, aux_attributes, - sizeof(aux_attributes) / - sizeof(struct flagval), - str, &tmp)) != TCL_OK) { - return tcl_ret; - } - - *flags = tmp; - return TCL_OK; + krb5_flags tmp; + static Tcl_HashTable *table = 0; + int tcl_ret; + + if ((tcl_ret = parse_flags(interp, table, aux_attributes, + sizeof(aux_attributes) / + sizeof(struct flagval), + str, &tmp)) != TCL_OK) { + return tcl_ret; + } + + *flags = tmp; + return TCL_OK; } static int parse_principal_mask(Tcl_Interp *interp, const char *str, - krb5_int32 *flags) + krb5_int32 *flags) { - krb5_flags tmp; - static Tcl_HashTable *table = 0; - int tcl_ret; - - if ((tcl_ret = parse_flags(interp, table, principal_mask_flags, - sizeof(principal_mask_flags) / - sizeof(struct flagval), - str, &tmp)) != TCL_OK) { - return tcl_ret; - } - - *flags = tmp; - return TCL_OK; + krb5_flags tmp; + static Tcl_HashTable *table = 0; + int tcl_ret; + + if ((tcl_ret = parse_flags(interp, table, principal_mask_flags, + sizeof(principal_mask_flags) / + sizeof(struct flagval), + str, &tmp)) != TCL_OK) { + return tcl_ret; + } + + *flags = tmp; + return TCL_OK; } static int parse_policy_mask(Tcl_Interp *interp, const char *str, - krb5_int32 *flags) + krb5_int32 *flags) { - krb5_flags tmp; - static Tcl_HashTable *table = 0; - int tcl_ret; - - if ((tcl_ret = parse_flags(interp, table, policy_mask_flags, - sizeof(policy_mask_flags) / - sizeof(struct flagval), - str, &tmp)) != TCL_OK) { - return tcl_ret; - } - - *flags = tmp; - return TCL_OK; + krb5_flags tmp; + static Tcl_HashTable *table = 0; + int tcl_ret; + + if ((tcl_ret = parse_flags(interp, table, policy_mask_flags, + sizeof(policy_mask_flags) / + sizeof(struct flagval), + str, &tmp)) != TCL_OK) { + return tcl_ret; + } + + *flags = tmp; + return TCL_OK; } static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ, - krb5_int32 mask) + krb5_int32 mask) { - Tcl_DString *str, *tmp_dstring; - char *tmp; - char buf[20]; - krb5_error_code krb5_ret; - - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - - Tcl_DStringInit(str); - - tmp = 0; /* It looks to me from looking at the library source */ - /* code for krb5_parse_name that the pointer passed into */ - /* it should be initialized to 0 if I want it do be */ - /* allocated automatically. */ - if (mask & KADM5_PRINCIPAL) { - krb5_ret = krb5_unparse_name(context, princ->principal, &tmp); - if (krb5_ret) { - /* XXX Do we want to return an error? Not sure. */ - Tcl_DStringAppendElement(str, "[unparseable principal]"); - } - else { - Tcl_DStringAppendElement(str, tmp); - free(tmp); - } - } else - Tcl_DStringAppendElement(str, "null"); - - sprintf(buf, "%d", princ->princ_expire_time); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->last_pwd_change); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->pw_expiration); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->max_life); - Tcl_DStringAppendElement(str, buf); - - tmp = 0; - if (mask & KADM5_MOD_NAME) { - if ((krb5_ret = krb5_unparse_name(context, princ->mod_name, &tmp))) { - /* XXX */ - Tcl_DStringAppendElement(str, "[unparseable principal]"); - } - else { - Tcl_DStringAppendElement(str, tmp); - free(tmp); - } - } else - Tcl_DStringAppendElement(str, "null"); - - sprintf(buf, "%d", princ->mod_date); - Tcl_DStringAppendElement(str, buf); - - if (mask & KADM5_ATTRIBUTES) { - tmp_dstring = unparse_krb5_flags(princ->attributes); - Tcl_DStringAppendElement(str, tmp_dstring->string); - Tcl_DStringFree(tmp_dstring); - free(tmp_dstring); - } else - Tcl_DStringAppendElement(str, "null"); - - sprintf(buf, "%d", princ->kvno); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->mkvno); - Tcl_DStringAppendElement(str, buf); - - /* XXX This may be dangerous, because the contents of the policy */ - /* field are undefined if the POLICY bit isn't set. However, I */ - /* think it's a bug for the field not to be null in that case */ - /* anyway, so we should assume that it will be null so that we'll */ - /* catch it if it isn't. */ - - tmp_dstring = unparse_str(princ->policy); - Tcl_DStringAppendElement(str, tmp_dstring->string); - Tcl_DStringFree(tmp_dstring); - free(tmp_dstring); - - tmp_dstring = unparse_aux_attributes(princ->aux_attributes); - Tcl_DStringAppendElement(str, tmp_dstring->string); - Tcl_DStringFree(tmp_dstring); - free(tmp_dstring); - - sprintf(buf, "%d", princ->max_renewable_life); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->last_success); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->last_failed); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->fail_auth_count); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->n_key_data); - Tcl_DStringAppendElement(str, buf); - - sprintf(buf, "%d", princ->n_tl_data); - Tcl_DStringAppendElement(str, buf); - - tmp_dstring = unparse_key_data(princ->key_data, princ->n_key_data); - Tcl_DStringAppendElement(str, tmp_dstring->string); - Tcl_DStringFree(tmp_dstring); - free(tmp_dstring); - - tmp_dstring = unparse_tl_data(princ->tl_data, princ->n_tl_data); - Tcl_DStringAppendElement(str, tmp_dstring->string); - Tcl_DStringFree(tmp_dstring); - free(tmp_dstring); - - return str; + Tcl_DString *str, *tmp_dstring; + char *tmp; + char buf[20]; + krb5_error_code krb5_ret; + + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + + Tcl_DStringInit(str); + + tmp = 0; /* It looks to me from looking at the library source */ + /* code for krb5_parse_name that the pointer passed into */ + /* it should be initialized to 0 if I want it do be */ + /* allocated automatically. */ + if (mask & KADM5_PRINCIPAL) { + krb5_ret = krb5_unparse_name(context, princ->principal, &tmp); + if (krb5_ret) { + /* XXX Do we want to return an error? Not sure. */ + Tcl_DStringAppendElement(str, "[unparseable principal]"); + } + else { + Tcl_DStringAppendElement(str, tmp); + free(tmp); + } + } else + Tcl_DStringAppendElement(str, "null"); + + sprintf(buf, "%d", princ->princ_expire_time); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->last_pwd_change); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->pw_expiration); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->max_life); + Tcl_DStringAppendElement(str, buf); + + tmp = 0; + if (mask & KADM5_MOD_NAME) { + if ((krb5_ret = krb5_unparse_name(context, princ->mod_name, &tmp))) { + /* XXX */ + Tcl_DStringAppendElement(str, "[unparseable principal]"); + } + else { + Tcl_DStringAppendElement(str, tmp); + free(tmp); + } + } else + Tcl_DStringAppendElement(str, "null"); + + sprintf(buf, "%d", princ->mod_date); + Tcl_DStringAppendElement(str, buf); + + if (mask & KADM5_ATTRIBUTES) { + tmp_dstring = unparse_krb5_flags(princ->attributes); + Tcl_DStringAppendElement(str, tmp_dstring->string); + Tcl_DStringFree(tmp_dstring); + free(tmp_dstring); + } else + Tcl_DStringAppendElement(str, "null"); + + sprintf(buf, "%d", princ->kvno); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->mkvno); + Tcl_DStringAppendElement(str, buf); + + /* XXX This may be dangerous, because the contents of the policy */ + /* field are undefined if the POLICY bit isn't set. However, I */ + /* think it's a bug for the field not to be null in that case */ + /* anyway, so we should assume that it will be null so that we'll */ + /* catch it if it isn't. */ + + tmp_dstring = unparse_str(princ->policy); + Tcl_DStringAppendElement(str, tmp_dstring->string); + Tcl_DStringFree(tmp_dstring); + free(tmp_dstring); + + tmp_dstring = unparse_aux_attributes(princ->aux_attributes); + Tcl_DStringAppendElement(str, tmp_dstring->string); + Tcl_DStringFree(tmp_dstring); + free(tmp_dstring); + + sprintf(buf, "%d", princ->max_renewable_life); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->last_success); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->last_failed); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->fail_auth_count); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->n_key_data); + Tcl_DStringAppendElement(str, buf); + + sprintf(buf, "%d", princ->n_tl_data); + Tcl_DStringAppendElement(str, buf); + + tmp_dstring = unparse_key_data(princ->key_data, princ->n_key_data); + Tcl_DStringAppendElement(str, tmp_dstring->string); + Tcl_DStringFree(tmp_dstring); + free(tmp_dstring); + + tmp_dstring = unparse_tl_data(princ->tl_data, princ->n_tl_data); + Tcl_DStringAppendElement(str, tmp_dstring->string); + Tcl_DStringFree(tmp_dstring); + free(tmp_dstring); + + return str; } static int parse_keysalts(Tcl_Interp *interp, const char *list, - krb5_key_salt_tuple **keysalts, - int num_keysalts) + krb5_key_salt_tuple **keysalts, + int num_keysalts) { - const char **argv, **argv1 = NULL; - int i, tmp, argc, argc1, retcode; - - *keysalts = NULL; - if (list == NULL) - return TCL_OK; - - if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { - return retcode; - } - if (argc != num_keysalts) { - sprintf(interp->result, "%d keysalts specified, " - "but num_keysalts is %d", argc, num_keysalts); - retcode = TCL_ERROR; - goto finished; - } - *keysalts = (krb5_key_salt_tuple *) - malloc(sizeof(krb5_key_salt_tuple)*num_keysalts); - for (i = 0; i < num_keysalts; i++) { - if ((retcode = Tcl_SplitList(interp, argv[i], &argc1, &argv1)) != - TCL_OK) { - goto finished; - } - if (argc1 != 2) { - sprintf(interp->result, "wrong # fields in keysalt " - "(%d should be 2)", argc1); - retcode = TCL_ERROR; - goto finished; - } - /* XXX this used to be argv1[1] too! */ - if ((retcode = Tcl_GetInt(interp, argv1[0], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing ks_enctype"); - retcode = TCL_ERROR; - goto finished; - } - (*keysalts)[i].ks_enctype = tmp; - if ((retcode = Tcl_GetInt(interp, argv1[1], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing ks_salttype"); - goto finished; - } - (*keysalts)[i].ks_salttype = tmp; - - Tcl_Free((char *) argv1); - argv1 = NULL; - } + const char **argv, **argv1 = NULL; + int i, tmp, argc, argc1, retcode; + + *keysalts = NULL; + if (list == NULL) + return TCL_OK; + + if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { + return retcode; + } + if (argc != num_keysalts) { + sprintf(interp->result, "%d keysalts specified, " + "but num_keysalts is %d", argc, num_keysalts); + retcode = TCL_ERROR; + goto finished; + } + *keysalts = (krb5_key_salt_tuple *) + malloc(sizeof(krb5_key_salt_tuple)*num_keysalts); + for (i = 0; i < num_keysalts; i++) { + if ((retcode = Tcl_SplitList(interp, argv[i], &argc1, &argv1)) != + TCL_OK) { + goto finished; + } + if (argc1 != 2) { + sprintf(interp->result, "wrong # fields in keysalt " + "(%d should be 2)", argc1); + retcode = TCL_ERROR; + goto finished; + } + /* XXX this used to be argv1[1] too! */ + if ((retcode = Tcl_GetInt(interp, argv1[0], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing ks_enctype"); + retcode = TCL_ERROR; + goto finished; + } + (*keysalts)[i].ks_enctype = tmp; + if ((retcode = Tcl_GetInt(interp, argv1[1], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing ks_salttype"); + goto finished; + } + (*keysalts)[i].ks_salttype = tmp; + + Tcl_Free((char *) argv1); + argv1 = NULL; + } finished: - if (argv1) { - Tcl_Free((char *) argv1); - } - Tcl_Free((char *) argv); - return retcode; + if (argv1) { + Tcl_Free((char *) argv1); + } + Tcl_Free((char *) argv); + return retcode; } static int parse_key_data(Tcl_Interp *interp, const char *list, - krb5_key_data **key_data, - int n_key_data) + krb5_key_data **key_data, + int n_key_data) { - const char **argv; - int argc, retcode; - - *key_data = NULL; - if (list == NULL) { - if (n_key_data != 0) { - sprintf(interp->result, "0 key_datas specified, " - "but n_key_data is %d", n_key_data); - retcode = TCL_ERROR; - goto finished; - } else - return TCL_OK; - } - - if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { - return retcode; - } - if (argc != n_key_data) { - sprintf(interp->result, "%d key_datas specified, " - "but n_key_data is %d", argc, n_key_data); - retcode = TCL_ERROR; - goto finished; - } - - if (argc != 0) { - sprintf(interp->result, "cannot parse key_data yet"); - retcode = TCL_ERROR; - goto finished; - } + const char **argv; + int argc, retcode; + + *key_data = NULL; + if (list == NULL) { + if (n_key_data != 0) { + sprintf(interp->result, "0 key_datas specified, " + "but n_key_data is %d", n_key_data); + retcode = TCL_ERROR; + goto finished; + } else + return TCL_OK; + } + + if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { + return retcode; + } + if (argc != n_key_data) { + sprintf(interp->result, "%d key_datas specified, " + "but n_key_data is %d", argc, n_key_data); + retcode = TCL_ERROR; + goto finished; + } + + if (argc != 0) { + sprintf(interp->result, "cannot parse key_data yet"); + retcode = TCL_ERROR; + goto finished; + } finished: - Tcl_Free((char *) argv); - return retcode; + Tcl_Free((char *) argv); + return retcode; } static int parse_tl_data(Tcl_Interp *interp, const char *list, - krb5_tl_data **tlp, - int n_tl_data) + krb5_tl_data **tlp, + int n_tl_data) { - krb5_tl_data *tl, *tl2; - const char **argv, **argv1 = NULL; - int i, tmp, argc, argc1, retcode; - - *tlp = NULL; - if (list == NULL) { - if (n_tl_data != 0) { - sprintf(interp->result, "0 tl_datas specified, " - "but n_tl_data is %d", n_tl_data); - retcode = TCL_ERROR; - goto finished; - } else - return TCL_OK; - } - - if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { - return retcode; - } - if (argc != n_tl_data) { - sprintf(interp->result, "%d tl_datas specified, " - "but n_tl_data is %d", argc, n_tl_data); - retcode = TCL_ERROR; - goto finished; - } - - tl = tl2 = NULL; - for (i = 0; i < n_tl_data; i++) { - tl2 = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)); - memset(tl2, 0, sizeof(krb5_tl_data)); - tl2->tl_data_next = tl; - tl = tl2; - } - tl2 = tl; - - for (i = 0; i < n_tl_data; i++) { - if ((retcode = Tcl_SplitList(interp, argv[i], &argc1, &argv1)) != - TCL_OK) { - goto finished; - } - if (argc1 != 3) { - sprintf(interp->result, "wrong # fields in tl_data " - "(%d should be 3)", argc1); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = Tcl_GetInt(interp, argv1[0], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing tl_data_type"); - retcode = TCL_ERROR; - goto finished; - } - tl->tl_data_type = tmp; - if ((retcode = Tcl_GetInt(interp, argv1[1], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing tl_data_length"); - retcode = TCL_ERROR; - goto finished; - } - tl->tl_data_length = tmp; - if (tl->tl_data_length != strlen(argv1[2])) { - sprintf(interp->result, "specified length %d does not " - "match length %lu of string \"%s\"", tmp, - (unsigned long) strlen(argv1[2]), argv1[2]); - retcode = TCL_ERROR; - goto finished; - } - tl->tl_data_contents = (krb5_octet *) strdup(argv1[2]); - - Tcl_Free((char *) argv1); - argv1 = NULL; - tl = tl->tl_data_next; - } - if (tl != NULL) { - sprintf(interp->result, "tl is not NULL!"); - retcode = TCL_ERROR; - goto finished; - } - *tlp = tl2; + krb5_tl_data *tl, *tl2; + const char **argv, **argv1 = NULL; + int i, tmp, argc, argc1, retcode; + + *tlp = NULL; + if (list == NULL) { + if (n_tl_data != 0) { + sprintf(interp->result, "0 tl_datas specified, " + "but n_tl_data is %d", n_tl_data); + retcode = TCL_ERROR; + goto finished; + } else + return TCL_OK; + } + + if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { + return retcode; + } + if (argc != n_tl_data) { + sprintf(interp->result, "%d tl_datas specified, " + "but n_tl_data is %d", argc, n_tl_data); + retcode = TCL_ERROR; + goto finished; + } + + tl = tl2 = NULL; + for (i = 0; i < n_tl_data; i++) { + tl2 = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)); + memset(tl2, 0, sizeof(krb5_tl_data)); + tl2->tl_data_next = tl; + tl = tl2; + } + tl2 = tl; + + for (i = 0; i < n_tl_data; i++) { + if ((retcode = Tcl_SplitList(interp, argv[i], &argc1, &argv1)) != + TCL_OK) { + goto finished; + } + if (argc1 != 3) { + sprintf(interp->result, "wrong # fields in tl_data " + "(%d should be 3)", argc1); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = Tcl_GetInt(interp, argv1[0], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing tl_data_type"); + retcode = TCL_ERROR; + goto finished; + } + tl->tl_data_type = tmp; + if ((retcode = Tcl_GetInt(interp, argv1[1], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing tl_data_length"); + retcode = TCL_ERROR; + goto finished; + } + tl->tl_data_length = tmp; + if (tl->tl_data_length != strlen(argv1[2])) { + sprintf(interp->result, "specified length %d does not " + "match length %lu of string \"%s\"", tmp, + (unsigned long) strlen(argv1[2]), argv1[2]); + retcode = TCL_ERROR; + goto finished; + } + tl->tl_data_contents = (krb5_octet *) strdup(argv1[2]); + + Tcl_Free((char *) argv1); + argv1 = NULL; + tl = tl->tl_data_next; + } + if (tl != NULL) { + sprintf(interp->result, "tl is not NULL!"); + retcode = TCL_ERROR; + goto finished; + } + *tlp = tl2; finished: - if (argv1) { - Tcl_Free((char *) argv1); - } - Tcl_Free((char *) argv); - return retcode; + if (argv1) { + Tcl_Free((char *) argv1); + } + Tcl_Free((char *) argv); + return retcode; } static int parse_config_params(Tcl_Interp *interp, char *list, - kadm5_config_params *params) + kadm5_config_params *params) { - static Tcl_HashTable *table = 0; - const char **argv = NULL; - int tmp, argc, retcode; - - memset(params, 0, sizeof(kadm5_config_params)); - if (list == NULL) - return TCL_OK; - - if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { - return retcode; - } - - if (argc != 20) { - sprintf(interp->result, - "wrong # args in config params structure (%d should be 20)", - argc); - retcode = TCL_ERROR; - goto finished; - } - - if ((retcode = parse_flags(interp, table, config_mask_flags, - sizeof(config_mask_flags) / - sizeof(struct flagval), - argv[0], &tmp)) != TCL_OK) { - goto finished; - } - params->mask = tmp; - - if ((retcode = parse_str(interp, argv[1], ¶ms->realm)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing realm name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = Tcl_GetInt(interp, argv[2], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing kadmind_port"); - retcode = TCL_ERROR; - goto finished; - } - params->kadmind_port = tmp; - if ((retcode = parse_str(interp, argv[3], ¶ms->admin_server)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing profile name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = parse_str(interp, argv[4], ¶ms->dbname)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing profile name"); - retcode = TCL_ERROR; - goto finished; - } - /* Ignore argv[5], which used to set the admin_dbname field. */ - /* Ignore argv[6], which used to set the admin_lockfile field. */ - if ((retcode = parse_str(interp, argv[7], ¶ms->admin_keytab)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing admin_keytab name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = parse_str(interp, argv[8], ¶ms->acl_file)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing acl_file name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = parse_str(interp, argv[9], ¶ms->dict_file)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing dict_file name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = Tcl_GetInt(interp, argv[10], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing mkey_from_kbd"); - retcode = TCL_ERROR; - goto finished; - } - params->mkey_from_kbd = tmp; - if ((retcode = parse_str(interp, argv[11], ¶ms->stash_file)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing stash_file name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = parse_str(interp, argv[12], ¶ms->mkey_name)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing mkey_name name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = Tcl_GetInt(interp, argv[13], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing enctype"); - retcode = TCL_ERROR; - goto finished; - } - params->enctype = tmp; - if ((retcode = Tcl_GetInt(interp, argv[14], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing max_life"); - retcode = TCL_ERROR; - goto finished; - } - params->max_life = tmp; - if ((retcode = Tcl_GetInt(interp, argv[15], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing max_rlife"); - retcode = TCL_ERROR; - goto finished; - } - params->max_rlife = tmp; - if ((retcode = Tcl_GetInt(interp, argv[16], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing expiration"); - retcode = TCL_ERROR; - goto finished; - } - params->expiration = tmp; - if ((retcode = parse_krb5_flags(interp, argv[17], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing flags"); - retcode = TCL_ERROR; - goto finished; - } - params->flags = tmp; - if ((retcode = Tcl_GetInt(interp, argv[18], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing num_keysalts"); - retcode = TCL_ERROR; - goto finished; - } - params->num_keysalts = tmp; - if ((retcode = parse_keysalts(interp, argv[19], ¶ms->keysalts, - params->num_keysalts)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing keysalts"); - retcode = TCL_ERROR; - goto finished; - } + static Tcl_HashTable *table = 0; + const char **argv = NULL; + int tmp, argc, retcode; + + memset(params, 0, sizeof(kadm5_config_params)); + if (list == NULL) + return TCL_OK; + + if ((retcode = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { + return retcode; + } + + if (argc != 20) { + sprintf(interp->result, + "wrong # args in config params structure (%d should be 20)", + argc); + retcode = TCL_ERROR; + goto finished; + } + + if ((retcode = parse_flags(interp, table, config_mask_flags, + sizeof(config_mask_flags) / + sizeof(struct flagval), + argv[0], &tmp)) != TCL_OK) { + goto finished; + } + params->mask = tmp; + + if ((retcode = parse_str(interp, argv[1], ¶ms->realm)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing realm name"); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = Tcl_GetInt(interp, argv[2], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing kadmind_port"); + retcode = TCL_ERROR; + goto finished; + } + params->kadmind_port = tmp; + if ((retcode = parse_str(interp, argv[3], ¶ms->admin_server)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing profile name"); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = parse_str(interp, argv[4], ¶ms->dbname)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing profile name"); + retcode = TCL_ERROR; + goto finished; + } + /* Ignore argv[5], which used to set the admin_dbname field. */ + /* Ignore argv[6], which used to set the admin_lockfile field. */ + if ((retcode = parse_str(interp, argv[7], ¶ms->admin_keytab)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing admin_keytab name"); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = parse_str(interp, argv[8], ¶ms->acl_file)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing acl_file name"); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = parse_str(interp, argv[9], ¶ms->dict_file)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing dict_file name"); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = Tcl_GetInt(interp, argv[10], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing mkey_from_kbd"); + retcode = TCL_ERROR; + goto finished; + } + params->mkey_from_kbd = tmp; + if ((retcode = parse_str(interp, argv[11], ¶ms->stash_file)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing stash_file name"); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = parse_str(interp, argv[12], ¶ms->mkey_name)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing mkey_name name"); + retcode = TCL_ERROR; + goto finished; + } + if ((retcode = Tcl_GetInt(interp, argv[13], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing enctype"); + retcode = TCL_ERROR; + goto finished; + } + params->enctype = tmp; + if ((retcode = Tcl_GetInt(interp, argv[14], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing max_life"); + retcode = TCL_ERROR; + goto finished; + } + params->max_life = tmp; + if ((retcode = Tcl_GetInt(interp, argv[15], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing max_rlife"); + retcode = TCL_ERROR; + goto finished; + } + params->max_rlife = tmp; + if ((retcode = Tcl_GetInt(interp, argv[16], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing expiration"); + retcode = TCL_ERROR; + goto finished; + } + params->expiration = tmp; + if ((retcode = parse_krb5_flags(interp, argv[17], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing flags"); + retcode = TCL_ERROR; + goto finished; + } + params->flags = tmp; + if ((retcode = Tcl_GetInt(interp, argv[18], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing num_keysalts"); + retcode = TCL_ERROR; + goto finished; + } + params->num_keysalts = tmp; + if ((retcode = parse_keysalts(interp, argv[19], ¶ms->keysalts, + params->num_keysalts)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing keysalts"); + retcode = TCL_ERROR; + goto finished; + } finished: - return retcode; + return retcode; } - + static int parse_principal_ent(Tcl_Interp *interp, char *list, - kadm5_principal_ent_t *out_princ) + kadm5_principal_ent_t *out_princ) { - kadm5_principal_ent_t princ = 0; - krb5_error_code krb5_ret; - int tcl_ret; - int argc; - const char **argv; - int tmp; - int retcode = TCL_OK; - - if ((tcl_ret = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { - return tcl_ret; - } - - if (argc != 12 && argc != 20) { - sprintf(interp->result, - "wrong # args in principal structure (%d should be 12 or 20)", - argc); - retcode = TCL_ERROR; - goto finished; - } - - if (! (princ = malloc(sizeof *princ))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - memset(princ, 0, sizeof(*princ)); - - if ((krb5_ret = krb5_parse_name(context, argv[0], &princ->principal)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing principal"); - retcode = TCL_ERROR; - goto finished; - } - - /* - * All of the numerical values parsed here are parsed into an - * "int" and then assigned into the structure in case the actual - * width of the field in the Kerberos structure is different from - * the width of an integer. - */ - - if ((tcl_ret = Tcl_GetInt(interp, argv[1], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing princ_expire_time"); - retcode = TCL_ERROR; - goto finished; - } - princ->princ_expire_time = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[2], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing last_pwd_change"); - retcode = TCL_ERROR; - goto finished; - } - princ->last_pwd_change = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[3], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_expiration"); - retcode = TCL_ERROR; - goto finished; - } - princ->pw_expiration = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[4], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing max_life"); - retcode = TCL_ERROR; - goto finished; - } - princ->max_life = tmp; - - if ((krb5_ret = krb5_parse_name(context, argv[5], &princ->mod_name)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing mod_name"); - retcode = TCL_ERROR; - goto finished; - } - - if ((tcl_ret = Tcl_GetInt(interp, argv[6], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing mod_date"); - retcode = TCL_ERROR; - goto finished; - } - princ->mod_date = tmp; - - if ((tcl_ret = parse_krb5_flags(interp, argv[7], &princ->attributes)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing attributes"); - retcode = TCL_ERROR; - goto finished; - } - - if ((tcl_ret = Tcl_GetInt(interp, argv[8], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing kvno"); - retcode = TCL_ERROR; - goto finished; - } - princ->kvno = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[9], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing mkvno"); - retcode = TCL_ERROR; - goto finished; - } - princ->mkvno = tmp; - - if ((tcl_ret = parse_str(interp, argv[10], &princ->policy)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing policy"); - retcode = TCL_ERROR; - goto finished; - } - if(princ->policy != NULL) { - if(!(princ->policy = strdup(princ->policy))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); - } - } - - if ((tcl_ret = parse_aux_attributes(interp, argv[11], - &princ->aux_attributes)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing aux_attributes"); - retcode = TCL_ERROR; - goto finished; - } - - if (argc == 12) goto finished; - - if ((tcl_ret = Tcl_GetInt(interp, argv[12], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing max_renewable_life"); - retcode = TCL_ERROR; - goto finished; - } - princ->max_renewable_life = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[13], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing last_success"); - retcode = TCL_ERROR; - goto finished; - } - princ->last_success = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[14], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing last_failed"); - retcode = TCL_ERROR; - goto finished; - } - princ->last_failed = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[15], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing fail_auth_count"); - retcode = TCL_ERROR; - goto finished; - } - princ->fail_auth_count = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[16], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing n_key_data"); - retcode = TCL_ERROR; - goto finished; - } - princ->n_key_data = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[17], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing n_tl_data"); - retcode = TCL_ERROR; - goto finished; - } - princ->n_tl_data = tmp; - - if ((tcl_ret = parse_key_data(interp, argv[18], - &princ->key_data, - princ->n_key_data)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing key_data"); - retcode = TCL_ERROR; - goto finished; - } - - if ((tcl_ret = parse_tl_data(interp, argv[19], - &princ->tl_data, - princ->n_tl_data)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing tl_data"); - retcode = TCL_ERROR; - goto finished; - } - princ->n_tl_data = tmp; + kadm5_principal_ent_t princ = 0; + krb5_error_code krb5_ret; + int tcl_ret; + int argc; + const char **argv; + int tmp; + int retcode = TCL_OK; + + if ((tcl_ret = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { + return tcl_ret; + } + + if (argc != 12 && argc != 20) { + sprintf(interp->result, + "wrong # args in principal structure (%d should be 12 or 20)", + argc); + retcode = TCL_ERROR; + goto finished; + } + + if (! (princ = malloc(sizeof *princ))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + memset(princ, 0, sizeof(*princ)); + + if ((krb5_ret = krb5_parse_name(context, argv[0], &princ->principal)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing principal"); + retcode = TCL_ERROR; + goto finished; + } + + /* + * All of the numerical values parsed here are parsed into an + * "int" and then assigned into the structure in case the actual + * width of the field in the Kerberos structure is different from + * the width of an integer. + */ + + if ((tcl_ret = Tcl_GetInt(interp, argv[1], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing princ_expire_time"); + retcode = TCL_ERROR; + goto finished; + } + princ->princ_expire_time = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[2], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing last_pwd_change"); + retcode = TCL_ERROR; + goto finished; + } + princ->last_pwd_change = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[3], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_expiration"); + retcode = TCL_ERROR; + goto finished; + } + princ->pw_expiration = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[4], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing max_life"); + retcode = TCL_ERROR; + goto finished; + } + princ->max_life = tmp; + + if ((krb5_ret = krb5_parse_name(context, argv[5], &princ->mod_name)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing mod_name"); + retcode = TCL_ERROR; + goto finished; + } + + if ((tcl_ret = Tcl_GetInt(interp, argv[6], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing mod_date"); + retcode = TCL_ERROR; + goto finished; + } + princ->mod_date = tmp; + + if ((tcl_ret = parse_krb5_flags(interp, argv[7], &princ->attributes)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing attributes"); + retcode = TCL_ERROR; + goto finished; + } + + if ((tcl_ret = Tcl_GetInt(interp, argv[8], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing kvno"); + retcode = TCL_ERROR; + goto finished; + } + princ->kvno = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[9], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing mkvno"); + retcode = TCL_ERROR; + goto finished; + } + princ->mkvno = tmp; + + if ((tcl_ret = parse_str(interp, argv[10], &princ->policy)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing policy"); + retcode = TCL_ERROR; + goto finished; + } + if(princ->policy != NULL) { + if(!(princ->policy = strdup(princ->policy))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); + } + } + + if ((tcl_ret = parse_aux_attributes(interp, argv[11], + &princ->aux_attributes)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing aux_attributes"); + retcode = TCL_ERROR; + goto finished; + } + + if (argc == 12) goto finished; + + if ((tcl_ret = Tcl_GetInt(interp, argv[12], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing max_renewable_life"); + retcode = TCL_ERROR; + goto finished; + } + princ->max_renewable_life = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[13], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing last_success"); + retcode = TCL_ERROR; + goto finished; + } + princ->last_success = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[14], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing last_failed"); + retcode = TCL_ERROR; + goto finished; + } + princ->last_failed = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[15], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing fail_auth_count"); + retcode = TCL_ERROR; + goto finished; + } + princ->fail_auth_count = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[16], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing n_key_data"); + retcode = TCL_ERROR; + goto finished; + } + princ->n_key_data = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[17], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing n_tl_data"); + retcode = TCL_ERROR; + goto finished; + } + princ->n_tl_data = tmp; + + if ((tcl_ret = parse_key_data(interp, argv[18], + &princ->key_data, + princ->n_key_data)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing key_data"); + retcode = TCL_ERROR; + goto finished; + } + + if ((tcl_ret = parse_tl_data(interp, argv[19], + &princ->tl_data, + princ->n_tl_data)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing tl_data"); + retcode = TCL_ERROR; + goto finished; + } + princ->n_tl_data = tmp; finished: - Tcl_Free((char *) argv); - *out_princ = princ; - return retcode; + Tcl_Free((char *) argv); + *out_princ = princ; + return retcode; } static void free_principal_ent(kadm5_principal_ent_t *princ) { - krb5_free_principal(context, (*princ)->principal); - krb5_free_principal(context, (*princ)->mod_name); - free(*princ); - *princ = 0; + krb5_free_principal(context, (*princ)->principal); + krb5_free_principal(context, (*princ)->mod_name); + free(*princ); + *princ = 0; } static Tcl_DString *unparse_policy_ent(kadm5_policy_ent_t policy) { - Tcl_DString *str, *tmp_dstring; - char buf[20]; + Tcl_DString *str, *tmp_dstring; + char buf[20]; + + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } + Tcl_DStringInit(str); - Tcl_DStringInit(str); + tmp_dstring = unparse_str(policy->policy); + Tcl_DStringAppendElement(str, tmp_dstring->string); + Tcl_DStringFree(tmp_dstring); + free(tmp_dstring); - tmp_dstring = unparse_str(policy->policy); - Tcl_DStringAppendElement(str, tmp_dstring->string); - Tcl_DStringFree(tmp_dstring); - free(tmp_dstring); - - sprintf(buf, "%ld", policy->pw_min_life); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%ld", policy->pw_min_life); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%ld", policy->pw_max_life); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%ld", policy->pw_max_life); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%ld", policy->pw_min_length); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%ld", policy->pw_min_length); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%ld", policy->pw_min_classes); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%ld", policy->pw_min_classes); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%ld", policy->pw_history_num); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%ld", policy->pw_history_num); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%ld", policy->policy_refcnt); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%ld", policy->policy_refcnt); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", policy->pw_max_fail); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%d", policy->pw_max_fail); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", policy->pw_failcnt_interval); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%d", policy->pw_failcnt_interval); + Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", policy->pw_lockout_duration); - Tcl_DStringAppendElement(str, buf); + sprintf(buf, "%d", policy->pw_lockout_duration); + Tcl_DStringAppendElement(str, buf); - return str; + return str; } - - + + static int parse_policy_ent(Tcl_Interp *interp, char *list, - kadm5_policy_ent_t *out_policy) + kadm5_policy_ent_t *out_policy) { - kadm5_policy_ent_t policy = 0; - int tcl_ret; - int argc; - const char **argv; - int tmp; - int retcode = TCL_OK; - - if ((tcl_ret = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { - return tcl_ret; - } - - if (argc != 7 && argc != 10) { - sprintf(interp->result, "wrong # args in policy structure (%d should be 7 or 10)", - argc); - retcode = TCL_ERROR; - goto finished; - } - - if (! (policy = malloc(sizeof *policy))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - - if ((tcl_ret = parse_str(interp, argv[0], &policy->policy)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing policy name"); - retcode = TCL_ERROR; - goto finished; - } - - if(policy->policy != NULL) { - if (! (policy->policy = strdup(policy->policy))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - } - - /* - * All of the numerical values parsed here are parsed into an - * "int" and then assigned into the structure in case the actual - * width of the field in the Kerberos structure is different from - * the width of an integer. - */ - - if ((tcl_ret = Tcl_GetInt(interp, argv[1], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_min_life"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_min_life = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[2], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_max_life"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_max_life = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[3], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_min_length"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_min_length = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[4], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_min_classes"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_min_classes = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[5], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_history_num"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_history_num = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[6], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing policy_refcnt"); - retcode = TCL_ERROR; - goto finished; - } - policy->policy_refcnt = tmp; - - if (argc == 7) goto finished; - - if ((tcl_ret = Tcl_GetInt(interp, argv[7], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_max_fail"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_max_fail = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[8], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_failcnt_interval"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_failcnt_interval = tmp; - - if ((tcl_ret = Tcl_GetInt(interp, argv[9], &tmp)) - != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_lockout_duration"); - retcode = TCL_ERROR; - goto finished; - } - policy->pw_lockout_duration = tmp; + kadm5_policy_ent_t policy = 0; + int tcl_ret; + int argc; + const char **argv; + int tmp; + int retcode = TCL_OK; + + if ((tcl_ret = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) { + return tcl_ret; + } + + if (argc != 7 && argc != 10) { + sprintf(interp->result, "wrong # args in policy structure (%d should be 7 or 10)", + argc); + retcode = TCL_ERROR; + goto finished; + } + + if (! (policy = malloc(sizeof *policy))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + + if ((tcl_ret = parse_str(interp, argv[0], &policy->policy)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing policy name"); + retcode = TCL_ERROR; + goto finished; + } + + if(policy->policy != NULL) { + if (! (policy->policy = strdup(policy->policy))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + } + + /* + * All of the numerical values parsed here are parsed into an + * "int" and then assigned into the structure in case the actual + * width of the field in the Kerberos structure is different from + * the width of an integer. + */ + + if ((tcl_ret = Tcl_GetInt(interp, argv[1], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_min_life"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_min_life = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[2], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_max_life"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_max_life = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[3], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_min_length"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_min_length = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[4], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_min_classes"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_min_classes = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[5], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_history_num"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_history_num = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[6], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing policy_refcnt"); + retcode = TCL_ERROR; + goto finished; + } + policy->policy_refcnt = tmp; + + if (argc == 7) goto finished; + + if ((tcl_ret = Tcl_GetInt(interp, argv[7], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_max_fail"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_max_fail = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[8], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_failcnt_interval"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_failcnt_interval = tmp; + + if ((tcl_ret = Tcl_GetInt(interp, argv[9], &tmp)) + != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_lockout_duration"); + retcode = TCL_ERROR; + goto finished; + } + policy->pw_lockout_duration = tmp; finished: - Tcl_Free((char *) argv); - *out_policy = policy; - return retcode; + Tcl_Free((char *) argv); + *out_policy = policy; + return retcode; } static void free_policy_ent(kadm5_policy_ent_t *policy) { - free(*policy); - *policy = 0; + free(*policy); + *policy = 0; } static Tcl_DString *unparse_keytype(krb5_enctype enctype) { - Tcl_DString *str; - char buf[50]; - - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - - Tcl_DStringInit(str); - - switch (enctype) { - /* XXX is this right? */ - case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break; - case ENCTYPE_DES_CBC_CRC: - Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break; - default: - sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype); - Tcl_DStringAppend(str, buf, -1); - break; - } - - return str; + Tcl_DString *str; + char buf[50]; + + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + + Tcl_DStringInit(str); + + switch (enctype) { + /* XXX is this right? */ + case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break; + case ENCTYPE_DES_CBC_CRC: + Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break; + default: + sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype); + Tcl_DStringAppend(str, buf, -1); + break; + } + + return str; } - - + + static Tcl_DString *unparse_keyblocks(krb5_keyblock *keyblocks, int num_keys) { - Tcl_DString *str; - Tcl_DString *keytype; - int i, j; - - if (! (str = malloc(sizeof(*str)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - - Tcl_DStringInit(str); - - for (j = 0; j < num_keys; j++) { - krb5_keyblock *keyblock = &keyblocks[j]; - - Tcl_DStringStartSublist(str); - - keytype = unparse_keytype(keyblock->enctype); - Tcl_DStringAppendElement(str, keytype->string); - Tcl_DStringFree(keytype); - free(keytype); - if (keyblock->length == 0) { - Tcl_DStringAppendElement(str, "0x00"); - } - else { - Tcl_DStringAppendElement(str, "0x"); - for (i = 0; i < keyblock->length; i++) { - char buf[3]; - sprintf(buf, "%02x", (int) keyblock->contents[i]); - Tcl_DStringAppend(str, buf, -1); - } - } - - Tcl_DStringEndSublist(str); - } - - - return str; + Tcl_DString *str; + Tcl_DString *keytype; + int i, j; + + if (! (str = malloc(sizeof(*str)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + + Tcl_DStringInit(str); + + for (j = 0; j < num_keys; j++) { + krb5_keyblock *keyblock = &keyblocks[j]; + + Tcl_DStringStartSublist(str); + + keytype = unparse_keytype(keyblock->enctype); + Tcl_DStringAppendElement(str, keytype->string); + Tcl_DStringFree(keytype); + free(keytype); + if (keyblock->length == 0) { + Tcl_DStringAppendElement(str, "0x00"); + } + else { + Tcl_DStringAppendElement(str, "0x"); + for (i = 0; i < keyblock->length; i++) { + char buf[3]; + sprintf(buf, "%02x", (int) keyblock->contents[i]); + Tcl_DStringAppend(str, buf, -1); + } + } + + Tcl_DStringEndSublist(str); + } + + + return str; } enum init_type { INIT_NONE, INIT_PASS, INIT_CREDS }; - + static int _tcl_kadm5_init_any(enum init_type init_type, ClientData clientData, - Tcl_Interp *interp, int argc, const char *argv[]) + Tcl_Interp *interp, int argc, const char *argv[]) { - kadm5_ret_t ret; - char *client_name, *pass, *service_name; - int tcl_ret; - krb5_ui_4 struct_version, api_version; - const char *handle_var; - void *server_handle; - char *handle_name, *params_str; - const char *whoami = argv[0]; - kadm5_config_params params; - - argv++, argc--; - - kadm5_init_krb5_context(&context); - - if (argc != 7) { - Tcl_AppendResult(interp, whoami, ": ", arg_error, 0); - return TCL_ERROR; - } - - if (((tcl_ret = parse_str(interp, argv[0], &client_name)) != TCL_OK) || - ((tcl_ret = parse_str(interp, argv[1], &pass)) != TCL_OK) || - ((tcl_ret = parse_str(interp, argv[2], &service_name)) != TCL_OK) || - ((tcl_ret = parse_str(interp, argv[3], ¶ms_str)) != TCL_OK) || - ((tcl_ret = parse_config_params(interp, params_str, ¶ms)) - != TCL_OK) || - ((tcl_ret = Tcl_GetInt(interp, argv[4], (int *) &struct_version)) != - TCL_OK) || - ((tcl_ret = Tcl_GetInt(interp, argv[5], (int *) &api_version)) != - TCL_OK)) { - return tcl_ret; - } - - handle_var = argv[6]; - - if (! (handle_var && *handle_var)) { - Tcl_SetResult(interp, "must specify server handle variable name", - TCL_STATIC); - return TCL_ERROR; - } - - if (init_type == INIT_CREDS) { - krb5_ccache cc; - - if (pass == NULL) { - if ((ret = krb5_cc_default(context, &cc))) { - stash_error(interp, ret); - return TCL_ERROR; - } - } else { - if ((ret = krb5_cc_resolve(context, pass, &cc))) { - stash_error(interp, ret); - return TCL_ERROR; - } - } - - ret = kadm5_init_with_creds(context, client_name, cc, service_name, - ¶ms, struct_version, - api_version, NULL, &server_handle); - - (void) krb5_cc_close(context, cc); - } else - ret = kadm5_init(context, client_name, pass, service_name, ¶ms, - struct_version, api_version, NULL, &server_handle); - - if (ret != KADM5_OK) { - stash_error(interp, ret); - return TCL_ERROR; - } - - if ((tcl_ret = put_server_handle(interp, server_handle, &handle_name)) - != TCL_OK) { - return tcl_ret; - } - - if (! Tcl_SetVar(interp, handle_var, handle_name, TCL_LEAVE_ERR_MSG)) { - return TCL_ERROR; - } - - set_ok(interp, "KADM5 API initialized."); - return TCL_OK; + kadm5_ret_t ret; + char *client_name, *pass, *service_name; + int tcl_ret; + krb5_ui_4 struct_version, api_version; + const char *handle_var; + void *server_handle; + char *handle_name, *params_str; + const char *whoami = argv[0]; + kadm5_config_params params; + + argv++, argc--; + + kadm5_init_krb5_context(&context); + + if (argc != 7) { + Tcl_AppendResult(interp, whoami, ": ", arg_error, 0); + return TCL_ERROR; + } + + if (((tcl_ret = parse_str(interp, argv[0], &client_name)) != TCL_OK) || + ((tcl_ret = parse_str(interp, argv[1], &pass)) != TCL_OK) || + ((tcl_ret = parse_str(interp, argv[2], &service_name)) != TCL_OK) || + ((tcl_ret = parse_str(interp, argv[3], ¶ms_str)) != TCL_OK) || + ((tcl_ret = parse_config_params(interp, params_str, ¶ms)) + != TCL_OK) || + ((tcl_ret = Tcl_GetInt(interp, argv[4], (int *) &struct_version)) != + TCL_OK) || + ((tcl_ret = Tcl_GetInt(interp, argv[5], (int *) &api_version)) != + TCL_OK)) { + return tcl_ret; + } + + handle_var = argv[6]; + + if (! (handle_var && *handle_var)) { + Tcl_SetResult(interp, "must specify server handle variable name", + TCL_STATIC); + return TCL_ERROR; + } + + if (init_type == INIT_CREDS) { + krb5_ccache cc; + + if (pass == NULL) { + if ((ret = krb5_cc_default(context, &cc))) { + stash_error(interp, ret); + return TCL_ERROR; + } + } else { + if ((ret = krb5_cc_resolve(context, pass, &cc))) { + stash_error(interp, ret); + return TCL_ERROR; + } + } + + ret = kadm5_init_with_creds(context, client_name, cc, service_name, + ¶ms, struct_version, + api_version, NULL, &server_handle); + + (void) krb5_cc_close(context, cc); + } else + ret = kadm5_init(context, client_name, pass, service_name, ¶ms, + struct_version, api_version, NULL, &server_handle); + + if (ret != KADM5_OK) { + stash_error(interp, ret); + return TCL_ERROR; + } + + if ((tcl_ret = put_server_handle(interp, server_handle, &handle_name)) + != TCL_OK) { + return tcl_ret; + } + + if (! Tcl_SetVar(interp, handle_var, handle_name, TCL_LEAVE_ERR_MSG)) { + return TCL_ERROR; + } + + set_ok(interp, "KADM5 API initialized."); + return TCL_OK; } static int tcl_kadm5_init(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - return _tcl_kadm5_init_any(INIT_PASS, clientData, interp, argc, argv); + return _tcl_kadm5_init_any(INIT_PASS, clientData, interp, argc, argv); } static int tcl_kadm5_init_with_creds(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - return _tcl_kadm5_init_any(INIT_CREDS, clientData, interp, argc, argv); + return _tcl_kadm5_init_any(INIT_CREDS, clientData, interp, argc, argv); } static int tcl_kadm5_destroy(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - kadm5_ret_t ret; - int tcl_ret; + kadm5_ret_t ret; + int tcl_ret; + + GET_HANDLE(0, 0); - GET_HANDLE(0, 0); + ret = kadm5_destroy(server_handle); - ret = kadm5_destroy(server_handle); + if (ret != KADM5_OK) { + stash_error(interp, ret); + return TCL_ERROR; + } - if (ret != KADM5_OK) { - stash_error(interp, ret); - return TCL_ERROR; - } + if ((tcl_ret = remove_server_handle(interp, argv[-1])) != TCL_OK) { + return tcl_ret; + } - if ((tcl_ret = remove_server_handle(interp, argv[-1])) != TCL_OK) { - return tcl_ret; - } - - set_ok(interp, "KADM5 API deinitialized."); - return TCL_OK; -} + set_ok(interp, "KADM5 API deinitialized."); + return TCL_OK; +} -static int tcl_kadm5_create_principal(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) +static int tcl_kadm5_create_principal(ClientData clientData, + Tcl_Interp *interp, + int argc, const char *argv[]) { - int tcl_ret; - kadm5_ret_t ret; - int retcode = TCL_OK; - char *princ_string; - kadm5_principal_ent_t princ = 0; - krb5_int32 mask; - char *pw; -#ifdef OVERRIDE - int override_qual; -#endif - - GET_HANDLE(3, 0); - - if ((tcl_ret = parse_str(interp, argv[0], &princ_string)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing principal"); - return tcl_ret; - } - - if (princ_string && - ((tcl_ret = parse_principal_ent(interp, princ_string, &princ)) - != TCL_OK)) { - return tcl_ret; - } - - if ((tcl_ret = parse_principal_mask(interp, argv[1], &mask)) != TCL_OK) { - retcode = tcl_ret; - goto finished; - } - - if ((tcl_ret = parse_str(interp, argv[2], &pw)) != TCL_OK) { - retcode = tcl_ret; - goto finished; - } + int tcl_ret; + kadm5_ret_t ret; + int retcode = TCL_OK; + char *princ_string; + kadm5_principal_ent_t princ = 0; + krb5_int32 mask; + char *pw; +#ifdef OVERRIDE + int override_qual; +#endif + + GET_HANDLE(3, 0); + + if ((tcl_ret = parse_str(interp, argv[0], &princ_string)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing principal"); + return tcl_ret; + } + + if (princ_string && + ((tcl_ret = parse_principal_ent(interp, princ_string, &princ)) + != TCL_OK)) { + return tcl_ret; + } + + if ((tcl_ret = parse_principal_mask(interp, argv[1], &mask)) != TCL_OK) { + retcode = tcl_ret; + goto finished; + } + + if ((tcl_ret = parse_str(interp, argv[2], &pw)) != TCL_OK) { + retcode = tcl_ret; + goto finished; + } #ifdef OVERRIDE - if ((tcl_ret = Tcl_GetBoolean(interp, argv[3], &override_qual)) != - TCL_OK) { - retcode = tcl_ret; - goto finished; - } -#endif + if ((tcl_ret = Tcl_GetBoolean(interp, argv[3], &override_qual)) != + TCL_OK) { + retcode = tcl_ret; + goto finished; + } +#endif #ifdef OVERRIDE - ret = kadm5_create_principal(server_handle, princ, mask, pw, - override_qual); + ret = kadm5_create_principal(server_handle, princ, mask, pw, + override_qual); #else - ret = kadm5_create_principal(server_handle, princ, mask, pw); -#endif - - if (ret != KADM5_OK) { - stash_error(interp, ret); - retcode = TCL_ERROR; - goto finished; - } - else { - set_ok(interp, "Principal created."); - } + ret = kadm5_create_principal(server_handle, princ, mask, pw); +#endif + + if (ret != KADM5_OK) { + stash_error(interp, ret); + retcode = TCL_ERROR; + goto finished; + } + else { + set_ok(interp, "Principal created."); + } finished: - if (princ) { - free_principal_ent(&princ); - } - return retcode; + if (princ) { + free_principal_ent(&princ); + } + return retcode; } -static int tcl_kadm5_delete_principal(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) +static int tcl_kadm5_delete_principal(ClientData clientData, + Tcl_Interp *interp, + int argc, const char *argv[]) { - krb5_principal princ; - krb5_error_code krb5_ret; - kadm5_ret_t ret; - int tcl_ret; - char *name; - - GET_HANDLE(1, 0); - - if((tcl_ret = parse_str(interp, argv[0], &name)) != TCL_OK) - return tcl_ret; - if(name != NULL) { - if ((krb5_ret = krb5_parse_name(context, name, &princ))) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing principal"); - return TCL_ERROR; - } - } else princ = NULL; - ret = kadm5_delete_principal(server_handle, princ); - - if(princ != NULL) - krb5_free_principal(context, princ); - - if (ret != KADM5_OK) { - stash_error(interp, ret); - return TCL_ERROR; - } - else { - set_ok(interp, "Principal deleted."); - return TCL_OK; - } + krb5_principal princ; + krb5_error_code krb5_ret; + kadm5_ret_t ret; + int tcl_ret; + char *name; + + GET_HANDLE(1, 0); + + if((tcl_ret = parse_str(interp, argv[0], &name)) != TCL_OK) + return tcl_ret; + if(name != NULL) { + if ((krb5_ret = krb5_parse_name(context, name, &princ))) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing principal"); + return TCL_ERROR; + } + } else princ = NULL; + ret = kadm5_delete_principal(server_handle, princ); + + if(princ != NULL) + krb5_free_principal(context, princ); + + if (ret != KADM5_OK) { + stash_error(interp, ret); + return TCL_ERROR; + } + else { + set_ok(interp, "Principal deleted."); + return TCL_OK; + } } -static int tcl_kadm5_modify_principal(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) +static int tcl_kadm5_modify_principal(ClientData clientData, + Tcl_Interp *interp, + int argc, const char *argv[]) { - char *princ_string; - kadm5_principal_ent_t princ = 0; - int tcl_ret; - krb5_int32 mask; - int retcode = TCL_OK; - kadm5_ret_t ret; - - GET_HANDLE(2, 0); - - if ((tcl_ret = parse_str(interp, argv[0], &princ_string)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing principal"); - return tcl_ret; - } - - if (princ_string && - ((tcl_ret = parse_principal_ent(interp, princ_string, &princ)) - != TCL_OK)) { - return tcl_ret; - } - - if ((tcl_ret = parse_principal_mask(interp, argv[1], &mask)) != TCL_OK) { - retcode = TCL_ERROR; - goto finished; - } - - ret = kadm5_modify_principal(server_handle, princ, mask); - - if (ret != KADM5_OK) { - stash_error(interp, ret); - retcode = TCL_ERROR; - } - else { - set_ok(interp, "Principal modified."); - } + char *princ_string; + kadm5_principal_ent_t princ = 0; + int tcl_ret; + krb5_int32 mask; + int retcode = TCL_OK; + kadm5_ret_t ret; + + GET_HANDLE(2, 0); + + if ((tcl_ret = parse_str(interp, argv[0], &princ_string)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing principal"); + return tcl_ret; + } + + if (princ_string && + ((tcl_ret = parse_principal_ent(interp, princ_string, &princ)) + != TCL_OK)) { + return tcl_ret; + } + + if ((tcl_ret = parse_principal_mask(interp, argv[1], &mask)) != TCL_OK) { + retcode = TCL_ERROR; + goto finished; + } + + ret = kadm5_modify_principal(server_handle, princ, mask); + + if (ret != KADM5_OK) { + stash_error(interp, ret); + retcode = TCL_ERROR; + } + else { + set_ok(interp, "Principal modified."); + } finished: - if (princ) { - free_principal_ent(&princ); - } - return retcode; + if (princ) { + free_principal_ent(&princ); + } + return retcode; } -static int tcl_kadm5_rename_principal(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) +static int tcl_kadm5_rename_principal(ClientData clientData, + Tcl_Interp *interp, + int argc, const char *argv[]) { - krb5_principal source, target; - krb5_error_code krb5_ret; - kadm5_ret_t ret; - int retcode = TCL_OK; - - GET_HANDLE(2, 0); - - if ((krb5_ret = krb5_parse_name(context, argv[0], &source)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing source"); - return TCL_ERROR; - } - - if ((krb5_ret = krb5_parse_name(context, argv[1], &target)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing target"); - krb5_free_principal(context, source); - return TCL_ERROR; - } - - ret = kadm5_rename_principal(server_handle, source, target); - - if (ret == KADM5_OK) { - set_ok(interp, "Principal renamed."); - } - else { - stash_error(interp, ret); - retcode = TCL_ERROR; - } - - krb5_free_principal(context, source); - krb5_free_principal(context, target); - return retcode; + krb5_principal source, target; + krb5_error_code krb5_ret; + kadm5_ret_t ret; + int retcode = TCL_OK; + + GET_HANDLE(2, 0); + + if ((krb5_ret = krb5_parse_name(context, argv[0], &source)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing source"); + return TCL_ERROR; + } + + if ((krb5_ret = krb5_parse_name(context, argv[1], &target)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing target"); + krb5_free_principal(context, source); + return TCL_ERROR; + } + + ret = kadm5_rename_principal(server_handle, source, target); + + if (ret == KADM5_OK) { + set_ok(interp, "Principal renamed."); + } + else { + stash_error(interp, ret); + retcode = TCL_ERROR; + } + + krb5_free_principal(context, source); + krb5_free_principal(context, target); + return retcode; } - -static int tcl_kadm5_chpass_principal(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) + +static int tcl_kadm5_chpass_principal(ClientData clientData, + Tcl_Interp *interp, + int argc, const char *argv[]) { - krb5_principal princ; - char *pw; -#ifdef OVERRIDE - int override_qual; -#endif - krb5_error_code krb5_ret; - int retcode = TCL_OK; - kadm5_ret_t ret; - - GET_HANDLE(2, 0); - - if ((krb5_ret = krb5_parse_name(context, argv[0], &princ)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing principal name"); - return TCL_ERROR; - } - - if (parse_str(interp, argv[1], &pw) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing password"); - retcode = TCL_ERROR; - goto finished; - } + krb5_principal princ; + char *pw; +#ifdef OVERRIDE + int override_qual; +#endif + krb5_error_code krb5_ret; + int retcode = TCL_OK; + kadm5_ret_t ret; + + GET_HANDLE(2, 0); + + if ((krb5_ret = krb5_parse_name(context, argv[0], &princ)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing principal name"); + return TCL_ERROR; + } + + if (parse_str(interp, argv[1], &pw) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing password"); + retcode = TCL_ERROR; + goto finished; + } #ifdef OVERRIDE - if (Tcl_GetBoolean(interp, argv[2], &override_qual) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing override_qual"); - retcode = TCL_ERROR; - goto finished; - } - - ret = kadm5_chpass_principal(server_handle, - princ, pw, override_qual); + if (Tcl_GetBoolean(interp, argv[2], &override_qual) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing override_qual"); + retcode = TCL_ERROR; + goto finished; + } + + ret = kadm5_chpass_principal(server_handle, + princ, pw, override_qual); #else - ret = kadm5_chpass_principal(server_handle, princ, pw); -#endif - - if (ret == KADM5_OK) { - set_ok(interp, "Password changed."); - goto finished; - } - else { - stash_error(interp, ret); - retcode = TCL_ERROR; - } + ret = kadm5_chpass_principal(server_handle, princ, pw); +#endif + + if (ret == KADM5_OK) { + set_ok(interp, "Password changed."); + goto finished; + } + else { + stash_error(interp, ret); + retcode = TCL_ERROR; + } finished: - krb5_free_principal(context, princ); - return retcode; + krb5_free_principal(context, princ); + return retcode; } static int tcl_kadm5_chpass_principal_util(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) + Tcl_Interp *interp, + int argc, const char *argv[]) { - krb5_principal princ; - char *new_pw; -#ifdef OVERRIDE - int override_qual; -#endif - char *pw_ret, *pw_ret_var; - char msg_ret[1024], *msg_ret_var; - krb5_error_code krb5_ret; - kadm5_ret_t ret; - int retcode = TCL_OK; - - GET_HANDLE(4, 0); - - if ((krb5_ret = krb5_parse_name(context, argv[0], &princ)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing principal name"); - return TCL_ERROR; - } - - if (parse_str(interp, argv[1], &new_pw) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing new password"); - retcode = TCL_ERROR; - goto finished; - } + krb5_principal princ; + char *new_pw; #ifdef OVERRIDE - if (Tcl_GetBoolean(interp, argv[2], &override_qual) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing override_qual"); - retcode = TCL_ERROR; - goto finished; - } + int override_qual; #endif - if (parse_str(interp, argv[3], &pw_ret_var) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing pw_ret variable name"); - retcode = TCL_ERROR; - goto finished; - } - - if (parse_str(interp, argv[4], &msg_ret_var) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing msg_ret variable name"); - retcode = TCL_ERROR; - goto finished; - } - - ret = kadm5_chpass_principal_util(server_handle, princ, new_pw, -#ifdef OVERRIDE - override_qual, -#endif - pw_ret_var ? &pw_ret : 0, - msg_ret_var ? msg_ret : 0, - msg_ret_var ? sizeof(msg_ret) : 0); - - if (ret == KADM5_OK) { - if (pw_ret_var && - (! Tcl_SetVar(interp, pw_ret_var, pw_ret, - TCL_LEAVE_ERR_MSG))) { - Tcl_AppendElement(interp, "while setting pw_ret variable"); - retcode = TCL_ERROR; - goto finished; - } - if (msg_ret_var && - (! Tcl_SetVar(interp, msg_ret_var, msg_ret, - TCL_LEAVE_ERR_MSG))) { - Tcl_AppendElement(interp, - "while setting msg_ret variable"); - retcode = TCL_ERROR; - goto finished; - } - set_ok(interp, "Password changed."); - } - else { - stash_error(interp, ret); - retcode = TCL_ERROR; - } + char *pw_ret, *pw_ret_var; + char msg_ret[1024], *msg_ret_var; + krb5_error_code krb5_ret; + kadm5_ret_t ret; + int retcode = TCL_OK; + + GET_HANDLE(4, 0); + + if ((krb5_ret = krb5_parse_name(context, argv[0], &princ)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing principal name"); + return TCL_ERROR; + } + + if (parse_str(interp, argv[1], &new_pw) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing new password"); + retcode = TCL_ERROR; + goto finished; + } +#ifdef OVERRIDE + if (Tcl_GetBoolean(interp, argv[2], &override_qual) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing override_qual"); + retcode = TCL_ERROR; + goto finished; + } +#endif + if (parse_str(interp, argv[3], &pw_ret_var) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing pw_ret variable name"); + retcode = TCL_ERROR; + goto finished; + } + + if (parse_str(interp, argv[4], &msg_ret_var) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing msg_ret variable name"); + retcode = TCL_ERROR; + goto finished; + } + + ret = kadm5_chpass_principal_util(server_handle, princ, new_pw, +#ifdef OVERRIDE + override_qual, +#endif + pw_ret_var ? &pw_ret : 0, + msg_ret_var ? msg_ret : 0, + msg_ret_var ? sizeof(msg_ret) : 0); + + if (ret == KADM5_OK) { + if (pw_ret_var && + (! Tcl_SetVar(interp, pw_ret_var, pw_ret, + TCL_LEAVE_ERR_MSG))) { + Tcl_AppendElement(interp, "while setting pw_ret variable"); + retcode = TCL_ERROR; + goto finished; + } + if (msg_ret_var && + (! Tcl_SetVar(interp, msg_ret_var, msg_ret, + TCL_LEAVE_ERR_MSG))) { + Tcl_AppendElement(interp, + "while setting msg_ret variable"); + retcode = TCL_ERROR; + goto finished; + } + set_ok(interp, "Password changed."); + } + else { + stash_error(interp, ret); + retcode = TCL_ERROR; + } finished: - krb5_free_principal(context, princ); - return retcode; + krb5_free_principal(context, princ); + return retcode; } -static int tcl_kadm5_randkey_principal(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) +static int tcl_kadm5_randkey_principal(ClientData clientData, + Tcl_Interp *interp, + int argc, const char *argv[]) { - krb5_principal princ; - krb5_keyblock *keyblocks; - int num_keys; - char *keyblock_var, *num_var, buf[50]; - Tcl_DString *keyblock_dstring = 0; - krb5_error_code krb5_ret; - kadm5_ret_t ret; - int retcode = TCL_OK; - - GET_HANDLE(3, 0); - - if ((krb5_ret = krb5_parse_name(context, argv[0], &princ)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing principal name"); - return TCL_ERROR; - } - - if (parse_str(interp, argv[1], &keyblock_var) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing keyblock variable name"); - retcode = TCL_ERROR; - goto finished; - } - if (parse_str(interp, argv[2], &num_var) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing keyblock variable name"); - retcode = TCL_ERROR; - goto finished; - } - - ret = kadm5_randkey_principal(server_handle, - princ, keyblock_var ? &keyblocks : 0, - &num_keys); - - if (ret == KADM5_OK) { - if (keyblock_var) { - keyblock_dstring = unparse_keyblocks(keyblocks, num_keys); - if (! Tcl_SetVar(interp, keyblock_var, - keyblock_dstring->string, - TCL_LEAVE_ERR_MSG)) { - Tcl_AppendElement(interp, - "while setting keyblock variable"); - retcode = TCL_ERROR; - goto finished; - } - } - if (num_var) { - sprintf(buf, "%d", num_keys); - if (! Tcl_SetVar(interp, num_var, buf, - TCL_LEAVE_ERR_MSG)) { - Tcl_AppendElement(interp, - "while setting num_keys variable"); - } - } - set_ok(interp, "Key randomized."); - } - else { - stash_error(interp, ret); - retcode = TCL_ERROR; - } + krb5_principal princ; + krb5_keyblock *keyblocks; + int num_keys; + char *keyblock_var, *num_var, buf[50]; + Tcl_DString *keyblock_dstring = 0; + krb5_error_code krb5_ret; + kadm5_ret_t ret; + int retcode = TCL_OK; + + GET_HANDLE(3, 0); + + if ((krb5_ret = krb5_parse_name(context, argv[0], &princ)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing principal name"); + return TCL_ERROR; + } + + if (parse_str(interp, argv[1], &keyblock_var) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing keyblock variable name"); + retcode = TCL_ERROR; + goto finished; + } + if (parse_str(interp, argv[2], &num_var) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing keyblock variable name"); + retcode = TCL_ERROR; + goto finished; + } + + ret = kadm5_randkey_principal(server_handle, + princ, keyblock_var ? &keyblocks : 0, + &num_keys); + + if (ret == KADM5_OK) { + if (keyblock_var) { + keyblock_dstring = unparse_keyblocks(keyblocks, num_keys); + if (! Tcl_SetVar(interp, keyblock_var, + keyblock_dstring->string, + TCL_LEAVE_ERR_MSG)) { + Tcl_AppendElement(interp, + "while setting keyblock variable"); + retcode = TCL_ERROR; + goto finished; + } + } + if (num_var) { + sprintf(buf, "%d", num_keys); + if (! Tcl_SetVar(interp, num_var, buf, + TCL_LEAVE_ERR_MSG)) { + Tcl_AppendElement(interp, + "while setting num_keys variable"); + } + } + set_ok(interp, "Key randomized."); + } + else { + stash_error(interp, ret); + retcode = TCL_ERROR; + } finished: - krb5_free_principal(context, princ); - if (keyblock_dstring) { - Tcl_DStringFree(keyblock_dstring); - free(keyblock_dstring); - } - return retcode; + krb5_free_principal(context, princ); + if (keyblock_dstring) { + Tcl_DStringFree(keyblock_dstring); + free(keyblock_dstring); + } + return retcode; } static int tcl_kadm5_get_principal(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - krb5_principal princ; - kadm5_principal_ent_rec ent; - Tcl_DString *ent_dstring = 0; - char *ent_var; - char *name; - krb5_error_code krb5_ret; - int tcl_ret; - kadm5_ret_t ret = -1; - krb5_int32 mask; - int retcode = TCL_OK; - - GET_HANDLE(3, 1); - - if((tcl_ret = parse_str(interp, argv[0], &name)) != TCL_OK) - return tcl_ret; - if(name != NULL) { - if ((krb5_ret = krb5_parse_name(context, name, &princ)) != 0) { - stash_error(interp, krb5_ret); - Tcl_AppendElement(interp, "while parsing principal name"); - return TCL_ERROR; - } - } else princ = NULL; - - if ((tcl_ret = parse_str(interp, argv[1], &ent_var)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing entry variable name"); - retcode = TCL_ERROR; - goto finished; - } - if ((tcl_ret = parse_principal_mask(interp, argv[2], &mask)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing principal mask"); - retcode = TCL_ERROR; - goto finished; - } - - ret = kadm5_get_principal(server_handle, princ, ent_var ? &ent : 0, - mask); - - if (ret == KADM5_OK) { - if (ent_var) { - ent_dstring = unparse_principal_ent(&ent, mask); - if (! Tcl_SetVar(interp, ent_var, ent_dstring->string, - TCL_LEAVE_ERR_MSG)) { - Tcl_AppendElement(interp, - "while setting entry variable"); - retcode = TCL_ERROR; - goto finished; - } - set_ok(interp, "Principal retrieved."); - } - } - else { - stash_error(interp, ret); - retcode = TCL_ERROR; - } + krb5_principal princ; + kadm5_principal_ent_rec ent; + Tcl_DString *ent_dstring = 0; + char *ent_var; + char *name; + krb5_error_code krb5_ret; + int tcl_ret; + kadm5_ret_t ret = -1; + krb5_int32 mask; + int retcode = TCL_OK; + + GET_HANDLE(3, 1); + + if((tcl_ret = parse_str(interp, argv[0], &name)) != TCL_OK) + return tcl_ret; + if(name != NULL) { + if ((krb5_ret = krb5_parse_name(context, name, &princ)) != 0) { + stash_error(interp, krb5_ret); + Tcl_AppendElement(interp, "while parsing principal name"); + return TCL_ERROR; + } + } else princ = NULL; + + if ((tcl_ret = parse_str(interp, argv[1], &ent_var)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing entry variable name"); + retcode = TCL_ERROR; + goto finished; + } + if ((tcl_ret = parse_principal_mask(interp, argv[2], &mask)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing principal mask"); + retcode = TCL_ERROR; + goto finished; + } + + ret = kadm5_get_principal(server_handle, princ, ent_var ? &ent : 0, + mask); + + if (ret == KADM5_OK) { + if (ent_var) { + ent_dstring = unparse_principal_ent(&ent, mask); + if (! Tcl_SetVar(interp, ent_var, ent_dstring->string, + TCL_LEAVE_ERR_MSG)) { + Tcl_AppendElement(interp, + "while setting entry variable"); + retcode = TCL_ERROR; + goto finished; + } + set_ok(interp, "Principal retrieved."); + } + } + else { + stash_error(interp, ret); + retcode = TCL_ERROR; + } finished: - if (ent_dstring) { - Tcl_DStringFree(ent_dstring); - free(ent_dstring); - } - if(princ != NULL) - krb5_free_principal(context, princ); - if (ret == KADM5_OK && ent_var && - (ret = kadm5_free_principal_ent(server_handle, &ent)) && - (retcode == TCL_OK)) { - stash_error(interp, ret); - retcode = TCL_ERROR; - } - return retcode; + if (ent_dstring) { + Tcl_DStringFree(ent_dstring); + free(ent_dstring); + } + if(princ != NULL) + krb5_free_principal(context, princ); + if (ret == KADM5_OK && ent_var && + (ret = kadm5_free_principal_ent(server_handle, &ent)) && + (retcode == TCL_OK)) { + stash_error(interp, ret); + retcode = TCL_ERROR; + } + return retcode; } - + static int tcl_kadm5_create_policy(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - int tcl_ret; - kadm5_ret_t ret; - int retcode = TCL_OK; - char *policy_string; - kadm5_policy_ent_t policy = 0; - krb5_int32 mask; - - GET_HANDLE(2, 0); - - if ((tcl_ret = parse_str(interp, argv[0], &policy_string)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing policy"); - return tcl_ret; - } - - if (policy_string && - ((tcl_ret = parse_policy_ent(interp, policy_string, &policy)) - != TCL_OK)) { - return tcl_ret; - } - - if ((tcl_ret = parse_policy_mask(interp, argv[1], &mask)) != TCL_OK) { - retcode = tcl_ret; - goto finished; - } - - ret = kadm5_create_policy(server_handle, policy, mask); - - if (ret != KADM5_OK) { - stash_error(interp, ret); - retcode = TCL_ERROR; - goto finished; - } - else { - set_ok(interp, "Policy created."); - } + int tcl_ret; + kadm5_ret_t ret; + int retcode = TCL_OK; + char *policy_string; + kadm5_policy_ent_t policy = 0; + krb5_int32 mask; + + GET_HANDLE(2, 0); + + if ((tcl_ret = parse_str(interp, argv[0], &policy_string)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing policy"); + return tcl_ret; + } + + if (policy_string && + ((tcl_ret = parse_policy_ent(interp, policy_string, &policy)) + != TCL_OK)) { + return tcl_ret; + } + + if ((tcl_ret = parse_policy_mask(interp, argv[1], &mask)) != TCL_OK) { + retcode = tcl_ret; + goto finished; + } + + ret = kadm5_create_policy(server_handle, policy, mask); + + if (ret != KADM5_OK) { + stash_error(interp, ret); + retcode = TCL_ERROR; + goto finished; + } + else { + set_ok(interp, "Policy created."); + } finished: - if (policy) { - free_policy_ent(&policy); - } - return retcode; + if (policy) { + free_policy_ent(&policy); + } + return retcode; } static int tcl_kadm5_delete_policy(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - kadm5_ret_t ret; - char *policy; - - GET_HANDLE(1, 0); - - if (parse_str(interp, argv[0], &policy) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing policy name"); - return TCL_ERROR; - } - - ret = kadm5_delete_policy(server_handle, policy); - - if (ret != KADM5_OK) { - stash_error(interp, ret); - return TCL_ERROR; - } - else { - set_ok(interp, "Policy deleted."); - return TCL_OK; - } + kadm5_ret_t ret; + char *policy; + + GET_HANDLE(1, 0); + + if (parse_str(interp, argv[0], &policy) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing policy name"); + return TCL_ERROR; + } + + ret = kadm5_delete_policy(server_handle, policy); + + if (ret != KADM5_OK) { + stash_error(interp, ret); + return TCL_ERROR; + } + else { + set_ok(interp, "Policy deleted."); + return TCL_OK; + } } static int tcl_kadm5_modify_policy(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - char *policy_string; - kadm5_policy_ent_t policy = 0; - int tcl_ret; - krb5_int32 mask; - int retcode = TCL_OK; - kadm5_ret_t ret; - - GET_HANDLE(2, 0); - - if ((tcl_ret = parse_str(interp, argv[0], &policy_string)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing policy"); - return tcl_ret; - } - - if (policy_string && - ((tcl_ret = parse_policy_ent(interp, policy_string, &policy)) - != TCL_OK)) { - return tcl_ret; - } - - if ((tcl_ret = parse_policy_mask(interp, argv[1], &mask)) != TCL_OK) { - retcode = TCL_ERROR; - goto finished; - } - - ret = kadm5_modify_policy(server_handle, policy, mask); - - if (ret != KADM5_OK) { - stash_error(interp, ret); - retcode = TCL_ERROR; - } - else { - set_ok(interp, "Policy modified."); - } + char *policy_string; + kadm5_policy_ent_t policy = 0; + int tcl_ret; + krb5_int32 mask; + int retcode = TCL_OK; + kadm5_ret_t ret; + + GET_HANDLE(2, 0); + + if ((tcl_ret = parse_str(interp, argv[0], &policy_string)) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing policy"); + return tcl_ret; + } + + if (policy_string && + ((tcl_ret = parse_policy_ent(interp, policy_string, &policy)) + != TCL_OK)) { + return tcl_ret; + } + + if ((tcl_ret = parse_policy_mask(interp, argv[1], &mask)) != TCL_OK) { + retcode = TCL_ERROR; + goto finished; + } + + ret = kadm5_modify_policy(server_handle, policy, mask); + + if (ret != KADM5_OK) { + stash_error(interp, ret); + retcode = TCL_ERROR; + } + else { + set_ok(interp, "Policy modified."); + } finished: - if (policy) { - free_policy_ent(&policy); - } - return retcode; + if (policy) { + free_policy_ent(&policy); + } + return retcode; } static int tcl_kadm5_get_policy(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - kadm5_policy_ent_rec ent; - Tcl_DString *ent_dstring = 0; - char *policy; - char *ent_var; - kadm5_ret_t ret; - int retcode = TCL_OK; - - GET_HANDLE(2, 1); - - if (parse_str(interp, argv[0], &policy) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing policy name"); - return TCL_ERROR; - } - - if (parse_str(interp, argv[1], &ent_var) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing entry variable name"); - return TCL_ERROR; - } - - ret = kadm5_get_policy(server_handle, policy, ent_var ? &ent : 0); - - if (ret == KADM5_OK) { - if (ent_var) { - ent_dstring = unparse_policy_ent(&ent); - if (! Tcl_SetVar(interp, ent_var, ent_dstring->string, - TCL_LEAVE_ERR_MSG)) { - Tcl_AppendElement(interp, - "while setting entry variable"); - retcode = TCL_ERROR; - goto finished; - } - set_ok(interp, "Policy retrieved."); - } - } - else { - stash_error(interp, ret); - retcode = TCL_ERROR; - } + kadm5_policy_ent_rec ent; + Tcl_DString *ent_dstring = 0; + char *policy; + char *ent_var; + kadm5_ret_t ret; + int retcode = TCL_OK; + + GET_HANDLE(2, 1); + + if (parse_str(interp, argv[0], &policy) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing policy name"); + return TCL_ERROR; + } + + if (parse_str(interp, argv[1], &ent_var) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing entry variable name"); + return TCL_ERROR; + } + + ret = kadm5_get_policy(server_handle, policy, ent_var ? &ent : 0); + + if (ret == KADM5_OK) { + if (ent_var) { + ent_dstring = unparse_policy_ent(&ent); + if (! Tcl_SetVar(interp, ent_var, ent_dstring->string, + TCL_LEAVE_ERR_MSG)) { + Tcl_AppendElement(interp, + "while setting entry variable"); + retcode = TCL_ERROR; + goto finished; + } + set_ok(interp, "Policy retrieved."); + } + } + else { + stash_error(interp, ret); + retcode = TCL_ERROR; + } finished: - if (ent_dstring) { - Tcl_DStringFree(ent_dstring); - free(ent_dstring); - } - if (ent_var && ret == KADM5_OK && - (ret = kadm5_free_policy_ent(server_handle, &ent)) && - (retcode == TCL_OK)) { - stash_error(interp, ret); - retcode = TCL_ERROR; - } - return retcode; + if (ent_dstring) { + Tcl_DStringFree(ent_dstring); + free(ent_dstring); + } + if (ent_var && ret == KADM5_OK && + (ret = kadm5_free_policy_ent(server_handle, &ent)) && + (retcode == TCL_OK)) { + stash_error(interp, ret); + retcode = TCL_ERROR; + } + return retcode; } - - + + static int tcl_kadm5_free_principal_ent(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) + Tcl_Interp *interp, + int argc, const char *argv[]) { - char *ent_name; - kadm5_principal_ent_t ent; - kadm5_ret_t ret; - - GET_HANDLE(1, 0); - - if (parse_str(interp, argv[0], &ent_name) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing entry name"); - return TCL_ERROR; - } - - if ((! ent_name) && - (ret = kadm5_free_principal_ent(server_handle, 0))) { - stash_error(interp, ret); - return TCL_ERROR; - } - else { - Tcl_HashEntry *entry; - - if (strncmp(ent_name, "principal", sizeof("principal")-1)) { - Tcl_AppendResult(interp, "invalid principal handle \"", - ent_name, "\"", 0); - return TCL_ERROR; - } - if (! struct_table) { - if (! (struct_table = malloc(sizeof(*struct_table)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - Tcl_InitHashTable(struct_table, TCL_STRING_KEYS); - } - - if (! (entry = Tcl_FindHashEntry(struct_table, ent_name))) { - Tcl_AppendResult(interp, "principal handle \"", ent_name, - "\" not found", 0); - return TCL_ERROR; - } - - ent = (kadm5_principal_ent_t) Tcl_GetHashValue(entry); - - ret = kadm5_free_principal_ent(server_handle, ent); - if (ret != KADM5_OK) { - stash_error(interp, ret); - return TCL_ERROR; - } - Tcl_DeleteHashEntry(entry); - } - set_ok(interp, "Principal freed."); - return TCL_OK; + char *ent_name; + kadm5_principal_ent_t ent; + kadm5_ret_t ret; + + GET_HANDLE(1, 0); + + if (parse_str(interp, argv[0], &ent_name) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing entry name"); + return TCL_ERROR; + } + + if ((! ent_name) && + (ret = kadm5_free_principal_ent(server_handle, 0))) { + stash_error(interp, ret); + return TCL_ERROR; + } + else { + Tcl_HashEntry *entry; + + if (strncmp(ent_name, "principal", sizeof("principal")-1)) { + Tcl_AppendResult(interp, "invalid principal handle \"", + ent_name, "\"", 0); + return TCL_ERROR; + } + if (! struct_table) { + if (! (struct_table = malloc(sizeof(*struct_table)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + Tcl_InitHashTable(struct_table, TCL_STRING_KEYS); + } + + if (! (entry = Tcl_FindHashEntry(struct_table, ent_name))) { + Tcl_AppendResult(interp, "principal handle \"", ent_name, + "\" not found", 0); + return TCL_ERROR; + } + + ent = (kadm5_principal_ent_t) Tcl_GetHashValue(entry); + + ret = kadm5_free_principal_ent(server_handle, ent); + if (ret != KADM5_OK) { + stash_error(interp, ret); + return TCL_ERROR; + } + Tcl_DeleteHashEntry(entry); + } + set_ok(interp, "Principal freed."); + return TCL_OK; } - - + + static int tcl_kadm5_free_policy_ent(ClientData clientData, - Tcl_Interp *interp, - int argc, const char *argv[]) + Tcl_Interp *interp, + int argc, const char *argv[]) { - char *ent_name; - kadm5_policy_ent_t ent; - kadm5_ret_t ret; - - GET_HANDLE(1, 0); - - if (parse_str(interp, argv[0], &ent_name) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing entry name"); - return TCL_ERROR; - } - - if ((! ent_name) && - (ret = kadm5_free_policy_ent(server_handle, 0))) { - stash_error(interp, ret); - return TCL_ERROR; - } - else { - Tcl_HashEntry *entry; - - if (strncmp(ent_name, "policy", sizeof("policy")-1)) { - Tcl_AppendResult(interp, "invalid principal handle \"", - ent_name, "\"", 0); - return TCL_ERROR; - } - if (! struct_table) { - if (! (struct_table = malloc(sizeof(*struct_table)))) { - fprintf(stderr, "Out of memory!\n"); - exit(1); /* XXX */ - } - Tcl_InitHashTable(struct_table, TCL_STRING_KEYS); - } - - if (! (entry = Tcl_FindHashEntry(struct_table, ent_name))) { - Tcl_AppendResult(interp, "policy handle \"", ent_name, - "\" not found", 0); - return TCL_ERROR; - } - - ent = (kadm5_policy_ent_t) Tcl_GetHashValue(entry); - - if ((ret = kadm5_free_policy_ent(server_handle, ent)) != KADM5_OK) { - stash_error(interp, ret); - return TCL_ERROR; - } - Tcl_DeleteHashEntry(entry); - } - set_ok(interp, "Policy freed."); - return TCL_OK; + char *ent_name; + kadm5_policy_ent_t ent; + kadm5_ret_t ret; + + GET_HANDLE(1, 0); + + if (parse_str(interp, argv[0], &ent_name) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing entry name"); + return TCL_ERROR; + } + + if ((! ent_name) && + (ret = kadm5_free_policy_ent(server_handle, 0))) { + stash_error(interp, ret); + return TCL_ERROR; + } + else { + Tcl_HashEntry *entry; + + if (strncmp(ent_name, "policy", sizeof("policy")-1)) { + Tcl_AppendResult(interp, "invalid principal handle \"", + ent_name, "\"", 0); + return TCL_ERROR; + } + if (! struct_table) { + if (! (struct_table = malloc(sizeof(*struct_table)))) { + fprintf(stderr, "Out of memory!\n"); + exit(1); /* XXX */ + } + Tcl_InitHashTable(struct_table, TCL_STRING_KEYS); + } + + if (! (entry = Tcl_FindHashEntry(struct_table, ent_name))) { + Tcl_AppendResult(interp, "policy handle \"", ent_name, + "\" not found", 0); + return TCL_ERROR; + } + + ent = (kadm5_policy_ent_t) Tcl_GetHashValue(entry); + + if ((ret = kadm5_free_policy_ent(server_handle, ent)) != KADM5_OK) { + stash_error(interp, ret); + return TCL_ERROR; + } + Tcl_DeleteHashEntry(entry); + } + set_ok(interp, "Policy freed."); + return TCL_OK; } - - + + static int tcl_kadm5_get_privs(ClientData clientData, Tcl_Interp *interp, - int argc, const char *argv[]) + int argc, const char *argv[]) { - const char *set_ret; - kadm5_ret_t ret; - char *priv_var; - long privs; - - GET_HANDLE(1, 0); - - if (parse_str(interp, argv[0], &priv_var) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing privs variable name"); - return TCL_ERROR; - } - - ret = kadm5_get_privs(server_handle, priv_var ? &privs : 0); - - if (ret == KADM5_OK) { - if (priv_var) { - Tcl_DString *str = unparse_privs(privs); - set_ret = Tcl_SetVar(interp, priv_var, str->string, - TCL_LEAVE_ERR_MSG); - Tcl_DStringFree(str); - free(str); - if (! set_ret) { - Tcl_AppendElement(interp, "while setting priv variable"); - return TCL_ERROR; - } - } - set_ok(interp, "Privileges retrieved."); - return TCL_OK; - } - else { - stash_error(interp, ret); - return TCL_ERROR; - } + const char *set_ret; + kadm5_ret_t ret; + char *priv_var; + long privs; + + GET_HANDLE(1, 0); + + if (parse_str(interp, argv[0], &priv_var) != TCL_OK) { + Tcl_AppendElement(interp, "while parsing privs variable name"); + return TCL_ERROR; + } + + ret = kadm5_get_privs(server_handle, priv_var ? &privs : 0); + + if (ret == KADM5_OK) { + if (priv_var) { + Tcl_DString *str = unparse_privs(privs); + set_ret = Tcl_SetVar(interp, priv_var, str->string, + TCL_LEAVE_ERR_MSG); + Tcl_DStringFree(str); + free(str); + if (! set_ret) { + Tcl_AppendElement(interp, "while setting priv variable"); + return TCL_ERROR; + } + } + set_ok(interp, "Privileges retrieved."); + return TCL_OK; + } + else { + stash_error(interp, ret); + return TCL_ERROR; + } } - + void Tcl_kadm5_init(Tcl_Interp *interp) { char buf[20]; - Tcl_SetVar(interp, "KADM5_ADMIN_SERVICE", - KADM5_ADMIN_SERVICE, TCL_GLOBAL_ONLY); - Tcl_SetVar(interp, "KADM5_CHANGEPW_SERVICE", - KADM5_CHANGEPW_SERVICE, TCL_GLOBAL_ONLY); + Tcl_SetVar(interp, "KADM5_ADMIN_SERVICE", + KADM5_ADMIN_SERVICE, TCL_GLOBAL_ONLY); + Tcl_SetVar(interp, "KADM5_CHANGEPW_SERVICE", + KADM5_CHANGEPW_SERVICE, TCL_GLOBAL_ONLY); (void) sprintf(buf, "%d", KADM5_STRUCT_VERSION); - Tcl_SetVar(interp, "KADM5_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY); + Tcl_SetVar(interp, "KADM5_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY); (void) sprintf(buf, "%d", KADM5_API_VERSION_2); - Tcl_SetVar(interp, "KADM5_API_VERSION_2", buf, TCL_GLOBAL_ONLY); + Tcl_SetVar(interp, "KADM5_API_VERSION_2", buf, TCL_GLOBAL_ONLY); (void) sprintf(buf, "%d", KADM5_API_VERSION_3); - Tcl_SetVar(interp, "KADM5_API_VERSION_3", buf, TCL_GLOBAL_ONLY); + Tcl_SetVar(interp, "KADM5_API_VERSION_3", buf, TCL_GLOBAL_ONLY); (void) sprintf(buf, "%d", KADM5_API_VERSION_MASK); - Tcl_SetVar(interp, "KADM5_API_VERSION_MASK", buf, TCL_GLOBAL_ONLY); + Tcl_SetVar(interp, "KADM5_API_VERSION_MASK", buf, TCL_GLOBAL_ONLY); (void) sprintf(buf, "%d", KADM5_STRUCT_VERSION_MASK); - Tcl_SetVar(interp, "KADM5_STRUCT_VERSION_MASK", buf, - TCL_GLOBAL_ONLY); - - Tcl_CreateCommand(interp, "kadm5_init", tcl_kadm5_init, 0, 0); - Tcl_CreateCommand(interp, "kadm5_init_with_creds", - tcl_kadm5_init_with_creds, 0, 0); - Tcl_CreateCommand(interp, "kadm5_destroy", tcl_kadm5_destroy, 0, - 0); - Tcl_CreateCommand(interp, "kadm5_create_principal", - tcl_kadm5_create_principal, 0, 0); - Tcl_CreateCommand(interp, "kadm5_delete_principal", - tcl_kadm5_delete_principal, 0, 0); - Tcl_CreateCommand(interp, "kadm5_modify_principal", - tcl_kadm5_modify_principal, 0, 0); - Tcl_CreateCommand(interp, "kadm5_rename_principal", - tcl_kadm5_rename_principal, 0, 0); - Tcl_CreateCommand(interp, "kadm5_chpass_principal", - tcl_kadm5_chpass_principal, 0, 0); - Tcl_CreateCommand(interp, "kadm5_chpass_principal_util", - tcl_kadm5_chpass_principal_util, 0, 0); - Tcl_CreateCommand(interp, "kadm5_randkey_principal", - tcl_kadm5_randkey_principal, 0, 0); - Tcl_CreateCommand(interp, "kadm5_get_principal", - tcl_kadm5_get_principal, 0, 0); - Tcl_CreateCommand(interp, "kadm5_create_policy", - tcl_kadm5_create_policy, 0, 0); - Tcl_CreateCommand(interp, "kadm5_delete_policy", - tcl_kadm5_delete_policy, 0, 0); - Tcl_CreateCommand(interp, "kadm5_modify_policy", - tcl_kadm5_modify_policy, 0, 0); - Tcl_CreateCommand(interp, "kadm5_get_policy", - tcl_kadm5_get_policy, 0, 0); - Tcl_CreateCommand(interp, "kadm5_free_principal_ent", - tcl_kadm5_free_principal_ent, 0, 0); - Tcl_CreateCommand(interp, "kadm5_free_policy_ent", - tcl_kadm5_free_policy_ent, 0, 0); - Tcl_CreateCommand(interp, "kadm5_get_privs", - tcl_kadm5_get_privs, 0, 0); + Tcl_SetVar(interp, "KADM5_STRUCT_VERSION_MASK", buf, + TCL_GLOBAL_ONLY); + + Tcl_CreateCommand(interp, "kadm5_init", tcl_kadm5_init, 0, 0); + Tcl_CreateCommand(interp, "kadm5_init_with_creds", + tcl_kadm5_init_with_creds, 0, 0); + Tcl_CreateCommand(interp, "kadm5_destroy", tcl_kadm5_destroy, 0, + 0); + Tcl_CreateCommand(interp, "kadm5_create_principal", + tcl_kadm5_create_principal, 0, 0); + Tcl_CreateCommand(interp, "kadm5_delete_principal", + tcl_kadm5_delete_principal, 0, 0); + Tcl_CreateCommand(interp, "kadm5_modify_principal", + tcl_kadm5_modify_principal, 0, 0); + Tcl_CreateCommand(interp, "kadm5_rename_principal", + tcl_kadm5_rename_principal, 0, 0); + Tcl_CreateCommand(interp, "kadm5_chpass_principal", + tcl_kadm5_chpass_principal, 0, 0); + Tcl_CreateCommand(interp, "kadm5_chpass_principal_util", + tcl_kadm5_chpass_principal_util, 0, 0); + Tcl_CreateCommand(interp, "kadm5_randkey_principal", + tcl_kadm5_randkey_principal, 0, 0); + Tcl_CreateCommand(interp, "kadm5_get_principal", + tcl_kadm5_get_principal, 0, 0); + Tcl_CreateCommand(interp, "kadm5_create_policy", + tcl_kadm5_create_policy, 0, 0); + Tcl_CreateCommand(interp, "kadm5_delete_policy", + tcl_kadm5_delete_policy, 0, 0); + Tcl_CreateCommand(interp, "kadm5_modify_policy", + tcl_kadm5_modify_policy, 0, 0); + Tcl_CreateCommand(interp, "kadm5_get_policy", + tcl_kadm5_get_policy, 0, 0); + Tcl_CreateCommand(interp, "kadm5_free_principal_ent", + tcl_kadm5_free_principal_ent, 0, 0); + Tcl_CreateCommand(interp, "kadm5_free_policy_ent", + tcl_kadm5_free_policy_ent, 0, 0); + Tcl_CreateCommand(interp, "kadm5_get_privs", + tcl_kadm5_get_privs, 0, 0); } diff --git a/src/kadmin/testing/util/tcl_kadm5.h b/src/kadmin/testing/util/tcl_kadm5.h index d2fdd1d03..1f91a11a1 100644 --- a/src/kadmin/testing/util/tcl_kadm5.h +++ b/src/kadmin/testing/util/tcl_kadm5.h @@ -1,3 +1,3 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ void Tcl_kadm5_init(Tcl_Interp *interp); - diff --git a/src/kadmin/testing/util/tcl_krb5_hash.c b/src/kadmin/testing/util/tcl_krb5_hash.c index 7fe1b8f74..35c6bb0b3 100644 --- a/src/kadmin/testing/util/tcl_krb5_hash.c +++ b/src/kadmin/testing/util/tcl_krb5_hash.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * All of the TCL krb5 functions which return (or place into output * variables) structures or pointers to structures that can't be @@ -10,7 +11,7 @@ * table. * * The functions in this file do four things: - * + * * 1) Given a pointer to a datum and a string representing the type of * datum to which the pointer refers, create a new handle for the * datum, store the datum in the hash table using the new handle as @@ -54,114 +55,113 @@ static char *memory_error = "out of memory"; */ static TclHashTable *get_hash_table(Tcl_Interp *interp, - char *type) + char *type) { - static Tcl_HashTable *hash_table = 0; - - if (! hash_table) { - if (! (hash_table = malloc(sizeof(*hash_table)))) { - Tcl_SetResult(interp, memory_error, TCL_STATIC); - return 0; - } - Tcl_InitHashTable(hash_table, TCL_STRING_KEYS); - } - return hash_table; + static Tcl_HashTable *hash_table = 0; + + if (! hash_table) { + if (! (hash_table = malloc(sizeof(*hash_table)))) { + Tcl_SetResult(interp, memory_error, TCL_STATIC); + return 0; + } + Tcl_InitHashTable(hash_table, TCL_STRING_KEYS); + } + return hash_table; } #define MAX_ID 999999999 #define ID_BUF_SIZE 10 static Tcl_HashEntry *get_new_handle(Tcl_Interp *interp, - char *type) + char *type) { - static unsigned long int id_counter = 0; - Tcl_DString *handle; - char int_buf[ID_BUF_SIZE]; - - if (! (handle = malloc(sizeof(*handle)))) { - Tcl_SetResult(interp, memory_error, TCL_STATIC); - return 0; - } - Tcl_DStringInit(handle); + static unsigned long int id_counter = 0; + Tcl_DString *handle; + char int_buf[ID_BUF_SIZE]; + + if (! (handle = malloc(sizeof(*handle)))) { + Tcl_SetResult(interp, memory_error, TCL_STATIC); + return 0; + } + Tcl_DStringInit(handle); - assert(id_counter <= MAX_ID); + assert(id_counter <= MAX_ID); - sprintf(int_buf, "%d", id_counter++); + sprintf(int_buf, "%d", id_counter++); - Tcl_DStringAppend(handle, type, -1); - Tcl_DStringAppend(handle, SEP_STR, -1); - Tcl_DStringAppend(handle, int_buf, -1); + Tcl_DStringAppend(handle, type, -1); + Tcl_DStringAppend(handle, SEP_STR, -1); + Tcl_DStringAppend(handle, int_buf, -1); - return handle; + return handle; } - - + + Tcl_DString *tcl_krb5_create_object(Tcl_Interp *interp, - char *type, - ClientData datum) + char *type, + ClientData datum) { - Tcl_HashTable *table; - Tcl_DString *handle; - Tcl_HashEntry *entry; - int entry_created = 0; + Tcl_HashTable *table; + Tcl_DString *handle; + Tcl_HashEntry *entry; + int entry_created = 0; - if (! (table = get_hash_table(interp, type))) { - return 0; - } + if (! (table = get_hash_table(interp, type))) { + return 0; + } - if (! (handle = get_new_handle(interp, type))) { - return 0; - } + if (! (handle = get_new_handle(interp, type))) { + return 0; + } - if (! (entry = Tcl_CreateHashEntry(table, handle, &entry_created))) { - Tcl_SetResult(interp, "error creating hash entry", TCL_STATIC); - Tcl_DStringFree(handle); - return TCL_ERROR; - } + if (! (entry = Tcl_CreateHashEntry(table, handle, &entry_created))) { + Tcl_SetResult(interp, "error creating hash entry", TCL_STATIC); + Tcl_DStringFree(handle); + return TCL_ERROR; + } - assert(entry_created); + assert(entry_created); - Tcl_SetHashValue(entry, datum); + Tcl_SetHashValue(entry, datum); - return handle; + return handle; } ClientData tcl_krb5_get_object(Tcl_Interp *interp, - char *handle) + char *handle) { - char *myhandle, *id_ptr; - Tcl_HashTable *table; - Tcl_HashEntry *entry; - - if (! (myhandle = strdup(handle))) { - Tcl_SetResult(interp, memory_error, TCL_STATIC); - return 0; - } - - if (! (id_ptr = index(myhandle, *SEP_STR))) { - free(myhandle); - Tcl_ResetResult(interp); - Tcl_AppendResult(interp, "malformatted handle \"", handle, - "\"", 0); - return 0; - } - - *id_ptr = '\0'; - - if (! (table = get_hash_table(interp, myhandle))) { - free(myhandle); - return 0; - } - - free(myhandle); - - if (! (entry = Tcl_FindHashEntry(table, handle))) { - Tcl_ResetResult(interp); - Tcl_AppendResult(interp, "no object corresponding to handle \"", - handle, "\"", 0); - return 0; - } - - return(Tcl_GetHashValue(entry)); + char *myhandle, *id_ptr; + Tcl_HashTable *table; + Tcl_HashEntry *entry; + + if (! (myhandle = strdup(handle))) { + Tcl_SetResult(interp, memory_error, TCL_STATIC); + return 0; + } + + if (! (id_ptr = index(myhandle, *SEP_STR))) { + free(myhandle); + Tcl_ResetResult(interp); + Tcl_AppendResult(interp, "malformatted handle \"", handle, + "\"", 0); + return 0; + } + + *id_ptr = '\0'; + + if (! (table = get_hash_table(interp, myhandle))) { + free(myhandle); + return 0; + } + + free(myhandle); + + if (! (entry = Tcl_FindHashEntry(table, handle))) { + Tcl_ResetResult(interp); + Tcl_AppendResult(interp, "no object corresponding to handle \"", + handle, "\"", 0); + return 0; + } + + return(Tcl_GetHashValue(entry)); } - diff --git a/src/kadmin/testing/util/test.c b/src/kadmin/testing/util/test.c index 7f93eb460..37e49d680 100644 --- a/src/kadmin/testing/util/test.c +++ b/src/kadmin/testing/util/test.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "autoconf.h" #if HAVE_TCL_H #include @@ -11,11 +12,11 @@ #if _TCL_MAIN int main(argc, argv) - int argc; /* Number of command-line arguments. */ - char **argv; /* Values of command-line arguments. */ + int argc; /* Number of command-line arguments. */ + char **argv; /* Values of command-line arguments. */ { Tcl_Main(argc, argv, Tcl_AppInit); - return 0; /* Needed only to prevent compiler warning. */ + return 0; /* Needed only to prevent compiler warning. */ } #else /* @@ -31,7 +32,7 @@ int *tclDummyMainPtr = (int *) main; int Tcl_AppInit(Tcl_Interp *interp) { - Tcl_kadm5_init(interp); + Tcl_kadm5_init(interp); - return(TCL_OK); + return(TCL_OK); } diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c index 36786457f..3885b4ee4 100644 --- a/src/kdc/dispatch.c +++ b/src/kdc/dispatch.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/dispatch.c * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Dispatch an incoming packet. */ @@ -44,68 +45,68 @@ dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response) krb5_error_code retval; krb5_kdc_req *as_req; krb5_int32 now, now_usec; - + /* decode incoming packet, and dispatch */ #ifndef NOCACHE /* try the replay lookaside buffer */ if (kdc_check_lookaside(pkt, response)) { - /* a hit! */ - const char *name = 0; - char buf[46]; + /* a hit! */ + const char *name = 0; + char buf[46]; - name = inet_ntop (ADDRTYPE2FAMILY (from->address->addrtype), - from->address->contents, buf, sizeof (buf)); - if (name == 0) - name = "[unknown address type]"; - krb5_klog_syslog(LOG_INFO, - "DISPATCH: repeated (retransmitted?) request from %s, resending previous response", - name); - return 0; + name = inet_ntop (ADDRTYPE2FAMILY (from->address->addrtype), + from->address->contents, buf, sizeof (buf)); + if (name == 0) + name = "[unknown address type]"; + krb5_klog_syslog(LOG_INFO, + "DISPATCH: repeated (retransmitted?) request from %s, resending previous response", + name); + return 0; } #endif retval = krb5_crypto_us_timeofday(&now, &now_usec); if (retval == 0) { - krb5_int32 usec_difference = now_usec-last_usec; - krb5_data data; - if(last_os_random == 0) - last_os_random = now; - /* Grab random data from OS every hour*/ - if(now-last_os_random >= 60*60) { - krb5_c_random_os_entropy(kdc_context, 0, NULL); - last_os_random = now; - } - - data.length = sizeof(krb5_int32); - data.data = (void *) &usec_difference; - - krb5_c_random_add_entropy(kdc_context, - KRB5_C_RANDSOURCE_TIMING, &data); - last_usec = now_usec; + krb5_int32 usec_difference = now_usec-last_usec; + krb5_data data; + if(last_os_random == 0) + last_os_random = now; + /* Grab random data from OS every hour*/ + if(now-last_os_random >= 60*60) { + krb5_c_random_os_entropy(kdc_context, 0, NULL); + last_os_random = now; + } + + data.length = sizeof(krb5_int32); + data.data = (void *) &usec_difference; + + krb5_c_random_add_entropy(kdc_context, + KRB5_C_RANDSOURCE_TIMING, &data); + last_usec = now_usec; } /* try TGS_REQ first; they are more common! */ if (krb5_is_tgs_req(pkt)) { - retval = process_tgs_req(pkt, from, response); + retval = process_tgs_req(pkt, from, response); } else if (krb5_is_as_req(pkt)) { - if (!(retval = decode_krb5_as_req(pkt, &as_req))) { - /* - * setup_server_realm() sets up the global realm-specific data - * pointer. - * process_as_req frees the request if it is called - */ - if (!(retval = setup_server_realm(as_req->server))) { - retval = process_as_req(as_req, pkt, from, response); - } - else krb5_free_kdc_req(kdc_context, as_req); - } + if (!(retval = decode_krb5_as_req(pkt, &as_req))) { + /* + * setup_server_realm() sets up the global realm-specific data + * pointer. + * process_as_req frees the request if it is called + */ + if (!(retval = setup_server_realm(as_req->server))) { + retval = process_as_req(as_req, pkt, from, response); + } + else krb5_free_kdc_req(kdc_context, as_req); + } } else - retval = KRB5KRB_AP_ERR_MSG_TYPE; + retval = KRB5KRB_AP_ERR_MSG_TYPE; #ifndef NOCACHE /* put the response into the lookaside buffer */ if (!retval && *response != NULL) - kdc_insert_lookaside(pkt, *response); + kdc_insert_lookaside(pkt, *response); #endif return retval; diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 1feb468be..5067ff8fd 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/do_as_req.c * @@ -9,7 +10,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -23,7 +24,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * KDC Routines to deal with AS_REQ's */ @@ -64,7 +65,7 @@ #include #ifndef hpux #include -#endif /* hpux */ +#endif /* hpux */ #endif /* HAVE_NETINET_IN_H */ #include "kdc_util.h" @@ -75,21 +76,21 @@ #if APPLE_PKINIT #define AS_REQ_DEBUG 0 -#if AS_REQ_DEBUG +#if AS_REQ_DEBUG #define asReqDebug(args...) printf(args) #else #define asReqDebug(args...) #endif #endif /* APPLE_PKINIT */ -static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *, - krb5_principal, krb5_data **, - const char *); +static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *, + krb5_principal, krb5_data **, + const char *); /*ARGSUSED*/ krb5_error_code process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - const krb5_fulladdr *from, krb5_data **response) + const krb5_fulladdr *from, krb5_data **response) { krb5_db_entry client, server; krb5_kdc_rep reply; @@ -119,11 +120,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, struct kdc_request_state *state = NULL; krb5_data encoded_req_body; krb5_keyblock *as_encrypting_key = NULL; - + #if APPLE_PKINIT - asReqDebug("process_as_req top realm %s name %s\n", - request->client->realm.data, request->client->data->data); + asReqDebug("process_as_req top realm %s name %s\n", + request->client->realm.data, request->client->data->data); #endif /* APPLE_PKINIT */ ticket_reply.enc_part.ciphertext.data = 0; @@ -138,42 +139,42 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = kdc_make_rstate(&state); if (errcode != 0) { - status = "constructing state"; - goto errout; + status = "constructing state"; + goto errout; } if (fetch_asn1_field((unsigned char *) req_pkt->data, - 1, 4, &encoded_req_body) != 0) { + 1, 4, &encoded_req_body) != 0) { errcode = ASN1_BAD_ID; status = "Finding req_body"; - goto errout; + goto errout; } errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state); if (errcode) { - status = "error decoding FAST"; - goto errout; + status = "error decoding FAST"; + goto errout; } request->kdc_state = state; if (!request->client) { - status = "NULL_CLIENT"; - errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto errout; + status = "NULL_CLIENT"; + errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + goto errout; } if ((errcode = krb5_unparse_name(kdc_context, request->client, &cname))) { - status = "UNPARSING_CLIENT"; - goto errout; + status = "UNPARSING_CLIENT"; + goto errout; } limit_string(cname); if (!request->server) { - status = "NULL_SERVER"; - errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto errout; + status = "NULL_SERVER"; + errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto errout; } if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) { - status = "UNPARSING_SERVER"; - goto errout; + status = "UNPARSING_SERVER"; + goto errout; } limit_string(sname); - + /* * We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint * to the backend to return naming information in lieu @@ -185,109 +186,109 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, * always canonicalize enterprise principal names. */ if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) || - krb5_princ_type(kdc_context, - request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) { - setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE); + krb5_princ_type(kdc_context, + request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) { + setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE); } if (include_pac_p(kdc_context, request)) { - setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC); + setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC); } c_nprincs = 1; if ((errcode = krb5_db_get_principal_ext(kdc_context, request->client, - c_flags, &client, &c_nprincs, - &more))) { - status = "LOOKING_UP_CLIENT"; - c_nprincs = 0; - goto errout; + c_flags, &client, &c_nprincs, + &more))) { + status = "LOOKING_UP_CLIENT"; + c_nprincs = 0; + goto errout; } if (more) { - status = "NON-UNIQUE_CLIENT"; - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto errout; + status = "NON-UNIQUE_CLIENT"; + errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; + goto errout; } else if (c_nprincs != 1) { - status = "CLIENT_NOT_FOUND"; - if (vague_errors) - errcode = KRB5KRB_ERR_GENERIC; - else - errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto errout; - } - + status = "CLIENT_NOT_FOUND"; + if (vague_errors) + errcode = KRB5KRB_ERR_GENERIC; + else + errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + goto errout; + } + /* * If the backend returned a principal that is not in the local * realm, then we need to refer the client to that realm. */ if (!is_local_principal(client.princ)) { - /* Entry is a referral to another realm */ - status = "REFERRAL"; - errcode = KRB5KDC_ERR_WRONG_REALM; - goto errout; + /* Entry is a referral to another realm */ + status = "REFERRAL"; + errcode = KRB5KDC_ERR_WRONG_REALM; + goto errout; } -#if 0 +#if 0 /* * Turn off canonicalization if client is marked DES only * (unless enterprise principal name was requested) */ if (isflagset(client.attributes, KRB5_KDB_NON_MS_PRINCIPAL) && - krb5_princ_type(kdc_context, - request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) { - clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE); + krb5_princ_type(kdc_context, + request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) { + clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE); } #endif - + s_flags = 0; if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) { - setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); + setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); } s_nprincs = 1; if ((errcode = krb5_db_get_principal_ext(kdc_context, request->server, - s_flags, &server, - &s_nprincs, &more))) { - status = "LOOKING_UP_SERVER"; - goto errout; + s_flags, &server, + &s_nprincs, &more))) { + status = "LOOKING_UP_SERVER"; + goto errout; } if (more) { - status = "NON-UNIQUE_SERVER"; - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto errout; + status = "NON-UNIQUE_SERVER"; + errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; + goto errout; } else if (s_nprincs != 1) { - status = "SERVER_NOT_FOUND"; - errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto errout; + status = "SERVER_NOT_FOUND"; + errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto errout; } if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) { - status = "TIMEOFDAY"; - goto errout; + status = "TIMEOFDAY"; + goto errout; } authtime = kdc_time; /* for audit_as_request() */ if ((errcode = validate_as_request(request, client, server, - kdc_time, &status, &e_data))) { - if (!status) - status = "UNKNOWN_REASON"; - errcode += ERROR_TABLE_BASE_krb5; - goto errout; + kdc_time, &status, &e_data))) { + if (!status) + status = "UNKNOWN_REASON"; + errcode += ERROR_TABLE_BASE_krb5; + goto errout; } - + /* * Select the keytype for the ticket session key. */ if ((useenctype = select_session_keytype(kdc_context, &server, - request->nktypes, - request->ktype)) == 0) { - /* unsupported ktype */ - status = "BAD_ENCRYPTION_TYPE"; - errcode = KRB5KDC_ERR_ETYPE_NOSUPP; - goto errout; + request->nktypes, + request->ktype)) == 0) { + /* unsupported ktype */ + status = "BAD_ENCRYPTION_TYPE"; + errcode = KRB5KDC_ERR_ETYPE_NOSUPP; + goto errout; } if ((errcode = krb5_c_make_random_key(kdc_context, useenctype, - &session_key))) { - status = "RANDOM_KEY_FAILED"; - goto errout; + &session_key))) { + status = "RANDOM_KEY_FAILED"; + goto errout; } /* @@ -296,11 +297,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, * aliases, nothing more). */ if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) && - krb5_is_tgs_principal(request->server) && - krb5_is_tgs_principal(server.princ)) { - ticket_reply.server = server.princ; + krb5_is_tgs_principal(request->server) && + krb5_is_tgs_principal(server.princ)) { + ticket_reply.server = server.princ; } else { - ticket_reply.server = request->server; + ticket_reply.server = request->server; } enc_tkt_reply.flags = 0; @@ -308,94 +309,94 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL); - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ + /* It should be noted that local policy may affect the */ + /* processing of any of these flags. For example, some */ + /* realms may refuse to issue renewable tickets */ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) - setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); + setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE)) - setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE); + setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE); if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE)) - setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE); + setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE); enc_tkt_reply.session = &session_key; if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) { - client_princ = *(client.princ); + client_princ = *(client.princ); } else { - client_princ = *(request->client); - /* The realm is always canonicalized */ - client_princ.realm = *(krb5_princ_realm(context, client.princ)); + client_princ = *(request->client); + /* The realm is always canonicalized */ + client_princ.realm = *(krb5_princ_realm(context, client.princ)); } enc_tkt_reply.client = &client_princ; enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */ if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) { - setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED); - setflag(enc_tkt_reply.flags, TKT_FLG_INVALID); - enc_tkt_reply.times.starttime = request->from; + setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED); + setflag(enc_tkt_reply.flags, TKT_FLG_INVALID); + enc_tkt_reply.times.starttime = request->from; } else - enc_tkt_reply.times.starttime = kdc_time; + enc_tkt_reply.times.starttime = kdc_time; kdc_get_ticket_endtime(kdc_context, - enc_tkt_reply.times.starttime, - kdc_infinity, - request->till, - &client, - &server, - &enc_tkt_reply.times.endtime); + enc_tkt_reply.times.starttime, + kdc_infinity, + request->till, + &client, + &server, + &enc_tkt_reply.times.endtime); if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && - !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) && - (enc_tkt_reply.times.endtime < request->till)) { + !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) && + (enc_tkt_reply.times.endtime < request->till)) { - /* we set the RENEWABLE option for later processing */ + /* we set the RENEWABLE option for later processing */ - setflag(request->kdc_options, KDC_OPT_RENEWABLE); - request->rtime = request->till; + setflag(request->kdc_options, KDC_OPT_RENEWABLE); + request->rtime = request->till; } rtime = (request->rtime == 0) ? kdc_infinity : request->rtime; if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) { - /* - * XXX Should we squelch the output renew_till to be no - * earlier than the endtime of the ticket? - */ - setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE); - enc_tkt_reply.times.renew_till = - min(rtime, enc_tkt_reply.times.starttime + - min(client.max_renewable_life, - min(server.max_renewable_life, - max_renewable_life_for_realm))); + /* + * XXX Should we squelch the output renew_till to be no + * earlier than the endtime of the ticket? + */ + setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE); + enc_tkt_reply.times.renew_till = + min(rtime, enc_tkt_reply.times.starttime + + min(client.max_renewable_life, + min(server.max_renewable_life, + max_renewable_life_for_realm))); } else - enc_tkt_reply.times.renew_till = 0; /* XXX */ + enc_tkt_reply.times.renew_till = 0; /* XXX */ /* starttime is optional, and treated as authtime if not present. so we can nuke it if it matches */ if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime) - enc_tkt_reply.times.starttime = 0; + enc_tkt_reply.times.starttime = 0; enc_tkt_reply.caddrs = request->addresses; enc_tkt_reply.authorization_data = 0; - /* + /* * Check the preauthentication if it is there. */ if (request->padata) { - errcode = check_padata(kdc_context, &client, req_pkt, request, - &enc_tkt_reply, &pa_context, &e_data); - if (errcode) { - if (errcode == KRB5KDC_ERR_PREAUTH_FAILED) - get_preauth_hint_list(request, &client, &server, &e_data); - - status = "PREAUTH_FAILED"; - if (vague_errors) - errcode = KRB5KRB_ERR_GENERIC; - goto errout; - } + errcode = check_padata(kdc_context, &client, req_pkt, request, + &enc_tkt_reply, &pa_context, &e_data); + if (errcode) { + if (errcode == KRB5KDC_ERR_PREAUTH_FAILED) + get_preauth_hint_list(request, &client, &server, &e_data); + + status = "PREAUTH_FAILED"; + if (vague_errors) + errcode = KRB5KRB_ERR_GENERIC; + goto errout; + } } /* @@ -405,15 +406,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, */ status = missing_required_preauth(&client, &server, &enc_tkt_reply); if (status) { - errcode = KRB5KDC_ERR_PREAUTH_REQUIRED; - get_preauth_hint_list(request, &client, &server, &e_data); - goto errout; + errcode = KRB5KDC_ERR_PREAUTH_REQUIRED; + get_preauth_hint_list(request, &client, &server, &e_data); + goto errout; } if ((errcode = validate_forwardable(request, client, server, - kdc_time, &status))) { - errcode += ERROR_TABLE_BASE_krb5; - goto errout; + kdc_time, &status))) { + errcode += ERROR_TABLE_BASE_krb5; + goto errout; } ticket_reply.enc_part2 = &enc_tkt_reply; @@ -422,12 +423,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, * Find the server key */ if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, - -1, /* ignore keytype */ - -1, /* Ignore salttype */ - 0, /* Get highest kvno */ - &server_key))) { - status = "FINDING_SERVER_KEY"; - goto errout; + -1, /* ignore keytype */ + -1, /* Ignore salttype */ + 0, /* Get highest kvno */ + &server_key))) { + status = "FINDING_SERVER_KEY"; + goto errout; } if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, @@ -451,33 +452,33 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* convert server.key into a real key (it may be encrypted in the database) */ - if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, - /* server_keyblock is later used to generate auth data signatures */ - server_key, &server_keyblock, - NULL))) { - status = "DECRYPT_SERVER_KEY"; - goto errout; - } - + if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, + /* server_keyblock is later used to generate auth data signatures */ + server_key, &server_keyblock, + NULL))) { + status = "DECRYPT_SERVER_KEY"; + goto errout; + } + /* * Find the appropriate client key. We search in the order specified * by request keytype list. */ client_key = (krb5_key_data *) NULL; for (i = 0; i < request->nktypes; i++) { - useenctype = request->ktype[i]; - if (!krb5_c_valid_enctype(useenctype)) - continue; + useenctype = request->ktype[i]; + if (!krb5_c_valid_enctype(useenctype)) + continue; - if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1, - 0, &client_key)) - break; + if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1, + 0, &client_key)) + break; } if (!(client_key)) { - /* Cannot find an appropriate key */ - status = "CANT_FIND_CLIENT_KEY"; - errcode = KRB5KDC_ERR_ETYPE_NOSUPP; - goto errout; + /* Cannot find an appropriate key */ + status = "CANT_FIND_CLIENT_KEY"; + errcode = KRB5KDC_ERR_ETYPE_NOSUPP; + goto errout; } if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client, @@ -500,11 +501,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } /* convert client.key_data into a real key */ - if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, - client_key, &client_keyblock, - NULL))) { - status = "DECRYPT_CLIENT_KEY"; - goto errout; + if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, + client_key, &client_keyblock, + NULL))) { + status = "DECRYPT_CLIENT_KEY"; + goto errout; } client_keyblock.enctype = useenctype; @@ -514,8 +515,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, reply.ticket = &ticket_reply; reply_encpart.session = &session_key; if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) { - status = "FETCH_LAST_REQ"; - goto errout; + status = "FETCH_LAST_REQ"; + goto errout; } reply_encpart.nonce = request->nonce; reply_encpart.key_exp = client.expiration; @@ -533,54 +534,54 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* Fetch the padata info to be returned (do this before authdata to handle possible replacement of reply key */ errcode = return_padata(kdc_context, &client, req_pkt, request, - &reply, client_key, &client_keyblock, &pa_context); + &reply, client_key, &client_keyblock, &pa_context); if (errcode) { - status = "KDC_RETURN_PADATA"; - goto errout; + status = "KDC_RETURN_PADATA"; + goto errout; } #if APPLE_PKINIT - asReqDebug("process_as_req reply realm %s name %s\n", - reply.client->realm.data, reply.client->data->data); + asReqDebug("process_as_req reply realm %s name %s\n", + reply.client->realm.data, reply.client->data->data); #endif /* APPLE_PKINIT */ errcode = return_svr_referral_data(kdc_context, - &server, &reply_encpart); + &server, &reply_encpart); if (errcode) { - status = "KDC_RETURN_ENC_PADATA"; - goto errout; + status = "KDC_RETURN_ENC_PADATA"; + goto errout; } - + errcode = handle_authdata(kdc_context, - c_flags, - &client, - &server, - &server, - &client_keyblock, - &server_keyblock, - &server_keyblock, - req_pkt, - request, - NULL, /* for_user_princ */ - NULL, /* enc_tkt_request */ - &enc_tkt_reply); + c_flags, + &client, + &server, + &server, + &client_keyblock, + &server_keyblock, + &server_keyblock, + req_pkt, + request, + NULL, /* for_user_princ */ + NULL, /* enc_tkt_request */ + &enc_tkt_reply); if (errcode) { - krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode); - status = "HANDLE_AUTHDATA"; - goto errout; + krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode); + status = "HANDLE_AUTHDATA"; + goto errout; } errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply); if (errcode) { - status = "ENCRYPTING_TICKET"; - goto errout; + status = "ENCRYPTING_TICKET"; + goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype); if (errcode) { - status = "fast response handling"; - goto errout; + status = "fast response handling"; + goto errout; } /* now encode/encrypt the response */ @@ -589,24 +590,24 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key); if (errcode) { - status = "generating reply key"; - goto errout; + status = "generating reply key"; + goto errout; } - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, - 0, as_encrypting_key, &reply, response); + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, + 0, as_encrypting_key, &reply, response); reply.enc_part.kvno = client_key->key_data_kvno; if (errcode) { - status = "ENCODE_KDC_REP"; - goto errout; + status = "ENCODE_KDC_REP"; + goto errout; } - + /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we can use them in raw form if needed. But, we don't... */ memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); free(reply.enc_part.ciphertext.data); log_as_req(from, request, &reply, &client, cname, &server, sname, - authtime, 0, 0, 0); + authtime, 0, 0, 0); did_log = 1; goto egress; @@ -617,56 +618,56 @@ errout: egress: if (pa_context) - free_padata_context(kdc_context, &pa_context); + free_padata_context(kdc_context, &pa_context); if (as_encrypting_key) - krb5_free_keyblock(kdc_context, as_encrypting_key); + krb5_free_keyblock(kdc_context, as_encrypting_key); if (errcode) - emsg = krb5_get_error_message(kdc_context, errcode); + emsg = krb5_get_error_message(kdc_context, errcode); if (status) { - log_as_req(from, request, &reply, &client, cname, &server, sname, - authtime, status, errcode, emsg); - did_log = 1; + log_as_req(from, request, &reply, &client, cname, &server, sname, + authtime, status, errcode, emsg); + did_log = 1; } if (errcode) { - if (status == 0) { - status = emsg; - } - errcode -= ERROR_TABLE_BASE_krb5; - if (errcode < 0 || errcode > 128) - errcode = KRB_ERR_GENERIC; - - errcode = prepare_error_as(state, request, errcode, &e_data, - c_nprincs ? client.princ : NULL, - response, status); - status = 0; + if (status == 0) { + status = emsg; + } + errcode -= ERROR_TABLE_BASE_krb5; + if (errcode < 0 || errcode > 128) + errcode = KRB_ERR_GENERIC; + + errcode = prepare_error_as(state, request, errcode, &e_data, + c_nprincs ? client.princ : NULL, + response, status); + status = 0; } if (emsg) - krb5_free_error_message(kdc_context, emsg); + krb5_free_error_message(kdc_context, emsg); if (enc_tkt_reply.authorization_data != NULL) - krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data); + krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data); if (server_keyblock.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &server_keyblock); + krb5_free_keyblock_contents(kdc_context, &server_keyblock); if (client_keyblock.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &client_keyblock); + krb5_free_keyblock_contents(kdc_context, &client_keyblock); if (reply.padata != NULL) - krb5_free_pa_data(kdc_context, reply.padata); + krb5_free_pa_data(kdc_context, reply.padata); if (cname != NULL) - free(cname); + free(cname); if (sname != NULL) - free(sname); + free(sname); if (c_nprincs) - krb5_db_free_principal(kdc_context, &client, c_nprincs); + krb5_db_free_principal(kdc_context, &client, c_nprincs); if (s_nprincs) - krb5_db_free_principal(kdc_context, &server, s_nprincs); + krb5_db_free_principal(kdc_context, &server, s_nprincs); if (session_key.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &session_key); + krb5_free_keyblock_contents(kdc_context, &session_key); if (ticket_reply.enc_part.ciphertext.data != NULL) { - memset(ticket_reply.enc_part.ciphertext.data , 0, - ticket_reply.enc_part.ciphertext.length); - free(ticket_reply.enc_part.ciphertext.data); + memset(ticket_reply.enc_part.ciphertext.data , 0, + ticket_reply.enc_part.ciphertext.length); + free(ticket_reply.enc_part.ciphertext.data); } krb5_free_data_contents(kdc_context, &e_data); @@ -679,8 +680,8 @@ egress: static krb5_error_code prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data, - krb5_principal canon_client, krb5_data **response, - const char *status) + krb5_principal canon_client, krb5_data **response, + const char *status) { krb5_error errpkt; krb5_error_code retval; @@ -688,66 +689,66 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int e krb5_pa_data **pa = NULL; krb5_typed_data **td = NULL; size_t size; - + errpkt.ctime = request->nonce; errpkt.cusec = 0; if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime, - &errpkt.susec))) - return(retval); + &errpkt.susec))) + return(retval); errpkt.error = error; errpkt.server = request->server; if (error == KRB5KDC_ERR_WRONG_REALM) - errpkt.client = canon_client; + errpkt.client = canon_client; else - errpkt.client = request->client; + errpkt.client = request->client; errpkt.text.length = strlen(status) + 1; if (!(errpkt.text.data = strdup(status))) - return ENOMEM; + return ENOMEM; if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) { - free(errpkt.text.data); - return ENOMEM; + free(errpkt.text.data); + return ENOMEM; } if (e_data != NULL&& e_data->data != NULL) { - errpkt.e_data = *e_data; + errpkt.e_data = *e_data; } else { - errpkt.e_data.length = 0; - errpkt.e_data.data = NULL; + errpkt.e_data.length = 0; + errpkt.e_data.data = NULL; } /*We need to try and produce a padata sequence for FAST*/ retval = decode_krb5_padata_sequence(e_data, &pa); if (retval != 0) { - retval = decode_krb5_typed_data(e_data, &td); - if (retval == 0) { - for (size =0; td[size]; size++); - pa = calloc(size+1, sizeof(*pa)); - if (pa == NULL) - retval = ENOMEM; - else for (size = 0; td[size]; size++) { - krb5_pa_data *pad = malloc(sizeof(krb5_pa_data )); - if (pad == NULL) { - retval = ENOMEM; - break; - } - pad->pa_type = td[size]->type; - pad->contents = td[size]->data; - pad->length = td[size]->length; - pa[size] = pad; - } - krb5_free_typed_data(kdc_context, td); - } + retval = decode_krb5_typed_data(e_data, &td); + if (retval == 0) { + for (size =0; td[size]; size++); + pa = calloc(size+1, sizeof(*pa)); + if (pa == NULL) + retval = ENOMEM; + else for (size = 0; td[size]; size++) { + krb5_pa_data *pad = malloc(sizeof(krb5_pa_data )); + if (pad == NULL) { + retval = ENOMEM; + break; + } + pad->pa_type = td[size]->type; + pad->contents = td[size]->data; + pad->length = td[size]->length; + pa[size] = pad; + } + krb5_free_typed_data(kdc_context, td); + } } retval = kdc_fast_handle_error(kdc_context, rstate, - request, pa, &errpkt); + request, pa, &errpkt); if (retval == 0) - retval = krb5_mk_error(kdc_context, &errpkt, scratch); + retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) - free(scratch); - else - *response = scratch; + free(scratch); + else + *response = scratch; krb5_free_pa_data(kdc_context, pa); return retval; } diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 103a29fb1..24e32df44 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/do_tgs_req.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * KDC Routines to deal with TGS_REQ's */ @@ -71,11 +72,11 @@ #include "adm_proto.h" #include -static void +static void find_alternate_tgs(krb5_kdc_req *,krb5_db_entry *, krb5_boolean *,int *); -static krb5_error_code +static krb5_error_code prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int, krb5_principal,krb5_data **,const char *, krb5_data *); @@ -152,7 +153,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, &krbtgt, &k_nprincs, &tgskey, &subkey, &pa_tgs_req); if (header_ticket && header_ticket->enc_part2 && - (errcode2 = krb5_unparse_name(kdc_context, + (errcode2 = krb5_unparse_name(kdc_context, header_ticket->enc_part2->client, &cname))) { status = "UNPARSING CLIENT"; @@ -160,7 +161,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, goto cleanup; } limit_string(cname); - + if (errcode) { status = "PROCESS_TGS"; goto cleanup; @@ -173,18 +174,18 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, } errcode = kdc_make_rstate(&state); if (errcode !=0) { - status = "making state"; - goto cleanup; + status = "making state"; + goto cleanup; } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state); if (errcode !=0) { - status = "kdc_find_fast"; - goto cleanup; + status = "kdc_find_fast"; + goto cleanup; } - - + + /* * Pointer to the encrypted part of the header ticket, which may be * replaced to point to the encrypted part of the evidence ticket @@ -192,7 +193,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, * special cases for constrained delegation. */ header_enc_tkt = header_ticket->enc_part2; - + /* * We've already dealt with the AP_REQ authentication, so we can * use header_ticket freely. The encrypted part (if any) has been @@ -240,8 +241,8 @@ tgt_again: if (firstpass ) { if ( krb5_is_tgs_principal(request->server) == TRUE) { /* Principal is a name of krb ticket service */ - if (krb5_princ_size(kdc_context, request->server) == 2) { - + if (krb5_princ_size(kdc_context, request->server) == 2) { + server_1 = krb5_princ_component(kdc_context, request->server, 1); tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1); @@ -251,7 +252,7 @@ tgt_again: firstpass = 0; goto tgt_again; } - } + } krb5_db_free_principal(kdc_context, &server, nprincs); status = "UNKNOWN_SERVER"; errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; @@ -264,7 +265,7 @@ tgt_again: retval = krb5_copy_principal(kdc_context, krbtgt_princ, &(request->server)); if (!retval) { db_ref_done = TRUE; - if (sname != NULL) + if (sname != NULL) free(sname); goto ref_tgt_again; } @@ -282,11 +283,11 @@ tgt_again: status = "TIME_OF_DAY"; goto cleanup; } - + if ((retval = validate_tgs_request(request, server, header_ticket, kdc_time, &status, &e_data))) { - if (!status) - status = "UNKNOWN_REASON"; + if (!status) + status = "UNKNOWN_REASON"; errcode = retval + ERROR_TABLE_BASE_krb5; goto cleanup; } @@ -299,16 +300,16 @@ tgt_again: /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, - request, - header_enc_tkt->client, + request, + header_enc_tkt->client, &server, - subkey, - header_enc_tkt->session, - kdc_time, + subkey, + header_enc_tkt->session, + kdc_time, &s4u_x509_user, - &client, - &c_nprincs, - &status); + &client, + &c_nprincs, + &status); if (errcode) goto cleanup; if (s4u_x509_user != NULL) @@ -316,7 +317,7 @@ tgt_again: /* * We pick the session keytype here.... - * + * * Some special care needs to be taken in the user-to-user * case, since we don't know what keytypes the application server * which is doing user-to-user authentication can support. We @@ -327,7 +328,7 @@ tgt_again: */ useenctype = 0; if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY | - KDC_OPT_CNAME_IN_ADDL_TKT)) { + KDC_OPT_CNAME_IN_ADDL_TKT)) { krb5_keyblock * st_sealing_key; krb5_kvno st_srv_kvno; krb5_enctype etype; @@ -348,14 +349,14 @@ tgt_again: goto cleanup; } errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key, - request->second_ticket[st_idx]); + request->second_ticket[st_idx]); krb5_free_keyblock(kdc_context, st_sealing_key); if (errcode) { status = "2ND_TKT_DECRYPT"; krb5_db_free_principal(kdc_context, &st_client, st_nprincs); goto cleanup; } - + etype = request->second_ticket[st_idx]->enc_part2->session->enctype; if (!krb5_c_valid_enctype(etype)) { status = "BAD_ETYPE_IN_2ND_TKT"; @@ -363,7 +364,7 @@ tgt_again: krb5_db_free_principal(kdc_context, &st_client, st_nprincs); goto cleanup; } - + for (i = 0; i < request->nktypes; i++) { if (request->ktype[i] == etype) { useenctype = etype; @@ -386,7 +387,7 @@ tgt_again: setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION); assert(krb5_is_tgs_principal(header_ticket->server)); - + /* From now on, use evidence ticket as header ticket */ header_enc_tkt = request->second_ticket[st_idx]->enc_part2; @@ -405,14 +406,14 @@ tgt_again: */ if ((useenctype == 0) && (useenctype = select_session_keytype(kdc_context, &server, - request->nktypes, - request->ktype)) == 0) { + request->nktypes, + request->ktype)) == 0) { /* unsupported ktype */ status = "BAD_ENCRYPTION_TYPE"; errcode = KRB5KDC_ERR_ETYPE_NOSUPP; goto cleanup; } - + errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key); if (errcode) { @@ -478,7 +479,7 @@ tgt_again: * S4U2Self in order for forwardable tickets to be returned. */ else if (!is_referral && - !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) + !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); } } @@ -490,7 +491,7 @@ tgt_again: enc_tkt_reply.caddrs = request->addresses; reply_encpart.caddrs = request->addresses; - } + } if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED)) setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED); @@ -544,13 +545,13 @@ tgt_again: /* not a renew request */ enc_tkt_reply.times.starttime = kdc_time; - kdc_get_ticket_endtime(kdc_context, - enc_tkt_reply.times.starttime, - header_enc_tkt->times.endtime, - request->till, - &client, - &server, - &enc_tkt_reply.times.endtime); + kdc_get_ticket_endtime(kdc_context, + enc_tkt_reply.times.starttime, + header_enc_tkt->times.endtime, + request->till, + &client, + &server, + &enc_tkt_reply.times.endtime); if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && (enc_tkt_reply.times.endtime < request->till) && @@ -558,7 +559,7 @@ tgt_again: setflag(request->kdc_options, KDC_OPT_RENEWABLE); request->rtime = min(request->till, header_enc_tkt->times.renew_till); - } + } } rtime = (request->rtime == 0) ? kdc_infinity : request->rtime; @@ -567,20 +568,20 @@ tgt_again: renewable ticket using a non-renewable ticket */ setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE); enc_tkt_reply.times.renew_till = - min(rtime, - min(header_enc_tkt->times.renew_till, - enc_tkt_reply.times.starttime + - min(server.max_renewable_life, - max_renewable_life_for_realm))); + min(rtime, + min(header_enc_tkt->times.renew_till, + enc_tkt_reply.times.starttime + + min(server.max_renewable_life, + max_renewable_life_for_realm))); } else { enc_tkt_reply.times.renew_till = 0; } - + /* * Set authtime to be the same as header_ticket's */ enc_tkt_reply.times.authtime = header_enc_tkt->times.authtime; - + /* * Propagate the preauthentication flags through to the returned ticket. */ @@ -589,7 +590,7 @@ tgt_again: if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH)) setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH); - + /* starttime is optional, and treated as authtime if not present. so we can nuke it if it matches */ if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime) @@ -615,7 +616,7 @@ tgt_again: * Find the server key */ if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, - -1, /* ignore keytype */ + -1, /* ignore keytype */ -1, /* Ignore salttype */ 0,/* Get highest kvno */ &server_key))) { @@ -646,7 +647,7 @@ tgt_again: /* convert server.key into a real key (it may be encrypted * in the database) */ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, - mkey_ptr, + mkey_ptr, server_key, &encrypting_key, NULL))) { status = "DECRYPT_SERVER_KEY"; @@ -727,7 +728,7 @@ tgt_again: pkt, request, s4u_x509_user ? - s4u_x509_user->user_id.user : NULL, + s4u_x509_user->user_id.user : NULL, header_enc_tkt, &enc_tkt_reply); if (errcode) { @@ -746,7 +747,7 @@ tgt_again: } /* - * Only add the realm of the presented tgt to the transited list if + * Only add the realm of the presented tgt to the transited list if * it is different than the local realm (cross-realm) and it is different * than the realm of the client (since the realm of the client is already * implicitly part of the transited list and should not be explicitly @@ -774,20 +775,20 @@ tgt_again: enc_tkt_transited.tr_contents.length = 0; enc_tkt_reply.transited = enc_tkt_transited; if ((errcode = - add_to_transited(&header_enc_tkt->transited.tr_contents, - &enc_tkt_reply.transited.tr_contents, - header_ticket->server, - enc_tkt_reply.client, - request->server))) { - status = "ADD_TR_FAIL"; - goto cleanup; + add_to_transited(&header_enc_tkt->transited.tr_contents, + &enc_tkt_reply.transited.tr_contents, + header_ticket->server, + enc_tkt_reply.client, + request->server))) { + status = "ADD_TR_FAIL"; + goto cleanup; } newtransited = 1; } if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) { errcode = validate_transit_path(kdc_context, header_enc_tkt->client, - &server, - (k_nprincs != 0) ? &krbtgt : NULL); + &server, + (k_nprincs != 0) ? &krbtgt : NULL); if (errcode) { status = "NON_TRANSITIVE"; goto cleanup; @@ -863,7 +864,7 @@ tgt_again: status = "2ND_TKT_MISMATCH"; goto cleanup; } - + ticket_kvno = 0; ticket_reply.enc_part.enctype = t2enc->session->enctype; st_idx++; @@ -872,7 +873,7 @@ tgt_again: } errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, - &ticket_reply); + &ticket_reply); if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) krb5_free_keyblock_contents(kdc_context, &encrypting_key); if (errcode) { @@ -921,27 +922,27 @@ tgt_again: reply_encpart.key_exp = 0;/* ditto */ reply_encpart.flags = enc_tkt_reply.flags; reply_encpart.server = ticket_reply.server; - + /* use the session key in the ticket, unless there's a subsession key in the AP_REQ */ reply.enc_part.enctype = subkey ? subkey->enctype : - header_ticket->enc_part2->session->enctype; + header_ticket->enc_part2->session->enctype; errcode = kdc_fast_response_handle_padata(state, request, &reply, - subkey?subkey->enctype:header_ticket->enc_part2->session->enctype); + subkey?subkey->enctype:header_ticket->enc_part2->session->enctype); if (errcode !=0 ) { - status = "Preparing FAST padata"; - goto cleanup; + status = "Preparing FAST padata"; + goto cleanup; } errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); if (errcode) { - status = "generating reply key"; - goto cleanup; + status = "generating reply key"; + goto cleanup; } - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, - subkey ? 1 : 0, - reply_key, - &reply, response); + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, + subkey ? 1 : 0, + reply_key, + &reply, response); if (errcode) { status = "ENCODE_KDC_REP"; } else { @@ -956,12 +957,12 @@ tgt_again: memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); free(reply.enc_part.ciphertext.data); - + cleanup: assert(status != NULL); if (reply_key) - krb5_free_keyblock(kdc_context, reply_key); - if (errcode) + krb5_free_keyblock(kdc_context, reply_key); + if (errcode) emsg = krb5_get_error_message (kdc_context, errcode); log_tgs_req(from, request, &reply, cname, sname, altcname, authtime, c_flags, s4u_name, status, errcode, emsg); @@ -979,22 +980,22 @@ cleanup: errcode -= ERROR_TABLE_BASE_krb5; if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; - + retval = prepare_error_tgs(state, request, header_ticket, errcode, - nprincs ? server.princ : NULL, - response, status, &e_data); + nprincs ? server.princ : NULL, + response, status, &e_data); if (got_err) { krb5_free_error_message (kdc_context, status); status = 0; } } - + if (header_ticket != NULL) krb5_free_ticket(kdc_context, header_ticket); if (request != NULL) krb5_free_kdc_req(kdc_context, request); if (state) - kdc_free_rstate(state); + kdc_free_rstate(state); if (cname != NULL) free(cname); if (sname != NULL) @@ -1030,10 +1031,10 @@ cleanup: static krb5_error_code prepare_error_tgs (struct kdc_request_state *state, - krb5_kdc_req *request, krb5_ticket *ticket, int error, + krb5_kdc_req *request, krb5_ticket *ticket, int error, krb5_principal canon_server, krb5_data **response, const char *status, - krb5_data *e_data) + krb5_data *e_data) { krb5_error errpkt; krb5_error_code retval = 0; @@ -1043,7 +1044,7 @@ prepare_error_tgs (struct kdc_request_state *state, errpkt.cusec = 0; if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime, - &errpkt.susec))) + &errpkt.susec))) return(retval); errpkt.error = error; errpkt.server = request->server; @@ -1054,18 +1055,18 @@ prepare_error_tgs (struct kdc_request_state *state, errpkt.text.length = strlen(status) + 1; if (!(errpkt.text.data = strdup(status))) return ENOMEM; - + if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) { free(errpkt.text.data); return ENOMEM; } errpkt.e_data = *e_data; if (state) - retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); + retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); if (retval) { - free(scratch); - free(errpkt.text.data); - return retval; + free(scratch); + free(errpkt.text.data); + return retval; } retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); @@ -1099,10 +1100,10 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, * somewhere that has already checked the number of components in * the principal. */ - if ((retval = krb5_walk_realm_tree(kdc_context, - krb5_princ_realm(kdc_context, request->server), - krb5_princ_component(kdc_context, request->server, 1), - &plist, KRB5_REALM_BRANCH_CHAR))) + if ((retval = krb5_walk_realm_tree(kdc_context, + krb5_princ_realm(kdc_context, request->server), + krb5_princ_component(kdc_context, request->server, 1), + &plist, KRB5_REALM_BRANCH_CHAR))) return; /* move to the end */ @@ -1113,8 +1114,8 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, while (--pl2 > plist) { *nprincs = 1; tmp = *krb5_princ_realm(kdc_context, *pl2); - krb5_princ_set_realm(kdc_context, *pl2, - krb5_princ_realm(kdc_context, tgs_server)); + krb5_princ_set_realm(kdc_context, *pl2, + krb5_princ_realm(kdc_context, tgs_server)); retval = get_principal(kdc_context, *pl2, server, nprincs, more); krb5_princ_set_realm(kdc_context, *pl2, &tmp); if (retval) { @@ -1131,12 +1132,12 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, krb5_principal tmpprinc; tmp = *krb5_princ_realm(kdc_context, *pl2); - krb5_princ_set_realm(kdc_context, *pl2, - krb5_princ_realm(kdc_context, tgs_server)); + krb5_princ_set_realm(kdc_context, *pl2, + krb5_princ_realm(kdc_context, tgs_server)); if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) { - krb5_db_free_principal(kdc_context, server, *nprincs); - krb5_princ_set_realm(kdc_context, *pl2, &tmp); - continue; + krb5_db_free_principal(kdc_context, server, *nprincs); + krb5_princ_set_realm(kdc_context, *pl2, &tmp); + continue; } krb5_princ_set_realm(kdc_context, *pl2, &tmp); @@ -1157,54 +1158,54 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, } static krb5_int32 -prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) +prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) { krb5_error_code retval = KRB5KRB_AP_ERR_BADMATCH; char **realms, **cpp, *temp_buf=NULL; - krb5_data *comp1 = NULL, *comp2 = NULL; - char *comp1_str = NULL; + krb5_data *comp1 = NULL, *comp2 = NULL; + char *comp1_str = NULL; /* By now we know that server principal name is unknown. - * If CANONICALIZE flag is set in the request - * If req is not U2U authn. req - * the requested server princ. has exactly two components - * either - * the name type is NT-SRV-HST - * or name type is NT-UNKNOWN and - * the 1st component is listed in conf file under host_based_services - * the 1st component is not in a list in conf under "no_host_referral" - * the 2d component looks like fully-qualified domain name (FQDN) - * If all of these conditions are satisfied - try mapping the FQDN and + * If CANONICALIZE flag is set in the request + * If req is not U2U authn. req + * the requested server princ. has exactly two components + * either + * the name type is NT-SRV-HST + * or name type is NT-UNKNOWN and + * the 1st component is listed in conf file under host_based_services + * the 1st component is not in a list in conf under "no_host_referral" + * the 2d component looks like fully-qualified domain name (FQDN) + * If all of these conditions are satisfied - try mapping the FQDN and * re-process the request as if client had asked for cross-realm TGT. */ - if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) && - !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) && - krb5_princ_size(kdc_context, request->server) == 2) { + if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) && + !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) && + krb5_princ_size(kdc_context, request->server) == 2) { comp1 = krb5_princ_component(kdc_context, request->server, 0); comp2 = krb5_princ_component(kdc_context, request->server, 1); comp1_str = calloc(1,comp1->length+1); if (!comp1_str) { - retval = ENOMEM; - goto cleanup; - } + retval = ENOMEM; + goto cleanup; + } strlcpy(comp1_str,comp1->data,comp1->length+1); - if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || - (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && - kdc_active_realm->realm_host_based_services != NULL && - (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE || - krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) && - (kdc_active_realm->realm_no_host_referral == NULL || - (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE && - krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) { - - if (memchr(comp2->data, '.', comp2->length) == NULL) - goto cleanup; + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || + (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && + kdc_active_realm->realm_host_based_services != NULL && + (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE || + krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) && + (kdc_active_realm->realm_no_host_referral == NULL || + (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE && + krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) { + + if (memchr(comp2->data, '.', comp2->length) == NULL) + goto cleanup; temp_buf = calloc(1, comp2->length+1); if (!temp_buf){ - retval = ENOMEM; + retval = ENOMEM; goto cleanup; } strlcpy(temp_buf, comp2->data,comp2->length+1); @@ -1224,21 +1225,19 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; } - /* Modify request. - * Construct cross-realm tgt : krbtgt/REMOTE_REALM@LOCAL_REALM - * and use it as a principal in this req. + /* Modify request. + * Construct cross-realm tgt : krbtgt/REMOTE_REALM@LOCAL_REALM + * and use it as a principal in this req. */ - retval = krb5_build_principal(kdc_context, krbtgt_princ, - (*request->server).realm.length, - (*request->server).realm.data, + retval = krb5_build_principal(kdc_context, krbtgt_princ, + (*request->server).realm.length, + (*request->server).realm.data, "krbtgt", realms[0], (char *)0); - for (cpp = realms; *cpp; cpp++) - free(*cpp); + for (cpp = realms; *cpp; cpp++) + free(*cpp); } } cleanup: free(comp1_str); return retval; } - - diff --git a/src/kdc/extern.c b/src/kdc/extern.c index 7ebc7bb3a..763adf57d 100644 --- a/src/kdc/extern.c +++ b/src/kdc/extern.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/extern.c * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * allocations of extern stuff */ @@ -31,14 +32,14 @@ #include "extern.h" /* real declarations of KDC's externs */ -kdc_realm_t **kdc_realmlist = (kdc_realm_t **) NULL; -int kdc_numrealms = 0; -kdc_realm_t *kdc_active_realm = (kdc_realm_t *) NULL; +kdc_realm_t **kdc_realmlist = (kdc_realm_t **) NULL; +int kdc_numrealms = 0; +kdc_realm_t *kdc_active_realm = (kdc_realm_t *) NULL; krb5_data empty_string = {0, 0, ""}; krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */ -krb5_rcache kdc_rcache = (krb5_rcache) NULL; -krb5_keyblock psr_key; -krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE; +krb5_rcache kdc_rcache = (krb5_rcache) NULL; +krb5_keyblock psr_key; +krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE; -volatile int signal_requests_exit = 0; /* gets set when signal hits */ +volatile int signal_requests_exit = 0; /* gets set when signal hits */ volatile int signal_requests_hup = 0; /* ditto */ diff --git a/src/kdc/extern.h b/src/kdc/extern.h index 079f0e47f..af5b3086c 100644 --- a/src/kdc/extern.h +++ b/src/kdc/extern.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/extern.h * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * <<< Description >>> */ @@ -33,52 +34,52 @@ typedef struct __kdc_realm_data { /* * General Kerberos per-realm data. */ - char * realm_name; /* Realm name */ -/* XXX the real context should go away once the db_context is done. - * The db_context is then associated with the realm keytab using - * krb5_ktkdb_resolv(). There should be nothing in the context which + char * realm_name; /* Realm name */ +/* XXX the real context should go away once the db_context is done. + * The db_context is then associated with the realm keytab using + * krb5_ktkdb_resolv(). There should be nothing in the context which * cannot span multiple realms -- proven */ - krb5_context realm_context; /* Context to be used for realm */ - krb5_keytab realm_keytab; /* keytab to be used for this realm */ - char * realm_profile; /* Profile file for this realm */ - char * realm_host_based_services; /* do referral processing for these services + krb5_context realm_context; /* Context to be used for realm */ + krb5_keytab realm_keytab; /* keytab to be used for this realm */ + char * realm_profile; /* Profile file for this realm */ + char * realm_host_based_services; /* do referral processing for these services * If '*' - allow all referrals */ char * realm_no_host_referral; /* no referral for these services. - * If '*' - disallow all referrals and + * If '*' - disallow all referrals and * ignore realm_host_based_services */ /* * Database per-realm data. */ - char * realm_dbname; /* Database name for realm */ - char * realm_stash; /* Stash file name for realm */ - char * realm_mpname; /* Master principal name for realm */ - krb5_principal realm_mprinc; /* Master principal for realm */ + char * realm_dbname; /* Database name for realm */ + char * realm_stash; /* Stash file name for realm */ + char * realm_mpname; /* Master principal name for realm */ + krb5_principal realm_mprinc; /* Master principal for realm */ /* * Note realm_mkey is mkey read from stash or keyboard and may not be the * latest. The mkey_list will have all the mkeys in use. */ - krb5_keyblock realm_mkey; /* Master key for this realm */ - krb5_keylist_node * mkey_list; /* list of mkeys in use for this realm */ + krb5_keyblock realm_mkey; /* Master key for this realm */ + krb5_keylist_node * mkey_list; /* list of mkeys in use for this realm */ /* * TGS per-realm data. */ - krb5_principal realm_tgsprinc; /* TGS principal for this realm */ + krb5_principal realm_tgsprinc; /* TGS principal for this realm */ /* * Other per-realm data. */ - char *realm_ports; /* Per-realm KDC UDP port */ - char *realm_tcp_ports; /* Per-realm KDC TCP port */ + char *realm_ports; /* Per-realm KDC UDP port */ + char *realm_tcp_ports; /* Per-realm KDC TCP port */ /* * Per-realm parameters. */ - krb5_deltat realm_maxlife; /* Maximum ticket life for realm */ - krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */ - krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */ + krb5_deltat realm_maxlife; /* Maximum ticket life for realm */ + krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */ + krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */ } kdc_realm_t; -extern kdc_realm_t **kdc_realmlist; -extern int kdc_numrealms; -extern kdc_realm_t *kdc_active_realm; +extern kdc_realm_t **kdc_realmlist; +extern int kdc_numrealms; +extern kdc_realm_t *kdc_active_realm; kdc_realm_t *find_realm_data (char *, krb5_ui_4); @@ -87,25 +88,25 @@ kdc_realm_t *find_realm_data (char *, krb5_ui_4); * realm data. This allows us to support multiple realms with minimal logic * changes. */ -#define kdc_context kdc_active_realm->realm_context -#define max_life_for_realm kdc_active_realm->realm_maxlife -#define max_renewable_life_for_realm kdc_active_realm->realm_maxrlife -#define master_keyblock kdc_active_realm->realm_mkey -#define master_keylist kdc_active_realm->mkey_list -#define master_princ kdc_active_realm->realm_mprinc -#define tgs_server kdc_active_realm->realm_tgsprinc -#define reject_bad_transit kdc_active_realm->realm_reject_bad_transit +#define kdc_context kdc_active_realm->realm_context +#define max_life_for_realm kdc_active_realm->realm_maxlife +#define max_renewable_life_for_realm kdc_active_realm->realm_maxrlife +#define master_keyblock kdc_active_realm->realm_mkey +#define master_keylist kdc_active_realm->mkey_list +#define master_princ kdc_active_realm->realm_mprinc +#define tgs_server kdc_active_realm->realm_tgsprinc +#define reject_bad_transit kdc_active_realm->realm_reject_bad_transit /* various externs for KDC */ -extern krb5_data empty_string; /* an empty string */ -extern krb5_timestamp kdc_infinity; /* greater than all other timestamps */ -extern krb5_rcache kdc_rcache; /* replay cache */ -extern krb5_keyblock psr_key; /* key for predicted sam response */ -extern const int kdc_modifies_kdb; -extern char **db_args; -extern krb5_int32 max_dgram_reply_size; /* maximum datagram size */ +extern krb5_data empty_string; /* an empty string */ +extern krb5_timestamp kdc_infinity; /* greater than all other timestamps */ +extern krb5_rcache kdc_rcache; /* replay cache */ +extern krb5_keyblock psr_key; /* key for predicted sam response */ +extern const int kdc_modifies_kdb; +extern char **db_args; +extern krb5_int32 max_dgram_reply_size; /* maximum datagram size */ -extern const int vague_errors; +extern const int vague_errors; extern volatile int signal_requests_exit; extern volatile int signal_requests_hup; diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index f02410b96..f7a1ac43a 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/fast_util.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +23,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * */ @@ -49,49 +50,49 @@ static krb5_error_code armor_ap_request krb5_auth_context authcontext = NULL; krb5_ticket *ticket = NULL; krb5_keyblock *subkey = NULL; - + assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST); krb5_clear_error_message(kdc_context); retval = krb5_auth_con_init(kdc_context, &authcontext); if (retval == 0) - retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/ + retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/ retval = krb5_rd_req(kdc_context, &authcontext, - &armor->armor_value, NULL /*server*/, - kdc_active_realm->realm_keytab, NULL, &ticket); + &armor->armor_value, NULL /*server*/, + kdc_active_realm->realm_keytab, NULL, &ticket); if (retval !=0) { - const char * errmsg = krb5_get_error_message(kdc_context, retval); - krb5_set_error_message(kdc_context, retval, - "%s while handling ap-request armor", errmsg); - krb5_free_error_message(kdc_context, errmsg); + const char * errmsg = krb5_get_error_message(kdc_context, retval); + krb5_set_error_message(kdc_context, retval, + "%s while handling ap-request armor", errmsg); + krb5_free_error_message(kdc_context, errmsg); } if (retval == 0) { - if (!krb5_principal_compare_any_realm(kdc_context, - tgs_server, - ticket->server)) { - krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, - "ap-request armor for something other than the local TGS"); - retval = KRB5KDC_ERR_SERVER_NOMATCH; - } + if (!krb5_principal_compare_any_realm(kdc_context, + tgs_server, + ticket->server)) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, + "ap-request armor for something other than the local TGS"); + retval = KRB5KDC_ERR_SERVER_NOMATCH; + } } if (retval ==0) { - retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); - if (retval !=0 || subkey == NULL) { - krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, - "ap-request armor without subkey"); - retval = KRB5KDC_ERR_POLICY; - } + retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); + if (retval !=0 || subkey == NULL) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "ap-request armor without subkey"); + retval = KRB5KDC_ERR_POLICY; + } } - if (retval==0) - retval = krb5_c_fx_cf2_simple(kdc_context, - subkey, "subkeyarmor", - ticket->enc_part2->session, "ticketarmor", - &state->armor_key); + if (retval==0) + retval = krb5_c_fx_cf2_simple(kdc_context, + subkey, "subkeyarmor", + ticket->enc_part2->session, "ticketarmor", + &state->armor_key); if (ticket) - krb5_free_ticket(kdc_context, ticket); + krb5_free_ticket(kdc_context, ticket); if (subkey) - krb5_free_keyblock(kdc_context, subkey); + krb5_free_keyblock(kdc_context, subkey); if (authcontext) - krb5_auth_con_free(kdc_context, authcontext); + krb5_auth_con_free(kdc_context, authcontext); return retval; } @@ -104,22 +105,22 @@ static krb5_error_code encrypt_fast_reply krb5_data *encoded_response = NULL; assert(state->armor_key); retval = encode_krb5_fast_response(response, &encoded_response); - if (retval== 0) - retval = krb5_encrypt_helper(kdc_context, state->armor_key, - KRB5_KEYUSAGE_FAST_REP, - encoded_response, &encrypted_reply); + if (retval== 0) + retval = krb5_encrypt_helper(kdc_context, state->armor_key, + KRB5_KEYUSAGE_FAST_REP, + encoded_response, &encrypted_reply); if (encoded_response) - krb5_free_data(kdc_context, encoded_response); + krb5_free_data(kdc_context, encoded_response); encoded_response = NULL; if (retval == 0) { - retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply, - fx_fast_reply); - krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext); + retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply, + fx_fast_reply); + krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext); } return retval; } - + krb5_error_code kdc_find_fast (krb5_kdc_req **requestptr, krb5_data *checksummed_data, krb5_keyblock *tgs_subkey, @@ -139,115 +140,115 @@ krb5_error_code kdc_find_fast krb5_clear_error_message(kdc_context); memset(&empty_keyblock, 0, sizeof(krb5_keyblock)); fast_padata = find_pa_data(request->padata, - KRB5_PADATA_FX_FAST); + KRB5_PADATA_FX_FAST); if (fast_padata != NULL){ - scratch.length = fast_padata->length; - scratch.data = (char *) fast_padata->contents; - retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req); - if (retval == 0 &&fast_armored_req->armor) { - switch (fast_armored_req->armor->armor_type) { - case KRB5_FAST_ARMOR_AP_REQUEST: - retval = armor_ap_request(state, fast_armored_req->armor); - break; - default: - krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, - "Unknow FAST armor type %d", - fast_armored_req->armor->armor_type); - retval = KRB5KDC_ERR_PREAUTH_FAILED; - } - } - if (retval == 0 && !state->armor_key) { - if (tgs_subkey) - retval = krb5_c_fx_cf2_simple(kdc_context, - tgs_subkey, "subkeyarmor", - tgs_session, "ticketarmor", - &state->armor_key); - else { - krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, - "No armor key but FAST armored request present"); - retval = KRB5KDC_ERR_PREAUTH_FAILED; - } - } - if (retval == 0) { - krb5_data plaintext; - plaintext.length = fast_armored_req->enc_part.ciphertext.length; - plaintext.data = malloc(plaintext.length); - if (plaintext.data == NULL) - retval = ENOMEM; - retval = krb5_c_decrypt(kdc_context, - state->armor_key, - KRB5_KEYUSAGE_FAST_ENC, NULL, - &fast_armored_req->enc_part, - &plaintext); - if (retval == 0) - retval = decode_krb5_fast_req(&plaintext, &fast_req); - if (plaintext.data) - free(plaintext.data); - } - if (retval == 0) - retval = krb5_c_verify_checksum(kdc_context, state->armor_key, - KRB5_KEYUSAGE_FAST_REQ_CHKSUM, - checksummed_data, &fast_armored_req->req_checksum, - &cksum_valid); - if (retval == 0 && !cksum_valid) { - retval = KRB5KRB_AP_ERR_MODIFIED; - krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, - "FAST req_checksum invalid; request modified"); - } - if (retval == 0) { - krb5_error_code ret; - /* We need to confirm that a keyed checksum is used for the - * fast_req checksum. In April 2009, the best way to do this is - * to try verifying the checksum with a keyblock with an zero - * length; if it succeeds, then an unkeyed checksum is used.*/ - ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, - KRB5_KEYUSAGE_FAST_REQ_CHKSUM, - checksummed_data, &fast_armored_req->req_checksum, - &cksum_valid); - if (ret == 0) { - retval = KRB5KDC_ERR_POLICY; - krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, - "Unkeyed checksum used in fast_req"); - } - } - if (retval == 0) { - if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) - retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; - } - if (retval == 0) - cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE); - if (retval == 0) { - state->fast_options = fast_req->fast_options; - if (request->kdc_state == state) - request->kdc_state = NULL; - krb5_free_kdc_req( kdc_context, request); - *requestptr = fast_req->req_body; - fast_req->req_body = NULL; - - } + scratch.length = fast_padata->length; + scratch.data = (char *) fast_padata->contents; + retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req); + if (retval == 0 &&fast_armored_req->armor) { + switch (fast_armored_req->armor->armor_type) { + case KRB5_FAST_ARMOR_AP_REQUEST: + retval = armor_ap_request(state, fast_armored_req->armor); + break; + default: + krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, + "Unknow FAST armor type %d", + fast_armored_req->armor->armor_type); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0 && !state->armor_key) { + if (tgs_subkey) + retval = krb5_c_fx_cf2_simple(kdc_context, + tgs_subkey, "subkeyarmor", + tgs_session, "ticketarmor", + &state->armor_key); + else { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, + "No armor key but FAST armored request present"); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0) { + krb5_data plaintext; + plaintext.length = fast_armored_req->enc_part.ciphertext.length; + plaintext.data = malloc(plaintext.length); + if (plaintext.data == NULL) + retval = ENOMEM; + retval = krb5_c_decrypt(kdc_context, + state->armor_key, + KRB5_KEYUSAGE_FAST_ENC, NULL, + &fast_armored_req->enc_part, + &plaintext); + if (retval == 0) + retval = decode_krb5_fast_req(&plaintext, &fast_req); + if (plaintext.data) + free(plaintext.data); + } + if (retval == 0) + retval = krb5_c_verify_checksum(kdc_context, state->armor_key, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (retval == 0 && !cksum_valid) { + retval = KRB5KRB_AP_ERR_MODIFIED; + krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, + "FAST req_checksum invalid; request modified"); + } + if (retval == 0) { + krb5_error_code ret; + /* We need to confirm that a keyed checksum is used for the + * fast_req checksum. In April 2009, the best way to do this is + * to try verifying the checksum with a keyblock with an zero + * length; if it succeeds, then an unkeyed checksum is used.*/ + ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (ret == 0) { + retval = KRB5KDC_ERR_POLICY; + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "Unkeyed checksum used in fast_req"); + } + } + if (retval == 0) { + if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) + retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; + } + if (retval == 0) + cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE); + if (retval == 0) { + state->fast_options = fast_req->fast_options; + if (request->kdc_state == state) + request->kdc_state = NULL; + krb5_free_kdc_req( kdc_context, request); + *requestptr = fast_req->req_body; + fast_req->req_body = NULL; + + } } else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); - if (retval == 0 && cookie_padata != NULL) { - krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data)); - if (new_padata == NULL) { - retval = ENOMEM; - } else { - new_padata->pa_type = KRB5_PADATA_FX_COOKIE; - new_padata->length = cookie_padata->length; - new_padata->contents = malloc(new_padata->length); - if (new_padata->contents == NULL) { - retval = ENOMEM; - free(new_padata); - } else { - memcpy(new_padata->contents, cookie_padata->contents, new_padata->length); - state->cookie = new_padata; - } - } + if (retval == 0 && cookie_padata != NULL) { + krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data)); + if (new_padata == NULL) { + retval = ENOMEM; + } else { + new_padata->pa_type = KRB5_PADATA_FX_COOKIE; + new_padata->length = cookie_padata->length; + new_padata->contents = malloc(new_padata->length); + if (new_padata->contents == NULL) { + retval = ENOMEM; + free(new_padata); + } else { + memcpy(new_padata->contents, cookie_padata->contents, new_padata->length); + state->cookie = new_padata; + } + } } - if (fast_req) - krb5_free_fast_req( kdc_context, fast_req); + if (fast_req) + krb5_free_fast_req( kdc_context, fast_req); if (fast_armored_req) - krb5_free_fast_armored_req(kdc_context, fast_armored_req); + krb5_free_fast_armored_req(kdc_context, fast_armored_req); return retval; } @@ -256,7 +257,7 @@ krb5_error_code kdc_make_rstate(struct kdc_request_state **out) { struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state)); if (state == NULL) - return ENOMEM; + return ENOMEM; memset( state, 0, sizeof(struct kdc_request_state)); *out = state; return 0; @@ -265,15 +266,15 @@ krb5_error_code kdc_make_rstate(struct kdc_request_state **out) void kdc_free_rstate (struct kdc_request_state *s) { - if (s == NULL) - return; + if (s == NULL) + return; if (s->armor_key) - krb5_free_keyblock(kdc_context, s->armor_key); + krb5_free_keyblock(kdc_context, s->armor_key); if (s->strengthen_key) - krb5_free_keyblock(kdc_context, s->strengthen_key); + krb5_free_keyblock(kdc_context, s->strengthen_key); if (s->cookie) { - free(s->cookie->contents); - free(s->cookie); + free(s->cookie->contents); + free(s->cookie); } free(s); } @@ -292,70 +293,70 @@ krb5_error_code kdc_fast_response_handle_padata krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; krb5_pa_data *empty_padata[] = {NULL}; krb5_keyblock *strengthen_key = NULL; - + if (!state->armor_key) - return 0; + return 0; memset(&finish, 0, sizeof(finish)); retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key); if (retval == 0) - retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key); + retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key); if (retval == 0) { - state->strengthen_key = strengthen_key; - strengthen_key = NULL; + state->strengthen_key = strengthen_key; + strengthen_key = NULL; } - + fast_response.padata = rep->padata; if (fast_response.padata == NULL) - fast_response.padata = &empty_padata[0]; - fast_response.strengthen_key = state->strengthen_key; + fast_response.padata = &empty_padata[0]; + fast_response.strengthen_key = state->strengthen_key; fast_response.nonce = request->nonce; fast_response.finished = &finish; finish.client = rep->client; pa_array = calloc(3, sizeof(*pa_array)); if (pa_array == NULL) - retval = ENOMEM; + retval = ENOMEM; pa = calloc(1, sizeof(krb5_pa_data)); if (retval == 0 && pa == NULL) - retval = ENOMEM; + retval = ENOMEM; if (retval == 0) - retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec); + retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec); if (retval == 0) - retval = encode_krb5_ticket(rep->ticket, &encoded_ticket); + retval = encode_krb5_ticket(rep->ticket, &encoded_ticket); if (retval == 0) - retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype); + retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype); if (retval == 0) - retval = krb5_c_make_checksum(kdc_context, cksumtype, - state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, - encoded_ticket, &finish.ticket_checksum); + retval = krb5_c_make_checksum(kdc_context, cksumtype, + state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, &finish.ticket_checksum); if (retval == 0) - retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply); + retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply); if (retval == 0) { - pa[0].pa_type = KRB5_PADATA_FX_FAST; - pa[0].length = encrypted_reply->length; - pa[0].contents = (unsigned char *) encrypted_reply->data; - pa_array[0] = &pa[0]; - rep->padata = pa_array; - pa_array = NULL; - free(encrypted_reply); - encrypted_reply = NULL; - pa = NULL; + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; + pa_array[0] = &pa[0]; + rep->padata = pa_array; + pa_array = NULL; + free(encrypted_reply); + encrypted_reply = NULL; + pa = NULL; } if (pa) - free(pa); + free(pa); if (pa_array) - free(pa_array); + free(pa_array); if (encrypted_reply) - krb5_free_data(kdc_context, encrypted_reply); + krb5_free_data(kdc_context, encrypted_reply); if (encoded_ticket) - krb5_free_data(kdc_context, encoded_ticket); + krb5_free_data(kdc_context, encoded_ticket); if (strengthen_key != NULL) - krb5_free_keyblock(kdc_context, strengthen_key); + krb5_free_keyblock(kdc_context, strengthen_key); if (finish.ticket_checksum.contents) - krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); + krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); return retval; } - + /* * We assume the caller is responsible for passing us an in_padata * sufficient to include in a FAST error. In the FAST case we will @@ -379,7 +380,7 @@ krb5_error_code kdc_fast_handle_error memset(outer_pa, 0, sizeof(outer_pa)); if (!state->armor_key) - return 0; + return 0; fx_error = *err; fx_error.e_data.data = NULL; fx_error.e_data.length = 0; @@ -387,76 +388,76 @@ krb5_error_code kdc_fast_handle_error size +=3; inner_pa = calloc(size, sizeof(krb5_pa_data *)); if (inner_pa == NULL) - retval = ENOMEM; + retval = ENOMEM; if (retval == 0) - for (size=0; in_padata&&in_padata[size]; size++) - inner_pa[size] = in_padata[size]; + for (size=0; in_padata&&in_padata[size]; size++) + inner_pa[size] = in_padata[size]; if (retval == 0) - retval = encode_krb5_error(&fx_error, &encoded_fx_error); + retval = encode_krb5_error(&fx_error, &encoded_fx_error); if (retval == 0) { - pa[0].pa_type = KRB5_PADATA_FX_ERROR; - pa[0].length = encoded_fx_error->length; - pa[0].contents = (unsigned char *) encoded_fx_error->data; - inner_pa[size++] = &pa[0]; - if (find_pa_data(inner_pa, KRB5_PADATA_FX_COOKIE) == NULL) - retval = kdc_preauth_get_cookie(state, &cookie); + pa[0].pa_type = KRB5_PADATA_FX_ERROR; + pa[0].length = encoded_fx_error->length; + pa[0].contents = (unsigned char *) encoded_fx_error->data; + inner_pa[size++] = &pa[0]; + if (find_pa_data(inner_pa, KRB5_PADATA_FX_COOKIE) == NULL) + retval = kdc_preauth_get_cookie(state, &cookie); } if (cookie != NULL) - inner_pa[size++] = cookie; + inner_pa[size++] = cookie; if (retval == 0) { - resp.padata = inner_pa; - resp.nonce = request->nonce; - resp.strengthen_key = NULL; - resp.finished = NULL; + resp.padata = inner_pa; + resp.nonce = request->nonce; + resp.strengthen_key = NULL; + resp.finished = NULL; } if (retval == 0) - retval = encrypt_fast_reply(state, &resp, &encrypted_reply); + retval = encrypt_fast_reply(state, &resp, &encrypted_reply); if (inner_pa) - free(inner_pa); /*contained storage from caller and our stack*/ + free(inner_pa); /*contained storage from caller and our stack*/ if (cookie) { - free(cookie->contents); - free(cookie); - cookie = NULL; + free(cookie->contents); + free(cookie); + cookie = NULL; } if (retval == 0) { - pa[0].pa_type = KRB5_PADATA_FX_FAST; - pa[0].length = encrypted_reply->length; - pa[0].contents = (unsigned char *) encrypted_reply->data; - outer_pa[0] = &pa[0]; + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; + outer_pa[0] = &pa[0]; } retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data); if (retval == 0) { - /*process_as holds onto a pointer to the original e_data and frees it*/ - err->e_data = *encoded_e_data; - free(encoded_e_data); /*contents belong to err*/ - encoded_e_data = NULL; + /*process_as holds onto a pointer to the original e_data and frees it*/ + err->e_data = *encoded_e_data; + free(encoded_e_data); /*contents belong to err*/ + encoded_e_data = NULL; } if (encoded_e_data) - krb5_free_data(kdc_context, encoded_e_data); + krb5_free_data(kdc_context, encoded_e_data); if (encrypted_reply) - krb5_free_data(kdc_context, encrypted_reply); + krb5_free_data(kdc_context, encrypted_reply); if (encoded_fx_error) - krb5_free_data(kdc_context, encoded_fx_error); + krb5_free_data(kdc_context, encoded_fx_error); return retval; } krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, - krb5_keyblock *existing_key, - krb5_keyblock **out_key) + krb5_keyblock *existing_key, + krb5_keyblock **out_key) { krb5_error_code retval = 0; if (state->armor_key) - retval = krb5_c_fx_cf2_simple(kdc_context, - state->strengthen_key, "strengthenkey", - existing_key, - "replykey", out_key); + retval = krb5_c_fx_cf2_simple(kdc_context, + state->strengthen_key, "strengthenkey", + existing_key, + "replykey", out_key); else retval = krb5_copy_keyblock(kdc_context, existing_key, out_key); return retval; } krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, - krb5_pa_data **cookie) + krb5_pa_data **cookie) { char *contents; krb5_pa_data *pa = NULL; @@ -469,11 +470,11 @@ krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, */ contents = strdup("MIT"); if (contents == NULL) - return ENOMEM; + return ENOMEM; pa = calloc(1, sizeof(krb5_pa_data)); if (pa == NULL) { - free(contents); - return ENOMEM; + free(contents); + return ENOMEM; } pa->pa_type = KRB5_PADATA_FX_COOKIE; pa->length = strlen(contents); diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 4ccfcb98b..e6d4bd2b6 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/kdc_authdata.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * AuthorizationData routines for the KDC. */ @@ -45,74 +46,74 @@ static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL }; /* MIT Kerberos 1.6 (V0) authdata plugin callback */ typedef krb5_error_code (*authdata_proc_0) - (krb5_context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply); +(krb5_context, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply); /* MIT Kerberos 1.8 (V2) authdata plugin callback */ typedef krb5_error_code (*authdata_proc_2) - (krb5_context, unsigned int flags, - krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply); +(krb5_context, unsigned int flags, + krb5_db_entry *client, krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); typedef krb5_error_code (*init_proc) - (krb5_context, void **); +(krb5_context, void **); typedef void (*fini_proc) - (krb5_context, void *); +(krb5_context, void *); /* Internal authdata system for copying TGS-REQ authdata to ticket */ static krb5_error_code handle_request_authdata - (krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply); +(krb5_context context, + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); /* Internal authdata system for handling KDC-issued authdata */ static krb5_error_code handle_tgt_authdata - (krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply); +(krb5_context context, + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); typedef struct _krb5_authdata_systems { const char *name; -#define AUTHDATA_SYSTEM_UNKNOWN -1 -#define AUTHDATA_SYSTEM_V0 0 -#define AUTHDATA_SYSTEM_V2 2 +#define AUTHDATA_SYSTEM_UNKNOWN -1 +#define AUTHDATA_SYSTEM_V0 0 +#define AUTHDATA_SYSTEM_V2 2 int type; -#define AUTHDATA_FLAG_CRITICAL 0x1 +#define AUTHDATA_FLAG_CRITICAL 0x1 int flags; void *plugin_context; init_proc init; fini_proc fini; union { - authdata_proc_2 v2; - authdata_proc_0 v0; + authdata_proc_2 v2; + authdata_proc_0 v0; } handle_authdata; } krb5_authdata_systems; @@ -139,10 +140,10 @@ load_authdata_plugins(krb5_context context) /* Attempt to load all of the authdata plugins we can find. */ PLUGIN_DIR_INIT(&authdata_plugins); if (PLUGIN_DIR_OPEN(&authdata_plugins) == 0) { - if (krb5int_open_plugin_dirs(objdirs, NULL, - &authdata_plugins, &context->err) != 0) { - return KRB5_PLUGIN_NO_HANDLE; - } + if (krb5int_open_plugin_dirs(objdirs, NULL, + &authdata_plugins, &context->err) != 0) { + return KRB5_PLUGIN_NO_HANDLE; + } } /* Get the method tables provided by the loaded plugins. */ @@ -151,141 +152,141 @@ load_authdata_plugins(krb5_context context) n_authdata_systems = 0; if (krb5int_get_plugin_dir_data(&authdata_plugins, - "authdata_server_2", - &authdata_plugins_ftables_v2, &context->err) != 0 || - krb5int_get_plugin_dir_data(&authdata_plugins, - "authdata_server_0", - &authdata_plugins_ftables_v0, &context->err) != 0) { - code = KRB5_PLUGIN_NO_HANDLE; - goto cleanup; + "authdata_server_2", + &authdata_plugins_ftables_v2, &context->err) != 0 || + krb5int_get_plugin_dir_data(&authdata_plugins, + "authdata_server_0", + &authdata_plugins_ftables_v0, &context->err) != 0) { + code = KRB5_PLUGIN_NO_HANDLE; + goto cleanup; } - /* Count the valid modules. */ + /* Count the valid modules. */ module_count = 0; if (authdata_plugins_ftables_v2 != NULL) { - struct krb5plugin_authdata_server_ftable_v2 *ftable; + struct krb5plugin_authdata_server_ftable_v2 *ftable; - for (i = 0; authdata_plugins_ftables_v2[i] != NULL; i++) { - ftable = authdata_plugins_ftables_v2[i]; - if (ftable->authdata_proc != NULL) - module_count++; - } + for (i = 0; authdata_plugins_ftables_v2[i] != NULL; i++) { + ftable = authdata_plugins_ftables_v2[i]; + if (ftable->authdata_proc != NULL) + module_count++; + } } - + if (authdata_plugins_ftables_v0 != NULL) { - struct krb5plugin_authdata_server_ftable_v0 *ftable; + struct krb5plugin_authdata_server_ftable_v0 *ftable; - for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) { - ftable = authdata_plugins_ftables_v0[i]; - if (ftable->authdata_proc != NULL) - module_count++; - } + for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) { + ftable = authdata_plugins_ftables_v0[i]; + if (ftable->authdata_proc != NULL) + module_count++; + } } module_count += sizeof(static_authdata_systems) - / sizeof(static_authdata_systems[0]); + / sizeof(static_authdata_systems[0]); /* Build the complete list of supported authdata options, and * leave room for a terminator entry. */ authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems)); if (authdata_systems == NULL) { - code = ENOMEM; - goto cleanup; + code = ENOMEM; + goto cleanup; } k = 0; /* Add dynamically loaded V2 plugins */ if (authdata_plugins_ftables_v2 != NULL) { - struct krb5plugin_authdata_server_ftable_v2 *ftable; - - for (i = 0; authdata_plugins_ftables_v2[i] != NULL; i++) { - krb5_error_code initerr; - void *pctx = NULL; - - ftable = authdata_plugins_ftables_v2[i]; - if ((ftable->authdata_proc == NULL)) { - continue; - } - server_init_proc = ftable->init_proc; - if ((server_init_proc != NULL) && - ((initerr = (*server_init_proc)(context, &pctx)) != 0)) { - const char *emsg; - emsg = krb5_get_error_message(context, initerr); - if (emsg) { - krb5_klog_syslog(LOG_ERR, - "authdata %s failed to initialize: %s", - ftable->name, emsg); - krb5_free_error_message(context, emsg); - } - memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); - - continue; - } - - authdata_systems[k].name = ftable->name; - authdata_systems[k].type = AUTHDATA_SYSTEM_V2; - authdata_systems[k].init = server_init_proc; - authdata_systems[k].fini = ftable->fini_proc; - authdata_systems[k].handle_authdata.v2 = ftable->authdata_proc; - authdata_systems[k].plugin_context = pctx; - k++; - } + struct krb5plugin_authdata_server_ftable_v2 *ftable; + + for (i = 0; authdata_plugins_ftables_v2[i] != NULL; i++) { + krb5_error_code initerr; + void *pctx = NULL; + + ftable = authdata_plugins_ftables_v2[i]; + if ((ftable->authdata_proc == NULL)) { + continue; + } + server_init_proc = ftable->init_proc; + if ((server_init_proc != NULL) && + ((initerr = (*server_init_proc)(context, &pctx)) != 0)) { + const char *emsg; + emsg = krb5_get_error_message(context, initerr); + if (emsg) { + krb5_klog_syslog(LOG_ERR, + "authdata %s failed to initialize: %s", + ftable->name, emsg); + krb5_free_error_message(context, emsg); + } + memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); + + continue; + } + + authdata_systems[k].name = ftable->name; + authdata_systems[k].type = AUTHDATA_SYSTEM_V2; + authdata_systems[k].init = server_init_proc; + authdata_systems[k].fini = ftable->fini_proc; + authdata_systems[k].handle_authdata.v2 = ftable->authdata_proc; + authdata_systems[k].plugin_context = pctx; + k++; + } } /* Add dynamically loaded V0 plugins */ if (authdata_plugins_ftables_v0 != NULL) { - struct krb5plugin_authdata_server_ftable_v0 *ftable; - - for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) { - krb5_error_code initerr; - void *pctx = NULL; - - ftable = authdata_plugins_ftables_v0[i]; - if ((ftable->authdata_proc == NULL)) { - continue; - } - server_init_proc = ftable->init_proc; - if ((server_init_proc != NULL) && - ((initerr = (*server_init_proc)(context, &pctx)) != 0)) { - const char *emsg; - emsg = krb5_get_error_message(context, initerr); - if (emsg) { - krb5_klog_syslog(LOG_ERR, - "authdata %s failed to initialize: %s", - ftable->name, emsg); - krb5_free_error_message(context, emsg); - } - memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); - - continue; - } - - authdata_systems[k].name = ftable->name; - authdata_systems[k].type = AUTHDATA_SYSTEM_V0; - authdata_systems[k].init = server_init_proc; - authdata_systems[k].fini = ftable->fini_proc; - authdata_systems[k].handle_authdata.v0 = ftable->authdata_proc; - authdata_systems[k].plugin_context = pctx; - k++; - } + struct krb5plugin_authdata_server_ftable_v0 *ftable; + + for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) { + krb5_error_code initerr; + void *pctx = NULL; + + ftable = authdata_plugins_ftables_v0[i]; + if ((ftable->authdata_proc == NULL)) { + continue; + } + server_init_proc = ftable->init_proc; + if ((server_init_proc != NULL) && + ((initerr = (*server_init_proc)(context, &pctx)) != 0)) { + const char *emsg; + emsg = krb5_get_error_message(context, initerr); + if (emsg) { + krb5_klog_syslog(LOG_ERR, + "authdata %s failed to initialize: %s", + ftable->name, emsg); + krb5_free_error_message(context, emsg); + } + memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); + + continue; + } + + authdata_systems[k].name = ftable->name; + authdata_systems[k].type = AUTHDATA_SYSTEM_V0; + authdata_systems[k].init = server_init_proc; + authdata_systems[k].fini = ftable->fini_proc; + authdata_systems[k].handle_authdata.v0 = ftable->authdata_proc; + authdata_systems[k].plugin_context = pctx; + k++; + } } /* Add the locally-supplied mechanisms to the dynamic list first. */ for (i = 0; - i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]); - i++) { - authdata_systems[k] = static_authdata_systems[i]; - /* Try to initialize the authdata system. If it fails, we'll remove it - * from the list of systems we'll be using. */ - server_init_proc = static_authdata_systems[i].init; - if ((server_init_proc != NULL) && - ((*server_init_proc)(context, &authdata_systems[k].plugin_context) != 0)) { - memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); - continue; - } - k++; + i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]); + i++) { + authdata_systems[k] = static_authdata_systems[i]; + /* Try to initialize the authdata system. If it fails, we'll remove it + * from the list of systems we'll be using. */ + server_init_proc = static_authdata_systems[i].init; + if ((server_init_proc != NULL) && + ((*server_init_proc)(context, &authdata_systems[k].plugin_context) != 0)) { + memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); + continue; + } + k++; } n_authdata_systems = k; @@ -296,9 +297,9 @@ load_authdata_plugins(krb5_context context) cleanup: if (authdata_plugins_ftables_v2 != NULL) - krb5int_free_plugin_dir_data(authdata_plugins_ftables_v2); + krb5int_free_plugin_dir_data(authdata_plugins_ftables_v2); if (authdata_plugins_ftables_v0 != NULL) - krb5int_free_plugin_dir_data(authdata_plugins_ftables_v0); + krb5int_free_plugin_dir_data(authdata_plugins_ftables_v0); return code; } @@ -308,17 +309,17 @@ unload_authdata_plugins(krb5_context context) { int i; if (authdata_systems != NULL) { - for (i = 0; i < n_authdata_systems; i++) { - if (authdata_systems[i].fini != NULL) { - (*authdata_systems[i].fini)(context, - authdata_systems[i].plugin_context); - } - memset(&authdata_systems[i], 0, sizeof(authdata_systems[i])); - } - free(authdata_systems); - authdata_systems = NULL; - n_authdata_systems = 0; - krb5int_close_plugin_dirs(&authdata_plugins); + for (i = 0; i < n_authdata_systems; i++) { + if (authdata_systems[i].fini != NULL) { + (*authdata_systems[i].fini)(context, + authdata_systems[i].plugin_context); + } + memset(&authdata_systems[i], 0, sizeof(authdata_systems[i])); + } + free(authdata_systems); + authdata_systems = NULL; + n_authdata_systems = 0; + krb5int_close_plugin_dirs(&authdata_plugins); } return 0; } @@ -326,46 +327,46 @@ unload_authdata_plugins(krb5_context context) /* Merge authdata. If copy == 0, in_authdata is invalid on return */ static krb5_error_code merge_authdata (krb5_context context, - krb5_authdata **in_authdata, - krb5_authdata ***out_authdata, - krb5_boolean copy) + krb5_authdata **in_authdata, + krb5_authdata ***out_authdata, + krb5_boolean copy) { size_t i, nadata = 0; krb5_authdata **authdata = *out_authdata; if (in_authdata == NULL || in_authdata[0] == NULL) - return 0; + return 0; if (authdata != NULL) { - for (nadata = 0; authdata[nadata] != NULL; nadata++) - ; + for (nadata = 0; authdata[nadata] != NULL; nadata++) + ; } for (i = 0; in_authdata[i] != NULL; i++) - ; + ; if (authdata == NULL) { - authdata = (krb5_authdata **)calloc(i + 1, sizeof(krb5_authdata *)); + authdata = (krb5_authdata **)calloc(i + 1, sizeof(krb5_authdata *)); } else { - authdata = (krb5_authdata **)realloc(authdata, - ((nadata + i + 1) * sizeof(krb5_authdata *))); + authdata = (krb5_authdata **)realloc(authdata, + ((nadata + i + 1) * sizeof(krb5_authdata *))); } if (authdata == NULL) - return ENOMEM; + return ENOMEM; if (copy) { - krb5_error_code code; - krb5_authdata **tmp; + krb5_error_code code; + krb5_authdata **tmp; - code = krb5_copy_authdata(context, in_authdata, &tmp); - if (code != 0) - return code; + code = krb5_copy_authdata(context, in_authdata, &tmp); + if (code != 0) + return code; - in_authdata = tmp; + in_authdata = tmp; } for (i = 0; in_authdata[i] != NULL; i++) - authdata[nadata + i] = in_authdata[i]; + authdata[nadata + i] = in_authdata[i]; authdata[nadata + i] = NULL; @@ -379,32 +380,32 @@ merge_authdata (krb5_context context, /* Handle copying TGS-REQ authorization data into reply */ static krb5_error_code handle_request_authdata (krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply) + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply) { krb5_error_code code; krb5_data scratch; if (request->msg_type != KRB5_TGS_REQ || - request->authorization_data.ciphertext.data == NULL) - return 0; + request->authorization_data.ciphertext.data == NULL) + return 0; assert(enc_tkt_request != NULL); scratch.length = request->authorization_data.ciphertext.length; scratch.data = malloc(scratch.length); if (scratch.data == NULL) - return ENOMEM; + return ENOMEM; /* * RFC 4120 requires authdata in the TGS body to be encrypted in @@ -418,34 +419,34 @@ handle_request_authdata (krb5_context context, * fails. */ code = krb5_c_decrypt(context, - enc_tkt_request->session, - KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, - 0, &request->authorization_data, - &scratch); + enc_tkt_request->session, + KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, + 0, &request->authorization_data, + &scratch); if (code != 0) - code = krb5_c_decrypt(context, - client_key, - KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, - 0, &request->authorization_data, - &scratch); + code = krb5_c_decrypt(context, + client_key, + KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, + 0, &request->authorization_data, + &scratch); if (code != 0) { - free(scratch.data); - return code; + free(scratch.data); + return code; } /* scratch now has the authorization data, so we decode it, and make * it available to subsequent authdata plugins */ code = decode_krb5_authdata(&scratch, &request->unenc_authdata); if (code != 0) { - free(scratch.data); - return code; + free(scratch.data); + return code; } free(scratch.data); code = merge_authdata(context, request->unenc_authdata, - &enc_tkt_reply->authorization_data, TRUE /* copy */); + &enc_tkt_reply->authorization_data, TRUE /* copy */); return code; } @@ -453,18 +454,18 @@ handle_request_authdata (krb5_context context, /* Handle backend-managed authorization data */ static krb5_error_code handle_tgt_authdata (krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply) + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply) { krb5_error_code code; krb5_authdata **db_authdata = NULL; @@ -488,19 +489,19 @@ handle_tgt_authdata (krb5_context context, * for cross-realm protocol transition below). */ if (tgs_req) { - assert(enc_tkt_request != NULL); + assert(enc_tkt_request != NULL); - if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)) - return 0; + if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)) + return 0; - if (enc_tkt_request->authorization_data == NULL && - !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U)) - return 0; + if (enc_tkt_request->authorization_data == NULL && + !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U)) + return 0; - assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime); + assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime); } else { - if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC)) - return 0; + if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC)) + return 0; } /* @@ -509,9 +510,9 @@ handle_tgt_authdata (krb5_context context, * not be changed until the final hop. */ if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) - actual_client = for_user_princ; + actual_client = for_user_princ; else - actual_client = enc_tkt_reply->client; + actual_client = enc_tkt_reply->client; /* * If the backend does not implement the sign authdata method, then @@ -524,37 +525,37 @@ handle_tgt_authdata (krb5_context context, * to influence (eg. possibly restrict) the reply auth data. */ code = sign_db_authdata(context, - flags, - actual_client, - client, - server, - krbtgt, - client_key, - server_key, /* U2U or server key */ - krbtgt_key, - enc_tkt_reply->times.authtime, - tgs_req ? enc_tkt_request->authorization_data : NULL, - enc_tkt_reply->session, - &db_authdata); + flags, + actual_client, + client, + server, + krbtgt, + client_key, + server_key, /* U2U or server key */ + krbtgt_key, + enc_tkt_reply->times.authtime, + tgs_req ? enc_tkt_request->authorization_data : NULL, + enc_tkt_reply->session, + &db_authdata); if (code == KRB5_KDB_DBTYPE_NOSUP) { - assert(db_authdata == NULL); + assert(db_authdata == NULL); - if (isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) - return KRB5KDC_ERR_POLICY; + if (isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) + return KRB5KDC_ERR_POLICY; - if (tgs_req) - return merge_authdata(context, enc_tkt_request->authorization_data, - &enc_tkt_reply->authorization_data, TRUE); - else - return 0; + if (tgs_req) + return merge_authdata(context, enc_tkt_request->authorization_data, + &enc_tkt_reply->authorization_data, TRUE); + else + return 0; } if (db_authdata != NULL) { - code = merge_authdata(context, db_authdata, - &enc_tkt_reply->authorization_data, - FALSE); - if (code != 0) - krb5_free_authdata(context, db_authdata); + code = merge_authdata(context, db_authdata, + &enc_tkt_reply->authorization_data, + FALSE); + if (code != 0) + krb5_free_authdata(context, db_authdata); } return code; @@ -562,60 +563,59 @@ handle_tgt_authdata (krb5_context context, krb5_error_code handle_authdata (krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply) + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply) { krb5_error_code code = 0; int i; for (i = 0; i < n_authdata_systems; i++) { - const krb5_authdata_systems *asys = &authdata_systems[i]; - - switch (asys->type) { - case AUTHDATA_SYSTEM_V0: - /* V0 was only in AS-REQ code path */ - if (request->msg_type != KRB5_AS_REQ) - continue; - - code = (*asys->handle_authdata.v0)(context, client, req_pkt, - request, enc_tkt_reply); - break; - case AUTHDATA_SYSTEM_V2: - code = (*asys->handle_authdata.v2)(context, flags, - client, server, krbtgt, - client_key, server_key, krbtgt_key, - req_pkt, request, for_user_princ, - enc_tkt_request, - enc_tkt_reply); - break; - default: - code = 0; - break; - } - if (code != 0) { - const char *emsg; - - emsg = krb5_get_error_message (context, code); - krb5_klog_syslog (LOG_INFO, - "authdata (%s) handling failure: %s", - asys->name, emsg); - krb5_free_error_message (context, emsg); - - if (asys->flags & AUTHDATA_FLAG_CRITICAL) - break; - } + const krb5_authdata_systems *asys = &authdata_systems[i]; + + switch (asys->type) { + case AUTHDATA_SYSTEM_V0: + /* V0 was only in AS-REQ code path */ + if (request->msg_type != KRB5_AS_REQ) + continue; + + code = (*asys->handle_authdata.v0)(context, client, req_pkt, + request, enc_tkt_reply); + break; + case AUTHDATA_SYSTEM_V2: + code = (*asys->handle_authdata.v2)(context, flags, + client, server, krbtgt, + client_key, server_key, krbtgt_key, + req_pkt, request, for_user_princ, + enc_tkt_request, + enc_tkt_reply); + break; + default: + code = 0; + break; + } + if (code != 0) { + const char *emsg; + + emsg = krb5_get_error_message (context, code); + krb5_klog_syslog (LOG_INFO, + "authdata (%s) handling failure: %s", + asys->name, emsg); + krb5_free_error_message (context, emsg); + + if (asys->flags & AUTHDATA_FLAG_CRITICAL) + break; + } } return code; } - diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 2149fd1ac..1eda93ba9 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/kdc_preauth.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,20 +23,20 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * Preauthentication routines for the KDC. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -46,7 +47,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -103,7 +104,7 @@ static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL }; /* XXX This is ugly and should be in a header file somewhere */ #ifndef KRB5INT_DES_TYPES_DEFINED #define KRB5INT_DES_TYPES_DEFINED -typedef unsigned char des_cblock[8]; /* crypto-block size */ +typedef unsigned char des_cblock[8]; /* crypto-block size */ #endif typedef des_cblock mit_des_cblock; extern void mit_des_fixup_key_parity (mit_des_cblock ); @@ -111,127 +112,127 @@ extern int mit_des_is_weak_key (mit_des_cblock ); typedef struct _krb5_preauth_systems { const char *name; - int type; - int flags; + int type; + int flags; void *plugin_context; - preauth_server_init_proc init; - preauth_server_fini_proc fini; - preauth_server_edata_proc get_edata; - preauth_server_verify_proc verify_padata; - preauth_server_return_proc return_padata; - preauth_server_free_reqcontext_proc free_pa_reqctx; + preauth_server_init_proc init; + preauth_server_fini_proc fini; + preauth_server_edata_proc get_edata; + preauth_server_verify_proc verify_padata; + preauth_server_return_proc return_padata; + preauth_server_free_reqcontext_proc free_pa_reqctx; } krb5_preauth_systems; static krb5_error_code verify_enc_timestamp - (krb5_context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data); +(krb5_context, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data); static krb5_error_code get_enc_ts - (krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - krb5_pa_data *data); +(krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *data); static krb5_error_code get_etype_info - (krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - krb5_pa_data *data); +(krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *data); static krb5_error_code get_etype_info2(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - krb5_pa_data *pa_data); + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *pa_data); static krb5_error_code -etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - int etype_info2); +etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + int etype_info2); static krb5_error_code -return_etype_info(krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - void **pa_request_context); +return_etype_info(krb5_context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + void **pa_request_context); static krb5_error_code -return_etype_info2(krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - void **pa_request_context); +return_etype_info2(krb5_context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + void **pa_request_context); static krb5_error_code return_pw_salt - (krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - void **pa_request_context); +(krb5_context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + void **pa_request_context); /* SAM preauth support */ static krb5_error_code verify_sam_response - (krb5_context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, - preauth_get_entry_data_proc get_entry_data, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data); +(krb5_context, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_data, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data); static krb5_error_code get_sam_edata - (krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data, - void *pa_module_context, - krb5_pa_data *data); +(krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_module_context, + krb5_pa_data *data); static krb5_error_code return_sam_data - (krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_data, - void *pa_module_context, - void **pa_request_context); +(krb5_context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_data, + void *pa_module_context, + void **pa_request_context); #if APPLE_PKINIT /* PKINIT preauth support */ static krb5_error_code get_pkinit_edata( - krb5_context context, + krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, + krb5_db_entry *client, krb5_db_entry *server, preauth_get_entry_data_proc get_entry_data, void *pa_module_context, @@ -241,7 +242,7 @@ static krb5_error_code verify_pkinit_request( krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, preauth_get_entry_data_proc get_entry_data, void *pa_module_context, @@ -249,11 +250,11 @@ static krb5_error_code verify_pkinit_request( krb5_data **e_data, krb5_authdata ***authz_data); static krb5_error_code return_pkinit_response( - krb5_context context, - krb5_pa_data * padata, + krb5_context context, + krb5_pa_data * padata, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, + krb5_kdc_req *request, krb5_kdc_rep *reply, krb5_key_data *client_key, krb5_keyblock *encrypting_key, @@ -266,114 +267,114 @@ static krb5_error_code return_pkinit_response( static krb5_preauth_systems static_preauth_systems[] = { #if APPLE_PKINIT { - "pkinit", - KRB5_PADATA_PK_AS_REQ, - PA_SUFFICIENT, - NULL, /* pa_sys_context */ - NULL, /* init */ - NULL, /* fini */ - get_pkinit_edata, - verify_pkinit_request, - return_pkinit_response, - NULL /* free_pa_request_context */ + "pkinit", + KRB5_PADATA_PK_AS_REQ, + PA_SUFFICIENT, + NULL, /* pa_sys_context */ + NULL, /* init */ + NULL, /* fini */ + get_pkinit_edata, + verify_pkinit_request, + return_pkinit_response, + NULL /* free_pa_request_context */ }, #endif /* APPLE_PKINIT */ { - "timestamp", + "timestamp", KRB5_PADATA_ENC_TIMESTAMP, 0, - NULL, - NULL, - NULL, + NULL, + NULL, + NULL, get_enc_ts, - verify_enc_timestamp, - 0 + verify_enc_timestamp, + 0 }, { - "FAST", + "FAST", KRB5_PADATA_FX_FAST, PA_HARDWARE, - NULL, - NULL, - NULL, NULL, - NULL, - 0 + NULL, + NULL, + NULL, + NULL, + 0 }, { - "etype-info", - KRB5_PADATA_ETYPE_INFO, - 0, - NULL, - NULL, - NULL, - get_etype_info, - 0, - return_etype_info + "etype-info", + KRB5_PADATA_ETYPE_INFO, + 0, + NULL, + NULL, + NULL, + get_etype_info, + 0, + return_etype_info }, { - "etype-info2", - KRB5_PADATA_ETYPE_INFO2, - 0, - NULL, - NULL, - NULL, - get_etype_info2, - 0, - return_etype_info2 + "etype-info2", + KRB5_PADATA_ETYPE_INFO2, + 0, + NULL, + NULL, + NULL, + get_etype_info2, + 0, + return_etype_info2 }, { - "pw-salt", - KRB5_PADATA_PW_SALT, - PA_PSEUDO, /* Don't include this in the error list */ - NULL, - NULL, - NULL, - 0, - 0, - return_pw_salt + "pw-salt", + KRB5_PADATA_PW_SALT, + PA_PSEUDO, /* Don't include this in the error list */ + NULL, + NULL, + NULL, + 0, + 0, + return_pw_salt }, { - "sam-response", - KRB5_PADATA_SAM_RESPONSE, - 0, - NULL, - NULL, - NULL, - 0, - verify_sam_response, - return_sam_data + "sam-response", + KRB5_PADATA_SAM_RESPONSE, + 0, + NULL, + NULL, + NULL, + 0, + verify_sam_response, + return_sam_data }, { - "sam-challenge", - KRB5_PADATA_SAM_CHALLENGE, - PA_HARDWARE, /* causes get_preauth_hint_list to use this */ - NULL, - NULL, - NULL, - get_sam_edata, - 0, - 0 + "sam-challenge", + KRB5_PADATA_SAM_CHALLENGE, + PA_HARDWARE, /* causes get_preauth_hint_list to use this */ + NULL, + NULL, + NULL, + get_sam_edata, + 0, + 0 }, { - "pac-request", - KRB5_PADATA_PAC_REQUEST, - PA_PSEUDO, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL + "pac-request", + KRB5_PADATA_PAC_REQUEST, + PA_PSEUDO, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL }, #if 0 { - "server-referral", - KRB5_PADATA_SERVER_REFERRAL, - PA_PSEUDO, - 0, - 0, - return_server_referral + "server-referral", + KRB5_PADATA_SERVER_REFERRAL, + PA_PSEUDO, + 0, + 0, + return_server_referral }, #endif { "[end]", -1,} @@ -396,140 +397,140 @@ load_preauth_plugins(krb5_context context) /* Attempt to load all of the preauth plugins we can find. */ PLUGIN_DIR_INIT(&preauth_plugins); if (PLUGIN_DIR_OPEN(&preauth_plugins) == 0) { - if (krb5int_open_plugin_dirs(objdirs, NULL, - &preauth_plugins, &context->err) != 0) { - return KRB5_PLUGIN_NO_HANDLE; - } + if (krb5int_open_plugin_dirs(objdirs, NULL, + &preauth_plugins, &context->err) != 0) { + return KRB5_PLUGIN_NO_HANDLE; + } } /* Get the method tables provided by the loaded plugins. */ preauth_plugins_ftables = NULL; if (krb5int_get_plugin_dir_data(&preauth_plugins, - "preauthentication_server_1", - &preauth_plugins_ftables, &context->err) != 0) { - return KRB5_PLUGIN_NO_HANDLE; + "preauthentication_server_1", + &preauth_plugins_ftables, &context->err) != 0) { + return KRB5_PLUGIN_NO_HANDLE; } /* Count the valid modules. */ module_count = sizeof(static_preauth_systems) - / sizeof(static_preauth_systems[0]); + / sizeof(static_preauth_systems[0]); if (preauth_plugins_ftables != NULL) { - for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { - ftable = preauth_plugins_ftables[i]; - if ((ftable->flags_proc == NULL) && - (ftable->edata_proc == NULL) && - (ftable->verify_proc == NULL) && - (ftable->return_proc == NULL)) { - continue; - } - for (j = 0; - ftable->pa_type_list != NULL && - ftable->pa_type_list[j] > 0; - j++) { - module_count++; - } - } + for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { + ftable = preauth_plugins_ftables[i]; + if ((ftable->flags_proc == NULL) && + (ftable->edata_proc == NULL) && + (ftable->verify_proc == NULL) && + (ftable->return_proc == NULL)) { + continue; + } + for (j = 0; + ftable->pa_type_list != NULL && + ftable->pa_type_list[j] > 0; + j++) { + module_count++; + } + } } /* Build the complete list of supported preauthentication options, and * leave room for a terminator entry. */ preauth_systems = malloc(sizeof(krb5_preauth_systems) * (module_count + 1)); if (preauth_systems == NULL) { - krb5int_free_plugin_dir_data(preauth_plugins_ftables); - return ENOMEM; + krb5int_free_plugin_dir_data(preauth_plugins_ftables); + return ENOMEM; } /* Build a list of the names of the supported realms for this KDC. * The list of names is terminated with a NULL. */ kdc_realm_names = malloc(sizeof(char *) * (kdc_numrealms + 1)); if (kdc_realm_names == NULL) { - krb5int_free_plugin_dir_data(preauth_plugins_ftables); - return ENOMEM; + krb5int_free_plugin_dir_data(preauth_plugins_ftables); + return ENOMEM; } for (i = 0; i < (size_t)kdc_numrealms; i++) { - kdc_realm_names[i] = kdc_realmlist[i]->realm_name; + kdc_realm_names[i] = kdc_realmlist[i]->realm_name; } kdc_realm_names[i] = NULL; /* Add the locally-supplied mechanisms to the dynamic list first. */ for (i = 0, k = 0; - i < sizeof(static_preauth_systems) / sizeof(static_preauth_systems[0]); - i++) { - if (static_preauth_systems[i].type == -1) - break; - preauth_systems[k] = static_preauth_systems[i]; - /* Try to initialize the preauth system. If it fails, we'll remove it - * from the list of systems we'll be using. */ - plugin_context = NULL; - server_init_proc = static_preauth_systems[i].init; - if ((server_init_proc != NULL) && - ((*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names) != 0)) { - memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); - continue; - } - preauth_systems[k].plugin_context = plugin_context; - k++; + i < sizeof(static_preauth_systems) / sizeof(static_preauth_systems[0]); + i++) { + if (static_preauth_systems[i].type == -1) + break; + preauth_systems[k] = static_preauth_systems[i]; + /* Try to initialize the preauth system. If it fails, we'll remove it + * from the list of systems we'll be using. */ + plugin_context = NULL; + server_init_proc = static_preauth_systems[i].init; + if ((server_init_proc != NULL) && + ((*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names) != 0)) { + memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); + continue; + } + preauth_systems[k].plugin_context = plugin_context; + k++; } /* Now add the dynamically-loaded mechanisms to the list. */ if (preauth_plugins_ftables != NULL) { - for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { - ftable = preauth_plugins_ftables[i]; - if ((ftable->flags_proc == NULL) && - (ftable->edata_proc == NULL) && - (ftable->verify_proc == NULL) && - (ftable->return_proc == NULL)) { - continue; - } - plugin_context = NULL; - for (j = 0; - ftable->pa_type_list != NULL && - ftable->pa_type_list[j] > 0; - j++) { - /* Try to initialize the plugin. If it fails, we'll remove it - * from the list of modules we'll be using. */ - if (j == 0) { - server_init_proc = ftable->init_proc; - if (server_init_proc != NULL) { - krb5_error_code initerr; - initerr = (*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names); - if (initerr) { - const char *emsg; - emsg = krb5_get_error_message(context, initerr); - if (emsg) { - krb5_klog_syslog(LOG_ERR, - "preauth %s failed to initialize: %s", - ftable->name, emsg); - krb5_free_error_message(context, emsg); - } - memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); - - break; /* skip all modules in this plugin */ - } - } - } - preauth_systems[k].name = ftable->name; - preauth_systems[k].type = ftable->pa_type_list[j]; - if (ftable->flags_proc != NULL) - preauth_systems[k].flags = ftable->flags_proc(context, preauth_systems[k].type); - else - preauth_systems[k].flags = 0; - preauth_systems[k].plugin_context = plugin_context; - preauth_systems[k].init = server_init_proc; - /* Only call fini once for each plugin */ - if (j == 0) - preauth_systems[k].fini = ftable->fini_proc; - else - preauth_systems[k].fini = NULL; - preauth_systems[k].get_edata = ftable->edata_proc; - preauth_systems[k].verify_padata = ftable->verify_proc; - preauth_systems[k].return_padata = ftable->return_proc; - preauth_systems[k].free_pa_reqctx = - ftable->freepa_reqcontext_proc; - k++; - } - } - krb5int_free_plugin_dir_data(preauth_plugins_ftables); + for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { + ftable = preauth_plugins_ftables[i]; + if ((ftable->flags_proc == NULL) && + (ftable->edata_proc == NULL) && + (ftable->verify_proc == NULL) && + (ftable->return_proc == NULL)) { + continue; + } + plugin_context = NULL; + for (j = 0; + ftable->pa_type_list != NULL && + ftable->pa_type_list[j] > 0; + j++) { + /* Try to initialize the plugin. If it fails, we'll remove it + * from the list of modules we'll be using. */ + if (j == 0) { + server_init_proc = ftable->init_proc; + if (server_init_proc != NULL) { + krb5_error_code initerr; + initerr = (*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names); + if (initerr) { + const char *emsg; + emsg = krb5_get_error_message(context, initerr); + if (emsg) { + krb5_klog_syslog(LOG_ERR, + "preauth %s failed to initialize: %s", + ftable->name, emsg); + krb5_free_error_message(context, emsg); + } + memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); + + break; /* skip all modules in this plugin */ + } + } + } + preauth_systems[k].name = ftable->name; + preauth_systems[k].type = ftable->pa_type_list[j]; + if (ftable->flags_proc != NULL) + preauth_systems[k].flags = ftable->flags_proc(context, preauth_systems[k].type); + else + preauth_systems[k].flags = 0; + preauth_systems[k].plugin_context = plugin_context; + preauth_systems[k].init = server_init_proc; + /* Only call fini once for each plugin */ + if (j == 0) + preauth_systems[k].fini = ftable->fini_proc; + else + preauth_systems[k].fini = NULL; + preauth_systems[k].get_edata = ftable->edata_proc; + preauth_systems[k].verify_padata = ftable->verify_proc; + preauth_systems[k].return_padata = ftable->return_proc; + preauth_systems[k].free_pa_reqctx = + ftable->freepa_reqcontext_proc; + k++; + } + } + krb5int_free_plugin_dir_data(preauth_plugins_ftables); } free(kdc_realm_names); n_preauth_systems = k; @@ -544,17 +545,17 @@ unload_preauth_plugins(krb5_context context) { int i; if (preauth_systems != NULL) { - for (i = 0; i < n_preauth_systems; i++) { - if (preauth_systems[i].fini != NULL) { - (*preauth_systems[i].fini)(context, - preauth_systems[i].plugin_context); - } - memset(&preauth_systems[i], 0, sizeof(preauth_systems[i])); - } - free(preauth_systems); - preauth_systems = NULL; - n_preauth_systems = 0; - krb5int_close_plugin_dirs(&preauth_plugins); + for (i = 0; i < n_preauth_systems; i++) { + if (preauth_systems[i].fini != NULL) { + (*preauth_systems[i].fini)(context, + preauth_systems[i].plugin_context); + } + memset(&preauth_systems[i], 0, sizeof(preauth_systems[i])); + } + free(preauth_systems); + preauth_systems = NULL; + n_preauth_systems = 0; + krb5int_close_plugin_dirs(&preauth_plugins); } return 0; } @@ -567,8 +568,8 @@ unload_preauth_plugins(krb5_context context) struct request_pa_context { int n_contexts; struct { - krb5_preauth_systems *pa_system; - void *pa_context; + krb5_preauth_systems *pa_system; + void *pa_context; } *contexts; }; @@ -580,21 +581,21 @@ make_padata_context(krb5_context context, void **padata_context) ret = malloc(sizeof(*ret)); if (ret == NULL) { - return ENOMEM; + return ENOMEM; } ret->n_contexts = n_preauth_systems; ret->contexts = malloc(sizeof(ret->contexts[0]) * ret->n_contexts); if (ret->contexts == NULL) { - free(ret); - return ENOMEM; + free(ret); + return ENOMEM; } memset(ret->contexts, 0, sizeof(ret->contexts[0]) * ret->n_contexts); for (i = 0; i < ret->n_contexts; i++) { - ret->contexts[i].pa_system = &preauth_systems[i]; - ret->contexts[i].pa_context = NULL; + ret->contexts[i].pa_system = &preauth_systems[i]; + ret->contexts[i].pa_context = NULL; } *padata_context = ret; @@ -616,20 +617,20 @@ free_padata_context(krb5_context kcontext, void **padata_context) int i; if (padata_context == NULL) - return 0; + return 0; context = *padata_context; for (i = 0; i < context->n_contexts; i++) { - if (context->contexts[i].pa_context != NULL) { - preauth_system = context->contexts[i].pa_system; - mctx = preauth_system->plugin_context; - if (preauth_system->free_pa_reqctx != NULL) { - pctx = &context->contexts[i].pa_context; - (*preauth_system->free_pa_reqctx)(kcontext, mctx, pctx); - } - context->contexts[i].pa_context = NULL; - } + if (context->contexts[i].pa_context != NULL) { + preauth_system = context->contexts[i].pa_system; + mctx = preauth_system->plugin_context; + if (preauth_system->free_pa_reqctx != NULL) { + pctx = &context->contexts[i].pa_context; + (*preauth_system->free_pa_reqctx)(kcontext, mctx, pctx); + } + context->contexts[i].pa_context = NULL; + } } free(context->contexts); @@ -642,25 +643,25 @@ free_padata_context(krb5_context kcontext, void **padata_context) * contents in a new krb5_data, which must be freed by the caller. */ static krb5_error_code get_entry_tl_data(krb5_context context, krb5_db_entry *entry, - krb5_int16 tl_data_type, krb5_data **result) + krb5_int16 tl_data_type, krb5_data **result) { krb5_tl_data *tl; for (tl = entry->tl_data; tl != NULL; tl = tl->tl_data_next) { - if (tl->tl_data_type == tl_data_type) { - *result = malloc(sizeof(krb5_data)); - if (*result == NULL) { - return ENOMEM; - } - (*result)->magic = KV5M_DATA; - (*result)->data = malloc(tl->tl_data_length); - if ((*result)->data == NULL) { - free(*result); - *result = NULL; - return ENOMEM; - } - memcpy((*result)->data, tl->tl_data_contents, tl->tl_data_length); - return 0; - } + if (tl->tl_data_type == tl_data_type) { + *result = malloc(sizeof(krb5_data)); + if (*result == NULL) { + return ENOMEM; + } + (*result)->magic = KV5M_DATA; + (*result)->data = malloc(tl->tl_data_length); + if ((*result)->data == NULL) { + free(*result); + *result = NULL; + return ENOMEM; + } + memcpy((*result)->data, tl->tl_data_contents, tl->tl_data_length); + return 0; + } } return ENOENT; } @@ -675,9 +676,9 @@ get_entry_tl_data(krb5_context context, krb5_db_entry *entry, */ static krb5_error_code get_entry_data(krb5_context context, - krb5_kdc_req *request, krb5_db_entry *entry, - krb5_int32 type, - krb5_data **result) + krb5_kdc_req *request, krb5_db_entry *entry, + krb5_int32 type, + krb5_data **result) { int i, k; krb5_data *ret; @@ -689,37 +690,37 @@ get_entry_data(krb5_context context, switch (type) { case krb5plugin_preauth_entry_request_certificate: - return get_entry_tl_data(context, entry, - KRB5_TL_USER_CERTIFICATE, result); - break; + return get_entry_tl_data(context, entry, + KRB5_TL_USER_CERTIFICATE, result); + break; case krb5plugin_preauth_entry_max_time_skew: - ret = malloc(sizeof(krb5_data)); - if (ret == NULL) - return ENOMEM; - delta = malloc(sizeof(krb5_deltat)); - if (delta == NULL) { - free(ret); - return ENOMEM; - } - *delta = context->clockskew; - ret->data = (char *) delta; - ret->length = sizeof(*delta); - *result = ret; - return 0; - break; + ret = malloc(sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + delta = malloc(sizeof(krb5_deltat)); + if (delta == NULL) { + free(ret); + return ENOMEM; + } + *delta = context->clockskew; + ret->data = (char *) delta; + ret->length = sizeof(*delta); + *result = ret; + return 0; + break; case krb5plugin_preauth_keys: - ret = malloc(sizeof(krb5_data)); - if (ret == NULL) - return ENOMEM; - keys = malloc(sizeof(krb5_keyblock) * (request->nktypes + 1)); - if (keys == NULL) { - free(ret); - return ENOMEM; - } - ret->data = (char *) keys; - ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1); - memset(ret->data, 0, ret->length); - if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, + ret = malloc(sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + keys = malloc(sizeof(krb5_keyblock) * (request->nktypes + 1)); + if (keys == NULL) { + free(ret); + return ENOMEM; + } + ret->data = (char *) keys; + ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1); + memset(ret->data, 0, ret->length); + if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, &mkey_ptr))) { krb5_keylist_node *tmp_mkey_list; /* try refreshing the mkey list in case it's been updated */ @@ -738,64 +739,64 @@ get_entry_data(krb5_context context, return (error); } } - k = 0; - for (i = 0; i < request->nktypes; i++) { - entry_key = NULL; - if (krb5_dbe_find_enctype(context, entry, request->ktype[i], - -1, 0, &entry_key) != 0) - continue; - if (krb5_dbekd_decrypt_key_data(context, mkey_ptr, - entry_key, &keys[k], NULL) != 0) { - if (keys[k].contents != NULL) - krb5_free_keyblock_contents(context, &keys[k]); - memset(&keys[k], 0, sizeof(keys[k])); - continue; - } - k++; - } - if (k > 0) { - *result = ret; - return 0; - } else { - free(keys); - free(ret); - } - break; + k = 0; + for (i = 0; i < request->nktypes; i++) { + entry_key = NULL; + if (krb5_dbe_find_enctype(context, entry, request->ktype[i], + -1, 0, &entry_key) != 0) + continue; + if (krb5_dbekd_decrypt_key_data(context, mkey_ptr, + entry_key, &keys[k], NULL) != 0) { + if (keys[k].contents != NULL) + krb5_free_keyblock_contents(context, &keys[k]); + memset(&keys[k], 0, sizeof(keys[k])); + continue; + } + k++; + } + if (k > 0) { + *result = ret; + return 0; + } else { + free(keys); + free(ret); + } + break; case krb5plugin_preauth_request_body: - ret = NULL; - encode_krb5_kdc_req_body(request, &ret); - if (ret != NULL) { - *result = ret; - return 0; - } - return ASN1_PARSE_ERROR; - break; + ret = NULL; + encode_krb5_kdc_req_body(request, &ret); + if (ret != NULL) { + *result = ret; + return 0; + } + return ASN1_PARSE_ERROR; + break; case krb5plugin_preauth_fast_armor: - ret = calloc(1, sizeof(krb5_data)); - if (ret == NULL) - return ENOMEM; - if (state->armor_key == NULL) { - *result = ret; - return 0; - } - error = krb5_copy_keyblock(context, state->armor_key, &keys); - if (error == 0) { - ret->data = (char *) keys; - ret->length = sizeof(krb5_keyblock); - *result = ret; - return 0; - } - free(ret); - return error; + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + if (state->armor_key == NULL) { + *result = ret; + return 0; + } + error = krb5_copy_keyblock(context, state->armor_key, &keys); + if (error == 0) { + ret->data = (char *) keys; + ret->length = sizeof(krb5_keyblock); + *result = ret; + return 0; + } + free(ret); + return error; case krb5plugin_preauth_free_fast_armor: - if ((*result)->data) { - keys = (krb5_keyblock *) (*result)->data; - krb5_free_keyblock(context, keys); - } - free(*result); - return 0; + if ((*result)->data) { + keys = (krb5_keyblock *) (*result)->data; + krb5_free_keyblock(context, keys); + } + free(*result); + return 0; default: - break; + break; } return ENOENT; } @@ -807,30 +808,30 @@ find_pa_system(int type, krb5_preauth_systems **preauth) ap = preauth_systems ? preauth_systems : static_preauth_systems; while ((ap->type != -1) && (ap->type != type)) - ap++; + ap++; if (ap->type == -1) - return(KRB5_PREAUTH_BAD_TYPE); + return(KRB5_PREAUTH_BAD_TYPE); *preauth = ap; return 0; -} +} static krb5_error_code find_pa_context(krb5_preauth_systems *pa_sys, - struct request_pa_context *context, - void ***pa_context) + struct request_pa_context *context, + void ***pa_context) { int i; *pa_context = 0; if (context == NULL) - return KRB5KRB_ERR_GENERIC; + return KRB5KRB_ERR_GENERIC; for (i = 0; i < context->n_contexts; i++) { - if (context->contexts[i].pa_system == pa_sys) { - *pa_context = &context->contexts[i].pa_context; - return 0; - } + if (context->contexts[i].pa_system == pa_sys) { + *pa_context = &context->contexts[i].pa_context; + return 0; + } } return KRB5KRB_ERR_GENERIC; @@ -844,9 +845,9 @@ static krb5_boolean pa_list_includes(krb5_pa_data **pa_data, krb5_preauthtype pa_type) { while (*pa_data != NULL) { - if ((*pa_data)->pa_type == pa_type) - return TRUE; - pa_data++; + if ((*pa_data)->pa_type == pa_type) + return TRUE; + pa_data++; } return FALSE; } @@ -859,158 +860,158 @@ sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order) i = 0; for (j = 0; j < n_preauth_systems; j++) { if (preauth_systems[j].return_padata != NULL) - pa_order[i++] = j; + pa_order[i++] = j; } n_repliers = i; pa_order[n_repliers] = -1; /* Reorder so that PA_REPLACES_KEY modules are listed first. */ for (i = 0; i < n_repliers; i++) { - /* If this module replaces the key, then it's okay to leave it where it - * is in the order. */ - if (preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY) - continue; - /* If not, search for a module which does, and swap in the first one we - * find. */ + /* If this module replaces the key, then it's okay to leave it where it + * is in the order. */ + if (preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY) + continue; + /* If not, search for a module which does, and swap in the first one we + * find. */ for (j = i + 1; j < n_repliers; j++) { - if (preauth_systems[pa_order[j]].flags & PA_REPLACES_KEY) { + if (preauth_systems[pa_order[j]].flags & PA_REPLACES_KEY) { k = pa_order[j]; - pa_order[j] = pa_order[i]; - pa_order[i] = k; - break; - } + pa_order[j] = pa_order[i]; + pa_order[i] = k; + break; + } } } if (request->padata != NULL) { - /* Now reorder the subset of modules which replace the key, - * bubbling those which handle pa_data types provided by the - * client ahead of the others. */ - for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) { - continue; - } - n_key_replacers = i; - for (i = 0; i < n_key_replacers; i++) { - if (pa_list_includes(request->padata, - preauth_systems[pa_order[i]].type)) - continue; - for (j = i + 1; j < n_key_replacers; j++) { - if (pa_list_includes(request->padata, - preauth_systems[pa_order[j]].type)) { - k = pa_order[j]; - pa_order[j] = pa_order[i]; - pa_order[i] = k; - break; - } - } - } + /* Now reorder the subset of modules which replace the key, + * bubbling those which handle pa_data types provided by the + * client ahead of the others. */ + for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) { + continue; + } + n_key_replacers = i; + for (i = 0; i < n_key_replacers; i++) { + if (pa_list_includes(request->padata, + preauth_systems[pa_order[i]].type)) + continue; + for (j = i + 1; j < n_key_replacers; j++) { + if (pa_list_includes(request->padata, + preauth_systems[pa_order[j]].type)) { + k = pa_order[j]; + pa_order[j] = pa_order[i]; + pa_order[i] = k; + break; + } + } + } } #ifdef DEBUG krb5_klog_syslog(LOG_DEBUG, "original preauth mechanism list:"); for (i = 0; i < n_preauth_systems; i++) { - if (preauth_systems[i].return_padata != NULL) + if (preauth_systems[i].return_padata != NULL) krb5_klog_syslog(LOG_DEBUG, "... %s(%d)", preauth_systems[i].name, - preauth_systems[i].type); + preauth_systems[i].type); } krb5_klog_syslog(LOG_DEBUG, "sorted preauth mechanism list:"); for (i = 0; pa_order[i] != -1; i++) { krb5_klog_syslog(LOG_DEBUG, "... %s(%d)", - preauth_systems[pa_order[i]].name, - preauth_systems[pa_order[i]].type); + preauth_systems[pa_order[i]].name, + preauth_systems[pa_order[i]].type); } #endif } const char *missing_required_preauth(krb5_db_entry *client, - krb5_db_entry *server, - krb5_enc_tkt_part *enc_tkt_reply) + krb5_db_entry *server, + krb5_enc_tkt_part *enc_tkt_reply) { #if 0 /* * If this is the pwchange service, and the pre-auth bit is set, * allow it even if the HW preauth would normally be required. - * + * * Sandia national labs wanted this for some strange reason... we * leave it disabled normally. */ if (isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE) && - isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH)) - return 0; + isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH)) + return 0; #endif - + #ifdef DEBUG krb5_klog_syslog (LOG_DEBUG, - "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth", - isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ", - isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ", - isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ", - isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no "); + "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth", + isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ", + isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ", + isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ", + isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no "); #endif if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && - !isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH)) - return "NEEDED_PREAUTH"; + !isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH)) + return "NEEDED_PREAUTH"; if (isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) && - !isflagset(enc_tkt_reply->flags, TKT_FLG_HW_AUTH)) - return "NEEDED_HW_PREAUTH"; + !isflagset(enc_tkt_reply->flags, TKT_FLG_HW_AUTH)) + return "NEEDED_HW_PREAUTH"; return 0; } void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, - krb5_db_entry *server, krb5_data *e_data) + krb5_db_entry *server, krb5_data *e_data) { int hw_only; krb5_preauth_systems *ap; krb5_pa_data **pa_data, **pa; krb5_data *edat; krb5_error_code retval; - + /* Zero these out in case we need to abort */ e_data->length = 0; e_data->data = 0; - + hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); /* Allocate two extra entries for the cookie and the terminator. */ pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *)); if (pa_data == 0) - return; + return; pa = pa_data; for (ap = preauth_systems; ap->type != -1; ap++) { - if (hw_only && !(ap->flags & PA_HARDWARE)) - continue; - if (ap->flags & PA_PSEUDO) - continue; - *pa = malloc(sizeof(krb5_pa_data)); - if (*pa == 0) - goto errout; - memset(*pa, 0, sizeof(krb5_pa_data)); - (*pa)->magic = KV5M_PA_DATA; - (*pa)->pa_type = ap->type; - if (ap->get_edata) { - retval = (ap->get_edata)(kdc_context, request, client, server, - get_entry_data, ap->plugin_context, *pa); - if (retval) { - /* just failed on this type, continue */ - free(*pa); - *pa = 0; - continue; - } - } - pa++; + if (hw_only && !(ap->flags & PA_HARDWARE)) + continue; + if (ap->flags & PA_PSEUDO) + continue; + *pa = malloc(sizeof(krb5_pa_data)); + if (*pa == 0) + goto errout; + memset(*pa, 0, sizeof(krb5_pa_data)); + (*pa)->magic = KV5M_PA_DATA; + (*pa)->pa_type = ap->type; + if (ap->get_edata) { + retval = (ap->get_edata)(kdc_context, request, client, server, + get_entry_data, ap->plugin_context, *pa); + if (retval) { + /* just failed on this type, continue */ + free(*pa); + *pa = 0; + continue; + } + } + pa++; } if (pa_data[0] == 0) { - krb5_klog_syslog (LOG_INFO, - "%spreauth required but hint list is empty", - hw_only ? "hw" : ""); + krb5_klog_syslog (LOG_INFO, + "%spreauth required but hint list is empty", + hw_only ? "hw" : ""); } /* If we fail to get the cookie it is probably still reasonable to continue with the response*/ kdc_preauth_get_cookie(request->kdc_state, pa); retval = encode_krb5_padata_sequence(pa_data, &edat); if (retval) - goto errout; + goto errout; *e_data = *edat; free(edat); @@ -1031,36 +1032,36 @@ add_authorization_data(krb5_enc_tkt_part *enc_tkt_part, krb5_authdata **ad) int i; if (enc_tkt_part == NULL || ad == NULL) - return EINVAL; + return EINVAL; for (newones = 0; ad[newones] != NULL; newones++); if (newones == 0) - return 0; /* nothing to add */ + return 0; /* nothing to add */ if (enc_tkt_part->authorization_data == NULL) - oldones = 0; + oldones = 0; else - for (oldones = 0; - enc_tkt_part->authorization_data[oldones] != NULL; oldones++); + for (oldones = 0; + enc_tkt_part->authorization_data[oldones] != NULL; oldones++); newad = malloc((oldones + newones + 1) * sizeof(krb5_authdata *)); if (newad == NULL) - return ENOMEM; + return ENOMEM; /* Copy any existing pointers */ for (i = 0; i < oldones; i++) - newad[i] = enc_tkt_part->authorization_data[i]; + newad[i] = enc_tkt_part->authorization_data[i]; /* Add the new ones */ for (i = 0; i < newones; i++) - newad[oldones+i] = ad[i]; + newad[oldones+i] = ad[i]; /* Terminate the new list */ newad[oldones+i] = NULL; /* Free any existing list */ if (enc_tkt_part->authorization_data != NULL) - free(enc_tkt_part->authorization_data); + free(enc_tkt_part->authorization_data); /* Install our new list */ enc_tkt_part->authorization_data = newad; @@ -1078,25 +1079,25 @@ add_authorization_data(krb5_enc_tkt_part *enc_tkt_part, krb5_authdata **ad) krb5_error_code check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, - void **padata_context, krb5_data *e_data) + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + void **padata_context, krb5_data *e_data) { krb5_error_code retval = 0; krb5_pa_data **padata; krb5_preauth_systems *pa_sys; void **pa_context; krb5_data *pa_e_data = NULL, *tmp_e_data = NULL; - int pa_ok = 0, pa_found = 0; + int pa_ok = 0, pa_found = 0; krb5_error_code saved_retval = 0; int use_saved_retval = 0; const char *emsg; krb5_authdata **tmp_authz_data = NULL; if (request->padata == 0) - return 0; + return 0; if (make_padata_context(context, padata_context) != 0) { - return KRB5KRB_ERR_GENERIC; + return KRB5KRB_ERR_GENERIC; } #ifdef DEBUG @@ -1104,109 +1105,109 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, #endif for (padata = request->padata; *padata; padata++) { #ifdef DEBUG - krb5_klog_syslog (LOG_DEBUG, ".. pa_type 0x%x", (*padata)->pa_type); + krb5_klog_syslog (LOG_DEBUG, ".. pa_type 0x%x", (*padata)->pa_type); #endif - if (find_pa_system((*padata)->pa_type, &pa_sys)) - continue; - if (find_pa_context(pa_sys, *padata_context, &pa_context)) - continue; + if (find_pa_system((*padata)->pa_type, &pa_sys)) + continue; + if (find_pa_context(pa_sys, *padata_context, &pa_context)) + continue; #ifdef DEBUG - krb5_klog_syslog (LOG_DEBUG, ".. pa_type %s", pa_sys->name); + krb5_klog_syslog (LOG_DEBUG, ".. pa_type %s", pa_sys->name); #endif - if (pa_sys->verify_padata == 0) - continue; - pa_found++; - retval = pa_sys->verify_padata(context, client, req_pkt, request, - enc_tkt_reply, *padata, - get_entry_data, pa_sys->plugin_context, - pa_context, &tmp_e_data, &tmp_authz_data); - if (retval) { - emsg = krb5_get_error_message (context, retval); - krb5_klog_syslog (LOG_INFO, "preauth (%s) verify failure: %s", - pa_sys->name, emsg); - krb5_free_error_message (context, emsg); - /* Ignore authorization data returned from modules that fail */ - if (tmp_authz_data != NULL) { - krb5_free_authdata(context, tmp_authz_data); - tmp_authz_data = NULL; - } - if (pa_sys->flags & PA_REQUIRED) { - /* free up any previous edata we might have been saving */ - if (pa_e_data != NULL) - krb5_free_data(context, pa_e_data); - pa_e_data = tmp_e_data; - tmp_e_data = NULL; - use_saved_retval = 0; /* Make sure we use the current retval */ - pa_ok = 0; - break; - } - /* - * We'll return edata from either the first PA_REQUIRED module - * that fails, or the first non-PA_REQUIRED module that fails. - * Hang on to edata from the first non-PA_REQUIRED module. - * If we've already got one saved, simply discard this one. - */ - if (tmp_e_data != NULL) { - if (pa_e_data == NULL) { - /* save the first error code and e-data */ - pa_e_data = tmp_e_data; - tmp_e_data = NULL; - saved_retval = retval; - use_saved_retval = 1; - } else { - /* discard this extra e-data from non-PA_REQUIRED module */ - krb5_free_data(context, tmp_e_data); - tmp_e_data = NULL; - } - } - } else { + if (pa_sys->verify_padata == 0) + continue; + pa_found++; + retval = pa_sys->verify_padata(context, client, req_pkt, request, + enc_tkt_reply, *padata, + get_entry_data, pa_sys->plugin_context, + pa_context, &tmp_e_data, &tmp_authz_data); + if (retval) { + emsg = krb5_get_error_message (context, retval); + krb5_klog_syslog (LOG_INFO, "preauth (%s) verify failure: %s", + pa_sys->name, emsg); + krb5_free_error_message (context, emsg); + /* Ignore authorization data returned from modules that fail */ + if (tmp_authz_data != NULL) { + krb5_free_authdata(context, tmp_authz_data); + tmp_authz_data = NULL; + } + if (pa_sys->flags & PA_REQUIRED) { + /* free up any previous edata we might have been saving */ + if (pa_e_data != NULL) + krb5_free_data(context, pa_e_data); + pa_e_data = tmp_e_data; + tmp_e_data = NULL; + use_saved_retval = 0; /* Make sure we use the current retval */ + pa_ok = 0; + break; + } + /* + * We'll return edata from either the first PA_REQUIRED module + * that fails, or the first non-PA_REQUIRED module that fails. + * Hang on to edata from the first non-PA_REQUIRED module. + * If we've already got one saved, simply discard this one. + */ + if (tmp_e_data != NULL) { + if (pa_e_data == NULL) { + /* save the first error code and e-data */ + pa_e_data = tmp_e_data; + tmp_e_data = NULL; + saved_retval = retval; + use_saved_retval = 1; + } else { + /* discard this extra e-data from non-PA_REQUIRED module */ + krb5_free_data(context, tmp_e_data); + tmp_e_data = NULL; + } + } + } else { #ifdef DEBUG - krb5_klog_syslog (LOG_DEBUG, ".. .. ok"); + krb5_klog_syslog (LOG_DEBUG, ".. .. ok"); #endif - /* Ignore any edata returned on success */ - if (tmp_e_data != NULL) { - krb5_free_data(context, tmp_e_data); - tmp_e_data = NULL; - } - /* Add any authorization data to the ticket */ - if (tmp_authz_data != NULL) { - add_authorization_data(enc_tkt_reply, tmp_authz_data); - free(tmp_authz_data); - tmp_authz_data = NULL; - } - pa_ok = 1; - if (pa_sys->flags & PA_SUFFICIENT) - break; - } + /* Ignore any edata returned on success */ + if (tmp_e_data != NULL) { + krb5_free_data(context, tmp_e_data); + tmp_e_data = NULL; + } + /* Add any authorization data to the ticket */ + if (tmp_authz_data != NULL) { + add_authorization_data(enc_tkt_reply, tmp_authz_data); + free(tmp_authz_data); + tmp_authz_data = NULL; + } + pa_ok = 1; + if (pa_sys->flags & PA_SUFFICIENT) + break; + } } /* Don't bother copying and returning e-data on success */ if (pa_ok && pa_e_data != NULL) { - krb5_free_data(context, pa_e_data); - pa_e_data = NULL; + krb5_free_data(context, pa_e_data); + pa_e_data = NULL; } /* Return any e-data from the preauth that caused us to exit the loop */ if (pa_e_data != NULL) { - e_data->data = malloc(pa_e_data->length); - if (e_data->data == NULL) { - krb5_free_data(context, pa_e_data); - return KRB5KRB_ERR_GENERIC; - } - memcpy(e_data->data, pa_e_data->data, pa_e_data->length); - e_data->length = pa_e_data->length; - krb5_free_data(context, pa_e_data); - pa_e_data = NULL; - if (use_saved_retval != 0) - retval = saved_retval; + e_data->data = malloc(pa_e_data->length); + if (e_data->data == NULL) { + krb5_free_data(context, pa_e_data); + return KRB5KRB_ERR_GENERIC; + } + memcpy(e_data->data, pa_e_data->data, pa_e_data->length); + e_data->length = pa_e_data->length; + krb5_free_data(context, pa_e_data); + pa_e_data = NULL; + if (use_saved_retval != 0) + retval = saved_retval; } if (pa_ok) - return 0; + return 0; /* pa system was not found; we may return PREAUTH_REQUIRED later, but we did not actually fail to verify the pre-auth. */ if (!pa_found) - return 0; + return 0; /* The following switch statement allows us @@ -1217,7 +1218,7 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, case KRB5KRB_AP_ERR_BAD_INTEGRITY: case KRB5KRB_AP_ERR_SKEW: case KRB5KDC_ERR_ETYPE_NOSUPP: - /* rfc 4556 */ + /* rfc 4556 */ case KRB5KDC_ERR_CLIENT_NOT_TRUSTED: case KRB5KDC_ERR_INVALID_SIG: case KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED: @@ -1231,15 +1232,15 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, case KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED: case KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED: case KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED: - /* earlier drafts of what became rfc 4556 */ + /* earlier drafts of what became rfc 4556 */ case KRB5KDC_ERR_CERTIFICATE_MISMATCH: case KRB5KDC_ERR_KDC_NOT_TRUSTED: case KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE: - /* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */ - /* case KRB5KDC_ERR_KEY_TOO_WEAK: */ - return retval; + /* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */ + /* case KRB5KDC_ERR_KEY_TOO_WEAK: */ + return retval; default: - return KRB5KDC_ERR_PREAUTH_FAILED; + return KRB5KDC_ERR_PREAUTH_FAILED; } } @@ -1249,45 +1250,45 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, */ krb5_error_code return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, krb5_keyblock *encrypting_key, - void **padata_context) + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, krb5_keyblock *encrypting_key, + void **padata_context) { - krb5_error_code retval; - krb5_pa_data ** padata; - krb5_pa_data ** send_pa_list; - krb5_pa_data ** send_pa; - krb5_pa_data * pa = 0; - krb5_preauth_systems * ap; - int * pa_order; - int * pa_type; - int size = 0; - void ** pa_context; - krb5_boolean key_modified; - krb5_keyblock original_key; + krb5_error_code retval; + krb5_pa_data ** padata; + krb5_pa_data ** send_pa_list; + krb5_pa_data ** send_pa; + krb5_pa_data * pa = 0; + krb5_preauth_systems * ap; + int * pa_order; + int * pa_type; + int size = 0; + void ** pa_context; + krb5_boolean key_modified; + krb5_keyblock original_key; if ((!*padata_context)&& (make_padata_context(context, padata_context) != 0)) { - return KRB5KRB_ERR_GENERIC; + return KRB5KRB_ERR_GENERIC; } for (ap = preauth_systems; ap->type != -1; ap++) { - if (ap->return_padata) - size++; + if (ap->return_padata) + size++; } if ((send_pa_list = malloc((size+1) * sizeof(krb5_pa_data *))) == NULL) - return ENOMEM; + return ENOMEM; if ((pa_order = malloc((size+1) * sizeof(int))) == NULL) { - free(send_pa_list); - return ENOMEM; + free(send_pa_list); + return ENOMEM; } sort_pa_order(context, request, pa_order); retval = krb5_copy_keyblock_contents(context, encrypting_key, - &original_key); + &original_key); if (retval) { - free(send_pa_list); - free(pa_order); - return retval; + free(send_pa_list); + free(pa_order); + return retval; } key_modified = FALSE; @@ -1295,117 +1296,117 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, *send_pa = 0; for (pa_type = pa_order; *pa_type != -1; pa_type++) { - ap = &preauth_systems[*pa_type]; + ap = &preauth_systems[*pa_type]; if (!key_modified) - if (original_key.enctype != encrypting_key->enctype) + if (original_key.enctype != encrypting_key->enctype) key_modified = TRUE; if (!key_modified) - if (original_key.length != encrypting_key->length) + if (original_key.length != encrypting_key->length) key_modified = TRUE; if (!key_modified) - if (memcmp(original_key.contents, encrypting_key->contents, - original_key.length) != 0) + if (memcmp(original_key.contents, encrypting_key->contents, + original_key.length) != 0) key_modified = TRUE; - if (key_modified && (ap->flags & PA_REPLACES_KEY)) - continue; - if (ap->return_padata == 0) - continue; - if (find_pa_context(ap, *padata_context, &pa_context)) - continue; - pa = 0; - if (request->padata) { - for (padata = request->padata; *padata; padata++) { - if ((*padata)->pa_type == ap->type) { - pa = *padata; - break; - } - } - } - if ((retval = ap->return_padata(context, pa, client, req_pkt, request, reply, - client_key, encrypting_key, send_pa, - get_entry_data, ap->plugin_context, - pa_context))) { - goto cleanup; - } - - if (*send_pa) - send_pa++; - *send_pa = 0; - } - + if (key_modified && (ap->flags & PA_REPLACES_KEY)) + continue; + if (ap->return_padata == 0) + continue; + if (find_pa_context(ap, *padata_context, &pa_context)) + continue; + pa = 0; + if (request->padata) { + for (padata = request->padata; *padata; padata++) { + if ((*padata)->pa_type == ap->type) { + pa = *padata; + break; + } + } + } + if ((retval = ap->return_padata(context, pa, client, req_pkt, request, reply, + client_key, encrypting_key, send_pa, + get_entry_data, ap->plugin_context, + pa_context))) { + goto cleanup; + } + + if (*send_pa) + send_pa++; + *send_pa = 0; + } + retval = 0; if (send_pa_list[0]) { - reply->padata = send_pa_list; - send_pa_list = 0; + reply->padata = send_pa_list; + send_pa_list = 0; } - + cleanup: krb5_free_keyblock_contents(context, &original_key); free(pa_order); if (send_pa_list) - krb5_free_pa_data(context, send_pa_list); + krb5_free_pa_data(context, send_pa_list); return (retval); } static krb5_boolean request_contains_enctype (krb5_context context, const krb5_kdc_req *request, - krb5_enctype enctype) + krb5_enctype enctype) { int i; for (i =0; i < request->nktypes; i++) - if (request->ktype[i] == enctype) - return 1; + if (request->ktype[i] == enctype) + return 1; return 0; } static krb5_error_code get_enc_ts - (krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data_proc, - void *pa_system_context, - krb5_pa_data *data) +(krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data_proc, + void *pa_system_context, + krb5_pa_data *data) { - struct kdc_request_state *state = request->kdc_state; - if (state->armor_key) - return ENOENT; - return 0; + struct kdc_request_state *state = request->kdc_state; + if (state->armor_key) + return ENOENT; + return 0; } - - + + static krb5_error_code verify_enc_timestamp(krb5_context context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *pa, - preauth_get_entry_data_proc ets_get_entry_data, - void *pa_system_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *pa, + preauth_get_entry_data_proc ets_get_entry_data, + void *pa_system_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) { - krb5_pa_enc_ts * pa_enc = 0; - krb5_error_code retval; - krb5_data scratch; - krb5_data enc_ts_data; - krb5_enc_data *enc_data = 0; - krb5_keyblock key, *mkey_ptr; - krb5_key_data * client_key; - krb5_int32 start; - krb5_timestamp timenow; - krb5_error_code decrypt_err = 0; + krb5_pa_enc_ts * pa_enc = 0; + krb5_error_code retval; + krb5_data scratch; + krb5_data enc_ts_data; + krb5_enc_data *enc_data = 0; + krb5_keyblock key, *mkey_ptr; + krb5_key_data * client_key; + krb5_int32 start; + krb5_timestamp timenow; + krb5_error_code decrypt_err = 0; scratch.data = (char *)pa->contents; scratch.length = pa->length; enc_ts_data.data = 0; - + if ((retval = decode_krb5_enc_data(&scratch, &enc_data)) != 0) - goto cleanup; + goto cleanup; enc_ts_data.length = enc_data->ciphertext.length; if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL) - goto cleanup; + goto cleanup; if ((retval = krb5_dbe_find_mkey(context, master_keylist, client, &mkey_ptr))) { @@ -1428,49 +1429,49 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, start = 0; decrypt_err = 0; while (1) { - if ((retval = krb5_dbe_search_enctype(context, client, - &start, enc_data->enctype, - -1, 0, &client_key))) - goto cleanup; + if ((retval = krb5_dbe_search_enctype(context, client, + &start, enc_data->enctype, + -1, 0, &client_key))) + goto cleanup; - if ((retval = krb5_dbekd_decrypt_key_data(context, mkey_ptr, - client_key, &key, NULL))) - goto cleanup; + if ((retval = krb5_dbekd_decrypt_key_data(context, mkey_ptr, + client_key, &key, NULL))) + goto cleanup; - key.enctype = enc_data->enctype; + key.enctype = enc_data->enctype; - retval = krb5_c_decrypt(context, &key, KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS, - 0, enc_data, &enc_ts_data); - krb5_free_keyblock_contents(context, &key); - if (retval == 0) - break; - else - decrypt_err = retval; + retval = krb5_c_decrypt(context, &key, KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS, + 0, enc_data, &enc_ts_data); + krb5_free_keyblock_contents(context, &key); + if (retval == 0) + break; + else + decrypt_err = retval; } if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0) - goto cleanup; + goto cleanup; if ((retval = krb5_timeofday(context, &timenow)) != 0) - goto cleanup; - + goto cleanup; + if (labs(timenow - pa_enc->patimestamp) > context->clockskew) { - retval = KRB5KRB_AP_ERR_SKEW; - goto cleanup; + retval = KRB5KRB_AP_ERR_SKEW; + goto cleanup; } setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH); retval = 0; - + cleanup: if (enc_data) { - krb5_free_data_contents(context, &enc_data->ciphertext); - free(enc_data); + krb5_free_data_contents(context, &enc_data->ciphertext); + free(enc_data); } krb5_free_data_contents(context, &enc_ts_data); if (pa_enc) - free(pa_enc); + free(pa_enc); /* * If we get NO_MATCHING_KEY and decryption previously failed, and * we failed to find any other keys of the correct enctype after @@ -1478,22 +1479,22 @@ cleanup: * incorrect. */ if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0) - retval = decrypt_err; + retval = decrypt_err; return retval; } static krb5_error_code _make_etype_info_entry(krb5_context context, - krb5_principal client_princ, krb5_key_data *client_key, - krb5_enctype etype, krb5_etype_info_entry **entry, - int etype_info2) + krb5_principal client_princ, krb5_key_data *client_key, + krb5_enctype etype, krb5_etype_info_entry **entry, + int etype_info2) { - krb5_data salt; - krb5_etype_info_entry * tmp_entry; - krb5_error_code retval; + krb5_data salt; + krb5_etype_info_entry * tmp_entry; + krb5_error_code retval; if ((tmp_entry = malloc(sizeof(krb5_etype_info_entry))) == NULL) - return ENOMEM; + return ENOMEM; salt.data = 0; @@ -1505,125 +1506,125 @@ _make_etype_info_entry(krb5_context context, tmp_entry->s2kparams.length = 0; retval = get_salt_from_key(context, client_princ, client_key, &salt); if (retval) - goto fail; + goto fail; if (etype_info2 && client_key->key_data_ver > 1 && - client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_AFS3) { - switch (etype) { - case ENCTYPE_DES_CBC_CRC: - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_MD5: - tmp_entry->s2kparams.data = malloc(1); - if (tmp_entry->s2kparams.data == NULL) { - retval = ENOMEM; - goto fail; - } - tmp_entry->s2kparams.length = 1; - tmp_entry->s2kparams.data[0] = 1; - break; - default: - break; - } + client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_AFS3) { + switch (etype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + tmp_entry->s2kparams.data = malloc(1); + if (tmp_entry->s2kparams.data == NULL) { + retval = ENOMEM; + goto fail; + } + tmp_entry->s2kparams.length = 1; + tmp_entry->s2kparams.data[0] = 1; + break; + default: + break; + } } if (salt.length >= 0) { - tmp_entry->length = salt.length; - tmp_entry->salt = (unsigned char *) salt.data; - salt.data = 0; + tmp_entry->length = salt.length; + tmp_entry->salt = (unsigned char *) salt.data; + salt.data = 0; } *entry = tmp_entry; return 0; fail: if (tmp_entry) { - if (tmp_entry->s2kparams.data) - free(tmp_entry->s2kparams.data); - free(tmp_entry); + if (tmp_entry->s2kparams.data) + free(tmp_entry->s2kparams.data); + free(tmp_entry); } if (salt.data) - free(salt.data); + free(salt.data); return retval; } /* * This function returns the etype information for a particular * client, to be passed back in the preauth list in the KRB_ERROR * message. It supports generating both etype_info and etype_info2 - * as most of the work is the same. + * as most of the work is the same. */ static krb5_error_code etype_info_helper(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_pa_data *pa_data, int etype_info2) + krb5_db_entry *client, krb5_db_entry *server, + krb5_pa_data *pa_data, int etype_info2) { - krb5_etype_info_entry ** entry = 0; - krb5_key_data *client_key; - krb5_error_code retval; - krb5_data * scratch; - krb5_enctype db_etype; - int i = 0; - int start = 0; - int seen_des = 0; + krb5_etype_info_entry ** entry = 0; + krb5_key_data *client_key; + krb5_error_code retval; + krb5_data * scratch; + krb5_enctype db_etype; + int i = 0; + int start = 0; + int seen_des = 0; entry = malloc((client->n_key_data * 2 + 1) * sizeof(krb5_etype_info_entry *)); if (entry == NULL) - return ENOMEM; + return ENOMEM; entry[0] = NULL; while (1) { - retval = krb5_dbe_search_enctype(context, client, &start, -1, - -1, 0, &client_key); - if (retval == KRB5_KDB_NO_MATCHING_KEY) - break; - if (retval) - goto cleanup; - db_etype = client_key->key_data_type[0]; - if (db_etype == ENCTYPE_DES_CBC_MD4) - db_etype = ENCTYPE_DES_CBC_MD5; - - if (request_contains_enctype(context, request, db_etype)) { - assert(etype_info2 || - !enctype_requires_etype_info_2(db_etype)); - retval = _make_etype_info_entry(context, client->princ, client_key, - db_etype, &entry[i], etype_info2); - if (retval != 0) - goto cleanup; - entry[i+1] = 0; - i++; - } - - /* - * If there is a des key in the kdb, try the "similar" enctypes, - * avoid duplicate entries. - */ - if (!seen_des) { - switch (db_etype) { - case ENCTYPE_DES_CBC_MD5: - db_etype = ENCTYPE_DES_CBC_CRC; - break; - case ENCTYPE_DES_CBC_CRC: - db_etype = ENCTYPE_DES_CBC_MD5; - break; - default: - continue; - - } - if (request_contains_enctype(context, request, db_etype)) { - retval = _make_etype_info_entry(context, client->princ, - client_key, db_etype, - &entry[i], etype_info2); - if (retval != 0) - goto cleanup; - entry[i+1] = 0; - i++; - } - seen_des++; - } + retval = krb5_dbe_search_enctype(context, client, &start, -1, + -1, 0, &client_key); + if (retval == KRB5_KDB_NO_MATCHING_KEY) + break; + if (retval) + goto cleanup; + db_etype = client_key->key_data_type[0]; + if (db_etype == ENCTYPE_DES_CBC_MD4) + db_etype = ENCTYPE_DES_CBC_MD5; + + if (request_contains_enctype(context, request, db_etype)) { + assert(etype_info2 || + !enctype_requires_etype_info_2(db_etype)); + retval = _make_etype_info_entry(context, client->princ, client_key, + db_etype, &entry[i], etype_info2); + if (retval != 0) + goto cleanup; + entry[i+1] = 0; + i++; + } + + /* + * If there is a des key in the kdb, try the "similar" enctypes, + * avoid duplicate entries. + */ + if (!seen_des) { + switch (db_etype) { + case ENCTYPE_DES_CBC_MD5: + db_etype = ENCTYPE_DES_CBC_CRC; + break; + case ENCTYPE_DES_CBC_CRC: + db_etype = ENCTYPE_DES_CBC_MD5; + break; + default: + continue; + + } + if (request_contains_enctype(context, request, db_etype)) { + retval = _make_etype_info_entry(context, client->princ, + client_key, db_etype, + &entry[i], etype_info2); + if (retval != 0) + goto cleanup; + entry[i+1] = 0; + i++; + } + seen_des++; + } } if (etype_info2) - retval = encode_krb5_etype_info2(entry, &scratch); + retval = encode_krb5_etype_info2(entry, &scratch); else - retval = encode_krb5_etype_info(entry, &scratch); + retval = encode_krb5_etype_info(entry, &scratch); if (retval) - goto cleanup; + goto cleanup; pa_data->contents = (unsigned char *)scratch->data; pa_data->length = scratch->length; free(scratch); @@ -1632,45 +1633,45 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request, cleanup: if (entry) - krb5_free_etype_info(context, entry); + krb5_free_etype_info(context, entry); return retval; } static krb5_error_code get_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc etype_get_entry_data, - void *pa_system_context, - krb5_pa_data *pa_data) + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc etype_get_entry_data, + void *pa_system_context, + krb5_pa_data *pa_data) { - int i; + int i; for (i=0; i < request->nktypes; i++) { - if (enctype_requires_etype_info_2(request->ktype[i])) - return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will - * skip this - * type*/ + if (enctype_requires_etype_info_2(request->ktype[i])) + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will + * skip this + * type*/ } return etype_info_helper(context, request, client, server, pa_data, 0); } static krb5_error_code get_etype_info2(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc etype_get_entry_data, - void *pa_system_context, - krb5_pa_data *pa_data) + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc etype_get_entry_data, + void *pa_system_context, + krb5_pa_data *pa_data) { return etype_info_helper( context, request, client, server, pa_data, 1); } static krb5_error_code -etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - int etype_info2) +etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + int etype_info2) { int i; krb5_error_code retval; @@ -1683,181 +1684,181 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, * enctypes. */ if (!etype_info2) { - for (i = 0; i < request->nktypes; i++) { - if (enctype_requires_etype_info_2(request->ktype[i])) { - *send_pa = NULL; - return 0; - } - } + for (i = 0; i < request->nktypes; i++) { + if (enctype_requires_etype_info_2(request->ktype[i])) { + *send_pa = NULL; + return 0; + } + } } tmp_padata = malloc( sizeof(krb5_pa_data)); if (tmp_padata == NULL) - return ENOMEM; + return ENOMEM; if (etype_info2) - tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2; + tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2; else - tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO; + tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO; entry = malloc(2 * sizeof(krb5_etype_info_entry *)); if (entry == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } entry[0] = NULL; entry[1] = NULL; retval = _make_etype_info_entry(context, client->princ, client_key, - encrypting_key->enctype, entry, - etype_info2); + encrypting_key->enctype, entry, + etype_info2); if (retval) - goto cleanup; + goto cleanup; if (etype_info2) - retval = encode_krb5_etype_info2(entry, &scratch); + retval = encode_krb5_etype_info2(entry, &scratch); else - retval = encode_krb5_etype_info(entry, &scratch); + retval = encode_krb5_etype_info(entry, &scratch); if (retval) - goto cleanup; + goto cleanup; tmp_padata->contents = (krb5_octet *)scratch->data; tmp_padata->length = scratch->length; *send_pa = tmp_padata; - /* For cleanup - we no longer own the contents of the krb5_data + /* For cleanup - we no longer own the contents of the krb5_data * only to pointer to the krb5_data */ scratch->data = 0; - cleanup: +cleanup: if (entry) - krb5_free_etype_info(context, entry); + krb5_free_etype_info(context, entry); if (retval) { - if (tmp_padata) - free(tmp_padata); + if (tmp_padata) + free(tmp_padata); } if (scratch) - krb5_free_data(context, scratch); + krb5_free_data(context, scratch); return retval; } static krb5_error_code -return_etype_info2(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc etype_get_entry_data, - void *pa_system_context, - void **pa_request_context) +return_etype_info2(krb5_context context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc etype_get_entry_data, + void *pa_system_context, + void **pa_request_context) { return etype_info_as_rep_helper(context, padata, client, request, reply, - client_key, encrypting_key, send_pa, 1); + client_key, encrypting_key, send_pa, 1); } static krb5_error_code -return_etype_info(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc etypeget_entry_data, - void *pa_system_context, - void **pa_request_context) +return_etype_info(krb5_context context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc etypeget_entry_data, + void *pa_system_context, + void **pa_request_context) { return etype_info_as_rep_helper(context, padata, client, request, reply, - client_key, encrypting_key, send_pa, 0); + client_key, encrypting_key, send_pa, 0); } static krb5_error_code return_pw_salt(krb5_context context, krb5_pa_data *in_padata, - krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_key_data *client_key, - krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - preauth_get_entry_data_proc etype_get_entry_data, - void *pa_system_context, - void **pa_request_context) + krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_kdc_rep *reply, krb5_key_data *client_key, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + preauth_get_entry_data_proc etype_get_entry_data, + void *pa_system_context, + void **pa_request_context) { - krb5_error_code retval; - krb5_pa_data * padata; - krb5_data * scratch; - krb5_data salt_data; + krb5_error_code retval; + krb5_pa_data * padata; + krb5_data * scratch; + krb5_data salt_data; int i; - + for (i = 0; i < request->nktypes; i++) { - if (enctype_requires_etype_info_2(request->ktype[i])) - return 0; + if (enctype_requires_etype_info_2(request->ktype[i])) + return 0; } if (client_key->key_data_ver == 1 || - client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL) - return 0; + client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL) + return 0; if ((padata = malloc(sizeof(krb5_pa_data))) == NULL) - return ENOMEM; + return ENOMEM; padata->magic = KV5M_PA_DATA; padata->pa_type = KRB5_PADATA_PW_SALT; - + switch (client_key->key_data_type[1]) { case KRB5_KDB_SALTTYPE_V4: - /* send an empty (V4) salt */ - padata->contents = 0; - padata->length = 0; - break; + /* send an empty (V4) salt */ + padata->contents = 0; + padata->length = 0; + break; case KRB5_KDB_SALTTYPE_NOREALM: - if ((retval = krb5_principal2salt_norealm(kdc_context, - request->client, - &salt_data))) - goto cleanup; - padata->contents = (krb5_octet *)salt_data.data; - padata->length = salt_data.length; - break; + if ((retval = krb5_principal2salt_norealm(kdc_context, + request->client, + &salt_data))) + goto cleanup; + padata->contents = (krb5_octet *)salt_data.data; + padata->length = salt_data.length; + break; case KRB5_KDB_SALTTYPE_AFS3: - /* send an AFS style realm-based salt */ - /* for now, just pass the realm back and let the client - do the work. In the future, add a kdc configuration - variable that specifies the old cell name. */ - padata->pa_type = KRB5_PADATA_AFS3_SALT; - /* it would be just like ONLYREALM, but we need to pass the 0 */ - scratch = krb5_princ_realm(kdc_context, request->client); - if ((padata->contents = malloc(scratch->length+1)) == NULL) { - retval = ENOMEM; - goto cleanup; - } - memcpy(padata->contents, scratch->data, scratch->length); - padata->length = scratch->length+1; - padata->contents[scratch->length] = 0; - break; + /* send an AFS style realm-based salt */ + /* for now, just pass the realm back and let the client + do the work. In the future, add a kdc configuration + variable that specifies the old cell name. */ + padata->pa_type = KRB5_PADATA_AFS3_SALT; + /* it would be just like ONLYREALM, but we need to pass the 0 */ + scratch = krb5_princ_realm(kdc_context, request->client); + if ((padata->contents = malloc(scratch->length+1)) == NULL) { + retval = ENOMEM; + goto cleanup; + } + memcpy(padata->contents, scratch->data, scratch->length); + padata->length = scratch->length+1; + padata->contents[scratch->length] = 0; + break; case KRB5_KDB_SALTTYPE_ONLYREALM: - scratch = krb5_princ_realm(kdc_context, request->client); - if ((padata->contents = malloc(scratch->length)) == NULL) { - retval = ENOMEM; - goto cleanup; - } - memcpy(padata->contents, scratch->data, scratch->length); - padata->length = scratch->length; - break; + scratch = krb5_princ_realm(kdc_context, request->client); + if ((padata->contents = malloc(scratch->length)) == NULL) { + retval = ENOMEM; + goto cleanup; + } + memcpy(padata->contents, scratch->data, scratch->length); + padata->length = scratch->length; + break; case KRB5_KDB_SALTTYPE_SPECIAL: - if ((padata->contents = malloc(client_key->key_data_length[1])) - == NULL) { - retval = ENOMEM; - goto cleanup; - } - memcpy(padata->contents, client_key->key_data_contents[1], - client_key->key_data_length[1]); - padata->length = client_key->key_data_length[1]; - break; + if ((padata->contents = malloc(client_key->key_data_length[1])) + == NULL) { + retval = ENOMEM; + goto cleanup; + } + memcpy(padata->contents, client_key->key_data_contents[1], + client_key->key_data_length[1]); + padata->length = client_key->key_data_length[1]; + break; default: - free(padata); - return 0; + free(padata); + return 0; } *send_pa = padata; return 0; - + cleanup: free(padata); return retval; @@ -1865,22 +1866,22 @@ cleanup: static krb5_error_code return_sam_data(krb5_context context, krb5_pa_data *in_padata, - krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_key_data *client_key, - krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - preauth_get_entry_data_proc sam_get_entry_data, - void *pa_system_context, - void **pa_request_context) + krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_kdc_rep *reply, krb5_key_data *client_key, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + preauth_get_entry_data_proc sam_get_entry_data, + void *pa_system_context, + void **pa_request_context) { - krb5_error_code retval; - krb5_data scratch; - int i; + krb5_error_code retval; + krb5_data scratch; + int i; - krb5_sam_response *sr = 0; - krb5_predicted_sam_response *psr = 0; + krb5_sam_response *sr = 0; + krb5_predicted_sam_response *psr = 0; if (in_padata == 0) - return 0; + return 0; /* * We start by doing the same thing verify_sam_response() does: @@ -1891,71 +1892,71 @@ return_sam_data(krb5_context context, krb5_pa_data *in_padata, scratch.data = (char *)in_padata->contents; scratch.length = in_padata->length; - + if ((retval = decode_krb5_sam_response(&scratch, &sr))) { - kdc_err(context, retval, - "return_sam_data(): decode_krb5_sam_response failed"); - goto cleanup; + kdc_err(context, retval, + "return_sam_data(): decode_krb5_sam_response failed"); + goto cleanup; } { - krb5_enc_data tmpdata; + krb5_enc_data tmpdata; - tmpdata.enctype = ENCTYPE_UNKNOWN; - tmpdata.ciphertext = sr->sam_track_id; + tmpdata.enctype = ENCTYPE_UNKNOWN; + tmpdata.ciphertext = sr->sam_track_id; - scratch.length = tmpdata.ciphertext.length; - if ((scratch.data = (char *) malloc(scratch.length)) == NULL) { - retval = ENOMEM; - goto cleanup; - } + scratch.length = tmpdata.ciphertext.length; + if ((scratch.data = (char *) malloc(scratch.length)) == NULL) { + retval = ENOMEM; + goto cleanup; + } - if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, - &tmpdata, &scratch))) { - kdc_err(context, retval, - "return_sam_data(): decrypt track_id failed"); - free(scratch.data); - goto cleanup; - } + if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, + &tmpdata, &scratch))) { + kdc_err(context, retval, + "return_sam_data(): decrypt track_id failed"); + free(scratch.data); + goto cleanup; + } } if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) { - kdc_err(context, retval, - "return_sam_data(): decode_krb5_predicted_sam_response failed"); - free(scratch.data); - goto cleanup; + kdc_err(context, retval, + "return_sam_data(): decode_krb5_predicted_sam_response failed"); + free(scratch.data); + goto cleanup; } /* We could use sr->sam_flags, but it may be absent or altered. */ if (psr->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { - kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, - "Unsupported SAM flag must-pk-encrypt-sad"); - goto cleanup; + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, + "Unsupported SAM flag must-pk-encrypt-sad"); + goto cleanup; } if (psr->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) { - /* No key munging */ - goto cleanup; + /* No key munging */ + goto cleanup; } if (psr->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) { - /* Use sam_key instead of client key */ - krb5_free_keyblock_contents(context, encrypting_key); - krb5_copy_keyblock_contents(context, &psr->sam_key, encrypting_key); - /* XXX Attach a useful pa_data */ - goto cleanup; + /* Use sam_key instead of client key */ + krb5_free_keyblock_contents(context, encrypting_key); + krb5_copy_keyblock_contents(context, &psr->sam_key, encrypting_key); + /* XXX Attach a useful pa_data */ + goto cleanup; } /* Otherwise (no flags set), we XOR the keys */ /* XXX The passwords-04 draft is underspecified here wrt different - key types. We will do what I hope to get into the -05 draft. */ + key types. We will do what I hope to get into the -05 draft. */ { - krb5_octet *p = encrypting_key->contents; - krb5_octet *q = psr->sam_key.contents; - int length = ((encrypting_key->length < psr->sam_key.length) - ? encrypting_key->length - : psr->sam_key.length); + krb5_octet *p = encrypting_key->contents; + krb5_octet *q = psr->sam_key.contents; + int length = ((encrypting_key->length < psr->sam_key.length) + ? encrypting_key->length + : psr->sam_key.length); - for (i = 0; i < length; i++) - p[i] ^= q[i]; + for (i = 0; i < length; i++) + p[i] ^= q[i]; } /* Post-mixing key correction */ @@ -1964,58 +1965,58 @@ return_sam_data(krb5_context context, krb5_pa_data *in_padata, case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES_CBC_RAW: - mit_des_fixup_key_parity(encrypting_key->contents); - if (mit_des_is_weak_key(encrypting_key->contents)) - ((krb5_octet *) encrypting_key->contents)[7] ^= 0xf0; - break; + mit_des_fixup_key_parity(encrypting_key->contents); + if (mit_des_is_weak_key(encrypting_key->contents)) + ((krb5_octet *) encrypting_key->contents)[7] ^= 0xf0; + break; - /* XXX case ENCTYPE_DES3_CBC_MD5: listed in 1510bis-04 draft */ + /* XXX case ENCTYPE_DES3_CBC_MD5: listed in 1510bis-04 draft */ case ENCTYPE_DES3_CBC_SHA: /* XXX deprecated? */ case ENCTYPE_DES3_CBC_RAW: case ENCTYPE_DES3_CBC_SHA1: - for (i = 0; i < 3; i++) { - mit_des_fixup_key_parity(encrypting_key->contents + i * 8); - if (mit_des_is_weak_key(encrypting_key->contents + i * 8)) - ((krb5_octet *) encrypting_key->contents)[7 + i * 8] ^= 0xf0; - } - break; + for (i = 0; i < 3; i++) { + mit_des_fixup_key_parity(encrypting_key->contents + i * 8); + if (mit_des_is_weak_key(encrypting_key->contents + i * 8)) + ((krb5_octet *) encrypting_key->contents)[7 + i * 8] ^= 0xf0; + } + break; default: - kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, - "Unimplemented keytype for SAM key mixing"); - goto cleanup; + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, + "Unimplemented keytype for SAM key mixing"); + goto cleanup; } /* XXX Attach a useful pa_data */ cleanup: if (sr) - krb5_free_sam_response(context, sr); + krb5_free_sam_response(context, sr); if (psr) - krb5_free_predicted_sam_response(context, psr); + krb5_free_predicted_sam_response(context, psr); return retval; } - + static struct { - char* name; - int sam_type; + char* name; + int sam_type; } *sam_ptr, sam_inst_map[] = { - { "SNK4", PA_SAM_TYPE_DIGI_PATH, }, - { "SECURID", PA_SAM_TYPE_SECURID, }, - { "GRAIL", PA_SAM_TYPE_GRAIL, }, - { 0, 0 }, + { "SNK4", PA_SAM_TYPE_DIGI_PATH, }, + { "SECURID", PA_SAM_TYPE_SECURID, }, + { "GRAIL", PA_SAM_TYPE_GRAIL, }, + { 0, 0 }, }; static krb5_error_code get_sam_edata(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc sam_get_entry_data, - void *pa_system_context, krb5_pa_data *pa_data) + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc sam_get_entry_data, + void *pa_system_context, krb5_pa_data *pa_data) { - krb5_error_code retval; - krb5_sam_challenge sc; - krb5_predicted_sam_response psr; - krb5_data * scratch; + krb5_error_code retval; + krb5_sam_challenge sc; + krb5_predicted_sam_response psr; + krb5_data * scratch; krb5_keyblock encrypting_key, *mkey_ptr; char response[9]; char inputblock[8]; @@ -2029,368 +2030,368 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, names that match the types of preauth used. Later we should make this mapping show up in kdc.conf. In the meantime, we hardcode the following: - /SNK4 -- Digital Pathways SNK/4 preauth. - /GRAIL -- experimental preauth + /SNK4 -- Digital Pathways SNK/4 preauth. + /GRAIL -- experimental preauth The first one found is used. See sam_inst_map above. For SNK4 in particular, the key in the database is the key for the device; kadmin needs a special interface for it. - */ + */ { - int npr = 1; - krb5_boolean more; - krb5_db_entry assoc; - krb5_key_data *assoc_key; - krb5_principal newp; - int probeslot; - - sc.sam_type = 0; - - retval = krb5_copy_principal(kdc_context, request->client, &newp); - if (retval) { - kdc_err(kdc_context, retval, "copying client name for preauth probe"); - return retval; - } - - probeslot = krb5_princ_size(context, newp)++; - krb5_princ_name(kdc_context, newp) = - realloc(krb5_princ_name(kdc_context, newp), - krb5_princ_size(context, newp) * sizeof(krb5_data)); - - for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) { - krb5_princ_component(kdc_context,newp,probeslot)->data = sam_ptr->name; - krb5_princ_component(kdc_context,newp,probeslot)->length = - strlen(sam_ptr->name); - npr = 1; - retval = get_principal(kdc_context, newp, &assoc, &npr, &more); - if(!retval && npr) { - sc.sam_type = sam_ptr->sam_type; - break; - } - } - - krb5_princ_component(kdc_context,newp,probeslot)->data = 0; - krb5_princ_component(kdc_context,newp,probeslot)->length = 0; - krb5_princ_size(context, newp)--; - - krb5_free_principal(kdc_context, newp); - - /* if sc.sam_type is set, it worked */ - if (sc.sam_type) { - /* so use assoc to get the key out! */ - { - if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, - &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; - /* try refreshing the mkey list in case it's been updated */ - if (krb5_db_fetch_mkey_list(context, master_princ, - &master_keyblock, 0, - &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(context, master_keylist); - master_keylist = tmp_mkey_list; - if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, - &mkey_ptr))) { - return (retval); - } - } else { - return (retval); - } - } - - /* here's what do_tgs_req does */ - retval = krb5_dbe_find_enctype(kdc_context, &assoc, - ENCTYPE_DES_CBC_RAW, - KRB5_KDB_SALTTYPE_NORMAL, - 0, /* Get highest kvno */ - &assoc_key); - if (retval) { - char *sname; - krb5_unparse_name(kdc_context, request->client, &sname); - kdc_err(kdc_context, retval, - "snk4 finding the enctype and key <%s>", sname); - free(sname); - return retval; - } - /* convert server.key into a real key */ - retval = krb5_dbekd_decrypt_key_data(kdc_context, - mkey_ptr, - assoc_key, &encrypting_key, - NULL); - if (retval) { - kdc_err(kdc_context, retval, - "snk4 pulling out key entry"); - return retval; - } - /* now we can use encrypting_key... */ - } - } else { - /* SAM is not an option - so don't return as hint */ - return KRB5_PREAUTH_BAD_TYPE; - } + int npr = 1; + krb5_boolean more; + krb5_db_entry assoc; + krb5_key_data *assoc_key; + krb5_principal newp; + int probeslot; + + sc.sam_type = 0; + + retval = krb5_copy_principal(kdc_context, request->client, &newp); + if (retval) { + kdc_err(kdc_context, retval, "copying client name for preauth probe"); + return retval; + } + + probeslot = krb5_princ_size(context, newp)++; + krb5_princ_name(kdc_context, newp) = + realloc(krb5_princ_name(kdc_context, newp), + krb5_princ_size(context, newp) * sizeof(krb5_data)); + + for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) { + krb5_princ_component(kdc_context,newp,probeslot)->data = sam_ptr->name; + krb5_princ_component(kdc_context,newp,probeslot)->length = + strlen(sam_ptr->name); + npr = 1; + retval = get_principal(kdc_context, newp, &assoc, &npr, &more); + if(!retval && npr) { + sc.sam_type = sam_ptr->sam_type; + break; + } + } + + krb5_princ_component(kdc_context,newp,probeslot)->data = 0; + krb5_princ_component(kdc_context,newp,probeslot)->length = 0; + krb5_princ_size(context, newp)--; + + krb5_free_principal(kdc_context, newp); + + /* if sc.sam_type is set, it worked */ + if (sc.sam_type) { + /* so use assoc to get the key out! */ + { + if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, + &mkey_ptr))) { + krb5_keylist_node *tmp_mkey_list; + /* try refreshing the mkey list in case it's been updated */ + if (krb5_db_fetch_mkey_list(context, master_princ, + &master_keyblock, 0, + &tmp_mkey_list) == 0) { + krb5_dbe_free_key_list(context, master_keylist); + master_keylist = tmp_mkey_list; + if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, + &mkey_ptr))) { + return (retval); + } + } else { + return (retval); + } + } + + /* here's what do_tgs_req does */ + retval = krb5_dbe_find_enctype(kdc_context, &assoc, + ENCTYPE_DES_CBC_RAW, + KRB5_KDB_SALTTYPE_NORMAL, + 0, /* Get highest kvno */ + &assoc_key); + if (retval) { + char *sname; + krb5_unparse_name(kdc_context, request->client, &sname); + kdc_err(kdc_context, retval, + "snk4 finding the enctype and key <%s>", sname); + free(sname); + return retval; + } + /* convert server.key into a real key */ + retval = krb5_dbekd_decrypt_key_data(kdc_context, + mkey_ptr, + assoc_key, &encrypting_key, + NULL); + if (retval) { + kdc_err(kdc_context, retval, + "snk4 pulling out key entry"); + return retval; + } + /* now we can use encrypting_key... */ + } + } else { + /* SAM is not an option - so don't return as hint */ + return KRB5_PREAUTH_BAD_TYPE; + } } sc.magic = KV5M_SAM_CHALLENGE; psr.sam_flags = sc.sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* Replay prevention */ if ((retval = krb5_copy_principal(context, request->client, &psr.client))) - return retval; + return retval; #ifdef USE_RCACHE if ((retval = krb5_us_timeofday(context, &psr.stime, &psr.susec))) - return retval; + return retval; #endif /* USE_RCACHE */ switch (sc.sam_type) { case PA_SAM_TYPE_GRAIL: - sc.sam_type_name.data = "Experimental System"; - sc.sam_type_name.length = strlen(sc.sam_type_name.data); - sc.sam_challenge_label.data = "experimental challenge label"; - sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data); - sc.sam_challenge.data = "12345"; - sc.sam_challenge.length = strlen(sc.sam_challenge.data); + sc.sam_type_name.data = "Experimental System"; + sc.sam_type_name.length = strlen(sc.sam_type_name.data); + sc.sam_challenge_label.data = "experimental challenge label"; + sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data); + sc.sam_challenge.data = "12345"; + sc.sam_challenge.length = strlen(sc.sam_challenge.data); #if 0 /* Enable this to test "normal" (no flags set) mode. */ - psr.sam_flags = sc.sam_flags = 0; + psr.sam_flags = sc.sam_flags = 0; #endif - psr.magic = KV5M_PREDICTED_SAM_RESPONSE; - /* string2key on sc.sam_challenge goes in here */ - /* eblock is just to set the enctype */ - { - const krb5_enctype type = ENCTYPE_DES_CBC_MD5; - - if ((retval = krb5_c_string_to_key(context, type, &sc.sam_challenge, - 0 /* salt */, &psr.sam_key))) - goto cleanup; - - if ((retval = encode_krb5_predicted_sam_response(&psr, &scratch))) - goto cleanup; - - { - size_t enclen; - krb5_enc_data tmpdata; - - if ((retval = krb5_c_encrypt_length(context, - psr_key.enctype, - scratch->length, &enclen))) - goto cleanup; - - if ((tmpdata.ciphertext.data = (char *) malloc(enclen)) == NULL) { - retval = ENOMEM; - goto cleanup; - } - tmpdata.ciphertext.length = enclen; - - if ((retval = krb5_c_encrypt(context, &psr_key, - /* XXX */ 0, 0, scratch, &tmpdata))) - goto cleanup; - - sc.sam_track_id = tmpdata.ciphertext; - } - } - - sc.sam_response_prompt.data = "response prompt"; - sc.sam_response_prompt.length = strlen(sc.sam_response_prompt.data); - sc.sam_pk_for_sad.length = 0; - sc.sam_nonce = 0; - /* Generate checksum */ - /*krb5_checksum_size(context, ctype)*/ - /*krb5_calculate_checksum(context,ctype,in,in_length,seed, - seed_length,outcksum) */ - /*krb5_verify_checksum(context,ctype,cksum,in,in_length,seed, - seed_length) */ + psr.magic = KV5M_PREDICTED_SAM_RESPONSE; + /* string2key on sc.sam_challenge goes in here */ + /* eblock is just to set the enctype */ + { + const krb5_enctype type = ENCTYPE_DES_CBC_MD5; + + if ((retval = krb5_c_string_to_key(context, type, &sc.sam_challenge, + 0 /* salt */, &psr.sam_key))) + goto cleanup; + + if ((retval = encode_krb5_predicted_sam_response(&psr, &scratch))) + goto cleanup; + + { + size_t enclen; + krb5_enc_data tmpdata; + + if ((retval = krb5_c_encrypt_length(context, + psr_key.enctype, + scratch->length, &enclen))) + goto cleanup; + + if ((tmpdata.ciphertext.data = (char *) malloc(enclen)) == NULL) { + retval = ENOMEM; + goto cleanup; + } + tmpdata.ciphertext.length = enclen; + + if ((retval = krb5_c_encrypt(context, &psr_key, + /* XXX */ 0, 0, scratch, &tmpdata))) + goto cleanup; + + sc.sam_track_id = tmpdata.ciphertext; + } + } + + sc.sam_response_prompt.data = "response prompt"; + sc.sam_response_prompt.length = strlen(sc.sam_response_prompt.data); + sc.sam_pk_for_sad.length = 0; + sc.sam_nonce = 0; + /* Generate checksum */ + /*krb5_checksum_size(context, ctype)*/ + /*krb5_calculate_checksum(context,ctype,in,in_length,seed, + seed_length,outcksum) */ + /*krb5_verify_checksum(context,ctype,cksum,in,in_length,seed, + seed_length) */ #if 0 /* XXX a) glue appears broken; b) this gives up the SAD */ - sc.sam_cksum.contents = (krb5_octet *) - malloc(krb5_checksum_size(context, CKSUMTYPE_RSA_MD5_DES)); - if (sc.sam_cksum.contents == NULL) return(ENOMEM); - - retval = krb5_calculate_checksum(context, CKSUMTYPE_RSA_MD5_DES, - sc.sam_challenge.data, - sc.sam_challenge.length, - psr.sam_key.contents, /* key */ - psr.sam_key.length, /* key length */ - &sc.sam_cksum); - if (retval) { free(sc.sam_cksum.contents); return(retval); } + sc.sam_cksum.contents = (krb5_octet *) + malloc(krb5_checksum_size(context, CKSUMTYPE_RSA_MD5_DES)); + if (sc.sam_cksum.contents == NULL) return(ENOMEM); + + retval = krb5_calculate_checksum(context, CKSUMTYPE_RSA_MD5_DES, + sc.sam_challenge.data, + sc.sam_challenge.length, + psr.sam_key.contents, /* key */ + psr.sam_key.length, /* key length */ + &sc.sam_cksum); + if (retval) { free(sc.sam_cksum.contents); return(retval); } #endif /* 0 */ - - retval = encode_krb5_sam_challenge(&sc, &scratch); - if (retval) goto cleanup; - pa_data->magic = KV5M_PA_DATA; - pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE; - pa_data->contents = (krb5_octet *)scratch->data; - pa_data->length = scratch->length; - - retval = 0; - break; + + retval = encode_krb5_sam_challenge(&sc, &scratch); + if (retval) goto cleanup; + pa_data->magic = KV5M_PA_DATA; + pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE; + pa_data->contents = (krb5_octet *)scratch->data; + pa_data->length = scratch->length; + + retval = 0; + break; case PA_SAM_TYPE_DIGI_PATH: - sc.sam_type_name.data = "Digital Pathways"; - sc.sam_type_name.length = strlen(sc.sam_type_name.data); + sc.sam_type_name.data = "Digital Pathways"; + sc.sam_type_name.length = strlen(sc.sam_type_name.data); #if 1 - sc.sam_challenge_label.data = "Enter the following on your keypad"; - sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data); + sc.sam_challenge_label.data = "Enter the following on your keypad"; + sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data); #endif - /* generate digit string, take it mod 1000000 (six digits.) */ - { - int j; - krb5_keyblock session_key; - char outputblock[8]; - int i; - - session_key.contents = 0; - - memset(inputblock, 0, 8); - - retval = krb5_c_make_random_key(kdc_context, ENCTYPE_DES_CBC_CRC, - &session_key); - - if (retval) { - /* random key failed */ - kdc_err(kdc_context, retval, - "generating random challenge for preauth"); - return retval; - } - /* now session_key has a key which we can pick bits out of */ - /* we need six decimal digits. Grab 6 bytes, div 2, mod 10 each. */ - if (session_key.length != 8) { - kdc_err(kdc_context, retval = KRB5KDC_ERR_ETYPE_NOSUPP, - "keytype didn't match code expectations"); - return retval; - } - for(i = 0; i<6; i++) { - inputblock[i] = '0' + ((session_key.contents[i]/2) % 10); - } - if (session_key.contents) - krb5_free_keyblock_contents(kdc_context, &session_key); - - /* retval = krb5_finish_key(kdc_context, &eblock); */ - /* now we have inputblock containing the 8 byte input to DES... */ - sc.sam_challenge.data = inputblock; - sc.sam_challenge.length = 6; - - encrypting_key.enctype = ENCTYPE_DES_CBC_RAW; - - if (retval) - kdc_err(kdc_context, retval, "snk4 processing key"); - - { - krb5_data plain; - krb5_enc_data cipher; - - plain.length = 8; - plain.data = inputblock; - - /* XXX I know this is enough because of the fixed raw enctype. - if it's not, the underlying code will return a reasonable - error, which should never happen */ - cipher.ciphertext.length = 8; - cipher.ciphertext.data = outputblock; - - if ((retval = krb5_c_encrypt(kdc_context, &encrypting_key, - /* XXX */ 0, 0, &plain, &cipher))) { - kdc_err(kdc_context, retval, - "snk4 response generation failed"); - return retval; - } - } - - /* now output block is the raw bits of the response; convert it - to display form */ - for (j=0; j<4; j++) { - char n[2]; - int k; - n[0] = outputblock[j] & 0xf; - n[1] = (outputblock[j]>>4) & 0xf; - for (k=0; k<2; k++) { - if(n[k] > 9) n[k] = ((n[k]-1)>>2); - /* This is equivalent to: - if(n[k]>=0xa && n[k]<=0xc) n[k] = 2; - if(n[k]>=0xd && n[k]<=0xf) n[k] = 3; - */ - } - /* for v4, we keygen: *(j+(char*)&key1) = (n[1]<<4) | n[0]; */ - /* for v5, we just generate a string */ - response[2*j+0] = '0' + n[1]; - response[2*j+1] = '0' + n[0]; - /* and now, response has what we work with. */ - } - response[8] = 0; - predict_response.data = response; - predict_response.length = 8; -#if 0 /* for debugging, hack the output too! */ -sc.sam_challenge_label.data = response; -sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data); + /* generate digit string, take it mod 1000000 (six digits.) */ + { + int j; + krb5_keyblock session_key; + char outputblock[8]; + int i; + + session_key.contents = 0; + + memset(inputblock, 0, 8); + + retval = krb5_c_make_random_key(kdc_context, ENCTYPE_DES_CBC_CRC, + &session_key); + + if (retval) { + /* random key failed */ + kdc_err(kdc_context, retval, + "generating random challenge for preauth"); + return retval; + } + /* now session_key has a key which we can pick bits out of */ + /* we need six decimal digits. Grab 6 bytes, div 2, mod 10 each. */ + if (session_key.length != 8) { + kdc_err(kdc_context, retval = KRB5KDC_ERR_ETYPE_NOSUPP, + "keytype didn't match code expectations"); + return retval; + } + for(i = 0; i<6; i++) { + inputblock[i] = '0' + ((session_key.contents[i]/2) % 10); + } + if (session_key.contents) + krb5_free_keyblock_contents(kdc_context, &session_key); + + /* retval = krb5_finish_key(kdc_context, &eblock); */ + /* now we have inputblock containing the 8 byte input to DES... */ + sc.sam_challenge.data = inputblock; + sc.sam_challenge.length = 6; + + encrypting_key.enctype = ENCTYPE_DES_CBC_RAW; + + if (retval) + kdc_err(kdc_context, retval, "snk4 processing key"); + + { + krb5_data plain; + krb5_enc_data cipher; + + plain.length = 8; + plain.data = inputblock; + + /* XXX I know this is enough because of the fixed raw enctype. + if it's not, the underlying code will return a reasonable + error, which should never happen */ + cipher.ciphertext.length = 8; + cipher.ciphertext.data = outputblock; + + if ((retval = krb5_c_encrypt(kdc_context, &encrypting_key, + /* XXX */ 0, 0, &plain, &cipher))) { + kdc_err(kdc_context, retval, + "snk4 response generation failed"); + return retval; + } + } + + /* now output block is the raw bits of the response; convert it + to display form */ + for (j=0; j<4; j++) { + char n[2]; + int k; + n[0] = outputblock[j] & 0xf; + n[1] = (outputblock[j]>>4) & 0xf; + for (k=0; k<2; k++) { + if(n[k] > 9) n[k] = ((n[k]-1)>>2); + /* This is equivalent to: + if(n[k]>=0xa && n[k]<=0xc) n[k] = 2; + if(n[k]>=0xd && n[k]<=0xf) n[k] = 3; + */ + } + /* for v4, we keygen: *(j+(char*)&key1) = (n[1]<<4) | n[0]; */ + /* for v5, we just generate a string */ + response[2*j+0] = '0' + n[1]; + response[2*j+1] = '0' + n[0]; + /* and now, response has what we work with. */ + } + response[8] = 0; + predict_response.data = response; + predict_response.length = 8; +#if 0 /* for debugging, hack the output too! */ + sc.sam_challenge_label.data = response; + sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data); #endif - } - - psr.magic = KV5M_PREDICTED_SAM_RESPONSE; - /* string2key on sc.sam_challenge goes in here */ - /* eblock is just to set the enctype */ - { - retval = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, - &predict_response, 0 /* salt */, - &psr.sam_key); - if (retval) goto cleanup; - - retval = encode_krb5_predicted_sam_response(&psr, &scratch); - if (retval) goto cleanup; - - { - size_t enclen; - krb5_enc_data tmpdata; - - if ((retval = krb5_c_encrypt_length(context, - psr_key.enctype, - scratch->length, &enclen))) - goto cleanup; - - if ((tmpdata.ciphertext.data = (char *) malloc(enclen)) == NULL) { - retval = ENOMEM; - goto cleanup; - } - tmpdata.ciphertext.length = enclen; - - if ((retval = krb5_c_encrypt(context, &psr_key, - /* XXX */ 0, 0, scratch, &tmpdata))) - goto cleanup; - - sc.sam_track_id = tmpdata.ciphertext; - } - if (retval) goto cleanup; - } - - sc.sam_response_prompt.data = "Enter the displayed response"; - sc.sam_response_prompt.length = strlen(sc.sam_response_prompt.data); - sc.sam_pk_for_sad.length = 0; - sc.sam_nonce = 0; - /* Generate checksum */ - /*krb5_checksum_size(context, ctype)*/ - /*krb5_calculate_checksum(context,ctype,in,in_length,seed, - seed_length,outcksum) */ - /*krb5_verify_checksum(context,ctype,cksum,in,in_length,seed, - seed_length) */ + } + + psr.magic = KV5M_PREDICTED_SAM_RESPONSE; + /* string2key on sc.sam_challenge goes in here */ + /* eblock is just to set the enctype */ + { + retval = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, + &predict_response, 0 /* salt */, + &psr.sam_key); + if (retval) goto cleanup; + + retval = encode_krb5_predicted_sam_response(&psr, &scratch); + if (retval) goto cleanup; + + { + size_t enclen; + krb5_enc_data tmpdata; + + if ((retval = krb5_c_encrypt_length(context, + psr_key.enctype, + scratch->length, &enclen))) + goto cleanup; + + if ((tmpdata.ciphertext.data = (char *) malloc(enclen)) == NULL) { + retval = ENOMEM; + goto cleanup; + } + tmpdata.ciphertext.length = enclen; + + if ((retval = krb5_c_encrypt(context, &psr_key, + /* XXX */ 0, 0, scratch, &tmpdata))) + goto cleanup; + + sc.sam_track_id = tmpdata.ciphertext; + } + if (retval) goto cleanup; + } + + sc.sam_response_prompt.data = "Enter the displayed response"; + sc.sam_response_prompt.length = strlen(sc.sam_response_prompt.data); + sc.sam_pk_for_sad.length = 0; + sc.sam_nonce = 0; + /* Generate checksum */ + /*krb5_checksum_size(context, ctype)*/ + /*krb5_calculate_checksum(context,ctype,in,in_length,seed, + seed_length,outcksum) */ + /*krb5_verify_checksum(context,ctype,cksum,in,in_length,seed, + seed_length) */ #if 0 /* XXX a) glue appears broken; b) this gives up the SAD */ - sc.sam_cksum.contents = (krb5_octet *) - malloc(krb5_checksum_size(context, CKSUMTYPE_RSA_MD5_DES)); - if (sc.sam_cksum.contents == NULL) return(ENOMEM); - - retval = krb5_calculate_checksum(context, CKSUMTYPE_RSA_MD5_DES, - sc.sam_challenge.data, - sc.sam_challenge.length, - psr.sam_key.contents, /* key */ - psr.sam_key.length, /* key length */ - &sc.sam_cksum); - if (retval) { free(sc.sam_cksum.contents); return(retval); } + sc.sam_cksum.contents = (krb5_octet *) + malloc(krb5_checksum_size(context, CKSUMTYPE_RSA_MD5_DES)); + if (sc.sam_cksum.contents == NULL) return(ENOMEM); + + retval = krb5_calculate_checksum(context, CKSUMTYPE_RSA_MD5_DES, + sc.sam_challenge.data, + sc.sam_challenge.length, + psr.sam_key.contents, /* key */ + psr.sam_key.length, /* key length */ + &sc.sam_cksum); + if (retval) { free(sc.sam_cksum.contents); return(retval); } #endif /* 0 */ - - retval = encode_krb5_sam_challenge(&sc, &scratch); - if (retval) goto cleanup; - pa_data->magic = KV5M_PA_DATA; - pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE; - pa_data->contents = (krb5_octet *)scratch->data; - pa_data->length = scratch->length; - - retval = 0; - break; + + retval = encode_krb5_sam_challenge(&sc, &scratch); + if (retval) goto cleanup; + pa_data->magic = KV5M_PA_DATA; + pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE; + pa_data->contents = (krb5_octet *)scratch->data; + pa_data->length = scratch->length; + + retval = 0; + break; } cleanup: @@ -2400,138 +2401,138 @@ cleanup: static krb5_error_code verify_sam_response(krb5_context context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *pa, - preauth_get_entry_data_proc sam_get_entry_data, - void *pa_system_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *pa, + preauth_get_entry_data_proc sam_get_entry_data, + void *pa_system_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) { - krb5_error_code retval; - krb5_data scratch; - krb5_sam_response *sr = 0; - krb5_predicted_sam_response *psr = 0; - krb5_enc_sam_response_enc *esre = 0; - krb5_timestamp timenow; - char *princ_req = 0, *princ_psr = 0; + krb5_error_code retval; + krb5_data scratch; + krb5_sam_response *sr = 0; + krb5_predicted_sam_response *psr = 0; + krb5_enc_sam_response_enc *esre = 0; + krb5_timestamp timenow; + char *princ_req = 0, *princ_psr = 0; scratch.data = (char *)pa->contents; scratch.length = pa->length; - + if ((retval = decode_krb5_sam_response(&scratch, &sr))) { - scratch.data = 0; - kdc_err(context, retval, "decode_krb5_sam_response failed"); - goto cleanup; + scratch.data = 0; + kdc_err(context, retval, "decode_krb5_sam_response failed"); + goto cleanup; } /* XXX We can only handle the challenge/response model of SAM. - See passwords-04, par 4.1, 4.2 */ + See passwords-04, par 4.1, 4.2 */ { - krb5_enc_data tmpdata; + krb5_enc_data tmpdata; - tmpdata.enctype = ENCTYPE_UNKNOWN; - tmpdata.ciphertext = sr->sam_track_id; + tmpdata.enctype = ENCTYPE_UNKNOWN; + tmpdata.ciphertext = sr->sam_track_id; - scratch.length = tmpdata.ciphertext.length; - if ((scratch.data = (char *) malloc(scratch.length)) == NULL) { - retval = ENOMEM; - goto cleanup; - } + scratch.length = tmpdata.ciphertext.length; + if ((scratch.data = (char *) malloc(scratch.length)) == NULL) { + retval = ENOMEM; + goto cleanup; + } - if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, - &tmpdata, &scratch))) { - kdc_err(context, retval, "decrypt track_id failed"); - goto cleanup; - } + if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, + &tmpdata, &scratch))) { + kdc_err(context, retval, "decrypt track_id failed"); + goto cleanup; + } } if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) { - kdc_err(context, retval, - "decode_krb5_predicted_sam_response failed -- replay attack?"); - goto cleanup; + kdc_err(context, retval, + "decode_krb5_predicted_sam_response failed -- replay attack?"); + goto cleanup; } /* Replay detection */ if ((retval = krb5_unparse_name(context, request->client, &princ_req))) - goto cleanup; + goto cleanup; if ((retval = krb5_unparse_name(context, psr->client, &princ_psr))) - goto cleanup; + goto cleanup; if (strcmp(princ_req, princ_psr) != 0) { - kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, - "Principal mismatch in SAM psr! -- replay attack?"); - goto cleanup; + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, + "Principal mismatch in SAM psr! -- replay attack?"); + goto cleanup; } if ((retval = krb5_timeofday(context, &timenow))) - goto cleanup; + goto cleanup; #ifdef USE_RCACHE { - krb5_donot_replay rep; - extern krb5_deltat rc_lifetime; - /* - * Verify this response came back in a timely manner. - * We do this b/c otherwise very old (expunged from the rcache) - * psr's would be able to be replayed. - */ - if (timenow - psr->stime > rc_lifetime) { - kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, - "SAM psr came back too late! -- replay attack?"); - goto cleanup; - } - - /* Now check the replay cache. */ - rep.client = princ_psr; - rep.server = "SAM/rc"; /* Should not match any principal name. */ - rep.msghash = NULL; - rep.ctime = psr->stime; - rep.cusec = psr->susec; - retval = krb5_rc_store(kdc_context, kdc_rcache, &rep); - if (retval) { - kdc_err(kdc_context, retval, "SAM psr replay attack!"); - goto cleanup; - } + krb5_donot_replay rep; + extern krb5_deltat rc_lifetime; + /* + * Verify this response came back in a timely manner. + * We do this b/c otherwise very old (expunged from the rcache) + * psr's would be able to be replayed. + */ + if (timenow - psr->stime > rc_lifetime) { + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, + "SAM psr came back too late! -- replay attack?"); + goto cleanup; + } + + /* Now check the replay cache. */ + rep.client = princ_psr; + rep.server = "SAM/rc"; /* Should not match any principal name. */ + rep.msghash = NULL; + rep.ctime = psr->stime; + rep.cusec = psr->susec; + retval = krb5_rc_store(kdc_context, kdc_rcache, &rep); + if (retval) { + kdc_err(kdc_context, retval, "SAM psr replay attack!"); + goto cleanup; + } } #endif /* USE_RCACHE */ { - free(scratch.data); - scratch.length = sr->sam_enc_nonce_or_ts.ciphertext.length; - if ((scratch.data = (char *) malloc(scratch.length)) == NULL) { - retval = ENOMEM; - goto cleanup; - } + free(scratch.data); + scratch.length = sr->sam_enc_nonce_or_ts.ciphertext.length; + if ((scratch.data = (char *) malloc(scratch.length)) == NULL) { + retval = ENOMEM; + goto cleanup; + } - if ((retval = krb5_c_decrypt(context, &psr->sam_key, /* XXX */ 0, - 0, &sr->sam_enc_nonce_or_ts, &scratch))) { - kdc_err(context, retval, "decrypt nonce_or_ts failed"); - goto cleanup; - } + if ((retval = krb5_c_decrypt(context, &psr->sam_key, /* XXX */ 0, + 0, &sr->sam_enc_nonce_or_ts, &scratch))) { + kdc_err(context, retval, "decrypt nonce_or_ts failed"); + goto cleanup; + } } if ((retval = decode_krb5_enc_sam_response_enc(&scratch, &esre))) { - kdc_err(context, retval, "decode_krb5_enc_sam_response_enc failed"); - goto cleanup; + kdc_err(context, retval, "decode_krb5_enc_sam_response_enc failed"); + goto cleanup; } if (esre->sam_timestamp != sr->sam_patimestamp) { - retval = KRB5KDC_ERR_PREAUTH_FAILED; - goto cleanup; + retval = KRB5KDC_ERR_PREAUTH_FAILED; + goto cleanup; } - + if (labs(timenow - sr->sam_patimestamp) > context->clockskew) { - retval = KRB5KRB_AP_ERR_SKEW; - goto cleanup; + retval = KRB5KRB_AP_ERR_SKEW; + goto cleanup; } setflag(enc_tkt_reply->flags, TKT_FLG_HW_AUTH); - cleanup: +cleanup: if (retval) - kdc_err(context, retval, "sam verify failure"); + kdc_err(context, retval, "sam verify failure"); if (scratch.data) free(scratch.data); if (sr) free(sr); if (psr) free(psr); @@ -2552,14 +2553,14 @@ verify_sam_response(krb5_context context, krb5_db_entry *client, #endif /* - * get_edata() - our only job is to determine whether this KDC is capable of - * performing PKINIT. We infer that from the presence or absence of any + * get_edata() - our only job is to determine whether this KDC is capable of + * performing PKINIT. We infer that from the presence or absence of any * KDC signing cert. */ static krb5_error_code get_pkinit_edata( - krb5_context context, + krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, + krb5_db_entry *client, krb5_db_entry *server, preauth_get_entry_data_proc pkinit_get_entry_data, void *pa_module_context, @@ -2567,17 +2568,17 @@ static krb5_error_code get_pkinit_edata( { krb5_pkinit_signing_cert_t cert = NULL; krb5_error_code err = krb5_pkinit_get_kdc_cert(0, NULL, NULL, &cert); - + kdcPkinitDebug("get_pkinit_edata: kdc cert %s\n", err ? "NOT FOUND" : "FOUND"); if(cert) { - krb5_pkinit_release_cert(cert); + krb5_pkinit_release_cert(cert); } return err; } -/* +/* * This is 0 only for testing until the KDC DB contains - * the hash of the client cert + * the hash of the client cert */ #define REQUIRE_CLIENT_CERT_MATCH 1 @@ -2586,7 +2587,7 @@ static krb5_error_code verify_pkinit_request( krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, preauth_get_entry_data_proc pkinit_get_entry_data, void *pa_module_context, @@ -2594,156 +2595,156 @@ static krb5_error_code verify_pkinit_request( krb5_data **e_data, krb5_authdata ***authz_data) { - krb5_error_code krtn; - krb5_data pa_data; - krb5_data *der_req = NULL; - krb5_boolean valid_cksum; - char *cert_hash = NULL; - unsigned cert_hash_len; - unsigned key_dex; - unsigned cert_match = 0; - krb5_keyblock decrypted_key, *mkey_ptr; - + krb5_error_code krtn; + krb5_data pa_data; + krb5_data *der_req = NULL; + krb5_boolean valid_cksum; + char *cert_hash = NULL; + unsigned cert_hash_len; + unsigned key_dex; + unsigned cert_match = 0; + krb5_keyblock decrypted_key, *mkey_ptr; + /* the data we get from the AS-REQ */ - krb5_timestamp client_ctime = 0; - krb5_ui_4 client_cusec = 0; - krb5_timestamp kdc_ctime = 0; - krb5_int32 kdc_cusec = 0; - krb5_ui_4 nonce = 0; - krb5_checksum pa_cksum; + krb5_timestamp client_ctime = 0; + krb5_ui_4 client_cusec = 0; + krb5_timestamp kdc_ctime = 0; + krb5_int32 kdc_cusec = 0; + krb5_ui_4 nonce = 0; + krb5_checksum pa_cksum; krb5int_cert_sig_status cert_sig_status; - krb5_data client_cert = {0, 0, NULL}; - + krb5_data client_cert = {0, 0, NULL}; + krb5_kdc_req *tmp_as_req = NULL; - + kdcPkinitDebug("verify_pkinit_request\n"); decrypted_key.contents = NULL; pa_data.data = (char *)data->contents; pa_data.length = data->length; - krtn = krb5int_pkinit_as_req_parse(context, &pa_data, - &client_ctime, &client_cusec, - &nonce, &pa_cksum, - &cert_sig_status, - NULL, NULL, /* num_cms_types, cms_types */ - &client_cert, /* signer_cert */ - /* remaining fields unused (for now) */ - NULL, NULL, /* num_all_certs, all_certs */ - NULL, NULL, /* num_trusted_CAs, trusted_CAs */ - NULL); /* kdc_cert */ + krtn = krb5int_pkinit_as_req_parse(context, &pa_data, + &client_ctime, &client_cusec, + &nonce, &pa_cksum, + &cert_sig_status, + NULL, NULL, /* num_cms_types, cms_types */ + &client_cert, /* signer_cert */ + /* remaining fields unused (for now) */ + NULL, NULL, /* num_all_certs, all_certs */ + NULL, NULL, /* num_trusted_CAs, trusted_CAs */ + NULL); /* kdc_cert */ if(krtn) { - kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", - (int)krtn); - return krtn; + kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", + (int)krtn); + return krtn; } - #if PKINIT_DEBUG +#if PKINIT_DEBUG if(cert_sig_status != pki_cs_good) { - kdcPkinitDebug("verify_pkinit_request: cert_sig_status %d\n", - (int)cert_sig_status); + kdcPkinitDebug("verify_pkinit_request: cert_sig_status %d\n", + (int)cert_sig_status); } - #endif /* PKINIT_DEBUG */ - - /* +#endif /* PKINIT_DEBUG */ + + /* * Verify signature and cert. * FIXME: The spec calls for an e-data with error-specific type to be * returned on error here. TD_TRUSTED_CERTIFIERS - * to be returned to the client here. There is no way for a preauth - * module to pass back e-data to process_as_req at this time. We - * might want to add such capability via an out param to check_padata - * and to its callees. + * to be returned to the client here. There is no way for a preauth + * module to pass back e-data to process_as_req at this time. We + * might want to add such capability via an out param to check_padata + * and to its callees. */ switch(cert_sig_status) { - case pki_cs_good: - break; - case pki_cs_sig_verify_fail: - /* no e-data */ - krtn = KDC_ERR_INVALID_SIG; - goto cleanup; - case pki_cs_no_root: - case pki_cs_unknown_root: - case pki_cs_untrusted: - /* - * Can't verify to known root. - * e-data TD_TRUSTED_CERTIFIERS - */ - kdcPkinitDebug("verify_pkinit_request: KDC_ERR_CANT_VERIFY_CERTIFICATE\n"); - krtn = KDC_ERR_CANT_VERIFY_CERTIFICATE; - goto cleanup; - case pki_cs_bad_leaf: - case pki_cs_expired: - case pki_cs_not_valid_yet: - /* - * Problems with client cert itself. - * e-data type TD_INVALID_CERTIFICATES - */ - krtn = KDC_ERR_INVALID_CERTIFICATE; - goto cleanup; - case pki_cs_revoked: - /* e-data type TD-INVALID-CERTIFICATES */ - krtn = KDC_ERR_REVOKED_CERTIFICATE; - goto cleanup; - case pki_bad_key_use: - krtn = KDC_ERR_INCONSISTENT_KEY_PURPOSE; - /* no e-data */ - goto cleanup; - case pki_bad_digest: - /* undefined (explicitly!) e-data */ - krtn = KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED; - goto cleanup; - case pki_bad_cms: - case pki_cs_other_err: - default: - krtn = KRB5KDC_ERR_PREAUTH_FAILED; - goto cleanup; - } - + case pki_cs_good: + break; + case pki_cs_sig_verify_fail: + /* no e-data */ + krtn = KDC_ERR_INVALID_SIG; + goto cleanup; + case pki_cs_no_root: + case pki_cs_unknown_root: + case pki_cs_untrusted: + /* + * Can't verify to known root. + * e-data TD_TRUSTED_CERTIFIERS + */ + kdcPkinitDebug("verify_pkinit_request: KDC_ERR_CANT_VERIFY_CERTIFICATE\n"); + krtn = KDC_ERR_CANT_VERIFY_CERTIFICATE; + goto cleanup; + case pki_cs_bad_leaf: + case pki_cs_expired: + case pki_cs_not_valid_yet: + /* + * Problems with client cert itself. + * e-data type TD_INVALID_CERTIFICATES + */ + krtn = KDC_ERR_INVALID_CERTIFICATE; + goto cleanup; + case pki_cs_revoked: + /* e-data type TD-INVALID-CERTIFICATES */ + krtn = KDC_ERR_REVOKED_CERTIFICATE; + goto cleanup; + case pki_bad_key_use: + krtn = KDC_ERR_INCONSISTENT_KEY_PURPOSE; + /* no e-data */ + goto cleanup; + case pki_bad_digest: + /* undefined (explicitly!) e-data */ + krtn = KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED; + goto cleanup; + case pki_bad_cms: + case pki_cs_other_err: + default: + krtn = KRB5KDC_ERR_PREAUTH_FAILED; + goto cleanup; + } + krtn = krb5_us_timeofday(context, &kdc_ctime, &kdc_cusec); if(krtn) { - goto cleanup; + goto cleanup; } if (labs(kdc_ctime - client_ctime) > context->clockskew) { - kdcPkinitDebug("verify_pkinit_request: clock skew violation client %d svr %d\n", - (int)client_ctime, (int)kdc_ctime); - krtn = KRB5KRB_AP_ERR_SKEW; - goto cleanup; + kdcPkinitDebug("verify_pkinit_request: clock skew violation client %d svr %d\n", + (int)client_ctime, (int)kdc_ctime); + krtn = KRB5KRB_AP_ERR_SKEW; + goto cleanup; } - + /* * The KDC may have modified the request after decoding it. * We need to compute the checksum on the data that * came from the client. Therefore, we use the original * packet contents. */ - krtn = decode_krb5_as_req(req_pkt, &tmp_as_req); + krtn = decode_krb5_as_req(req_pkt, &tmp_as_req); if(krtn) { - kdcPkinitDebug("decode_krb5_as_req returned %d\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("decode_krb5_as_req returned %d\n", (int)krtn); + goto cleanup; } - + /* calculate and compare checksum */ krtn = encode_krb5_kdc_req_body(tmp_as_req, &der_req); if(krtn) { - kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn); + goto cleanup; } - krtn = krb5_c_verify_checksum(context, NULL, 0, der_req, - &pa_cksum, &valid_cksum); + krtn = krb5_c_verify_checksum(context, NULL, 0, der_req, + &pa_cksum, &valid_cksum); if(krtn) { - kdcPkinitDebug("krb5_c_verify_checksum returned %d\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("krb5_c_verify_checksum returned %d\n", (int)krtn); + goto cleanup; } if(!valid_cksum) { - kdcPkinitDebug("verify_pkinit_request: checksum error\n"); - krtn = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto cleanup; + kdcPkinitDebug("verify_pkinit_request: checksum error\n"); + krtn = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto cleanup; } - - #if REQUIRE_CLIENT_CERT_MATCH + +#if REQUIRE_CLIENT_CERT_MATCH /* look up in the KDB to ensure correct client/cert binding */ cert_hash = krb5_pkinit_cert_hash_str(&client_cert); if(cert_hash == NULL) { - krtn = ENOMEM; - goto cleanup; + krtn = ENOMEM; + goto cleanup; } cert_hash_len = strlen(cert_hash); if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &mkey_ptr))) { @@ -2763,70 +2764,70 @@ static krb5_error_code verify_pkinit_request( } } for(key_dex=0; key_dexn_key_data; key_dex++) { - krb5_key_data *key_data = &client->key_data[key_dex]; - kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n", - key_dex, - key_data->key_data_type[0], key_data->key_data_length[0], - key_data->key_data_type[1], key_data->key_data_length[1]); - if(key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_CERTHASH) { - continue; - } - - /* - * Unfortunately this key is stored encrypted even though it's - * not sensitive... - */ - krtn = krb5_dbekd_decrypt_key_data(context, mkey_ptr, - key_data, &decrypted_key, NULL); - if(krtn) { - kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n"); - break; - } - if((decrypted_key.contents != NULL) && - (cert_hash_len == decrypted_key.length) && - !memcmp(decrypted_key.contents, cert_hash, cert_hash_len)) { - cert_match = 1; - break; - } + krb5_key_data *key_data = &client->key_data[key_dex]; + kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n", + key_dex, + key_data->key_data_type[0], key_data->key_data_length[0], + key_data->key_data_type[1], key_data->key_data_length[1]); + if(key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_CERTHASH) { + continue; + } + + /* + * Unfortunately this key is stored encrypted even though it's + * not sensitive... + */ + krtn = krb5_dbekd_decrypt_key_data(context, mkey_ptr, + key_data, &decrypted_key, NULL); + if(krtn) { + kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n"); + break; + } + if((decrypted_key.contents != NULL) && + (cert_hash_len == decrypted_key.length) && + !memcmp(decrypted_key.contents, cert_hash, cert_hash_len)) { + cert_match = 1; + break; + } } if(decrypted_key.contents) { - krb5_free_keyblock_contents(context, &decrypted_key); + krb5_free_keyblock_contents(context, &decrypted_key); } if(!cert_match) { - kdcPkinitDebug("verify_pkinit_request: client cert does not match\n"); - krtn = KDC_ERR_CLIENT_NOT_TRUSTED; - goto cleanup; - } - #endif /* REQUIRE_CLIENT_CERT_MATCH */ + kdcPkinitDebug("verify_pkinit_request: client cert does not match\n"); + krtn = KDC_ERR_CLIENT_NOT_TRUSTED; + goto cleanup; + } +#endif /* REQUIRE_CLIENT_CERT_MATCH */ krtn = 0; setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH); - + cleanup: if(pa_cksum.contents) { - free(pa_cksum.contents); + free(pa_cksum.contents); } if (tmp_as_req) { - krb5_free_kdc_req(context, tmp_as_req); + krb5_free_kdc_req(context, tmp_as_req); } if (der_req) { - krb5_free_data(context, der_req); + krb5_free_data(context, der_req); } if(cert_hash) { - free(cert_hash); + free(cert_hash); } if(client_cert.data) { - free(client_cert.data); + free(client_cert.data); } kdcPkinitDebug("verify_pkinit_request: returning %d\n", (int)krtn); return krtn; } static krb5_error_code return_pkinit_response( - krb5_context context, - krb5_pa_data * padata, + krb5_context context, + krb5_pa_data * padata, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, + krb5_kdc_req *request, krb5_kdc_rep *reply, krb5_key_data *client_key, krb5_keyblock *encrypting_key, @@ -2835,79 +2836,79 @@ static krb5_error_code return_pkinit_response( void *pa_module_context, void **pa_request_context) { - krb5_error_code krtn; - krb5_data pa_data; - krb5_pkinit_signing_cert_t signing_cert = NULL; - krb5_checksum as_req_checksum = {0}; - krb5_data *encoded_as_req = NULL; - krb5int_algorithm_id *cms_types = NULL; - krb5_ui_4 num_cms_types = 0; + krb5_error_code krtn; + krb5_data pa_data; + krb5_pkinit_signing_cert_t signing_cert = NULL; + krb5_checksum as_req_checksum = {0}; + krb5_data *encoded_as_req = NULL; + krb5int_algorithm_id *cms_types = NULL; + krb5_ui_4 num_cms_types = 0; /* the data we get from the AS-REQ */ - krb5_ui_4 nonce = 0; - krb5_data client_cert = {0}; - - /* + krb5_ui_4 nonce = 0; + krb5_data client_cert = {0}; + + /* * Trusted CA list and specific KC cert optionally obtained via - * krb5int_pkinit_as_req_parse(). All are DER-encoded - * issuerAndSerialNumbers. + * krb5int_pkinit_as_req_parse(). All are DER-encoded + * issuerAndSerialNumbers. */ - krb5_data *trusted_CAs = NULL; - krb5_ui_4 num_trusted_CAs; - krb5_data kdc_cert = {0}; - + krb5_data *trusted_CAs = NULL; + krb5_ui_4 num_trusted_CAs; + krb5_data kdc_cert = {0}; + if (padata == NULL) { - /* Client has to send us something */ - return 0; + /* Client has to send us something */ + return 0; } - + kdcPkinitDebug("return_pkinit_response\n"); pa_data.data = (char *)padata->contents; pa_data.length = padata->length; - /* - * We've already verified; just obtain the fields we need to create a response + /* + * We've already verified; just obtain the fields we need to create a response */ - krtn = krb5int_pkinit_as_req_parse(context, - &pa_data, - NULL, NULL, &nonce, /* ctime, cusec, nonce */ - NULL, NULL, /* pa_cksum, cert_status */ - &num_cms_types, &cms_types, - &client_cert, /* signer_cert: we encrypt for this */ - /* remaining fields unused (for now) */ - NULL, NULL, /* num_all_certs, all_certs */ - &num_trusted_CAs, &trusted_CAs, - &kdc_cert); + krtn = krb5int_pkinit_as_req_parse(context, + &pa_data, + NULL, NULL, &nonce, /* ctime, cusec, nonce */ + NULL, NULL, /* pa_cksum, cert_status */ + &num_cms_types, &cms_types, + &client_cert, /* signer_cert: we encrypt for this */ + /* remaining fields unused (for now) */ + NULL, NULL, /* num_all_certs, all_certs */ + &num_trusted_CAs, &trusted_CAs, + &kdc_cert); if(krtn) { - kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", (int)krtn); + goto cleanup; } if(client_cert.data == NULL) { - kdcPkinitDebug("pa_pk_as_req_parse failed to give a client_cert; aborting.\n"); - krtn = KRB5KDC_ERR_PREAUTH_FAILED; - goto cleanup; + kdcPkinitDebug("pa_pk_as_req_parse failed to give a client_cert; aborting.\n"); + krtn = KRB5KDC_ERR_PREAUTH_FAILED; + goto cleanup; } if(krb5_pkinit_get_kdc_cert(num_trusted_CAs, trusted_CAs, - (kdc_cert.data ? &kdc_cert : NULL), - &signing_cert)) { - /* - * Since get_pkinit_edata was able to obtain *some* KDC cert, - * this means that we can't satisfy the client's requirement. - * FIXME - particular error status for this? - */ - kdcPkinitDebug("return_pkinit_response: NO appropriate signing cert!\n"); - krtn = KRB5KDC_ERR_PREAUTH_FAILED; - goto cleanup; - } - - /* + (kdc_cert.data ? &kdc_cert : NULL), + &signing_cert)) { + /* + * Since get_pkinit_edata was able to obtain *some* KDC cert, + * this means that we can't satisfy the client's requirement. + * FIXME - particular error status for this? + */ + kdcPkinitDebug("return_pkinit_response: NO appropriate signing cert!\n"); + krtn = KRB5KDC_ERR_PREAUTH_FAILED; + goto cleanup; + } + + /* * Cook up keyblock for caller and for outgoing AS-REP. * FIXME how much is known to be valid about encrypting_key? * Will encrypting_key->enctype always be valid here? Seems that * if we allow for clients without a shared secret (i.e. preauth - * by PKINIT only) there won't be a valid encrypting_key set up - * here for us. + * by PKINIT only) there won't be a valid encrypting_key set up + * here for us. */ krb5_free_keyblock_contents(context, encrypting_key); krb5_c_make_random_key(context, encrypting_key->enctype, encrypting_key); @@ -2915,39 +2916,39 @@ static krb5_error_code return_pkinit_response( /* calculate checksum of incoming AS-REQ */ krtn = encode_krb5_as_req(request, &encoded_as_req); if(krtn) { - kdcPkinitDebug("encode_krb5_as_req returned %d; PKINIT aborting.\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("encode_krb5_as_req returned %d; PKINIT aborting.\n", (int)krtn); + goto cleanup; } - krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype, - encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - encoded_as_req, &as_req_checksum); + krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype, + encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + encoded_as_req, &as_req_checksum); if(krtn) { - goto cleanup; + goto cleanup; } - - /* - * FIXME: here we assume that the client has one cert - the one that + + /* + * FIXME: here we assume that the client has one cert - the one that * signed the AuthPack in the request (and that we therefore obtained from - * krb5int_pkinit_as_req_parse()), and the one we're using to encrypt the + * krb5int_pkinit_as_req_parse()), and the one we're using to encrypt the * ReplyKeyPack with here. This may need rethinking. */ - krtn = krb5int_pkinit_as_rep_create(context, - encrypting_key, &as_req_checksum, signing_cert, TRUE, - &client_cert, - num_cms_types, cms_types, - num_trusted_CAs, trusted_CAs, - (kdc_cert.data ? &kdc_cert : NULL), - &pa_data); + krtn = krb5int_pkinit_as_rep_create(context, + encrypting_key, &as_req_checksum, signing_cert, TRUE, + &client_cert, + num_cms_types, cms_types, + num_trusted_CAs, trusted_CAs, + (kdc_cert.data ? &kdc_cert : NULL), + &pa_data); if(krtn) { - kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n", (int)krtn); + goto cleanup; } - + *send_pa = (krb5_pa_data *)malloc(sizeof(krb5_pa_data)); if(*send_pa == NULL) { - krtn = ENOMEM; - free(pa_data.data); - goto cleanup; + krtn = ENOMEM; + free(pa_data.data); + goto cleanup; } (*send_pa)->magic = KV5M_PA_DATA; (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP; @@ -2955,49 +2956,49 @@ static krb5_error_code return_pkinit_response( (*send_pa)->contents = (krb5_octet *)pa_data.data; krtn = 0; - #if PKINIT_DEBUG +#if PKINIT_DEBUG fprintf(stderr, "return_pkinit_response: SUCCESS\n"); fprintf(stderr, "nonce 0x%x enctype %d keydata %02x %02x %02x %02x...\n", - (int)nonce, (int)encrypting_key->enctype, - encrypting_key->contents[0], encrypting_key->contents[1], - encrypting_key->contents[2], encrypting_key->contents[3]); - #endif + (int)nonce, (int)encrypting_key->enctype, + encrypting_key->contents[0], encrypting_key->contents[1], + encrypting_key->contents[2], encrypting_key->contents[3]); +#endif cleanup: /* all of this was allocd by krb5int_pkinit_as_req_parse() */ if(signing_cert) { - krb5_pkinit_release_cert(signing_cert); + krb5_pkinit_release_cert(signing_cert); } if(cms_types) { - unsigned dex; - krb5int_algorithm_id *alg_id; - - for(dex=0; dexalgorithm.data) { - free(alg_id->algorithm.data); - } - if(alg_id->parameters.data) { - free(alg_id->parameters.data); - } - } - free(cms_types); + unsigned dex; + krb5int_algorithm_id *alg_id; + + for(dex=0; dexalgorithm.data) { + free(alg_id->algorithm.data); + } + if(alg_id->parameters.data) { + free(alg_id->parameters.data); + } + } + free(cms_types); } if(trusted_CAs) { - unsigned dex; - for(dex=0; dexpadata == NULL) { - return retval; + return retval; } for (padata = request->padata; *padata != NULL; padata++) { - if ((*padata)->pa_type == KRB5_PADATA_PAC_REQUEST) { - data.data = (char *)(*padata)->contents; - data.length = (*padata)->length; - - code = decode_krb5_pa_pac_req(&data, &req); - if (code == 0) { - retval = req->include_pac; - krb5_free_pa_pac_req(context, req); - req = NULL; - } - break; - } + if ((*padata)->pa_type == KRB5_PADATA_PAC_REQUEST) { + data.data = (char *)(*padata)->contents; + data.length = (*padata)->length; + + code = decode_krb5_pa_pac_req(&data, &req); + if (code == 0) { + retval = req->include_pac; + krb5_free_pa_pac_req(context, req); + req = NULL; + } + break; + } } return retval; @@ -3040,12 +3041,12 @@ include_pac_p(krb5_context context, krb5_kdc_req *request) krb5_error_code return_svr_referral_data(krb5_context context, - krb5_db_entry *server, - krb5_enc_kdc_rep_part *reply_encpart) + krb5_db_entry *server, + krb5_enc_kdc_rep_part *reply_encpart) { - krb5_error_code code; - krb5_tl_data tl_data; - krb5_pa_data *pa_data; + krb5_error_code code; + krb5_tl_data tl_data; + krb5_pa_data *pa_data; /* This should be initialized and only used for Win2K compat */ assert(reply_encpart->enc_padata == NULL); @@ -3054,28 +3055,28 @@ return_svr_referral_data(krb5_context context, code = krb5_dbe_lookup_tl_data(context, server, &tl_data); if (code || tl_data.tl_data_length == 0) - return 0; /* no server referrals to return */ + return 0; /* no server referrals to return */ pa_data = (krb5_pa_data *)malloc(sizeof(*pa_data)); if (pa_data == NULL) - return ENOMEM; + return ENOMEM; pa_data->magic = KV5M_PA_DATA; pa_data->pa_type = KRB5_PADATA_SVR_REFERRAL_INFO; pa_data->length = tl_data.tl_data_length; pa_data->contents = malloc(pa_data->length); if (pa_data->contents == NULL) { - free(pa_data); - return ENOMEM; + free(pa_data); + return ENOMEM; } memcpy(pa_data->contents, tl_data.tl_data_contents, tl_data.tl_data_length); reply_encpart->enc_padata = (krb5_pa_data **)calloc(2, sizeof(krb5_pa_data *)); if (reply_encpart->enc_padata == NULL) { - free(pa_data->contents); - free(pa_data); - return ENOMEM; - } + free(pa_data->contents); + free(pa_data); + return ENOMEM; + } reply_encpart->enc_padata[0] = pa_data; reply_encpart->enc_padata[1] = NULL; @@ -3085,20 +3086,20 @@ return_svr_referral_data(krb5_context context, #if 0 static krb5_error_code return_server_referral(krb5_context context, - krb5_pa_data * padata, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa) + krb5_pa_data * padata, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa) { - krb5_error_code code; - krb5_tl_data tl_data; - krb5_pa_data *pa_data; - krb5_enc_data enc_data; - krb5_data plain; - krb5_data *enc_pa_data; + krb5_error_code code; + krb5_tl_data tl_data; + krb5_pa_data *pa_data; + krb5_enc_data enc_data; + krb5_data plain; + krb5_data *enc_pa_data; *send_pa = NULL; @@ -3106,23 +3107,23 @@ static krb5_error_code return_server_referral(krb5_context context, code = krb5_dbe_lookup_tl_data(context, server, &tl_data); if (code || tl_data.tl_data_length == 0) - return 0; /* no server referrals to return */ + return 0; /* no server referrals to return */ plain.length = tl_data.tl_data_length; plain.data = tl_data.tl_data_contents; /* Encrypt ServerReferralData */ code = krb5_encrypt_helper(context, encrypting_key, - KRB5_KEYUSAGE_PA_SERVER_REFERRAL_DATA, - &plain, &enc_data); + KRB5_KEYUSAGE_PA_SERVER_REFERRAL_DATA, + &plain, &enc_data); if (code) - return code; + return code; /* Encode ServerReferralData into PA-SERVER-REFERRAL-DATA */ code = encode_krb5_enc_data(&enc_data, &enc_pa_data); if (code) { - krb5_free_data_contents(context, &enc_data.ciphertext); - return code; + krb5_free_data_contents(context, &enc_data.ciphertext); + return code; } krb5_free_data_contents(context, &enc_data.ciphertext); @@ -3130,8 +3131,8 @@ static krb5_error_code return_server_referral(krb5_context context, /* Return PA-SERVER-REFERRAL-DATA */ pa_data = (krb5_pa_data *)malloc(sizeof(*pa_data)); if (pa_data == NULL) { - krb5_free_data(context, enc_pa_data); - return ENOMEM; + krb5_free_data(context, enc_pa_data); + return ENOMEM; } pa_data->magic = KV5M_PA_DATA; diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 96dc34135..39c6be600 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/kdc_util.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Utility functions for the KDC implementation. */ @@ -82,9 +83,9 @@ const int vague_errors = 0; krb5_error_code kdc_initialize_rcache(krb5_context kcontext, char *rcache_name) { - krb5_error_code retval; - char *rcname; - char *sname; + krb5_error_code retval; + char *rcname; + char *sname; rcname = (rcache_name) ? rcache_name : kdc_current_rcname; @@ -93,24 +94,24 @@ kdc_initialize_rcache(krb5_context kcontext, char *rcache_name) rc_lifetime = kcontext->clockskew; if (!rcname) - rcname = KDCRCACHE; + rcname = KDCRCACHE; if (!(retval = krb5_rc_resolve_full(kcontext, &kdc_rcache, rcname))) { - /* Recover or initialize the replay cache */ - if (!(retval = krb5_rc_recover(kcontext, kdc_rcache)) || - !(retval = krb5_rc_initialize(kcontext, - kdc_rcache, - kcontext->clockskew)) - ) { - /* Expunge the replay cache */ - if (!(retval = krb5_rc_expunge(kcontext, kdc_rcache))) { - sname = kdc_current_rcname; - kdc_current_rcname = strdup(rcname); - if (sname) - free(sname); - } - } - if (retval) - krb5_rc_close(kcontext, kdc_rcache); + /* Recover or initialize the replay cache */ + if (!(retval = krb5_rc_recover(kcontext, kdc_rcache)) || + !(retval = krb5_rc_initialize(kcontext, + kdc_rcache, + kcontext->clockskew)) + ) { + /* Expunge the replay cache */ + if (!(retval = krb5_rc_expunge(kcontext, kdc_rcache))) { + sname = kdc_current_rcname; + kdc_current_rcname = strdup(rcname); + if (sname) + free(sname); + } + } + if (retval) + krb5_rc_close(kcontext, kdc_rcache); } return(retval); } @@ -122,7 +123,7 @@ kdc_initialize_rcache(krb5_context kcontext, char *rcache_name) */ krb5_error_code concat_authorization_data(krb5_authdata **first, krb5_authdata **second, - krb5_authdata ***output) + krb5_authdata ***output) { register int i, j; register krb5_authdata **ptr, **retdata; @@ -130,37 +131,37 @@ concat_authorization_data(krb5_authdata **first, krb5_authdata **second, /* count up the entries */ i = 0; if (first) - for (ptr = first; *ptr; ptr++) - i++; + for (ptr = first; *ptr; ptr++) + i++; if (second) - for (ptr = second; *ptr; ptr++) - i++; - + for (ptr = second; *ptr; ptr++) + i++; + retdata = (krb5_authdata **)malloc((i+1)*sizeof(*retdata)); if (!retdata) - return ENOMEM; - retdata[i] = 0; /* null-terminated array */ + return ENOMEM; + retdata[i] = 0; /* null-terminated array */ for (i = 0, j = 0, ptr = first; j < 2 ; ptr = second, j++) - while (ptr && *ptr) { - /* now walk & copy */ - retdata[i] = (krb5_authdata *)malloc(sizeof(*retdata[i])); - if (!retdata[i]) { - krb5_free_authdata(kdc_context, retdata); - return ENOMEM; - } - *retdata[i] = **ptr; - if (!(retdata[i]->contents = - (krb5_octet *)malloc(retdata[i]->length))) { - free(retdata[i]); - retdata[i] = 0; - krb5_free_authdata(kdc_context, retdata); - return ENOMEM; - } - memcpy(retdata[i]->contents, (*ptr)->contents, retdata[i]->length); - - ptr++; - i++; - } + while (ptr && *ptr) { + /* now walk & copy */ + retdata[i] = (krb5_authdata *)malloc(sizeof(*retdata[i])); + if (!retdata[i]) { + krb5_free_authdata(kdc_context, retdata); + return ENOMEM; + } + *retdata[i] = **ptr; + if (!(retdata[i]->contents = + (krb5_octet *)malloc(retdata[i]->length))) { + free(retdata[i]); + retdata[i] = 0; + krb5_free_authdata(kdc_context, retdata); + return ENOMEM; + } + memcpy(retdata[i]->contents, (*ptr)->contents, retdata[i]->length); + + ptr++; + i++; + } *output = retdata; return 0; } @@ -184,9 +185,9 @@ is_local_principal(krb5_const_principal princ1) krb5_boolean krb5_is_tgs_principal(krb5_const_principal principal) { if ((krb5_princ_size(kdc_context, principal) > 0) && - data_eq_string (*krb5_princ_component(kdc_context, principal, 0), - KRB5_TGS_NAME)) - return TRUE; + data_eq_string (*krb5_princ_component(kdc_context, principal, 0), + KRB5_TGS_NAME)) + return TRUE; return FALSE; } @@ -196,26 +197,26 @@ krb5_boolean krb5_is_tgs_principal(krb5_const_principal principal) */ static krb5_error_code comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket, - krb5_checksum *his_cksum) + krb5_checksum *his_cksum) { - krb5_error_code retval; - krb5_boolean valid; + krb5_error_code retval; + krb5_boolean valid; - if (!krb5_c_valid_cksumtype(his_cksum->checksum_type)) - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + if (!krb5_c_valid_cksumtype(his_cksum->checksum_type)) + return KRB5KDC_ERR_SUMTYPE_NOSUPP; /* must be collision proof */ if (!krb5_c_is_coll_proof_cksum(his_cksum->checksum_type)) - return KRB5KRB_AP_ERR_INAPP_CKSUM; + return KRB5KRB_AP_ERR_INAPP_CKSUM; /* verify checksum */ if ((retval = krb5_c_verify_checksum(kcontext, ticket->enc_part2->session, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - source, his_cksum, &valid))) - return(retval); + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + source, his_cksum, &valid))) + return(retval); if (!valid) - return(KRB5KRB_AP_ERR_BAD_INTEGRITY); + return(KRB5KRB_AP_ERR_BAD_INTEGRITY); return(0); } @@ -226,180 +227,180 @@ find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type) return krb5int_find_pa_data(kdc_context, padata, pa_type); } -krb5_error_code +krb5_error_code kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, - krb5_data *pkt, krb5_ticket **ticket, - krb5_db_entry *krbtgt, int *nprincs, - krb5_keyblock **tgskey, - krb5_keyblock **subkey, - krb5_pa_data **pa_tgs_req) + krb5_data *pkt, krb5_ticket **ticket, + krb5_db_entry *krbtgt, int *nprincs, + krb5_keyblock **tgskey, + krb5_keyblock **subkey, + krb5_pa_data **pa_tgs_req) { krb5_pa_data * tmppa; - krb5_ap_req * apreq; - krb5_error_code retval; + krb5_ap_req * apreq; + krb5_error_code retval; krb5_authdata **authdata = NULL; - krb5_data scratch1; - krb5_data * scratch = NULL; - krb5_boolean foreign_server = FALSE; - krb5_auth_context auth_context = NULL; - krb5_authenticator * authenticator = NULL; - krb5_checksum * his_cksum = NULL; - krb5_kvno kvno = 0; + krb5_data scratch1; + krb5_data * scratch = NULL; + krb5_boolean foreign_server = FALSE; + krb5_auth_context auth_context = NULL; + krb5_authenticator * authenticator = NULL; + krb5_checksum * his_cksum = NULL; + krb5_kvno kvno = 0; *nprincs = 0; *tgskey = NULL; tmppa = find_pa_data(request->padata, KRB5_PADATA_AP_REQ); if (!tmppa) - return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; scratch1.length = tmppa->length; scratch1.data = (char *)tmppa->contents; if ((retval = decode_krb5_ap_req(&scratch1, &apreq))) - return retval; + return retval; if (isflagset(apreq->ap_options, AP_OPTS_USE_SESSION_KEY) || - isflagset(apreq->ap_options, AP_OPTS_MUTUAL_REQUIRED)) { - krb5_klog_syslog(LOG_INFO, "TGS_REQ: SESSION KEY or MUTUAL"); - retval = KRB5KDC_ERR_POLICY; - goto cleanup; + isflagset(apreq->ap_options, AP_OPTS_MUTUAL_REQUIRED)) { + krb5_klog_syslog(LOG_INFO, "TGS_REQ: SESSION KEY or MUTUAL"); + retval = KRB5KDC_ERR_POLICY; + goto cleanup; } /* If the "server" principal in the ticket is not something in the local realm, then we must refuse to service the request if the client claims to be from the local realm. - + If we don't do this, then some other realm's nasty KDC can claim to be authenticating a client from our realm, and we'll give out tickets concurring with it! - + we set a flag here for checking below. - */ + */ foreign_server = !is_local_principal(apreq->ticket->server); if ((retval = krb5_auth_con_init(kdc_context, &auth_context))) - goto cleanup; + goto cleanup; if ((retval = krb5_auth_con_setaddrs(kdc_context, auth_context, NULL, - from->address)) ) - goto cleanup_auth_context; + from->address)) ) + goto cleanup_auth_context; #ifdef USE_RCACHE if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, - kdc_rcache))) - goto cleanup_auth_context; + kdc_rcache))) + goto cleanup_auth_context; #endif if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server, - krbtgt, nprincs, tgskey, &kvno))) - goto cleanup_auth_context; + krbtgt, nprincs, tgskey, &kvno))) + goto cleanup_auth_context; /* * We do not use the KDB keytab because other parts of the TGS need the TGT key. */ retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context, *tgskey); - if (retval) - goto cleanup_auth_context; + if (retval) + goto cleanup_auth_context; - if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, - apreq->ticket->server, - kdc_active_realm->realm_keytab, - NULL, ticket))) { + if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, + apreq->ticket->server, + kdc_active_realm->realm_keytab, + NULL, ticket))) { #ifdef USE_RCACHE - /* - * I'm not so sure that this is right, but it's better than nothing - * at all. - * - * If we choke in the rd_req because of the replay cache, then attempt - * to reinitialize the replay cache because somebody could have deleted - * it from underneath us (e.g. a cron job) - */ - if ((retval == KRB5_RC_IO_IO) || - (retval == KRB5_RC_IO_UNKNOWN)) { - (void) krb5_rc_close(kdc_context, kdc_rcache); - kdc_rcache = (krb5_rcache) NULL; - if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) { - if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, - kdc_rcache)) || - (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, - apreq, apreq->ticket->server, - kdc_active_realm->realm_keytab, - NULL, ticket)) - ) - goto cleanup_auth_context; - } - } else - goto cleanup_auth_context; + /* + * I'm not so sure that this is right, but it's better than nothing + * at all. + * + * If we choke in the rd_req because of the replay cache, then attempt + * to reinitialize the replay cache because somebody could have deleted + * it from underneath us (e.g. a cron job) + */ + if ((retval == KRB5_RC_IO_IO) || + (retval == KRB5_RC_IO_UNKNOWN)) { + (void) krb5_rc_close(kdc_context, kdc_rcache); + kdc_rcache = (krb5_rcache) NULL; + if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) { + if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, + kdc_rcache)) || + (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, + apreq, apreq->ticket->server, + kdc_active_realm->realm_keytab, + NULL, ticket)) + ) + goto cleanup_auth_context; + } + } else + goto cleanup_auth_context; #else - goto cleanup_auth_context; + goto cleanup_auth_context; #endif } /* "invalid flag" tickets can must be used to validate */ if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID) - && !isflagset(request->kdc_options, KDC_OPT_VALIDATE)) { + && !isflagset(request->kdc_options, KDC_OPT_VALIDATE)) { retval = KRB5KRB_AP_ERR_TKT_INVALID; - goto cleanup_auth_context; + goto cleanup_auth_context; } if ((retval = krb5_auth_con_getrecvsubkey(kdc_context, - auth_context, subkey))) - goto cleanup_auth_context; + auth_context, subkey))) + goto cleanup_auth_context; if ((retval = krb5_auth_con_getauthenticator(kdc_context, auth_context, - &authenticator))) - goto cleanup_auth_context; + &authenticator))) + goto cleanup_auth_context; retval = krb5int_find_authdata(kdc_context, - (*ticket)->enc_part2->authorization_data, - authenticator->authorization_data, - KRB5_AUTHDATA_FX_ARMOR, &authdata); + (*ticket)->enc_part2->authorization_data, + authenticator->authorization_data, + KRB5_AUTHDATA_FX_ARMOR, &authdata); if (retval != 0) - goto cleanup_authenticator; - if (authdata&& authdata[0]) { - krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, - "ticket valid only as FAST armor"); - retval = KRB5KDC_ERR_POLICY; - krb5_free_authdata(kdc_context, authdata); - goto cleanup_authenticator; + goto cleanup_authenticator; + if (authdata&& authdata[0]) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "ticket valid only as FAST armor"); + retval = KRB5KDC_ERR_POLICY; + krb5_free_authdata(kdc_context, authdata); + goto cleanup_authenticator; } krb5_free_authdata(kdc_context, authdata); - - + + /* Check for a checksum */ if (!(his_cksum = authenticator->checksum)) { - retval = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto cleanup_authenticator; + retval = KRB5KRB_AP_ERR_INAPP_CKSUM; + goto cleanup_authenticator; } /* make sure the client is of proper lineage (see above) */ if (foreign_server && - !find_pa_data(request->padata, KRB5_PADATA_FOR_USER)) { - if (is_local_principal((*ticket)->enc_part2->client)) { - /* someone in a foreign realm claiming to be local */ - krb5_klog_syslog(LOG_INFO, "PROCESS_TGS: failed lineage check"); - retval = KRB5KDC_ERR_POLICY; - goto cleanup_authenticator; - } + !find_pa_data(request->padata, KRB5_PADATA_FOR_USER)) { + if (is_local_principal((*ticket)->enc_part2->client)) { + /* someone in a foreign realm claiming to be local */ + krb5_klog_syslog(LOG_INFO, "PROCESS_TGS: failed lineage check"); + retval = KRB5KDC_ERR_POLICY; + goto cleanup_authenticator; + } } /* * Check application checksum vs. tgs request - * + * * We try checksumming the req-body two different ways: first we * try reaching into the raw asn.1 stream (if available), and * checksum that directly; if that fails, then we try encoding * using our local asn.1 library. */ if (pkt && (fetch_asn1_field((unsigned char *) pkt->data, - 1, 4, &scratch1) >= 0)) { - if (comp_cksum(kdc_context, &scratch1, *ticket, his_cksum)) { - if (!(retval = encode_krb5_kdc_req_body(request, &scratch))) - retval = comp_cksum(kdc_context, scratch, *ticket, his_cksum); - krb5_free_data(kdc_context, scratch); - } + 1, 4, &scratch1) >= 0)) { + if (comp_cksum(kdc_context, &scratch1, *ticket, his_cksum)) { + if (!(retval = encode_krb5_kdc_req_body(request, &scratch))) + retval = comp_cksum(kdc_context, scratch, *ticket, his_cksum); + krb5_free_data(kdc_context, scratch); + } } if (retval == 0) - *pa_tgs_req = tmppa; + *pa_tgs_req = tmppa; cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); @@ -412,15 +413,15 @@ cleanup_auth_context: cleanup: if (retval != 0) { - krb5_free_keyblock(kdc_context, *tgskey); - *tgskey = NULL; + krb5_free_keyblock(kdc_context, *tgskey); + *tgskey = NULL; } krb5_free_ap_req(kdc_context, apreq); return retval; } -/* XXX This function should no longer be necessary. - * The KDC should take the keytab associated with the realm and pass that to +/* XXX This function should no longer be necessary. + * The KDC should take the keytab associated with the realm and pass that to * the krb5_rd_req_decode(). --proven * * It's actually still used by do_tgs_req() for u2u auth, and not too @@ -428,42 +429,42 @@ cleanup: */ krb5_error_code kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, - krb5_boolean match_enctype, krb5_db_entry *server, - int *nprincs, krb5_keyblock **key, krb5_kvno *kvno) + krb5_boolean match_enctype, krb5_db_entry *server, + int *nprincs, krb5_keyblock **key, krb5_kvno *kvno) { - krb5_error_code retval; - krb5_boolean more, similar; - krb5_key_data * server_key; + krb5_error_code retval; + krb5_boolean more, similar; + krb5_key_data * server_key; krb5_keyblock * mkey_ptr; *nprincs = 1; retval = krb5_db_get_principal_ext(kdc_context, - ticket->server, - flags, - server, - nprincs, - &more); + ticket->server, + flags, + server, + nprincs, + &more); if (retval) { - return(retval); + return(retval); } if (more) { - return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); + return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); } else if (*nprincs != 1) { - char *sname; + char *sname; - if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { - limit_string(sname); - krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", - sname); - free(sname); - } - return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); + if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { + limit_string(sname); + krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", + sname); + free(sname); + } + return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); } if (server->attributes & KRB5_KDB_DISALLOW_SVR || - server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) { - retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto errout; + server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) { + retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto errout; } if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, @@ -475,7 +476,7 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, &master_keyblock, 0, &tmp_mkey_list) == 0) { krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; - retval = krb5_db_set_mkey_list(kdc_context, master_keylist); + retval = krb5_db_set_mkey_list(kdc_context, master_keylist); if (retval) goto errout; if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, @@ -488,9 +489,9 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, } retval = krb5_dbe_find_enctype(kdc_context, server, - match_enctype ? ticket->enc_part.enctype : -1, - -1, (krb5_int32)ticket->enc_part.kvno, - &server_key); + match_enctype ? ticket->enc_part.enctype : -1, + -1, (krb5_int32)ticket->enc_part.kvno, + &server_key); if (retval) goto errout; if (!server_key) { @@ -498,25 +499,25 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, goto errout; } if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { - retval = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, - server_key, - *key, NULL); + retval = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, + server_key, + *key, NULL); } else - retval = ENOMEM; + retval = ENOMEM; retval = krb5_c_enctype_compare(kdc_context, ticket->enc_part.enctype, - (*key)->enctype, &similar); + (*key)->enctype, &similar); if (retval) - goto errout; + goto errout; if (!similar) { - retval = KRB5_KDB_NO_PERMITTED_KEY; - goto errout; + retval = KRB5_KDB_NO_PERMITTED_KEY; + goto errout; } (*key)->enctype = ticket->enc_part.enctype; *kvno = server_key->key_data_kvno; errout: if (retval != 0) { - krb5_db_free_principal(kdc_context, server, *nprincs); - *nprincs = 0; + krb5_db_free_principal(kdc_context, server, *nprincs); + *nprincs = 0; } return retval; @@ -547,13 +548,13 @@ check_hot_list(krb5_ticket *ticket) #define MAX_REALM_LN 500 -/* +/* * subrealm - determine if r2 is a subrealm of r1 * - * SUBREALM takes two realms, r1 and r2, and - * determines if r2 is a subrealm of r1. + * SUBREALM takes two realms, r1 and r2, and + * determines if r2 is a subrealm of r1. * r2 is a subrealm of r1 if (r1 is a prefix - * of r2 AND r1 and r2 begin with a /) or if + * of r2 AND r1 and r2 begin with a /) or if * (r1 is a suffix of r2 and neither r1 nor r2 * begin with a /). * @@ -576,7 +577,7 @@ subrealm(char *r1, char *r2) if(l2 <= l1) return(0); if((*r1 == '/') && (*r2 == '/') && (strncmp(r1,r2,l1) == 0)) return(l1-l2); if((*r1 != '/') && (*r2 != '/') && (strncmp(r1,r2+l2-l1,l1) == 0)) - return(l2-l1); + return(l2-l1); return(0); } @@ -585,7 +586,7 @@ subrealm(char *r1, char *r2) * ticket granting ticket on which the new ticket to * be issued is based (note that this is the same as * the realm of the server listed in the ticket - * granting ticket. + * granting ticket. * * ASSUMPTIONS: This procedure assumes that the transited field from * the existing ticket granting ticket already appears @@ -616,21 +617,21 @@ subrealm(char *r1, char *r2) * * MODIFIES: new_trans: ->length will contain the length of the new * transited field. - * + * * If ->data was not null when this procedure * is called, the memory referenced by ->data - * will be deallocated. + * will be deallocated. * * Memory will be allocated for the new transited field * ->data will be updated to point to the newly - * allocated memory. + * allocated memory. * * BUGS: The space allocated for the new transited field is the * maximum that might be needed given the old transited field, * and the realm to be added. This length is calculated * assuming that no compression of the new realm is possible. * This has no adverse consequences other than the allocation - * of more space than required. + * of more space than required. * * This procedure will not yet use the null subfield notation, * and it will get confused if it sees it. @@ -645,283 +646,283 @@ data2string (krb5_data *d) char *s; s = malloc(d->length + 1); if (s) { - memcpy(s, d->data, d->length); - s[d->length] = 0; + memcpy(s, d->data, d->length); + s[d->length] = 0; } return s; } -krb5_error_code +krb5_error_code add_to_transited(krb5_data *tgt_trans, krb5_data *new_trans, - krb5_principal tgs, krb5_principal client, - krb5_principal server) + krb5_principal tgs, krb5_principal client, + krb5_principal server) { - krb5_error_code retval; - char *realm; - char *trans; - char *otrans, *otrans_ptr; - size_t bufsize; - - /* The following are for stepping through the transited field */ - - char prev[MAX_REALM_LN]; - char next[MAX_REALM_LN]; - char current[MAX_REALM_LN]; - char exp[MAX_REALM_LN]; /* Expanded current realm name */ - - int i; - int clst, nlst; /* count of last character in current and next */ - int pl, pl1; /* prefix length */ - int added; /* TRUE = new realm has been added */ - - realm = data2string(krb5_princ_realm(kdc_context, tgs)); - if (realm == NULL) - return(ENOMEM); - - otrans = data2string(tgt_trans); - if (otrans == NULL) { - free(realm); - return(ENOMEM); - } - /* Keep track of start so we can free */ - otrans_ptr = otrans; - - /* +1 for null, - +1 for extra comma which may be added between - +1 for potential space when leading slash in realm */ - bufsize = strlen(realm) + strlen(otrans) + 3; - if (bufsize > MAX_REALM_LN) - bufsize = MAX_REALM_LN; - if (!(trans = (char *) malloc(bufsize))) { - retval = ENOMEM; - goto fail; - } - - if (new_trans->data) free(new_trans->data); - new_trans->data = trans; - new_trans->length = 0; - - trans[0] = '\0'; - - /* For the purpose of appending, the realm preceding the first */ - /* realm in the transited field is considered the null realm */ - - prev[0] = '\0'; - - /* read field into current */ - for (i = 0; *otrans != '\0';) { - if (*otrans == '\\') { - if (*(++otrans) == '\0') - break; - else - continue; - } - if (*otrans == ',') { - otrans++; - break; - } - current[i++] = *otrans++; - if (i >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - } - current[i] = '\0'; - - added = (krb5_princ_realm(kdc_context, client)->length == strlen(realm) && - !strncmp(krb5_princ_realm(kdc_context, client)->data, realm, strlen(realm))) || - (krb5_princ_realm(kdc_context, server)->length == strlen(realm) && - !strncmp(krb5_princ_realm(kdc_context, server)->data, realm, strlen(realm))); - - while (current[0]) { - - /* figure out expanded form of current name */ - - clst = strlen(current) - 1; - if (current[0] == ' ') { - strncpy(exp, current+1, sizeof(exp) - 1); - exp[sizeof(exp) - 1] = '\0'; - } - else if ((current[0] == '/') && (prev[0] == '/')) { - strncpy(exp, prev, sizeof(exp) - 1); - exp[sizeof(exp) - 1] = '\0'; - if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - strncat(exp, current, sizeof(exp) - 1 - strlen(exp)); - } - else if (current[clst] == '.') { - strncpy(exp, current, sizeof(exp) - 1); - exp[sizeof(exp) - 1] = '\0'; - if (strlen(exp) + strlen(prev) + 1 >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - strncat(exp, prev, sizeof(exp) - 1 - strlen(exp)); - } - else { - strncpy(exp, current, sizeof(exp) - 1); - exp[sizeof(exp) - 1] = '\0'; - } - - /* read field into next */ - for (i = 0; *otrans != '\0';) { - if (*otrans == '\\') { - if (*(++otrans) == '\0') - break; - else - continue; - } - if (*otrans == ',') { - otrans++; - break; - } - next[i++] = *otrans++; - if (i >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - } - next[i] = '\0'; - nlst = i - 1; - - if (!strcmp(exp, realm)) added = TRUE; - - /* If we still have to insert the new realm */ + krb5_error_code retval; + char *realm; + char *trans; + char *otrans, *otrans_ptr; + size_t bufsize; - if (!added) { + /* The following are for stepping through the transited field */ + + char prev[MAX_REALM_LN]; + char next[MAX_REALM_LN]; + char current[MAX_REALM_LN]; + char exp[MAX_REALM_LN]; /* Expanded current realm name */ + + int i; + int clst, nlst; /* count of last character in current and next */ + int pl, pl1; /* prefix length */ + int added; /* TRUE = new realm has been added */ + + realm = data2string(krb5_princ_realm(kdc_context, tgs)); + if (realm == NULL) + return(ENOMEM); - /* Is the next field compressed? If not, and if the new */ - /* realm is a subrealm of the current realm, compress */ - /* the new realm, and insert immediately following the */ - /* current one. Note that we can not do this if the next*/ - /* field is already compressed since it would mess up */ - /* what has already been done. In most cases, this is */ - /* not a problem because the realm to be added will be a */ - /* subrealm of the next field too, and we will catch */ - /* it in a future iteration. */ - - /* Note that the second test here is an unsigned comparison, - so the first half (or a cast) is also required. */ - assert(nlst < 0 || nlst < (int)sizeof(next)); - if ((nlst < 0 || next[nlst] != '.') && - (next[0] != '/') && - (pl = subrealm(exp, realm))) { - added = TRUE; - current[sizeof(current) - 1] = '\0'; - if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - strncat(current, ",", sizeof(current) - 1 - strlen(current)); - if (pl > 0) { - strncat(current, realm, (unsigned) pl); + otrans = data2string(tgt_trans); + if (otrans == NULL) { + free(realm); + return(ENOMEM); + } + /* Keep track of start so we can free */ + otrans_ptr = otrans; + + /* +1 for null, + +1 for extra comma which may be added between + +1 for potential space when leading slash in realm */ + bufsize = strlen(realm) + strlen(otrans) + 3; + if (bufsize > MAX_REALM_LN) + bufsize = MAX_REALM_LN; + if (!(trans = (char *) malloc(bufsize))) { + retval = ENOMEM; + goto fail; + } + + if (new_trans->data) free(new_trans->data); + new_trans->data = trans; + new_trans->length = 0; + + trans[0] = '\0'; + + /* For the purpose of appending, the realm preceding the first */ + /* realm in the transited field is considered the null realm */ + + prev[0] = '\0'; + + /* read field into current */ + for (i = 0; *otrans != '\0';) { + if (*otrans == '\\') { + if (*(++otrans) == '\0') + break; + else + continue; } - else { - strncat(current, realm+strlen(realm)+pl, (unsigned) (-pl)); + if (*otrans == ',') { + otrans++; + break; } - } - - /* Whether or not the next field is compressed, if the */ - /* realm to be added is a superrealm of the current realm,*/ - /* then the current realm can be compressed. First the */ - /* realm to be added must be compressed relative to the */ - /* previous realm (if possible), and then the current */ - /* realm compressed relative to the new realm. Note that */ - /* if the realm to be added is also a superrealm of the */ - /* previous realm, it would have been added earlier, and */ - /* we would not reach this step this time around. */ - - else if ((pl = subrealm(realm, exp))) { - added = TRUE; - current[0] = '\0'; - if ((pl1 = subrealm(prev,realm))) { - if (strlen(current) + (pl1>0?pl1:-pl1) + 1 >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - if (pl1 > 0) { - strncat(current, realm, (unsigned) pl1); - } - else { - strncat(current, realm+strlen(realm)+pl1, (unsigned) (-pl1)); - } + current[i++] = *otrans++; + if (i >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; } - else { /* If not a subrealm */ - if ((realm[0] == '/') && prev[0]) { - if (strlen(current) + 2 >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - strncat(current, " ", sizeof(current) - 1 - strlen(current)); - current[sizeof(current) - 1] = '\0'; - } - if (strlen(current) + strlen(realm) + 1 >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - strncat(current, realm, sizeof(current) - 1 - strlen(current)); - current[sizeof(current) - 1] = '\0'; + } + current[i] = '\0'; + + added = (krb5_princ_realm(kdc_context, client)->length == strlen(realm) && + !strncmp(krb5_princ_realm(kdc_context, client)->data, realm, strlen(realm))) || + (krb5_princ_realm(kdc_context, server)->length == strlen(realm) && + !strncmp(krb5_princ_realm(kdc_context, server)->data, realm, strlen(realm))); + + while (current[0]) { + + /* figure out expanded form of current name */ + + clst = strlen(current) - 1; + if (current[0] == ' ') { + strncpy(exp, current+1, sizeof(exp) - 1); + exp[sizeof(exp) - 1] = '\0'; } - if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - strncat(current,",", sizeof(current) - 1 - strlen(current)); - current[sizeof(current) - 1] = '\0'; - if (pl > 0) { - strncat(current, exp, (unsigned) pl); + else if ((current[0] == '/') && (prev[0] == '/')) { + strncpy(exp, prev, sizeof(exp) - 1); + exp[sizeof(exp) - 1] = '\0'; + if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strncat(exp, current, sizeof(exp) - 1 - strlen(exp)); + } + else if (current[clst] == '.') { + strncpy(exp, current, sizeof(exp) - 1); + exp[sizeof(exp) - 1] = '\0'; + if (strlen(exp) + strlen(prev) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strncat(exp, prev, sizeof(exp) - 1 - strlen(exp)); } else { - strncat(current, exp+strlen(exp)+pl, (unsigned)(-pl)); + strncpy(exp, current, sizeof(exp) - 1); + exp[sizeof(exp) - 1] = '\0'; } - } - } - if (new_trans->length != 0) { - if (strlcat(trans, ",", bufsize) >= bufsize) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - } - if (strlcat(trans, current, bufsize) >= bufsize) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - new_trans->length = strlen(trans); + /* read field into next */ + for (i = 0; *otrans != '\0';) { + if (*otrans == '\\') { + if (*(++otrans) == '\0') + break; + else + continue; + } + if (*otrans == ',') { + otrans++; + break; + } + next[i++] = *otrans++; + if (i >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + } + next[i] = '\0'; + nlst = i - 1; + + if (!strcmp(exp, realm)) added = TRUE; + + /* If we still have to insert the new realm */ + + if (!added) { + + /* Is the next field compressed? If not, and if the new */ + /* realm is a subrealm of the current realm, compress */ + /* the new realm, and insert immediately following the */ + /* current one. Note that we can not do this if the next*/ + /* field is already compressed since it would mess up */ + /* what has already been done. In most cases, this is */ + /* not a problem because the realm to be added will be a */ + /* subrealm of the next field too, and we will catch */ + /* it in a future iteration. */ + + /* Note that the second test here is an unsigned comparison, + so the first half (or a cast) is also required. */ + assert(nlst < 0 || nlst < (int)sizeof(next)); + if ((nlst < 0 || next[nlst] != '.') && + (next[0] != '/') && + (pl = subrealm(exp, realm))) { + added = TRUE; + current[sizeof(current) - 1] = '\0'; + if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strncat(current, ",", sizeof(current) - 1 - strlen(current)); + if (pl > 0) { + strncat(current, realm, (unsigned) pl); + } + else { + strncat(current, realm+strlen(realm)+pl, (unsigned) (-pl)); + } + } - strncpy(prev, exp, sizeof(prev) - 1); - prev[sizeof(prev) - 1] = '\0'; - strncpy(current, next, sizeof(current) - 1); - current[sizeof(current) - 1] = '\0'; - } + /* Whether or not the next field is compressed, if the */ + /* realm to be added is a superrealm of the current realm,*/ + /* then the current realm can be compressed. First the */ + /* realm to be added must be compressed relative to the */ + /* previous realm (if possible), and then the current */ + /* realm compressed relative to the new realm. Note that */ + /* if the realm to be added is also a superrealm of the */ + /* previous realm, it would have been added earlier, and */ + /* we would not reach this step this time around. */ + + else if ((pl = subrealm(realm, exp))) { + added = TRUE; + current[0] = '\0'; + if ((pl1 = subrealm(prev,realm))) { + if (strlen(current) + (pl1>0?pl1:-pl1) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + if (pl1 > 0) { + strncat(current, realm, (unsigned) pl1); + } + else { + strncat(current, realm+strlen(realm)+pl1, (unsigned) (-pl1)); + } + } + else { /* If not a subrealm */ + if ((realm[0] == '/') && prev[0]) { + if (strlen(current) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strncat(current, " ", sizeof(current) - 1 - strlen(current)); + current[sizeof(current) - 1] = '\0'; + } + if (strlen(current) + strlen(realm) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strncat(current, realm, sizeof(current) - 1 - strlen(current)); + current[sizeof(current) - 1] = '\0'; + } + if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strncat(current,",", sizeof(current) - 1 - strlen(current)); + current[sizeof(current) - 1] = '\0'; + if (pl > 0) { + strncat(current, exp, (unsigned) pl); + } + else { + strncat(current, exp+strlen(exp)+pl, (unsigned)(-pl)); + } + } + } - if (!added) { - if (new_trans->length != 0) { - if (strlcat(trans, ",", bufsize) >= bufsize) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } - } - if((realm[0] == '/') && trans[0]) { - if (strlcat(trans, " ", bufsize) >= bufsize) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; - } + if (new_trans->length != 0) { + if (strlcat(trans, ",", bufsize) >= bufsize) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + } + if (strlcat(trans, current, bufsize) >= bufsize) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + new_trans->length = strlen(trans); + + strncpy(prev, exp, sizeof(prev) - 1); + prev[sizeof(prev) - 1] = '\0'; + strncpy(current, next, sizeof(current) - 1); + current[sizeof(current) - 1] = '\0'; } - if (strlcat(trans, realm, bufsize) >= bufsize) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - goto fail; + + if (!added) { + if (new_trans->length != 0) { + if (strlcat(trans, ",", bufsize) >= bufsize) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + } + if((realm[0] == '/') && trans[0]) { + if (strlcat(trans, " ", bufsize) >= bufsize) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + } + if (strlcat(trans, realm, bufsize) >= bufsize) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + new_trans->length = strlen(trans); } - new_trans->length = strlen(trans); - } - retval = 0; + retval = 0; fail: - free(realm); - free(otrans_ptr); - return (retval); + free(realm); + free(otrans_ptr); + return (retval); } /* @@ -930,67 +931,67 @@ fail: * Returns a Kerberos protocol error number, which is _not_ the same * as a com_err error number! */ -#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\ - KDC_OPT_VALIDATE | KDC_OPT_RENEW | \ - KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT) +#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY | \ + KDC_OPT_VALIDATE | KDC_OPT_RENEW | \ + KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT) int validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, - krb5_db_entry server, krb5_timestamp kdc_time, - const char **status, krb5_data *e_data) + krb5_db_entry server, krb5_timestamp kdc_time, + const char **status, krb5_data *e_data) { - int errcode; - + int errcode; + /* * If an option is set that is only allowed in TGS requests, complain. */ if (request->kdc_options & AS_INVALID_OPTIONS) { - *status = "INVALID AS OPTIONS"; - return KDC_ERR_BADOPTION; + *status = "INVALID AS OPTIONS"; + return KDC_ERR_BADOPTION; } /* The client must not be expired */ if (client.expiration && client.expiration < kdc_time) { - *status = "CLIENT EXPIRED"; - if (vague_errors) - return(KRB_ERR_GENERIC); - else - return(KDC_ERR_NAME_EXP); + *status = "CLIENT EXPIRED"; + if (vague_errors) + return(KRB_ERR_GENERIC); + else + return(KDC_ERR_NAME_EXP); } /* The client's password must not be expired, unless the server is - a KRB5_KDC_PWCHANGE_SERVICE. */ + a KRB5_KDC_PWCHANGE_SERVICE. */ if (client.pw_expiration && client.pw_expiration < kdc_time && - !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { - *status = "CLIENT KEY EXPIRED"; - if (vague_errors) - return(KRB_ERR_GENERIC); - else - return(KDC_ERR_KEY_EXP); + !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { + *status = "CLIENT KEY EXPIRED"; + if (vague_errors) + return(KRB_ERR_GENERIC); + else + return(KDC_ERR_KEY_EXP); } /* The server must not be expired */ if (server.expiration && server.expiration < kdc_time) { - *status = "SERVICE EXPIRED"; - return(KDC_ERR_SERVICE_EXP); + *status = "SERVICE EXPIRED"; + return(KDC_ERR_SERVICE_EXP); } /* - * If the client requires password changing, then only allow the + * If the client requires password changing, then only allow the * pwchange service. */ if (isflagset(client.attributes, KRB5_KDB_REQUIRES_PWCHANGE) && - !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { - *status = "REQUIRED PWCHANGE"; - return(KDC_ERR_KEY_EXP); + !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { + *status = "REQUIRED PWCHANGE"; + return(KDC_ERR_KEY_EXP); } /* Client and server must allow postdating tickets */ if ((isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE) || - isflagset(request->kdc_options, KDC_OPT_POSTDATED)) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_POSTDATED) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED))) { - *status = "POSTDATE NOT ALLOWED"; - return(KDC_ERR_CANNOT_POSTDATE); + isflagset(request->kdc_options, KDC_OPT_POSTDATED)) && + (isflagset(client.attributes, KRB5_KDB_DISALLOW_POSTDATED) || + isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED))) { + *status = "POSTDATE NOT ALLOWED"; + return(KDC_ERR_CANNOT_POSTDATE); } /* @@ -999,86 +1000,86 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client, * * - KDC_OPT_FORWARDABLE is set in KDCOptions but local * policy has KRB5_KDB_DISALLOW_FORWARDABLE set for the - * client, and; + * client, and; * - KRB5_KDB_REQUIRES_PRE_AUTH is set for the client but - * preauthentication data is absent in the request. + * preauthentication data is absent in the request. * * Hence, this check most be done after the check for preauth * data, and is now performed by validate_forwardable() (the * contents of which were previously below). */ - + /* Client and server must allow renewable tickets */ if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE))) { - *status = "RENEWABLE NOT ALLOWED"; - return(KDC_ERR_POLICY); + (isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) || + isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE))) { + *status = "RENEWABLE NOT ALLOWED"; + return(KDC_ERR_POLICY); } - + /* Client and server must allow proxiable tickets */ if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE))) { - *status = "PROXIABLE NOT ALLOWED"; - return(KDC_ERR_POLICY); + (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) || + isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE))) { + *status = "PROXIABLE NOT ALLOWED"; + return(KDC_ERR_POLICY); } - + /* Check to see if client is locked out */ if (isflagset(client.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { - *status = "CLIENT LOCKED OUT"; - return(KDC_ERR_CLIENT_REVOKED); + *status = "CLIENT LOCKED OUT"; + return(KDC_ERR_CLIENT_REVOKED); } /* Check to see if server is locked out */ if (isflagset(server.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { - *status = "SERVICE LOCKED OUT"; - return(KDC_ERR_S_PRINCIPAL_UNKNOWN); + *status = "SERVICE LOCKED OUT"; + return(KDC_ERR_S_PRINCIPAL_UNKNOWN); } - + /* Check to see if server is allowed to be a service */ if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) { - *status = "SERVICE NOT ALLOWED"; - return(KDC_ERR_MUST_USE_USER2USER); + *status = "SERVICE NOT ALLOWED"; + return(KDC_ERR_MUST_USE_USER2USER); } /* * Check against local policy */ errcode = against_local_policy_as(request, client, server, - kdc_time, status, e_data); + kdc_time, status, e_data); if (errcode) - return errcode; + return errcode; return 0; } int validate_forwardable(krb5_kdc_req *request, krb5_db_entry client, - krb5_db_entry server, krb5_timestamp kdc_time, - const char **status) + krb5_db_entry server, krb5_timestamp kdc_time, + const char **status) { *status = NULL; if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) && - (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) || - isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) { - *status = "FORWARDABLE NOT ALLOWED"; - return(KDC_ERR_POLICY); + (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) || + isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) { + *status = "FORWARDABLE NOT ALLOWED"; + return(KDC_ERR_POLICY); } else - return 0; + return 0; } -#define ASN1_ID_CLASS (0xc0) +#define ASN1_ID_CLASS (0xc0) #define ASN1_ID_TYPE (0x20) -#define ASN1_ID_TAG (0x1f) -#define ASN1_CLASS_UNIV (0) -#define ASN1_CLASS_APP (1) -#define ASN1_CLASS_CTX (2) -#define ASN1_CLASS_PRIV (3) -#define asn1_id_constructed(x) (x & ASN1_ID_TYPE) -#define asn1_id_primitive(x) (!asn1_id_constructed(x)) -#define asn1_id_class(x) ((x & ASN1_ID_CLASS) >> 6) -#define asn1_id_tag(x) (x & ASN1_ID_TAG) +#define ASN1_ID_TAG (0x1f) +#define ASN1_CLASS_UNIV (0) +#define ASN1_CLASS_APP (1) +#define ASN1_CLASS_CTX (2) +#define ASN1_CLASS_PRIV (3) +#define asn1_id_constructed(x) (x & ASN1_ID_TYPE) +#define asn1_id_primitive(x) (!asn1_id_constructed(x)) +#define asn1_id_class(x) ((x & ASN1_ID_CLASS) >> 6) +#define asn1_id_tag(x) (x & ASN1_ID_TAG) /* * asn1length - return encoded length of value. @@ -1091,42 +1092,42 @@ validate_forwardable(krb5_kdc_req *request, krb5_db_entry client, static int asn1length(unsigned char **astream) { - int length; /* resulting length */ - int sublen; /* sublengths */ - int blen; /* bytes of length */ - unsigned char *p; /* substring searching */ + int length; /* resulting length */ + int sublen; /* sublengths */ + int blen; /* bytes of length */ + unsigned char *p; /* substring searching */ if (**astream & 0x80) { blen = **astream & 0x7f; - if (blen > 3) { - return(-1); - } - for (++*astream, length = 0; blen; ++*astream, blen--) { - length = (length << 8) | **astream; - } - if (length == 0) { - /* indefinite length, figure out by hand */ - p = *astream; - p++; - while (1) { - /* compute value length. */ - if ((sublen = asn1length(&p)) < 0) { - return(-1); - } - p += sublen; + if (blen > 3) { + return(-1); + } + for (++*astream, length = 0; blen; ++*astream, blen--) { + length = (length << 8) | **astream; + } + if (length == 0) { + /* indefinite length, figure out by hand */ + p = *astream; + p++; + while (1) { + /* compute value length. */ + if ((sublen = asn1length(&p)) < 0) { + return(-1); + } + p += sublen; /* check for termination */ - if ((!*p++) && (!*p)) { - p++; - break; - } - } - length = p - *astream; - } + if ((!*p++) && (!*p)) { + p++; + break; + } + } + length = p - *astream; + } } else { - length = **astream; - ++*astream; - } - return(length); + length = **astream; + ++*astream; + } + return(length); } /* @@ -1135,81 +1136,81 @@ asn1length(unsigned char **astream) * this routine is passed a context-dependent tag number and "level" and returns * the size and length of the corresponding level subfield. * - * levels and are numbered starting from 1. + * levels and are numbered starting from 1. * * returns 0 on success, -1 otherwise. */ int fetch_asn1_field(unsigned char *astream, unsigned int level, - unsigned int field, krb5_data *data) + unsigned int field, krb5_data *data) { - unsigned char *estream; /* end of stream */ - int classes; /* # classes seen so far this level */ - unsigned int levels = 0; /* levels seen so far */ + unsigned char *estream; /* end of stream */ + int classes; /* # classes seen so far this level */ + unsigned int levels = 0; /* levels seen so far */ int lastlevel = 1000; /* last level seen */ - int length; /* various lengths */ - int tag; /* tag number */ + int length; /* various lengths */ + int tag; /* tag number */ unsigned char savelen; /* saved length of our field */ classes = -1; - /* we assume that the first identifier/length will tell us + /* we assume that the first identifier/length will tell us how long the entire stream is. */ astream++; estream = astream; if ((length = asn1length(&astream)) < 0) { - return(-1); + return(-1); } estream += length; /* search down the stream, checking identifiers. we process identifiers until we hit the "level" we want, and then process that level for our subfield, always making sure we don't go off the end of the stream. */ while (astream < estream) { - if (!asn1_id_constructed(*astream)) { - return(-1); - } + if (!asn1_id_constructed(*astream)) { + return(-1); + } if (asn1_id_class(*astream) == ASN1_CLASS_CTX) { if ((tag = (int)asn1_id_tag(*astream)) <= lastlevel) { levels++; classes = -1; } - lastlevel = tag; + lastlevel = tag; if (levels == level) { - /* in our context-dependent class, is this the one we're looking for ? */ - if (tag == (int)field) { - /* return length and data */ - astream++; - savelen = *astream; - if ((data->length = asn1length(&astream)) < 0) { - return(-1); - } - /* if the field length is indefinite, we will have to subtract two + /* in our context-dependent class, is this the one we're looking for ? */ + if (tag == (int)field) { + /* return length and data */ + astream++; + savelen = *astream; + if ((data->length = asn1length(&astream)) < 0) { + return(-1); + } + /* if the field length is indefinite, we will have to subtract two (terminating octets) from the length returned since we don't want to pass any info from the "wrapper" back. asn1length will always return - the *total* length of the field, not just what's contained in it */ - if ((savelen & 0xff) == 0x80) { - data->length -=2 ; - } - data->data = (char *)astream; - return(0); - } else if (tag <= classes) { - /* we've seen this class before, something must be wrong */ - return(-1); - } else { - classes = tag; - } - } + the *total* length of the field, not just what's contained in it */ + if ((savelen & 0xff) == 0x80) { + data->length -=2 ; + } + data->data = (char *)astream; + return(0); + } else if (tag <= classes) { + /* we've seen this class before, something must be wrong */ + return(-1); + } else { + classes = tag; + } + } } /* if we're not on our level yet, process this value. otherwise skip over it */ - astream++; - if ((length = asn1length(&astream)) < 0) { - return(-1); - } - if (levels == level) { - astream += length; - } + astream++; + if ((length = asn1length(&astream)) < 0) { + return(-1); + } + if (levels == level) { + astream += length; + } } return(-1); -} +} /* * Routines that validate a TGS request; checks a lot of things. :-) @@ -1217,22 +1218,22 @@ fetch_asn1_field(unsigned char *astream, unsigned int level, * Returns a Kerberos protocol error number, which is _not_ the same * as a com_err error number! */ -#define TGS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_FORWARDED | \ - KDC_OPT_PROXIABLE | KDC_OPT_PROXY | \ - KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \ - KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK | \ - KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \ - KDC_OPT_VALIDATE | KDC_OPT_CANONICALIZE | KDC_OPT_CNAME_IN_ADDL_TKT) +#define TGS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_FORWARDED | \ + KDC_OPT_PROXIABLE | KDC_OPT_PROXY | \ + KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \ + KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK | \ + KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \ + KDC_OPT_VALIDATE | KDC_OPT_CANONICALIZE | KDC_OPT_CNAME_IN_ADDL_TKT) #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \ - KDC_OPT_VALIDATE) + KDC_OPT_VALIDATE) int validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, - krb5_ticket *ticket, krb5_timestamp kdc_time, - const char **status, krb5_data *e_data) + krb5_ticket *ticket, krb5_timestamp kdc_time, + const char **status, krb5_data *e_data) { - int errcode; - int st_idx = 0; + int errcode; + int st_idx = 0; /* * If an illegal option is set, ignore it. @@ -1241,8 +1242,8 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, /* Check to see if server has expired */ if (server.expiration && server.expiration < kdc_time) { - *status = "SERVICE EXPIRED"; - return(KDC_ERR_SERVICE_EXP); + *status = "SERVICE EXPIRED"; + return(KDC_ERR_SERVICE_EXP); } /* @@ -1251,172 +1252,172 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, * originally requested) */ if (request->kdc_options & NO_TGT_OPTION) { - if (!krb5_principal_compare(kdc_context, ticket->server, request->server)) { - *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; - return(KDC_ERR_SERVER_NOMATCH); - } + if (!krb5_principal_compare(kdc_context, ticket->server, request->server)) { + *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; + return(KDC_ERR_SERVER_NOMATCH); + } } else { - /* - * OK, we need to validate the krbtgt service in the ticket. - * - * The krbtgt service is of the form: - * krbtgt/realm-A@realm-B - * - * Realm A is the "server realm"; the realm of the - * server of the requested ticket must match this realm. - * Of course, it should be a realm serviced by this KDC. - * - * Realm B is the "client realm"; this is what should be - * added to the transited field. (which is done elsewhere) - */ - - /* Make sure there are two components... */ - if (krb5_princ_size(kdc_context, ticket->server) != 2) { - *status = "BAD TGS SERVER LENGTH"; - return KRB_AP_ERR_NOT_US; - } - /* ...that the first component is krbtgt... */ - if (!krb5_is_tgs_principal(ticket->server)) { - *status = "BAD TGS SERVER NAME"; - return KRB_AP_ERR_NOT_US; - } - /* ...and that the second component matches the server realm... */ - if ((krb5_princ_size(kdc_context, ticket->server) <= 1) || - !data_eq(*krb5_princ_component(kdc_context, ticket->server, 1), - *krb5_princ_realm(kdc_context, request->server))) { - *status = "BAD TGS SERVER INSTANCE"; - return KRB_AP_ERR_NOT_US; - } - /* XXX add check that second component must match locally - * supported realm? - */ - - /* Server must allow TGS based issuances */ - if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { - *status = "TGT BASED NOT ALLOWED"; - return(KDC_ERR_POLICY); - } - } - + /* + * OK, we need to validate the krbtgt service in the ticket. + * + * The krbtgt service is of the form: + * krbtgt/realm-A@realm-B + * + * Realm A is the "server realm"; the realm of the + * server of the requested ticket must match this realm. + * Of course, it should be a realm serviced by this KDC. + * + * Realm B is the "client realm"; this is what should be + * added to the transited field. (which is done elsewhere) + */ + + /* Make sure there are two components... */ + if (krb5_princ_size(kdc_context, ticket->server) != 2) { + *status = "BAD TGS SERVER LENGTH"; + return KRB_AP_ERR_NOT_US; + } + /* ...that the first component is krbtgt... */ + if (!krb5_is_tgs_principal(ticket->server)) { + *status = "BAD TGS SERVER NAME"; + return KRB_AP_ERR_NOT_US; + } + /* ...and that the second component matches the server realm... */ + if ((krb5_princ_size(kdc_context, ticket->server) <= 1) || + !data_eq(*krb5_princ_component(kdc_context, ticket->server, 1), + *krb5_princ_realm(kdc_context, request->server))) { + *status = "BAD TGS SERVER INSTANCE"; + return KRB_AP_ERR_NOT_US; + } + /* XXX add check that second component must match locally + * supported realm? + */ + + /* Server must allow TGS based issuances */ + if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) { + *status = "TGT BASED NOT ALLOWED"; + return(KDC_ERR_POLICY); + } + } + /* TGS must be forwardable to get forwarded or forwardable ticket */ if ((isflagset(request->kdc_options, KDC_OPT_FORWARDED) || - isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) && - !isflagset(ticket->enc_part2->flags, TKT_FLG_FORWARDABLE)) { - *status = "TGT NOT FORWARDABLE"; + isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) && + !isflagset(ticket->enc_part2->flags, TKT_FLG_FORWARDABLE)) { + *status = "TGT NOT FORWARDABLE"; - return KDC_ERR_BADOPTION; + return KDC_ERR_BADOPTION; } - /* TGS must be proxiable to get proxiable ticket */ + /* TGS must be proxiable to get proxiable ticket */ if ((isflagset(request->kdc_options, KDC_OPT_PROXY) || - isflagset(request->kdc_options, KDC_OPT_PROXIABLE)) && - !isflagset(ticket->enc_part2->flags, TKT_FLG_PROXIABLE)) { - *status = "TGT NOT PROXIABLE"; - return KDC_ERR_BADOPTION; + isflagset(request->kdc_options, KDC_OPT_PROXIABLE)) && + !isflagset(ticket->enc_part2->flags, TKT_FLG_PROXIABLE)) { + *status = "TGT NOT PROXIABLE"; + return KDC_ERR_BADOPTION; } /* TGS must allow postdating to get postdated ticket */ if ((isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE) || - isflagset(request->kdc_options, KDC_OPT_POSTDATED)) && - !isflagset(ticket->enc_part2->flags, TKT_FLG_MAY_POSTDATE)) { - *status = "TGT NOT POSTDATABLE"; - return KDC_ERR_BADOPTION; + isflagset(request->kdc_options, KDC_OPT_POSTDATED)) && + !isflagset(ticket->enc_part2->flags, TKT_FLG_MAY_POSTDATE)) { + *status = "TGT NOT POSTDATABLE"; + return KDC_ERR_BADOPTION; } /* can only validate invalid tix */ if (isflagset(request->kdc_options, KDC_OPT_VALIDATE) && - !isflagset(ticket->enc_part2->flags, TKT_FLG_INVALID)) { - *status = "VALIDATE VALID TICKET"; - return KDC_ERR_BADOPTION; + !isflagset(ticket->enc_part2->flags, TKT_FLG_INVALID)) { + *status = "VALIDATE VALID TICKET"; + return KDC_ERR_BADOPTION; } /* can only renew renewable tix */ if ((isflagset(request->kdc_options, KDC_OPT_RENEW) || - isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) && - !isflagset(ticket->enc_part2->flags, TKT_FLG_RENEWABLE)) { - *status = "TICKET NOT RENEWABLE"; - return KDC_ERR_BADOPTION; + isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) && + !isflagset(ticket->enc_part2->flags, TKT_FLG_RENEWABLE)) { + *status = "TICKET NOT RENEWABLE"; + return KDC_ERR_BADOPTION; } /* can not proxy ticket granting tickets */ if (isflagset(request->kdc_options, KDC_OPT_PROXY) && - (!request->server->data || - !data_eq_string(request->server->data[0], KRB5_TGS_NAME))) { - *status = "CAN'T PROXY TGT"; - return KDC_ERR_BADOPTION; + (!request->server->data || + !data_eq_string(request->server->data[0], KRB5_TGS_NAME))) { + *status = "CAN'T PROXY TGT"; + return KDC_ERR_BADOPTION; } - + /* Server must allow forwardable tickets */ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) { - *status = "NON-FORWARDABLE TICKET"; - return(KDC_ERR_POLICY); + isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) { + *status = "NON-FORWARDABLE TICKET"; + return(KDC_ERR_POLICY); } - + /* Server must allow renewable tickets */ if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE)) { - *status = "NON-RENEWABLE TICKET"; - return(KDC_ERR_POLICY); + isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE)) { + *status = "NON-RENEWABLE TICKET"; + return(KDC_ERR_POLICY); } - + /* Server must allow proxiable tickets */ if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE)) { - *status = "NON-PROXIABLE TICKET"; - return(KDC_ERR_POLICY); + isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE)) { + *status = "NON-PROXIABLE TICKET"; + return(KDC_ERR_POLICY); } - + /* Server must allow postdated tickets */ if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED)) { - *status = "NON-POSTDATABLE TICKET"; - return(KDC_ERR_CANNOT_POSTDATE); + isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED)) { + *status = "NON-POSTDATABLE TICKET"; + return(KDC_ERR_CANNOT_POSTDATE); } - + /* Server must allow DUP SKEY requests */ if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) && - isflagset(server.attributes, KRB5_KDB_DISALLOW_DUP_SKEY)) { - *status = "DUP_SKEY DISALLOWED"; - return(KDC_ERR_POLICY); + isflagset(server.attributes, KRB5_KDB_DISALLOW_DUP_SKEY)) { + *status = "DUP_SKEY DISALLOWED"; + return(KDC_ERR_POLICY); } /* Server must not be locked out */ if (isflagset(server.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { - *status = "SERVER LOCKED OUT"; - return(KDC_ERR_S_PRINCIPAL_UNKNOWN); + *status = "SERVER LOCKED OUT"; + return(KDC_ERR_S_PRINCIPAL_UNKNOWN); } - + /* Server must be allowed to be a service */ if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) { - *status = "SERVER NOT ALLOWED"; - return(KDC_ERR_MUST_USE_USER2USER); + *status = "SERVER NOT ALLOWED"; + return(KDC_ERR_MUST_USE_USER2USER); } /* Check the hot list */ if (check_hot_list(ticket)) { - *status = "HOT_LIST"; - return(KRB_AP_ERR_REPEAT); + *status = "HOT_LIST"; + return(KRB_AP_ERR_REPEAT); } - + /* Check the start time vs. the KDC time */ if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) { - if (ticket->enc_part2->times.starttime > kdc_time) { - *status = "NOT_YET_VALID"; - return(KRB_AP_ERR_TKT_NYV); - } + if (ticket->enc_part2->times.starttime > kdc_time) { + *status = "NOT_YET_VALID"; + return(KRB_AP_ERR_TKT_NYV); + } } - + /* * Check the renew_till time. The endtime was already * been checked in the initial authentication check. */ if (isflagset(request->kdc_options, KDC_OPT_RENEW) && - (ticket->enc_part2->times.renew_till < kdc_time)) { - *status = "TKT_EXPIRED"; - return(KRB_AP_ERR_TKT_EXPIRED); + (ticket->enc_part2->times.renew_till < kdc_time)) { + *status = "TKT_EXPIRED"; + return(KRB_AP_ERR_TKT_EXPIRED); } - + /* * Checks for ENC_TKT_IN_SKEY: * @@ -1424,50 +1425,50 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, * (2) Make sure it is a ticket granting ticket */ if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { - if (!request->second_ticket || - !request->second_ticket[st_idx]) { - *status = "NO_2ND_TKT"; - return(KDC_ERR_BADOPTION); - } - if (!krb5_principal_compare(kdc_context, request->second_ticket[st_idx]->server, - tgs_server)) { - *status = "2ND_TKT_NOT_TGS"; - return(KDC_ERR_POLICY); - } - st_idx++; + if (!request->second_ticket || + !request->second_ticket[st_idx]) { + *status = "NO_2ND_TKT"; + return(KDC_ERR_BADOPTION); + } + if (!krb5_principal_compare(kdc_context, request->second_ticket[st_idx]->server, + tgs_server)) { + *status = "2ND_TKT_NOT_TGS"; + return(KDC_ERR_POLICY); + } + st_idx++; } if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) { - if (!request->second_ticket || - !request->second_ticket[st_idx]) { - *status = "NO_2ND_TKT"; - return(KDC_ERR_BADOPTION); - } - st_idx++; + if (!request->second_ticket || + !request->second_ticket[st_idx]) { + *status = "NO_2ND_TKT"; + return(KDC_ERR_BADOPTION); + } + st_idx++; } /* Check for hardware preauthentication */ if (isflagset(server.attributes, KRB5_KDB_REQUIRES_HW_AUTH) && - !isflagset(ticket->enc_part2->flags,TKT_FLG_HW_AUTH)) { - *status = "NO HW PREAUTH"; - return KRB_ERR_GENERIC; + !isflagset(ticket->enc_part2->flags,TKT_FLG_HW_AUTH)) { + *status = "NO HW PREAUTH"; + return KRB_ERR_GENERIC; } /* Check for any kind of preauthentication */ if (isflagset(server.attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && - !isflagset(ticket->enc_part2->flags, TKT_FLG_PRE_AUTH)) { - *status = "NO PREAUTH"; - return KRB_ERR_GENERIC; + !isflagset(ticket->enc_part2->flags, TKT_FLG_PRE_AUTH)) { + *status = "NO PREAUTH"; + return KRB_ERR_GENERIC; } - + /* * Check local policy */ errcode = against_local_policy_tgs(request, server, ticket, - status, e_data); + status, e_data); if (errcode) - return errcode; - - + return errcode; + + return 0; } @@ -1477,17 +1478,17 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, */ int dbentry_has_key_for_enctype(krb5_context context, krb5_db_entry *client, - krb5_enctype enctype) + krb5_enctype enctype) { - krb5_error_code retval; - krb5_key_data *datap; + krb5_error_code retval; + krb5_key_data *datap; retval = krb5_dbe_find_enctype(context, client, enctype, - -1, 0, &datap); + -1, 0, &datap); if (retval) - return 0; + return 0; else - return 1; + return 1; } /* @@ -1501,7 +1502,7 @@ dbentry_has_key_for_enctype(krb5_context context, krb5_db_entry *client, */ int dbentry_supports_enctype(krb5_context context, krb5_db_entry *client, - krb5_enctype enctype) + krb5_enctype enctype) { /* * If it's DES_CBC_MD5, there's a bit in the attribute mask which @@ -1512,14 +1513,14 @@ dbentry_supports_enctype(krb5_context context, krb5_db_entry *client, * that's not the reality.... */ if (enctype == ENCTYPE_DES_CBC_MD5) - return 0; + return 0; /* * XXX we assume everything can understand DES_CBC_CRC */ if (enctype == ENCTYPE_DES_CBC_CRC) - return 1; - + return 1; + /* * If we have a key for the encryption system, we assume it's * supported. @@ -1534,19 +1535,19 @@ dbentry_supports_enctype(krb5_context context, krb5_db_entry *client, */ krb5_enctype select_session_keytype(krb5_context context, krb5_db_entry *server, - int nktypes, krb5_enctype *ktype) + int nktypes, krb5_enctype *ktype) { - int i; - + int i; + for (i = 0; i < nktypes; i++) { - if (!krb5_c_valid_enctype(ktype[i])) - continue; + if (!krb5_c_valid_enctype(ktype[i])) + continue; - if (!krb5_is_permitted_enctype(context, ktype[i])) - continue; + if (!krb5_is_permitted_enctype(context, ktype[i])) + continue; - if (dbentry_supports_enctype(context, server, ktype[i])) - return ktype[i]; + if (dbentry_supports_enctype(context, server, ktype[i])) + return ktype[i]; } return 0; } @@ -1556,53 +1557,53 @@ select_session_keytype(krb5_context context, krb5_db_entry *server, */ krb5_error_code get_salt_from_key(krb5_context context, krb5_principal client, - krb5_key_data *client_key, krb5_data *salt) + krb5_key_data *client_key, krb5_data *salt) { - krb5_error_code retval; - krb5_data * realm; - + krb5_error_code retval; + krb5_data * realm; + salt->data = 0; salt->length = SALT_TYPE_NO_LENGTH; - + if (client_key->key_data_ver == 1) - return 0; + return 0; switch (client_key->key_data_type[1]) { case KRB5_KDB_SALTTYPE_NORMAL: - /* - * The client could infer the salt from the principal, but - * might use the wrong principal name if this is an alias. So - * it's more reliable to send an explicit salt. - */ - if ((retval = krb5_principal2salt(context, client, salt))) - return retval; - break; + /* + * The client could infer the salt from the principal, but + * might use the wrong principal name if this is an alias. So + * it's more reliable to send an explicit salt. + */ + if ((retval = krb5_principal2salt(context, client, salt))) + return retval; + break; case KRB5_KDB_SALTTYPE_V4: - /* send an empty (V4) salt */ - salt->data = 0; - salt->length = 0; - break; + /* send an empty (V4) salt */ + salt->data = 0; + salt->length = 0; + break; case KRB5_KDB_SALTTYPE_NOREALM: - if ((retval = krb5_principal2salt_norealm(context, client, salt))) - return retval; - break; + if ((retval = krb5_principal2salt_norealm(context, client, salt))) + return retval; + break; case KRB5_KDB_SALTTYPE_AFS3: - /* send the same salt as with onlyrealm - but with no type info, - we just hope they figure it out on the other end. */ - /* fall through to onlyrealm: */ + /* send the same salt as with onlyrealm - but with no type info, + we just hope they figure it out on the other end. */ + /* fall through to onlyrealm: */ case KRB5_KDB_SALTTYPE_ONLYREALM: - realm = krb5_princ_realm(context, client); - salt->length = realm->length; - if ((salt->data = malloc(realm->length)) == NULL) - return ENOMEM; - memcpy(salt->data, realm->data, realm->length); - break; + realm = krb5_princ_realm(context, client); + salt->length = realm->length; + if ((salt->data = malloc(realm->length)) == NULL) + return ENOMEM; + memcpy(salt->data, realm->data, realm->length); + break; case KRB5_KDB_SALTTYPE_SPECIAL: - salt->length = client_key->key_data_length[1]; - if ((salt->data = malloc(salt->length)) == NULL) - return ENOMEM; - memcpy(salt->data, client_key->key_data_contents[1], salt->length); - break; + salt->length = client_key->key_data_length[1]; + if ((salt->data = malloc(salt->length)) == NULL) + return ENOMEM; + memcpy(salt->data, client_key->key_data_contents[1], salt->length); + break; } return 0; } @@ -1615,20 +1616,20 @@ get_salt_from_key(krb5_context context, krb5_principal client, void limit_string(char *name) { - int i; + int i; - if (!name) - return; + if (!name) + return; - if (strlen(name) < NAME_LENGTH_LIMIT) - return; + if (strlen(name) < NAME_LENGTH_LIMIT) + return; - i = NAME_LENGTH_LIMIT-4; - name[i++] = '.'; - name[i++] = '.'; - name[i++] = '.'; - name[i] = '\0'; - return; + i = NAME_LENGTH_LIMIT-4; + name[i++] = '.'; + name[i++] = '.'; + name[i++] = '.'; + name[i] = '\0'; + return; } /* @@ -1650,32 +1651,32 @@ ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype) char *p; if (nktypes < 0 - || len < (sizeof(" etypes {...}") + D_LEN(int))) { - *s = '\0'; - return; + || len < (sizeof(" etypes {...}") + D_LEN(int))) { + *s = '\0'; + return; } snprintf(s, len, "%d etypes {", nktypes); for (i = 0; i < nktypes; i++) { - snprintf(stmp, sizeof(stmp), "%s%ld", i ? " " : "", (long)ktype[i]); - if (strlen(s) + strlen(stmp) + sizeof("}") > len) - break; - strlcat(s, stmp, len); + snprintf(stmp, sizeof(stmp), "%s%ld", i ? " " : "", (long)ktype[i]); + if (strlen(s) + strlen(stmp) + sizeof("}") > len) + break; + strlcat(s, stmp, len); } if (i < nktypes) { - /* - * We broke out of the loop. Try to truncate the list. - */ - p = s + strlen(s); - while (p - s + sizeof("...}") > len) { - while (p > s && *p != ' ' && *p != '{') - *p-- = '\0'; - if (p > s && *p == ' ') { - *p-- = '\0'; - continue; - } - } - strlcat(s, "...", len); + /* + * We broke out of the loop. Try to truncate the list. + */ + p = s + strlen(s); + while (p - s + sizeof("...}") > len) { + while (p > s && *p != ' ' && *p != '{') + *p-- = '\0'; + if (p > s && *p == ' ') { + *p-- = '\0'; + continue; + } + } + strlcat(s, "...", len); } strlcat(s, "}", len); return; @@ -1687,25 +1688,25 @@ rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep) char stmp[sizeof("ses=") + D_LEN(krb5_enctype)]; if (len < (3 * D_LEN(krb5_enctype) - + sizeof("etypes {rep= tkt= ses=}"))) { - *s = '\0'; - return; + + sizeof("etypes {rep= tkt= ses=}"))) { + *s = '\0'; + return; } snprintf(s, len, "etypes {rep=%ld", (long)rep->enc_part.enctype); if (rep->ticket != NULL) { - snprintf(stmp, sizeof(stmp), - " tkt=%ld", (long)rep->ticket->enc_part.enctype); - strlcat(s, stmp, len); + snprintf(stmp, sizeof(stmp), + " tkt=%ld", (long)rep->ticket->enc_part.enctype); + strlcat(s, stmp, len); } if (rep->ticket != NULL - && rep->ticket->enc_part2 != NULL - && rep->ticket->enc_part2->session != NULL) { - snprintf(stmp, sizeof(stmp), " ses=%ld", - (long)rep->ticket->enc_part2->session->enctype); - strlcat(s, stmp, len); + && rep->ticket->enc_part2 != NULL + && rep->ticket->enc_part2->session != NULL) { + snprintf(stmp, sizeof(stmp), " ses=%ld", + (long)rep->ticket->enc_part2->session->enctype); + strlcat(s, stmp, len); } strlcat(s, "}", len); return; @@ -1713,40 +1714,40 @@ rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep) krb5_error_code get_principal_locked (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, - krb5_boolean *more) + krb5_const_principal search_for, + krb5_db_entry *entries, int *nentries, + krb5_boolean *more) { return krb5_db_get_principal (kcontext, search_for, entries, nentries, - more); + more); } krb5_error_code get_principal (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, krb5_boolean *more) + krb5_const_principal search_for, + krb5_db_entry *entries, int *nentries, krb5_boolean *more) { /* Eventually this will be used to manage locking while looking up principals in the database. */ return get_principal_locked (kcontext, search_for, entries, nentries, - more); + more); } krb5_error_code sign_db_authdata (krb5_context context, - unsigned int flags, - krb5_const_principal client_princ, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgs_authdata, - krb5_keyblock *session_key, - krb5_authdata ***ret_authdata) + unsigned int flags, + krb5_const_principal client_princ, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_timestamp authtime, + krb5_authdata **tgs_authdata, + krb5_keyblock *session_key, + krb5_authdata ***ret_authdata) { krb5_error_code code; kdb_sign_auth_data_req req; @@ -1759,17 +1760,17 @@ sign_db_authdata (krb5_context context, memset(&req, 0, sizeof(req)); memset(&rep, 0, sizeof(rep)); - req.flags = flags; - req.client_princ = client_princ; - req.client = client; - req.server = server; - req.krbtgt = krbtgt; - req.client_key = client_key; - req.server_key = server_key; - req.authtime = authtime; - req.auth_data = tgs_authdata; - req.session_key = session_key; - req.krbtgt_key = krbtgt_key; + req.flags = flags; + req.client_princ = client_princ; + req.client = client; + req.server = server; + req.krbtgt = krbtgt; + req.client_key = client_key; + req.server_key = server_key; + req.authtime = authtime; + req.auth_data = tgs_authdata; + req.session_key = session_key; + req.krbtgt_key = krbtgt_key; req_data.data = (void *)&req; req_data.length = sizeof(req); @@ -1778,29 +1779,29 @@ sign_db_authdata (krb5_context context, rep_data.length = sizeof(rep); code = krb5_db_invoke(context, - KRB5_KDB_METHOD_SIGN_AUTH_DATA, - &req_data, - &rep_data); + KRB5_KDB_METHOD_SIGN_AUTH_DATA, + &req_data, + &rep_data); *ret_authdata = rep.auth_data; - + return code; } static krb5_error_code verify_for_user_checksum(krb5_context context, - krb5_keyblock *key, - krb5_pa_for_user *req) + krb5_keyblock *key, + krb5_pa_for_user *req) { - krb5_error_code code; - int i; - krb5_int32 name_type; - char *p; - krb5_data data; - krb5_boolean valid = FALSE; + krb5_error_code code; + int i; + krb5_int32 name_type; + char *p; + krb5_data data; + krb5_boolean valid = FALSE; if (!krb5_c_is_keyed_cksum(req->cksum.checksum_type)) { - return KRB5KRB_AP_ERR_INAPP_CKSUM; + return KRB5KRB_AP_ERR_INAPP_CKSUM; } /* @@ -1809,14 +1810,14 @@ verify_for_user_checksum(krb5_context context, */ data.length = 4; for (i = 0; i < krb5_princ_size(context, req->user); i++) { - data.length += krb5_princ_component(context, req->user, i)->length; + data.length += krb5_princ_component(context, req->user, i)->length; } data.length += krb5_princ_realm(context, req->user)->length; data.length += req->auth_package.length; p = data.data = malloc(data.length); if (data.data == NULL) { - return ENOMEM; + return ENOMEM; } name_type = krb5_princ_type(context, req->user); @@ -1827,27 +1828,27 @@ verify_for_user_checksum(krb5_context context, p += 4; for (i = 0; i < krb5_princ_size(context, req->user); i++) { - memcpy(p, krb5_princ_component(context, req->user, i)->data, - krb5_princ_component(context, req->user, i)->length); - p += krb5_princ_component(context, req->user, i)->length; + memcpy(p, krb5_princ_component(context, req->user, i)->data, + krb5_princ_component(context, req->user, i)->length); + p += krb5_princ_component(context, req->user, i)->length; } memcpy(p, krb5_princ_realm(context, req->user)->data, - krb5_princ_realm(context, req->user)->length); + krb5_princ_realm(context, req->user)->length); p += krb5_princ_realm(context, req->user)->length; memcpy(p, req->auth_package.data, req->auth_package.length); p += req->auth_package.length; code = krb5_c_verify_checksum(context, - key, - KRB5_KEYUSAGE_APP_DATA_CKSUM, - &data, - &req->cksum, - &valid); + key, + KRB5_KEYUSAGE_APP_DATA_CKSUM, + &data, + &req->cksum, + &valid); if (code == 0 && valid == FALSE) - code = KRB5KRB_AP_ERR_MODIFIED; + code = KRB5KRB_AP_ERR_MODIFIED; free(data.data); @@ -1859,33 +1860,33 @@ verify_for_user_checksum(krb5_context context, */ static krb5_error_code kdc_process_for_user(krb5_context context, - krb5_pa_data *pa_data, - krb5_keyblock *tgs_session, - krb5_pa_s4u_x509_user **s4u_x509_user, - const char **status) + krb5_pa_data *pa_data, + krb5_keyblock *tgs_session, + krb5_pa_s4u_x509_user **s4u_x509_user, + const char **status) { - krb5_error_code code; - krb5_pa_for_user *for_user; - krb5_data req_data; + krb5_error_code code; + krb5_pa_for_user *for_user; + krb5_data req_data; req_data.length = pa_data->length; req_data.data = (char *)pa_data->contents; code = decode_krb5_pa_for_user(&req_data, &for_user); if (code) - return code; + return code; code = verify_for_user_checksum(context, tgs_session, for_user); if (code) { - *status = "INVALID_S4U2SELF_CHECKSUM"; - krb5_free_pa_for_user(kdc_context, for_user); - return code; + *status = "INVALID_S4U2SELF_CHECKSUM"; + krb5_free_pa_for_user(kdc_context, for_user); + return code; } *s4u_x509_user = calloc(1, sizeof(krb5_pa_s4u_x509_user)); if (*s4u_x509_user == NULL) { - krb5_free_pa_for_user(kdc_context, for_user); - return ENOMEM; + krb5_free_pa_for_user(kdc_context, for_user); + return ENOMEM; } (*s4u_x509_user)->user_id.user = for_user->user; @@ -1897,21 +1898,21 @@ kdc_process_for_user(krb5_context context, static krb5_error_code verify_s4u_x509_user_checksum(krb5_context context, - krb5_keyblock *key, - krb5_data *req_data, - krb5_int32 kdc_req_nonce, - krb5_pa_s4u_x509_user *req) + krb5_keyblock *key, + krb5_data *req_data, + krb5_int32 kdc_req_nonce, + krb5_pa_s4u_x509_user *req) { - krb5_error_code code; - krb5_data scratch; - krb5_boolean valid = FALSE; + krb5_error_code code; + krb5_data scratch; + krb5_boolean valid = FALSE; if (enctype_requires_etype_info_2(key->enctype) && - !krb5_c_is_keyed_cksum(req->cksum.checksum_type)) - return KRB5KRB_AP_ERR_INAPP_CKSUM; + !krb5_c_is_keyed_cksum(req->cksum.checksum_type)) + return KRB5KRB_AP_ERR_INAPP_CKSUM; if (req->user_id.nonce != kdc_req_nonce) - return KRB5KRB_AP_ERR_MODIFIED; + return KRB5KRB_AP_ERR_MODIFIED; /* * Verify checksum over the encoded userid. If that fails, @@ -1919,35 +1920,35 @@ verify_s4u_x509_user_checksum(krb5_context context, * behaviour in kdc_process_tgs_req(). */ if (fetch_asn1_field((unsigned char *)req_data->data, 1, 0, &scratch) < 0) - return ASN1_PARSE_ERROR; + return ASN1_PARSE_ERROR; code = krb5_c_verify_checksum(context, - key, - KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST, - &scratch, - &req->cksum, - &valid); + key, + KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST, + &scratch, + &req->cksum, + &valid); if (code != 0) - return code; + return code; if (valid == FALSE) { - krb5_data *data; + krb5_data *data; - code = encode_krb5_s4u_userid(&req->user_id, &data); - if (code != 0) - return code; + code = encode_krb5_s4u_userid(&req->user_id, &data); + if (code != 0) + return code; - code = krb5_c_verify_checksum(context, - key, - KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST, - data, - &req->cksum, - &valid); + code = krb5_c_verify_checksum(context, + key, + KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST, + data, + &req->cksum, + &valid); - krb5_free_data(context, data); + krb5_free_data(context, data); - if (code != 0) - return code; + if (code != 0) + return code; } return valid ? 0 : KRB5KRB_AP_ERR_MODIFIED; @@ -1958,42 +1959,42 @@ verify_s4u_x509_user_checksum(krb5_context context, */ static krb5_error_code kdc_process_s4u_x509_user(krb5_context context, - krb5_kdc_req *request, - krb5_pa_data *pa_data, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, - krb5_pa_s4u_x509_user **s4u_x509_user, - const char **status) + krb5_kdc_req *request, + krb5_pa_data *pa_data, + krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, + krb5_pa_s4u_x509_user **s4u_x509_user, + const char **status) { - krb5_error_code code; - krb5_data req_data; + krb5_error_code code; + krb5_data req_data; req_data.length = pa_data->length; req_data.data = (char *)pa_data->contents; code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user); if (code) - return code; + return code; code = verify_s4u_x509_user_checksum(context, - tgs_subkey ? tgs_subkey : - tgs_session, - &req_data, - request->nonce, *s4u_x509_user); + tgs_subkey ? tgs_subkey : + tgs_session, + &req_data, + request->nonce, *s4u_x509_user); if (code) { - *status = "INVALID_S4U2SELF_CHECKSUM"; - krb5_free_pa_s4u_x509_user(context, *s4u_x509_user); - *s4u_x509_user = NULL; - return code; + *status = "INVALID_S4U2SELF_CHECKSUM"; + krb5_free_pa_s4u_x509_user(context, *s4u_x509_user); + *s4u_x509_user = NULL; + return code; } if (krb5_princ_size(context, (*s4u_x509_user)->user_id.user) == 0 || - (*s4u_x509_user)->user_id.subject_cert.length != 0) { - *status = "INVALID_S4U2SELF_REQUEST"; - krb5_free_pa_s4u_x509_user(context, *s4u_x509_user); - *s4u_x509_user = NULL; - return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + (*s4u_x509_user)->user_id.subject_cert.length != 0) { + *status = "INVALID_S4U2SELF_REQUEST"; + krb5_free_pa_s4u_x509_user(context, *s4u_x509_user); + *s4u_x509_user = NULL; + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; } return 0; @@ -2001,25 +2002,25 @@ kdc_process_s4u_x509_user(krb5_context context, krb5_error_code kdc_make_s4u2self_rep(krb5_context context, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, - krb5_pa_s4u_x509_user *req_s4u_user, - krb5_kdc_rep *reply, - krb5_enc_kdc_rep_part *reply_encpart) + krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, + krb5_pa_s4u_x509_user *req_s4u_user, + krb5_kdc_rep *reply, + krb5_enc_kdc_rep_part *reply_encpart) { - krb5_error_code code; - krb5_data *data = NULL; - krb5_pa_s4u_x509_user rep_s4u_user; - krb5_pa_data padata; - krb5_enctype enctype; - krb5_keyusage usage; + krb5_error_code code; + krb5_data *data = NULL; + krb5_pa_s4u_x509_user rep_s4u_user; + krb5_pa_data padata; + krb5_enctype enctype; + krb5_keyusage usage; memset(&rep_s4u_user, 0, sizeof(rep_s4u_user)); rep_s4u_user.user_id.nonce = req_s4u_user->user_id.nonce; rep_s4u_user.user_id.user = req_s4u_user->user_id.user; rep_s4u_user.user_id.options = - req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE; + req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE; code = encode_krb5_s4u_userid(&rep_s4u_user.user_id, &data); if (code != 0) @@ -2031,7 +2032,7 @@ kdc_make_s4u2self_rep(krb5_context context, usage = KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST; code = krb5_c_make_checksum(context, req_s4u_user->cksum.checksum_type, - tgs_subkey != NULL ? tgs_subkey : tgs_session, + tgs_subkey != NULL ? tgs_subkey : tgs_session, usage, data, &rep_s4u_user.cksum); if (code != 0) @@ -2051,15 +2052,15 @@ kdc_make_s4u2self_rep(krb5_context context, code = add_pa_data_element(context, &padata, &reply->padata, FALSE); if (code != 0) - goto cleanup; + goto cleanup; free(data); data = NULL; if (tgs_subkey != NULL) - enctype = tgs_subkey->enctype; + enctype = tgs_subkey->enctype; else - enctype = tgs_session->enctype; + enctype = tgs_session->enctype; /* * Owing to a bug in Windows, unkeyed checksums were used for older @@ -2067,26 +2068,26 @@ kdc_make_s4u2self_rep(krb5_context context, * includes the checksum bytes in the encrypted padata. */ if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) && - enctype_requires_etype_info_2(enctype) == FALSE) { - padata.length = req_s4u_user->cksum.length + - rep_s4u_user.cksum.length; - padata.contents = malloc(padata.length); - if (padata.contents == NULL) { - code = ENOMEM; - goto cleanup; - } - - memcpy(padata.contents, - req_s4u_user->cksum.contents, - req_s4u_user->cksum.length); - memcpy(&padata.contents[req_s4u_user->cksum.length], - rep_s4u_user.cksum.contents, - rep_s4u_user.cksum.length); - - code = add_pa_data_element(context,&padata, - &reply_encpart->enc_padata, FALSE); - if (code != 0) - goto cleanup; + enctype_requires_etype_info_2(enctype) == FALSE) { + padata.length = req_s4u_user->cksum.length + + rep_s4u_user.cksum.length; + padata.contents = malloc(padata.length); + if (padata.contents == NULL) { + code = ENOMEM; + goto cleanup; + } + + memcpy(padata.contents, + req_s4u_user->cksum.contents, + req_s4u_user->cksum.length); + memcpy(&padata.contents[req_s4u_user->cksum.length], + rep_s4u_user.cksum.contents, + rep_s4u_user.cksum.length); + + code = add_pa_data_element(context,&padata, + &reply_encpart->enc_padata, FALSE); + if (code != 0) + goto cleanup; } cleanup: @@ -2102,48 +2103,48 @@ cleanup: */ krb5_error_code kdc_process_s4u2self_req(krb5_context context, - krb5_kdc_req *request, - krb5_const_principal client_princ, - const krb5_db_entry *server, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, - krb5_timestamp kdc_time, - krb5_pa_s4u_x509_user **s4u_x509_user, - krb5_db_entry *princ, - int *nprincs, - const char **status) + krb5_kdc_req *request, + krb5_const_principal client_princ, + const krb5_db_entry *server, + krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, + krb5_timestamp kdc_time, + krb5_pa_s4u_x509_user **s4u_x509_user, + krb5_db_entry *princ, + int *nprincs, + const char **status) { - krb5_error_code code; - krb5_pa_data *pa_data; - krb5_boolean more; - int flags; + krb5_error_code code; + krb5_pa_data *pa_data; + krb5_boolean more; + int flags; *nprincs = 0; memset(princ, 0, sizeof(*princ)); pa_data = find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER); if (pa_data != NULL) { - code = kdc_process_s4u_x509_user(context, - request, - pa_data, - tgs_subkey, - tgs_session, - s4u_x509_user, - status); - if (code != 0) - return code; + code = kdc_process_s4u_x509_user(context, + request, + pa_data, + tgs_subkey, + tgs_session, + s4u_x509_user, + status); + if (code != 0) + return code; } else { - pa_data = find_pa_data(request->padata, KRB5_PADATA_FOR_USER); - if (pa_data != NULL) { - code = kdc_process_for_user(context, - pa_data, - tgs_session, - s4u_x509_user, - status); - if (code != 0) - return code; - } else - return 0; + pa_data = find_pa_data(request->padata, KRB5_PADATA_FOR_USER); + if (pa_data != NULL) { + code = kdc_process_for_user(context, + pa_data, + tgs_session, + s4u_x509_user, + status); + if (code != 0) + return code; + } else + return 0; } /* @@ -2174,23 +2175,23 @@ kdc_process_s4u2self_req(krb5_context context, */ flags = 0; switch (krb5_princ_type(context, request->server)) { - case KRB5_NT_SRV_HST: /* (1) */ - if (krb5_princ_size(context, request->server) == 2) - flags |= KRB5_PRINCIPAL_COMPARE_IGNORE_REALM; - break; - case KRB5_NT_ENTERPRISE_PRINCIPAL: /* (2) */ - flags |= KRB5_PRINCIPAL_COMPARE_ENTERPRISE; - break; - default: /* (3) */ - break; + case KRB5_NT_SRV_HST: /* (1) */ + if (krb5_princ_size(context, request->server) == 2) + flags |= KRB5_PRINCIPAL_COMPARE_IGNORE_REALM; + break; + case KRB5_NT_ENTERPRISE_PRINCIPAL: /* (2) */ + flags |= KRB5_PRINCIPAL_COMPARE_ENTERPRISE; + break; + default: /* (3) */ + break; } if (!krb5_principal_compare_flags(context, - request->server, - client_princ, - flags)) { - *status = "INVALID_S4U2SELF_REQUEST"; - return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error code */ + request->server, + client_princ, + flags)) { + *status = "INVALID_S4U2SELF_REQUEST"; + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error code */ } /* @@ -2202,45 +2203,45 @@ kdc_process_s4u2self_req(krb5_context context, * that is validated previously in validate_tgs_request(). */ if (request->kdc_options & AS_INVALID_OPTIONS) { - *status = "INVALID AS OPTIONS"; - return KRB5KDC_ERR_BADOPTION; + *status = "INVALID AS OPTIONS"; + return KRB5KDC_ERR_BADOPTION; } /* * Do not attempt to lookup principals in foreign realms. */ if (is_local_principal((*s4u_x509_user)->user_id.user)) { - krb5_db_entry no_server; - krb5_data e_data; - - e_data.data = NULL; - *nprincs = 1; - code = krb5_db_get_principal_ext(context, - (*s4u_x509_user)->user_id.user, - KRB5_KDB_FLAG_INCLUDE_PAC, - princ, nprincs, &more); - if (code) { - *status = "LOOKING_UP_S4U2SELF_PRINCIPAL"; - *nprincs = 0; - return code; /* caller can free for_user */ - } - - if (more) { - *status = "NON_UNIQUE_S4U2SELF_PRINCIPAL"; - return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - } else if (*nprincs != 1) { - *status = "UNKNOWN_S4U2SELF_PRINCIPAL"; - return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - } - - memset(&no_server, 0, sizeof(no_server)); - - code = validate_as_request(request, *princ, - no_server, kdc_time, status, &e_data); - if (code) { - krb5_free_data_contents(context, &e_data); - return code; - } + krb5_db_entry no_server; + krb5_data e_data; + + e_data.data = NULL; + *nprincs = 1; + code = krb5_db_get_principal_ext(context, + (*s4u_x509_user)->user_id.user, + KRB5_KDB_FLAG_INCLUDE_PAC, + princ, nprincs, &more); + if (code) { + *status = "LOOKING_UP_S4U2SELF_PRINCIPAL"; + *nprincs = 0; + return code; /* caller can free for_user */ + } + + if (more) { + *status = "NON_UNIQUE_S4U2SELF_PRINCIPAL"; + return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; + } else if (*nprincs != 1) { + *status = "UNKNOWN_S4U2SELF_PRINCIPAL"; + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + } + + memset(&no_server, 0, sizeof(no_server)); + + code = validate_as_request(request, *princ, + no_server, kdc_time, status, &e_data); + if (code) { + krb5_free_data_contents(context, &e_data); + return code; + } } return 0; @@ -2248,23 +2249,23 @@ kdc_process_s4u2self_req(krb5_context context, static krb5_error_code check_allowed_to_delegate_to(krb5_context context, - krb5_const_principal client, - const krb5_db_entry *server, - krb5_const_principal proxy) + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy) { kdb_check_allowed_to_delegate_req req; - krb5_data req_data; - krb5_data rep_data; - krb5_error_code code; + krb5_data req_data; + krb5_data rep_data; + krb5_error_code code; /* Can't get a TGT (otherwise it would be unconstrained delegation) */ if (krb5_is_tgs_principal(proxy)) { - return KRB5KDC_ERR_POLICY; + return KRB5KDC_ERR_POLICY; } /* Must be in same realm */ if (!krb5_realm_compare(context, server->princ, proxy)) { - return KRB5KDC_ERR_POLICY; + return KRB5KDC_ERR_POLICY; } req.server = server; @@ -2278,11 +2279,11 @@ check_allowed_to_delegate_to(krb5_context context, rep_data.length = 0; code = krb5_db_invoke(context, - KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE, - &req_data, - &rep_data); + KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE, + &req_data, + &rep_data); if (code == KRB5_KDB_DBTYPE_NOSUP) { - code = KRB5KDC_ERR_POLICY; + code = KRB5KDC_ERR_POLICY; } assert(rep_data.length == 0); @@ -2292,12 +2293,12 @@ check_allowed_to_delegate_to(krb5_context context, krb5_error_code kdc_process_s4u2proxy_req(krb5_context context, - krb5_kdc_req *request, - const krb5_enc_tkt_part *t2enc, - const krb5_db_entry *server, - krb5_const_principal server_princ, - krb5_const_principal proxy_princ, - const char **status) + krb5_kdc_req *request, + const krb5_enc_tkt_part *t2enc, + const krb5_db_entry *server, + krb5_const_principal server_princ, + krb5_const_principal proxy_princ, + const char **status) { krb5_error_code errcode; @@ -2307,29 +2308,29 @@ kdc_process_s4u2proxy_req(krb5_context context, * that is validated previously in validate_tgs_request(). */ if (request->kdc_options & (NO_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) { - return KRB5KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* Ensure that evidence ticket server matches TGT client */ if (!krb5_principal_compare(kdc_context, - server->princ, /* after canon */ - server_princ)) { - return KRB5KDC_ERR_SERVER_NOMATCH; + server->princ, /* after canon */ + server_princ)) { + return KRB5KDC_ERR_SERVER_NOMATCH; } if (!isflagset(t2enc->flags, TKT_FLG_FORWARDABLE)) { - *status = "EVIDENCE_TKT_NOT_FORWARDABLE"; - return KRB5_TKT_NOT_FORWARDABLE; + *status = "EVIDENCE_TKT_NOT_FORWARDABLE"; + return KRB5_TKT_NOT_FORWARDABLE; } /* Backend policy check */ errcode = check_allowed_to_delegate_to(kdc_context, - t2enc->client, - server, - proxy_princ); + t2enc->client, + server, + proxy_princ); if (errcode) { - *status = "NOT_ALLOWED_TO_DELEGATE"; - return errcode; + *status = "NOT_ALLOWED_TO_DELEGATE"; + return errcode; } return 0; @@ -2337,25 +2338,25 @@ kdc_process_s4u2proxy_req(krb5_context context, krb5_error_code kdc_check_transited_list(krb5_context context, - const krb5_data *trans, - const krb5_data *realm1, - const krb5_data *realm2) + const krb5_data *trans, + const krb5_data *realm1, + const krb5_data *realm2) { - krb5_error_code code; - kdb_check_transited_realms_req req; - krb5_data req_data; - krb5_data rep_data; + krb5_error_code code; + kdb_check_transited_realms_req req; + krb5_data req_data; + krb5_data rep_data; /* First check using krb5.conf */ code = krb5_check_transited_list(kdc_context, trans, realm1, realm2); if (code) - return code; + return code; memset(&req, 0, sizeof(req)); - req.tr_contents = trans; - req.client_realm = realm1; - req.server_realm = realm2; + req.tr_contents = trans; + req.client_realm = realm1; + req.server_realm = realm2; req_data.data = (void *)&req; req_data.length = sizeof(req); @@ -2364,11 +2365,11 @@ kdc_check_transited_list(krb5_context context, rep_data.length = 0; code = krb5_db_invoke(context, - KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS, - &req_data, - &rep_data); + KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS, + &req_data, + &rep_data); if (code == KRB5_KDB_DBTYPE_NOSUP) { - code = 0; + code = 0; } assert(rep_data.length == 0); @@ -2378,20 +2379,20 @@ kdc_check_transited_list(krb5_context context, krb5_error_code validate_transit_path(krb5_context context, - krb5_const_principal client, - krb5_db_entry *server, - krb5_db_entry *krbtgt) + krb5_const_principal client, + krb5_db_entry *server, + krb5_db_entry *krbtgt) { /* Incoming */ if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) { - return KRB5KDC_ERR_PATH_NOT_ACCEPTED; + return KRB5KDC_ERR_PATH_NOT_ACCEPTED; } /* Outgoing */ if (isflagset(krbtgt->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) && - (!krb5_principal_compare(context, server->princ, krbtgt->princ) || - !krb5_realm_compare(context, client, krbtgt->princ))) { - return KRB5KDC_ERR_PATH_NOT_ACCEPTED; + (!krb5_principal_compare(context, server->princ, krbtgt->princ) || + !krb5_realm_compare(context, client, krbtgt->princ))) { + return KRB5KDC_ERR_PATH_NOT_ACCEPTED; } return 0; @@ -2410,11 +2411,11 @@ validate_transit_path(krb5_context context, /* Currently no info about name canonicalization is logged. */ void log_as_req(const krb5_fulladdr *from, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_db_entry *client, const char *cname, - krb5_db_entry *server, const char *sname, - krb5_timestamp authtime, - const char *status, krb5_error_code errcode, const char *emsg) + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_db_entry *client, const char *cname, + krb5_db_entry *server, const char *sname, + krb5_timestamp authtime, + const char *status, krb5_error_code errcode, const char *emsg) { const char *fromstring = 0; char fromstringbuf[70]; @@ -2423,26 +2424,26 @@ log_as_req(const krb5_fulladdr *from, const char *sname2 = sname ? sname : ""; fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype), - from->address->contents, - fromstringbuf, sizeof(fromstringbuf)); + from->address->contents, + fromstringbuf, sizeof(fromstringbuf)); if (!fromstring) - fromstring = ""; + fromstring = ""; ktypes2str(ktypestr, sizeof(ktypestr), - request->nktypes, request->ktype); + request->nktypes, request->ktype); if (status == NULL) { - /* success */ - char rep_etypestr[128]; - rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); - krb5_klog_syslog(LOG_INFO, - "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s", - ktypestr, fromstring, authtime, - rep_etypestr, cname2, sname2); + /* success */ + char rep_etypestr[128]; + rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); + krb5_klog_syslog(LOG_INFO, + "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s", + ktypestr, fromstring, authtime, + rep_etypestr, cname2, sname2); } else { - /* fail */ + /* fail */ krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s", - ktypestr, fromstring, status, - cname2, sname2, emsg ? ", " : "", emsg ? emsg : ""); + ktypestr, fromstring, status, + cname2, sname2, emsg ? ", " : "", emsg ? emsg : ""); } #if 0 /* Sun (OpenSolaris) version would probably something like this. @@ -2450,33 +2451,33 @@ log_as_req(const krb5_fulladdr *from, logging routines used above. Note that a struct in_addr is used, but the real address could be an IPv6 address. */ audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0, - cname, sname, errcode); + cname, sname, errcode); #endif #if 1 { - kdb_audit_as_req req; - krb5_data req_data; - krb5_data rep_data; + kdb_audit_as_req req; + krb5_data req_data; + krb5_data rep_data; - memset(&req, 0, sizeof(req)); + memset(&req, 0, sizeof(req)); - req.request = request; - req.client = client; - req.server = server; - req.authtime = authtime; - req.error_code = errcode; + req.request = request; + req.client = client; + req.server = server; + req.authtime = authtime; + req.error_code = errcode; - req_data.data = (void *)&req; - req_data.length = sizeof(req); + req_data.data = (void *)&req; + req_data.length = sizeof(req); - rep_data.data = NULL; - rep_data.length = 0; + rep_data.data = NULL; + rep_data.length = 0; - (void) krb5_db_invoke(kdc_context, - KRB5_KDB_METHOD_AUDIT_AS, - &req_data, - &rep_data); - assert(rep_data.length == 0); + (void) krb5_db_invoke(kdc_context, + KRB5_KDB_METHOD_AUDIT_AS, + &req_data, + &rep_data); + assert(rep_data.length == 0); } #endif } @@ -2487,11 +2488,11 @@ log_as_req(const krb5_fulladdr *from, Currently no info about name canonicalization is logged. */ void log_tgs_req(const krb5_fulladdr *from, - krb5_kdc_req *request, krb5_kdc_rep *reply, - const char *cname, const char *sname, const char *altcname, - krb5_timestamp authtime, - unsigned int c_flags, const char *s4u_name, - const char *status, krb5_error_code errcode, const char *emsg) + krb5_kdc_req *request, krb5_kdc_rep *reply, + const char *cname, const char *sname, const char *altcname, + krb5_timestamp authtime, + unsigned int c_flags, const char *s4u_name, + const char *status, krb5_error_code errcode, const char *emsg) { char ktypestr[128]; const char *fromstring = 0; @@ -2499,49 +2500,49 @@ log_tgs_req(const krb5_fulladdr *from, char rep_etypestr[128]; fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype), - from->address->contents, - fromstringbuf, sizeof(fromstringbuf)); + from->address->contents, + fromstringbuf, sizeof(fromstringbuf)); if (!fromstring) - fromstring = ""; + fromstring = ""; ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype); if (!errcode) - rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); + rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); else - rep_etypestr[0] = 0; + rep_etypestr[0] = 0; /* Differences: server-nomatch message logs 2nd ticket's client name (useful), and doesn't log ktypestr (probably not important). */ if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) { - krb5_klog_syslog(LOG_INFO, - "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s", - ktypestr, - fromstring, status, authtime, - rep_etypestr, - !errcode ? "," : "", - cname ? cname : "", - sname ? sname : "", - errcode ? ", " : "", - errcode ? emsg : ""); - if (s4u_name) { - assert(isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) || - isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)); - if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) - krb5_klog_syslog(LOG_INFO, - "... PROTOCOL-TRANSITION s4u-client=%s", - s4u_name); - else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) - krb5_klog_syslog(LOG_INFO, - "... CONSTRAINED-DELEGATION s4u-client=%s", - s4u_name); - } + krb5_klog_syslog(LOG_INFO, + "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s", + ktypestr, + fromstring, status, authtime, + rep_etypestr, + !errcode ? "," : "", + cname ? cname : "", + sname ? sname : "", + errcode ? ", " : "", + errcode ? emsg : ""); + if (s4u_name) { + assert(isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) || + isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)); + if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) + krb5_klog_syslog(LOG_INFO, + "... PROTOCOL-TRANSITION s4u-client=%s", + s4u_name); + else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) + krb5_klog_syslog(LOG_INFO, + "... CONSTRAINED-DELEGATION s4u-client=%s", + s4u_name); + } } else - krb5_klog_syslog(LOG_INFO, - "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s", - fromstring, status, authtime, - cname ? cname : "", - sname ? sname : "", - altcname ? altcname : ""); + krb5_klog_syslog(LOG_INFO, + "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s", + fromstring, status, authtime, + cname ? cname : "", + sname ? sname : "", + altcname ? altcname : ""); /* OpenSolaris: audit_krb5kdc_tgs_req(...) or audit_krb5kdc_tgs_req_2ndtktmm(...) */ @@ -2553,12 +2554,12 @@ log_tgs_alt_tgt(krb5_principal p) { char *sname; if (krb5_unparse_name(kdc_context, p, &sname)) { - krb5_klog_syslog(LOG_INFO, - "TGS_REQ: issuing alternate TGT"); + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing alternate TGT"); } else { - limit_string(sname); - krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing TGT %s", sname); - free(sname); + limit_string(sname); + krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing TGT %s", sname); + free(sname); } /* OpenSolaris: audit_krb5kdc_tgs_req_alt_tgt(...) */ } @@ -2574,50 +2575,50 @@ enctype_requires_etype_info_2(krb5_enctype enctype) case ENCTYPE_DES3_CBC_RAW: case ENCTYPE_ARCFOUR_HMAC: case ENCTYPE_ARCFOUR_HMAC_EXP : - return 0; + return 0; default: - return krb5_c_valid_enctype(enctype); + return krb5_c_valid_enctype(enctype); } } /* XXX where are the generic helper routines for this? */ krb5_error_code add_pa_data_element(krb5_context context, - krb5_pa_data *padata, - krb5_pa_data ***inout_padata, - krb5_boolean copy) + krb5_pa_data *padata, + krb5_pa_data ***inout_padata, + krb5_boolean copy) { - int i; - krb5_pa_data **p; + int i; + krb5_pa_data **p; if (*inout_padata != NULL) { - for (i = 0; (*inout_padata)[i] != NULL; i++) - ; + for (i = 0; (*inout_padata)[i] != NULL; i++) + ; } else - i = 0; + i = 0; p = realloc(*inout_padata, (i + 2) * sizeof(krb5_pa_data *)); if (p == NULL) - return ENOMEM; + return ENOMEM; *inout_padata = p; p[i] = (krb5_pa_data *)malloc(sizeof(krb5_pa_data)); if (p[i] == NULL) - return ENOMEM; + return ENOMEM; *(p[i]) = *padata; p[i + 1] = NULL; if (copy) { - p[i]->contents = (krb5_octet *)malloc(padata->length); - if (p[i]->contents == NULL) { - free(p[i]); - p[i] = NULL; - return ENOMEM; - } + p[i]->contents = (krb5_octet *)malloc(padata->length); + if (p[i]->contents == NULL) { + free(p[i]); + p[i] = NULL; + return ENOMEM; + } - memcpy(p[i]->contents, padata->contents, padata->length); + memcpy(p[i]->contents, padata->contents, padata->length); } return 0; @@ -2625,29 +2626,28 @@ add_pa_data_element(krb5_context context, void kdc_get_ticket_endtime(krb5_context context, - krb5_timestamp starttime, - krb5_timestamp endtime, - krb5_timestamp till, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_timestamp *out_endtime) + krb5_timestamp starttime, + krb5_timestamp endtime, + krb5_timestamp till, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp *out_endtime) { krb5_timestamp until, life; if (till == 0) - till = kdc_infinity; + till = kdc_infinity; until = min(till, endtime); life = until - starttime; if (client->max_life != 0) - life = min(life, client->max_life); + life = min(life, client->max_life); if (server->max_life != 0) - life = min(life, server->max_life); + life = min(life, server->max_life); if (max_life_for_realm != 0) - life = min(life, max_life_for_realm); + life = min(life, max_life_for_realm); *out_endtime = starttime + life; } - diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 84319f7b8..1950ec090 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/kdc_util.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Declarations for policy.c */ @@ -34,8 +35,8 @@ #include "kdb_ext.h" typedef struct _krb5_fulladdr { - krb5_address * address; - krb5_ui_4 port; + krb5_address * address; + krb5_ui_4 port; } krb5_fulladdr; krb5_error_code check_hot_list (krb5_ticket *); @@ -43,71 +44,71 @@ krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal); krb5_boolean is_local_principal(krb5_const_principal princ1); krb5_boolean krb5_is_tgs_principal (krb5_const_principal); krb5_error_code add_to_transited (krb5_data *, - krb5_data *, - krb5_principal, - krb5_principal, - krb5_principal); + krb5_data *, + krb5_principal, + krb5_principal, + krb5_principal); krb5_error_code compress_transited (krb5_data *, - krb5_principal, - krb5_data *); + krb5_principal, + krb5_data *); krb5_error_code concat_authorization_data (krb5_authdata **, - krb5_authdata **, - krb5_authdata ***); + krb5_authdata **, + krb5_authdata ***); krb5_error_code fetch_last_req_info (krb5_db_entry *, - krb5_last_req_entry ***); + krb5_last_req_entry ***); krb5_error_code kdc_convert_key (krb5_keyblock *, - krb5_keyblock *, - int); -krb5_error_code kdc_process_tgs_req - (krb5_kdc_req *, - const krb5_fulladdr *, - krb5_data *, - krb5_ticket **, - krb5_db_entry *krbtgt, - int *nprincs, - krb5_keyblock **, krb5_keyblock **, - krb5_pa_data **pa_tgs_req); + krb5_keyblock *, + int); +krb5_error_code kdc_process_tgs_req +(krb5_kdc_req *, + const krb5_fulladdr *, + krb5_data *, + krb5_ticket **, + krb5_db_entry *krbtgt, + int *nprincs, + krb5_keyblock **, krb5_keyblock **, + krb5_pa_data **pa_tgs_req); krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int, - krb5_boolean match_enctype, - krb5_db_entry *, int *, - krb5_keyblock **, krb5_kvno *); + krb5_boolean match_enctype, + krb5_db_entry *, int *, + krb5_keyblock **, krb5_kvno *); -int validate_as_request (krb5_kdc_req *, krb5_db_entry, - krb5_db_entry, krb5_timestamp, - const char **, krb5_data *); +int validate_as_request (krb5_kdc_req *, krb5_db_entry, + krb5_db_entry, krb5_timestamp, + const char **, krb5_data *); -int validate_forwardable(krb5_kdc_req *, krb5_db_entry, - krb5_db_entry, krb5_timestamp, - const char **); +int validate_forwardable(krb5_kdc_req *, krb5_db_entry, + krb5_db_entry, krb5_timestamp, + const char **); -int validate_tgs_request (krb5_kdc_req *, krb5_db_entry, - krb5_ticket *, krb5_timestamp, - const char **, krb5_data *); +int validate_tgs_request (krb5_kdc_req *, krb5_db_entry, + krb5_ticket *, krb5_timestamp, + const char **, krb5_data *); int fetch_asn1_field (unsigned char *, unsigned int, unsigned int, - krb5_data *); + krb5_data *); int dbentry_has_key_for_enctype (krb5_context context, - krb5_db_entry *client, - krb5_enctype enctype); - + krb5_db_entry *client, + krb5_enctype enctype); + int dbentry_supports_enctype (krb5_context context, - krb5_db_entry *client, - krb5_enctype enctype); + krb5_db_entry *client, + krb5_enctype enctype); krb5_enctype select_session_keytype (krb5_context context, - krb5_db_entry *server, - int nktypes, - krb5_enctype *ktypes); + krb5_db_entry *server, + int nktypes, + krb5_enctype *ktypes); krb5_error_code get_salt_from_key (krb5_context, krb5_principal, - krb5_key_data *, krb5_data *); + krb5_key_data *, krb5_data *); void limit_string (char *name); @@ -119,17 +120,17 @@ rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep); /* do_as_req.c */ krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *, - const krb5_fulladdr *, - krb5_data ** ); + const krb5_fulladdr *, + krb5_data ** ); /* do_tgs_req.c */ krb5_error_code process_tgs_req (krb5_data *, - const krb5_fulladdr *, - krb5_data ** ); + const krb5_fulladdr *, + krb5_data ** ); /* dispatch.c */ krb5_error_code dispatch (krb5_data *, - const krb5_fulladdr *, - krb5_data **); + const krb5_fulladdr *, + krb5_data **); /* main.c */ krb5_error_code kdc_initialize_rcache (krb5_context, char *); @@ -144,48 +145,48 @@ krb5_error_code closedown_network (void); /* policy.c */ int against_local_policy_as (krb5_kdc_req *, krb5_db_entry, - krb5_db_entry, krb5_timestamp, - const char **, krb5_data *); + krb5_db_entry, krb5_timestamp, + const char **, krb5_data *); int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry, - krb5_ticket *, const char **, - krb5_data *); + krb5_ticket *, const char **, + krb5_data *); /* kdc_preauth.c */ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype); const char * missing_required_preauth - (krb5_db_entry *client, krb5_db_entry *server, - krb5_enc_tkt_part *enc_tkt_reply); +(krb5_db_entry *client, krb5_db_entry *server, + krb5_enc_tkt_part *enc_tkt_reply); void get_preauth_hint_list (krb5_kdc_req * request, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_data *e_data); + krb5_db_entry *client, + krb5_db_entry *server, + krb5_data *e_data); krb5_error_code load_preauth_plugins(krb5_context context); krb5_error_code unload_preauth_plugins(krb5_context context); krb5_error_code check_padata - (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, - void **padata_context, krb5_data *e_data); - +(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + void **padata_context, krb5_data *e_data); + krb5_error_code return_padata - (krb5_context context, krb5_db_entry *client, - krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, krb5_keyblock *encrypting_key, - void **padata_context); - +(krb5_context context, krb5_db_entry *client, + krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, krb5_keyblock *encrypting_key, + void **padata_context); + krb5_error_code free_padata_context - (krb5_context context, void **padata_context); +(krb5_context context, void **padata_context); krb5_pa_data *find_pa_data - (krb5_pa_data **padata, krb5_preauthtype pa_type); +(krb5_pa_data **padata, krb5_preauthtype pa_type); krb5_error_code add_pa_data_element - (krb5_context context, - krb5_pa_data *padata, - krb5_pa_data ***out_padata, - krb5_boolean copy); +(krb5_context context, + krb5_pa_data *padata, + krb5_pa_data ***out_padata, + krb5_boolean copy); /* kdc_authdata.c */ krb5_error_code load_authdata_plugins(krb5_context context); @@ -193,18 +194,18 @@ krb5_error_code unload_authdata_plugins(krb5_context context); krb5_error_code handle_authdata (krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply); + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); /* replay.c */ krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **); @@ -214,122 +215,122 @@ void kdc_free_lookaside(krb5_context); /* kdc_util.c */ krb5_error_code get_principal_locked (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, - krb5_boolean *more); + krb5_const_principal search_for, + krb5_db_entry *entries, int *nentries, + krb5_boolean *more); krb5_error_code get_principal (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, krb5_boolean *more); + krb5_const_principal search_for, + krb5_db_entry *entries, int *nentries, krb5_boolean *more); krb5_boolean include_pac_p(krb5_context context, krb5_kdc_req *request); krb5_error_code return_svr_referral_data - (krb5_context context, - krb5_db_entry *server, - krb5_enc_kdc_rep_part *reply_encpart); +(krb5_context context, + krb5_db_entry *server, + krb5_enc_kdc_rep_part *reply_encpart); krb5_error_code sign_db_authdata - (krb5_context context, - unsigned int flags, - krb5_const_principal client_princ, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgs_authdata, - krb5_keyblock *session_key, - krb5_authdata ***ret_authdata); +(krb5_context context, + unsigned int flags, + krb5_const_principal client_princ, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_timestamp authtime, + krb5_authdata **tgs_authdata, + krb5_keyblock *session_key, + krb5_authdata ***ret_authdata); krb5_error_code kdc_process_s4u2self_req - (krb5_context context, - krb5_kdc_req *request, - krb5_const_principal client_princ, - const krb5_db_entry *server, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, - krb5_timestamp kdc_time, - krb5_pa_s4u_x509_user **s4u2self_req, - krb5_db_entry *princ, - int *nprincs, - const char **status); +(krb5_context context, + krb5_kdc_req *request, + krb5_const_principal client_princ, + const krb5_db_entry *server, + krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, + krb5_timestamp kdc_time, + krb5_pa_s4u_x509_user **s4u2self_req, + krb5_db_entry *princ, + int *nprincs, + const char **status); krb5_error_code kdc_make_s4u2self_rep - (krb5_context context, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, - krb5_pa_s4u_x509_user *req_s4u_user, - krb5_kdc_rep *reply, - krb5_enc_kdc_rep_part *reply_encpart); +(krb5_context context, + krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, + krb5_pa_s4u_x509_user *req_s4u_user, + krb5_kdc_rep *reply, + krb5_enc_kdc_rep_part *reply_encpart); krb5_error_code kdc_process_s4u2proxy_req - (krb5_context context, - krb5_kdc_req *request, - const krb5_enc_tkt_part *t2enc, - const krb5_db_entry *server, - krb5_const_principal server_princ, - krb5_const_principal proxy_princ, - const char **status); +(krb5_context context, + krb5_kdc_req *request, + const krb5_enc_tkt_part *t2enc, + const krb5_db_entry *server, + krb5_const_principal server_princ, + krb5_const_principal proxy_princ, + const char **status); krb5_error_code kdc_check_transited_list - (krb5_context context, - const krb5_data *trans, - const krb5_data *realm1, - const krb5_data *realm2); +(krb5_context context, + const krb5_data *trans, + const krb5_data *realm1, + const krb5_data *realm2); krb5_error_code audit_as_request - (krb5_kdc_req *request, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_timestamp authtime, - krb5_error_code errcode); +(krb5_kdc_req *request, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp authtime, + krb5_error_code errcode); krb5_error_code audit_tgs_request - (krb5_kdc_req *request, - krb5_const_principal client, - krb5_db_entry *server, - krb5_timestamp authtime, - krb5_error_code errcode); +(krb5_kdc_req *request, + krb5_const_principal client, + krb5_db_entry *server, + krb5_timestamp authtime, + krb5_error_code errcode); krb5_error_code validate_transit_path(krb5_context context, - krb5_const_principal client, - krb5_db_entry *server, - krb5_db_entry *krbtgt); + krb5_const_principal client, + krb5_db_entry *server, + krb5_db_entry *krbtgt); void kdc_get_ticket_endtime(krb5_context context, - krb5_timestamp now, - krb5_timestamp endtime, - krb5_timestamp till, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_timestamp *out_endtime); + krb5_timestamp now, + krb5_timestamp endtime, + krb5_timestamp till, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp *out_endtime); void log_as_req(const krb5_fulladdr *from, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_db_entry *client, const char *cname, - krb5_db_entry *server, const char *sname, - krb5_timestamp authtime, - const char *status, krb5_error_code errcode, const char *emsg); + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_db_entry *client, const char *cname, + krb5_db_entry *server, const char *sname, + krb5_timestamp authtime, + const char *status, krb5_error_code errcode, const char *emsg); void log_tgs_req(const krb5_fulladdr *from, - krb5_kdc_req *request, krb5_kdc_rep *reply, - const char *cname, const char *sname, const char *altcname, - krb5_timestamp authtime, - unsigned int c_flags, const char *s4u_name, - const char *status, krb5_error_code errcode, const char *emsg); + krb5_kdc_req *request, krb5_kdc_rep *reply, + const char *cname, const char *sname, const char *altcname, + krb5_timestamp authtime, + unsigned int c_flags, const char *s4u_name, + const char *status, krb5_error_code errcode, const char *emsg); void log_tgs_alt_tgt(krb5_principal p); /*Request state*/ struct kdc_request_state { krb5_keyblock *armor_key; - krb5_keyblock *strengthen_key; + krb5_keyblock *strengthen_key; krb5_pa_data *cookie; krb5_int32 fast_options; krb5_int32 fast_internal_flags; @@ -361,31 +362,31 @@ krb5_error_code kdc_fast_handle_error krb5_pa_data **in_padata, krb5_error *err); krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, - krb5_keyblock *existing_key, - krb5_keyblock **out_key); + krb5_keyblock *existing_key, + krb5_keyblock **out_key); krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, - krb5_pa_data **cookie); + krb5_pa_data **cookie); + - #define isflagset(flagfield, flag) (flagfield & (flag)) #define setflag(flagfield, flag) (flagfield |= (flag)) #define clear(flagfield, flag) (flagfield &= ~(flag)) -#ifndef min -#define min(a, b) ((a) < (b) ? (a) : (b)) -#define max(a, b) ((a) > (b) ? (a) : (b)) +#ifndef min +#define min(a, b) ((a) < (b) ? (a) : (b)) +#define max(a, b) ((a) > (b) ? (a) : (b)) #endif #ifdef KRB5_USE_INET6 -#define ADDRTYPE2FAMILY(X) \ - ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1) +#define ADDRTYPE2FAMILY(X) \ + ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1) #else -#define ADDRTYPE2FAMILY(X) \ - ((X) == ADDRTYPE_INET ? AF_INET : -1) +#define ADDRTYPE2FAMILY(X) \ + ((X) == ADDRTYPE_INET ? AF_INET : -1) #endif /* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK diff --git a/src/kdc/main.c b/src/kdc/main.c index 039d918d1..64b6beb55 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/main.c * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Main procedure body for the KDC server process. */ @@ -95,7 +96,7 @@ static int rkey_init_done = 0; static struct sigaction s_action; #endif /* POSIX_SIGNALS */ -#define KRB5_KDC_MAX_REALMS 32 +#define KRB5_KDC_MAX_REALMS 32 static krb5_context kdc_err_context; static const char *kdc_progname; @@ -116,7 +117,7 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...) va_list ap; if (call_context) - krb5_copy_error_message(kdc_err_context, call_context); + krb5_copy_error_message(kdc_err_context, call_context); va_start(ap, fmt); com_err_va(kdc_progname, code, fmt, ap); va_end(ap); @@ -130,9 +131,9 @@ find_realm_data(char *rname, krb5_ui_4 rsize) { int i; for (i=0; irealm_name)) && - !strncmp(rname, kdc_realmlist[i]->realm_name, rsize)) - return(kdc_realmlist[i]); + if ((rsize == strlen(kdc_realmlist[i]->realm_name)) && + !strncmp(rname, kdc_realmlist[i]->realm_name, rsize)) + return(kdc_realmlist[i]); } return((kdc_realm_t *) NULL); } @@ -140,19 +141,19 @@ find_realm_data(char *rname, krb5_ui_4 rsize) krb5_error_code setup_server_realm(krb5_principal sprinc) { - krb5_error_code kret; - kdc_realm_t *newrealm; + krb5_error_code kret; + kdc_realm_t *newrealm; kret = 0; if (kdc_numrealms > 1) { - if (!(newrealm = find_realm_data(sprinc->realm.data, - (krb5_ui_4) sprinc->realm.length))) - kret = ENOENT; - else - kdc_active_realm = newrealm; + if (!(newrealm = find_realm_data(sprinc->realm.data, + (krb5_ui_4) sprinc->realm.length))) + kret = ENOENT; + else + kdc_active_realm = newrealm; } else - kdc_active_realm = kdc_realmlist[0]; + kdc_active_realm = kdc_realmlist[0]; return(kret); } @@ -160,43 +161,43 @@ static void finish_realm(kdc_realm_t *rdp) { if (rdp->realm_dbname) - free(rdp->realm_dbname); + free(rdp->realm_dbname); if (rdp->realm_mpname) - free(rdp->realm_mpname); + free(rdp->realm_mpname); if (rdp->realm_stash) - free(rdp->realm_stash); + free(rdp->realm_stash); if (rdp->realm_ports) - free(rdp->realm_ports); + free(rdp->realm_ports); if (rdp->realm_tcp_ports) - free(rdp->realm_tcp_ports); + free(rdp->realm_tcp_ports); if (rdp->realm_keytab) - krb5_kt_close(rdp->realm_context, rdp->realm_keytab); + krb5_kt_close(rdp->realm_context, rdp->realm_keytab); if (rdp->realm_host_based_services) - free(rdp->realm_host_based_services); + free(rdp->realm_host_based_services); if (rdp->realm_no_host_referral) - free(rdp->realm_no_host_referral); + free(rdp->realm_no_host_referral); if (rdp->realm_context) { - if (rdp->realm_mprinc) - krb5_free_principal(rdp->realm_context, rdp->realm_mprinc); - if (rdp->realm_mkey.length && rdp->realm_mkey.contents) { + if (rdp->realm_mprinc) + krb5_free_principal(rdp->realm_context, rdp->realm_mprinc); + if (rdp->realm_mkey.length && rdp->realm_mkey.contents) { /* XXX shouldn't memset be zap for safety? */ - memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length); - free(rdp->realm_mkey.contents); - } + memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length); + free(rdp->realm_mkey.contents); + } if (rdp->mkey_list) krb5_dbe_free_key_list(rdp->realm_context, rdp->mkey_list); - krb5_db_fini(rdp->realm_context); - if (rdp->realm_tgsprinc) - krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc); - krb5_free_context(rdp->realm_context); + krb5_db_fini(rdp->realm_context); + if (rdp->realm_tgsprinc) + krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc); + krb5_free_context(rdp->realm_context); } memset(rdp, 0, sizeof(*rdp)); free(rdp); } -static krb5_error_code -handle_referral_params(krb5_realm_params *rparams, - char *no_refrls, char *host_based_srvcs, +static krb5_error_code +handle_referral_params(krb5_realm_params *rparams, + char *no_refrls, char *host_based_srvcs, kdc_realm_t *rdp ) { krb5_error_code retval = 0; @@ -210,46 +211,46 @@ handle_referral_params(krb5_realm_params *rparams, rdp->realm_no_host_referral = strdup(KRB5_CONF_ASTERISK); if (!rdp->realm_no_host_referral) retval = ENOMEM; - } else if (no_refrls && (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s", - " ", no_refrls," ",rparams->realm_no_host_referral, " ") < 0)) - retval = ENOMEM; - else if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", - rparams->realm_no_host_referral, " ") < 0) - retval = ENOMEM; + } else if (no_refrls && (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s", + " ", no_refrls," ",rparams->realm_no_host_referral, " ") < 0)) + retval = ENOMEM; + else if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", + rparams->realm_no_host_referral, " ") < 0) + retval = ENOMEM; } else if( no_refrls != NULL) { if ( asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", no_refrls, " ") < 0) - retval = ENOMEM; + retval = ENOMEM; } else rdp->realm_no_host_referral = NULL; } if (rdp->realm_no_host_referral && krb5_match_config_pattern(rdp->realm_no_host_referral, KRB5_CONF_ASTERISK) == TRUE) { - rdp->realm_host_based_services = NULL; + rdp->realm_host_based_services = NULL; return 0; } if (host_based_srvcs && (krb5_match_config_pattern(host_based_srvcs, KRB5_CONF_ASTERISK) == TRUE)) { - rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK); - if (!rdp->realm_host_based_services) - retval = ENOMEM; + rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK); + if (!rdp->realm_host_based_services) + retval = ENOMEM; } else { - if (rparams && rparams->realm_host_based_services) { - if (krb5_match_config_pattern(rparams->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE) { - rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK); - if (!rdp->realm_host_based_services) - retval = ENOMEM; - } else if (host_based_srvcs) { - if (asprintf(&(rdp->realm_host_based_services), "%s%s%s%s%s", - " ", host_based_srvcs," ",rparams->realm_host_based_services, " ") < 0) - retval = ENOMEM; - } else if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", - rparams->realm_host_based_services, " ") < 0) - retval = ENOMEM; + if (rparams && rparams->realm_host_based_services) { + if (krb5_match_config_pattern(rparams->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE) { + rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK); + if (!rdp->realm_host_based_services) + retval = ENOMEM; } else if (host_based_srvcs) { - if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", host_based_srvcs, " ") < 0) - retval = ENOMEM; - } else - rdp->realm_host_based_services = NULL; + if (asprintf(&(rdp->realm_host_based_services), "%s%s%s%s%s", + " ", host_based_srvcs," ",rparams->realm_host_based_services, " ") < 0) + retval = ENOMEM; + } else if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", + rparams->realm_host_based_services, " ") < 0) + retval = ENOMEM; + } else if (host_based_srvcs) { + if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", host_based_srvcs, " ") < 0) + retval = ENOMEM; + } else + rdp->realm_host_based_services = NULL; } return retval; @@ -263,39 +264,39 @@ handle_referral_params(krb5_realm_params *rparams, */ static krb5_error_code init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, - krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports, - krb5_boolean def_manual, char **db_args, char *no_refrls, - char *host_based_srvcs) + krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports, + krb5_boolean def_manual, char **db_args, char *no_refrls, + char *host_based_srvcs) { - krb5_error_code kret; - krb5_boolean manual; - krb5_realm_params *rparams; - int kdb_open_flags; + krb5_error_code kret; + krb5_boolean manual; + krb5_realm_params *rparams; + int kdb_open_flags; krb5_kvno mkvno = IGNORE_VNO; memset(rdp, 0, sizeof(kdc_realm_t)); if (!realm) { - kret = EINVAL; - goto whoops; + kret = EINVAL; + goto whoops; } - + rdp->realm_name = realm; kret = krb5int_init_context_kdc(&rdp->realm_context); if (kret) { - kdc_err(NULL, kret, "while getting context for realm %s", realm); - goto whoops; + kdc_err(NULL, kret, "while getting context for realm %s", realm); + goto whoops; } kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name, - &rparams); + &rparams); if (kret) { - kdc_err(rdp->realm_context, kret, "while reading realm parameters"); - goto whoops; + kdc_err(rdp->realm_context, kret, "while reading realm parameters"); + goto whoops; } - + /* Handle profile file name */ if (rparams && rparams->realm_profile) { - rdp->realm_profile = strdup(rparams->realm_profile); + rdp->realm_profile = strdup(rparams->realm_profile); if (!rdp->realm_profile) { kret = ENOMEM; goto whoops; @@ -304,10 +305,10 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, /* Handle master key name */ if (rparams && rparams->realm_mkey_name) - rdp->realm_mpname = strdup(rparams->realm_mkey_name); + rdp->realm_mpname = strdup(rparams->realm_mkey_name); else - rdp->realm_mpname = (def_mpname) ? strdup(def_mpname) : - strdup(KRB5_KDB_M_NAME); + rdp->realm_mpname = (def_mpname) ? strdup(def_mpname) : + strdup(KRB5_KDB_M_NAME); if (!rdp->realm_mpname) { kret = ENOMEM; goto whoops; @@ -315,59 +316,59 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, /* Handle KDC ports */ if (rparams && rparams->realm_kdc_ports) - rdp->realm_ports = strdup(rparams->realm_kdc_ports); + rdp->realm_ports = strdup(rparams->realm_kdc_ports); else - rdp->realm_ports = strdup(def_udp_ports); + rdp->realm_ports = strdup(def_udp_ports); if (!rdp->realm_ports) { kret = ENOMEM; goto whoops; } if (rparams && rparams->realm_kdc_tcp_ports) - rdp->realm_tcp_ports = strdup(rparams->realm_kdc_tcp_ports); + rdp->realm_tcp_ports = strdup(rparams->realm_kdc_tcp_ports); else - rdp->realm_tcp_ports = strdup(def_tcp_ports); + rdp->realm_tcp_ports = strdup(def_tcp_ports); if (!rdp->realm_tcp_ports) { kret = ENOMEM; goto whoops; } /* Handle stash file */ if (rparams && rparams->realm_stash_file) { - rdp->realm_stash = strdup(rparams->realm_stash_file); + rdp->realm_stash = strdup(rparams->realm_stash_file); if (!rdp->realm_stash) { kret = ENOMEM; goto whoops; } - manual = FALSE; + manual = FALSE; } else - manual = def_manual; + manual = def_manual; /* Handle master key type */ if (rparams && rparams->realm_enctype_valid) - rdp->realm_mkey.enctype = (krb5_enctype) rparams->realm_enctype; + rdp->realm_mkey.enctype = (krb5_enctype) rparams->realm_enctype; else - rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN; + rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN; /* Handle reject-bad-transit flag */ if (rparams && rparams->realm_reject_bad_transit_valid) - rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit; + rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit; else - rdp->realm_reject_bad_transit = 1; - + rdp->realm_reject_bad_transit = 1; + /* Handle ticket maximum life */ rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ? - rparams->realm_max_life : KRB5_KDB_MAX_LIFE; + rparams->realm_max_life : KRB5_KDB_MAX_LIFE; /* Handle ticket renewable maximum life */ rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ? - rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE; + rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE; /* Handle KDC referrals */ kret = handle_referral_params(rparams, no_refrls, host_based_srvcs, rdp); if (kret == ENOMEM) - goto whoops; + goto whoops; if (rparams) - krb5_free_realm_params(rdp->realm_context, rparams); + krb5_free_realm_params(rdp->realm_context, rparams); /* * We've got our parameters, now go and setup our realm context. @@ -375,40 +376,40 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, /* Set the default realm of this context */ if ((kret = krb5_set_default_realm(rdp->realm_context, realm))) { - kdc_err(rdp->realm_context, kret, "while setting default realm to %s", - realm); - goto whoops; + kdc_err(rdp->realm_context, kret, "while setting default realm to %s", + realm); + goto whoops; } /* first open the database before doing anything */ kdb_open_flags = KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_KDC; if ((kret = krb5_db_open(rdp->realm_context, db_args, kdb_open_flags))) { - kdc_err(rdp->realm_context, kret, - "while initializing database for realm %s", realm); - goto whoops; + kdc_err(rdp->realm_context, kret, + "while initializing database for realm %s", realm); + goto whoops; } /* Assemble and parse the master key name */ if ((kret = krb5_db_setup_mkey_name(rdp->realm_context, rdp->realm_mpname, - rdp->realm_name, (char **) NULL, - &rdp->realm_mprinc))) { - kdc_err(rdp->realm_context, kret, - "while setting up master key name %s for realm %s", - rdp->realm_mpname, realm); - goto whoops; + rdp->realm_name, (char **) NULL, + &rdp->realm_mprinc))) { + kdc_err(rdp->realm_context, kret, + "while setting up master key name %s for realm %s", + rdp->realm_mpname, realm); + goto whoops; } /* * Get the master key (note, may not be the most current mkey). */ if ((kret = krb5_db_fetch_mkey(rdp->realm_context, rdp->realm_mprinc, - rdp->realm_mkey.enctype, manual, - FALSE, rdp->realm_stash, - &mkvno, NULL, &rdp->realm_mkey))) { - kdc_err(rdp->realm_context, kret, - "while fetching master key %s for realm %s", - rdp->realm_mpname, realm); - goto whoops; + rdp->realm_mkey.enctype, manual, + FALSE, rdp->realm_stash, + &mkvno, NULL, &rdp->realm_mkey))) { + kdc_err(rdp->realm_context, kret, + "while fetching master key %s for realm %s", + rdp->realm_mpname, realm); + goto whoops; } #if 0 /************** Begin IFDEF'ed OUT *******************************/ /* @@ -419,26 +420,26 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, */ /* Verify the master key */ if ((kret = krb5_db_verify_master_key(rdp->realm_context, - rdp->realm_mprinc, + rdp->realm_mprinc, IGNORE_VNO, - &rdp->realm_mkey))) { - kdc_err(rdp->realm_context, kret, - "while verifying master key for realm %s", realm); - goto whoops; + &rdp->realm_mkey))) { + kdc_err(rdp->realm_context, kret, + "while verifying master key for realm %s", realm); + goto whoops; } #endif /**************** END IFDEF'ed OUT *******************************/ if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc, - &rdp->realm_mkey, mkvno, &rdp->mkey_list))) { - kdc_err(rdp->realm_context, kret, - "while fetching master keys list for realm %s", realm); - goto whoops; + &rdp->realm_mkey, mkvno, &rdp->mkey_list))) { + kdc_err(rdp->realm_context, kret, + "while fetching master keys list for realm %s", realm); + goto whoops; } if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) { - kdc_err(rdp->realm_context, kret, - "while setting master key for realm %s", realm); - goto whoops; + kdc_err(rdp->realm_context, kret, + "while setting master key for realm %s", realm); + goto whoops; } kret = krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); if (kret) { @@ -449,44 +450,44 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, - &rdp->realm_keytab))) { - kdc_err(rdp->realm_context, kret, - "while resolving kdb keytab for realm %s", realm); - goto whoops; + &rdp->realm_keytab))) { + kdc_err(rdp->realm_context, kret, + "while resolving kdb keytab for realm %s", realm); + goto whoops; } /* Preformat the TGS name */ if ((kret = krb5_build_principal(rdp->realm_context, &rdp->realm_tgsprinc, - strlen(realm), realm, KRB5_TGS_NAME, - realm, (char *) NULL))) { - kdc_err(rdp->realm_context, kret, - "while building TGS name for realm %s", realm); - goto whoops; + strlen(realm), realm, KRB5_TGS_NAME, + realm, (char *) NULL))) { + kdc_err(rdp->realm_context, kret, + "while building TGS name for realm %s", realm); + goto whoops; } if (!rkey_init_done) { - krb5_data seed; - /* - * If all that worked, then initialize the random key - * generators. - */ + krb5_data seed; + /* + * If all that worked, then initialize the random key + * generators. + */ - seed.length = rdp->realm_mkey.length; - seed.data = (char *)rdp->realm_mkey.contents; + seed.length = rdp->realm_mkey.length; + seed.data = (char *)rdp->realm_mkey.contents; - if ((kret = krb5_c_random_add_entropy(rdp->realm_context, - KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed))) - goto whoops; + if ((kret = krb5_c_random_add_entropy(rdp->realm_context, + KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed))) + goto whoops; - rkey_init_done = 1; + rkey_init_done = 1; } - whoops: +whoops: /* * If we choked, then clean up any dirt we may have dropped on the floor. */ if (kret) { - - finish_realm(rdp); + + finish_realm(rdp); } return(kret); } @@ -548,9 +549,9 @@ void usage(char *name) { fprintf(stderr, "usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n\t\t[-R replaycachename] [-m] [-k masterenctype] [-M masterkeyname]\n\t\t[-p port] [-n]\n" - "\nwhere,\n\t[-x db_args]* - Any number of database specific arguments. Look at\n" - "\t\t\teach database module documentation for supported\n\t\t\targuments\n", - name); + "\nwhere,\n\t[-x db_args]* - Any number of database specific arguments. Look at\n" + "\t\t\teach database module documentation for supported\n\t\t\targuments\n", + name); return; } @@ -558,19 +559,19 @@ char **db_args = NULL; void initialize_realms(krb5_context kcontext, int argc, char **argv) { - int c; - char *db_name = (char *) NULL; - char *lrealm = (char *) NULL; - char *mkey_name = (char *) NULL; - char *rcname = KDCRCACHE; - krb5_error_code retval; - krb5_enctype menctype = ENCTYPE_UNKNOWN; - kdc_realm_t *rdatap = NULL; - krb5_boolean manual = FALSE; - char *default_udp_ports = 0; - char *default_tcp_ports = 0; - krb5_pointer aprof; - const char *hierarchy[3]; + int c; + char *db_name = (char *) NULL; + char *lrealm = (char *) NULL; + char *mkey_name = (char *) NULL; + char *rcname = KDCRCACHE; + krb5_error_code retval; + krb5_enctype menctype = ENCTYPE_UNKNOWN; + kdc_realm_t *rdatap = NULL; + krb5_boolean manual = FALSE; + char *default_udp_ports = 0; + char *default_tcp_ports = 0; + krb5_pointer aprof; + const char *hierarchy[3]; char *no_refrls = NULL; char *host_based_srvcs = NULL; int db_args_size = 0; @@ -578,19 +579,19 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) extern char *optarg; if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) { - hierarchy[0] = KRB5_CONF_KDCDEFAULTS; - hierarchy[1] = KRB5_CONF_KDC_PORTS; - hierarchy[2] = (char *) NULL; - if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports)) - default_udp_ports = 0; - hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS; - if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports)) - default_tcp_ports = 0; - hierarchy[1] = KRB5_CONF_MAX_DGRAM_REPLY_SIZE; - if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size)) - max_dgram_reply_size = MAX_DGRAM_SIZE; + hierarchy[0] = KRB5_CONF_KDCDEFAULTS; + hierarchy[1] = KRB5_CONF_KDC_PORTS; + hierarchy[2] = (char *) NULL; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports)) + default_udp_ports = 0; + hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports)) + default_tcp_ports = 0; + hierarchy[1] = KRB5_CONF_MAX_DGRAM_REPLY_SIZE; + if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size)) + max_dgram_reply_size = MAX_DGRAM_SIZE; hierarchy[1] = KRB5_CONF_NO_HOST_REFERRAL; - if (krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls)) + if (krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls)) no_refrls = 0; if (!no_refrls || krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == FALSE) { hierarchy[1] = KRB5_CONF_HOST_BASED_SERVICES; @@ -598,13 +599,13 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) host_based_srvcs = 0; } - /* aprof_init can return 0 with aprof == NULL */ - if (aprof) - krb5_aprof_finish(aprof); + /* aprof_init can return 0 with aprof == NULL */ + if (aprof) + krb5_aprof_finish(aprof); } - + if (default_udp_ports == 0) { - default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST); + default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST); if (default_udp_ports == 0) { fprintf(stderr," KDC cannot initialize. Not enough memory\n"); exit(1); @@ -623,140 +624,140 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) * use the previously scanned options to fill in for defaults. */ while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:p:s:n4:X3")) != -1) { - switch(c) { - case 'x': - db_args_size++; - { - char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ - if( temp == NULL ) - { - fprintf(stderr,"%s: KDC cannot initialize. Not enough memory\n", - argv[0]); - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = optarg; - db_args[db_args_size] = NULL; - break; - - case 'r': /* realm name for db */ - if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { - if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(rdatap, optarg, mkey_name, - menctype, default_udp_ports, - default_tcp_ports, manual, db_args, + switch(c) { + case 'x': + db_args_size++; + { + char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ + if( temp == NULL ) + { + fprintf(stderr,"%s: KDC cannot initialize. Not enough memory\n", + argv[0]); + exit(1); + } + + db_args = temp; + } + db_args[db_args_size-1] = optarg; + db_args[db_args_size] = NULL; + break; + + case 'r': /* realm name for db */ + if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { + if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { + if ((retval = init_realm(rdatap, optarg, mkey_name, + menctype, default_udp_ports, + default_tcp_ports, manual, db_args, no_refrls, host_based_srvcs))) { - fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", - argv[0], optarg); - exit(1); - } - kdc_realmlist[kdc_numrealms] = rdatap; - kdc_numrealms++; - free(db_args), db_args=NULL, db_args_size = 0; - } - else - { - fprintf(stderr,"%s: cannot initialize realm %s. Not enough memory\n", - argv[0], optarg); - exit(1); - } - } - break; - case 'd': /* pathname for db */ - /* now db_name is not a seperate argument. It has to be passed as part of the db_args */ - if( db_name == NULL ) { - if (asprintf(&db_name, "dbname=%s", optarg) < 0) { - fprintf(stderr, - "%s: KDC cannot initialize. Not enough memory\n", - argv[0]); - exit(1); - } - } - - db_args_size++; - { - char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ - if( temp == NULL ) - { - fprintf(stderr,"%s: KDC cannot initialize. Not enough memory\n", - argv[0]); - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = db_name; - db_args[db_args_size] = NULL; - break; - case 'm': /* manual type-in of master key */ - manual = TRUE; - if (menctype == ENCTYPE_UNKNOWN) - menctype = ENCTYPE_DES_CBC_CRC; - break; - case 'M': /* master key name in DB */ - mkey_name = optarg; - break; - case 'n': - nofork++; /* don't detach from terminal */ - break; - case 'k': /* enctype for master key */ - if (krb5_string_to_enctype(optarg, &menctype)) - com_err(argv[0], 0, "invalid enctype %s", optarg); - break; - case 'R': - rcname = optarg; - break; - case 'p': - if (default_udp_ports) - free(default_udp_ports); - default_udp_ports = strdup(optarg); + fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", + argv[0], optarg); + exit(1); + } + kdc_realmlist[kdc_numrealms] = rdatap; + kdc_numrealms++; + free(db_args), db_args=NULL, db_args_size = 0; + } + else + { + fprintf(stderr,"%s: cannot initialize realm %s. Not enough memory\n", + argv[0], optarg); + exit(1); + } + } + break; + case 'd': /* pathname for db */ + /* now db_name is not a seperate argument. It has to be passed as part of the db_args */ + if( db_name == NULL ) { + if (asprintf(&db_name, "dbname=%s", optarg) < 0) { + fprintf(stderr, + "%s: KDC cannot initialize. Not enough memory\n", + argv[0]); + exit(1); + } + } + + db_args_size++; + { + char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ + if( temp == NULL ) + { + fprintf(stderr,"%s: KDC cannot initialize. Not enough memory\n", + argv[0]); + exit(1); + } + + db_args = temp; + } + db_args[db_args_size-1] = db_name; + db_args[db_args_size] = NULL; + break; + case 'm': /* manual type-in of master key */ + manual = TRUE; + if (menctype == ENCTYPE_UNKNOWN) + menctype = ENCTYPE_DES_CBC_CRC; + break; + case 'M': /* master key name in DB */ + mkey_name = optarg; + break; + case 'n': + nofork++; /* don't detach from terminal */ + break; + case 'k': /* enctype for master key */ + if (krb5_string_to_enctype(optarg, &menctype)) + com_err(argv[0], 0, "invalid enctype %s", optarg); + break; + case 'R': + rcname = optarg; + break; + case 'p': + if (default_udp_ports) + free(default_udp_ports); + default_udp_ports = strdup(optarg); if (!default_udp_ports) { fprintf(stderr," KDC cannot initialize. Not enough memory\n"); exit(1); } #if 0 /* not yet */ - if (default_tcp_ports) - free(default_tcp_ports); - default_tcp_ports = strdup(optarg); + if (default_tcp_ports) + free(default_tcp_ports); + default_tcp_ports = strdup(optarg); #endif - break; - case '4': - break; - case 'X': - break; - case '?': - default: - usage(argv[0]); - exit(1); - } + break; + case '4': + break; + case 'X': + break; + case '?': + default: + usage(argv[0]); + exit(1); + } } /* * Check to see if we processed any realms. */ if (kdc_numrealms == 0) { - /* no realm specified, use default realm */ - if ((retval = krb5_get_default_realm(kcontext, &lrealm))) { - com_err(argv[0], retval, - "while attempting to retrieve default realm"); - fprintf (stderr, "%s: %s, attempting to retrieve default realm\n", - argv[0], krb5_get_error_message(kcontext, retval)); - exit(1); - } - if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(rdatap, lrealm, mkey_name, menctype, - default_udp_ports, default_tcp_ports, - manual, db_args, no_refrls, - host_based_srvcs))) { - fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", - argv[0], lrealm); - exit(1); - } - kdc_realmlist[0] = rdatap; - kdc_numrealms++; - } + /* no realm specified, use default realm */ + if ((retval = krb5_get_default_realm(kcontext, &lrealm))) { + com_err(argv[0], retval, + "while attempting to retrieve default realm"); + fprintf (stderr, "%s: %s, attempting to retrieve default realm\n", + argv[0], krb5_get_error_message(kcontext, retval)); + exit(1); + } + if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { + if ((retval = init_realm(rdatap, lrealm, mkey_name, menctype, + default_udp_ports, default_tcp_ports, + manual, db_args, no_refrls, + host_based_srvcs))) { + fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", + argv[0], lrealm); + exit(1); + } + kdc_realmlist[0] = rdatap; + kdc_numrealms++; + } } #ifdef USE_RCACHE @@ -764,22 +765,22 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) * Now handle the replay cache. */ if ((retval = kdc_initialize_rcache(kcontext, rcname))) { - com_err(argv[0], retval, "while initializing KDC replay cache '%s'", - rcname); - exit(1); + com_err(argv[0], retval, "while initializing KDC replay cache '%s'", + rcname); + exit(1); } #endif /* Ensure that this is set for our first request. */ kdc_active_realm = kdc_realmlist[0]; if (default_udp_ports) - free(default_udp_ports); + free(default_udp_ports); if (default_tcp_ports) - free(default_tcp_ports); + free(default_tcp_ports); if (db_args) - free(db_args); + free(db_args); if (db_name) - free(db_name); + free(db_name); if (host_based_srvcs) free(host_based_srvcs); if (no_refrls) @@ -794,53 +795,53 @@ finish_realms() int i; for (i = 0; i < kdc_numrealms; i++) { - finish_realm(kdc_realmlist[i]); - kdc_realmlist[i] = 0; + finish_realm(kdc_realmlist[i]); + kdc_realmlist[i] = 0; } } /* - outline: + outline: - process args & setup + process args & setup - initialize database access (fetch master key, open DB) + initialize database access (fetch master key, open DB) - initialize network + initialize network - loop: - listen for packet + loop: + listen for packet - determine packet type, dispatch to handling routine - (AS or TGS (or V4?)) + determine packet type, dispatch to handling routine + (AS or TGS (or V4?)) - reflect response + reflect response - exit on signal + exit on signal - clean up secrets, close db + clean up secrets, close db - shut down network + shut down network - exit - */ + exit +*/ int main(int argc, char **argv) { - krb5_error_code retval; - krb5_context kcontext; + krb5_error_code retval; + krb5_context kcontext; int errout = 0; if (strrchr(argv[0], '/')) - argv[0] = strrchr(argv[0], '/')+1; + argv[0] = strrchr(argv[0], '/')+1; - if (!(kdc_realmlist = (kdc_realm_t **) malloc(sizeof(kdc_realm_t *) * - KRB5_KDC_MAX_REALMS))) { - fprintf(stderr, "%s: cannot get memory for realm list\n", argv[0]); - exit(1); + if (!(kdc_realmlist = (kdc_realm_t **) malloc(sizeof(kdc_realm_t *) * + KRB5_KDC_MAX_REALMS))) { + fprintf(stderr, "%s: cannot get memory for realm list\n", argv[0]); + exit(1); } memset(kdc_realmlist, 0, - (size_t) (sizeof(kdc_realm_t *) * KRB5_KDC_MAX_REALMS)); + (size_t) (sizeof(kdc_realm_t *) * KRB5_KDC_MAX_REALMS)); /* * A note about Kerberos contexts: This context, "kcontext", is used @@ -850,8 +851,8 @@ int main(int argc, char **argv) */ retval = krb5int_init_context_kdc(&kcontext); if (retval) { - com_err(argv[0], retval, "while initializing krb5"); - exit(1); + com_err(argv[0], retval, "while initializing krb5"); + exit(1); } krb5_klog_init(kcontext, "kdc", argv[0], 1); kdc_err_context = kcontext; @@ -875,39 +876,39 @@ int main(int argc, char **argv) retval = setup_sam(); if (retval) { - kdc_err(kcontext, retval, "while initializing SAM"); - finish_realms(); - return 1; + kdc_err(kcontext, retval, "while initializing SAM"); + finish_realms(); + return 1; } if ((retval = setup_network())) { - kdc_err(kcontext, retval, "while initializing network"); - finish_realms(); - return 1; + kdc_err(kcontext, retval, "while initializing network"); + finish_realms(); + return 1; } if (!nofork && daemon(0, 0)) { - kdc_err(kcontext, errno, "while detaching from tty"); - finish_realms(); - return 1; + kdc_err(kcontext, errno, "while detaching from tty"); + finish_realms(); + return 1; } krb5_klog_syslog(LOG_INFO, "commencing operation"); if (nofork) - fprintf(stderr, "%s: starting...\n", kdc_progname); + fprintf(stderr, "%s: starting...\n", kdc_progname); if ((retval = listen_and_process())) { - kdc_err(kcontext, retval, "while processing network requests"); - errout++; + kdc_err(kcontext, retval, "while processing network requests"); + errout++; } if ((retval = closedown_network())) { - kdc_err(kcontext, retval, "while shutting down network"); - errout++; + kdc_err(kcontext, retval, "while shutting down network"); + errout++; } krb5_klog_syslog(LOG_INFO, "shutting down"); unload_preauth_plugins(kcontext); unload_authdata_plugins(kcontext); krb5_klog_close(kdc_context); finish_realms(); - if (kdc_realmlist) - free(kdc_realmlist); + if (kdc_realmlist) + free(kdc_realmlist); #ifdef USE_RCACHE (void) krb5_rc_close(kcontext, kdc_rcache); #endif @@ -917,5 +918,3 @@ int main(int argc, char **argv) krb5_free_context(kcontext); return errout; } - - diff --git a/src/kdc/network.c b/src/kdc/network.c index 4fdfcf1c6..ec0262231 100644 --- a/src/kdc/network.c +++ b/src/kdc/network.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/network.c * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Network code for Kerberos v5 KDC. */ @@ -58,7 +59,7 @@ #endif #ifdef HAVE_SYS_FILIO_H -#include /* FIONBIO */ +#include /* FIONBIO */ #endif #include "fake-addrinfo.h" @@ -69,15 +70,15 @@ set_sa_port(struct sockaddr *addr, int port) { switch (addr->sa_family) { case AF_INET: - sa2sin(addr)->sin_port = port; - break; + sa2sin(addr)->sin_port = port; + break; #ifdef KRB5_USE_INET6 case AF_INET6: - sa2sin6(addr)->sin6_port = port; - break; + sa2sin6(addr)->sin6_port = port; + break; #endif default: - break; + break; } } @@ -86,13 +87,13 @@ static int ipv6_enabled() #ifdef KRB5_USE_INET6 static int result = -1; if (result == -1) { - int s; - s = socket(AF_INET6, SOCK_STREAM, 0); - if (s >= 0) { - result = 1; - close(s); - } else - result = 0; + int s; + s = socket(AF_INET6, SOCK_STREAM, 0); + if (s >= 0) { + result = 1; + close(s); + } else + result = 0; } return result; #else @@ -133,21 +134,21 @@ set_pktinfo(int sock, int family) switch (family) { #if defined(IP_PKTINFO) && defined(HAVE_STRUCT_IN_PKTINFO) case AF_INET: - proto = IPPROTO_IP; - option = IP_RECVPKTINFO; - break; + proto = IPPROTO_IP; + option = IP_RECVPKTINFO; + break; #endif #if defined(IPV6_PKTINFO) && defined(HAVE_STRUCT_IN6_PKTINFO) case AF_INET6: - proto = IPPROTO_IPV6; - option = IPV6_RECVPKTINFO; - break; + proto = IPPROTO_IPV6; + option = IPV6_RECVPKTINFO; + break; #endif default: - return EINVAL; + return EINVAL; } if (setsockopt(sock, proto, option, &sockopt, sizeof(sockopt))) - return errno; + return errno; return 0; } @@ -157,17 +158,17 @@ static const char *paddr (struct sockaddr *sa) static char buf[100]; char portbuf[10]; if (getnameinfo(sa, socklen(sa), - buf, sizeof(buf), portbuf, sizeof(portbuf), - NI_NUMERICHOST|NI_NUMERICSERV)) - strlcpy(buf, "", sizeof(buf)); + buf, sizeof(buf), portbuf, sizeof(portbuf), + NI_NUMERICHOST|NI_NUMERICSERV)) + strlcpy(buf, "", sizeof(buf)); else { - unsigned int len = sizeof(buf) - strlen(buf); - char *p = buf + strlen(buf); - if (len > 2+strlen(portbuf)) { - *p++ = '.'; - len--; - strncpy(p, portbuf, len); - } + unsigned int len = sizeof(buf) - strlen(buf); + char *p = buf + strlen(buf); + if (len > 2+strlen(portbuf)) { + *p++ = '.'; + len--; + strncpy(p, portbuf, len); + } } return buf; } @@ -185,28 +186,28 @@ struct connection { enum conn_type type; void (*service)(struct connection *, int); union { - /* Type-specific information. */ - struct { - /* connection */ - struct sockaddr_storage addr_s; - socklen_t addrlen; - char addrbuf[56]; - krb5_fulladdr faddr; - krb5_address kaddr; - /* incoming */ - size_t bufsiz; - size_t offset; - char *buffer; - size_t msglen; - /* outgoing */ - krb5_data *response; - unsigned char lenbuf[4]; - sg_buf sgbuf[2]; - sg_buf *sgp; - int sgnum; - /* crude denial-of-service avoidance support */ - time_t start_time; - } tcp; + /* Type-specific information. */ + struct { + /* connection */ + struct sockaddr_storage addr_s; + socklen_t addrlen; + char addrbuf[56]; + krb5_fulladdr faddr; + krb5_address kaddr; + /* incoming */ + size_t bufsiz; + size_t offset; + char *buffer; + size_t msglen; + /* outgoing */ + krb5_data *response; + unsigned char lenbuf[4]; + sg_buf sgbuf[2]; + sg_buf *sgp; + int sgnum; + /* crude denial-of-service avoidance support */ + time_t start_time; + } tcp; } u; }; @@ -216,78 +217,78 @@ struct connection { /* Start at the top and work down -- this should allow for deletions without disrupting the iteration, since we delete by overwriting the element to be removed with the last element. */ -#define FOREACH_ELT(set,idx,vvar) \ - for (idx = set.n-1; idx >= 0 && (vvar = set.data[idx], 1); idx--) - -#define GROW_SET(set, incr, tmpptr) \ - (((int)(set.max + incr) < set.max \ - || (((size_t)((int)(set.max + incr) * sizeof(set.data[0])) \ - / sizeof(set.data[0])) \ - != (set.max + incr))) \ - ? 0 /* overflow */ \ - : ((tmpptr = realloc(set.data, \ - (int)(set.max + incr) * sizeof(set.data[0]))) \ - ? (set.data = tmpptr, set.max += incr, 1) \ - : 0)) +#define FOREACH_ELT(set,idx,vvar) \ + for (idx = set.n-1; idx >= 0 && (vvar = set.data[idx], 1); idx--) + +#define GROW_SET(set, incr, tmpptr) \ + (((int)(set.max + incr) < set.max \ + || (((size_t)((int)(set.max + incr) * sizeof(set.data[0])) \ + / sizeof(set.data[0])) \ + != (set.max + incr))) \ + ? 0 /* overflow */ \ + : ((tmpptr = realloc(set.data, \ + (int)(set.max + incr) * sizeof(set.data[0]))) \ + ? (set.data = tmpptr, set.max += incr, 1) \ + : 0)) /* 1 = success, 0 = failure */ -#define ADD(set, val, tmpptr) \ - ((set.n < set.max || GROW_SET(set, 10, tmpptr)) \ - ? (set.data[set.n++] = val, 1) \ - : 0) +#define ADD(set, val, tmpptr) \ + ((set.n < set.max || GROW_SET(set, 10, tmpptr)) \ + ? (set.data[set.n++] = val, 1) \ + : 0) -#define DEL(set, idx) \ - (set.data[idx] = set.data[--set.n], 0) +#define DEL(set, idx) \ + (set.data[idx] = set.data[--set.n], 0) -#define FREE_SET_DATA(set) \ - (free(set.data), set.data = 0, set.max = 0, set.n = 0) +#define FREE_SET_DATA(set) \ + (free(set.data), set.data = 0, set.max = 0, set.n = 0) /* Set connections; */ static SET(struct connection *) connections; -#define n_sockets connections.n -#define conns connections.data +#define n_sockets connections.n +#define conns connections.data /* Set udp_port_data, tcp_port_data; */ static SET(u_short) udp_port_data, tcp_port_data; #include "cm.h" -static struct select_state sstate; + static struct select_state sstate; -static krb5_error_code add_udp_port(int port) + static krb5_error_code add_udp_port(int port) { - int i; + int i; void *tmp; u_short val; u_short s_port = port; if (s_port != port) - return EINVAL; + return EINVAL; FOREACH_ELT (udp_port_data, i, val) - if (s_port == val) - return 0; + if (s_port == val) + return 0; if (!ADD(udp_port_data, s_port, tmp)) - return ENOMEM; + return ENOMEM; return 0; } static krb5_error_code add_tcp_port(int port) { - int i; + int i; void *tmp; u_short val; u_short s_port = port; if (s_port != port) - return EINVAL; + return EINVAL; FOREACH_ELT (tcp_port_data, i, val) - if (s_port == val) - return 0; + if (s_port == val) + return 0; if (!ADD(tcp_port_data, s_port, tmp)) - return ENOMEM; + return ENOMEM; return 0; } @@ -307,29 +308,29 @@ struct socksetup { static struct connection * add_fd (struct socksetup *data, int sock, enum conn_type conntype, - void (*service)(struct connection *, int)) + void (*service)(struct connection *, int)) { struct connection *newconn; void *tmp; #ifndef _WIN32 if (sock >= FD_SETSIZE) { - data->retval = EMFILE; /* XXX */ - kdc_err(NULL, 0, "file descriptor number %d too high", sock); - return 0; + data->retval = EMFILE; /* XXX */ + kdc_err(NULL, 0, "file descriptor number %d too high", sock); + return 0; } #endif newconn = malloc(sizeof(*newconn)); if (newconn == 0) { - data->retval = ENOMEM; - kdc_err(NULL, ENOMEM, "cannot allocate storage for connection info"); - return 0; + data->retval = ENOMEM; + kdc_err(NULL, ENOMEM, "cannot allocate storage for connection info"); + return 0; } if (!ADD(connections, newconn, tmp)) { - data->retval = ENOMEM; - kdc_err(NULL, ENOMEM, "cannot save socket info"); - free(newconn); - return 0; + data->retval = ENOMEM; + kdc_err(NULL, ENOMEM, "cannot save socket info"); + free(newconn); + return 0; } memset(newconn, 0, sizeof(*newconn)); @@ -347,7 +348,7 @@ static struct connection * add_udp_fd (struct socksetup *data, int sock, int pktinfo) { return add_fd(data, sock, pktinfo ? CONN_UDP_PKTINFO : CONN_UDP, - process_packet); + process_packet); } static struct connection * @@ -369,10 +370,10 @@ delete_fd (struct connection *xconn) int i; FOREACH_ELT(connections, i, conn) - if (conn == xconn) { - DEL(connections, i); - break; - } + if (conn == xconn) { + DEL(connections, i); + break; + } free(xconn); } @@ -405,57 +406,57 @@ setup_a_tcp_listener(struct socksetup *data, struct sockaddr *addr) sock = socket(addr->sa_family, SOCK_STREAM, 0); if (sock == -1) { - kdc_err(NULL, errno, "Cannot create TCP server socket on %s", - paddr(addr)); - return -1; + kdc_err(NULL, errno, "Cannot create TCP server socket on %s", + paddr(addr)); + return -1; } set_cloexec_fd(sock); #ifndef _WIN32 if (sock >= FD_SETSIZE) { - close(sock); - kdc_err(NULL, 0, "TCP socket fd number %d (for %s) too high", - sock, paddr(addr)); - return -1; + close(sock); + kdc_err(NULL, 0, "TCP socket fd number %d (for %s) too high", + sock, paddr(addr)); + return -1; } #endif if (setreuseaddr(sock, 1) < 0) - kdc_err(NULL, errno, "Cannot enable SO_REUSEADDR on fd %d", sock); + kdc_err(NULL, errno, "Cannot enable SO_REUSEADDR on fd %d", sock); #ifdef KRB5_USE_INET6 if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY - if (setv6only(sock, 1)) - kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); - else - kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); + if (setv6only(sock, 1)) + kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); + else + kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); #else - krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); + krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ } #endif /* KRB5_USE_INET6 */ if (bind(sock, addr, socklen(addr)) == -1) { - kdc_err(NULL, errno, "Cannot bind TCP server socket on %s", - paddr(addr)); - close(sock); - return -1; + kdc_err(NULL, errno, "Cannot bind TCP server socket on %s", + paddr(addr)); + close(sock); + return -1; } if (listen(sock, 5) < 0) { - kdc_err(NULL, errno, "Cannot listen on TCP server socket on %s", - paddr(addr)); - close(sock); - return -1; + kdc_err(NULL, errno, "Cannot listen on TCP server socket on %s", + paddr(addr)); + close(sock); + return -1; } if (setnbio(sock)) { - kdc_err(NULL, errno, - "cannot set listening tcp socket on %s non-blocking", - paddr(addr)); - close(sock); - return -1; + kdc_err(NULL, errno, + "cannot set listening tcp socket on %s non-blocking", + paddr(addr)); + close(sock); + return -1; } if (setnolinger(sock)) { - kdc_err(NULL, errno, "disabling SO_LINGER on TCP socket on %s", - paddr(addr)); - close(sock); - return -1; + kdc_err(NULL, errno, "disabling SO_LINGER on TCP socket on %s", + paddr(addr)); + close(sock); + return -1; } return sock; } @@ -486,58 +487,58 @@ setup_tcp_listener_ports(struct socksetup *data) #endif FOREACH_ELT (tcp_port_data, i, port) { - int s4, s6; - - set_sa_port((struct sockaddr *)&sin4, htons(port)); - if (!ipv6_enabled()) { - s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); - if (s4 < 0) - return -1; - s6 = -1; - } else { + int s4, s6; + + set_sa_port((struct sockaddr *)&sin4, htons(port)); + if (!ipv6_enabled()) { + s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); + if (s4 < 0) + return -1; + s6 = -1; + } else { #ifndef KRB5_USE_INET6 - abort(); + abort(); #else - s4 = s6 = -1; + s4 = s6 = -1; - set_sa_port((struct sockaddr *)&sin6, htons(port)); + set_sa_port((struct sockaddr *)&sin6, htons(port)); - s6 = setup_a_tcp_listener(data, (struct sockaddr *)&sin6); - if (s6 < 0) - return -1; + s6 = setup_a_tcp_listener(data, (struct sockaddr *)&sin6); + if (s6 < 0) + return -1; - s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); + s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4); #endif /* KRB5_USE_INET6 */ - } - - /* Sockets are created, prepare to listen on them. */ - if (s4 >= 0) { - if (add_tcp_listener_fd(data, s4) == NULL) - close(s4); - else { - FD_SET(s4, &sstate.rfds); - if (s4 >= sstate.max) - sstate.max = s4 + 1; - krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", - s4, paddr((struct sockaddr *)&sin4)); - } - } + } + + /* Sockets are created, prepare to listen on them. */ + if (s4 >= 0) { + if (add_tcp_listener_fd(data, s4) == NULL) + close(s4); + else { + FD_SET(s4, &sstate.rfds); + if (s4 >= sstate.max) + sstate.max = s4 + 1; + krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", + s4, paddr((struct sockaddr *)&sin4)); + } + } #ifdef KRB5_USE_INET6 - if (s6 >= 0) { - if (add_tcp_listener_fd(data, s6) == NULL) { - close(s6); - s6 = -1; - } else { - FD_SET(s6, &sstate.rfds); - if (s6 >= sstate.max) - sstate.max = s6 + 1; - krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", - s6, paddr((struct sockaddr *)&sin6)); - } - if (s4 < 0) - krb5_klog_syslog(LOG_INFO, - "assuming IPv6 socket accepts IPv4"); - } + if (s6 >= 0) { + if (add_tcp_listener_fd(data, s6) == NULL) { + close(s6); + s6 = -1; + } else { + FD_SET(s6, &sstate.rfds); + if (s6 >= sstate.max) + sstate.max = s6 + 1; + krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", + s6, paddr((struct sockaddr *)&sin6)); + } + if (s4 < 0) + krb5_klog_syslog(LOG_INFO, + "assuming IPv6 socket accepts IPv4"); + } #endif } return 0; @@ -556,39 +557,39 @@ union pktinfo { static int setup_udp_port_1(struct socksetup *data, struct sockaddr *addr, - char *haddrbuf, int pktinfo); + char *haddrbuf, int pktinfo); static void setup_udp_pktinfo_ports(struct socksetup *data) { #ifdef IP_PKTINFO { - struct sockaddr_in sa; - int r; + struct sockaddr_in sa; + int r; - memset(&sa, 0, sizeof(sa)); - sa.sin_family = AF_INET; + memset(&sa, 0, sizeof(sa)); + sa.sin_family = AF_INET; #ifdef HAVE_SA_LEN - sa.sin_len = sizeof(sa); + sa.sin_len = sizeof(sa); #endif - r = setup_udp_port_1(data, (struct sockaddr *) &sa, "0.0.0.0", 4); - if (r == 0) - data->udp_flags &= ~UDP_DO_IPV4; + r = setup_udp_port_1(data, (struct sockaddr *) &sa, "0.0.0.0", 4); + if (r == 0) + data->udp_flags &= ~UDP_DO_IPV4; } #endif #ifdef IPV6_PKTINFO { - struct sockaddr_in6 sa; - int r; + struct sockaddr_in6 sa; + int r; - memset(&sa, 0, sizeof(sa)); - sa.sin6_family = AF_INET6; + memset(&sa, 0, sizeof(sa)); + sa.sin6_family = AF_INET6; #ifdef HAVE_SA_LEN - sa.sin6_len = sizeof(sa); + sa.sin6_len = sizeof(sa); #endif - r = setup_udp_port_1(data, (struct sockaddr *) &sa, "::", 6); - if (r == 0) - data->udp_flags &= ~UDP_DO_IPV6; + r = setup_udp_port_1(data, (struct sockaddr *) &sa, "::", 6); + if (r == 0) + data->udp_flags &= ~UDP_DO_IPV6; } #endif } @@ -601,66 +602,66 @@ setup_udp_pktinfo_ports(struct socksetup *data) static int setup_udp_port_1(struct socksetup *data, struct sockaddr *addr, - char *haddrbuf, int pktinfo) + char *haddrbuf, int pktinfo) { int sock = -1, i, r; u_short port; FOREACH_ELT (udp_port_data, i, port) { - sock = socket (addr->sa_family, SOCK_DGRAM, 0); - if (sock == -1) { - data->retval = errno; - kdc_err(NULL, data->retval, - "Cannot create server socket for port %d address %s", - port, haddrbuf); - return 1; - } - set_cloexec_fd(sock); + sock = socket (addr->sa_family, SOCK_DGRAM, 0); + if (sock == -1) { + data->retval = errno; + kdc_err(NULL, data->retval, + "Cannot create server socket for port %d address %s", + port, haddrbuf); + return 1; + } + set_cloexec_fd(sock); #ifdef KRB5_USE_INET6 - if (addr->sa_family == AF_INET6) { + if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY - if (setv6only(sock, 1)) - kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", - sock); - else - kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); + if (setv6only(sock, 1)) + kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", + sock); + else + kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); #else - krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); + krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ - } + } #endif - set_sa_port(addr, htons(port)); - if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) { - data->retval = errno; - kdc_err(NULL, data->retval, - "Cannot bind server socket to port %d address %s", - port, haddrbuf); - close(sock); - return 1; - } + set_sa_port(addr, htons(port)); + if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) { + data->retval = errno; + kdc_err(NULL, data->retval, + "Cannot bind server socket to port %d address %s", + port, haddrbuf); + close(sock); + return 1; + } #if !(defined(CMSG_SPACE) && defined(HAVE_STRUCT_CMSGHDR) && (defined(IP_PKTINFO) || defined(IPV6_PKTINFO))) - assert(pktinfo == 0); + assert(pktinfo == 0); #endif - if (pktinfo) { - r = set_pktinfo(sock, addr->sa_family); - if (r) { - kdc_err(NULL, r, - "Cannot request packet info for udp socket address %s port %d", - haddrbuf, port); - close(sock); - return 1; - } - } - krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock, - paddr((struct sockaddr *)addr), - pktinfo ? " (pktinfo)" : ""); - if (add_udp_fd (data, sock, pktinfo) == 0) { - close(sock); - return 1; - } - FD_SET (sock, &sstate.rfds); - if (sock >= sstate.max) - sstate.max = sock + 1; + if (pktinfo) { + r = set_pktinfo(sock, addr->sa_family); + if (r) { + kdc_err(NULL, r, + "Cannot request packet info for udp socket address %s port %d", + haddrbuf, port); + close(sock); + return 1; + } + } + krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock, + paddr((struct sockaddr *)addr), + pktinfo ? " (pktinfo)" : ""); + if (add_udp_fd (data, sock, pktinfo) == 0) { + close(sock); + return 1; + } + FD_SET (sock, &sstate.rfds); + if (sock >= sstate.max) + sstate.max = sock + 1; } return 0; } @@ -673,51 +674,51 @@ setup_udp_port(void *P_data, struct sockaddr *addr) int err; if (addr->sa_family == AF_INET && !(data->udp_flags & UDP_DO_IPV4)) - return 0; + return 0; #ifdef AF_INET6 if (addr->sa_family == AF_INET6 && !(data->udp_flags & UDP_DO_IPV6)) - return 0; + return 0; #endif err = getnameinfo(addr, socklen(addr), haddrbuf, sizeof(haddrbuf), - 0, 0, NI_NUMERICHOST); + 0, 0, NI_NUMERICHOST); if (err) - strlcpy(haddrbuf, "", sizeof(haddrbuf)); + strlcpy(haddrbuf, "", sizeof(haddrbuf)); switch (addr->sa_family) { case AF_INET: - break; + break; #ifdef AF_INET6 case AF_INET6: #ifdef KRB5_USE_INET6 - break; + break; #else - { - static int first = 1; - if (first) { - krb5_klog_syslog (LOG_INFO, "skipping local ipv6 addresses"); - first = 0; - } - return 0; - } + { + static int first = 1; + if (first) { + krb5_klog_syslog (LOG_INFO, "skipping local ipv6 addresses"); + first = 0; + } + return 0; + } #endif #endif #ifdef AF_LINK /* some BSD systems, AIX */ case AF_LINK: - return 0; + return 0; #endif #ifdef AF_DLI /* Direct Link Interface - DEC Ultrix/OSF1 link layer? */ case AF_DLI: - return 0; + return 0; #endif #ifdef AF_APPLETALK case AF_APPLETALK: - return 0; + return 0; #endif default: - krb5_klog_syslog (LOG_INFO, - "skipping unrecognized local address family %d", - addr->sa_family); - return 0; + krb5_klog_syslog (LOG_INFO, + "skipping unrecognized local address family %d", + addr->sa_family); + return 0; } return setup_udp_port_1(data, addr, haddrbuf, 0); } @@ -729,40 +730,40 @@ static void klog_handler(const void *data, size_t len) static int bufoffset; void *p; -#define flush_buf() \ - (bufoffset \ - ? (((buf[0] == 0 || buf[0] == '\n') \ - ? (fork()==0?abort():(void)0) \ - : (void)0), \ - krb5_klog_syslog(LOG_INFO, "%s", buf), \ - memset(buf, 0, sizeof(buf)), \ - bufoffset = 0) \ - : 0) +#define flush_buf() \ + (bufoffset \ + ? (((buf[0] == 0 || buf[0] == '\n') \ + ? (fork()==0?abort():(void)0) \ + : (void)0), \ + krb5_klog_syslog(LOG_INFO, "%s", buf), \ + memset(buf, 0, sizeof(buf)), \ + bufoffset = 0) \ + : 0) p = memchr(data, 0, len); if (p) - len = (const char *)p - (const char *)data; + len = (const char *)p - (const char *)data; scan_for_newlines: if (len == 0) - return; + return; p = memchr(data, '\n', len); if (p) { - if (p != data) - klog_handler(data, (size_t)((const char *)p - (const char *)data)); - flush_buf(); - len -= ((const char *)p - (const char *)data) + 1; - data = 1 + (const char *)p; - goto scan_for_newlines; + if (p != data) + klog_handler(data, (size_t)((const char *)p - (const char *)data)); + flush_buf(); + len -= ((const char *)p - (const char *)data) + 1; + data = 1 + (const char *)p; + goto scan_for_newlines; } else if (len > sizeof(buf) - 1 || len + bufoffset > sizeof(buf) - 1) { - size_t x = sizeof(buf) - len - 1; - klog_handler(data, x); - flush_buf(); - len -= x; - data = (const char *)data + x; - goto scan_for_newlines; + size_t x = sizeof(buf) - len - 1; + klog_handler(data, x); + flush_buf(); + len -= x; + data = (const char *)data + x; + goto scan_for_newlines; } else { - memcpy(buf + bufoffset, data, len); - bufoffset += len; + memcpy(buf + bufoffset, data, len); + bufoffset += len; } } #endif @@ -801,73 +802,73 @@ static void process_routing_update(struct connection *conn, int selflags) struct rt_msghdr rtm; while ((n_read = read(conn->fd, &rtm, sizeof(rtm))) > 0) { - if (n_read < sizeof(rtm)) { - /* Quick hack to figure out if the interesting - fields are present in a short read. + if (n_read < sizeof(rtm)) { + /* Quick hack to figure out if the interesting + fields are present in a short read. - A short read seems to be normal for some message types. - Only complain if we don't have the critical initial - header fields. */ + A short read seems to be normal for some message types. + Only complain if we don't have the critical initial + header fields. */ #define RS(FIELD) (offsetof(struct rt_msghdr, FIELD) + sizeof(rtm.FIELD)) - if (n_read < RS(rtm_type) || - n_read < RS(rtm_version) || - n_read < RS(rtm_msglen)) { - krb5_klog_syslog(LOG_ERR, - "short read (%d/%d) from routing socket", - n_read, (int) sizeof(rtm)); - return; - } - } + if (n_read < RS(rtm_type) || + n_read < RS(rtm_version) || + n_read < RS(rtm_msglen)) { + krb5_klog_syslog(LOG_ERR, + "short read (%d/%d) from routing socket", + n_read, (int) sizeof(rtm)); + return; + } + } #if 0 - krb5_klog_syslog(LOG_INFO, - "got routing msg type %d(%s) v%d", - rtm.rtm_type, rtm_type_name(rtm.rtm_type), - rtm.rtm_version); + krb5_klog_syslog(LOG_INFO, + "got routing msg type %d(%s) v%d", + rtm.rtm_type, rtm_type_name(rtm.rtm_type), + rtm.rtm_version); #endif - if (rtm.rtm_msglen > sizeof(rtm)) { - /* It appears we get a partial message and the rest is - thrown away? */ - } else if (rtm.rtm_msglen != n_read) { - krb5_klog_syslog(LOG_ERR, - "read %d from routing socket but msglen is %d", - n_read, rtm.rtm_msglen); - } - switch (rtm.rtm_type) { - case RTM_ADD: - case RTM_DELETE: - case RTM_NEWADDR: - case RTM_DELADDR: - case RTM_IFINFO: - case RTM_OLDADD: - case RTM_OLDDEL: + if (rtm.rtm_msglen > sizeof(rtm)) { + /* It appears we get a partial message and the rest is + thrown away? */ + } else if (rtm.rtm_msglen != n_read) { + krb5_klog_syslog(LOG_ERR, + "read %d from routing socket but msglen is %d", + n_read, rtm.rtm_msglen); + } + switch (rtm.rtm_type) { + case RTM_ADD: + case RTM_DELETE: + case RTM_NEWADDR: + case RTM_DELADDR: + case RTM_IFINFO: + case RTM_OLDADD: + case RTM_OLDDEL: #if 0 - krb5_klog_syslog(LOG_DEBUG, - "network reconfiguration message (%s) received", - rtm_type_name(rtm.rtm_type)); + krb5_klog_syslog(LOG_DEBUG, + "network reconfiguration message (%s) received", + rtm_type_name(rtm.rtm_type)); #endif - network_reconfiguration_needed = 1; - break; - case RTM_RESOLVE: + network_reconfiguration_needed = 1; + break; + case RTM_RESOLVE: #ifdef RTM_NEWMADDR - case RTM_NEWMADDR: - case RTM_DELMADDR: + case RTM_NEWMADDR: + case RTM_DELMADDR: #endif - case RTM_MISS: - case RTM_REDIRECT: - case RTM_LOSING: - case RTM_GET: - /* Not interesting. */ + case RTM_MISS: + case RTM_REDIRECT: + case RTM_LOSING: + case RTM_GET: + /* Not interesting. */ #if 0 - krb5_klog_syslog(LOG_DEBUG, "routing msg not interesting"); + krb5_klog_syslog(LOG_DEBUG, "routing msg not interesting"); #endif - break; - default: - krb5_klog_syslog(LOG_INFO, - "unhandled routing message type %d, will reconfigure just for the fun of it", - rtm.rtm_type); - network_reconfiguration_needed = 1; - break; - } + break; + default: + krb5_klog_syslog(LOG_INFO, + "unhandled routing message type %d, will reconfigure just for the fun of it", + rtm.rtm_type); + network_reconfiguration_needed = 1; + break; + } } } @@ -876,14 +877,14 @@ setup_routing_socket(struct socksetup *data) { int sock = socket(PF_ROUTE, SOCK_RAW, 0); if (sock < 0) { - int e = errno; - krb5_klog_syslog(LOG_INFO, "couldn't set up routing socket: %s", - strerror(e)); + int e = errno; + krb5_klog_syslog(LOG_INFO, "couldn't set up routing socket: %s", + strerror(e)); } else { - krb5_klog_syslog(LOG_INFO, "routing socket is fd %d", sock); - add_fd(data, sock, CONN_ROUTING, process_routing_update); - setnbio(sock); - FD_SET(sock, &sstate.rfds); + krb5_klog_syslog(LOG_INFO, "routing socket is fd %d", sock); + add_fd(data, sock, CONN_ROUTING, process_routing_update); + setnbio(sock); + FD_SET(sock, &sstate.rfds); } } #endif @@ -910,33 +911,33 @@ setup_network() /* Handle each realm's ports */ for (i=0; irealm_ports; - while (cp && *cp) { - if (*cp == ',' || isspace((int) *cp)) { - cp++; - continue; - } - port = strtol(cp, &cp, 10); - if (cp == 0) - break; - retval = add_udp_port(port); - if (retval) - return retval; - } - - cp = kdc_realmlist[i]->realm_tcp_ports; - while (cp && *cp) { - if (*cp == ',' || isspace((int) *cp)) { - cp++; - continue; - } - port = strtol(cp, &cp, 10); - if (cp == 0) - break; - retval = add_tcp_port(port); - if (retval) - return retval; - } + cp = kdc_realmlist[i]->realm_ports; + while (cp && *cp) { + if (*cp == ',' || isspace((int) *cp)) { + cp++; + continue; + } + port = strtol(cp, &cp, 10); + if (cp == 0) + break; + retval = add_udp_port(port); + if (retval) + return retval; + } + + cp = kdc_realmlist[i]->realm_tcp_ports; + while (cp && *cp) { + if (*cp == ',' || isspace((int) *cp)) { + cp++; + continue; + } + port = strtol(cp, &cp, 10); + if (cp == 0) + break; + retval = add_tcp_port(port); + if (retval) + return retval; + } } setup_data.retval = 0; @@ -951,15 +952,15 @@ setup_network() setup_data.udp_flags = UDP_DO_IPV4 | UDP_DO_IPV6; setup_udp_pktinfo_ports(&setup_data); if (setup_data.udp_flags) { - if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { - return setup_data.retval; - } + if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { + return setup_data.retval; + } } setup_tcp_listener_ports(&setup_data); krb5_klog_syslog (LOG_INFO, "set up %d sockets", n_sockets); if (n_sockets == 0) { - kdc_err(NULL, 0, "no sockets set up?"); - exit (1); + kdc_err(NULL, 0, "no sockets set up?"); + exit (1); } return 0; @@ -969,45 +970,45 @@ static void init_addr(krb5_fulladdr *faddr, struct sockaddr *sa) { switch (sa->sa_family) { case AF_INET: - faddr->address->addrtype = ADDRTYPE_INET; - faddr->address->length = 4; - faddr->address->contents = (krb5_octet *) &sa2sin(sa)->sin_addr; - faddr->port = ntohs(sa2sin(sa)->sin_port); - break; + faddr->address->addrtype = ADDRTYPE_INET; + faddr->address->length = 4; + faddr->address->contents = (krb5_octet *) &sa2sin(sa)->sin_addr; + faddr->port = ntohs(sa2sin(sa)->sin_port); + break; #ifdef KRB5_USE_INET6 case AF_INET6: - if (IN6_IS_ADDR_V4MAPPED(&sa2sin6(sa)->sin6_addr)) { - faddr->address->addrtype = ADDRTYPE_INET; - faddr->address->length = 4; - faddr->address->contents = 12 + (krb5_octet *) &sa2sin6(sa)->sin6_addr; - } else { - faddr->address->addrtype = ADDRTYPE_INET6; - faddr->address->length = 16; - faddr->address->contents = (krb5_octet *) &sa2sin6(sa)->sin6_addr; - } - faddr->port = ntohs(sa2sin6(sa)->sin6_port); - break; + if (IN6_IS_ADDR_V4MAPPED(&sa2sin6(sa)->sin6_addr)) { + faddr->address->addrtype = ADDRTYPE_INET; + faddr->address->length = 4; + faddr->address->contents = 12 + (krb5_octet *) &sa2sin6(sa)->sin6_addr; + } else { + faddr->address->addrtype = ADDRTYPE_INET6; + faddr->address->length = 16; + faddr->address->contents = (krb5_octet *) &sa2sin6(sa)->sin6_addr; + } + faddr->port = ntohs(sa2sin6(sa)->sin6_port); + break; #endif default: - faddr->address->addrtype = -1; - faddr->address->length = 0; - faddr->address->contents = 0; - faddr->port = 0; - break; + faddr->address->addrtype = -1; + faddr->address->length = 0; + faddr->address->contents = 0; + faddr->port = 0; + break; } } static int recv_from_to(int s, void *buf, size_t len, int flags, - struct sockaddr *from, socklen_t *fromlen, - struct sockaddr *to, socklen_t *tolen) + struct sockaddr *from, socklen_t *fromlen, + struct sockaddr *to, socklen_t *tolen) { #if (!defined(IP_PKTINFO) && !defined(IPV6_PKTINFO)) || !defined(CMSG_SPACE) if (to && tolen) { - /* Clobber with something recognizeable in case we try to use - the address. */ - memset(to, 0x40, *tolen); - *tolen = 0; + /* Clobber with something recognizeable in case we try to use + the address. */ + memset(to, 0x40, *tolen); + *tolen = 0; } return recvfrom(s, buf, len, flags, from, fromlen); #else @@ -1018,7 +1019,7 @@ recv_from_to(int s, void *buf, size_t len, int flags, struct msghdr msg; if (!to || !tolen) - return recvfrom(s, buf, len, flags, from, fromlen); + return recvfrom(s, buf, len, flags, from, fromlen); /* Clobber with something recognizeable in case we can't extract the address but try to use it anyways. */ @@ -1036,7 +1037,7 @@ recv_from_to(int s, void *buf, size_t len, int flags, r = recvmsg(s, &msg, flags); if (r < 0) - return r; + return r; *fromlen = msg.msg_namelen; /* On Darwin (and presumably all *BSD with KAME stacks), @@ -1044,36 +1045,36 @@ recv_from_to(int s, void *buf, size_t len, int flags, 3542 recommends making this check, even though the (new) spec for CMSG_FIRSTHDR says it's supposed to do the check. */ if (msg.msg_controllen) { - cmsgptr = CMSG_FIRSTHDR(&msg); - while (cmsgptr) { + cmsgptr = CMSG_FIRSTHDR(&msg); + while (cmsgptr) { #ifdef IP_PKTINFO - if (cmsgptr->cmsg_level == IPPROTO_IP - && cmsgptr->cmsg_type == IP_PKTINFO - && *tolen >= sizeof(struct sockaddr_in)) { - struct in_pktinfo *pktinfo; - memset(to, 0, sizeof(struct sockaddr_in)); - pktinfo = (struct in_pktinfo *)CMSG_DATA(cmsgptr); - ((struct sockaddr_in *)to)->sin_addr = pktinfo->ipi_addr; - ((struct sockaddr_in *)to)->sin_family = AF_INET; - *tolen = sizeof(struct sockaddr_in); - return r; - } + if (cmsgptr->cmsg_level == IPPROTO_IP + && cmsgptr->cmsg_type == IP_PKTINFO + && *tolen >= sizeof(struct sockaddr_in)) { + struct in_pktinfo *pktinfo; + memset(to, 0, sizeof(struct sockaddr_in)); + pktinfo = (struct in_pktinfo *)CMSG_DATA(cmsgptr); + ((struct sockaddr_in *)to)->sin_addr = pktinfo->ipi_addr; + ((struct sockaddr_in *)to)->sin_family = AF_INET; + *tolen = sizeof(struct sockaddr_in); + return r; + } #endif #if defined(KRB5_USE_INET6) && defined(IPV6_PKTINFO)&& defined(HAVE_STRUCT_IN6_PKTINFO) - if (cmsgptr->cmsg_level == IPPROTO_IPV6 - && cmsgptr->cmsg_type == IPV6_PKTINFO - && *tolen >= sizeof(struct sockaddr_in6)) { - struct in6_pktinfo *pktinfo; - memset(to, 0, sizeof(struct sockaddr_in6)); - pktinfo = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); - ((struct sockaddr_in6 *)to)->sin6_addr = pktinfo->ipi6_addr; - ((struct sockaddr_in6 *)to)->sin6_family = AF_INET6; - *tolen = sizeof(struct sockaddr_in6); - return r; - } + if (cmsgptr->cmsg_level == IPPROTO_IPV6 + && cmsgptr->cmsg_type == IPV6_PKTINFO + && *tolen >= sizeof(struct sockaddr_in6)) { + struct in6_pktinfo *pktinfo; + memset(to, 0, sizeof(struct sockaddr_in6)); + pktinfo = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); + ((struct sockaddr_in6 *)to)->sin6_addr = pktinfo->ipi6_addr; + ((struct sockaddr_in6 *)to)->sin6_family = AF_INET6; + *tolen = sizeof(struct sockaddr_in6); + return r; + } #endif - cmsgptr = CMSG_NXTHDR(&msg, cmsgptr); - } + cmsgptr = CMSG_NXTHDR(&msg, cmsgptr); + } } /* No info about destination addr was available. */ *tolen = 0; @@ -1083,8 +1084,8 @@ recv_from_to(int s, void *buf, size_t len, int flags, static int send_to_from(int s, void *buf, size_t len, int flags, - const struct sockaddr *to, socklen_t tolen, - const struct sockaddr *from, socklen_t fromlen) + const struct sockaddr *to, socklen_t tolen, + const struct sockaddr *from, socklen_t fromlen) { #if (!defined(IP_PKTINFO) && !defined(IPV6_PKTINFO)) || !defined(CMSG_SPACE) return sendto(s, buf, len, flags, to, tolen); @@ -1096,14 +1097,14 @@ send_to_from(int s, void *buf, size_t len, int flags, if (from == 0 || fromlen == 0 || from->sa_family != to->sa_family) { use_sendto: - return sendto(s, buf, len, flags, to, tolen); + return sendto(s, buf, len, flags, to, tolen); } iov.iov_base = buf; iov.iov_len = len; /* Truncation? */ if (iov.iov_len != len) - return EINVAL; + return EINVAL; memset(cbuf, 0, sizeof(cbuf)); memset(&msg, 0, sizeof(msg)); msg.msg_name = (void *) to; @@ -1120,36 +1121,36 @@ send_to_from(int s, void *buf, size_t len, int flags, switch (from->sa_family) { #if defined(IP_PKTINFO) case AF_INET: - if (fromlen != sizeof(struct sockaddr_in)) - goto use_sendto; - cmsgptr->cmsg_level = IPPROTO_IP; - cmsgptr->cmsg_type = IP_PKTINFO; - cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); - { - struct in_pktinfo *p = (struct in_pktinfo *)CMSG_DATA(cmsgptr); - const struct sockaddr_in *from4 = (const struct sockaddr_in *)from; - p->ipi_spec_dst = from4->sin_addr; - } - msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); - break; + if (fromlen != sizeof(struct sockaddr_in)) + goto use_sendto; + cmsgptr->cmsg_level = IPPROTO_IP; + cmsgptr->cmsg_type = IP_PKTINFO; + cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + { + struct in_pktinfo *p = (struct in_pktinfo *)CMSG_DATA(cmsgptr); + const struct sockaddr_in *from4 = (const struct sockaddr_in *)from; + p->ipi_spec_dst = from4->sin_addr; + } + msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); + break; #endif #if defined(KRB5_USE_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_STRUCT_IN6_PKTINFO) case AF_INET6: - if (fromlen != sizeof(struct sockaddr_in6)) - goto use_sendto; - cmsgptr->cmsg_level = IPPROTO_IPV6; - cmsgptr->cmsg_type = IPV6_PKTINFO; - cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); - { - struct in6_pktinfo *p = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); - const struct sockaddr_in6 *from6 = (const struct sockaddr_in6 *)from; - p->ipi6_addr = from6->sin6_addr; - } - msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); - break; + if (fromlen != sizeof(struct sockaddr_in6)) + goto use_sendto; + cmsgptr->cmsg_level = IPPROTO_IPV6; + cmsgptr->cmsg_type = IPV6_PKTINFO; + cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + { + struct in6_pktinfo *p = (struct in6_pktinfo *)CMSG_DATA(cmsgptr); + const struct sockaddr_in6 *from6 = (const struct sockaddr_in6 *)from; + p->ipi6_addr = from6->sin6_addr; + } + msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); + break; #endif default: - goto use_sendto; + goto use_sendto; } return sendmsg(s, &msg, flags); #endif @@ -1167,7 +1168,7 @@ make_too_big_error (krb5_data **out) retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec); if (retval) - return retval; + return retval; errpkt.error = KRB_ERR_RESPONSE_TOO_BIG; errpkt.server = tgs_server; errpkt.client = NULL; @@ -1177,11 +1178,11 @@ make_too_big_error (krb5_data **out) errpkt.e_data.data = 0; scratch = malloc(sizeof(*scratch)); if (scratch == NULL) - return ENOMEM; + return ENOMEM; retval = krb5_mk_error(kdc_context, &errpkt, scratch); if (retval) { - free(scratch); - return retval; + free(scratch); + return retval; } *out = scratch; @@ -1205,28 +1206,28 @@ static void process_packet(struct connection *conn, int selflags) saddr_len = sizeof(saddr); daddr_len = sizeof(daddr); cc = recv_from_to(port_fd, pktbuf, sizeof(pktbuf), 0, - (struct sockaddr *)&saddr, &saddr_len, - (struct sockaddr *)&daddr, &daddr_len); + (struct sockaddr *)&saddr, &saddr_len, + (struct sockaddr *)&daddr, &daddr_len); if (cc == -1) { - if (errno != EINTR - /* This is how Linux indicates that a previous - transmission was refused, e.g., if the client timed out - before getting the response packet. */ - && errno != ECONNREFUSED - ) - kdc_err(NULL, errno, "while receiving from network"); - return; + if (errno != EINTR + /* This is how Linux indicates that a previous + transmission was refused, e.g., if the client timed out + before getting the response packet. */ + && errno != ECONNREFUSED + ) + kdc_err(NULL, errno, "while receiving from network"); + return; } if (!cc) - return; /* zero-length packet? */ + return; /* zero-length packet? */ #if 0 if (daddr_len > 0) { - char addrbuf[100]; - if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf), - 0, 0, NI_NUMERICHOST)) - strlcpy(addrbuf, "?", sizeof(addrbuf)); - kdc_err(NULL, 0, "pktinfo says local addr is %s", addrbuf); + char addrbuf[100]; + if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf), + 0, 0, NI_NUMERICHOST)) + strlcpy(addrbuf, "?", sizeof(addrbuf)); + kdc_err(NULL, 0, "pktinfo says local addr is %s", addrbuf); } #endif @@ -1236,38 +1237,38 @@ static void process_packet(struct connection *conn, int selflags) init_addr(&faddr, ss2sa(&saddr)); /* this address is in net order */ if ((retval = dispatch(&request, &faddr, &response))) { - kdc_err(NULL, retval, "while dispatching (udp)"); - return; + kdc_err(NULL, retval, "while dispatching (udp)"); + return; } if (response == NULL) - return; + return; if (response->length > max_dgram_reply_size) { - krb5_free_data(kdc_context, response); - retval = make_too_big_error(&response); - if (retval) { - krb5_klog_syslog(LOG_ERR, - "error constructing KRB_ERR_RESPONSE_TOO_BIG error: %s", - error_message(retval)); - return; - } + krb5_free_data(kdc_context, response); + retval = make_too_big_error(&response); + if (retval) { + krb5_klog_syslog(LOG_ERR, + "error constructing KRB_ERR_RESPONSE_TOO_BIG error: %s", + error_message(retval)); + return; + } } cc = send_to_from(port_fd, response->data, (socklen_t) response->length, 0, - (struct sockaddr *)&saddr, saddr_len, - (struct sockaddr *)&daddr, daddr_len); + (struct sockaddr *)&saddr, saddr_len, + (struct sockaddr *)&daddr, daddr_len); if (cc == -1) { - char addrbuf[46]; + char addrbuf[46]; krb5_free_data(kdc_context, response); - if (inet_ntop(((struct sockaddr *)&saddr)->sa_family, - addr.contents, addrbuf, sizeof(addrbuf)) == 0) { - strlcpy(addrbuf, "?", sizeof(addrbuf)); - } - kdc_err(NULL, errno, "while sending reply to %s/%d", - addrbuf, faddr.port); - return; + if (inet_ntop(((struct sockaddr *)&saddr)->sa_family, + addr.contents, addrbuf, sizeof(addrbuf)) == 0) { + strlcpy(addrbuf, "?", sizeof(addrbuf)); + } + kdc_err(NULL, errno, "while sending reply to %s/%d", + addrbuf, faddr.port); + return; } if (cc != response->length) { - kdc_err(NULL, 0, "short reply write %d vs %d\n", - response->length, cc); + kdc_err(NULL, 0, "short reply write %d vs %d\n", + response->length, cc); } krb5_free_data(kdc_context, response); return; @@ -1290,12 +1291,12 @@ static void accept_tcp_connection(struct connection *conn, int selflags) s = accept(conn->fd, addr, &addrlen); if (s < 0) - return; + return; set_cloexec_fd(s); #ifndef _WIN32 if (s >= FD_SETSIZE) { - close(s); - return; + close(s); + return; } #endif setnbio(s), setnolinger(s), setkeepalive(s); @@ -1304,26 +1305,26 @@ static void accept_tcp_connection(struct connection *conn, int selflags) newconn = add_tcp_data_fd(&sockdata, s); if (newconn == NULL) - return; + return; if (getnameinfo((struct sockaddr *)&addr_s, addrlen, - newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf), - tmpbuf, sizeof(tmpbuf), - NI_NUMERICHOST | NI_NUMERICSERV)) - strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf)); + newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf), + tmpbuf, sizeof(tmpbuf), + NI_NUMERICHOST | NI_NUMERICSERV)) + strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf)); else { - char *p, *end; - p = newconn->u.tcp.addrbuf; - end = p + sizeof(newconn->u.tcp.addrbuf); - p += strlen(p); - if (end - p > 2 + strlen(tmpbuf)) { - *p++ = '.'; - strlcpy(p, tmpbuf, end - p); - } + char *p, *end; + p = newconn->u.tcp.addrbuf; + end = p + sizeof(newconn->u.tcp.addrbuf); + p += strlen(p); + if (end - p > 2 + strlen(tmpbuf)) { + *p++ = '.'; + strlcpy(p, tmpbuf, end - p); + } } #if 0 krb5_klog_syslog(LOG_INFO, "accepted TCP connection on socket %d from %s", - s, newconn->u.tcp.addrbuf); + s, newconn->u.tcp.addrbuf); #endif newconn->u.tcp.addr_s = addr_s; @@ -1333,38 +1334,38 @@ static void accept_tcp_connection(struct connection *conn, int selflags) newconn->u.tcp.start_time = time(0); if (++tcp_data_counter > max_tcp_data_connections) { - struct connection *oldest_tcp = NULL; - struct connection *c; - int i; + struct connection *oldest_tcp = NULL; + struct connection *c; + int i; - krb5_klog_syslog(LOG_INFO, "too many connections"); + krb5_klog_syslog(LOG_INFO, "too many connections"); - FOREACH_ELT (connections, i, c) { - if (c->type != CONN_TCP) - continue; - if (c == newconn) - continue; + FOREACH_ELT (connections, i, c) { + if (c->type != CONN_TCP) + continue; + if (c == newconn) + continue; #if 0 - krb5_klog_syslog(LOG_INFO, "fd %d started at %ld", c->fd, - c->u.tcp.start_time); + krb5_klog_syslog(LOG_INFO, "fd %d started at %ld", c->fd, + c->u.tcp.start_time); #endif - if (oldest_tcp == NULL - || oldest_tcp->u.tcp.start_time > c->u.tcp.start_time) - oldest_tcp = c; - } - if (oldest_tcp != NULL) { - krb5_klog_syslog(LOG_INFO, "dropping tcp fd %d from %s", - oldest_tcp->fd, oldest_tcp->u.tcp.addrbuf); - kill_tcp_connection(oldest_tcp); - } + if (oldest_tcp == NULL + || oldest_tcp->u.tcp.start_time > c->u.tcp.start_time) + oldest_tcp = c; + } + if (oldest_tcp != NULL) { + krb5_klog_syslog(LOG_INFO, "dropping tcp fd %d from %s", + oldest_tcp->fd, oldest_tcp->u.tcp.addrbuf); + kill_tcp_connection(oldest_tcp); + } } if (newconn->u.tcp.buffer == 0) { - kdc_err(NULL, errno, "allocating buffer for new TCP session from %s", - newconn->u.tcp.addrbuf); - delete_fd(newconn); - close(s); - tcp_data_counter--; - return; + kdc_err(NULL, errno, "allocating buffer for new TCP session from %s", + newconn->u.tcp.addrbuf); + delete_fd(newconn); + close(s); + tcp_data_counter--; + return; } newconn->u.tcp.offset = 0; newconn->u.tcp.faddr.address = &newconn->u.tcp.kaddr; @@ -1374,25 +1375,25 @@ static void accept_tcp_connection(struct connection *conn, int selflags) FD_SET(s, &sstate.rfds); if (sstate.max <= s) - sstate.max = s + 1; + sstate.max = s + 1; } static void kill_tcp_connection(struct connection *conn) { if (conn->u.tcp.response) - krb5_free_data(kdc_context, conn->u.tcp.response); + krb5_free_data(kdc_context, conn->u.tcp.response); if (conn->u.tcp.buffer) - free(conn->u.tcp.buffer); + free(conn->u.tcp.buffer); FD_CLR(conn->fd, &sstate.rfds); FD_CLR(conn->fd, &sstate.wfds); if (sstate.max == conn->fd + 1) - while (sstate.max > 0 - && ! FD_ISSET(sstate.max-1, &sstate.rfds) - && ! FD_ISSET(sstate.max-1, &sstate.wfds) - /* && ! FD_ISSET(sstate.max-1, &sstate.xfds) */ - ) - sstate.max--; + while (sstate.max > 0 + && ! FD_ISSET(sstate.max-1, &sstate.rfds) + && ! FD_ISSET(sstate.max-1, &sstate.wfds) + /* && ! FD_ISSET(sstate.max-1, &sstate.xfds) */ + ) + sstate.max--; close(conn->fd); conn->fd = -1; delete_fd(conn); @@ -1408,7 +1409,7 @@ make_toolong_error (krb5_data **out) retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec); if (retval) - return retval; + return retval; errpkt.error = KRB_ERR_FIELD_TOOLONG; errpkt.server = tgs_server; errpkt.client = NULL; @@ -1420,11 +1421,11 @@ make_toolong_error (krb5_data **out) errpkt.e_data.data = 0; scratch = malloc(sizeof(*scratch)); if (scratch == NULL) - return ENOMEM; + return ENOMEM; retval = krb5_mk_error(kdc_context, &errpkt, scratch); if (retval) { - free(scratch); - return retval; + free(scratch); + return retval; } *out = scratch; @@ -1436,7 +1437,7 @@ queue_tcp_outgoing_response(struct connection *conn) { store_32_be(conn->u.tcp.response->length, conn->u.tcp.lenbuf); SG_SET(&conn->u.tcp.sgbuf[1], conn->u.tcp.response->data, - conn->u.tcp.response->length); + conn->u.tcp.response->length); conn->u.tcp.sgp = conn->u.tcp.sgbuf; conn->u.tcp.sgnum = 2; FD_SET(conn->fd, &sstate.wfds); @@ -1446,112 +1447,112 @@ static void process_tcp_connection(struct connection *conn, int selflags) { if (selflags & SSF_WRITE) { - ssize_t nwrote; - SOCKET_WRITEV_TEMP tmp; - - nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum, - tmp); - if (nwrote < 0) { - goto kill_tcp_connection; - } - if (nwrote == 0) - /* eof */ - goto kill_tcp_connection; - while (nwrote) { - sg_buf *sgp = conn->u.tcp.sgp; - if (nwrote < SG_LEN(sgp)) { - SG_ADVANCE(sgp, nwrote); - nwrote = 0; - } else { - nwrote -= SG_LEN(sgp); - conn->u.tcp.sgp++; - conn->u.tcp.sgnum--; - if (conn->u.tcp.sgnum == 0 && nwrote != 0) - abort(); - } - } - if (conn->u.tcp.sgnum == 0) { - /* finished sending */ - /* We should go back to reading, though if we sent a - FIELD_TOOLONG error in reply to a length with the high - bit set, RFC 4120 says we have to close the TCP - stream. */ - goto kill_tcp_connection; - } + ssize_t nwrote; + SOCKET_WRITEV_TEMP tmp; + + nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum, + tmp); + if (nwrote < 0) { + goto kill_tcp_connection; + } + if (nwrote == 0) + /* eof */ + goto kill_tcp_connection; + while (nwrote) { + sg_buf *sgp = conn->u.tcp.sgp; + if (nwrote < SG_LEN(sgp)) { + SG_ADVANCE(sgp, nwrote); + nwrote = 0; + } else { + nwrote -= SG_LEN(sgp); + conn->u.tcp.sgp++; + conn->u.tcp.sgnum--; + if (conn->u.tcp.sgnum == 0 && nwrote != 0) + abort(); + } + } + if (conn->u.tcp.sgnum == 0) { + /* finished sending */ + /* We should go back to reading, though if we sent a + FIELD_TOOLONG error in reply to a length with the high + bit set, RFC 4120 says we have to close the TCP + stream. */ + goto kill_tcp_connection; + } } else if (selflags & SSF_READ) { - /* Read message length and data into one big buffer, already - allocated at connect time. If we have a complete message, - we stop reading, so we should only be here if there is no - data in the buffer, or only an incomplete message. */ - size_t len; - ssize_t nread; - if (conn->u.tcp.offset < 4) { - /* msglen has not been computed */ - /* XXX Doing at least two reads here, letting the kernel - worry about buffering. It'll be faster when we add - code to manage the buffer here. */ - len = 4 - conn->u.tcp.offset; - nread = SOCKET_READ(conn->fd, - conn->u.tcp.buffer + conn->u.tcp.offset, len); - if (nread < 0) - /* error */ - goto kill_tcp_connection; - if (nread == 0) - /* eof */ - goto kill_tcp_connection; - conn->u.tcp.offset += nread; - if (conn->u.tcp.offset == 4) { - unsigned char *p = (unsigned char *)conn->u.tcp.buffer; - conn->u.tcp.msglen = load_32_be(p); - if (conn->u.tcp.msglen > conn->u.tcp.bufsiz - 4) { - krb5_error_code err; - /* message too big */ - krb5_klog_syslog(LOG_ERR, "TCP client %s wants %lu bytes, cap is %lu", - conn->u.tcp.addrbuf, (unsigned long) conn->u.tcp.msglen, - (unsigned long) conn->u.tcp.bufsiz - 4); - /* XXX Should return an error. */ - err = make_toolong_error (&conn->u.tcp.response); - if (err) { - krb5_klog_syslog(LOG_ERR, - "error constructing KRB_ERR_FIELD_TOOLONG error! %s", - error_message(err)); - goto kill_tcp_connection; - } - goto have_response; - } - } - } else { - /* msglen known */ - krb5_data request; - krb5_error_code err; - - len = conn->u.tcp.msglen - (conn->u.tcp.offset - 4); - nread = SOCKET_READ(conn->fd, - conn->u.tcp.buffer + conn->u.tcp.offset, len); - if (nread < 0) - /* error */ - goto kill_tcp_connection; - if (nread == 0) - /* eof */ - goto kill_tcp_connection; - conn->u.tcp.offset += nread; - if (conn->u.tcp.offset < conn->u.tcp.msglen + 4) - return; - /* have a complete message, and exactly one message */ - request.length = conn->u.tcp.msglen; - request.data = conn->u.tcp.buffer + 4; - err = dispatch(&request, &conn->u.tcp.faddr, - &conn->u.tcp.response); - if (err) { - kdc_err(NULL, err, "while dispatching (tcp)"); - goto kill_tcp_connection; - } - have_response: - queue_tcp_outgoing_response(conn); - FD_CLR(conn->fd, &sstate.rfds); - } + /* Read message length and data into one big buffer, already + allocated at connect time. If we have a complete message, + we stop reading, so we should only be here if there is no + data in the buffer, or only an incomplete message. */ + size_t len; + ssize_t nread; + if (conn->u.tcp.offset < 4) { + /* msglen has not been computed */ + /* XXX Doing at least two reads here, letting the kernel + worry about buffering. It'll be faster when we add + code to manage the buffer here. */ + len = 4 - conn->u.tcp.offset; + nread = SOCKET_READ(conn->fd, + conn->u.tcp.buffer + conn->u.tcp.offset, len); + if (nread < 0) + /* error */ + goto kill_tcp_connection; + if (nread == 0) + /* eof */ + goto kill_tcp_connection; + conn->u.tcp.offset += nread; + if (conn->u.tcp.offset == 4) { + unsigned char *p = (unsigned char *)conn->u.tcp.buffer; + conn->u.tcp.msglen = load_32_be(p); + if (conn->u.tcp.msglen > conn->u.tcp.bufsiz - 4) { + krb5_error_code err; + /* message too big */ + krb5_klog_syslog(LOG_ERR, "TCP client %s wants %lu bytes, cap is %lu", + conn->u.tcp.addrbuf, (unsigned long) conn->u.tcp.msglen, + (unsigned long) conn->u.tcp.bufsiz - 4); + /* XXX Should return an error. */ + err = make_toolong_error (&conn->u.tcp.response); + if (err) { + krb5_klog_syslog(LOG_ERR, + "error constructing KRB_ERR_FIELD_TOOLONG error! %s", + error_message(err)); + goto kill_tcp_connection; + } + goto have_response; + } + } + } else { + /* msglen known */ + krb5_data request; + krb5_error_code err; + + len = conn->u.tcp.msglen - (conn->u.tcp.offset - 4); + nread = SOCKET_READ(conn->fd, + conn->u.tcp.buffer + conn->u.tcp.offset, len); + if (nread < 0) + /* error */ + goto kill_tcp_connection; + if (nread == 0) + /* eof */ + goto kill_tcp_connection; + conn->u.tcp.offset += nread; + if (conn->u.tcp.offset < conn->u.tcp.msglen + 4) + return; + /* have a complete message, and exactly one message */ + request.length = conn->u.tcp.msglen; + request.data = conn->u.tcp.buffer + 4; + err = dispatch(&request, &conn->u.tcp.faddr, + &conn->u.tcp.response); + if (err) { + kdc_err(NULL, err, "while dispatching (tcp)"); + goto kill_tcp_connection; + } + have_response: + queue_tcp_outgoing_response(conn); + FD_CLR(conn->fd, &sstate.rfds); + } } else - abort(); + abort(); return; @@ -1581,79 +1582,79 @@ static int getcurtime(struct timeval *tvp) krb5_error_code listen_and_process() { - int nfound; + int nfound; /* This struct contains 3 fd_set objects; on some platforms, they can be rather large. Making this static avoids putting all that junk on the stack. */ static struct select_state sout; - int i, sret, netchanged = 0; - krb5_error_code err; + int i, sret, netchanged = 0; + krb5_error_code err; if (conns == (struct connection **) NULL) - return KDC5_NONET; - + return KDC5_NONET; + while (!signal_requests_exit) { - if (signal_requests_hup) { - int k; - - krb5_klog_reopen(kdc_context); - for (k = 0; k < kdc_numrealms; k++) - krb5_db_invoke(kdc_realmlist[k]->realm_context, - KRB5_KDB_METHOD_REFRESH_POLICY, - NULL, NULL); - signal_requests_hup = 0; - } - - if (network_reconfiguration_needed) { - /* No point in re-logging what we've just logged. */ - if (netchanged == 0) - krb5_klog_syslog(LOG_INFO, "network reconfiguration needed"); - /* It might be tidier to add a timer-callback interface to - the control loop here, but for this one use, it's not a - big deal. */ - err = getcurtime(&sstate.end_time); - if (err) { - kdc_err(NULL, err, "while getting the time"); - continue; - } - sstate.end_time.tv_sec += 3; - netchanged = 1; - } else - sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0; - - err = krb5int_cm_call_select(&sstate, &sout, &sret); - if (err) { - if (err != EINTR) - kdc_err(NULL, err, "while selecting for network input(1)"); - continue; - } - if (sret == 0 && netchanged) { - network_reconfiguration_needed = 0; - closedown_network(); - err = setup_network(); - if (err) { - kdc_err(NULL, err, "while reinitializing network"); - return err; - } - netchanged = 0; - } - if (sret == -1) { - if (errno != EINTR) - kdc_err(NULL, errno, "while selecting for network input(2)"); - continue; - } - nfound = sret; - for (i=0; i 0; i++) { - int sflags = 0; - if (conns[i]->fd < 0) - abort(); - if (FD_ISSET(conns[i]->fd, &sout.rfds)) - sflags |= SSF_READ, nfound--; - if (FD_ISSET(conns[i]->fd, &sout.wfds)) - sflags |= SSF_WRITE, nfound--; - if (sflags) - service_conn(conns[i], sflags); - } + if (signal_requests_hup) { + int k; + + krb5_klog_reopen(kdc_context); + for (k = 0; k < kdc_numrealms; k++) + krb5_db_invoke(kdc_realmlist[k]->realm_context, + KRB5_KDB_METHOD_REFRESH_POLICY, + NULL, NULL); + signal_requests_hup = 0; + } + + if (network_reconfiguration_needed) { + /* No point in re-logging what we've just logged. */ + if (netchanged == 0) + krb5_klog_syslog(LOG_INFO, "network reconfiguration needed"); + /* It might be tidier to add a timer-callback interface to + the control loop here, but for this one use, it's not a + big deal. */ + err = getcurtime(&sstate.end_time); + if (err) { + kdc_err(NULL, err, "while getting the time"); + continue; + } + sstate.end_time.tv_sec += 3; + netchanged = 1; + } else + sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0; + + err = krb5int_cm_call_select(&sstate, &sout, &sret); + if (err) { + if (err != EINTR) + kdc_err(NULL, err, "while selecting for network input(1)"); + continue; + } + if (sret == 0 && netchanged) { + network_reconfiguration_needed = 0; + closedown_network(); + err = setup_network(); + if (err) { + kdc_err(NULL, err, "while reinitializing network"); + return err; + } + netchanged = 0; + } + if (sret == -1) { + if (errno != EINTR) + kdc_err(NULL, errno, "while selecting for network input(2)"); + continue; + } + nfound = sret; + for (i=0; i 0; i++) { + int sflags = 0; + if (conns[i]->fd < 0) + abort(); + if (FD_ISSET(conns[i]->fd, &sout.rfds)) + sflags |= SSF_READ, nfound--; + if (FD_ISSET(conns[i]->fd, &sout.wfds)) + sflags |= SSF_WRITE, nfound--; + if (sflags) + service_conn(conns[i], sflags); + } } krb5_klog_syslog(LOG_INFO, "shutdown signal received"); return 0; @@ -1666,19 +1667,19 @@ closedown_network() struct connection *conn; if (conns == (struct connection **) NULL) - return KDC5_NONET; + return KDC5_NONET; FOREACH_ELT (connections, i, conn) { - if (conn->fd >= 0) { - krb5_klog_syslog(LOG_INFO, "closing down fd %d", conn->fd); - (void) close(conn->fd); - } - DEL (connections, i); - /* There may also be per-connection data in the tcp structure - (tcp.buffer, tcp.response) that we're not freeing here. - That should only happen if we quit with a connection in - progress. */ - free(conn); + if (conn->fd >= 0) { + krb5_klog_syslog(LOG_INFO, "closing down fd %d", conn->fd); + (void) close(conn->fd); + } + DEL (connections, i); + /* There may also be per-connection data in the tcp structure + (tcp.buffer, tcp.response) that we're not freeing here. + That should only happen if we quit with a connection in + progress. */ + free(conn); } FREE_SET_DATA(connections); FREE_SET_DATA(udp_port_data); diff --git a/src/kdc/pkinit_apple_server.c b/src/kdc/pkinit_apple_server.c index b86c63444..ade1b8b76 100644 --- a/src/kdc/pkinit_apple_server.c +++ b/src/kdc/pkinit_apple_server.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved. * @@ -37,47 +38,47 @@ #include #define PKINIT_DEBUG 0 -#if PKINIT_DEBUG +#if PKINIT_DEBUG #define pkiDebug(args...) printf(args) #else #define pkiDebug(args...) #endif /* - * Parse PA-PK-AS-REQ message. Optionally evaluates the message's certificate chain. - * Optionally returns various components. + * Parse PA-PK-AS-REQ message. Optionally evaluates the message's certificate chain. + * Optionally returns various components. */ krb5_error_code krb5int_pkinit_as_req_parse( - krb5_context context, - const krb5_data *as_req, - krb5_timestamp *kctime, /* optionally RETURNED */ - krb5_ui_4 *cusec, /* microseconds, optionally RETURNED */ - krb5_ui_4 *nonce, /* optionally RETURNED */ - krb5_checksum *pa_cksum, /* optional, contents mallocd and RETURNED */ + krb5_context context, + const krb5_data *as_req, + krb5_timestamp *kctime, /* optionally RETURNED */ + krb5_ui_4 *cusec, /* microseconds, optionally RETURNED */ + krb5_ui_4 *nonce, /* optionally RETURNED */ + krb5_checksum *pa_cksum, /* optional, contents mallocd and RETURNED */ krb5int_cert_sig_status *cert_status,/* optionally RETURNED */ - krb5_ui_4 *num_cms_types, /* optionally RETURNED */ - krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */ + krb5_ui_4 *num_cms_types, /* optionally RETURNED */ + krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */ /* * Cert fields, all optionally RETURNED. * * signer_cert is the full X.509 leaf cert from the incoming SignedData. * all_certs is an array of all of the certs in the incoming SignedData, - * in full X.509 form. + * in full X.509 form. */ - krb5_data *signer_cert, /* content mallocd */ - krb5_ui_4 *num_all_certs, /* sizeof *all_certs */ - krb5_data **all_certs, /* krb5_data's and their content mallocd */ - + krb5_data *signer_cert, /* content mallocd */ + krb5_ui_4 *num_all_certs, /* sizeof *all_certs */ + krb5_data **all_certs, /* krb5_data's and their content mallocd */ + /* - * Array of trustedCertifiers, optionally RETURNED. These are DER-encoded - * issuer/serial numbers. + * Array of trustedCertifiers, optionally RETURNED. These are DER-encoded + * issuer/serial numbers. */ - krb5_ui_4 *num_trusted_CAs, /* sizeof *trusted_CAs */ - krb5_data **trusted_CAs, /* krb5_data's and their content mallocd */ - + krb5_ui_4 *num_trusted_CAs, /* sizeof *trusted_CAs */ + krb5_data **trusted_CAs, /* krb5_data's and their content mallocd */ + /* KDC cert specified by client as kdcPkId. DER-encoded issuer/serial number. */ - krb5_data *kdc_cert) + krb5_data *kdc_cert) { krb5_error_code krtn; krb5_data signed_auth_pack = {0, 0, NULL}; @@ -89,84 +90,84 @@ krb5_error_code krb5int_pkinit_as_req_parse( krb5_pkinit_cert_db_t cert_db = NULL; krb5_boolean is_signed; krb5_boolean is_encrypted; - + assert(as_req != NULL); - - /* + + /* * We always have to decode the top-level AS-REQ... */ krtn = krb5int_pkinit_pa_pk_as_req_decode(as_req, &signed_auth_pack, - num_trusted_CAs, trusted_CAs, /* optional */ - kdc_cert); /* optional */ + num_trusted_CAs, trusted_CAs, /* optional */ + kdc_cert); /* optional */ if (krtn) { - pkiDebug("krb5int_pkinit_pa_pk_as_req_decode returned %d\n", (int)krtn); - return krtn; + pkiDebug("krb5int_pkinit_pa_pk_as_req_decode returned %d\n", (int)krtn); + return krtn; } /* Do we need info about or from the ContentInto or AuthPack? */ - if ((kctime != NULL) || (cusec != NULL) || (nonce != NULL) || + if ((kctime != NULL) || (cusec != NULL) || (nonce != NULL) || (pa_cksum != NULL) || (cms_types != NULL)) { - need_auth_pack = TRUE; - raw_auth_pack_p = &raw_auth_pack; + need_auth_pack = TRUE; + raw_auth_pack_p = &raw_auth_pack; } if (need_auth_pack || (cert_status != NULL) || (signer_cert != NULL) || (all_certs != NULL)) { - proceed = TRUE; + proceed = TRUE; } if (!proceed) { - krtn = 0; - goto err_out; + krtn = 0; + goto err_out; } - + /* Parse and possibly verify the ContentInfo */ krtn = krb5_pkinit_get_kdc_cert_db(&cert_db); if (krtn) { - pkiDebug("pa_pk_as_req_parse: error in krb5_pkinit_get_kdc_cert_db\n"); - goto err_out; + pkiDebug("pa_pk_as_req_parse: error in krb5_pkinit_get_kdc_cert_db\n"); + goto err_out; } krtn = krb5int_pkinit_parse_cms_msg(&signed_auth_pack, cert_db, TRUE, - &is_signed, &is_encrypted, - raw_auth_pack_p, &content_type, signer_cert, cert_status, - num_all_certs, all_certs); + &is_signed, &is_encrypted, + raw_auth_pack_p, &content_type, signer_cert, cert_status, + num_all_certs, all_certs); if (krtn) { - pkiDebug("krb5int_pkinit_parse_content_info returned %d\n", (int)krtn); - goto err_out; + pkiDebug("krb5int_pkinit_parse_content_info returned %d\n", (int)krtn); + goto err_out; } if (is_encrypted || !is_signed) { - pkiDebug("pkinit_parse_content_info: is_encrypted %s is_signed %s!\n", - is_encrypted ? "true" :"false", - is_signed ? "true" : "false"); - krtn = KRB5KDC_ERR_PREAUTH_FAILED; - goto err_out; + pkiDebug("pkinit_parse_content_info: is_encrypted %s is_signed %s!\n", + is_encrypted ? "true" :"false", + is_signed ? "true" : "false"); + krtn = KRB5KDC_ERR_PREAUTH_FAILED; + goto err_out; } if (content_type != ECT_PkAuthData) { - pkiDebug("authPack eContentType %d!\n", (int)content_type); - krtn = KRB5KDC_ERR_PREAUTH_FAILED; - goto err_out; + pkiDebug("authPack eContentType %d!\n", (int)content_type); + krtn = KRB5KDC_ERR_PREAUTH_FAILED; + goto err_out; } - + /* optionally parse contents of authPack */ if (need_auth_pack) { - krtn = krb5int_pkinit_auth_pack_decode(&raw_auth_pack, kctime, - cusec, nonce, pa_cksum, + krtn = krb5int_pkinit_auth_pack_decode(&raw_auth_pack, kctime, + cusec, nonce, pa_cksum, cms_types, num_cms_types); - if(krtn) { - pkiDebug("krb5int_pkinit_auth_pack_decode returned %d\n", (int)krtn); - goto err_out; - } + if(krtn) { + pkiDebug("krb5int_pkinit_auth_pack_decode returned %d\n", (int)krtn); + goto err_out; + } } err_out: /* free temp mallocd data that we didn't pass back to caller */ if(signed_auth_pack.data) { - free(signed_auth_pack.data); + free(signed_auth_pack.data); } if(raw_auth_pack.data) { - free(raw_auth_pack.data); + free(raw_auth_pack.data); } if(cert_db) { - krb5_pkinit_release_cert_db(cert_db); + krb5_pkinit_release_cert_db(cert_db); } return krtn; } @@ -179,61 +180,61 @@ err_out: * PA-PK-AS-REP ::= EnvelopedData(SignedData(ReplyKeyPack)) */ krb5_error_code krb5int_pkinit_as_rep_create( - krb5_context context, - const krb5_keyblock *key_block, - const krb5_checksum *checksum, /* checksum of corresponding AS-REQ */ - krb5_pkinit_signing_cert_t signer_cert, /* server's cert */ - krb5_boolean include_server_cert,/* include signer_cert in SignerInfo */ - const krb5_data *recipient_cert, /* client's cert */ - - /* - * These correspond to the same out-parameters from - * krb5int_pkinit_as_req_parse(). All are optional. + krb5_context context, + const krb5_keyblock *key_block, + const krb5_checksum *checksum, /* checksum of corresponding AS-REQ */ + krb5_pkinit_signing_cert_t signer_cert, /* server's cert */ + krb5_boolean include_server_cert,/* include signer_cert in SignerInfo */ + const krb5_data *recipient_cert, /* client's cert */ + + /* + * These correspond to the same out-parameters from + * krb5int_pkinit_as_req_parse(). All are optional. */ - krb5_ui_4 num_cms_types, - const krb5int_algorithm_id *cms_types, - krb5_ui_4 num_trusted_CAs, - krb5_data *trusted_CAs, - krb5_data *kdc_cert, - - krb5_data *as_rep) /* mallocd and RETURNED */ + krb5_ui_4 num_cms_types, + const krb5int_algorithm_id *cms_types, + krb5_ui_4 num_trusted_CAs, + krb5_data *trusted_CAs, + krb5_data *kdc_cert, + + krb5_data *as_rep) /* mallocd and RETURNED */ { krb5_data reply_key_pack = {0, 0, NULL}; krb5_error_code krtn; krb5_data enc_key_pack = {0, 0, NULL}; - + /* innermost content = ReplyKeyPack */ - krtn = krb5int_pkinit_reply_key_pack_encode(key_block, checksum, + krtn = krb5int_pkinit_reply_key_pack_encode(key_block, checksum, &reply_key_pack); if (krtn) { - return krtn; + return krtn; } - - /* + + /* * Put that in an EnvelopedData(SignedData) * -- SignedData.EncapsulatedData.ContentType = id-pkinit-rkeyData */ krtn = krb5int_pkinit_create_cms_msg(&reply_key_pack, - signer_cert, - recipient_cert, - ECT_PkReplyKeyKata, - num_cms_types, cms_types, - &enc_key_pack); + signer_cert, + recipient_cert, + ECT_PkReplyKeyKata, + num_cms_types, cms_types, + &enc_key_pack); if (krtn) { - goto err_out; + goto err_out; } - + /* * Finally, wrap that inside of PA-PK-AS-REP */ krtn = krb5int_pkinit_pa_pk_as_rep_encode(NULL, &enc_key_pack, as_rep); - + err_out: if (reply_key_pack.data) { - free(reply_key_pack.data); + free(reply_key_pack.data); } if (enc_key_pack.data) { - free(enc_key_pack.data); + free(enc_key_pack.data); } return krtn; } diff --git a/src/kdc/pkinit_server.h b/src/kdc/pkinit_server.h index 773b497e0..b97cb9867 100644 --- a/src/kdc/pkinit_server.h +++ b/src/kdc/pkinit_server.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved. * @@ -42,41 +43,41 @@ extern "C" { /* * Parse PA-PK-AS-REQ message. Optionally evaluates the message's certificate chain - * if cert_status is non-NULL. Optionally returns various components. + * if cert_status is non-NULL. Optionally returns various components. */ krb5_error_code krb5int_pkinit_as_req_parse( - krb5_context context, - const krb5_data *as_req, - krb5_timestamp *kctime, /* optionally RETURNED */ - krb5_ui_4 *cusec, /* microseconds, optionally RETURNED */ - krb5_ui_4 *nonce, /* optionally RETURNED */ - krb5_checksum *pa_cksum, /* optional, contents mallocd and RETURNED */ + krb5_context context, + const krb5_data *as_req, + krb5_timestamp *kctime, /* optionally RETURNED */ + krb5_ui_4 *cusec, /* microseconds, optionally RETURNED */ + krb5_ui_4 *nonce, /* optionally RETURNED */ + krb5_checksum *pa_cksum, /* optional, contents mallocd and RETURNED */ krb5int_cert_sig_status *cert_status, /* optionally RETURNED */ - krb5_ui_4 *num_cms_types, /* optionally RETURNED */ - krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */ + krb5_ui_4 *num_cms_types, /* optionally RETURNED */ + krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */ /* * Cert fields, all optionally RETURNED. * * signer_cert is the full X.509 leaf cert from the incoming SignedData. * all_certs is an array of all of the certs in the incoming SignedData, - * in full X.509 form. + * in full X.509 form. */ - krb5_data *signer_cert, /* content mallocd */ - krb5_ui_4 *num_all_certs, /* sizeof *all_certs */ - krb5_data **all_certs, /* krb5_data's and their content mallocd */ - + krb5_data *signer_cert, /* content mallocd */ + krb5_ui_4 *num_all_certs, /* sizeof *all_certs */ + krb5_data **all_certs, /* krb5_data's and their content mallocd */ + /* - * Array of trustedCertifiers, optionally RETURNED. These are DER-encoded - * issuer/serial numbers. + * Array of trustedCertifiers, optionally RETURNED. These are DER-encoded + * issuer/serial numbers. */ - krb5_ui_4 *num_trusted_CAs, /* sizeof *trustedCAs */ - krb5_data **trusted_CAs, /* krb5_data's and their content mallocd */ - + krb5_ui_4 *num_trusted_CAs, /* sizeof *trustedCAs */ + krb5_data **trusted_CAs, /* krb5_data's and their content mallocd */ + /* KDC cert specified by client as kdcPkId. DER-encoded issuer/serial number. */ - krb5_data *kdc_cert); - - + krb5_data *kdc_cert); + + /* * Create a PA-PK-AS-REP message, public key (no Diffie Hellman) version. * @@ -85,26 +86,26 @@ krb5_error_code krb5int_pkinit_as_req_parse( * PA-PK-AS-REP ::= EnvelopedData(SignedData(ReplyKeyPack)) */ krb5_error_code krb5int_pkinit_as_rep_create( - krb5_context context, - const krb5_keyblock *key_block, - const krb5_checksum *checksum, /* checksum of corresponding AS-REQ */ - krb5_pkinit_signing_cert_t signer_cert, /* server's cert */ - krb5_boolean include_server_cert, /* include signer_cert in SignerInfo */ - const krb5_data *recipient_cert, /* client's cert */ - - /* - * These correspond to the same out-parameters from - * krb5int_pkinit_as_req_parse(). All are optional. + krb5_context context, + const krb5_keyblock *key_block, + const krb5_checksum *checksum, /* checksum of corresponding AS-REQ */ + krb5_pkinit_signing_cert_t signer_cert, /* server's cert */ + krb5_boolean include_server_cert, /* include signer_cert in SignerInfo */ + const krb5_data *recipient_cert, /* client's cert */ + + /* + * These correspond to the same out-parameters from + * krb5int_pkinit_as_req_parse(). All are optional. */ - krb5_ui_4 num_cms_types, - const krb5int_algorithm_id *cms_types, - krb5_ui_4 num_trusted_CAs, - krb5_data *trusted_CAs, - krb5_data *kdc_cert, - + krb5_ui_4 num_cms_types, + const krb5int_algorithm_id *cms_types, + krb5_ui_4 num_trusted_CAs, + krb5_data *trusted_CAs, + krb5_data *kdc_cert, + /* result here, mallocd and RETURNED */ - krb5_data *as_rep); - + krb5_data *as_rep); + #ifdef __cplusplus } #endif diff --git a/src/kdc/policy.c b/src/kdc/policy.c index d4a70feb6..aefddfffc 100644 --- a/src/kdc/policy.c +++ b/src/kdc/policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/policy.c * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Policy decision routines for KDC. */ @@ -59,30 +60,30 @@ int against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client, - krb5_db_entry server, krb5_timestamp kdc_time, - const char **status, krb5_data *e_data) + krb5_db_entry server, krb5_timestamp kdc_time, + const char **status, krb5_data *e_data) { - krb5_error_code code; - kdb_check_policy_as_req req; - kdb_check_policy_as_rep rep; - krb5_data req_data; - krb5_data rep_data; + krb5_error_code code; + kdb_check_policy_as_req req; + kdb_check_policy_as_rep rep; + krb5_data req_data; + krb5_data rep_data; #if 0 - /* An AS request must include the addresses field */ + /* An AS request must include the addresses field */ if (request->addresses == 0) { - *status = "NO ADDRESS"; - return KRB5KDC_ERR_POLICY; + *status = "NO ADDRESS"; + return KRB5KDC_ERR_POLICY; } #endif memset(&req, 0, sizeof(req)); memset(&rep, 0, sizeof(rep)); - req.request = request; - req.client = &client; - req.server = &server; - req.kdc_time = kdc_time; + req.request = request; + req.client = &client; + req.server = &server; + req.kdc_time = kdc_time; req_data.data = (void *)&req; req_data.length = sizeof(req); @@ -91,19 +92,19 @@ against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client, rep_data.length = sizeof(rep); code = krb5_db_invoke(kdc_context, - KRB5_KDB_METHOD_CHECK_POLICY_AS, - &req_data, - &rep_data); + KRB5_KDB_METHOD_CHECK_POLICY_AS, + &req_data, + &rep_data); if (code == KRB5_KDB_DBTYPE_NOSUP) - return 0; + return 0; *status = rep.status; *e_data = rep.e_data; if (code != 0) { - code -= ERROR_TABLE_BASE_krb5; - if (code < 0 || code > 128) - code = KRB_ERR_GENERIC; + code -= ERROR_TABLE_BASE_krb5; + if (code < 0 || code > 128) + code = KRB_ERR_GENERIC; } return code; @@ -114,33 +115,33 @@ against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client, */ krb5_error_code against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server, - krb5_ticket *ticket, const char **status, - krb5_data *e_data) + krb5_ticket *ticket, const char **status, + krb5_data *e_data) { - krb5_error_code code; - kdb_check_policy_tgs_req req; - kdb_check_policy_tgs_rep rep; - krb5_data req_data; - krb5_data rep_data; + krb5_error_code code; + kdb_check_policy_tgs_req req; + kdb_check_policy_tgs_rep rep; + krb5_data req_data; + krb5_data rep_data; #if 0 /* * For example, if your site wants to disallow ticket forwarding, * you might do something like this: */ - + if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) { - *status = "FORWARD POLICY"; - return KRB5KDC_ERR_POLICY; + *status = "FORWARD POLICY"; + return KRB5KDC_ERR_POLICY; } #endif memset(&req, 0, sizeof(req)); memset(&rep, 0, sizeof(rep)); - req.request = request; - req.server = &server; - req.ticket = ticket; + req.request = request; + req.server = &server; + req.ticket = ticket; req_data.data = (void *)&req; req_data.length = sizeof(req); @@ -149,21 +150,20 @@ against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server, rep_data.length = sizeof(rep); code = krb5_db_invoke(kdc_context, - KRB5_KDB_METHOD_CHECK_POLICY_TGS, - &req_data, - &rep_data); + KRB5_KDB_METHOD_CHECK_POLICY_TGS, + &req_data, + &rep_data); if (code == KRB5_KDB_DBTYPE_NOSUP) - return 0; + return 0; *status = rep.status; *e_data = rep.e_data; if (code != 0) { - code -= ERROR_TABLE_BASE_krb5; - if (code < 0 || code > 128) - code = KRB_ERR_GENERIC; + code -= ERROR_TABLE_BASE_krb5; + if (code < 0 || code > 128) + code = KRB_ERR_GENERIC; } return code; } - diff --git a/src/kdc/policy.h b/src/kdc/policy.h index fe8307625..9ccf392b5 100644 --- a/src/kdc/policy.h +++ b/src/kdc/policy.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/policy.h * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Declarations for policy.c */ @@ -34,6 +35,6 @@ extern int against_postdate_policy (krb5_timestamp); extern int against_flag_policy_as (const krb5_kdc_req *); extern int against_flag_policy_tgs (const krb5_kdc_req *, - const krb5_ticket *); + const krb5_ticket *); #endif /* __KRB5_KDC_POLICY__ */ diff --git a/src/kdc/replay.c b/src/kdc/replay.c index e6c48a4ea..d53936f24 100644 --- a/src/kdc/replay.c +++ b/src/kdc/replay.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/replay.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Replay lookaside cache for the KDC, to avoid extra work. * @@ -50,17 +51,17 @@ static int calls = 0; static int max_hits_per_entry = 0; static int num_entries = 0; -#define STALE_TIME 2*60 /* two minutes */ -#define STALE(ptr) ((abs((ptr)->timein - timenow) >= STALE_TIME) || \ - ((ptr)->db_age != db_age)) +#define STALE_TIME 2*60 /* two minutes */ +#define STALE(ptr) ((abs((ptr)->timein - timenow) >= STALE_TIME) || \ + ((ptr)->db_age != db_age)) -#define MATCH(ptr) (((ptr)->req_packet->length == inpkt->length) && \ - !memcmp((ptr)->req_packet->data, inpkt->data, \ - inpkt->length) && \ - ((ptr)->db_age == db_age)) +#define MATCH(ptr) (((ptr)->req_packet->length == inpkt->length) && \ + !memcmp((ptr)->req_packet->data, inpkt->data, \ + inpkt->length) && \ + ((ptr)->db_age == db_age)) /* XXX Todo: quench the size of the queue... - */ +*/ /* return TRUE if outpkt is filled in with a packet to reply with, FALSE if the caller should do the work */ @@ -72,9 +73,9 @@ kdc_check_lookaside(krb5_data *inpkt, krb5_data **outpkt) register krb5_kdc_replay_ent *eptr, *last, *hold; time_t db_age; - if (krb5_timeofday(kdc_context, &timenow) || - krb5_db_get_age(kdc_context, 0, &db_age)) - return FALSE; + if (krb5_timeofday(kdc_context, &timenow) || + krb5_db_get_age(kdc_context, 0, &db_age)) + return FALSE; calls++; @@ -82,34 +83,34 @@ kdc_check_lookaside(krb5_data *inpkt, krb5_data **outpkt) stale entries while we're here */ if (root_ptr.next) { - for (last = &root_ptr, eptr = root_ptr.next; - eptr; - eptr = eptr->next) { - if (MATCH(eptr)) { - eptr->num_hits++; - hits++; - - if (krb5_copy_data(kdc_context, eptr->reply_packet, outpkt)) - return FALSE; - else - return TRUE; - /* return here, don't bother flushing even if it is stale. - if we just matched, we may get another retransmit... */ - } - if (STALE(eptr)) { - /* flush it and collect stats */ - max_hits_per_entry = max(max_hits_per_entry, eptr->num_hits); - krb5_free_data(kdc_context, eptr->req_packet); - krb5_free_data(kdc_context, eptr->reply_packet); - hold = eptr; - last->next = eptr->next; - eptr = last; - free(hold); - } else { - /* this isn't it, just move along */ - last = eptr; - } - } + for (last = &root_ptr, eptr = root_ptr.next; + eptr; + eptr = eptr->next) { + if (MATCH(eptr)) { + eptr->num_hits++; + hits++; + + if (krb5_copy_data(kdc_context, eptr->reply_packet, outpkt)) + return FALSE; + else + return TRUE; + /* return here, don't bother flushing even if it is stale. + if we just matched, we may get another retransmit... */ + } + if (STALE(eptr)) { + /* flush it and collect stats */ + max_hits_per_entry = max(max_hits_per_entry, eptr->num_hits); + krb5_free_data(kdc_context, eptr->req_packet); + krb5_free_data(kdc_context, eptr->reply_packet); + hold = eptr; + last->next = eptr->next; + eptr = last; + free(hold); + } else { + /* this isn't it, just move along */ + last = eptr; + } + } } return FALSE; } @@ -120,18 +121,18 @@ kdc_check_lookaside(krb5_data *inpkt, krb5_data **outpkt) void kdc_insert_lookaside(krb5_data *inpkt, krb5_data *outpkt) { - register krb5_kdc_replay_ent *eptr; + register krb5_kdc_replay_ent *eptr; krb5_int32 timenow; time_t db_age; - if (krb5_timeofday(kdc_context, &timenow) || - krb5_db_get_age(kdc_context, 0, &db_age)) - return; + if (krb5_timeofday(kdc_context, &timenow) || + krb5_db_get_age(kdc_context, 0, &db_age)) + return; /* this is a new entry */ eptr = (krb5_kdc_replay_ent *)calloc(1, sizeof(*eptr)); if (!eptr) - return; + return; eptr->timein = timenow; eptr->db_age = db_age; /* @@ -140,13 +141,13 @@ kdc_insert_lookaside(krb5_data *inpkt, krb5_data *outpkt) * ARGH! */ if (krb5_copy_data(kdc_context, inpkt, &eptr->req_packet)) { - free(eptr); - return; + free(eptr); + return; } if (krb5_copy_data(kdc_context, outpkt, &eptr->reply_packet)) { - krb5_free_data(kdc_context, eptr->req_packet); - free(eptr); - return; + krb5_free_data(kdc_context, eptr->req_packet); + free(eptr); + return; } eptr->next = root_ptr.next; root_ptr.next = eptr; @@ -161,14 +162,14 @@ kdc_free_lookaside(krb5_context kcontext) register krb5_kdc_replay_ent *eptr, *last, *hold; if (root_ptr.next) { for (last = &root_ptr, eptr = root_ptr.next; - eptr; eptr = eptr->next) { - krb5_free_data(kcontext, eptr->req_packet); - krb5_free_data(kcontext, eptr->reply_packet); - hold = eptr; - last->next = eptr->next; - eptr = last; - free(hold); - } + eptr; eptr = eptr->next) { + krb5_free_data(kcontext, eptr->req_packet); + krb5_free_data(kcontext, eptr->reply_packet); + hold = eptr; + last->next = eptr->next; + eptr = last; + free(hold); + } } } diff --git a/src/kdc/rtest.c b/src/kdc/rtest.c index 87f4a9652..4e3cd7bda 100644 --- a/src/kdc/rtest.c +++ b/src/kdc/rtest.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kdc/rtest.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * */ @@ -33,84 +34,84 @@ void krb5_klog_syslog(void); -static krb5_principal +static krb5_principal make_princ(krb5_context ctx, const char *str, const char *prog) { krb5_principal ret; char *dat; if(!(ret = (krb5_principal) malloc(sizeof(krb5_principal_data)))) { - com_err(prog, ENOMEM, "while allocating principal data"); - exit(3); + com_err(prog, ENOMEM, "while allocating principal data"); + exit(3); } memset(ret, 0, sizeof(krb5_principal_data)); /* We do not include the null... */ if(!(dat = (char *) malloc(strlen(str)))) { - com_err(prog, ENOMEM, "while allocating principal realm data"); - exit(3); + com_err(prog, ENOMEM, "while allocating principal realm data"); + exit(3); } memcpy(dat, str, strlen(str)); krb5_princ_set_realm_data(ctx, ret, dat); krb5_princ_set_realm_length(ctx, ret, strlen(str)); - + return ret; } int main(int argc, char **argv) { - krb5_data otrans; - krb5_data ntrans; - krb5_principal tgs, cl, sv; - krb5_error_code kret; - kdc_realm_t kdc_realm; - - if (argc < 4) { - fprintf(stderr, "not enough args\n"); - exit(1); - } - - - /* Get a context */ - kret = krb5int_init_context_kdc(&kdc_realm.realm_context); - if (kret) { - com_err(argv[0], kret, "while getting krb5 context"); - exit(2); - } - /* Needed so kdc_context will work */ - kdc_active_realm = &kdc_realm; - - ntrans.length = 0; - ntrans.data = 0; - - otrans.length = strlen(argv[1]); - if (otrans.length) - otrans.data = (char *) malloc(otrans.length); - else - otrans.data = 0; - memcpy(otrans.data,argv[1], otrans.length); - - tgs = make_princ(kdc_context, argv[2], argv[0]); - cl = make_princ(kdc_context, argv[3], argv[0]); - sv = make_princ(kdc_context, argv[4], argv[0]); - - add_to_transited(&otrans,&ntrans,tgs,cl,sv); - - printf("%s\n",ntrans.data); - - /* Free up all memory so we can profile for leaks */ - if (otrans.data) - free(otrans.data); - free(ntrans.data); - - krb5_free_principal(kdc_realm.realm_context, tgs); - krb5_free_principal(kdc_realm.realm_context, cl); - krb5_free_principal(kdc_realm.realm_context, sv); - krb5_free_context(kdc_realm.realm_context); - - exit(0); + krb5_data otrans; + krb5_data ntrans; + krb5_principal tgs, cl, sv; + krb5_error_code kret; + kdc_realm_t kdc_realm; + + if (argc < 4) { + fprintf(stderr, "not enough args\n"); + exit(1); + } + + + /* Get a context */ + kret = krb5int_init_context_kdc(&kdc_realm.realm_context); + if (kret) { + com_err(argv[0], kret, "while getting krb5 context"); + exit(2); } + /* Needed so kdc_context will work */ + kdc_active_realm = &kdc_realm; + + ntrans.length = 0; + ntrans.data = 0; + + otrans.length = strlen(argv[1]); + if (otrans.length) + otrans.data = (char *) malloc(otrans.length); + else + otrans.data = 0; + memcpy(otrans.data,argv[1], otrans.length); + + tgs = make_princ(kdc_context, argv[2], argv[0]); + cl = make_princ(kdc_context, argv[3], argv[0]); + sv = make_princ(kdc_context, argv[4], argv[0]); + + add_to_transited(&otrans,&ntrans,tgs,cl,sv); + + printf("%s\n",ntrans.data); + + /* Free up all memory so we can profile for leaks */ + if (otrans.data) + free(otrans.data); + free(ntrans.data); + + krb5_free_principal(kdc_realm.realm_context, tgs); + krb5_free_principal(kdc_realm.realm_context, cl); + krb5_free_principal(kdc_realm.realm_context, sv); + krb5_free_context(kdc_realm.realm_context); + + exit(0); +} void krb5_klog_syslog(void) {} kdc_realm_t *find_realm_data (char *rname, krb5_ui_4 rsize) { return 0; } diff --git a/src/kim/agent/mac/AuthenticationController.h b/src/kim/agent/mac/AuthenticationController.h index ba0b21223..03b76ce53 100644 --- a/src/kim/agent/mac/AuthenticationController.h +++ b/src/kim/agent/mac/AuthenticationController.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -30,9 +30,9 @@ @interface AuthenticationController : NSWindowController { IPCClient *associatedClient; - + IBOutlet KerberosTimeFormatter *lifetimeFormatter; - + IBOutlet NSView *containerView; IBOutlet NSView *identityView; IBOutlet NSView *passwordView; @@ -46,30 +46,30 @@ IBOutlet BadgedImageView *samBadge; IBOutlet BadgedImageView *changePasswordBadge; IBOutlet BadgedImageView *errorBadge; - + IBOutlet NSProgressIndicator *enterSpinny; IBOutlet NSProgressIndicator *passwordSpinny; IBOutlet NSProgressIndicator *samSpinny; IBOutlet NSProgressIndicator *changePasswordSpinny; - + // Controls that need to be made key IBOutlet NSTextField *identityField; IBOutlet NSTextField *passwordField; IBOutlet NSTextField *samPromptField; IBOutlet NSTextField *oldPasswordField; - + // Other controls of interest IBOutlet NSButton *rememberPasswordInKeychainCheckBox; - + IBOutlet NSObjectController *glueController; IBOutlet NSWindow *ticketOptionsSheet; IBOutlet NSObjectController *ticketOptionsController; BOOL visibleAsSheet; - + IBOutlet NSSlider *validLifetimeSlider; IBOutlet NSSlider *renewableLifetimeSlider; - + NSMutableArray *favoriteIdentities; NSMutableDictionary *favoriteOptions; } @@ -102,11 +102,11 @@ - (IBAction) cancelAuthSheet: (id) sender; -- (void) authSheetDidEnd: (NSWindow *) sheet - returnCode: (int) returnCode +- (void) authSheetDidEnd: (NSWindow *) sheet + returnCode: (int) returnCode contextInfo: (void *) contextInfo; -- (void) ticketOptionsSheetDidEnd: (NSWindow *) sheet - returnCode: (int) returnCode +- (void) ticketOptionsSheetDidEnd: (NSWindow *) sheet + returnCode: (int) returnCode contextInfo: (void *) contextInfo; - (IBAction) changePasswordGearAction: (id) sender; diff --git a/src/kim/agent/mac/BadgedImageView.h b/src/kim/agent/mac/BadgedImageView.h index 4fba86727..489a90954 100644 --- a/src/kim/agent/mac/BadgedImageView.h +++ b/src/kim/agent/mac/BadgedImageView.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/kim/agent/mac/IPCClient.h b/src/kim/agent/mac/IPCClient.h index 0bea6000b..a700a6a53 100644 --- a/src/kim/agent/mac/IPCClient.h +++ b/src/kim/agent/mac/IPCClient.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -59,11 +59,11 @@ - (kim_error) handleError: (NSDictionary *) info; - (void) didCancel; -- (void) didSelectIdentity: (NSString *) identityString - options: (NSDictionary *) options +- (void) didSelectIdentity: (NSString *) identityString + options: (NSDictionary *) options wantsChangePassword: (BOOL) wantsChangePassword; -- (void) didEnterIdentity: (NSString *) identityString - options: (NSDictionary *) options +- (void) didEnterIdentity: (NSString *) identityString + options: (NSDictionary *) options wantsChangePassword: (BOOL) wantsChangePassword; - (void) didPromptForAuth: (NSString *) responseString saveResponse: (NSNumber *) saveResponse; - (void) didChangePassword: (NSString *) oldPassword diff --git a/src/kim/agent/mac/Identities.h b/src/kim/agent/mac/Identities.h index 712abb31c..72f735522 100644 --- a/src/kim/agent/mac/Identities.h +++ b/src/kim/agent/mac/Identities.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/kim/agent/mac/KIMUtilities.h b/src/kim/agent/mac/KIMUtilities.h index 6575ca712..adbc15914 100644 --- a/src/kim/agent/mac/KIMUtilities.h +++ b/src/kim/agent/mac/KIMUtilities.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/kim/agent/mac/KerberosAgentController.h b/src/kim/agent/mac/KerberosAgentController.h index 876961163..c6fae8670 100644 --- a/src/kim/agent/mac/KerberosAgentController.h +++ b/src/kim/agent/mac/KerberosAgentController.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/kim/agent/mac/KerberosAgentListener.h b/src/kim/agent/mac/KerberosAgentListener.h index 2d9378aff..4e0dc3dbb 100644 --- a/src/kim/agent/mac/KerberosAgentListener.h +++ b/src/kim/agent/mac/KerberosAgentListener.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -46,7 +46,7 @@ path: (kim_string) path; // contains reply_port -+ (void) didAddClient: (NSDictionary *) info ++ (void) didAddClient: (NSDictionary *) info error: (int32_t) error; + (void) enterIdentityWithClientPort: (mach_port_t) client_port @@ -54,7 +54,7 @@ options: (kim_options) options; // contains reply_port, kim_identity -+ (void) didEnterIdentity: (NSDictionary *) info ++ (void) didEnterIdentity: (NSDictionary *) info error: (int32_t) error; + (void) selectIdentityWithClientPort: (mach_port_t) client_port @@ -62,21 +62,21 @@ hints: (kim_selection_hints) hints; // contains reply_port, kim_identity -+ (void) didSelectIdentity: (NSDictionary *) info ++ (void) didSelectIdentity: (NSDictionary *) info error: (int32_t) error; + (void) promptForAuthWithClientPort: (mach_port_t) client_port replyPort: (mach_port_t) reply_port identity: (kim_string) identity_string promptType: (uint32_t) prompt_type - allowSave: (kim_boolean) allow_save + allowSave: (kim_boolean) allow_save hideReply: (kim_boolean) hide_reply title: (kim_string) title message: (kim_string) message description: (kim_string) description; // contains reply_port, (string) prompt_response -+ (void) didPromptForAuth: (NSDictionary *) info ++ (void) didPromptForAuth: (NSDictionary *) info error: (int32_t) error; + (void) changePasswordWithClientPort: (mach_port_t) client_port @@ -85,7 +85,7 @@ expired: (kim_boolean) expired; // contains reply_port, old password, new password, verify password -+ (void) didChangePassword: (NSDictionary *) info ++ (void) didChangePassword: (NSDictionary *) info error: (int32_t) error; + (void) handleErrorWithClientPort: (mach_port_t) client_port @@ -96,7 +96,7 @@ description: (kim_string) description; // contains reply_port -+ (void) didHandleError: (NSDictionary *) info ++ (void) didHandleError: (NSDictionary *) info error: (int32_t) error; diff --git a/src/kim/agent/mac/KerberosFormatters.h b/src/kim/agent/mac/KerberosFormatters.h index 104ea5f42..7dd28b7ab 100644 --- a/src/kim/agent/mac/KerberosFormatters.h +++ b/src/kim/agent/mac/KerberosFormatters.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -35,7 +35,7 @@ - (NSString *)stringForObjectValue:(id)anObject; -- (NSAttributedString *)attributedStringForObjectValue:(id)anObject +- (NSAttributedString *)attributedStringForObjectValue:(id)anObject withDefaultAttributes:(NSDictionary *)attributes; - (NSString *) stringForLifetime: (time_t) lifetime; @@ -43,11 +43,11 @@ @end @interface KerberosFavoriteFormatter : NSFormatter { - + } - (NSString *)stringForObjectValue:(id)anObject; -- (NSAttributedString *)attributedStringForObjectValue:(id)anObject +- (NSAttributedString *)attributedStringForObjectValue:(id)anObject withDefaultAttributes:(NSDictionary *)attributes; @end diff --git a/src/kim/agent/mac/PopupButton.h b/src/kim/agent/mac/PopupButton.h index 5ced9513e..823ecb26e 100644 --- a/src/kim/agent/mac/PopupButton.h +++ b/src/kim/agent/mac/PopupButton.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/kim/agent/mac/SelectIdentityController.h b/src/kim/agent/mac/SelectIdentityController.h index 4d744ba08..b5f0bceb2 100644 --- a/src/kim/agent/mac/SelectIdentityController.h +++ b/src/kim/agent/mac/SelectIdentityController.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -31,17 +31,17 @@ @interface SelectIdentityController : NSWindowController { IPCClient *associatedClient; - + IBOutlet KerberosTimeFormatter *shortTimeFormatter; IBOutlet KerberosTimeFormatter *longTimeFormatter; - + IBOutlet NSObjectController *identitiesController; IBOutlet NSArrayController *identityArrayController; IBOutlet BadgedImageView *kerberosIconImageView; IBOutlet NSTextField *headerTextField; IBOutlet NSTextField *explanationTextField; - + IBOutlet NSScrollView *identityTableScrollView; IBOutlet NSTableView *identityTableView; IBOutlet NSButton *addIdentityButton; @@ -51,9 +51,9 @@ Identities *identities; NSTimer *refreshTimer; - + IBOutlet NSObjectController *glueController; - + IBOutlet NSWindow *ticketOptionsWindow; IBOutlet NSObjectController *identityOptionsController; IBOutlet NSTextField *identityField; @@ -61,7 +61,7 @@ IBOutlet NSSlider *validLifetimeSlider; IBOutlet NSSlider *renewableLifetimeSlider; - + IBOutlet NSBox *ticketOptionsBox; IBOutlet NSButton *ticketOptionsOkButton; IBOutlet NSButton *ticketOptionsToggleButton; diff --git a/src/kim/agent/mac/ServerDemux.h b/src/kim/agent/mac/ServerDemux.h index 39fd28107..b454376ca 100644 --- a/src/kim/agent/mac/ServerDemux.h +++ b/src/kim/agent/mac/ServerDemux.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -30,34 +30,34 @@ int32_t kim_agent_listen_loop (void); -int32_t kim_handle_reply_init (mach_port_t in_reply_port, +int32_t kim_handle_reply_init (mach_port_t in_reply_port, int32_t in_error); -int32_t kim_handle_reply_enter_identity (mach_port_t in_reply_port, +int32_t kim_handle_reply_enter_identity (mach_port_t in_reply_port, kim_identity in_identity, kim_options in_options, kim_boolean in_change_password, int32_t in_error); -int32_t kim_handle_reply_select_identity (mach_port_t in_reply_port, +int32_t kim_handle_reply_select_identity (mach_port_t in_reply_port, kim_identity in_identity, kim_options in_options, kim_boolean in_change_password, int32_t in_error); -int32_t kim_handle_reply_auth_prompt (mach_port_t in_reply_port, +int32_t kim_handle_reply_auth_prompt (mach_port_t in_reply_port, kim_string in_prompt_response, kim_boolean in_allow_save_response, int32_t in_error); -int32_t kim_handle_reply_change_password (mach_port_t in_reply_port, +int32_t kim_handle_reply_change_password (mach_port_t in_reply_port, kim_string in_old_password, kim_string in_new_password, kim_string in_vfy_password, int32_t in_error); -int32_t kim_handle_reply_handle_error (mach_port_t in_reply_port, +int32_t kim_handle_reply_handle_error (mach_port_t in_reply_port, int32_t in_error); -int32_t kim_handle_reply_fini (mach_port_t in_reply_port, +int32_t kim_handle_reply_fini (mach_port_t in_reply_port, int32_t in_error); diff --git a/src/kim/lib/kim_ccache.c b/src/kim/lib/kim_ccache.c index cf6a18315..6e48eda43 100644 --- a/src/kim/lib/kim_ccache.c +++ b/src/kim/lib/kim_ccache.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -40,35 +40,35 @@ kim_error kim_ccache_iterator_create (kim_ccache_iterator *out_ccache_iterator) { kim_error err = kim_library_init (); kim_ccache_iterator ccache_iterator = NULL; - + if (!err && !out_ccache_iterator) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { ccache_iterator = malloc (sizeof (*ccache_iterator)); - if (ccache_iterator) { + if (ccache_iterator) { *ccache_iterator = kim_ccache_iterator_initializer; } else { - err = KIM_OUT_OF_MEMORY_ERR; + err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&ccache_iterator->context)); } - + if (!err) { err = krb5_error (ccache_iterator->context, krb5_cccol_cursor_new (ccache_iterator->context, &ccache_iterator->cursor)); } - - if (!err) { + + if (!err) { *out_ccache_iterator = ccache_iterator; ccache_iterator = NULL; } - + kim_ccache_iterator_free (&ccache_iterator); - + return check_error (err); } @@ -79,54 +79,54 @@ kim_error kim_ccache_iterator_next (kim_ccache_iterator in_ccache_iterator, { kim_error err = KIM_NO_ERROR; krb5_ccache ccache = NULL; - + if (!err && !in_ccache_iterator) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = krb5_cccol_cursor_next (in_ccache_iterator->context, + err = krb5_cccol_cursor_next (in_ccache_iterator->context, in_ccache_iterator->cursor, &ccache); if (err == KRB5_CC_END) { ccache = NULL; /* out of ccaches */ err = KIM_NO_ERROR; - } + } } - + if (!err && ccache && in_ccache_iterator->first) { krb5_principal principal = NULL; - + /* krb5 API is sneaky and returns a single empty ccache if the * cache collection is empty. Check for it: */ err = krb5_error (in_ccache_iterator->context, - krb5_cc_get_principal (in_ccache_iterator->context, - ccache, + krb5_cc_get_principal (in_ccache_iterator->context, + ccache, &principal)); - + if (err) { krb5_cc_close (in_ccache_iterator->context, ccache); ccache = NULL; err = KIM_NO_ERROR; } - - if (principal) { krb5_free_principal (in_ccache_iterator->context, + + if (principal) { krb5_free_principal (in_ccache_iterator->context, principal); } } - + if (!err) { in_ccache_iterator->first = 0; - + if (ccache) { err = kim_ccache_create_from_krb5_ccache (out_ccache, - in_ccache_iterator->context, + in_ccache_iterator->context, ccache); } else { *out_ccache = NULL; /* no more ccaches */ - } + } } - + if (ccache) { krb5_cc_close (in_ccache_iterator->context, ccache); } - + return check_error (err); } @@ -135,12 +135,12 @@ kim_error kim_ccache_iterator_next (kim_ccache_iterator in_ccache_iterator, void kim_ccache_iterator_free (kim_ccache_iterator *io_ccache_iterator) { if (io_ccache_iterator && *io_ccache_iterator) { - if ((*io_ccache_iterator)->context) { + if ((*io_ccache_iterator)->context) { if ((*io_ccache_iterator)->cursor) { - krb5_cccol_cursor_free ((*io_ccache_iterator)->context, + krb5_cccol_cursor_free ((*io_ccache_iterator)->context, &(*io_ccache_iterator)->cursor); } - krb5_free_context ((*io_ccache_iterator)->context); + krb5_free_context ((*io_ccache_iterator)->context); } free (*io_ccache_iterator); *io_ccache_iterator = NULL; @@ -165,16 +165,16 @@ static kim_error kim_ccache_create_resolve_name (kim_string *out_resolve_name, kim_string in_type) { kim_error err = KIM_NO_ERROR; - + if (!err && !out_resolve_name) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_name ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_type ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_string_create_from_format (out_resolve_name, "%s:%s", + err = kim_string_create_from_format (out_resolve_name, "%s:%s", in_type, in_name); } - + return check_error (err); } @@ -186,23 +186,23 @@ static inline kim_error kim_ccache_allocate (kim_ccache *out_ccache) { kim_error err = kim_library_init (); kim_ccache ccache = NULL; - + if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { ccache = malloc (sizeof (*ccache)); if (!ccache) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { *ccache = kim_ccache_initializer; *out_ccache = ccache; ccache = NULL; } - + kim_ccache_free (&ccache); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -227,27 +227,27 @@ kim_error kim_ccache_create_new_with_password (kim_ccache *out_ccache, kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; kim_identity client_identity = NULL; - + if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_credential_create_new_with_password (&credential, - in_client_identity, + err = kim_credential_create_new_with_password (&credential, + in_client_identity, in_options, in_password); } - + if (!err) { err = kim_credential_get_client_identity (credential, &client_identity); } - + if (!err) { err = kim_credential_store (credential, client_identity, out_ccache); } - + kim_identity_free (&client_identity); kim_credential_free (&credential); - + return check_error (err); } @@ -272,20 +272,20 @@ kim_error kim_ccache_create_new_if_needed_with_password (kim_ccache *out_ccach { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + if (!err && !out_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_credential_state state; - - err = kim_ccache_create_from_client_identity (&ccache, + + err = kim_ccache_create_from_client_identity (&ccache, in_client_identity); - + if (!err) { err = kim_ccache_get_state (ccache, &state); } - + if (!err && state != kim_credentials_state_valid) { if (state == kim_credentials_state_needs_validation) { err = kim_ccache_validate (ccache, in_options); @@ -294,23 +294,23 @@ kim_error kim_ccache_create_new_if_needed_with_password (kim_ccache *out_ccach ccache = NULL; } } - + if (!ccache) { /* ccache does not already exist, create a new one */ - err = kim_ccache_create_new_with_password (&ccache, - in_client_identity, - in_options, + err = kim_ccache_create_new_with_password (&ccache, + in_client_identity, + in_options, in_password); - } + } } - + if (!err) { *out_ccache = ccache; ccache = NULL; } - + kim_ccache_free (&ccache); - + return check_error (err); } @@ -320,62 +320,62 @@ kim_error kim_ccache_create_from_client_identity (kim_ccache *out_ccache, kim_identity in_client_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && in_client_identity) { kim_ccache_iterator iterator = NULL; kim_boolean found = FALSE; err = kim_ccache_iterator_create (&iterator); - + while (!err && !found) { kim_ccache ccache = NULL; kim_identity identity = NULL; kim_comparison comparison; - + err = kim_ccache_iterator_next (iterator, &ccache); - + if (!err && !ccache) { kim_string string = NULL; - - err = kim_identity_get_display_string (in_client_identity, + + err = kim_identity_get_display_string (in_client_identity, &string); - + if (!err) { - err = kim_error_set_message_for_code (KIM_NO_SUCH_PRINCIPAL_ERR, + err = kim_error_set_message_for_code (KIM_NO_SUCH_PRINCIPAL_ERR, string); } - + kim_string_free (&string); } - + if (!err) { err = kim_ccache_get_client_identity (ccache, &identity); } - + if (!err) { - err = kim_identity_compare (in_client_identity, identity, + err = kim_identity_compare (in_client_identity, identity, &comparison); } - + if (!err && kim_comparison_is_equal_to (comparison)) { found = 1; *out_ccache = ccache; ccache = NULL; } - + kim_identity_free (&identity); kim_ccache_free (&ccache); } - + kim_ccache_iterator_free (&iterator); - + } else if (!err) { /* in_client_identity is NULL, get default ccache */ err = kim_ccache_create_from_default (out_ccache); } - + return check_error (err); } @@ -391,25 +391,25 @@ kim_error kim_ccache_create_from_keytab (kim_ccache *out_ccache, kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; kim_identity client_identity = NULL; - + if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_credential_create_from_keytab (&credential, in_identity, + err = kim_credential_create_from_keytab (&credential, in_identity, in_options, in_keytab); } - + if (!err) { err = kim_credential_get_client_identity (credential, &client_identity); } - + if (!err) { err = kim_credential_store (credential, client_identity, out_ccache); } - + kim_identity_free (&client_identity); kim_credential_free (&credential); - + return check_error (err); } @@ -421,29 +421,29 @@ kim_error kim_ccache_create_from_default (kim_ccache *out_ccache) { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_allocate (&ccache); } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&ccache->context)); } - + if (!err) { err = krb5_error (ccache->context, krb5_cc_default (ccache->context, &ccache->ccache)); } - + if (!err) { *out_ccache = ccache; ccache = NULL; } - + kim_ccache_free (&ccache); - + return check_error (err); } @@ -454,31 +454,31 @@ kim_error kim_ccache_create_from_display_name (kim_ccache *out_ccache, { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + if (!err && !out_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_display_name) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_allocate (&ccache); } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&ccache->context)); } - + if (!err) { err = krb5_error (ccache->context, - krb5_cc_resolve (ccache->context, in_display_name, + krb5_cc_resolve (ccache->context, in_display_name, &ccache->ccache)); } - + if (!err) { *out_ccache = ccache; ccache = NULL; } - + kim_ccache_free (&ccache); - + return check_error (err); } @@ -490,21 +490,21 @@ kim_error kim_ccache_create_from_type_and_name (kim_ccache *out_ccache, { kim_error err = KIM_NO_ERROR; kim_string resolve_name = NULL; - + if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_name ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_type ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_create_resolve_name (&resolve_name, in_name, in_type); } - + if (!err) { err = kim_ccache_create_from_display_name (out_ccache, resolve_name); } - + kim_string_free (&resolve_name); - + return check_error (err); } @@ -515,18 +515,18 @@ kim_error kim_ccache_create_from_krb5_ccache (kim_ccache *out_ccache, krb5_ccache in_krb5_ccache) { kim_error err = KIM_NO_ERROR; - + if (!err && !out_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_string type = krb5_cc_get_type (in_krb5_context, in_krb5_ccache); kim_string name = krb5_cc_get_name (in_krb5_context, in_krb5_ccache); - + err = kim_ccache_create_from_type_and_name (out_ccache, type, name); } - + return check_error (err); } @@ -538,25 +538,25 @@ kim_error kim_ccache_copy (kim_ccache *out_ccache, kim_error err = KIM_NO_ERROR; kim_string name = NULL; kim_string type = NULL; - + if (!err && !out_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_get_name (in_ccache, &name); } - + if (!err) { err = kim_ccache_get_type (in_ccache, &type); } - + if (!err) { err = kim_ccache_create_from_type_and_name (out_ccache, type, name); } - + kim_string_free (&name); kim_string_free (&type); - + return check_error (err); } @@ -569,28 +569,28 @@ kim_error kim_ccache_compare (kim_ccache in_ccache, kim_comparison *out_comparison) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_compare_to_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_comparison ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - const char *type = krb5_cc_get_type (in_ccache->context, + const char *type = krb5_cc_get_type (in_ccache->context, in_ccache->ccache); - const char *compare_to_type = krb5_cc_get_type (in_compare_to_ccache->context, + const char *compare_to_type = krb5_cc_get_type (in_compare_to_ccache->context, in_compare_to_ccache->ccache); - const char *name = krb5_cc_get_name (in_ccache->context, + const char *name = krb5_cc_get_name (in_ccache->context, in_ccache->ccache); - const char *compare_to_name = krb5_cc_get_name (in_compare_to_ccache->context, + const char *compare_to_name = krb5_cc_get_name (in_compare_to_ccache->context, in_compare_to_ccache->ccache); - + *out_comparison = strcmp (type, compare_to_type); - + if (*out_comparison == 0) { *out_comparison = strcmp (name, compare_to_name); } } - + return check_error (err); } @@ -602,23 +602,23 @@ kim_error kim_ccache_get_krb5_ccache (kim_ccache in_ccache, { kim_error err = KIM_NO_ERROR; kim_string resolve_name = NULL; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_krb5_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_get_display_name (in_ccache, &resolve_name); } - + if (!err) { err = krb5_error (in_krb5_context, - krb5_cc_resolve (in_krb5_context, resolve_name, + krb5_cc_resolve (in_krb5_context, resolve_name, out_krb5_ccache)); } - + kim_string_free (&resolve_name); - + return check_error (err); } @@ -628,15 +628,15 @@ kim_error kim_ccache_get_type (kim_ccache in_ccache, kim_string *out_type) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_type ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_string_copy (out_type, krb5_cc_get_type (in_ccache->context, + err = kim_string_copy (out_type, krb5_cc_get_type (in_ccache->context, in_ccache->ccache)); } - + return check_error (err); } @@ -646,15 +646,15 @@ kim_error kim_ccache_get_name (kim_ccache in_ccache, kim_string *out_name) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_name ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_string_copy (out_name, krb5_cc_get_name (in_ccache->context, + err = kim_string_copy (out_name, krb5_cc_get_name (in_ccache->context, in_ccache->ccache)); } - + return check_error (err); } @@ -664,19 +664,19 @@ kim_error kim_ccache_get_display_name (kim_ccache in_ccache, kim_string *out_display_name) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_display_name) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - kim_string type = krb5_cc_get_type (in_ccache->context, + kim_string type = krb5_cc_get_type (in_ccache->context, in_ccache->ccache); - kim_string name = krb5_cc_get_name (in_ccache->context, + kim_string name = krb5_cc_get_name (in_ccache->context, in_ccache->ccache); - + err = kim_ccache_create_resolve_name (out_display_name, name, type); } - + return check_error (err); } @@ -687,25 +687,25 @@ kim_error kim_ccache_get_client_identity (kim_ccache in_ccache, { kim_error err = KIM_NO_ERROR; krb5_principal principal = NULL; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5_error (in_ccache->context, - krb5_cc_get_principal (in_ccache->context, - in_ccache->ccache, + krb5_cc_get_principal (in_ccache->context, + in_ccache->ccache, &principal)); } - + if (!err) { err = kim_identity_create_from_krb5_principal (out_client_identity, - in_ccache->context, + in_ccache->context, principal); } - + if (principal) { krb5_free_principal (in_ccache->context, principal); } - + return check_error (err); } @@ -723,110 +723,110 @@ static kim_error kim_ccache_get_dominant_credential (kim_ccache in_cc kim_boolean dominant_is_tgt = FALSE; kim_credential_state dominant_state = kim_credentials_state_valid; kim_credential dominant_credential = NULL; - + if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_iterator_create (&iterator, in_ccache); } - + while (!err && !out_of_credentials && !found_valid_tgt) { kim_credential credential = NULL; - + err = kim_credential_iterator_next (iterator, &credential); - + if (!err && !credential) { out_of_credentials = TRUE; - + } else if (!err) { kim_credential_state state = kim_credentials_state_valid; kim_boolean is_tgt = FALSE; - + err = kim_credential_get_state (credential, &state); - + if (!err) { kim_identity service_identity = NULL; - - err = kim_credential_get_service_identity (credential, + + err = kim_credential_get_service_identity (credential, &service_identity); - + if (!err) { err = kim_identity_is_tgt_service (service_identity, &is_tgt); } - + kim_identity_free (&service_identity); } - + if (!err) { - /* There are three cases where we replace: + /* There are three cases where we replace: * 1) We don't have a dominant yet * 2) This is a tgt and dominant isn't * 3) Both are tgts but this is valid and dominant isn't */ - - if ((!dominant_credential) /* 1 */ || + + if ((!dominant_credential) /* 1 */ || (is_tgt && !dominant_is_tgt) /* 2 */ || - (is_tgt && dominant_is_tgt && /* 3 */ + (is_tgt && dominant_is_tgt && /* 3 */ state == kim_credentials_state_valid && dominant_state != kim_credentials_state_valid)) { /* replace */ kim_credential_free (&dominant_credential); - + dominant_credential = credential; credential = NULL; /* take ownership */ - + dominant_is_tgt = is_tgt; dominant_state = state; } - - if (dominant_is_tgt && + + if (dominant_is_tgt && dominant_state == kim_credentials_state_valid) { /* Since we will never replace a valid tgt, stop here */ found_valid_tgt = TRUE; } } } - + kim_credential_free (&credential); } - + if (!err && !dominant_credential) { kim_identity identity = NULL; kim_string identity_string = NULL; - + err = kim_ccache_get_client_identity (in_ccache, &identity); - + if (!err) { - err = kim_identity_get_display_string (identity, + err = kim_identity_get_display_string (identity, &identity_string); } - + if (!err) { - err = kim_error_set_message_for_code (KIM_NO_CREDENTIALS_ERR, + err = kim_error_set_message_for_code (KIM_NO_CREDENTIALS_ERR, identity_string); - } + } kim_string_free (&identity_string); kim_identity_free (&identity); } - + if (!err) { if (out_is_tgt) { *out_is_tgt = dominant_is_tgt; } - + if (out_state) { *out_state = dominant_state; } - + if (out_credential) { *out_credential = dominant_credential; dominant_credential = NULL; /* take ownership */ } } - + kim_credential_free (&dominant_credential); kim_credential_iterator_free (&iterator); - + return check_error (err); } @@ -839,57 +839,57 @@ kim_error kim_ccache_get_valid_credential (kim_ccache in_ccache, kim_boolean is_tgt = FALSE; kim_credential_state state = kim_credentials_state_valid; kim_credential credential = NULL; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_ccache_get_dominant_credential (in_ccache, + err = kim_ccache_get_dominant_credential (in_ccache, &state, &is_tgt, &credential); } - + if (!err && state != kim_credentials_state_valid) { kim_identity identity = NULL; kim_string identity_string = NULL; - + err = kim_ccache_get_client_identity (in_ccache, &identity); - + if (!err) { - err = kim_identity_get_display_string (identity, + err = kim_identity_get_display_string (identity, &identity_string); } - + if (!err) { if (state == kim_credentials_state_expired) { - err = kim_error_set_message_for_code (KIM_CREDENTIALS_EXPIRED_ERR, + err = kim_error_set_message_for_code (KIM_CREDENTIALS_EXPIRED_ERR, identity_string); - + } else if (state == kim_credentials_state_not_yet_valid || state == kim_credentials_state_needs_validation) { - err = kim_error_set_message_for_code (KIM_NEEDS_VALIDATION_ERR, + err = kim_error_set_message_for_code (KIM_NEEDS_VALIDATION_ERR, identity_string); - + } else if (state == kim_credentials_state_address_mismatch) { - err = kim_error_set_message_for_code (KIM_BAD_IP_ADDRESS_ERR, - identity_string); + err = kim_error_set_message_for_code (KIM_BAD_IP_ADDRESS_ERR, + identity_string); } else { /* just default to this */ - err = kim_error_set_message_for_code (KIM_NEEDS_VALIDATION_ERR, + err = kim_error_set_message_for_code (KIM_NEEDS_VALIDATION_ERR, identity_string); } } - + kim_string_free (&identity_string); kim_identity_free (&identity); } - + if (!err) { *out_credential = credential; credential = NULL; /* take ownership */ } - + kim_credential_free (&credential); - + return check_error (err); } @@ -899,16 +899,16 @@ kim_error kim_ccache_get_state (kim_ccache in_ccache, kim_credential_state *out_state) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_state) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_ccache_get_dominant_credential (in_ccache, + err = kim_ccache_get_dominant_credential (in_ccache, out_state, NULL, NULL); } - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -918,21 +918,21 @@ kim_error kim_ccache_get_start_time (kim_ccache in_ccache, { kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_start_time) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, + err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, &credential); } - + if (!err) { err = kim_credential_get_start_time (credential, out_start_time); } - + kim_credential_free (&credential); - + return check_error (err); } @@ -943,22 +943,22 @@ kim_error kim_ccache_get_expiration_time (kim_ccache in_ccache, { kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_expiration_time) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, + err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, &credential); } - + if (!err) { - err = kim_credential_get_expiration_time (credential, + err = kim_credential_get_expiration_time (credential, out_expiration_time); } - + kim_credential_free (&credential); - + return check_error (err); } @@ -969,22 +969,22 @@ kim_error kim_ccache_get_renewal_expiration_time (kim_ccache in_ccache, { kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_renewal_expiration_time) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, + err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, &credential); } - + if (!err) { - err = kim_credential_get_renewal_expiration_time (credential, + err = kim_credential_get_renewal_expiration_time (credential, out_renewal_expiration_time); } - + kim_credential_free (&credential); - + return check_error (err); } @@ -995,21 +995,21 @@ kim_error kim_ccache_get_options (kim_ccache in_ccache, { kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; - + if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, + err = kim_ccache_get_dominant_credential (in_ccache, NULL, NULL, &credential); } - + if (!err) { err = kim_credential_get_options (credential, out_options); } - + kim_credential_free (&credential); - + return check_error (err); } @@ -1020,104 +1020,104 @@ kim_error kim_ccache_get_options (kim_ccache in_ccache, kim_error kim_ccache_set_default (kim_ccache io_ccache) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { char *environment_ccache_name = getenv ("KRB5CCNAME"); - + if (environment_ccache_name) { kim_ccache environment_ccache = NULL; kim_comparison comparison; - + err = kim_ccache_create_from_display_name (&environment_ccache, environment_ccache_name); - + if (!err) { - err = kim_ccache_compare (io_ccache, + err = kim_ccache_compare (io_ccache, environment_ccache, &comparison); } - + if (!err && !kim_comparison_is_equal_to (comparison)) { krb5_principal client_principal = NULL; - /* KRB5CCNAME is set and does not point to this ccache. + /* KRB5CCNAME is set and does not point to this ccache. * Move the creds and make this kim_ccache_t object refer to that ccache. */ - + err = krb5_error (io_ccache->context, - krb5_cc_get_principal (io_ccache->context, - io_ccache->ccache, + krb5_cc_get_principal (io_ccache->context, + io_ccache->ccache, &client_principal)); - + if (!err) { err = krb5_error (io_ccache->context, - krb5_cc_initialize (environment_ccache->context, - environment_ccache->ccache, + krb5_cc_initialize (environment_ccache->context, + environment_ccache->ccache, client_principal)); } - + if (!err) { err = krb5_error (io_ccache->context, - krb5_cc_copy_creds (io_ccache->context, - io_ccache->ccache, + krb5_cc_copy_creds (io_ccache->context, + io_ccache->ccache, environment_ccache->ccache)); } - - if (client_principal) { krb5_free_principal (io_ccache->context, + + if (client_principal) { krb5_free_principal (io_ccache->context, client_principal); } - + if (!err) { kim_ccache_destroy (&io_ccache); io_ccache = environment_ccache; environment_ccache = NULL; /* take ownership */ } } - + kim_ccache_free (&environment_ccache); - + } else { #ifdef USE_CCAPI kim_string type = NULL; kim_string name = NULL; cc_context_t cc_context = NULL; cc_ccache_t cc_ccache = NULL; - + err = kim_ccache_get_type (io_ccache, &type); - + if (!err && strcmp (type, "API")) { #endif kim_string display_name = NULL; /* Not a CCAPI ccache; can't set to default */ - + err = kim_ccache_get_display_name (io_ccache, &display_name); - + if (!err) { - err = kim_error_set_message_for_code (KIM_CANT_BECOME_DEFAULT_ERR, + err = kim_error_set_message_for_code (KIM_CANT_BECOME_DEFAULT_ERR, display_name); } - + kim_string_free (&display_name); #ifdef USE_CCAPI } - + if (!err) { err = kim_ccache_get_name (io_ccache, &name); } - + /* get a CCAPI ccache for this cache */ if (!err) { err = cc_initialize (&cc_context, ccapi_version_4, NULL, NULL); } - + if (!err) { err = cc_context_open_ccache (cc_context, name, &cc_ccache); } - + if (!err) { err = cc_ccache_set_default (cc_ccache); } - + if (cc_context) { cc_context_release (cc_context); } if (cc_ccache ) { cc_ccache_release (cc_ccache); } kim_string_free (&name); @@ -1125,7 +1125,7 @@ kim_error kim_ccache_set_default (kim_ccache io_ccache) #endif } } - + return check_error (err); } @@ -1140,20 +1140,20 @@ kim_error kim_ccache_verify (kim_ccache in_ccache, { kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; - + if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_get_valid_credential (in_ccache, &credential); } - + if (!err) { - err = kim_credential_verify (credential, in_service_identity, + err = kim_credential_verify (credential, in_service_identity, in_keytab, in_fail_if_no_service_key); } - + kim_credential_free (&credential); - + return check_error (err); } @@ -1167,28 +1167,28 @@ kim_error kim_ccache_renew (kim_ccache in_ccache, kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; kim_identity client_identity = NULL; - + if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_get_valid_credential (in_ccache, &credential); } - + if (!err) { err = kim_credential_renew (&credential, in_options); } - + if (!err) { err = kim_ccache_get_client_identity (in_ccache, &client_identity); } - + if (!err) { err = kim_credential_store (credential, client_identity, NULL); } - + kim_identity_free (&client_identity); kim_credential_free (&credential); - + return check_error (err); } @@ -1200,28 +1200,28 @@ kim_error kim_ccache_validate (kim_ccache in_ccache, kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; kim_identity client_identity = NULL; - + if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ccache_get_valid_credential (in_ccache, &credential); } - + if (!err) { err = kim_credential_validate (&credential, in_options); } - + if (!err) { err = kim_ccache_get_client_identity (in_ccache, &client_identity); } - + if (!err) { err = kim_credential_store (credential, client_identity, NULL); } - + kim_identity_free (&client_identity); kim_credential_free (&credential); - + return check_error (err); } @@ -1232,18 +1232,18 @@ kim_error kim_ccache_validate (kim_ccache in_ccache, kim_error kim_ccache_destroy (kim_ccache *io_ccache) { kim_error err = KIM_NO_ERROR; - + if (io_ccache && *io_ccache) { err = krb5_error ((*io_ccache)->context, - krb5_cc_destroy ((*io_ccache)->context, + krb5_cc_destroy ((*io_ccache)->context, (*io_ccache)->ccache)); - - if (!err) { - (*io_ccache)->ccache = NULL; + + if (!err) { + (*io_ccache)->ccache = NULL; kim_ccache_free (io_ccache); } } - + return check_error (err); } @@ -1252,14 +1252,13 @@ kim_error kim_ccache_destroy (kim_ccache *io_ccache) void kim_ccache_free (kim_ccache *io_ccache) { if (io_ccache && *io_ccache) { - if ((*io_ccache)->context) { + if ((*io_ccache)->context) { if ((*io_ccache)->ccache) { krb5_cc_close ((*io_ccache)->context, (*io_ccache)->ccache); } - krb5_free_context ((*io_ccache)->context); + krb5_free_context ((*io_ccache)->context); } free (*io_ccache); *io_ccache = NULL; } } - diff --git a/src/kim/lib/kim_credential.c b/src/kim/lib/kim_credential.c index 8d2c1ee60..fe910cf04 100644 --- a/src/kim/lib/kim_credential.c +++ b/src/kim/lib/kim_credential.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -43,42 +43,42 @@ kim_error kim_credential_iterator_create (kim_credential_iterator *out_credentia { kim_error err = kim_library_init (); kim_credential_iterator credential_iterator = NULL; - + if (!err && !out_credential_iterator) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { credential_iterator = malloc (sizeof (*credential_iterator)); - if (credential_iterator) { + if (credential_iterator) { *credential_iterator = kim_credential_iterator_initializer; } else { - err = KIM_OUT_OF_MEMORY_ERR; + err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&credential_iterator->context)); } - + if (!err) { err = kim_ccache_get_krb5_ccache (in_ccache, credential_iterator->context, &credential_iterator->ccache); } - + if (!err) { /* Turn off OPENCLOSE mode */ err = krb5_error (credential_iterator->context, krb5_cc_get_flags (credential_iterator->context, credential_iterator->ccache, &credential_iterator->old_flags)); - + if (!err && credential_iterator->old_flags & KRB5_TC_OPENCLOSE) { krb5_flags new_flags = credential_iterator->old_flags & ~KRB5_TC_OPENCLOSE; - + err = krb5_error (credential_iterator->context, - krb5_cc_set_flags (credential_iterator->context, - credential_iterator->ccache, + krb5_cc_set_flags (credential_iterator->context, + credential_iterator->ccache, new_flags)); if (err == KRB5_FCC_NOFILE) { err = KIM_NO_ERROR; } } @@ -86,18 +86,18 @@ kim_error kim_credential_iterator_create (kim_credential_iterator *out_credentia if (!err) { err = krb5_error (credential_iterator->context, - krb5_cc_start_seq_get (credential_iterator->context, + krb5_cc_start_seq_get (credential_iterator->context, credential_iterator->ccache, &credential_iterator->cursor)); } - + if (!err) { *out_credential_iterator = credential_iterator; credential_iterator = NULL; } - + kim_credential_iterator_free (&credential_iterator); - + return check_error (err); } @@ -107,33 +107,33 @@ kim_error kim_credential_iterator_next (kim_credential_iterator in_credential_i kim_credential *out_credential) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_credential_iterator) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { krb5_creds creds; - - krb5_error_code terr = krb5_cc_next_cred (in_credential_iterator->context, + + krb5_error_code terr = krb5_cc_next_cred (in_credential_iterator->context, in_credential_iterator->ccache, &in_credential_iterator->cursor, &creds); - + if (!terr) { err = kim_credential_create_from_krb5_creds (out_credential, in_credential_iterator->context, &creds); - + krb5_free_cred_contents (in_credential_iterator->context, &creds); - + } else if (terr == KRB5_CC_END) { *out_credential = NULL; /* no more ccaches */ - + } else { err = krb5_error (in_credential_iterator->context, terr); } } - + return check_error (err); } @@ -142,21 +142,21 @@ kim_error kim_credential_iterator_next (kim_credential_iterator in_credential_i void kim_credential_iterator_free (kim_credential_iterator *io_credential_iterator) { if (io_credential_iterator && *io_credential_iterator) { - if ((*io_credential_iterator)->context) { + if ((*io_credential_iterator)->context) { if ((*io_credential_iterator)->ccache) { if ((*io_credential_iterator)->cursor) { - krb5_cc_end_seq_get ((*io_credential_iterator)->context, + krb5_cc_end_seq_get ((*io_credential_iterator)->context, (*io_credential_iterator)->ccache, &(*io_credential_iterator)->cursor); - krb5_cc_set_flags ((*io_credential_iterator)->context, - (*io_credential_iterator)->ccache, + krb5_cc_set_flags ((*io_credential_iterator)->context, + (*io_credential_iterator)->ccache, (*io_credential_iterator)->old_flags); } - krb5_cc_close ((*io_credential_iterator)->context, + krb5_cc_close ((*io_credential_iterator)->context, (*io_credential_iterator)->ccache); } - krb5_free_context ((*io_credential_iterator)->context); + krb5_free_context ((*io_credential_iterator)->context); } free (*io_credential_iterator); *io_credential_iterator = NULL; @@ -180,23 +180,23 @@ static inline kim_error kim_credential_allocate (kim_credential *out_credential) { kim_error err = kim_library_init (); kim_credential credential = NULL; - + if (!err && !out_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { credential = malloc (sizeof (*credential)); if (!credential) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { *credential = kim_credential_initializer; *out_credential = credential; credential = NULL; } - + kim_credential_free (&credential); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -220,34 +220,34 @@ static void kim_credential_remember_prefs (kim_identity in_identity, kim_preferences prefs = NULL; kim_boolean remember_identity = 0; kim_boolean remember_options = 0; - + err = kim_preferences_create (&prefs); - + if (!err && in_options) { - err = kim_preferences_get_remember_options (prefs, + err = kim_preferences_get_remember_options (prefs, &remember_options); } - + if (!err && in_identity) { - err = kim_preferences_get_remember_client_identity (prefs, + err = kim_preferences_get_remember_client_identity (prefs, &remember_identity); } - + if (!err && remember_options) { err = kim_preferences_set_options (prefs, in_options); } - + if (!err && remember_identity) { err = kim_preferences_set_client_identity (prefs, in_identity); - - } - + + } + if (!err && (remember_options || remember_identity)) { err = kim_preferences_synchronize (prefs); } - + kim_preferences_free (&prefs); - + check_error (err); } @@ -266,15 +266,15 @@ kim_error kim_credential_create_new_with_password (kim_credential *out_credentia kim_boolean done_with_identity = 0; if (!err && !out_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_allocate (&credential); } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&credential->context)); } - + if (!err) { if (in_options) { options = in_options; @@ -282,48 +282,48 @@ kim_error kim_credential_create_new_with_password (kim_credential *out_credentia err = kim_options_create (&options); } } - + if (!err) { err = kim_ui_init (&context); if (!err) { ui_inited = 1; } } - + while (!err && !done_with_identity) { kim_identity identity = in_identity; kim_boolean done_with_credentials = 0; if (identity) { done_with_identity = 1; - + } else while (!err && !identity) { kim_boolean user_wants_change_password = 0; - - err = kim_ui_enter_identity (&context, options, - &identity, + + err = kim_ui_enter_identity (&context, options, + &identity, &user_wants_change_password); - + if (!err && user_wants_change_password) { - err = kim_identity_change_password_common (identity, 0, - &context, + err = kim_identity_change_password_common (identity, 0, + &context, NULL); - + /* reenter enter_identity so just forget this identity * even if we got an error */ - if (err == KIM_USER_CANCELED_ERR || - err == KIM_DUPLICATE_UI_REQUEST_ERR) { - err = KIM_NO_ERROR; + if (err == KIM_USER_CANCELED_ERR || + err == KIM_DUPLICATE_UI_REQUEST_ERR) { + err = KIM_NO_ERROR; } - + kim_identity_free (&identity); } - + } - + if (!err) { context.identity = identity; /* used by kim_ui_prompter */ } - - while (!err && !done_with_credentials) { + + while (!err && !done_with_credentials) { krb5_creds creds; kim_boolean free_creds = 0; kim_count prompt_count; @@ -331,149 +331,149 @@ kim_error kim_credential_create_new_with_password (kim_credential *out_credentia krb5_get_init_creds_opt *opts = kim_options_init_cred_options (options); char *service = kim_options_service_name (options); kim_time start_time = kim_options_start_time (options); - + /* set counter to zero so we can tell if we got prompted */ context.prompt_count = 0; context.password_to_save = NULL; - + err = krb5_error (credential->context, - krb5_get_init_creds_password (credential->context, + krb5_get_init_creds_password (credential->context, &creds, principal, - (char *) in_password, - kim_ui_prompter, + (char *) in_password, + kim_ui_prompter, &context, - start_time, - service, + start_time, + service, opts)); - + prompt_count = context.prompt_count; /* remember if we got prompts */ if (!err) { free_creds = 1; } - + if (!err) { err = krb5_error (credential->context, krb5_copy_creds (credential->context, - &creds, + &creds, &credential->creds)); } - + if (!err && context.password_to_save) { /* If we were successful, save any password we got */ err = kim_os_identity_set_saved_password (identity, context.password_to_save); - - - } - + + + } + if (err == KRB5KDC_ERR_KEY_EXP) { kim_string new_password = NULL; - - err = kim_identity_change_password_common (identity, 1, - &context, + + err = kim_identity_change_password_common (identity, 1, + &context, &new_password); - + if (!err) { /* set counter to zero so we can tell if we got prompted */ context.prompt_count = 0; - + err = krb5_error (credential->context, - krb5_get_init_creds_password (credential->context, + krb5_get_init_creds_password (credential->context, &creds, principal, - (char *) new_password, - kim_ui_prompter, + (char *) new_password, + kim_ui_prompter, &context, - start_time, - service, + start_time, + service, opts)); - + prompt_count = context.prompt_count; /* remember if we got prompts */ if (!err) { free_creds = 1; } - + if (!err) { err = krb5_error (credential->context, krb5_copy_creds (credential->context, - &creds, + &creds, &credential->creds)); - } + } } - + kim_string_free (&new_password); } - - if (!err || err == KIM_USER_CANCELED_ERR || + + if (!err || err == KIM_USER_CANCELED_ERR || err == KIM_DUPLICATE_UI_REQUEST_ERR) { /* new creds obtained or the user gave up */ done_with_credentials = 1; - + if (!err) { /* remember identity and options if the user wanted to */ kim_credential_remember_prefs (identity, options); } - - if (err == KIM_DUPLICATE_UI_REQUEST_ERR) { + + if (err == KIM_DUPLICATE_UI_REQUEST_ERR) { kim_ccache ccache = NULL; - /* credential for this identity was obtained, but via a different + /* credential for this identity was obtained, but via a different * dialog. Find it. */ - - err = kim_ccache_create_from_client_identity (&ccache, + + err = kim_ccache_create_from_client_identity (&ccache, identity); - + if (!err) { - err = kim_ccache_get_valid_credential (ccache, + err = kim_ccache_get_valid_credential (ccache, &credential); } - + kim_ccache_free (&ccache); - } - + } + } else if (prompt_count) { - /* User was prompted and might have entered bad info + /* User was prompted and might have entered bad info * so report error and try again. */ - - err = kim_ui_handle_kim_error (&context, identity, + + err = kim_ui_handle_kim_error (&context, identity, kim_ui_error_type_authentication, err); } - - if (err == KRB5KRB_AP_ERR_BAD_INTEGRITY || + + if (err == KRB5KRB_AP_ERR_BAD_INTEGRITY || err == KRB5KDC_ERR_PREAUTH_FAILED || err == KIM_BAD_PASSWORD_ERR || err == KIM_PREAUTH_FAILED_ERR) { /* if the password could have failed, remove any saved ones * or the user will get stuck. */ kim_os_identity_remove_saved_password (identity); } - + if (free_creds) { krb5_free_cred_contents (credential->context, &creds); } } - + if (!err || err == KIM_USER_CANCELED_ERR) { /* identity obtained or the user gave up */ done_with_identity = 1; - + } else if (!in_identity) { /* User entered an identity so report error and try again */ - err = kim_ui_handle_kim_error (&context, identity, + err = kim_ui_handle_kim_error (&context, identity, kim_ui_error_type_authentication, err); - } - + } + if (identity != in_identity) { kim_identity_free (&identity); } } - + if (ui_inited) { kim_error fini_err = kim_ui_fini (&context); if (!err) { err = check_error (fini_err); } } - + if (!err) { *out_credential = credential; credential = NULL; } - + if (options != in_options) { kim_options_free (&options); } kim_credential_free (&credential); - + return check_error (err); } @@ -493,91 +493,91 @@ kim_error kim_credential_create_from_keytab (kim_credential *out_credential, kim_boolean free_creds = FALSE; krb5_principal principal = NULL; kim_options options = in_options; - + if (!err && !out_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_allocate (&credential); } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&credential->context)); } - + if (!err && !options) { err = kim_options_create (&options); } - + if (!err) { if (in_keytab) { err = krb5_error (credential->context, - krb5_kt_resolve (credential->context, + krb5_kt_resolve (credential->context, in_keytab, &keytab)); } else { err = krb5_error (credential->context, krb5_kt_default (credential->context, &keytab)); } } - + if (!err) { if (in_identity) { - err = kim_identity_get_krb5_principal (in_identity, - credential->context, + err = kim_identity_get_krb5_principal (in_identity, + credential->context, &principal); } else { krb5_kt_cursor cursor = NULL; krb5_keytab_entry entry; kim_boolean entry_allocated = FALSE; - + err = krb5_error (credential->context, - krb5_kt_start_seq_get (credential->context, - keytab, + krb5_kt_start_seq_get (credential->context, + keytab, &cursor)); - + if (!err) { err = krb5_error (credential->context, - krb5_kt_next_entry (credential->context, - keytab, - &entry, + krb5_kt_next_entry (credential->context, + keytab, + &entry, &cursor)); entry_allocated = (err == KIM_NO_ERROR); /* remember to free later */ } - + if (!err) { err = krb5_error (credential->context, - krb5_copy_principal (credential->context, - entry.principal, + krb5_copy_principal (credential->context, + entry.principal, &principal)); } - + if (entry_allocated) { krb5_free_keytab_entry_contents (credential->context, &entry); } if (cursor ) { krb5_kt_end_seq_get (credential->context, keytab, &cursor); } } } - + if (!err) { krb5_get_init_creds_opt *opts = kim_options_init_cred_options (options); char *service = kim_options_service_name (options); kim_time start_time = kim_options_start_time (options); - + err = krb5_error (credential->context, - krb5_get_init_creds_keytab (credential->context, - &creds, - principal, - keytab, - start_time, - service, + krb5_get_init_creds_keytab (credential->context, + &creds, + principal, + keytab, + start_time, + service, opts)); if (!err) { free_creds = TRUE; } } - + if (!err) { err = krb5_error (credential->context, krb5_copy_creds (credential->context, - &creds, + &creds, &credential->creds)); } - + if (principal ) { krb5_free_principal (credential->context, principal); } if (free_creds) { krb5_free_cred_contents (credential->context, &creds); } @@ -585,10 +585,10 @@ kim_error kim_credential_create_from_keytab (kim_credential *out_credential, *out_credential = credential; credential = NULL; } - + if (options != in_options) { kim_options_free (&options); } kim_credential_free (&credential); - + return check_error (err); } @@ -602,33 +602,33 @@ kim_error kim_credential_create_from_krb5_creds (kim_credential *out_credential, { kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; - + if (!err && !out_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_creds ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_allocate (&credential); } - + if (!err) { - err = krb5_error (in_krb5_context, + err = krb5_error (in_krb5_context, krb5_copy_context (in_krb5_context, &credential->context)); } - + if (!err) { err = krb5_error (credential->context, - krb5_copy_creds (credential->context, - in_krb5_creds, + krb5_copy_creds (credential->context, + in_krb5_creds, &credential->creds)); } - + if (!err) { *out_credential = credential; credential = NULL; } - + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -644,76 +644,76 @@ kim_error kim_credential_create_for_change_password (kim_credential *out_creden kim_string realm = NULL; kim_string service = NULL; kim_string service_format = "kadmin/changepw@%s"; - + if (!err && !out_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_old_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_user_was_prompted) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_allocate (&credential); } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&credential->context)); } - + if (!err) { err = kim_identity_get_realm (in_identity, &realm); } - + if (!err) { err = kim_string_create_from_format (&service, service_format, realm); } - + if (!err) { krb5_creds creds; kim_boolean free_creds = 0; krb5_principal principal = kim_identity_krb5_principal (in_identity); krb5_get_init_creds_opt opts; - + krb5_get_init_creds_opt_init (&opts); krb5_get_init_creds_opt_set_tkt_life (&opts, 5*60); krb5_get_init_creds_opt_set_renew_life (&opts, 0); krb5_get_init_creds_opt_set_forwardable (&opts, 0); krb5_get_init_creds_opt_set_proxiable (&opts, 0); - + /* set counter to zero so we can tell if we got prompted */ - in_ui_context->prompt_count = 0; + in_ui_context->prompt_count = 0; in_ui_context->identity = in_identity; err = krb5_error (credential->context, - krb5_get_init_creds_password (credential->context, + krb5_get_init_creds_password (credential->context, &creds, principal, - (char *) in_old_password, - kim_ui_prompter, - in_ui_context, 0, - (char *) service, - &opts)); - + (char *) in_old_password, + kim_ui_prompter, + in_ui_context, 0, + (char *) service, + &opts)); + if (!err) { free_creds = 1; } - + if (!err) { err = krb5_error (credential->context, krb5_copy_creds (credential->context, - &creds, + &creds, &credential->creds)); } - + if (free_creds) { krb5_free_cred_contents (credential->context, &creds); } } - + if (!err) { *out_user_was_prompted = (in_ui_context->prompt_count > 0); *out_credential = credential; credential = NULL; } - + kim_string_free (&realm); kim_string_free (&service); kim_credential_free (&credential); - + return check_error (err); } @@ -724,32 +724,32 @@ kim_error kim_credential_copy (kim_credential *out_credential, { kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; - + if (!err && !out_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_allocate (&credential); } - + if (!err) { - err = krb5_error (in_credential->context, + err = krb5_error (in_credential->context, krb5_copy_context (in_credential->context, &credential->context)); } - + if (!err) { err = krb5_error (credential->context, - krb5_copy_creds (credential->context, - in_credential->creds, + krb5_copy_creds (credential->context, + in_credential->creds, &credential->creds)); } - + if (!err) { *out_credential = credential; credential = NULL; } - + return check_error (err); } @@ -760,18 +760,18 @@ kim_error kim_credential_get_krb5_creds (kim_credential in_credential, krb5_creds **out_krb5_creds) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_krb5_creds ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5_error (in_krb5_context, - krb5_copy_creds (in_krb5_context, - in_credential->creds, + krb5_copy_creds (in_krb5_context, + in_credential->creds, out_krb5_creds)); } - + return check_error (err); } @@ -781,16 +781,16 @@ kim_error kim_credential_get_client_identity (kim_credential in_credential, kim_identity *out_client_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_create_from_krb5_principal (out_client_identity, in_credential->context, in_credential->creds->client); } - + return check_error (err); } @@ -800,16 +800,16 @@ kim_error kim_credential_get_service_identity (kim_credential in_credential, kim_identity *out_service_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_service_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_create_from_krb5_principal (out_service_identity, in_credential->context, in_credential->creds->server); } - + return check_error (err); } @@ -820,20 +820,20 @@ kim_error kim_credential_is_tgt (kim_credential in_credential, { kim_error err = KIM_NO_ERROR; kim_identity service = NULL; - + if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_is_tgt ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_get_service_identity (in_credential, &service); } - + if (!err) { err = kim_identity_is_tgt_service (service, out_is_tgt); } - + kim_identity_free (&service); - + return check_error (err); } @@ -846,70 +846,70 @@ kim_error kim_credential_get_state (kim_credential in_credential, kim_time expiration_time = 0; kim_time start_time = 0; krb5_timestamp now = 0; - + if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_state ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_get_expiration_time (in_credential, &expiration_time); } - + if (!err) { err = kim_credential_get_start_time (in_credential, &start_time); } - + if (!err) { krb5_int32 usec; - + err = krb5_error (in_credential->context, - krb5_us_timeofday (in_credential->context, + krb5_us_timeofday (in_credential->context, &now, &usec)); } - + if (!err) { *out_state = kim_credentials_state_valid; - + if (expiration_time <= now) { *out_state = kim_credentials_state_expired; - - } else if ((in_credential->creds->ticket_flags & TKT_FLG_POSTDATED) && + + } else if ((in_credential->creds->ticket_flags & TKT_FLG_POSTDATED) && (in_credential->creds->ticket_flags & TKT_FLG_INVALID)) { - if (start_time > now) { + if (start_time > now) { *out_state = kim_credentials_state_not_yet_valid; } else { *out_state = kim_credentials_state_needs_validation; } - + } else if (in_credential->creds->addresses) { /* ticket contains addresses */ krb5_address **laddresses = NULL; - - krb5_error_code code = krb5_os_localaddr (in_credential->context, + + krb5_error_code code = krb5_os_localaddr (in_credential->context, &laddresses); if (!code) { laddresses = NULL; } - + if (laddresses) { /* assume valid if the local host has no addresses */ kim_boolean found_match = FALSE; kim_count i = 0; - + for (i = 0; in_credential->creds->addresses[i]; i++) { - if (!krb5_address_search (in_credential->context, - in_credential->creds->addresses[i], + if (!krb5_address_search (in_credential->context, + in_credential->creds->addresses[i], laddresses)) { found_match = TRUE; break; } } - + if (!found_match) { *out_state = kim_credentials_state_address_mismatch; } } - - if (laddresses) { krb5_free_addresses (in_credential->context, + + if (laddresses) { krb5_free_addresses (in_credential->context, laddresses); } } } - + return check_error (err); } @@ -919,16 +919,16 @@ kim_error kim_credential_get_start_time (kim_credential in_credential, kim_time *out_start_time) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_start_time) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - *out_start_time = (in_credential->creds->times.starttime ? + *out_start_time = (in_credential->creds->times.starttime ? in_credential->creds->times.starttime : in_credential->creds->times.authtime); } - + return check_error (err); } @@ -938,13 +938,13 @@ kim_error kim_credential_get_expiration_time (kim_credential in_credential, kim_time *out_expiration_time) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_expiration_time = in_credential->creds->times.endtime; } - + return check_error (err); } @@ -954,10 +954,10 @@ kim_error kim_credential_get_renewal_expiration_time (kim_credential in_credent kim_time *out_renewal_expiration_time) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_renewal_expiration_time) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { if (in_credential->creds->ticket_flags & TKT_FLG_RENEWABLE) { *out_renewal_expiration_time = in_credential->creds->times.renew_till; @@ -965,7 +965,7 @@ kim_error kim_credential_get_renewal_expiration_time (kim_credential in_credent *out_renewal_expiration_time = 0; } } - + return check_error (err); } @@ -977,95 +977,95 @@ kim_error kim_credential_get_options (kim_credential in_credential, kim_error err = KIM_NO_ERROR; kim_options options = NULL; krb5_creds *creds = NULL; - + if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { creds = in_credential->creds; - + err = kim_options_create (&options); } - + if (!err) { err = kim_options_set_start_time (options, creds->times.starttime); } - + if (!err) { kim_lifetime lifetime = (creds->times.endtime - (creds->times.starttime ? creds->times.starttime : creds->times.authtime)); - + err = kim_options_set_lifetime (options, lifetime); } - + if (!err) { kim_boolean renewable = (creds->ticket_flags & TKT_FLG_RENEWABLE); - + err = kim_options_set_renewable (options, renewable); } - + if (!err) { kim_lifetime rlifetime = (creds->ticket_flags & TKT_FLG_RENEWABLE ? creds->times.renew_till - (creds->times.starttime ? creds->times.starttime : creds->times.authtime) : 0); - + err = kim_options_set_renewal_lifetime (options, rlifetime); } - + if (!err) { kim_boolean forwardable = (creds->ticket_flags & TKT_FLG_FORWARDABLE); - + err = kim_options_set_forwardable (options, forwardable); } - + if (!err) { kim_boolean proxiable = (creds->ticket_flags & TKT_FLG_PROXIABLE); - + err = kim_options_set_proxiable (options, proxiable); } - + if (!err) { kim_boolean addressless = (!creds->addresses || !creds->addresses[0]); err = kim_options_set_addressless (options, addressless); } - + if (!err) { kim_boolean is_tgt = 0; kim_string service = NULL; /* tgt service */ - + err = kim_credential_is_tgt (in_credential, &is_tgt); - + if (!err && !is_tgt) { kim_identity identity = NULL; - + err = kim_credential_get_service_identity (in_credential, &identity); - + if (!err) { err = kim_identity_get_string (identity, &service); } kim_identity_free (&identity); } - + if (!err) { err = kim_options_set_service_name (options, service); } - + kim_string_free (&service); } - + if (!err) { *out_options = options; options = NULL; } - + kim_options_free (&options); - + return check_error (err); } @@ -1078,70 +1078,70 @@ kim_error kim_credential_store (kim_credential in_credential, kim_error err = KIM_NO_ERROR; krb5_ccache k5ccache = NULL; kim_boolean destroy_ccache_on_error = FALSE; - + if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { char *environment_ccache = getenv ("KRB5CCNAME"); - + if (environment_ccache) { err = krb5_error (in_credential->context, - krb5_cc_resolve (in_credential->context, - environment_ccache, + krb5_cc_resolve (in_credential->context, + environment_ccache, &k5ccache)); - + } else { kim_ccache ccache = NULL; - - err = kim_ccache_create_from_client_identity (&ccache, + + err = kim_ccache_create_from_client_identity (&ccache, in_identity); - + if (!err) { - err = kim_ccache_get_krb5_ccache (ccache, - in_credential->context, + err = kim_ccache_get_krb5_ccache (ccache, + in_credential->context, &k5ccache); - + } else if (err == KIM_NO_SUCH_PRINCIPAL_ERR) { /* Nothing to replace, create a new ccache */ err = krb5_error (in_credential->context, - krb5_cc_new_unique (in_credential->context, + krb5_cc_new_unique (in_credential->context, "API", NULL, &k5ccache)); if (!err) { destroy_ccache_on_error = TRUE; } } - + kim_ccache_free (&ccache); } } - + if (!err) { krb5_principal principal = kim_identity_krb5_principal (in_identity); - + err = krb5_error (in_credential->context, - krb5_cc_initialize (in_credential->context, + krb5_cc_initialize (in_credential->context, k5ccache, principal)); } - + if (!err) { err = krb5_error (in_credential->context, - krb5_cc_store_cred (in_credential->context, + krb5_cc_store_cred (in_credential->context, k5ccache, in_credential->creds)); } - + if (!err && out_ccache) { - err = kim_ccache_create_from_krb5_ccache (out_ccache, - in_credential->context, + err = kim_ccache_create_from_krb5_ccache (out_ccache, + in_credential->context, k5ccache); } - - if (k5ccache) { + + if (k5ccache) { if (err && destroy_ccache_on_error) { - krb5_cc_destroy (in_credential->context, k5ccache); + krb5_cc_destroy (in_credential->context, k5ccache); } else { - krb5_cc_close (in_credential->context, k5ccache); + krb5_cc_close (in_credential->context, k5ccache); } } - + return check_error (err); } @@ -1157,89 +1157,89 @@ kim_error kim_credential_verify (kim_credential in_credential, kim_error err = KIM_NO_ERROR; krb5_context scontext = NULL; krb5_keytab keytab = NULL; - + if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5_error (NULL, krb5_init_secure_context (&scontext)); } - + if (in_keytab) { - err = krb5_error (scontext, + err = krb5_error (scontext, krb5_kt_resolve (scontext, in_keytab, &keytab)); } - + if (!err) { krb5_principal sprincipal = NULL; krb5_verify_init_creds_opt options; - + /* That's "no key == fail" not "no fail" >.< */ krb5_verify_init_creds_opt_init (&options); krb5_verify_init_creds_opt_set_ap_req_nofail (&options, in_fail_if_no_service_key); - - if (in_service_identity) { - sprincipal = kim_identity_krb5_principal (in_service_identity); + + if (in_service_identity) { + sprincipal = kim_identity_krb5_principal (in_service_identity); } - + err = krb5_error (scontext, - krb5_verify_init_creds (scontext, - in_credential->creds, + krb5_verify_init_creds (scontext, + in_credential->creds, sprincipal, keytab, NULL /* don't store creds in ccache */, &options)); - + if (err && !in_service_identity && in_fail_if_no_service_key) { /* If the service principal wasn't specified but we are supposed to - * fail without a key we should walk the keytab trying to find one + * fail without a key we should walk the keytab trying to find one * that succeeds. */ krb5_error_code terr = 0; kim_boolean verified = 0; krb5_kt_cursor cursor = NULL; krb5_keytab_entry entry; - - + + if (!keytab) { terr = krb5_kt_default (scontext, &keytab); } - + if (!terr) { terr = krb5_kt_start_seq_get (scontext, keytab, &cursor); } - + while (!terr && !verified) { kim_boolean free_entry = 0; - + terr = krb5_kt_next_entry (scontext, keytab, &entry, &cursor); free_entry = !terr; /* remember to free */ - + if (!terr) { terr = krb5_verify_init_creds (scontext, in_credential->creds, - entry.principal /* get principal for the 1st entry */, + entry.principal /* get principal for the 1st entry */, keytab, NULL /* don't store creds in ccache */, &options); } - + if (!terr) { verified = 1; } - + if (free_entry) { krb5_free_keytab_entry_contents (scontext, &entry); } } - + if (!terr && verified) { /* We found a key that verified! */ err = KIM_NO_ERROR; } - + if (cursor) { krb5_kt_end_seq_get (scontext, keytab, &cursor); } } } - + if (keytab ) { krb5_kt_close (scontext, keytab); } if (scontext) { krb5_free_context (scontext); } - + return check_error (err); } @@ -1253,71 +1253,71 @@ kim_error kim_credential_renew (kim_credential *io_credential, kim_error err = KIM_NO_ERROR; kim_string service_name = NULL; krb5_ccache ccache = NULL; - + if (!err && !io_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_options options = in_options; - + if (!options) { err = kim_options_create (&options); } - + if (!err) { err = kim_options_get_service_name (options, &service_name); } - + if (options != in_options) { kim_options_free (&options); } } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_cc_new_unique ((*io_credential)->context, - "MEMORY", NULL, + krb5_cc_new_unique ((*io_credential)->context, + "MEMORY", NULL, &ccache)); } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_cc_initialize ((*io_credential)->context, ccache, + krb5_cc_initialize ((*io_credential)->context, ccache, (*io_credential)->creds->client)); } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_cc_store_cred ((*io_credential)->context, ccache, + krb5_cc_store_cred ((*io_credential)->context, ccache, (*io_credential)->creds)); } - + if (!err) { krb5_creds creds; krb5_creds *renewed_creds = NULL; kim_boolean free_creds = 0; - + err = krb5_error ((*io_credential)->context, - krb5_get_renewed_creds ((*io_credential)->context, + krb5_get_renewed_creds ((*io_credential)->context, &creds, (*io_credential)->creds->client, ccache, (char *) service_name)); if (!err) { free_creds = 1; } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_copy_creds ((*io_credential)->context, + krb5_copy_creds ((*io_credential)->context, &creds, &renewed_creds)); } - + if (!err) { /* replace the credentials */ - krb5_free_creds ((*io_credential)->context, (*io_credential)->creds); + krb5_free_creds ((*io_credential)->context, (*io_credential)->creds); (*io_credential)->creds = renewed_creds; } - + if (free_creds) { krb5_free_cred_contents ((*io_credential)->context, &creds); } } - + if (ccache) { krb5_cc_destroy ((*io_credential)->context, ccache); } kim_string_free (&service_name); - + return check_error (err); } @@ -1329,73 +1329,73 @@ kim_error kim_credential_validate (kim_credential *io_credential, kim_error err = KIM_NO_ERROR; kim_string service_name = NULL; krb5_ccache ccache = NULL; - + if (!err && !io_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_options options = in_options; - + if (!options) { err = kim_options_create (&options); } - + if (!err) { err = kim_options_get_service_name (options, &service_name); } - + if (options != in_options) { kim_options_free (&options); } } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_cc_new_unique ((*io_credential)->context, - "MEMORY", NULL, + krb5_cc_new_unique ((*io_credential)->context, + "MEMORY", NULL, &ccache)); } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_cc_initialize ((*io_credential)->context, ccache, + krb5_cc_initialize ((*io_credential)->context, ccache, (*io_credential)->creds->client)); } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_cc_store_cred ((*io_credential)->context, ccache, + krb5_cc_store_cred ((*io_credential)->context, ccache, (*io_credential)->creds)); } - + if (!err) { krb5_creds creds; krb5_creds *validated_creds = NULL; kim_boolean free_creds = 0; - + err = krb5_error ((*io_credential)->context, - krb5_get_validated_creds ((*io_credential)->context, - &creds, - (*io_credential)->creds->client, - ccache, + krb5_get_validated_creds ((*io_credential)->context, + &creds, + (*io_credential)->creds->client, + ccache, (char *) service_name)); if (!err) { free_creds = 1; } - + if (!err) { err = krb5_error ((*io_credential)->context, - krb5_copy_creds ((*io_credential)->context, + krb5_copy_creds ((*io_credential)->context, &creds, &validated_creds)); } - + if (!err) { /* replace the credentials */ - krb5_free_creds ((*io_credential)->context, (*io_credential)->creds); + krb5_free_creds ((*io_credential)->context, (*io_credential)->creds); (*io_credential)->creds = validated_creds; } - + if (free_creds) { krb5_free_cred_contents ((*io_credential)->context, &creds); } } - + if (ccache) { krb5_cc_destroy ((*io_credential)->context, ccache); } kim_string_free (&service_name); - + return check_error (err); } diff --git a/src/kim/lib/kim_debug.c b/src/kim/lib/kim_debug.c index 645a51f43..1fe658293 100644 --- a/src/kim/lib/kim_debug.c +++ b/src/kim/lib/kim_debug.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -28,49 +28,49 @@ /* ------------------------------------------------------------------------ */ -kim_error _check_error (kim_error in_err, - kim_string in_function, - kim_string in_file, +kim_error _check_error (kim_error in_err, + kim_string in_function, + kim_string in_file, int in_line) { if (in_err) { - kim_debug_printf ("%s(): got %d ('%s') at %s: %d", - in_function, in_err, kim_error_message (in_err), + kim_debug_printf ("%s(): got %d ('%s') at %s: %d", + in_function, in_err, kim_error_message (in_err), in_file, in_line); } - + return in_err; } /* ------------------------------------------------------------------------ */ -void __kim_debug_printf (kim_string in_function, - kim_string in_format, +void __kim_debug_printf (kim_string in_function, + kim_string in_format, ...) { kim_error err = KIM_NO_ERROR; kim_string format = NULL; kim_string string = NULL; - + if (!err && !in_function) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_format ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_string_create_from_format (&format, "%s(): %s", + err = kim_string_create_from_format (&format, "%s(): %s", in_function, in_format); } - + if (!err) { va_list args; va_start (args, in_format); err = kim_string_create_from_format_va (&string, format, args); va_end (args); } - + if (!err) { kim_os_debug_print (string); } - + kim_string_free (&format); kim_string_free (&string); } diff --git a/src/kim/lib/kim_debug_private.h b/src/kim/lib/kim_debug_private.h index f9b67f0d9..451bf34d4 100644 --- a/src/kim/lib/kim_debug_private.h +++ b/src/kim/lib/kim_debug_private.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -25,13 +25,13 @@ */ #define kim_debug_printf(format, ...) __kim_debug_printf(__FUNCTION__, format, ## __VA_ARGS__) -void __kim_debug_printf (kim_string in_function, - kim_string in_format, +void __kim_debug_printf (kim_string in_function, + kim_string in_format, ...); -kim_error _check_error (kim_error in_err, - kim_string in_function, - kim_string in_file, +kim_error _check_error (kim_error in_err, + kim_string in_function, + kim_string in_file, int in_line); #define check_error(err) _check_error(err, __FUNCTION__, __FILE__, __LINE__) diff --git a/src/kim/lib/kim_error_message.c b/src/kim/lib/kim_error_message.c index 6a891aa48..d07ad1933 100644 --- a/src/kim/lib/kim_error_message.c +++ b/src/kim/lib/kim_error_message.c @@ -48,13 +48,13 @@ static kim_error kim_error_set_message (kim_error in_error, { int lock_err = 0; kim_error err = KIM_NO_ERROR; - kim_last_error last_error = NULL; - + kim_last_error last_error = NULL; + err = lock_err = k5_mutex_lock (&kim_error_lock); - + if (!err) { last_error = k5_getspecific (K5_KEY_KIM_ERROR_MESSAGE); - + if (!last_error) { last_error = malloc (sizeof (*last_error)); if (!last_error) { @@ -65,15 +65,15 @@ static kim_error kim_error_set_message (kim_error in_error, } } } - + if (!err) { strncpy (last_error->message, in_message, sizeof (last_error->message)); last_error->message[sizeof (last_error->message)-1] = '\0'; last_error->code = in_error; } - + if (!lock_err) { k5_mutex_unlock (&kim_error_lock); } - + return err; } @@ -82,7 +82,7 @@ static kim_error kim_error_set_message (kim_error in_error, static void kim_error_free_message (void *io_error) { kim_last_error error = io_error; - + if (error) { if (error->message) { free (error->message); @@ -110,14 +110,14 @@ static kim_error kim_error_remap (kim_error in_error) switch (in_error) { case KRB5KRB_AP_ERR_BAD_INTEGRITY: return KIM_BAD_PASSWORD_ERR; - + case KRB5KDC_ERR_PREAUTH_FAILED: return KIM_PREAUTH_FAILED_ERR; - + case KRB5KRB_AP_ERR_SKEW: return KIM_CLOCK_SKEW_ERR; } - + return in_error; } @@ -126,43 +126,43 @@ static kim_error kim_error_remap (kim_error in_error) kim_string kim_error_message (kim_error in_error) { int lock_err = 0; - kim_last_error last_error = NULL; + kim_last_error last_error = NULL; kim_string message = NULL; - + lock_err = k5_mutex_lock (&kim_error_lock); - + if (!lock_err) { last_error = k5_getspecific (K5_KEY_KIM_ERROR_MESSAGE); if (last_error && last_error->code == in_error) { message = last_error->message; } } - + if (!lock_err) { k5_mutex_unlock (&kim_error_lock); } - - return message ? message : error_message (kim_error_remap (in_error)); + + return message ? message : error_message (kim_error_remap (in_error)); } #pragma mark -- Generic Functions -- /* ------------------------------------------------------------------------ */ -kim_error kim_error_set_message_for_code (kim_error in_error, +kim_error kim_error_set_message_for_code (kim_error in_error, ...) { kim_error err = KIM_NO_ERROR; va_list args; - + va_start (args, in_error); err = kim_error_set_message_for_code_va (in_error, args); va_end (args); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_error_set_message_for_code_va (kim_error in_code, +kim_error kim_error_set_message_for_code_va (kim_error in_code, va_list in_args) { kim_error err = KIM_NO_ERROR; @@ -170,44 +170,44 @@ kim_error kim_error_set_message_for_code_va (kim_error in_code, if (!kim_error_is_builtin (code)) { kim_string message = NULL; - - err = kim_string_create_from_format_va_retcode (&message, - error_message (code), + + err = kim_string_create_from_format_va_retcode (&message, + error_message (code), in_args); - + if (!err) { err = kim_error_set_message (code, message); } - + kim_string_free (&message); } - + return err ? err : code; } /* ------------------------------------------------------------------------ */ -kim_error kim_error_set_message_for_krb5_error (krb5_context in_context, +kim_error kim_error_set_message_for_krb5_error (krb5_context in_context, krb5_error_code in_code) { kim_error err = KIM_NO_ERROR; krb5_error_code code = kim_error_remap (in_code); - + if (code != in_code) { /* error was remapped to a KIM error */ err = kim_error_set_message (code, error_message (code)); } else if (!kim_error_is_builtin (code)) { const char *message = krb5_get_error_message (in_context, code); - + if (message) { err = kim_error_set_message (code, message); - + krb5_free_error_message (in_context, message); } } - + return err ? err : code; } @@ -218,16 +218,16 @@ kim_error kim_error_set_message_for_krb5_error (krb5_context in_context, int kim_error_initialize (void) { int err = 0; - + if (!err) { err = k5_mutex_finish_init (&kim_error_lock); } - + if (!err) { - err = k5_key_register (K5_KEY_KIM_ERROR_MESSAGE, + err = k5_key_register (K5_KEY_KIM_ERROR_MESSAGE, kim_error_free_message); } - + return err; } @@ -238,8 +238,7 @@ void kim_error_terminate (void) if (!INITIALIZER_RAN (kim_error_initialize) || PROGRAM_EXITING ()) { return; } - + k5_key_delete (K5_KEY_KIM_ERROR_MESSAGE); k5_mutex_destroy (&kim_error_lock); } - diff --git a/src/kim/lib/kim_error_private.h b/src/kim/lib/kim_error_private.h index 72e409954..e4aa272eb 100644 --- a/src/kim/lib/kim_error_private.h +++ b/src/kim/lib/kim_error_private.h @@ -29,11 +29,11 @@ #include -kim_error kim_error_set_message_for_code (kim_error in_code, +kim_error kim_error_set_message_for_code (kim_error in_code, ...); -kim_error kim_error_set_message_for_code_va (kim_error in_code, +kim_error kim_error_set_message_for_code_va (kim_error in_code, va_list in_args); -kim_error kim_error_set_message_for_krb5_error (krb5_context in_context, +kim_error kim_error_set_message_for_krb5_error (krb5_context in_context, krb5_error_code in_code); #define krb5_error(context,code) kim_error_set_message_for_krb5_error(context, code) diff --git a/src/kim/lib/kim_identity.c b/src/kim/lib/kim_identity.c index 2a1ad5e3f..60572639e 100644 --- a/src/kim/lib/kim_identity.c +++ b/src/kim/lib/kim_identity.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -43,23 +43,23 @@ static inline kim_error kim_identity_allocate (kim_identity *out_identity) { kim_error err = kim_library_init (); kim_identity identity = NULL; - + if (!err && !out_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { identity = malloc (sizeof (*identity)); if (!identity) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { *identity = kim_identity_initializer; *out_identity = identity; identity = NULL; } - + kim_identity_free (&identity); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -69,60 +69,60 @@ kim_error kim_identity_create_from_string (kim_identity *out_identity, { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; - + if (!err && !out_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_allocate (&identity); } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&identity->context)); } - + if (!err) { krb5_error_code code = krb5_parse_name (identity->context, in_string, &identity->principal); if (code == KRB5_PARSE_MALFORMED) { - err = kim_error_set_message_for_code (KIM_BAD_PRINCIPAL_STRING_ERR, + err = kim_error_set_message_for_code (KIM_BAD_PRINCIPAL_STRING_ERR, in_string); } else if (code) { err = krb5_error (identity->context, code); } } - + if (!err) { *out_identity = identity; identity = NULL; } - + if (identity) { kim_identity_free (&identity); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ kim_error kim_identity_create_from_components (kim_identity *out_identity, - kim_string in_realm, + kim_string in_realm, kim_string in_1st_component, ...) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; - + if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_realm ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_1st_component) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_allocate (&identity); } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&identity->context)); } - + if (!err) { va_list args; @@ -135,15 +135,15 @@ kim_error kim_identity_create_from_components (kim_identity *out_identity, in_1st_component, args)); va_end (args); - } + } if (!err) { *out_identity = identity; identity = NULL; } - + kim_identity_free (&identity); - + return check_error (err); } @@ -155,40 +155,40 @@ kim_error kim_identity_create_from_krb5_principal (kim_identity *out_identity, { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; - + if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_principal) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* KLCreatePrincipalFromKerberos5Principal passes NULL in_krb5_context */ - + if (!err) { err = kim_identity_allocate (&identity); } - + if (!err) { if (in_krb5_context) { - err = krb5_error (in_krb5_context, + err = krb5_error (in_krb5_context, krb5_copy_context (in_krb5_context, &identity->context)); } else { - err = krb5_error (NULL, + err = krb5_error (NULL, krb5_init_context (&identity->context)); } } - + if (!err) { err = krb5_error (identity->context, - krb5_copy_principal (identity->context, - in_krb5_principal, + krb5_copy_principal (identity->context, + in_krb5_principal, &identity->principal)); } - + if (!err) { *out_identity = identity; identity = NULL; } - + kim_identity_free (&identity); - + return check_error (err); } @@ -199,33 +199,33 @@ kim_error kim_identity_copy (kim_identity *out_identity, { kim_error err = KIM_NO_ERROR; kim_identity identity = KIM_IDENTITY_ANY; - + if (!err && !out_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && in_identity != KIM_IDENTITY_ANY) { err = kim_identity_allocate (&identity); - + if (!err) { - err = krb5_error (in_identity->context, + err = krb5_error (in_identity->context, krb5_copy_context (in_identity->context, &identity->context)); } - + if (!err) { err = krb5_error (identity->context, - krb5_copy_principal (identity->context, - in_identity->principal, + krb5_copy_principal (identity->context, + in_identity->principal, &identity->principal)); } } - + if (!err) { *out_identity = identity; identity = NULL; } - + kim_identity_free (&identity); - + return check_error (err); } @@ -236,35 +236,35 @@ kim_error kim_identity_compare (kim_identity in_identity, kim_comparison *out_comparison) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_compare_to_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_comparison ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - if (krb5_principal_compare (in_identity->context, - in_identity->principal, + if (krb5_principal_compare (in_identity->context, + in_identity->principal, in_compare_to_identity->principal)) { *out_comparison = 0; } else { kim_string string = NULL; kim_string compare_to_string = NULL; - + err = kim_identity_get_string (in_identity, &string); - + if (!err) { err = kim_identity_get_string (in_compare_to_identity, &compare_to_string); } - + if (!err) { err = kim_string_compare (string, compare_to_string, out_comparison); } - + kim_string_free (&string); kim_string_free (&compare_to_string); } } - + return check_error (err); } @@ -275,23 +275,23 @@ kim_error kim_identity_get_string (kim_identity in_identity, { kim_error err = KIM_NO_ERROR; char *unparsed_name = NULL; - + if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5_error (in_identity->context, - krb5_unparse_name (in_identity->context, - in_identity->principal, + krb5_unparse_name (in_identity->context, + in_identity->principal, &unparsed_name)); } - + if (!err) { err = kim_string_copy (out_string, unparsed_name); } - + if (unparsed_name) { krb5_free_unparsed_name (in_identity->context, unparsed_name); } - + return check_error (err); } @@ -302,22 +302,22 @@ kim_error kim_identity_get_display_string (kim_identity in_identity, { kim_error err = KIM_NO_ERROR; kim_string string = NULL; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_display_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_get_string (in_identity, &string); } - + if (!err) { kim_count i, j; kim_count length = strlen (string) + 1; /* Copy the '\0' */ char *display_string = (char *) string; /* so we can modify it */ - + /* In place copy, skipping escaped separators. * Note that we do not want to remove other escaped characters - * (tab, break, newline, NULL) because they are less readable + * (tab, break, newline, NULL) because they are less readable * when unescaped (and NULL isn't a valid string character). */ for (i = 0, j = 0; i < length; i++) { if (string[i] == '\\') { @@ -327,16 +327,16 @@ kim_error kim_identity_get_display_string (kim_identity in_identity, continue; /* skip the '\' */ } } - + display_string[j++] = string[i]; /* Copy this char */ - } - + } + *out_display_string = string; string = NULL; } - + if (string) { kim_string_free (&string); } - + return check_error (err); } @@ -346,16 +346,16 @@ kim_error kim_identity_get_realm (kim_identity in_identity, kim_string *out_realm_string) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_realm_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { krb5_data *realm = krb5_princ_realm (in_identity->context, in_identity->principal); - + err = kim_string_create_from_buffer (out_realm_string, realm->data, realm->length); } - + return check_error (err); } @@ -365,14 +365,14 @@ kim_error kim_identity_get_number_of_components (kim_identity in_identity, kim_count *out_number_of_components) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_number_of_components) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_number_of_components = krb5_princ_size (in_identity->context, in_identity->principal); } - + return check_error (err); } @@ -384,22 +384,22 @@ kim_error kim_identity_get_component_at_index (kim_identity in_identity, { kim_error err = KIM_NO_ERROR; krb5_data *component = NULL; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_component_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { krb5_int32 i = in_index; component = krb5_princ_component (in_identity->context, in_identity->principal, i); - if (!component) { - err = kim_error_set_message_for_code (KIM_BAD_COMPONENT_INDEX_ERR, i); + if (!component) { + err = kim_error_set_message_for_code (KIM_BAD_COMPONENT_INDEX_ERR, i); } } - + if (!err) { err = kim_string_create_from_buffer (out_component_string, component->data, component->length); } - + return check_error (err); } @@ -411,46 +411,46 @@ kim_error kim_identity_get_components_string (kim_identity in_identity, kim_error err = KIM_NO_ERROR; kim_string components = NULL; kim_count count, i; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_components) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_get_number_of_components (in_identity, &count); } - + if (!err) { err = kim_identity_get_component_at_index (in_identity, 0, &components); } - + for (i = 1; !err && i < count; i++) { kim_string new_components = NULL; kim_string component = NULL; - + err = kim_identity_get_component_at_index (in_identity, i, &component); - + if (!err) { err = kim_string_create_from_format (&new_components, "%s/%s", components, component); } - + if (!err) { kim_string_free (&components); components = new_components; new_components = NULL; } - + if (component ) { kim_string_free (&component); } if (new_components) { kim_string_free (&new_components); } } - + if (!err) { *out_components = components; components = NULL; } - + if (components) { kim_string_free (&components); } - + return check_error (err); } @@ -461,18 +461,18 @@ kim_error kim_identity_get_krb5_principal (kim_identity in_identity, krb5_principal *out_krb5_principal) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_krb5_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_krb5_principal) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5_error (in_krb5_context, - krb5_copy_principal (in_krb5_context, - in_identity->principal, + krb5_copy_principal (in_krb5_context, + in_identity->principal, out_krb5_principal)); - } - + } + return check_error (err); } @@ -493,20 +493,20 @@ kim_error kim_identity_is_tgt_service (kim_identity in_identity, kim_boolean *out_is_tgt_service) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_is_tgt_service) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_count count = krb5_princ_size (in_identity->context, in_identity->principal); krb5_data *name = krb5_princ_name (in_identity->context, in_identity->principal); - + /* krbtgt/@ (usually REALM1 == REALM2, but not always) */ *out_is_tgt_service = ((count == 2) && (strlen (KRB5_TGS_NAME) == name->length) && (strncmp (name->data, KRB5_TGS_NAME, name->length) == 0)); } - + return check_error (err); } @@ -526,13 +526,13 @@ kim_error kim_identity_change_password_with_credential (kim_identity in_ident int rejected_err = 0; krb5_data message_data; krb5_data description_data; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_ui_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_rejected_err) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_credential_get_krb5_creds (in_credential, in_identity->context, @@ -540,68 +540,68 @@ kim_error kim_identity_change_password_with_credential (kim_identity in_ident } if (!err) { - if (krb5_principal_compare (in_identity->context, + if (krb5_principal_compare (in_identity->context, in_identity->principal, creds->client)) { /* Same principal, change the password normally */ err = krb5_error (in_identity->context, - krb5_change_password (in_identity->context, - creds, - (char *) in_new_password, - &rejected_err, - &message_data, + krb5_change_password (in_identity->context, + creds, + (char *) in_new_password, + &rejected_err, + &message_data, &description_data)); } else { /* Different principal, use set change password protocol */ err = krb5_error (in_identity->context, - krb5_set_password (in_identity->context, - creds, - (char *) in_new_password, + krb5_set_password (in_identity->context, + creds, + (char *) in_new_password, in_identity->principal, - &rejected_err, - &message_data, + &rejected_err, + &message_data, &description_data)); } - + } - + if (!err && rejected_err) { kim_string rejected_message = NULL; kim_string rejected_description = NULL; - + if (message_data.data && message_data.length > 0) { - err = kim_string_create_from_buffer (&rejected_message, - message_data.data, + err = kim_string_create_from_buffer (&rejected_message, + message_data.data, message_data.length); } else { err = kim_os_string_create_localized (&rejected_message, "Kerberos Change Password Failed:"); } - + if (!err) { if (description_data.data && description_data.length > 0) { err = kim_string_create_from_buffer (&rejected_description, - description_data.data, + description_data.data, description_data.length); } else { err = kim_os_string_create_localized (&rejected_description, "New password rejected."); } } - + if (!err && in_ui_context->type != kim_ui_type_cli) { char *c; - + // replace all \n and \r characters with spaces for (c = (char *) rejected_message; *c != '\0'; c++) { if ((*c == '\n') || (*c == '\r')) { *c = ' '; } } - + for (c = (char *) rejected_description; *c != '\0'; c++) { if ((*c == '\n') || (*c == '\r')) { *c = ' '; } } } - + if (!err) { if (out_rejected_message) { *out_rejected_message = rejected_message; @@ -612,21 +612,21 @@ kim_error kim_identity_change_password_with_credential (kim_identity in_ident rejected_description = NULL; } } - + kim_string_free (&rejected_message); kim_string_free (&rejected_description); - + krb5_free_data_contents (in_identity->context, &message_data); krb5_free_data_contents (in_identity->context, &description_data); } - + if (!err) { /* do this after reporting errors so we don't double report rejection */ *out_rejected_err = rejected_err; } - + if (creds) { krb5_free_creds (in_identity->context, creds); } - + return check_error (err); } @@ -639,10 +639,10 @@ kim_error kim_identity_change_password_common (kim_identity in_identity, { kim_error err = KIM_NO_ERROR; kim_boolean done = 0; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_ui_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + while (!err && !done) { char *old_password = NULL; char *new_password = NULL; @@ -651,28 +651,28 @@ kim_error kim_identity_change_password_common (kim_identity in_identity, kim_string rejected_message = NULL; kim_string rejected_description = NULL; kim_boolean was_prompted = 0; /* ignore because we always prompt */ - + err = kim_ui_change_password (in_ui_context, in_identity, in_old_password_expired, &old_password, &new_password, &verify_password); - + if (!err) { kim_comparison comparison; - - err = kim_string_compare (new_password, - verify_password, + + err = kim_string_compare (new_password, + verify_password, &comparison); if (!err && !kim_comparison_is_equal_to (comparison)) { err = check_error (KIM_PASSWORD_MISMATCH_ERR); } } - + if (!err) { kim_credential credential = NULL; - + if (in_ui_context->type == kim_ui_type_cli && in_ui_context->tcontext) { /* command line has already gotten the credentials for us */ credential = (kim_credential) in_ui_context->tcontext; @@ -683,74 +683,74 @@ kim_error kim_identity_change_password_common (kim_identity in_identity, in_ui_context, &was_prompted); } - + if (!err) { err = kim_identity_change_password_with_credential (in_identity, - credential, + credential, new_password, in_ui_context, &rejected_err, &rejected_message, &rejected_description); - } - + } + kim_credential_free (&credential); - if (in_ui_context->type == kim_ui_type_cli) { + if (in_ui_context->type == kim_ui_type_cli) { in_ui_context->tcontext = NULL; /* just freed our creds */ } } - + if (!err && rejected_err) { /* Password rejected, report it to the user */ err = kim_ui_handle_error (in_ui_context, in_identity, rejected_err, - rejected_message, + rejected_message, rejected_description); - - } else if (err && err != KIM_USER_CANCELED_ERR && + + } else if (err && err != KIM_USER_CANCELED_ERR && err != KIM_DUPLICATE_UI_REQUEST_ERR) { /* New creds failed, report error to user. * Overwrite error so we loop and let the user try again. * The user always gets prompted so we always loop. */ - err = kim_ui_handle_kim_error (in_ui_context, in_identity, + err = kim_ui_handle_kim_error (in_ui_context, in_identity, kim_ui_error_type_change_password, err); - + } else { /* password change succeeded or the user gave up */ done = 1; - + if (!err && out_new_password) { err = kim_string_copy (out_new_password, new_password); } - + if (!err) { kim_error terr = KIM_NO_ERROR; kim_string saved_password = NULL; - - terr = kim_os_identity_get_saved_password (in_identity, + + terr = kim_os_identity_get_saved_password (in_identity, &saved_password); - if (!terr) { + if (!terr) { /* We changed the password and the user had their * old password saved. Update it. */ terr = kim_os_identity_set_saved_password (in_identity, new_password); } - + kim_string_free (&saved_password); } if (err == KIM_DUPLICATE_UI_REQUEST_ERR) { err = KIM_NO_ERROR; } } - + kim_string_free (&rejected_message); kim_string_free (&rejected_description); - + kim_ui_free_string (in_ui_context, &old_password); kim_ui_free_string (in_ui_context, &new_password); - kim_ui_free_string (in_ui_context, &verify_password); + kim_ui_free_string (in_ui_context, &verify_password); } - + return check_error (err); } @@ -763,22 +763,22 @@ kim_error kim_identity_change_password (kim_identity in_identity) kim_boolean ui_inited = 0; if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ui_init (&context); if (!err) { ui_inited = 1; } } - + if (!err) { - err = kim_identity_change_password_common (in_identity, 0, + err = kim_identity_change_password_common (in_identity, 0, &context, NULL); } - + if (ui_inited) { kim_error fini_err = kim_ui_fini (&context); if (!err) { err = check_error (fini_err); } } - + return check_error (err); } @@ -786,16 +786,16 @@ kim_error kim_identity_change_password (kim_identity in_identity) void kim_identity_free (kim_identity *io_identity) { - if (io_identity && *io_identity) { + if (io_identity && *io_identity) { kim_identity identity = *io_identity; - - if (identity->context) { - if (identity->principal) { - krb5_free_principal (identity->context, identity->principal); + + if (identity->context) { + if (identity->principal) { + krb5_free_principal (identity->context, identity->principal); } krb5_free_context (identity->context); } - + free (identity); *io_identity = NULL; } diff --git a/src/kim/lib/kim_library.c b/src/kim/lib/kim_library.c index 0272aa7fd..78996d8fa 100644 --- a/src/kim/lib/kim_library.c +++ b/src/kim/lib/kim_library.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +47,7 @@ static int kim_error_init (void) { add_error_table (&et_KIM_error_table); #if KIM_TO_KLL_SHIM - add_error_table (&et_KLL_error_table); + add_error_table (&et_KLL_error_table); #endif return 0; } @@ -93,23 +93,23 @@ MAKE_FINI_FUNCTION(kim_thread_fini); static int kim_thread_init (void) { kim_error err = KIM_NO_ERROR; - + if (!err) { err = k5_mutex_finish_init (&g_allow_home_directory_access_mutex); } - + if (!err) { err = k5_mutex_finish_init (&g_allow_automatic_prompting_mutex); } - + if (!err) { err = k5_mutex_finish_init (&g_ui_environment_mutex); } - + if (!err) { err = k5_mutex_finish_init (&g_application_name_mutex); } - + return err; } @@ -120,7 +120,7 @@ static void kim_thread_fini (void) if (!INITIALIZER_RAN (kim_thread_init) || PROGRAM_EXITING ()) { return; } - + k5_mutex_destroy (&g_allow_home_directory_access_mutex); k5_mutex_destroy (&g_allow_automatic_prompting_mutex); k5_mutex_destroy (&g_ui_environment_mutex); @@ -135,16 +135,16 @@ kim_error kim_library_set_allow_home_directory_access (kim_boolean in_allow_acce { kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; - + if (!err) { mutex_err = k5_mutex_lock (&g_allow_home_directory_access_mutex); if (mutex_err) { err = mutex_err; } } - + if (!err) { g_allow_home_directory_access = in_allow_access; } - + if (!mutex_err) { k5_mutex_unlock (&g_allow_home_directory_access_mutex); } return check_error (err); } @@ -155,18 +155,18 @@ static kim_error kim_library_get_allow_home_directory_access (kim_boolean *out_a { kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; - + if (!err && !out_allow_access) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { mutex_err = k5_mutex_lock (&g_allow_home_directory_access_mutex);; if (mutex_err) { err = mutex_err; } } - + if (!err) { *out_allow_access = g_allow_home_directory_access; } - + if (!mutex_err) { k5_mutex_unlock (&g_allow_home_directory_access_mutex); } return check_error (err); } @@ -177,7 +177,7 @@ kim_boolean kim_library_allow_home_directory_access (void) { kim_boolean allow_access = FALSE; kim_error err = kim_library_get_allow_home_directory_access (&allow_access); - + return !err ? allow_access : FALSE; } @@ -191,16 +191,16 @@ kim_error kim_library_set_allow_automatic_prompting (kim_boolean in_allow_automa { kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; - + if (!err) { mutex_err = k5_mutex_lock (&g_allow_automatic_prompting_mutex); if (mutex_err) { err = mutex_err; } } - + if (!err) { g_allow_automatic_prompting = in_allow_automatic_prompting; } - + if (!mutex_err) { k5_mutex_unlock (&g_allow_automatic_prompting_mutex); } return check_error (err); } @@ -211,18 +211,18 @@ static kim_error kim_library_get_allow_automatic_prompting (kim_boolean *out_all { kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; - + if (!err && !out_allow_automatic_prompting) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { mutex_err = k5_mutex_lock (&g_allow_automatic_prompting_mutex);; if (mutex_err) { err = mutex_err; } } - + if (!err) { *out_allow_automatic_prompting = g_allow_automatic_prompting; } - + if (!mutex_err) { k5_mutex_unlock (&g_allow_automatic_prompting_mutex); } return check_error (err); } @@ -234,45 +234,45 @@ kim_boolean kim_library_allow_automatic_prompting (void) kim_boolean allow_automatic_prompting = TRUE; kim_error err = kim_library_get_allow_automatic_prompting (&allow_automatic_prompting); if (err) { allow_automatic_prompting = TRUE; } - + if (allow_automatic_prompting && getenv ("KERBEROSLOGIN_NEVER_PROMPT")) { kim_debug_printf ("KERBEROSLOGIN_NEVER_PROMPT is set."); allow_automatic_prompting = FALSE; } - + if (allow_automatic_prompting && getenv ("KIM_NEVER_PROMPT")) { kim_debug_printf ("KIM_NEVER_PROMPT is set."); allow_automatic_prompting = FALSE; } - + if (allow_automatic_prompting && !kim_os_library_caller_uses_gui ()) { kim_debug_printf ("Caller is not using gui."); allow_automatic_prompting = FALSE; } if (allow_automatic_prompting) { - /* Make sure there is at least 1 config file. We don't support DNS + /* Make sure there is at least 1 config file. We don't support DNS * domain-realm lookup, so if there is no config, Kerberos won't work. */ - + kim_boolean kerberos_config_exists = FALSE; char **files = NULL; profile_t profile = NULL; - + if (krb5_get_default_config_files (&files) == 0) { if (profile_init ((const_profile_filespec_t *) files, &profile) == 0) { kerberos_config_exists = TRUE; } } - + if (!kerberos_config_exists) { kim_debug_printf ("No valid config file."); allow_automatic_prompting = FALSE; } - + if (profile) { profile_abandon (profile); } - if (files ) { krb5_free_config_files (files); } + if (files ) { krb5_free_config_files (files); } } - + return allow_automatic_prompting; } @@ -284,16 +284,16 @@ kim_error kim_library_set_ui_environment (kim_ui_environment in_ui_environment) { kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; - + if (!err) { mutex_err = k5_mutex_lock (&g_ui_environment_mutex); if (mutex_err) { err = mutex_err; } } - + if (!err) { g_ui_environment = in_ui_environment; } - + if (!mutex_err) { k5_mutex_unlock (&g_ui_environment_mutex); } return check_error (err); } @@ -304,18 +304,18 @@ static kim_error kim_library_get_ui_environment (kim_ui_environment *out_ui_envi { kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; - + if (!err && !out_ui_environment) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { mutex_err = k5_mutex_lock (&g_ui_environment_mutex);; if (mutex_err) { err = mutex_err; } } - + if (!err) { *out_ui_environment = g_ui_environment; } - + if (!mutex_err) { k5_mutex_unlock (&g_ui_environment_mutex); } return check_error (err); } @@ -326,13 +326,13 @@ kim_ui_environment kim_library_ui_environment (void) { kim_error err = KIM_NO_ERROR; kim_ui_environment ui_environment = KIM_UI_ENVIRONMENT_AUTO; - + err = kim_library_get_ui_environment (&ui_environment); - + if (!err && ui_environment == KIM_UI_ENVIRONMENT_AUTO) { ui_environment = kim_os_library_get_ui_environment (); } - + return !err ? ui_environment : KIM_UI_ENVIRONMENT_NONE; } @@ -344,15 +344,15 @@ kim_error kim_library_set_application_name (kim_string in_application_name) { kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; - + if (!err) { mutex_err = k5_mutex_lock (&g_application_name_mutex); if (mutex_err) { err = mutex_err; } } - + if (!err) { kim_string old_application_name = g_application_name; - + if (in_application_name) { err = kim_string_copy (&g_application_name, in_application_name); } else { @@ -361,7 +361,7 @@ kim_error kim_library_set_application_name (kim_string in_application_name) if (!err) { kim_string_free (&old_application_name); } } - + if (!mutex_err) { k5_mutex_unlock (&g_application_name_mutex); } return check_error (err); } @@ -373,31 +373,31 @@ kim_error kim_library_get_application_name (kim_string *out_application_name) kim_error err = CALL_INIT_FUNCTION (kim_thread_init); kim_error mutex_err = KIM_NO_ERROR; kim_string application_name = NULL; - + if (!err && !out_application_name) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { mutex_err = k5_mutex_lock (&g_application_name_mutex); if (mutex_err) { err = mutex_err; } } - + if (!err && g_application_name) { err = kim_string_copy (&application_name, g_application_name); } - + if (!mutex_err) { k5_mutex_unlock (&g_application_name_mutex); } - + if (!err && !application_name) { err = kim_os_library_get_caller_name (&application_name); } - + if (!err) { *out_application_name = application_name; application_name = NULL; - + } - + kim_string_free (&application_name); - + return check_error (err); } diff --git a/src/kim/lib/kim_library_private.h b/src/kim/lib/kim_library_private.h index 146474b0e..75ea4fd3e 100644 --- a/src/kim/lib/kim_library_private.h +++ b/src/kim/lib/kim_library_private.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/kim/lib/kim_options.c b/src/kim/lib/kim_options.c index 5c45fb35a..989c163fa 100644 --- a/src/kim/lib/kim_options.c +++ b/src/kim/lib/kim_options.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -41,10 +41,10 @@ struct kim_options_opaque { krb5_get_init_creds_opt *init_cred_options; }; -struct kim_options_opaque kim_options_initializer = { -0, -kim_default_lifetime, -kim_default_renewable, +struct kim_options_opaque kim_options_initializer = { +0, +kim_default_lifetime, +kim_default_renewable, kim_default_renewal_lifetime, kim_default_forwardable, kim_default_proxiable, @@ -59,23 +59,23 @@ static inline kim_error kim_options_allocate (kim_options *out_options) { kim_error err = kim_library_init (); kim_options options = NULL; - + if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { options = malloc (sizeof (*options)); if (!options) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { *options = kim_options_initializer; *out_options = options; options = NULL; } - + kim_options_free (&options); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -92,29 +92,29 @@ kim_error kim_options_create (kim_options *out_options) kim_error err = KIM_NO_ERROR; kim_preferences preferences = NULL; kim_options options = KIM_OPTIONS_DEFAULT; - + if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_preferences_create (&preferences); } - + if (!err) { err = kim_preferences_get_options (preferences, &options); } - + if (!err && !options) { err = kim_options_allocate (&options); } - + if (!err) { *out_options = options; options = NULL; /* caller takes ownership */ } - + kim_options_free (&options); kim_preferences_free (&preferences); - + return check_error (err); } @@ -125,12 +125,12 @@ kim_error kim_options_copy (kim_options *out_options, { kim_error err = KIM_NO_ERROR; kim_options options = KIM_OPTIONS_DEFAULT; - + if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && in_options != KIM_OPTIONS_DEFAULT) { err = kim_options_allocate (&options); - + if (!err) { options->start_time = in_options->start_time; options->lifetime = in_options->lifetime; @@ -139,21 +139,21 @@ kim_error kim_options_copy (kim_options *out_options, options->forwardable = in_options->forwardable; options->proxiable = in_options->proxiable; options->addressless = in_options->addressless; - + if (in_options->service_name) { - err = kim_string_copy (&options->service_name, + err = kim_string_copy (&options->service_name, in_options->service_name); } } } - + if (!err) { *out_options = options; options = NULL; } - + kim_options_free (&options); - + return check_error (err); } @@ -163,13 +163,13 @@ kim_error kim_options_set_start_time (kim_options io_options, kim_time in_start_time) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_options->start_time = in_start_time; } - + return check_error (err); } @@ -179,14 +179,14 @@ kim_error kim_options_get_start_time (kim_options in_options, kim_time *out_start_time) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_start_time) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_start_time = in_options->start_time; } - + return check_error (err); } @@ -196,13 +196,13 @@ kim_error kim_options_set_lifetime (kim_options io_options, kim_lifetime in_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_options->lifetime = in_lifetime; } - + return check_error (err); } @@ -212,14 +212,14 @@ kim_error kim_options_get_lifetime (kim_options in_options, kim_lifetime *out_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_lifetime) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_lifetime = in_options->lifetime; } - + return check_error (err); } @@ -229,13 +229,13 @@ kim_error kim_options_set_renewable (kim_options io_options, kim_boolean in_renewable) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_options->renewable = in_renewable; } - + return check_error (err); } @@ -245,14 +245,14 @@ kim_error kim_options_get_renewable (kim_options in_options, kim_boolean *out_renewable) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_renewable) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_renewable = in_options->renewable; } - + return check_error (err); } @@ -262,13 +262,13 @@ kim_error kim_options_set_renewal_lifetime (kim_options io_options, kim_lifetime in_renewal_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_options->renewal_lifetime = in_renewal_lifetime; } - + return check_error (err); } @@ -278,14 +278,14 @@ kim_error kim_options_get_renewal_lifetime (kim_options in_options, kim_lifetime *out_renewal_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_renewal_lifetime) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_renewal_lifetime = in_options->renewal_lifetime; } - + return check_error (err); } @@ -295,13 +295,13 @@ kim_error kim_options_set_forwardable (kim_options io_options, kim_boolean in_forwardable) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_options->forwardable = in_forwardable; } - + return check_error (err); } @@ -311,14 +311,14 @@ kim_error kim_options_get_forwardable (kim_options in_options, kim_boolean *out_forwardable) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_forwardable) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_forwardable = in_options->forwardable; } - + return check_error (err); } @@ -328,13 +328,13 @@ kim_error kim_options_set_proxiable (kim_options io_options, kim_boolean in_proxiable) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_options->proxiable = in_proxiable; } - + return check_error (err); } @@ -344,14 +344,14 @@ kim_error kim_options_get_proxiable (kim_options in_options, kim_boolean *out_proxiable) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_proxiable) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_proxiable = in_options->proxiable; } - + return check_error (err); } @@ -361,13 +361,13 @@ kim_error kim_options_set_addressless (kim_options io_options, kim_boolean in_addressless) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_options->addressless = in_addressless; } - + return check_error (err); } @@ -377,14 +377,14 @@ kim_error kim_options_get_addressless (kim_options in_options, kim_boolean *out_addressless) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_addressless) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_addressless = in_options->addressless; } - + return check_error (err); } @@ -394,9 +394,9 @@ kim_error kim_options_set_service_name (kim_options io_options, kim_string in_service_name) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_string_free (&io_options->service_name); if (in_service_name) { @@ -405,7 +405,7 @@ kim_error kim_options_set_service_name (kim_options io_options, io_options->service_name = kim_empty_string; } } - + return check_error (err); } @@ -415,19 +415,19 @@ kim_error kim_options_get_service_name (kim_options in_options, kim_string *out_service_name) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_service_name) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - if (in_options->service_name && + if (in_options->service_name && in_options->service_name != kim_empty_string) { err = kim_string_copy (out_service_name, in_options->service_name); } else { *out_service_name = NULL; } } - + return check_error (err); } @@ -465,64 +465,64 @@ krb5_get_init_creds_opt *kim_options_init_cred_options (kim_options in_options) { kim_error err = KIM_NO_ERROR; krb5_address **addresses = NULL; - + if (!err && !in_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && !in_options->init_cred_context) { err = krb5_error (NULL, krb5_init_context (&in_options->init_cred_context)); } - + if (!err && !in_options->addressless) { - err = krb5_error (in_options->init_cred_context, - krb5_os_localaddr (in_options->init_cred_context, + err = krb5_error (in_options->init_cred_context, + krb5_os_localaddr (in_options->init_cred_context, &addresses)); } - + if (!err && !in_options->init_cred_options) { err = krb5_error (in_options->init_cred_context, - krb5_get_init_creds_opt_alloc (in_options->init_cred_context, + krb5_get_init_creds_opt_alloc (in_options->init_cred_context, &in_options->init_cred_options)); } - + if (!err) { - krb5_get_init_creds_opt_set_tkt_life (in_options->init_cred_options, + krb5_get_init_creds_opt_set_tkt_life (in_options->init_cred_options, in_options->lifetime); - krb5_get_init_creds_opt_set_renew_life (in_options->init_cred_options, + krb5_get_init_creds_opt_set_renew_life (in_options->init_cred_options, in_options->renewable ? in_options->renewal_lifetime : 0); - krb5_get_init_creds_opt_set_forwardable (in_options->init_cred_options, + krb5_get_init_creds_opt_set_forwardable (in_options->init_cred_options, in_options->forwardable); - krb5_get_init_creds_opt_set_proxiable (in_options->init_cred_options, + krb5_get_init_creds_opt_set_proxiable (in_options->init_cred_options, in_options->proxiable); - krb5_get_init_creds_opt_set_address_list (in_options->init_cred_options, + krb5_get_init_creds_opt_set_address_list (in_options->init_cred_options, addresses); addresses = NULL; } - - if (addresses) { krb5_free_addresses (in_options->init_cred_context, + + if (addresses) { krb5_free_addresses (in_options->init_cred_context, addresses); } - - return !check_error (err) ? in_options->init_cred_options : NULL; + + return !check_error (err) ? in_options->init_cred_options : NULL; } /* ------------------------------------------------------------------------ */ void kim_options_free (kim_options *io_options) { - if (io_options && *io_options) { - kim_string_free (&(*io_options)->service_name); + if (io_options && *io_options) { + kim_string_free (&(*io_options)->service_name); if ((*io_options)->init_cred_context) { if ((*io_options)->init_cred_options) { if ((*io_options)->init_cred_options->address_list) { - krb5_free_addresses ((*io_options)->init_cred_context, + krb5_free_addresses ((*io_options)->init_cred_context, (*io_options)->init_cred_options->address_list); } - krb5_get_init_creds_opt_free ((*io_options)->init_cred_context, + krb5_get_init_creds_opt_free ((*io_options)->init_cred_context, (*io_options)->init_cred_options); } krb5_free_context ((*io_options)->init_cred_context); } - + free (*io_options); *io_options = NULL; } @@ -539,47 +539,47 @@ kim_error kim_options_write_to_stream (kim_options in_options, kim_options options = in_options; if (!err && !io_stream ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && !in_options) { err = kim_options_create (&options); } - + if (!err) { err = krb5int_ipc_stream_write_int64 (io_stream, options->start_time); } - + if (!err) { err = krb5int_ipc_stream_write_int64 (io_stream, options->lifetime); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, options->renewable); } - + if (!err) { - err = krb5int_ipc_stream_write_int64 (io_stream, + err = krb5int_ipc_stream_write_int64 (io_stream, options->renewal_lifetime); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, options->forwardable); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, options->proxiable); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (io_stream, options->addressless); } - + if (!err) { err = krb5int_ipc_stream_write_string (io_stream, options->service_name); } - + if (options != in_options) { kim_options_free (&options); } - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -588,43 +588,43 @@ kim_error kim_options_read_from_stream (kim_options io_options, k5_ipc_stream io_stream) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_stream ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5int_ipc_stream_read_int64 (io_stream, &io_options->start_time); } - + if (!err) { err = krb5int_ipc_stream_read_int64 (io_stream, &io_options->lifetime); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &io_options->renewable); } - + if (!err) { - err = krb5int_ipc_stream_read_int64 (io_stream, + err = krb5int_ipc_stream_read_int64 (io_stream, &io_options->renewal_lifetime); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &io_options->forwardable); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &io_options->proxiable); } - + if (!err) { err = krb5int_ipc_stream_read_int32 (io_stream, &io_options->addressless); } - + if (!err) { char *service_name = NULL; err = krb5int_ipc_stream_read_string (io_stream, &service_name); - + if (!err) { kim_string_free (&io_options->service_name); if (service_name[0]) { @@ -633,21 +633,21 @@ kim_error kim_options_read_from_stream (kim_options io_options, io_options->service_name = kim_empty_string; } } - + krb5int_ipc_stream_free_string (service_name); } - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ kim_error kim_options_create_from_stream (kim_options *out_options, - k5_ipc_stream io_stream) + k5_ipc_stream io_stream) { kim_error err = KIM_NO_ERROR; kim_options options = NULL; - + if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_stream ) { err = check_error (KIM_NULL_PARAMETER_ERR); } @@ -658,13 +658,13 @@ kim_error kim_options_create_from_stream (kim_options *out_options, if (!err) { kim_options_read_from_stream (options, io_stream); } - + if (!err) { *out_options = options; options = NULL; } - - kim_options_free (&options); - + + kim_options_free (&options); + return check_error (err); } diff --git a/src/kim/lib/kim_preferences.c b/src/kim/lib/kim_preferences.c index a9bd6ce55..19ee9030b 100644 --- a/src/kim/lib/kim_preferences.c +++ b/src/kim/lib/kim_preferences.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -53,14 +53,14 @@ struct kim_preferences_opaque { const struct kim_favorites_opaque kim_default_favorites = { 0, NULL, NULL }; -struct kim_preferences_opaque kim_preferences_initializer = { -KIM_OPTIONS_DEFAULT, +struct kim_preferences_opaque kim_preferences_initializer = { +KIM_OPTIONS_DEFAULT, FALSE, -kim_default_remember_options, +kim_default_remember_options, FALSE, -kim_default_client_identity, +kim_default_client_identity, FALSE, -kim_default_remember_client_identity, +kim_default_remember_client_identity, FALSE, kim_default_minimum_lifetime, kim_default_maximum_lifetime, @@ -79,13 +79,13 @@ static kim_error kim_favorites_resize (kim_favorites io_favorites, kim_count in_new_count) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && io_favorites->count != in_new_count) { kim_identity *identities = NULL; kim_options *options = NULL; - + if (in_new_count == 0) { if (io_favorites->identities) { free (io_favorites->identities); @@ -97,22 +97,22 @@ static kim_error kim_favorites_resize (kim_favorites io_favorites, if (!io_favorites->identities) { identities = malloc (sizeof (*identities) * in_new_count); } else { - identities = realloc (io_favorites->identities, + identities = realloc (io_favorites->identities, sizeof (*identities) * in_new_count); } if (!identities) { err = KIM_OUT_OF_MEMORY_ERR; } - + if (!err) { if (!io_favorites->options) { options = malloc (sizeof (*options) * in_new_count); } else { - options = realloc (io_favorites->options, + options = realloc (io_favorites->options, sizeof (*options) * in_new_count); } if (!options) { err = KIM_OUT_OF_MEMORY_ERR; } } } - + if (!err) { io_favorites->count = in_new_count; io_favorites->identities = identities; @@ -120,12 +120,12 @@ static kim_error kim_favorites_resize (kim_favorites io_favorites, identities = NULL; options = NULL; } - + if (identities) { free (identities); } if (options ) { free (options); } } - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -134,28 +134,28 @@ static kim_error kim_favorites_copy (kim_favorites in_favorites, kim_favorites io_favorites) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_favorites_resize (io_favorites, in_favorites->count); } - + if (!err) { kim_count i; - + for (i = 0; !err && i < io_favorites->count; i++) { - err = kim_identity_copy (&io_favorites->identities[i], + err = kim_identity_copy (&io_favorites->identities[i], in_favorites->identities[i]); - + if (!err) { - err = kim_options_copy (&io_favorites->options[i], + err = kim_options_copy (&io_favorites->options[i], in_favorites->options[i]); } } } - + return check_error (err); } @@ -165,14 +165,14 @@ kim_error kim_favorites_get_number_of_identities (kim_favorites in_favorites, kim_count *out_number_of_identities) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_favorites ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_number_of_identities) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_number_of_identities = in_favorites->count; } - + return check_error (err); } @@ -186,39 +186,39 @@ kim_error kim_favorites_get_identity_at_index (kim_favorites in_favorites, kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_options options = KIM_OPTIONS_DEFAULT; - + if (!err && !in_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* out_options may be NULL */ - + if (!err) { if (in_index >= in_favorites->count) { - err = kim_error_set_message_for_code (KIM_BAD_IDENTITY_INDEX_ERR, + err = kim_error_set_message_for_code (KIM_BAD_IDENTITY_INDEX_ERR, in_index); } } - + if (!err) { err = kim_identity_copy (&identity, in_favorites->identities[in_index]); } - + if (!err && in_favorites->options[in_index]) { err = kim_options_copy (&options, in_favorites->options[in_index]); } - + if (!err) { *out_identity = identity; identity = NULL; - + if (out_options) { *out_options = options; options = NULL; } } - + kim_identity_free (&identity); kim_options_free (&options); - + return check_error (err); } @@ -232,78 +232,78 @@ kim_error kim_favorites_add_identity (kim_favorites io_favorites, kim_identity identity = NULL; kim_options options = KIM_OPTIONS_DEFAULT; kim_count insert_at = 0; - + if (!err && !io_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* in_options may be KIM_OPTIONS_DEFAULT (NULL) */ - + if (!err) { err = kim_identity_copy (&identity, in_identity); } - + if (!err) { err = kim_options_copy (&options, in_options); } - + if (!err) { kim_count i; - + for (i = 0; !err && i < io_favorites->count; i++) { kim_comparison comparison = 0; - + err = kim_identity_compare (io_favorites->identities[i], - in_identity, + in_identity, &comparison); - + if (!err) { if (kim_comparison_is_greater_than (comparison)) { /* insert before the first entry that is greater than us */ - break; - + break; + } else if (kim_comparison_is_equal_to (comparison)) { /* already in list */ kim_string display_string = NULL; - - err = kim_identity_get_display_string (in_identity, + + err = kim_identity_get_display_string (in_identity, &display_string); - + if (!err) { - err = kim_error_set_message_for_code (KIM_IDENTITY_ALREADY_IN_LIST_ERR, + err = kim_error_set_message_for_code (KIM_IDENTITY_ALREADY_IN_LIST_ERR, display_string); } - + kim_string_free (&display_string); } } } - + insert_at = i; /* Remember where we are going to insert */ } - + if (!err) { - err = kim_favorites_resize (io_favorites, + err = kim_favorites_resize (io_favorites, io_favorites->count + 1); } - + if (!err) { kim_count move_count = io_favorites->count - 1 - insert_at; - + memmove (&io_favorites->identities[insert_at + 1], &io_favorites->identities[insert_at], move_count * sizeof (*io_favorites->identities)); io_favorites->identities[insert_at] = identity; identity = NULL; - + memmove (&io_favorites->options[insert_at + 1], &io_favorites->options[insert_at], move_count * sizeof (*io_favorites->options)); io_favorites->options[insert_at] = options; options = NULL; } - + kim_options_free (&options); kim_identity_free (&identity); - + return check_error (err); } @@ -315,56 +315,56 @@ kim_error kim_favorites_remove_identity (kim_favorites io_favorites, kim_error err = KIM_NO_ERROR; kim_boolean found = 0; kim_count i; - + if (!err && !io_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { for (i = 0; !err && !found && i < io_favorites->count; i++) { kim_identity identity = io_favorites->identities[i]; kim_options options = io_favorites->options[i]; kim_comparison comparison; - + err = kim_identity_compare (in_identity, identity, &comparison); - + if (!err && kim_comparison_is_equal_to (comparison)) { kim_error terr = KIM_NO_ERROR; kim_count new_count = io_favorites->count - 1; - + found = 1; - - memmove (&io_favorites->identities[i], + + memmove (&io_favorites->identities[i], &io_favorites->identities[i + 1], (new_count - i) * sizeof (*io_favorites->identities)); - - memmove (&io_favorites->options[i], + + memmove (&io_favorites->options[i], &io_favorites->options[i + 1], (new_count - i) * sizeof (*io_favorites->options)); - + terr = kim_favorites_resize (io_favorites, new_count); if (terr) { kim_debug_printf ("failed to resize list to %d. Continuing.", new_count); } - + kim_options_free (&options); kim_identity_free (&identity); } } } - + if (!err && !found) { kim_string display_string = NULL; - + err = kim_identity_get_display_string (in_identity, &display_string); - + if (!err) { - err = kim_error_set_message_for_code (KIM_IDENTITY_NOT_IN_LIST_ERR, + err = kim_error_set_message_for_code (KIM_IDENTITY_NOT_IN_LIST_ERR, display_string); } - + kim_string_free (&display_string); } - + return check_error (err); } @@ -373,12 +373,12 @@ kim_error kim_favorites_remove_identity (kim_favorites io_favorites, kim_error kim_favorites_remove_all_identities (kim_favorites io_favorites) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_count i; - + for (i = 0; i < io_favorites->count; i++) { kim_identity_free (&io_favorites->identities[i]); kim_options_free (&io_favorites->options[i]); @@ -389,7 +389,7 @@ kim_error kim_favorites_remove_all_identities (kim_favorites io_favorites) io_favorites->identities = NULL; io_favorites->options = NULL; } - + return check_error (err); } @@ -398,7 +398,7 @@ kim_error kim_favorites_remove_all_identities (kim_favorites io_favorites) static void kim_favorites_free (kim_favorites io_favorites) { kim_count i; - + for (i = 0; i < io_favorites->count; i++) { kim_identity_free (&io_favorites->identities[i]); kim_options_free (&io_favorites->options[i]); @@ -414,91 +414,91 @@ static void kim_favorites_free (kim_favorites io_favorites) static kim_error kim_preferences_read (kim_preferences in_preferences) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_options options = NULL; - + err = kim_os_preferences_get_options_for_key (kim_preference_key_options, &options); - + if (!err) { kim_options_free (&in_preferences->options); in_preferences->options = options; } } - + if (!err) { err = kim_os_preferences_get_boolean_for_key (kim_preference_key_remember_options, kim_default_remember_options, &in_preferences->remember_options); } - + if (!err) { kim_identity default_identity = kim_default_client_identity; kim_identity identity = NULL; - + err = kim_os_identity_create_for_username (&default_identity); - + if (!err) { err = kim_os_preferences_get_identity_for_key (kim_preference_key_client_identity, default_identity, &identity); } - + if (!err) { kim_identity_free (&in_preferences->client_identity); in_preferences->client_identity = identity; identity = NULL; } - + kim_identity_free (&default_identity); kim_identity_free (&identity); } - + if (!err) { err = kim_os_preferences_get_boolean_for_key (kim_preference_key_remember_client_identity, kim_default_remember_client_identity, &in_preferences->remember_client_identity); } - + if (!err) { struct kim_favorites_opaque favorites = kim_default_favorites; - + err = kim_os_preferences_get_favorites_for_key (kim_preference_key_favorites, &favorites); - + if (!err) { kim_favorites_remove_all_identities (&in_preferences->favorites); in_preferences->favorites = favorites; } } - + if (!err) { err = kim_os_preferences_get_lifetime_for_key (kim_preference_key_minimum_lifetime, kim_default_minimum_lifetime, &in_preferences->minimum_lifetime); } - + if (!err) { err = kim_os_preferences_get_lifetime_for_key (kim_preference_key_maximum_lifetime, kim_default_maximum_lifetime, &in_preferences->maximum_lifetime); } - + if (!err) { err = kim_os_preferences_get_lifetime_for_key (kim_preference_key_minimum_renewal_lifetime, kim_default_minimum_renewal_lifetime, &in_preferences->minimum_renewal_lifetime); } - + if (!err) { err = kim_os_preferences_get_lifetime_for_key (kim_preference_key_maximum_renewal_lifetime, kim_default_maximum_renewal_lifetime, &in_preferences->maximum_renewal_lifetime); } - + return check_error (err); } @@ -507,60 +507,60 @@ static kim_error kim_preferences_read (kim_preferences in_preferences) static kim_error kim_preferences_write (kim_preferences in_preferences) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && in_preferences->options_changed) { err = kim_os_preferences_set_options_for_key (kim_preference_key_options, - in_preferences->options); + in_preferences->options); } - + if (!err && in_preferences->remember_options_changed) { - err = kim_os_preferences_set_boolean_for_key (kim_preference_key_remember_options, + err = kim_os_preferences_set_boolean_for_key (kim_preference_key_remember_options, in_preferences->remember_options); } - + if (!err && in_preferences->client_identity_changed) { kim_identity default_identity = kim_default_client_identity; - + err = kim_os_identity_create_for_username (&default_identity); - + if (!err) { - err = kim_os_preferences_set_identity_for_key (kim_preference_key_client_identity, + err = kim_os_preferences_set_identity_for_key (kim_preference_key_client_identity, in_preferences->client_identity); } - + kim_identity_free (&default_identity); } - + if (!err && in_preferences->remember_client_identity_changed) { - err = kim_os_preferences_set_boolean_for_key (kim_preference_key_remember_client_identity, + err = kim_os_preferences_set_boolean_for_key (kim_preference_key_remember_client_identity, in_preferences->remember_client_identity); } - + if (!err && in_preferences->favorites_changed) { - err = kim_os_preferences_set_favorites_for_key (kim_preference_key_favorites, + err = kim_os_preferences_set_favorites_for_key (kim_preference_key_favorites, &in_preferences->favorites); } - + if (!err && in_preferences->lifetime_range_changed) { - err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_minimum_lifetime, + err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_minimum_lifetime, in_preferences->minimum_lifetime); if (!err) { - err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_maximum_lifetime, + err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_maximum_lifetime, in_preferences->maximum_lifetime); } } - + if (!err && in_preferences->renewal_lifetime_range_changed) { - err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_minimum_renewal_lifetime, + err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_minimum_renewal_lifetime, in_preferences->minimum_renewal_lifetime); if (!err) { - err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_maximum_renewal_lifetime, + err = kim_os_preferences_set_lifetime_for_key (kim_preference_key_maximum_renewal_lifetime, in_preferences->maximum_renewal_lifetime); } } - + if (!err) { in_preferences->options_changed = 0; in_preferences->remember_options_changed = 0; @@ -570,7 +570,7 @@ static kim_error kim_preferences_write (kim_preferences in_preferences) in_preferences->renewal_lifetime_range_changed = 0; in_preferences->favorites_changed = 0; } - + return check_error (err); } @@ -582,23 +582,23 @@ static inline kim_error kim_preferences_allocate (kim_preferences *out_preferenc { kim_error err = kim_library_init (); kim_preferences preferences = NULL; - + if (!err && !out_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { preferences = malloc (sizeof (*preferences)); if (!preferences) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { *preferences = kim_preferences_initializer; *out_preferences = preferences; preferences = NULL; } - + kim_preferences_free (&preferences); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -607,25 +607,25 @@ kim_error kim_preferences_create (kim_preferences *out_preferences) { kim_error err = KIM_NO_ERROR; kim_preferences preferences = NULL; - + if (!err && !out_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_preferences_allocate (&preferences); } - + if (!err) { err = kim_preferences_read (preferences); } - + if (!err) { *out_preferences = preferences; preferences = NULL; } - + kim_preferences_free (&preferences); - - + + return check_error (err); } @@ -636,37 +636,37 @@ kim_error kim_preferences_copy (kim_preferences *out_preferences, { kim_error err = KIM_NO_ERROR; kim_preferences preferences = NULL; - + if (!err && !out_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_preferences_allocate (&preferences); } - + if (!err) { preferences->remember_options = in_preferences->remember_options; err = kim_options_copy (&preferences->options, in_preferences->options); } - + if (!err) { preferences->remember_client_identity = in_preferences->remember_client_identity; err = kim_identity_copy (&preferences->client_identity, in_preferences->client_identity); } - + if (!err) { - err = kim_favorites_copy (&preferences->favorites, + err = kim_favorites_copy (&preferences->favorites, &in_preferences->favorites); } - + if (!err) { *out_preferences = preferences; preferences = NULL; } - + kim_preferences_free (&preferences); - - + + return check_error (err); } @@ -677,20 +677,20 @@ kim_error kim_preferences_set_options (kim_preferences io_preferences, { kim_error err = KIM_NO_ERROR; kim_options options = NULL; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_options_copy (&options, in_options); } - + if (!err) { kim_options_free (&io_preferences->options); io_preferences->options = options; io_preferences->options_changed = TRUE; } - + return check_error (err); } @@ -700,14 +700,14 @@ kim_error kim_preferences_get_options (kim_preferences in_preferences, kim_options *out_options) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_options_copy (out_options, in_preferences->options); } - + return check_error (err); } @@ -717,14 +717,14 @@ kim_error kim_preferences_set_remember_options (kim_preferences io_preferences, kim_boolean in_remember_options) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_preferences->remember_options = in_remember_options; io_preferences->remember_options_changed = TRUE; } - + return check_error (err); } @@ -734,14 +734,14 @@ kim_error kim_preferences_get_remember_options (kim_preferences in_preferences, kim_boolean *out_remember_options) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_remember_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_remember_options = in_preferences->remember_options; } - + return check_error (err); } @@ -752,20 +752,20 @@ kim_error kim_preferences_set_client_identity (kim_preferences io_preferences, { kim_error err = KIM_NO_ERROR; kim_identity identity = KIM_IDENTITY_ANY; - + if (!err && !io_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* in_client_identity may be KIM_IDENTITY_ANY */ - + if (!err && in_client_identity) { err = kim_identity_copy (&identity, in_client_identity); } - + if (!err) { kim_identity_free (&io_preferences->client_identity); io_preferences->client_identity = identity; io_preferences->client_identity_changed = TRUE; } - + return check_error (err); } @@ -775,14 +775,14 @@ kim_error kim_preferences_get_client_identity (kim_preferences in_preferences, kim_identity *out_client_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_copy (out_client_identity, in_preferences->client_identity); } - + return check_error (err); } @@ -792,14 +792,14 @@ kim_error kim_preferences_set_remember_client_identity (kim_preferences io_prefe kim_boolean in_remember_client_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_preferences->remember_client_identity = in_remember_client_identity; io_preferences->remember_client_identity_changed = TRUE; } - + return check_error (err); } @@ -809,14 +809,14 @@ kim_error kim_preferences_get_remember_client_identity (kim_preferences in_pref kim_boolean *out_remember_client_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_remember_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_remember_client_identity = in_preferences->remember_client_identity; } - + return check_error (err); } @@ -826,14 +826,14 @@ kim_error kim_preferences_set_minimum_lifetime (kim_preferences io_preferences, kim_lifetime in_minimum_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_preferences->minimum_lifetime = in_minimum_lifetime; io_preferences->lifetime_range_changed = TRUE; } - + return check_error (err); } @@ -843,14 +843,14 @@ kim_error kim_preferences_get_minimum_lifetime (kim_preferences in_preferences, kim_lifetime *out_minimum_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_minimum_lifetime) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_minimum_lifetime = in_preferences->minimum_lifetime; } - + return check_error (err); } @@ -860,14 +860,14 @@ kim_error kim_preferences_set_maximum_lifetime (kim_preferences io_preferences, kim_lifetime in_maximum_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_preferences->maximum_lifetime = in_maximum_lifetime; io_preferences->lifetime_range_changed = TRUE; } - + return check_error (err); } @@ -877,14 +877,14 @@ kim_error kim_preferences_get_maximum_lifetime (kim_preferences in_preferences, kim_lifetime *out_maximum_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_maximum_lifetime) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_maximum_lifetime = in_preferences->maximum_lifetime; } - + return check_error (err); } @@ -894,14 +894,14 @@ kim_error kim_preferences_set_minimum_renewal_lifetime (kim_preferences io_prefe kim_lifetime in_minimum_renewal_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_preferences->minimum_renewal_lifetime = in_minimum_renewal_lifetime; io_preferences->renewal_lifetime_range_changed = TRUE; } - + return check_error (err); } @@ -911,14 +911,14 @@ kim_error kim_preferences_get_minimum_renewal_lifetime (kim_preferences in_pref kim_lifetime *out_minimum_renewal_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_minimum_renewal_lifetime) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_minimum_renewal_lifetime = in_preferences->minimum_renewal_lifetime; } - + return check_error (err); } @@ -928,14 +928,14 @@ kim_error kim_preferences_set_maximum_renewal_lifetime (kim_preferences io_prefe kim_lifetime in_maximum_renewal_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_preferences->maximum_renewal_lifetime = in_maximum_renewal_lifetime; io_preferences->renewal_lifetime_range_changed = TRUE; } - + return check_error (err); } @@ -945,14 +945,14 @@ kim_error kim_preferences_get_maximum_renewal_lifetime (kim_preferences in_pref kim_lifetime *out_maximum_renewal_lifetime) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_maximum_renewal_lifetime) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_maximum_renewal_lifetime = in_preferences->maximum_renewal_lifetime; } - + return check_error (err); } @@ -973,18 +973,18 @@ kim_error kim_preferences_get_favorite_identity_at_index (kim_preferences in_pr kim_options *out_options) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* out_options may be NULL */ - + if (!err) { err = kim_favorites_get_identity_at_index (&in_preferences->favorites, in_index, out_identity, out_options); } - + return check_error (err); } @@ -995,20 +995,20 @@ kim_error kim_preferences_add_favorite_identity (kim_preferences io_preferences, kim_options in_options) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* in_options may be KIM_OPTIONS_DEFAULT (NULL) */ - + if (!err) { err = kim_favorites_add_identity (&io_preferences->favorites, in_identity, in_options); } - + if (!err) { io_preferences->favorites_changed = 1; } - + return check_error (err); } @@ -1018,19 +1018,19 @@ kim_error kim_preferences_remove_favorite_identity (kim_preferences io_preferenc kim_identity in_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_favorites_remove_identity (&io_preferences->favorites, in_identity); } - + if (!err) { io_preferences->favorites_changed = 1; } - + return check_error (err); } @@ -1039,17 +1039,17 @@ kim_error kim_preferences_remove_favorite_identity (kim_preferences io_preferenc kim_error kim_preferences_remove_all_favorite_identities (kim_preferences io_preferences) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_favorites_remove_all_identities (&io_preferences->favorites); } - + if (!err) { io_preferences->favorites_changed = 1; } - + return check_error (err); } @@ -1058,17 +1058,17 @@ kim_error kim_preferences_remove_all_favorite_identities (kim_preferences io_pre kim_error kim_preferences_synchronize (kim_preferences in_preferences) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_preferences) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_preferences_write (in_preferences); } - + if (!err) { err = kim_preferences_read (in_preferences); } - + return check_error (err); } @@ -1085,4 +1085,3 @@ void kim_preferences_free (kim_preferences *io_preferences) *io_preferences = NULL; } } - diff --git a/src/kim/lib/kim_preferences_private.h b/src/kim/lib/kim_preferences_private.h index 239098829..1b7e247d7 100644 --- a/src/kim/lib/kim_preferences_private.h +++ b/src/kim/lib/kim_preferences_private.h @@ -90,37 +90,37 @@ kim_error kim_favorites_remove_all_identities (kim_favorites io_favorites); /* OS-specific functions to be implemented per-platform */ -kim_error kim_os_preferences_get_options_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_options_for_key (kim_preference_key in_key, kim_options *out_options); -kim_error kim_os_preferences_set_options_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_options_for_key (kim_preference_key in_key, kim_options in_options); -kim_error kim_os_preferences_get_identity_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_identity_for_key (kim_preference_key in_key, kim_identity in_hardcoded_default, kim_identity *out_identity); -kim_error kim_os_preferences_set_identity_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_identity_for_key (kim_preference_key in_key, kim_identity in_identity); -kim_error kim_os_preferences_get_favorites_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_favorites_for_key (kim_preference_key in_key, kim_favorites io_favorites); -kim_error kim_os_preferences_set_favorites_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_favorites_for_key (kim_preference_key in_key, kim_favorites in_favorites); -kim_error kim_os_preferences_get_lifetime_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_lifetime_for_key (kim_preference_key in_key, kim_lifetime in_hardcoded_default, kim_lifetime *out_lifetime); -kim_error kim_os_preferences_set_lifetime_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_lifetime_for_key (kim_preference_key in_key, kim_lifetime in_lifetime); -kim_error kim_os_preferences_get_boolean_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_boolean_for_key (kim_preference_key in_key, kim_boolean in_hardcoded_default, kim_boolean *out_boolean); -kim_error kim_os_preferences_set_boolean_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_boolean_for_key (kim_preference_key in_key, kim_boolean in_boolean); #endif /* KIM_PREFERENCES_PRIVATE_H */ diff --git a/src/kim/lib/kim_selection_hints.c b/src/kim/lib/kim_selection_hints.c index 3704d87e9..6aba4420d 100644 --- a/src/kim/lib/kim_selection_hints.c +++ b/src/kim/lib/kim_selection_hints.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -40,7 +40,7 @@ struct kim_selection_hints_opaque { kim_string server; }; -struct kim_selection_hints_opaque kim_selection_hints_initializer = { +struct kim_selection_hints_opaque kim_selection_hints_initializer = { NULL, kim_empty_string, KIM_OPTIONS_DEFAULT, @@ -60,23 +60,23 @@ static inline kim_error kim_selection_hints_allocate (kim_selection_hints *out_s { kim_error err = kim_library_init (); kim_selection_hints selection_hints = NULL; - + if (!err && !out_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { selection_hints = malloc (sizeof (*selection_hints)); if (!selection_hints) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { *selection_hints = kim_selection_hints_initializer; *out_selection_hints = selection_hints; selection_hints = NULL; } - + kim_selection_hints_free (&selection_hints); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -86,27 +86,27 @@ kim_error kim_selection_hints_create (kim_selection_hints *out_selection_hints, { kim_error err = KIM_NO_ERROR; kim_selection_hints selection_hints = NULL; - + if (!err && !out_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_application_identifier) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_selection_hints_allocate (&selection_hints); } - + if (!err) { - err = kim_string_copy (&selection_hints->application_identifier, + err = kim_string_copy (&selection_hints->application_identifier, in_application_identifier); } - + if (!err) { *out_selection_hints = selection_hints; selection_hints = NULL; } - + kim_selection_hints_free (&selection_hints); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -116,70 +116,70 @@ kim_error kim_selection_hints_copy (kim_selection_hints *out_selection_hints, { kim_error err = KIM_NO_ERROR; kim_selection_hints selection_hints = NULL; - + if (!err && !out_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_selection_hints_allocate (&selection_hints); } - + if (!err) { - err = kim_string_copy (&selection_hints->application_identifier, + err = kim_string_copy (&selection_hints->application_identifier, in_selection_hints->application_identifier); } - + if (!err && in_selection_hints->explanation) { - err = kim_string_copy (&selection_hints->explanation, + err = kim_string_copy (&selection_hints->explanation, in_selection_hints->explanation); } - + if (!err && in_selection_hints->options) { - err = kim_options_copy (&selection_hints->options, + err = kim_options_copy (&selection_hints->options, in_selection_hints->options); } - + if (!err && in_selection_hints->service_identity) { - err = kim_string_copy (&selection_hints->service_identity, + err = kim_string_copy (&selection_hints->service_identity, in_selection_hints->service_identity); } - + if (!err && in_selection_hints->client_realm) { - err = kim_string_copy (&selection_hints->client_realm, + err = kim_string_copy (&selection_hints->client_realm, in_selection_hints->client_realm); } - + if (!err && in_selection_hints->user) { - err = kim_string_copy (&selection_hints->user, + err = kim_string_copy (&selection_hints->user, in_selection_hints->user); } - + if (!err && in_selection_hints->service_realm) { - err = kim_string_copy (&selection_hints->service_realm, + err = kim_string_copy (&selection_hints->service_realm, in_selection_hints->service_realm); } - + if (!err && in_selection_hints->service) { - err = kim_string_copy (&selection_hints->service, + err = kim_string_copy (&selection_hints->service, in_selection_hints->service); } - + if (!err && in_selection_hints->server) { - err = kim_string_copy (&selection_hints->server, + err = kim_string_copy (&selection_hints->server, in_selection_hints->server); } - + if (!err) { selection_hints->allow_user_interaction = in_selection_hints->allow_user_interaction; selection_hints->use_cached_results = in_selection_hints->use_cached_results; - + *out_selection_hints = selection_hints; selection_hints = NULL; } - + kim_selection_hints_free (&selection_hints); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -189,48 +189,48 @@ kim_error kim_selection_hints_set_hint (kim_selection_hints io_selection_hints, kim_string in_hint_string) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_hint_key ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_hint_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { if (!strcmp (in_hint_key, kim_hint_key_client_realm)) { kim_string_free (&io_selection_hints->client_realm); - err = kim_string_copy (&io_selection_hints->client_realm, + err = kim_string_copy (&io_selection_hints->client_realm, in_hint_string); - + } else if (!strcmp (in_hint_key, kim_hint_key_user)) { kim_string_free (&io_selection_hints->user); - err = kim_string_copy (&io_selection_hints->user, + err = kim_string_copy (&io_selection_hints->user, in_hint_string); - + } else if (!strcmp (in_hint_key, kim_hint_key_service_realm)) { kim_string_free (&io_selection_hints->service_realm); - err = kim_string_copy (&io_selection_hints->service_realm, + err = kim_string_copy (&io_selection_hints->service_realm, in_hint_string); - + } else if (!strcmp (in_hint_key, kim_hint_key_service)) { kim_string_free (&io_selection_hints->service); - err = kim_string_copy (&io_selection_hints->service, + err = kim_string_copy (&io_selection_hints->service, in_hint_string); - + } else if (!strcmp (in_hint_key, kim_hint_key_server)) { kim_string_free (&io_selection_hints->server); - err = kim_string_copy (&io_selection_hints->server, + err = kim_string_copy (&io_selection_hints->server, in_hint_string); - + } else if (!strcmp (in_hint_key, kim_hint_key_service_identity)) { kim_string_free (&io_selection_hints->service_identity); - err = kim_string_copy (&io_selection_hints->service_identity, + err = kim_string_copy (&io_selection_hints->service_identity, in_hint_string); - + } else { err = kim_error_set_message_for_code (KIM_UNSUPPORTED_HINT_ERR, in_hint_key); } } - + return check_error (err); } @@ -242,36 +242,36 @@ kim_error kim_selection_hints_get_hint (kim_selection_hints in_selection_hints, { kim_error err = KIM_NO_ERROR; kim_string hint = NULL; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_hint_key ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_hint_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { if (!strcmp (in_hint_key, kim_hint_key_client_realm)) { hint = in_selection_hints->client_realm; - + } else if (!strcmp (in_hint_key, kim_hint_key_user)) { hint = in_selection_hints->user; - + } else if (!strcmp (in_hint_key, kim_hint_key_service_realm)) { hint = in_selection_hints->service_realm; - + } else if (!strcmp (in_hint_key, kim_hint_key_service)) { hint = in_selection_hints->service; - + } else if (!strcmp (in_hint_key, kim_hint_key_server)) { hint = in_selection_hints->server; - + } else if (!strcmp (in_hint_key, kim_hint_key_service_identity)) { hint = in_selection_hints->service_identity; - + } else { err = kim_error_set_message_for_code (KIM_UNSUPPORTED_HINT_ERR, in_hint_key); } } - + if (!err) { if (hint && hint != kim_empty_string) { err = kim_string_copy (out_hint_string, hint); @@ -279,7 +279,7 @@ kim_error kim_selection_hints_get_hint (kim_selection_hints in_selection_hints, *out_hint_string = NULL; } } - + return check_error (err); } @@ -289,14 +289,14 @@ kim_error kim_selection_hints_set_explanation (kim_selection_hints io_selection_ kim_string in_explanation) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_explanation ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_string_copy (&io_selection_hints->explanation, in_explanation); } - + return check_error (err); } @@ -306,19 +306,19 @@ kim_error kim_selection_hints_get_explanation (kim_selection_hints in_selection kim_string *out_explanation) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_explanation ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - if (in_selection_hints->explanation && + if (in_selection_hints->explanation && in_selection_hints->explanation != kim_empty_string) { err = kim_string_copy (out_explanation, in_selection_hints->explanation); } else { *out_explanation = NULL; } } - + return check_error (err); } @@ -328,19 +328,19 @@ kim_error kim_selection_hints_get_application_id (kim_selection_hints in_select kim_string *out_application_id) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_application_id) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { if (in_selection_hints->application_identifier) { - err = kim_string_copy (out_application_id, + err = kim_string_copy (out_application_id, in_selection_hints->application_identifier); } else { *out_application_id = NULL; } } - + return check_error (err); } @@ -350,14 +350,14 @@ kim_error kim_selection_hints_set_options (kim_selection_hints io_selection_hint kim_options in_options) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_options_copy (&io_selection_hints->options, in_options); } - + return check_error (err); } @@ -367,14 +367,14 @@ kim_error kim_selection_hints_get_options (kim_selection_hints in_selection_hin kim_options *out_options) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_options_copy (out_options, in_selection_hints->options); } - + return check_error (err); } @@ -384,13 +384,13 @@ kim_error kim_selection_hints_set_allow_user_interaction (kim_selection_hints io kim_boolean in_allow_user_interaction) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_selection_hints->allow_user_interaction = in_allow_user_interaction; } - + return check_error (err); } @@ -400,14 +400,14 @@ kim_error kim_selection_hints_get_allow_user_interaction (kim_selection_hints i kim_boolean *out_allow_user_interaction) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_allow_user_interaction) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_allow_user_interaction = in_selection_hints->allow_user_interaction; } - + return check_error (err); } @@ -417,13 +417,13 @@ kim_error kim_selection_hints_set_remember_identity (kim_selection_hints io_sele kim_boolean in_use_cached_results) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_selection_hints->use_cached_results = in_use_cached_results; } - + return check_error (err); } @@ -433,14 +433,14 @@ kim_error kim_selection_hints_get_remember_identity (kim_selection_hints in_sel kim_boolean *out_use_cached_results) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_use_cached_results) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { *out_use_cached_results = in_selection_hints->use_cached_results; } - + return check_error (err); } @@ -452,56 +452,56 @@ kim_error kim_selection_hints_get_identity (kim_selection_hints in_selection_hi kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_ccache ccache = NULL; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && in_selection_hints->use_cached_results) { err = kim_os_selection_hints_lookup_identity (in_selection_hints, &identity); } - + if (!err && !identity && in_selection_hints->allow_user_interaction) { kim_ui_context context; - + err = kim_ui_init (&context); - + while (!err && !identity) { kim_boolean user_wants_change_password = 0; - err = kim_ui_select_identity (&context, - in_selection_hints, + err = kim_ui_select_identity (&context, + in_selection_hints, &identity, &user_wants_change_password); - + if (!err && user_wants_change_password) { - err = kim_identity_change_password_common (identity, 0, - &context, + err = kim_identity_change_password_common (identity, 0, + &context, NULL); - + /* reenter select_identity so just forget this identity * even if we got an error */ - if (err == KIM_USER_CANCELED_ERR || + if (err == KIM_USER_CANCELED_ERR || err == KIM_DUPLICATE_UI_REQUEST_ERR) { err = KIM_NO_ERROR; } kim_identity_free (&identity); } - + } - + if (context.initialized) { kim_error terr = KIM_NO_ERROR; terr = kim_ui_fini (&context); err = (terr != KIM_NO_ERROR) ? terr : err; } } - + if (!err) { *out_identity = identity; identity = NULL; } - + kim_identity_free (&identity); kim_ccache_free (&ccache); - + return check_error (err); } @@ -511,15 +511,15 @@ kim_error kim_selection_hints_remember_identity (kim_selection_hints in_selectio kim_identity in_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_selection_hints_remember_identity (in_selection_hints, + err = kim_os_selection_hints_remember_identity (in_selection_hints, in_identity); } - + return check_error (err); } @@ -528,13 +528,13 @@ kim_error kim_selection_hints_remember_identity (kim_selection_hints in_selectio kim_error kim_selection_hints_forget_identity (kim_selection_hints in_selection_hints) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_os_selection_hints_forget_identity (in_selection_hints); } - + return check_error (err); } @@ -544,10 +544,10 @@ kim_error kim_selection_hints_get_preference_strings (kim_selection_hints kim_selection_hints_preference_strings *io_preference_strings) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_preference_strings) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { io_preference_strings->application_identifier = in_selection_hints->application_identifier; io_preference_strings->service_identity = in_selection_hints->service_identity; @@ -557,7 +557,7 @@ kim_error kim_selection_hints_get_preference_strings (kim_selection_hints io_preference_strings->service = in_selection_hints->service; io_preference_strings->server = in_selection_hints->server; } - + return check_error (err); } @@ -588,56 +588,56 @@ kim_error kim_selection_hints_write_to_stream (kim_selection_hints in_selection_ k5_ipc_stream io_stream) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_stream ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->application_identifier); } - + if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->explanation); } - + if (!err) { - err = kim_options_write_to_stream (in_selection_hints->options, + err = kim_options_write_to_stream (in_selection_hints->options, io_stream); } - + if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->service_identity); } - + if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->client_realm); } - + if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->user); } - + if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->service_realm); } - + if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->service); } - + if (!err) { - err = krb5int_ipc_stream_write_string (io_stream, + err = krb5int_ipc_stream_write_string (io_stream, in_selection_hints->server); } - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -646,114 +646,114 @@ kim_error kim_selection_hints_read_from_stream (kim_selection_hints io_selection k5_ipc_stream io_stream) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_stream ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { char *application_identifier = NULL; err = krb5int_ipc_stream_read_string (io_stream, &application_identifier); - + if (!err) { - err = kim_string_copy (&io_selection_hints->application_identifier, + err = kim_string_copy (&io_selection_hints->application_identifier, application_identifier); } - + krb5int_ipc_stream_free_string (application_identifier); } - + if (!err) { char *explanation = NULL; err = krb5int_ipc_stream_read_string (io_stream, &explanation); - + if (!err) { - err = kim_string_copy (&io_selection_hints->explanation, + err = kim_string_copy (&io_selection_hints->explanation, explanation); } - + krb5int_ipc_stream_free_string (explanation); } - + if (!err) { if (io_selection_hints->options) { - err = kim_options_read_from_stream (io_selection_hints->options, + err = kim_options_read_from_stream (io_selection_hints->options, io_stream); } else { - err = kim_options_create_from_stream (&io_selection_hints->options, + err = kim_options_create_from_stream (&io_selection_hints->options, io_stream); } } - + if (!err) { char *service_identity = NULL; err = krb5int_ipc_stream_read_string (io_stream, &service_identity); - + if (!err) { - err = kim_string_copy (&io_selection_hints->service_identity, + err = kim_string_copy (&io_selection_hints->service_identity, service_identity); } - + krb5int_ipc_stream_free_string (service_identity); } - + if (!err) { char *client_realm = NULL; err = krb5int_ipc_stream_read_string (io_stream, &client_realm); - + if (!err) { - err = kim_string_copy (&io_selection_hints->client_realm, + err = kim_string_copy (&io_selection_hints->client_realm, client_realm); } - + krb5int_ipc_stream_free_string (client_realm); } - + if (!err) { char *user = NULL; err = krb5int_ipc_stream_read_string (io_stream, &user); - + if (!err) { err = kim_string_copy (&io_selection_hints->user, user); } - + krb5int_ipc_stream_free_string (user); } - + if (!err) { char *service_realm = NULL; err = krb5int_ipc_stream_read_string (io_stream, &service_realm); - + if (!err) { - err = kim_string_copy (&io_selection_hints->service_realm, + err = kim_string_copy (&io_selection_hints->service_realm, service_realm); } - + krb5int_ipc_stream_free_string (service_realm); } - + if (!err) { char *service = NULL; err = krb5int_ipc_stream_read_string (io_stream, &service); - + if (!err) { err = kim_string_copy (&io_selection_hints->service, service); } - + krb5int_ipc_stream_free_string (service); } - + if (!err) { char *server = NULL; err = krb5int_ipc_stream_read_string (io_stream, &server); - + if (!err) { err = kim_string_copy (&io_selection_hints->server, server); } - + krb5int_ipc_stream_free_string (server); } - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -763,25 +763,24 @@ kim_error kim_selection_hints_create_from_stream (kim_selection_hints *out_selec { kim_error err = KIM_NO_ERROR; kim_selection_hints selection_hints = NULL; - + if (!err && !out_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_stream ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_selection_hints_allocate (&selection_hints); } - + if (!err) { err = kim_selection_hints_read_from_stream (selection_hints, io_stream); } - + if (!err) { *out_selection_hints = selection_hints; selection_hints = NULL; } - + kim_selection_hints_free (&selection_hints); - - return check_error (err); -} + return check_error (err); +} diff --git a/src/kim/lib/kim_string.c b/src/kim/lib/kim_string.c index 8b9af7010..6cf18c46e 100644 --- a/src/kim/lib/kim_string.c +++ b/src/kim/lib/kim_string.c @@ -30,87 +30,87 @@ const char kim_empty_string[1] = ""; /* ------------------------------------------------------------------------ */ -kim_error kim_string_create_from_format (kim_string *out_string, +kim_error kim_string_create_from_format (kim_string *out_string, kim_string in_format, ...) { kim_error err = kim_library_init (); va_list args; - + va_start (args, in_format); err = kim_string_create_from_format_va (out_string, in_format, args); va_end (args); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_string_create_from_format_va_retcode (kim_string *out_string, +kim_error kim_string_create_from_format_va_retcode (kim_string *out_string, kim_string in_format, va_list in_args) { kim_error err = kim_library_init (); - + int count = vasprintf ((char **) out_string, in_format, in_args); if (count < 0) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } - + return err; } /* ------------------------------------------------------------------------ */ -kim_error kim_string_create_from_format_va (kim_string *out_string, +kim_error kim_string_create_from_format_va (kim_string *out_string, kim_string in_format, va_list in_args) { kim_error err = kim_library_init (); kim_string string = NULL; - + if (!err && !out_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_format ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_string_create_from_format_va_retcode (&string, - in_format, + err = kim_string_create_from_format_va_retcode (&string, + in_format, in_args); } - + if (!err) { *out_string = string; string = NULL; } - + if (string) { kim_string_free (&string); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_string_create_from_buffer (kim_string *out_string, - const char *in_buffer, +kim_error kim_string_create_from_buffer (kim_string *out_string, + const char *in_buffer, kim_count in_length) { kim_error err = kim_library_init (); kim_string string = NULL; - + if (!err && !out_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_buffer ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { string = calloc (in_length + 1, sizeof (char *)); if (!string) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } } - + if (!err) { memcpy ((char *) string, in_buffer, in_length * sizeof (char)); *out_string = string; string = NULL; } - + kim_string_free (&string); - + return check_error (err); } @@ -128,20 +128,20 @@ kim_error kim_string_create_for_last_error (kim_string *out_string, /* ------------------------------------------------------------------------ */ -kim_error kim_string_copy (kim_string *out_string, +kim_error kim_string_copy (kim_string *out_string, kim_string in_string) { kim_error err = kim_library_init (); kim_string string = NULL; - + if (!err && !out_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { if (in_string[0]) { string = calloc (strlen (in_string) + 1, sizeof (char *)); if (!string) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } - + if (!err) { strncpy ((char *) string, in_string, strlen (in_string) + 1); } @@ -149,25 +149,25 @@ kim_error kim_string_copy (kim_string *out_string, string = kim_empty_string; } } - + if (!err) { *out_string = string; string = NULL; } - + kim_string_free (&string); - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_string_compare (kim_string in_string, +kim_error kim_string_compare (kim_string in_string, kim_string in_compare_to_string, kim_comparison *out_comparison) { - return kim_os_string_compare (in_string, - in_compare_to_string, + return kim_os_string_compare (in_string, + in_compare_to_string, 0, /* case sensitive */ out_comparison); } @@ -176,7 +176,7 @@ kim_error kim_string_compare (kim_string in_string, void kim_string_free (kim_string *io_string) { - if (io_string && *io_string && *io_string != kim_empty_string) { + if (io_string && *io_string && *io_string != kim_empty_string) { free ((char *) *io_string); *io_string = NULL; } diff --git a/src/kim/lib/kim_string_private.h b/src/kim/lib/kim_string_private.h index 6f4e0ad36..f6dba7975 100644 --- a/src/kim/lib/kim_string_private.h +++ b/src/kim/lib/kim_string_private.h @@ -40,20 +40,20 @@ static inline kim_count kim_string_buflen (kim_string in_string) /* ------------------------------------------------------------------------ */ -kim_error kim_string_create_from_format (kim_string *out_string, +kim_error kim_string_create_from_format (kim_string *out_string, kim_string in_format, ...); -kim_error kim_string_create_from_format_va_retcode (kim_string *out_string, +kim_error kim_string_create_from_format_va_retcode (kim_string *out_string, kim_string in_format, va_list in_args); -kim_error kim_string_create_from_format_va (kim_string *out_string, +kim_error kim_string_create_from_format_va (kim_string *out_string, kim_string in_format, va_list in_args); -kim_error kim_string_create_from_buffer (kim_string *out_string, - const char *in_buffer, +kim_error kim_string_create_from_buffer (kim_string *out_string, + const char *in_buffer, kim_count in_length); /* OS-specific because it should use UTF8-safe sorting where possible */ diff --git a/src/kim/lib/kim_ui.c b/src/kim/lib/kim_ui.c index 0bac3d819..b0e93f094 100644 --- a/src/kim/lib/kim_ui.c +++ b/src/kim/lib/kim_ui.c @@ -33,7 +33,7 @@ static kim_prompt_type kim_ui_ptype2ktype (krb5_prompt_type type) { if (type == KRB5_PROMPT_TYPE_PASSWORD) { return kim_prompt_type_password; - + } else if (type == KRB5_PROMPT_TYPE_PREAUTH) { return kim_prompt_type_preauth; } @@ -47,42 +47,42 @@ static kim_prompt_type kim_ui_ptype2ktype (krb5_prompt_type type) static kim_error kim_ui_init_lazy (kim_ui_context *io_context) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && !io_context->initialized) { #ifdef KIM_BUILTIN_UI kim_ui_environment environment = kim_library_ui_environment (); - + if (environment == KIM_UI_ENVIRONMENT_GUI) { #endif /* KIM_BUILTIN_UI */ io_context->type = kim_ui_type_gui_plugin; - + err = kim_ui_plugin_init (io_context); -#ifdef KIM_BUILTIN_UI - if (err) { +#ifdef KIM_BUILTIN_UI + if (err) { io_context->type = kim_ui_type_gui_builtin; - + err = kim_os_ui_gui_init (io_context); } - + } else if (environment == KIM_UI_ENVIRONMENT_CLI) { io_context->type = kim_ui_type_cli; - - err = kim_ui_cli_init (io_context); - + + err = kim_ui_cli_init (io_context); + } else { io_context->type = kim_ui_type_none; - + err = check_error (KIM_NO_UI_ERR); } #endif /* KIM_BUILTIN_UI */ if (!err) { io_context->initialized = 1; - } + } } - + return check_error (err); } @@ -93,9 +93,9 @@ static kim_error kim_ui_init_lazy (kim_ui_context *io_context) kim_error kim_ui_init (kim_ui_context *io_context) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { /* Lazy initialization so we only actually initialize if a prompt * gets called. This is important because krb5_get_init_creds_* @@ -105,7 +105,7 @@ kim_error kim_ui_init (kim_ui_context *io_context) io_context->prompt_count = 0; io_context->password_to_save = NULL; } - + return check_error (err); } @@ -117,42 +117,42 @@ kim_error kim_ui_enter_identity (kim_ui_context *in_context, kim_boolean *out_change_password) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ui_init_lazy (in_context); } - + if (!err) { if (in_context->type == kim_ui_type_gui_plugin) { - err = kim_ui_plugin_enter_identity (in_context, + err = kim_ui_plugin_enter_identity (in_context, io_options, out_identity, out_change_password); - + #ifdef KIM_BUILTIN_UI } else if (in_context->type == kim_ui_type_gui_builtin) { - err = kim_os_ui_gui_enter_identity (in_context, + err = kim_os_ui_gui_enter_identity (in_context, io_options, out_identity, out_change_password); - + } else if (in_context->type == kim_ui_type_cli) { - err = kim_ui_cli_enter_identity (in_context, + err = kim_ui_cli_enter_identity (in_context, io_options, out_identity, out_change_password); - + #endif /* KIM_BUILTIN_UI */ - + } else { err = check_error (KIM_NO_UI_ERR); } } - + return check_error (err); } @@ -164,43 +164,43 @@ kim_error kim_ui_select_identity (kim_ui_context *in_context, kim_boolean *out_change_password) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ui_init_lazy (in_context); } - + if (!err) { if (in_context->type == kim_ui_type_gui_plugin) { - err = kim_ui_plugin_select_identity (in_context, + err = kim_ui_plugin_select_identity (in_context, io_hints, out_identity, out_change_password); - + #ifdef KIM_BUILTIN_UI } else if (in_context->type == kim_ui_type_gui_builtin) { - err = kim_os_ui_gui_select_identity (in_context, + err = kim_os_ui_gui_select_identity (in_context, io_hints, out_identity, out_change_password); - + } else if (in_context->type == kim_ui_type_cli) { - err = kim_ui_cli_select_identity (in_context, + err = kim_ui_cli_select_identity (in_context, io_hints, out_identity, out_change_password); - + #endif /* KIM_BUILTIN_UI */ - + } else { err = check_error (KIM_NO_UI_ERR); } } - + return check_error (err); } @@ -218,42 +218,42 @@ krb5_error_code kim_ui_prompter (krb5_context in_krb5_context, krb5_prompt_type *types = NULL; kim_ui_context *context = (kim_ui_context *) in_context; int i; - + if (!err && !in_krb5_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_prompts ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { types = krb5_get_prompt_types (in_krb5_context); if (!types) { err = check_error (KIM_NULL_PARAMETER_ERR); } } - + for (i = 0; !err && i < in_num_prompts; i++) { char *reply = NULL; kim_prompt_type type = kim_ui_ptype2ktype (types[i]); kim_boolean got_saved_password = 0; - + if (type == kim_prompt_type_password) { /* Check for saved password on OSes that support it */ kim_error terr = KIM_NO_ERROR; - - terr = kim_os_identity_get_saved_password (context->identity, + + terr = kim_os_identity_get_saved_password (context->identity, (kim_string *) &reply); if (!terr && reply) { got_saved_password = 1; } } - + if (!got_saved_password) { kim_boolean save_reply = FALSE; kim_boolean allow_save_password = kim_os_identity_allow_save_password (); - + context->prompt_count++; err = kim_ui_init_lazy (in_context); if (!err) { if (context->type == kim_ui_type_gui_plugin) { - err = kim_ui_plugin_auth_prompt (context, - context->identity, + err = kim_ui_plugin_auth_prompt (context, + context->identity, type, allow_save_password, in_prompts[i].hidden, @@ -262,11 +262,11 @@ krb5_error_code kim_ui_prompter (krb5_context in_krb5_context, in_prompts[i].prompt, &reply, &save_reply); - + #ifdef KIM_BUILTIN_UI } else if (context->type == kim_ui_type_gui_builtin) { - err = kim_os_ui_gui_auth_prompt (context, - context->identity, + err = kim_os_ui_gui_auth_prompt (context, + context->identity, type, allow_save_password, in_prompts[i].hidden, @@ -275,10 +275,10 @@ krb5_error_code kim_ui_prompter (krb5_context in_krb5_context, in_prompts[i].prompt, &reply, &save_reply); - + } else if (context->type == kim_ui_type_cli) { - err = kim_ui_cli_auth_prompt (context, - context->identity, + err = kim_ui_cli_auth_prompt (context, + context->identity, type, allow_save_password, in_prompts[i].hidden, @@ -288,12 +288,12 @@ krb5_error_code kim_ui_prompter (krb5_context in_krb5_context, &reply, &save_reply); #endif /* KIM_BUILTIN_UI */ - + } else { err = check_error (KIM_NO_UI_ERR); } } - + if (!err && type == kim_prompt_type_password) { kim_string_free (&context->password_to_save); @@ -302,21 +302,21 @@ krb5_error_code kim_ui_prompter (krb5_context in_krb5_context, } } } - + if (!err) { uint32_t reply_len = strlen (reply); - + if ((reply_len + 1) > in_prompts[i].reply->length) { kim_debug_printf ("%s(): reply %d is too long (is %d, should be %d)\n", - __FUNCTION__, i, + __FUNCTION__, i, reply_len, in_prompts[i].reply->length); reply_len = in_prompts[i].reply->length; } - + memmove (in_prompts[i].reply->data, reply, reply_len + 1); in_prompts[i].reply->length = reply_len; } - + /* Clean up reply buffer. Saved passwords are allocated by KIM. */ if (reply) { if (got_saved_password) { @@ -327,7 +327,7 @@ krb5_error_code kim_ui_prompter (krb5_context in_krb5_context, } } } - + return check_error (err); } @@ -341,49 +341,49 @@ kim_error kim_ui_change_password (kim_ui_context *in_context, char **out_verify_password) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_old_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_verify_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ui_init_lazy (in_context); } if (!err) { if (in_context->type == kim_ui_type_gui_plugin) { - err = kim_ui_plugin_change_password (in_context, - in_identity, + err = kim_ui_plugin_change_password (in_context, + in_identity, in_old_password_expired, out_old_password, out_new_password, out_verify_password); - + #ifdef KIM_BUILTIN_UI } else if (in_context->type == kim_ui_type_gui_builtin) { - err = kim_os_ui_gui_change_password (in_context, - in_identity, + err = kim_os_ui_gui_change_password (in_context, + in_identity, in_old_password_expired, out_old_password, out_new_password, out_verify_password); - + } else if (in_context->type == kim_ui_type_cli) { err = kim_ui_cli_change_password (in_context, - in_identity, + in_identity, in_old_password_expired, out_old_password, out_new_password, out_verify_password); #endif /* KIM_BUILTIN_UI */ - + } else { err = check_error (KIM_NO_UI_ERR); } } - + return check_error (err); } @@ -396,44 +396,44 @@ kim_error kim_ui_handle_error (kim_ui_context *in_context, kim_string in_error_description) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_error_message ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_error_description) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ui_init_lazy (in_context); } - + if (!err) { if (in_context->type == kim_ui_type_gui_plugin) { - err = kim_ui_plugin_handle_error (in_context, - in_identity, + err = kim_ui_plugin_handle_error (in_context, + in_identity, in_error, in_error_message, in_error_description); - + #ifdef KIM_BUILTIN_UI } else if (in_context->type == kim_ui_type_gui_builtin) { - err = kim_os_ui_gui_handle_error (in_context, - in_identity, + err = kim_os_ui_gui_handle_error (in_context, + in_identity, in_error, in_error_message, in_error_description); - + } else if (in_context->type == kim_ui_type_cli) { - err = kim_ui_cli_handle_error (in_context, - in_identity, + err = kim_ui_cli_handle_error (in_context, + in_identity, in_error, in_error_message, in_error_description); -#endif /* KIM_BUILTIN_UI */ - +#endif /* KIM_BUILTIN_UI */ + } else { err = check_error (KIM_NO_UI_ERR); } } - + return check_error (err); } @@ -443,24 +443,24 @@ void kim_ui_free_string (kim_ui_context *in_context, char **io_string) { kim_error err = kim_ui_init_lazy (in_context); - + if (!err && in_context && io_string && *io_string) { /* most ui strings are auth information so zero before freeing */ memset (*io_string, '\0', strlen (*io_string)); - + if (in_context->type == kim_ui_type_gui_plugin) { - kim_ui_plugin_free_string (in_context, + kim_ui_plugin_free_string (in_context, io_string); - + #ifdef KIM_BUILTIN_UI } else if (in_context->type == kim_ui_type_gui_builtin) { - kim_os_ui_gui_free_string (in_context, + kim_os_ui_gui_free_string (in_context, io_string); - + } else if (in_context->type == kim_ui_type_cli) { - kim_ui_cli_free_string (in_context, + kim_ui_cli_free_string (in_context, io_string); -#endif /* KIM_BUILTIN_UI */ +#endif /* KIM_BUILTIN_UI */ } } } @@ -470,28 +470,28 @@ void kim_ui_free_string (kim_ui_context *in_context, kim_error kim_ui_fini (kim_ui_context *io_context) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && io_context->initialized) { if (io_context->type == kim_ui_type_gui_plugin) { err = kim_ui_plugin_fini (io_context); - + #ifdef KIM_BUILTIN_UI } else if (io_context->type == kim_ui_type_gui_builtin) { err = kim_os_ui_gui_fini (io_context); - + } else if (io_context->type == kim_ui_type_cli) { err = kim_ui_cli_fini (io_context); #endif /* KIM_BUILTIN_UI */ - + } else { err = check_error (KIM_NO_UI_ERR); } - + kim_string_free (&io_context->password_to_save); } - + return check_error (err); } @@ -508,43 +508,43 @@ kim_error kim_ui_handle_kim_error (kim_ui_context *in_context, kim_error err = KIM_NO_ERROR; kim_string message = NULL; kim_string description = NULL; - + if (!err) { /* Do this first so last error doesn't get overwritten */ err = kim_string_create_for_last_error (&description, in_error); } - + if (!err && !in_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_string key = NULL; - + switch (in_type) { case kim_ui_error_type_authentication: key = "Kerberos Login Failed:"; break; - + case kim_ui_error_type_change_password: key = "Kerberos Change Password Failed:"; break; - + case kim_ui_error_type_selection: case kim_ui_error_type_generic: default: key = "Kerberos Operation Failed:"; break; } - + err = kim_os_string_create_localized (&message, key); } - + if (!err) { err = kim_ui_handle_error (in_context, in_identity, - in_error, message, description); + in_error, message, description); } - + kim_string_free (&description); kim_string_free (&message); - + return check_error (err); } diff --git a/src/kim/lib/kim_ui_cli.c b/src/kim/lib/kim_ui_cli.c index 0bb5eebbb..0b258c3b5 100644 --- a/src/kim/lib/kim_ui_cli.c +++ b/src/kim/lib/kim_ui_cli.c @@ -30,8 +30,8 @@ // --------------------------------------------------------------------------- -static kim_error kim_ui_cli_read_string (kim_string *out_string, - kim_boolean in_hide_reply, +static kim_error kim_ui_cli_read_string (kim_string *out_string, + kim_boolean in_hide_reply, const char *in_format, ...) { kim_error err = KIM_NO_ERROR; @@ -40,30 +40,30 @@ static kim_error kim_ui_cli_read_string (kim_string *out_string, char prompt_string [BUFSIZ]; krb5_data reply_data; char reply_string [BUFSIZ]; - + if (!err && !out_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_format ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5_init_context (&k5context); } - + if (!err) { unsigned int count; va_list args; - + va_start (args, in_format); - count = vsnprintf (prompt_string, sizeof (prompt_string), + count = vsnprintf (prompt_string, sizeof (prompt_string), in_format, args); va_end (args); - + if (count > sizeof (prompt_string)) { - kim_debug_printf ("%s(): WARNING! Prompt should be %d characters\n", + kim_debug_printf ("%s(): WARNING! Prompt should be %d characters\n", __FUNCTION__, count); prompt_string [sizeof (prompt_string) - 1] = '\0'; } } - + if (!err) { /* Build the prompt structures */ prompts[0].prompt = prompt_string; @@ -71,21 +71,21 @@ static kim_error kim_ui_cli_read_string (kim_string *out_string, prompts[0].reply = &reply_data; prompts[0].reply->data = reply_string; prompts[0].reply->length = sizeof (reply_string); - + err = krb5_prompter_posix (k5context, NULL, NULL, NULL, 1, prompts); - if (err == KRB5_LIBOS_PWDINTR || err == KRB5_LIBOS_CANTREADPWD) { - err = check_error (KIM_USER_CANCELED_ERR); + if (err == KRB5_LIBOS_PWDINTR || err == KRB5_LIBOS_CANTREADPWD) { + err = check_error (KIM_USER_CANCELED_ERR); } } - + if (!err) { - err = kim_string_create_from_buffer (out_string, - prompts[0].reply->data, + err = kim_string_create_from_buffer (out_string, + prompts[0].reply->data, prompts[0].reply->length); } - + if (k5context) { krb5_free_context (k5context); } - + return check_error (err); } @@ -96,7 +96,7 @@ kim_error kim_ui_cli_init (kim_ui_context *io_context) if (io_context) { io_context->tcontext = NULL; } - + return KIM_NO_ERROR; } @@ -110,32 +110,32 @@ kim_error kim_ui_cli_enter_identity (kim_ui_context *in_context, kim_error err = KIM_NO_ERROR; kim_string enter_identity_string = NULL; kim_string identity_string = NULL; - + if (!err && !io_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_string_create_localized (&enter_identity_string, + err = kim_os_string_create_localized (&enter_identity_string, "Please enter your Kerberos identity"); } - + if (!err) { - err = kim_ui_cli_read_string (&identity_string, + err = kim_ui_cli_read_string (&identity_string, 0, enter_identity_string); } - + if (!err) { err = kim_identity_create_from_string (out_identity, identity_string); } - + if (!err) { *out_change_password = 0; } - + kim_string_free (&identity_string); kim_string_free (&enter_identity_string); - + return check_error (err); } @@ -148,27 +148,27 @@ kim_error kim_ui_cli_select_identity (kim_ui_context *in_context, { kim_error err = KIM_NO_ERROR; kim_options options = NULL; - + if (!err && !io_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_selection_hints_get_options (io_hints, &options); } - + if (!err) { - err = kim_ui_cli_enter_identity (in_context, options, + err = kim_ui_cli_enter_identity (in_context, options, out_identity, out_change_password); } - + if (!err) { err = kim_selection_hints_set_options (io_hints, options); } - + kim_options_free (&options); - + return check_error (err); } @@ -177,8 +177,8 @@ kim_error kim_ui_cli_select_identity (kim_ui_context *in_context, kim_error kim_ui_cli_auth_prompt (kim_ui_context *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, @@ -186,33 +186,33 @@ kim_error kim_ui_cli_auth_prompt (kim_ui_context *in_context, kim_boolean *out_save_reply) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_reply ) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* in_title, in_message or in_description may be NULL */ - + if (!err) { if (in_type == kim_prompt_type_password) { kim_string enter_password_format = NULL; kim_string identity_string = NULL; - - err = kim_os_string_create_localized (&enter_password_format, + + err = kim_os_string_create_localized (&enter_password_format, "Please enter the password for %s"); - + if (!err) { - err = kim_identity_get_display_string (in_identity, + err = kim_identity_get_display_string (in_identity, &identity_string); } - + if (!err) { - err = kim_ui_cli_read_string ((kim_string *) out_reply, - 1, enter_password_format, + err = kim_ui_cli_read_string ((kim_string *) out_reply, + 1, enter_password_format, identity_string); - } - + } + kim_string_free (&identity_string); kim_string_free (&enter_password_format); - + } else { krb5_context k5context = NULL; krb5_prompt prompts[1]; @@ -228,28 +228,28 @@ kim_error kim_ui_cli_auth_prompt (kim_ui_context *in_context, err = krb5_init_context (&k5context); if (!err) { - err = krb5_prompter_posix (k5context, in_context, in_title, + err = krb5_prompter_posix (k5context, in_context, in_title, in_message, 1, prompts); - if (err == KRB5_LIBOS_PWDINTR || err == KRB5_LIBOS_CANTREADPWD) { - err = check_error (KIM_USER_CANCELED_ERR); + if (err == KRB5_LIBOS_PWDINTR || err == KRB5_LIBOS_CANTREADPWD) { + err = check_error (KIM_USER_CANCELED_ERR); } } - + if (!err) { - err = kim_string_create_from_buffer ((kim_string *) out_reply, - prompts[0].reply->data, + err = kim_string_create_from_buffer ((kim_string *) out_reply, + prompts[0].reply->data, prompts[0].reply->length); if (!err) { /* always allow password saving */ - *out_save_reply = (in_allow_save_reply && + *out_save_reply = (in_allow_save_reply && in_type == kim_prompt_type_password); } } - + if (k5context) { krb5_free_context (k5context); } } } - + return check_error (err); } @@ -264,58 +264,58 @@ static kim_error kim_ui_cli_ask_change_password (kim_string in_identity_string) kim_string unknown_response = NULL; kim_boolean done = 0; kim_comparison no_comparison, yes_comparison; - + if (!err) { - err = kim_os_string_create_localized (&ask_change_password, - "Your password has expired, would you like to change it? (yes/no)"); + err = kim_os_string_create_localized (&ask_change_password, + "Your password has expired, would you like to change it? (yes/no)"); } - + if (!err) { - err = kim_os_string_create_localized (&yes, "yes"); + err = kim_os_string_create_localized (&yes, "yes"); } - + if (!err) { - err = kim_os_string_create_localized (&no, "no"); + err = kim_os_string_create_localized (&no, "no"); } - + if (!err) { - err = kim_os_string_create_localized (&unknown_response, - "%s is not a response I understand. Please try again."); + err = kim_os_string_create_localized (&unknown_response, + "%s is not a response I understand. Please try again."); } - + while (!err && !done) { kim_string answer = NULL; - + err = kim_ui_cli_read_string (&answer, 0, ask_change_password); - + if (!err) { - err = kim_os_string_compare (answer, no, - 1 /* case insensitive */, + err = kim_os_string_compare (answer, no, + 1 /* case insensitive */, &no_comparison); } - + if (!err && kim_comparison_is_equal_to (no_comparison)) { err = check_error (KIM_USER_CANCELED_ERR); } if (!err) { - err = kim_os_string_compare (answer, yes, - 1 /* case insensitive */, + err = kim_os_string_compare (answer, yes, + 1 /* case insensitive */, &yes_comparison); } - + if (!err) { if (kim_comparison_is_equal_to (yes_comparison)) { done = 1; } else { fprintf (stdout, unknown_response, answer); - fprintf (stdout, "\n"); + fprintf (stdout, "\n"); } } - + kim_string_free (&answer); } - + kim_string_free (&ask_change_password); kim_string_free (&yes); kim_string_free (&no); @@ -342,7 +342,7 @@ kim_error kim_ui_cli_change_password (kim_ui_context *in_context, kim_string new_password = NULL; kim_string verify_password = NULL; kim_boolean done = 0; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_old_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } @@ -355,36 +355,36 @@ kim_error kim_ui_cli_change_password (kim_ui_context *in_context, if (!err && in_old_password_expired) { err = kim_ui_cli_ask_change_password (identity_string); } - + if (!err) { - err = kim_os_string_create_localized (&enter_old_password_format, + err = kim_os_string_create_localized (&enter_old_password_format, "Please enter the old password for %s"); } - + if (!err) { - err = kim_os_string_create_localized (&enter_new_password_format, + err = kim_os_string_create_localized (&enter_new_password_format, "Please enter the new password for %s"); } - + if (!err) { - err = kim_os_string_create_localized (&enter_verify_password_format, + err = kim_os_string_create_localized (&enter_verify_password_format, "Verifying, please re-enter the new password for %s again"); } - + while (!err && !done) { kim_boolean was_prompted = 0; /* ignore because we always prompt */ - + kim_string_free (&old_password); - err = kim_ui_cli_read_string (&old_password, - 1, enter_old_password_format, + err = kim_ui_cli_read_string (&old_password, + 1, enter_old_password_format, identity_string); - + if (!err && strlen (old_password) < 1) { /* Empty password: Synthesize bad password err */ - err = KRB5KRB_AP_ERR_BAD_INTEGRITY; + err = KRB5KRB_AP_ERR_BAD_INTEGRITY; } - + if (!err) { err = kim_credential_create_for_change_password ((kim_credential *) &in_context->tcontext, in_identity, @@ -392,10 +392,10 @@ kim_error kim_ui_cli_change_password (kim_ui_context *in_context, in_context, &was_prompted); } - + if (err && err != KIM_USER_CANCELED_ERR) { /* new creds failed, report error to user */ - err = kim_ui_handle_kim_error (in_context, in_identity, + err = kim_ui_handle_kim_error (in_context, in_identity, kim_ui_error_type_change_password, err); @@ -403,19 +403,19 @@ kim_error kim_ui_cli_change_password (kim_ui_context *in_context, done = 1; } } - + if (!err) { - err = kim_ui_cli_read_string (&new_password, - 1, enter_new_password_format, + err = kim_ui_cli_read_string (&new_password, + 1, enter_new_password_format, identity_string); - } - + } + if (!err) { - err = kim_ui_cli_read_string (&verify_password, - 1, enter_verify_password_format, + err = kim_ui_cli_read_string (&verify_password, + 1, enter_verify_password_format, identity_string); - } - + } + if (!err) { *out_old_password = (char *) old_password; old_password = NULL; @@ -424,7 +424,7 @@ kim_error kim_ui_cli_change_password (kim_ui_context *in_context, *out_verify_password = (char *) verify_password; verify_password = NULL; } - + kim_string_free (&old_password); kim_string_free (&new_password); kim_string_free (&verify_password); @@ -432,7 +432,7 @@ kim_error kim_ui_cli_change_password (kim_ui_context *in_context, kim_string_free (&enter_old_password_format); kim_string_free (&enter_new_password_format); kim_string_free (&enter_verify_password_format); - + return check_error (err); } @@ -445,14 +445,14 @@ kim_error kim_ui_cli_handle_error (kim_ui_context *in_context, kim_string in_error_description) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_error_message ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_error_description) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { fprintf (stdout, "%s\n%s\n\n", in_error_message, in_error_description); } - + return check_error (err); } @@ -471,7 +471,7 @@ kim_error kim_ui_cli_fini (kim_ui_context *io_context) if (io_context) { kim_credential_free ((kim_credential *) &io_context->tcontext); } - + return KIM_NO_ERROR; } diff --git a/src/kim/lib/kim_ui_cli_private.h b/src/kim/lib/kim_ui_cli_private.h index 26970cf79..b66527a9b 100644 --- a/src/kim/lib/kim_ui_cli_private.h +++ b/src/kim/lib/kim_ui_cli_private.h @@ -49,8 +49,8 @@ kim_error kim_ui_cli_select_identity (kim_ui_context *in_context, kim_error kim_ui_cli_auth_prompt (kim_ui_context *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, diff --git a/src/kim/lib/kim_ui_gui_private.h b/src/kim/lib/kim_ui_gui_private.h index ecb324339..2f0bdbc4a 100644 --- a/src/kim/lib/kim_ui_gui_private.h +++ b/src/kim/lib/kim_ui_gui_private.h @@ -49,8 +49,8 @@ kim_error kim_os_ui_gui_select_identity (kim_ui_context *in_context, kim_error kim_os_ui_gui_auth_prompt (kim_ui_context *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, diff --git a/src/kim/lib/kim_ui_plugin.c b/src/kim/lib/kim_ui_plugin.c index c307dd189..94a455c04 100644 --- a/src/kim/lib/kim_ui_plugin.c +++ b/src/kim/lib/kim_ui_plugin.c @@ -50,15 +50,15 @@ struct kim_ui_plugin_context { static void kim_ui_plugin_context_free (kim_ui_plugin_context *io_context) { - if (io_context && *io_context) { + if (io_context && *io_context) { if ((*io_context)->ftables) { krb5int_free_plugin_dir_data ((*io_context)->ftables); } - if (PLUGIN_DIR_OPEN (&(*io_context)->plugins)) { - krb5int_close_plugin_dirs (&(*io_context)->plugins); + if (PLUGIN_DIR_OPEN (&(*io_context)->plugins)) { + krb5int_close_plugin_dirs (&(*io_context)->plugins); } - if ((*io_context)->kcontext) { - krb5_free_context ((*io_context)->kcontext); + if ((*io_context)->kcontext) { + krb5_free_context ((*io_context)->kcontext); } free (*io_context); *io_context = NULL; @@ -71,31 +71,31 @@ static kim_error kim_ui_plugin_context_allocate (kim_ui_plugin_context *out_cont { kim_error err = KIM_NO_ERROR; kim_ui_plugin_context context = NULL; - + if (!err && !out_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { context = malloc (sizeof (*context)); if (!context) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { err = krb5_error (NULL, krb5_init_context (&context->kcontext)); } - + if (!err) { PLUGIN_DIR_INIT(&context->plugins); context->ftable = NULL; context->ftables = NULL; context->plugin_context = NULL; - + *out_context = context; context = NULL; } - + kim_ui_plugin_context_free (&context); - - return check_error (err); + + return check_error (err); } #pragma mark - @@ -106,60 +106,60 @@ kim_error kim_ui_plugin_init (kim_ui_context *io_context) { kim_error err = KIM_NO_ERROR; kim_ui_plugin_context context = NULL; - + if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_ui_plugin_context_allocate (&context); } - + if (!err) { PLUGIN_DIR_INIT(&context->plugins); err = krb5_error (context->kcontext, - krb5int_open_plugin_dirs (kim_ui_plugin_dirs, - kim_ui_plugin_files, - &context->plugins, + krb5int_open_plugin_dirs (kim_ui_plugin_dirs, + kim_ui_plugin_files, + &context->plugins, &context->kcontext->err)); } - + if (!err) { err = krb5_error (context->kcontext, krb5int_get_plugin_dir_data (&context->plugins, "kim_ui_0", - &context->ftables, + &context->ftables, &context->kcontext->err)); } - + if (!err && context->ftables) { int i; - + for (i = 0; context->ftables[i]; i++) { struct kim_ui_plugin_ftable_v0 *ftable = context->ftables[i]; context->plugin_context = NULL; - + err = ftable->init (&context->plugin_context); - + if (!err) { context->ftable = ftable; break; /* use first plugin that initializes correctly */ } - + err = KIM_NO_ERROR; /* ignore failed plugins */ } } - + if (!err && !context->ftable) { err = check_error (KRB5_PLUGIN_NO_HANDLE); } - + if (!err) { io_context->tcontext = context; context = NULL; } - + kim_ui_plugin_context_free (&context); - + return check_error (err); } @@ -171,12 +171,12 @@ kim_error kim_ui_plugin_enter_identity (kim_ui_context *in_context, kim_boolean *out_change_password) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_ui_plugin_context context = (kim_ui_plugin_context) in_context->tcontext; @@ -185,7 +185,7 @@ kim_error kim_ui_plugin_enter_identity (kim_ui_context *in_context, out_identity, out_change_password); } - + return check_error (err); } @@ -197,21 +197,21 @@ kim_error kim_ui_plugin_select_identity (kim_ui_context *in_context, kim_boolean *out_change_password) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_ui_plugin_context context = (kim_ui_plugin_context) in_context->tcontext; - + err = context->ftable->select_identity (context->plugin_context, - io_hints, + io_hints, out_identity, out_change_password); } - + return check_error (err); } @@ -220,8 +220,8 @@ kim_error kim_ui_plugin_select_identity (kim_ui_context *in_context, kim_error kim_ui_plugin_auth_prompt (kim_ui_context *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, @@ -229,17 +229,17 @@ kim_error kim_ui_plugin_auth_prompt (kim_ui_context *in_context, kim_boolean *out_save_reply) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_reply ) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* in_title, in_message or in_description may be NULL */ - + if (!err) { kim_ui_plugin_context context = (kim_ui_plugin_context) in_context->tcontext; - + err = context->ftable->auth_prompt (context->plugin_context, - in_identity, + in_identity, in_type, in_allow_save_reply, in_hide_reply, @@ -249,7 +249,7 @@ kim_error kim_ui_plugin_auth_prompt (kim_ui_context *in_context, out_reply, out_save_reply); } - + return check_error (err); } @@ -263,24 +263,24 @@ kim_error kim_ui_plugin_change_password (kim_ui_context *in_context, char **out_verify_password) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_old_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_verify_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_ui_plugin_context context = (kim_ui_plugin_context) in_context->tcontext; - + err = context->ftable->change_password (context->plugin_context, - in_identity, + in_identity, in_old_password_expired, out_old_password, out_new_password, out_verify_password); } - + return check_error (err); } @@ -293,21 +293,21 @@ kim_error kim_ui_plugin_handle_error (kim_ui_context *in_context, kim_string in_error_description) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_error_message ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_error_description) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_ui_plugin_context context = (kim_ui_plugin_context) in_context->tcontext; - + err = context->ftable->handle_error (context->plugin_context, - in_identity, + in_identity, in_error, in_error_message, in_error_description); } - + return check_error (err); } @@ -317,14 +317,14 @@ void kim_ui_plugin_free_string (kim_ui_context *in_context, char **io_string) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_ui_plugin_context context = (kim_ui_plugin_context) in_context->tcontext; - - context->ftable->free_string (context->plugin_context, + + context->ftable->free_string (context->plugin_context, io_string); } } @@ -334,12 +334,12 @@ void kim_ui_plugin_free_string (kim_ui_context *in_context, kim_error kim_ui_plugin_fini (kim_ui_context *io_context) { kim_error err = KIM_NO_ERROR; - + if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_ui_plugin_context context = (kim_ui_plugin_context) io_context->tcontext; - + if (context) { err = context->ftable->fini (context->plugin_context); } @@ -349,6 +349,6 @@ kim_error kim_ui_plugin_fini (kim_ui_context *io_context) io_context->tcontext = NULL; } } - + return check_error (err); } diff --git a/src/kim/lib/kim_ui_plugin_private.h b/src/kim/lib/kim_ui_plugin_private.h index 397a7ad91..9248e08df 100644 --- a/src/kim/lib/kim_ui_plugin_private.h +++ b/src/kim/lib/kim_ui_plugin_private.h @@ -48,8 +48,8 @@ kim_error kim_ui_plugin_select_identity (kim_ui_context *in_context, kim_error kim_ui_plugin_auth_prompt (kim_ui_context *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, diff --git a/src/kim/lib/mac/KerberosLogin.c b/src/kim/lib/mac/KerberosLogin.c index de05e57dd..73d9b8056 100644 --- a/src/kim/lib/mac/KerberosLogin.c +++ b/src/kim/lib/mac/KerberosLogin.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -34,8 +34,8 @@ #include "k5-thread.h" #include -/* - * Deprecated Error codes +/* + * Deprecated Error codes */ enum { /* Carbon Dialog errors */ @@ -44,7 +44,7 @@ enum { klNotInForegroundErr, klNoAppearanceErr, klFatalDialogErr, - klCarbonUnavailableErr + klCarbonUnavailableErr }; krb5_get_init_creds_opt *__KLLoginOptionsGetKerberos5Options (KLLoginOptions ioOptions); @@ -57,33 +57,33 @@ char *__KLLoginOptionsGetServiceName (KLLoginOptions ioOptions); static KLStatus kl_check_error_ (kim_error inError, const char *function, const char *file, int line) { kim_error err = inError; - + switch (err) { case ccNoError: err = klNoErr; break; - + case ccErrBadName: err = klPrincipalDoesNotExistErr; break; - + case ccErrCCacheNotFound: err = klCacheDoesNotExistErr; break; - + case ccErrCredentialsNotFound: err = klNoCredentialsErr; break; - + case KIM_OUT_OF_MEMORY_ERR: case ccErrNoMem: err = klMemFullErr; break; - + case ccErrBadCredentialsVersion: err = klInvalidVersionErr; break; - + case KIM_NULL_PARAMETER_ERR: case ccErrBadParam: case ccIteratorEnd: @@ -103,19 +103,19 @@ static KLStatus kl_check_error_ (kim_error inError, const char *function, const case ccErrNeverDefault: err = klParameterErr; break; - + case KIM_USER_CANCELED_ERR: case KRB5_LIBOS_PWDINTR: err = klUserCanceledErr; break; } - + if (err) { - kim_debug_printf ("%s() remapped %d to %d ('%s') at %s: %d", - function, inError, err, kim_error_message (err), + kim_debug_printf ("%s() remapped %d to %d ('%s') at %s: %d", + function, inError, err, kim_error_message (err), file, line); } - + return err; } #define kl_check_error(err) kl_check_error_(err, __FUNCTION__, __FILE__, __LINE__) @@ -126,9 +126,9 @@ KLStatus KLAcquireTickets (KLPrincipal inPrincipal, KLPrincipal *outPrincipal, char **outCredCacheName) { - return kl_check_error (KLAcquireInitialTickets (inPrincipal, - NULL, - outPrincipal, + return kl_check_error (KLAcquireInitialTickets (inPrincipal, + NULL, + outPrincipal, outCredCacheName)); } @@ -138,9 +138,9 @@ KLStatus KLAcquireNewTickets (KLPrincipal inPrincipal, KLPrincipal *outPrincipal, char **outCredCacheName) { - return kl_check_error (KLAcquireNewInitialTickets (inPrincipal, - NULL, - outPrincipal, + return kl_check_error (KLAcquireNewInitialTickets (inPrincipal, + NULL, + outPrincipal, outCredCacheName)); } @@ -151,9 +151,9 @@ KLStatus KLAcquireTicketsWithPassword (KLPrincipal inPrincipal, const char *inPassword, char **outCredCacheName) { - return kl_check_error (KLAcquireInitialTicketsWithPassword (inPrincipal, - inLoginOptions, - inPassword, + return kl_check_error (KLAcquireInitialTicketsWithPassword (inPrincipal, + inLoginOptions, + inPassword, outCredCacheName)); } @@ -164,9 +164,9 @@ KLStatus KLAcquireNewTicketsWithPassword (KLPrincipal inPrincipal, const char *inPassword, char **outCredCacheName) { - return kl_check_error (KLAcquireNewInitialTicketsWithPassword (inPrincipal, - inLoginOptions, - inPassword, + return kl_check_error (KLAcquireNewInitialTicketsWithPassword (inPrincipal, + inLoginOptions, + inPassword, outCredCacheName)); } @@ -201,21 +201,21 @@ KLStatus KLAcquireInitialTickets (KLPrincipal inPrincipal, kim_ccache ccache = NULL; kim_string name = NULL; kim_identity identity = NULL; - + if (!err) { - err = kim_ccache_create_new_if_needed (&ccache, + err = kim_ccache_create_new_if_needed (&ccache, inPrincipal, inLoginOptions); } - + if (!err && outPrincipal) { err = kim_ccache_get_client_identity (ccache, &identity); } - + if (!err && outCredCacheName) { err = kim_ccache_get_display_name (ccache, &name); } - + if (!err) { if (outPrincipal) { *outPrincipal = identity; @@ -226,11 +226,11 @@ KLStatus KLAcquireInitialTickets (KLPrincipal inPrincipal, name = NULL; } } - + kim_string_free (&name); - kim_identity_free (&identity); + kim_identity_free (&identity); kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -245,17 +245,17 @@ KLStatus KLAcquireNewInitialTickets (KLPrincipal inPrincipal, kim_ccache ccache = NULL; kim_string name = NULL; kim_identity identity = NULL; - + err = kim_ccache_create_new (&ccache, inPrincipal, inLoginOptions); - + if (!err && outPrincipal) { err = kim_ccache_get_client_identity (ccache, &identity); } - + if (!err && outCredCacheName) { err = kim_ccache_get_display_name (ccache, &name); } - + if (!err) { if (outPrincipal) { *outPrincipal = identity; @@ -266,11 +266,11 @@ KLStatus KLAcquireNewInitialTickets (KLPrincipal inPrincipal, name = NULL; } } - + kim_string_free (&name); - kim_identity_free (&identity); + kim_identity_free (&identity); kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -280,15 +280,15 @@ KLStatus KLDestroyTickets (KLPrincipal inPrincipal) { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + if (!err) { err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); } - + if (!err) { err = kim_ccache_destroy (&ccache); } - + return kl_check_error (err); } @@ -308,21 +308,21 @@ KLStatus KLAcquireInitialTicketsWithPassword (KLPrincipal inPrincipal, { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + if (!err) { - err = kim_ccache_create_new_if_needed_with_password (&ccache, + err = kim_ccache_create_new_if_needed_with_password (&ccache, inPrincipal, inLoginOptions, inPassword); } - + if (!err && outCredCacheName) { - err = kim_ccache_get_display_name (ccache, + err = kim_ccache_get_display_name (ccache, (kim_string *) outCredCacheName); - } - + } + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -335,19 +335,19 @@ KLStatus KLAcquireNewInitialTicketsWithPassword (KLPrincipal inPrincipal, { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - - err = kim_ccache_create_new_with_password (&ccache, - inPrincipal, + + err = kim_ccache_create_new_with_password (&ccache, + inPrincipal, inLoginOptions, inPassword); - + if (!err && outCredCacheName) { - err = kim_ccache_get_display_name (ccache, + err = kim_ccache_get_display_name (ccache, (kim_string *) outCredCacheName); - } - + } + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -365,20 +365,20 @@ KLStatus KLAcquireNewInitialTicketCredentialsWithPassword (KLPrincipal inPr kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; krb5_creds *creds = NULL; - + if (!err) { err = kim_credential_create_new_with_password (&credential, inPrincipal, inLoginOptions, inPassword); } - + if (!err) { - err = kim_credential_get_krb5_creds (credential, + err = kim_credential_get_krb5_creds (credential, inV5Context, &creds); } - + if (!err) { *outGotV5Credentials = 1; *outGotV4Credentials = 0; @@ -386,9 +386,9 @@ KLStatus KLAcquireNewInitialTicketCredentialsWithPassword (KLPrincipal inPr free (creds); /* eeeew */ creds = NULL; } - + kim_credential_free (&credential); - + return kl_check_error (err); } @@ -403,23 +403,23 @@ KLStatus KLStoreNewInitialTicketCredentials (KLPrincipal inPrincipal, kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; kim_ccache ccache = NULL; - + err = kim_credential_create_from_krb5_creds (&credential, - inV5Context, + inV5Context, inV5Credentials); - + if (!err) { err = kim_credential_store (credential, inPrincipal, &ccache); } - + if (!err && outCredCacheName) { - err = kim_ccache_get_display_name (ccache, + err = kim_ccache_get_display_name (ccache, (kim_string *) outCredCacheName); - } - + } + kim_ccache_free (&ccache); kim_credential_free (&credential); - + return kl_check_error (err); } @@ -431,23 +431,23 @@ KLStatus KLVerifyInitialTickets (KLPrincipal inPrincipal, { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); - + if (!err) { - err = kim_ccache_verify (ccache, - KIM_IDENTITY_ANY, - NULL, + err = kim_ccache_verify (ccache, + KIM_IDENTITY_ANY, + NULL, inFailIfNoHostKey); } - + if (!err && outCredCacheName) { - err = kim_ccache_get_display_name (ccache, + err = kim_ccache_get_display_name (ccache, (kim_string *) outCredCacheName); - } - + } + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -460,23 +460,23 @@ KLStatus KLVerifyInitialTicketCredentials (void *inV4Credentials, kim_error err = KIM_NO_ERROR; kim_credential credential = NULL; krb5_context context = NULL; - + err = krb5_error (NULL, krb5_init_context (&context)); - + if (!err) { err = kim_credential_create_from_krb5_creds (&credential, - context, + context, inV5Credentials); } - + if (!err) { - err = kim_credential_verify (credential, KIM_IDENTITY_ANY, + err = kim_credential_verify (credential, KIM_IDENTITY_ANY, NULL, inFailIfNoHostKey); } - + if (context) { krb5_free_context (context); } kim_credential_free (&credential); - + return kl_check_error (err); } @@ -489,19 +489,19 @@ KLStatus KLAcquireNewInitialTicketsWithKeytab (KLPrincipal inPrincipal, { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - - err = kim_ccache_create_from_keytab (&ccache, - inPrincipal, + + err = kim_ccache_create_from_keytab (&ccache, + inPrincipal, inLoginOptions, inKeytabName); - + if (!err && outCredCacheName) { - err = kim_ccache_get_display_name (ccache, + err = kim_ccache_get_display_name (ccache, (kim_string *) outCredCacheName); - } - + } + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -516,21 +516,21 @@ KLStatus KLRenewInitialTickets (KLPrincipal inPrincipal, kim_ccache ccache = NULL; kim_string name = NULL; kim_identity identity = NULL; - + err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); - + if (!err) { err = kim_ccache_renew (ccache, inLoginOptions); } - + if (!err && outPrincipal) { err = kim_ccache_get_client_identity (ccache, &identity); } - + if (!err && outCredCacheName) { err = kim_ccache_get_display_name (ccache, &name); } - + if (!err) { if (outPrincipal) { *outPrincipal = identity; @@ -541,11 +541,11 @@ KLStatus KLRenewInitialTickets (KLPrincipal inPrincipal, name = NULL; } } - + kim_string_free (&name); kim_identity_free (&identity); kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -557,20 +557,20 @@ KLStatus KLValidateInitialTickets (KLPrincipal inPrincipal, { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); - + if (!err) { err = kim_ccache_validate (ccache, inLoginOptions); } - + if (!err && outCredCacheName) { - err = kim_ccache_get_display_name (ccache, + err = kim_ccache_get_display_name (ccache, (kim_string *) outCredCacheName); - } - + } + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -586,7 +586,7 @@ MAKE_FINI_FUNCTION(kim_change_time_fini); static int kim_change_time_init (void) { g_kl_change_time = time (NULL); - + return k5_mutex_finish_init(&g_change_time_mutex); } @@ -597,7 +597,7 @@ static void kim_change_time_fini (void) if (!INITIALIZER_RAN (kim_change_time_init) || PROGRAM_EXITING ()) { return; } - + k5_mutex_destroy(&g_change_time_mutex); } @@ -609,9 +609,9 @@ KLStatus KLLastChangedTime (KLTime *outLastChangedTime) kim_error mutex_err = KIM_NO_ERROR; cc_context_t context = NULL; cc_time_t ccChangeTime = 0; - + if (!err && !outLastChangedTime) { err = kl_check_error (klParameterErr); } - + if (!err) { mutex_err = k5_mutex_lock (&g_change_time_mutex); if (mutex_err) { err = mutex_err; } @@ -620,11 +620,11 @@ KLStatus KLLastChangedTime (KLTime *outLastChangedTime) if (!err) { err = cc_initialize (&context, ccapi_version_4, NULL, NULL); } - + if (!err) { err = cc_context_get_change_time (context, &ccChangeTime); } - + if (!err) { /* cc_context_get_change_time returns 0 if there are no tickets * but KLLastChangedTime always returned the current time. So @@ -638,13 +638,13 @@ KLStatus KLLastChangedTime (KLTime *outLastChangedTime) } g_cc_change_time = ccChangeTime; } - + *outLastChangedTime = g_kl_change_time; } - + if (context ) { cc_context_release (context); } if (!mutex_err) { k5_mutex_unlock (&g_change_time_mutex); } - + return kl_check_error (err); } @@ -661,29 +661,29 @@ KLStatus KLCacheHasValidTickets (KLPrincipal inPrincipal, kim_credential_state state = kim_credentials_state_valid; kim_identity identity = NULL; kim_string name = NULL; - + if (!outFoundValidTickets) { err = kl_check_error (klParameterErr); } - + if (!err) { err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); } - + if (!err) { err = kim_ccache_get_state (ccache, &state); } - + if (!err && outPrincipal) { err = kim_ccache_get_client_identity (ccache, &identity); if (err) { err = KIM_NO_ERROR; identity = NULL; - } + } } - + if (!err && outCredCacheName) { err = kim_ccache_get_display_name (ccache, &name); } - + if (!err) { *outFoundValidTickets = (state == kim_credentials_state_valid); if (outPrincipal) { @@ -695,11 +695,11 @@ KLStatus KLCacheHasValidTickets (KLPrincipal inPrincipal, name = NULL; } } - + kim_string_free (&name); kim_identity_free (&identity); kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -712,21 +712,21 @@ KLStatus KLTicketStartTime (KLPrincipal inPrincipal, kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; kim_time start_time = 0; - + if (!err) { err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); } - + if (!err) { err = kim_ccache_get_start_time (ccache, &start_time); } - + if (!err) { *outStartTime = start_time; } - + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -739,21 +739,21 @@ KLStatus KLTicketExpirationTime (KLPrincipal inPrincipal, kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; kim_time expiration_time = 0; - + if (!err) { err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); } - + if (!err) { err = kim_ccache_get_expiration_time (ccache, &expiration_time); } - + if (!err) { *outExpirationTime = expiration_time; } - + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -763,17 +763,17 @@ KLStatus KLSetSystemDefaultCache (KLPrincipal inPrincipal) { kim_error err = KIM_NO_ERROR; kim_ccache ccache = NULL; - + if (!err) { err = kim_ccache_create_from_client_identity (&ccache, inPrincipal); } - + if (!err) { err = kim_ccache_set_default (ccache); } - + kim_ccache_free (&ccache); - + return kl_check_error (err); } @@ -786,15 +786,15 @@ KLStatus KLHandleError (KLStatus inError, kim_error err = KIM_NO_ERROR; kim_ui_context context; kim_boolean ui_inited = 0; - + if (!err) { err = kim_ui_init (&context); if (!err) { ui_inited = 1; } } - + if (!err) { int type = kim_ui_error_type_generic; - + switch (inDialogIdentifier) { case loginLibrary_LoginDialog: type = kim_ui_error_type_authentication; @@ -806,16 +806,16 @@ KLStatus KLHandleError (KLStatus inError, type = kim_ui_error_type_generic; break; } - - err = kim_ui_handle_kim_error (&context, + + err = kim_ui_handle_kim_error (&context, KIM_IDENTITY_ANY, type, inError); } - + if (ui_inited) { kim_error fini_err = kim_ui_fini (&context); if (!err) { err = kl_check_error (fini_err); } } - + return kl_check_error (err); } @@ -853,36 +853,36 @@ KLStatus KLChangePasswordWithPasswords (KLPrincipal inPrincipal, kim_error rejected_err = KIM_NO_ERROR; kim_string rejected_message = NULL; kim_string rejected_description = NULL; - + if (!inOldPassword) { err = kl_check_error (klParameterErr); } if (!inNewPassword) { err = kl_check_error (klParameterErr); } if (!outRejected ) { err = kl_check_error (klParameterErr); } - + if (!err) { err = kim_ui_init (&context); if (!err) { ui_inited = 1; } } - + if (!err) { kim_boolean was_prompted = 0; - + err = kim_credential_create_for_change_password (&credential, inPrincipal, inOldPassword, &context, &was_prompted); } - + if (!err) { err = kim_identity_change_password_with_credential (inPrincipal, - credential, + credential, inNewPassword, &context, &rejected_err, &rejected_message, &rejected_description); - } - + } + if (!err) { *outRejected = (rejected_err != 0); if (rejected_err) { @@ -896,16 +896,16 @@ KLStatus KLChangePasswordWithPasswords (KLPrincipal inPrincipal, } } } - + if (ui_inited) { kim_error fini_err = kim_ui_fini (&context); if (!err) { err = kl_check_error (fini_err); } } - + kim_string_free (&rejected_message); kim_string_free (&rejected_description); kim_credential_free (&credential); - + return kl_check_error (err); } @@ -949,23 +949,23 @@ KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption, kim_preferences prefs = NULL; KLSize targetSize = 0; KLBoolean returnSizeOnly = (ioBuffer == NULL); - + if (!ioBufferSize) { err = kl_check_error (klParameterErr); } - + if (!err) { err = kim_preferences_create (&prefs); } - + if (!err && inOption == loginOption_LoginName) { kim_identity identity = NULL; kim_string string = ""; - + err = kim_preferences_get_client_identity (prefs, &identity); - + if (!err && identity) { err = kim_identity_get_components_string (identity, &string); } - + if (!err) { targetSize = strlen (string); if (!returnSizeOnly) { @@ -976,12 +976,12 @@ KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption, } } } - + if (string && string[0]) { kim_string_free (&string); } - + } else if (!err && inOption == loginOption_LoginInstance) { targetSize = 0; /* Deprecated */ - + } else if (!err && (inOption == loginOption_ShowOptions || inOption == loginOption_RememberShowOptions || inOption == loginOption_LongTicketLifetimeDisplay || @@ -989,25 +989,25 @@ KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption, inOption == loginOption_RememberExtras || inOption == loginOption_RememberPassword)) { targetSize = sizeof(KLBoolean); - + if (!returnSizeOnly) { kim_boolean boolean = 0; - + if (inOption == loginOption_ShowOptions || inOption == loginOption_RememberShowOptions || inOption == loginOption_LongTicketLifetimeDisplay) { boolean = 1; /* Deprecated */ - + } else if (inOption == loginOption_RememberPrincipal) { err = kim_preferences_get_remember_client_identity (prefs, &boolean); - + } else if (inOption == loginOption_RememberExtras) { err = kim_preferences_get_remember_options (prefs, &boolean); - + } else if (inOption == loginOption_RememberPassword) { boolean = kim_os_identity_allow_save_password (); } - + if (!err) { if (*ioBufferSize < targetSize) { err = kl_check_error (klBufferTooSmallErr); @@ -1016,29 +1016,29 @@ KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption, } } } - + } else if (!err && (inOption == loginOption_MinimalTicketLifetime || inOption == loginOption_MaximalTicketLifetime || inOption == loginOption_MinimalRenewableLifetime || inOption == loginOption_MaximalRenewableLifetime)) { targetSize = sizeof(KLLifetime); - + if (!returnSizeOnly) { kim_lifetime lifetime = 0; - + if (inOption == loginOption_MinimalTicketLifetime) { err = kim_preferences_get_minimum_lifetime (prefs, &lifetime); - + } else if (inOption == loginOption_MaximalTicketLifetime) { err = kim_preferences_get_maximum_lifetime (prefs, &lifetime); - + } else if (inOption == loginOption_MinimalRenewableLifetime) { err = kim_preferences_get_minimum_renewal_lifetime (prefs, &lifetime); - + } else if (inOption == loginOption_MaximalRenewableLifetime) { err = kim_preferences_get_maximum_renewal_lifetime (prefs, &lifetime); - } - + } + if (!err) { if (*ioBufferSize < targetSize) { err = kl_check_error (klBufferTooSmallErr); @@ -1047,32 +1047,32 @@ KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption, } } } - + } else if (!err && (inOption == loginOption_DefaultRenewableTicket || inOption == loginOption_DefaultForwardableTicket || inOption == loginOption_DefaultProxiableTicket || inOption == loginOption_DefaultAddresslessTicket)) { targetSize = sizeof(KLBoolean); - + if (!returnSizeOnly) { kim_options options = NULL; kim_boolean boolean = 0; - + err = kim_preferences_get_options (prefs, &options); - + if (!err && inOption == loginOption_DefaultRenewableTicket) { err = kim_options_get_renewable (options, &boolean); - + } else if (!err && inOption == loginOption_DefaultForwardableTicket) { err = kim_options_get_forwardable (options, &boolean); - + } else if (!err && inOption == loginOption_DefaultProxiableTicket) { err = kim_options_get_proxiable (options, &boolean); - + } else if (!err && inOption == loginOption_DefaultAddresslessTicket) { err = kim_options_get_addressless (options, &boolean); - } - + } + if (!err) { if (*ioBufferSize < targetSize) { err = kl_check_error (klBufferTooSmallErr); @@ -1080,28 +1080,28 @@ KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption, *(KLBoolean *)ioBuffer = boolean; } } - + kim_options_free (&options); } - - + + } else if (!err && (inOption == loginOption_DefaultTicketLifetime || inOption == loginOption_DefaultRenewableLifetime)) { targetSize = sizeof(KLLifetime); - + if (!returnSizeOnly) { kim_options options = NULL; kim_lifetime lifetime = 0; - + err = kim_preferences_get_options (prefs, &options); - + if (!err && inOption == loginOption_DefaultTicketLifetime) { err = kim_options_get_lifetime (options, &lifetime); - + } else if (!err && inOption == loginOption_DefaultRenewableLifetime) { err = kim_options_get_renewal_lifetime (options, &lifetime); - } - + } + if (!err) { if (*ioBufferSize < targetSize) { err = kl_check_error (klBufferTooSmallErr); @@ -1109,18 +1109,18 @@ KLStatus KLGetDefaultLoginOption (const KLDefaultLoginOption inOption, *(KLLifetime *)ioBuffer = lifetime; } } - + kim_options_free (&options); } - - } else { + + } else { err = kl_check_error (klInvalidOptionErr); } - + if (!err) { *ioBufferSize = targetSize; } - + return kl_check_error (err); } @@ -1132,56 +1132,56 @@ KLStatus KLSetDefaultLoginOption (const KLDefaultLoginOption inOption, { KLStatus err = klNoErr; kim_preferences prefs = NULL; - + if (inBuffer == NULL) { err = kl_check_error (klParameterErr); } if (inBufferSize < 0) { err = kl_check_error (klParameterErr); } - + if (!err) { err = kim_preferences_create (&prefs); } - + if (!err && inOption == loginOption_LoginName) { kim_identity old_identity = NULL; kim_identity new_identity = NULL; kim_string new_identity_string = NULL; kim_string realm = NULL; kim_string components = NULL; - + err = kim_string_create_from_buffer (&components, inBuffer, inBufferSize); - + if (!err) { err = kim_preferences_get_client_identity (prefs, &old_identity); - + if (!err && old_identity) { err = kim_identity_get_realm (old_identity, &realm); } } - + if (!err && realm) { - err = kim_string_create_from_format (&new_identity_string, + err = kim_string_create_from_format (&new_identity_string, "%s@%s", components, realm); } - + if (!err) { err = kim_identity_create_from_string (&new_identity, (new_identity_string ? new_identity_string : components)); } - + if (!err) { err = kim_preferences_set_client_identity (prefs, new_identity); } - + kim_string_free (&components); kim_string_free (&realm); kim_string_free (&new_identity_string); kim_identity_free (&old_identity); kim_identity_free (&new_identity); - + } else if (!err && inOption == loginOption_LoginInstance) { /* Ignored */ - + } else if (!err && (inOption == loginOption_ShowOptions || inOption == loginOption_RememberShowOptions || inOption == loginOption_LongTicketLifetimeDisplay || @@ -1193,14 +1193,14 @@ KLStatus KLSetDefaultLoginOption (const KLDefaultLoginOption inOption, } else if (inBufferSize < sizeof (KLBoolean)) { err = kl_check_error (klBufferTooSmallErr); } - + if (!err && inOption == loginOption_RememberPrincipal) { err = kim_preferences_set_remember_client_identity (prefs, *(KLBoolean *)inBuffer); - + } else if (!err && inOption == loginOption_RememberExtras) { err = kim_preferences_set_remember_options (prefs, *(KLBoolean *)inBuffer); } - + } else if (!err && (inOption == loginOption_MinimalTicketLifetime || inOption == loginOption_MaximalTicketLifetime || inOption == loginOption_MinimalRenewableLifetime || @@ -1210,92 +1210,92 @@ KLStatus KLSetDefaultLoginOption (const KLDefaultLoginOption inOption, } else if (inBufferSize < sizeof (KLLifetime)) { err = kl_check_error (klBufferTooSmallErr); } - + if (!err && inOption == loginOption_MinimalTicketLifetime) { err = kim_preferences_set_minimum_lifetime (prefs, *(KLLifetime *)inBuffer); - + } else if (!err && inOption == loginOption_MaximalTicketLifetime) { err = kim_preferences_set_maximum_lifetime (prefs, *(KLLifetime *)inBuffer); - + } else if (!err && inOption == loginOption_MinimalRenewableLifetime) { err = kim_preferences_set_minimum_renewal_lifetime (prefs, *(KLLifetime *)inBuffer); - + } else if (!err && inOption == loginOption_MaximalRenewableLifetime) { err = kim_preferences_set_maximum_renewal_lifetime (prefs, *(KLLifetime *)inBuffer); - } - + } + } else if (!err && (inOption == loginOption_DefaultRenewableTicket || inOption == loginOption_DefaultForwardableTicket || inOption == loginOption_DefaultProxiableTicket || inOption == loginOption_DefaultAddresslessTicket)) { kim_options options = NULL; - + if (inBufferSize > sizeof (KLBoolean)) { err = kl_check_error (klBufferTooLargeErr); } else if (inBufferSize < sizeof (KLBoolean)) { err = kl_check_error (klBufferTooSmallErr); } - + if (!err) { err = kim_preferences_get_options (prefs, &options); } - + if (!err && inOption == loginOption_DefaultRenewableTicket) { err = kim_options_set_renewable (options, *(KLBoolean *)inBuffer); - + } else if (!err && inOption == loginOption_DefaultForwardableTicket) { err = kim_options_set_forwardable (options, *(KLBoolean *)inBuffer); - + } else if (!err && inOption == loginOption_DefaultProxiableTicket) { err = kim_options_set_proxiable (options, *(KLBoolean *)inBuffer); - + } else if (!err && inOption == loginOption_DefaultAddresslessTicket) { err = kim_options_set_addressless (options, *(KLBoolean *)inBuffer); - } - + } + if (!err) { err = kim_preferences_set_options (prefs, options); } - + kim_options_free (&options); - + } else if (!err && (inOption == loginOption_DefaultTicketLifetime || inOption == loginOption_DefaultRenewableLifetime)) { kim_options options = NULL; - + if (inBufferSize > sizeof (KLLifetime)) { err = kl_check_error (klBufferTooLargeErr); } else if (inBufferSize < sizeof (KLLifetime)) { err = kl_check_error (klBufferTooSmallErr); } - + if (!err) { err = kim_preferences_get_options (prefs, &options); } - + if (!err && inOption == loginOption_DefaultTicketLifetime) { err = kim_options_set_lifetime (options, *(KLLifetime *)inBuffer); - + } else if (!err && inOption == loginOption_DefaultRenewableLifetime) { err = kim_options_set_renewal_lifetime (options, *(KLLifetime *)inBuffer); - } - + } + if (!err) { err = kim_preferences_set_options (prefs, options); } - + kim_options_free (&options); - - } else { + + } else { err = kl_check_error (klInvalidOptionErr); } - + if (!err) { err = kim_preferences_synchronize (prefs); - } - + } + kim_preferences_free (&prefs); - + return kl_check_error (err); } @@ -1308,11 +1308,11 @@ KLStatus KLFindKerberosRealmByName (const char *inRealmName, { kim_error err = KIM_NO_ERROR; char *realm = NULL; - + if (!err) { err = KLGetKerberosDefaultRealmByName (&realm); } - + if (!err) { if (!strcmp (inRealmName, realm)) { *outIndex = 0; @@ -1320,9 +1320,9 @@ KLStatus KLFindKerberosRealmByName (const char *inRealmName, err = kl_check_error (klRealmDoesNotExistErr); } } - + kim_string_free ((kim_string *) &realm); - + return kl_check_error (err); } @@ -1332,14 +1332,14 @@ KLStatus KLGetKerberosRealm (KLIndex inIndex, char **outRealmName) { kim_error err = KIM_NO_ERROR; - + if (!outRealmName) { err = kl_check_error (klParameterErr); } if (!err && inIndex != 0) { err = kl_check_error (klRealmDoesNotExistErr); } - + if (!err) { err = KLGetKerberosDefaultRealmByName (outRealmName); } - + return kl_check_error (err); } @@ -1385,13 +1385,13 @@ KLSize KLCountKerberosRealms (void) KLStatus KLGetKerberosDefaultRealm(KLIndex *outIndex) { kim_error err = KIM_NO_ERROR; - + if (!outIndex) { err = kl_check_error (klParameterErr); } - + if (!err) { *outIndex = 0; } - + return kl_check_error (klNoErr); } @@ -1402,24 +1402,24 @@ KLStatus KLGetKerberosDefaultRealmByName (char **outRealmName) kim_error err = KIM_NO_ERROR; krb5_context context = NULL; char *realm = NULL; - + if (!outRealmName) { err = kl_check_error (klParameterErr); } - + if (!err) { err = krb5_init_context (&context); } - + if (!err) { err = krb5_get_default_realm(context, &realm); } - + if (!err) { err = kim_string_copy ((kim_string *) outRealmName, realm); } - + if (realm ) { krb5_free_default_realm (context, realm); } if (context) { krb5_free_context (context); } - + return kl_check_error (err); } @@ -1449,14 +1449,14 @@ KLStatus KLCreatePrincipalFromTriplet (const char *inName, if (inInstance && strlen (inInstance) > 0) { return kl_check_error (kim_identity_create_from_components (outPrincipal, inRealm, - inName, + inName, inInstance, NULL)); } else { return kl_check_error (kim_identity_create_from_components (outPrincipal, inRealm, - inName, - NULL)); + inName, + NULL)); } } @@ -1466,7 +1466,7 @@ KLStatus KLCreatePrincipalFromString (const char *inFullPrincipal, KLKerberosVersion inKerberosVersion, KLPrincipal *outPrincipal) { - return kl_check_error (kim_identity_create_from_string (outPrincipal, + return kl_check_error (kim_identity_create_from_string (outPrincipal, inFullPrincipal)); } @@ -1475,7 +1475,7 @@ KLStatus KLCreatePrincipalFromString (const char *inFullPrincipal, KLStatus KLCreatePrincipalFromKerberos5Principal (krb5_principal inKerberos5Principal, KLPrincipal *outPrincipal) { - return kl_check_error (kim_identity_create_from_krb5_principal (outPrincipal, + return kl_check_error (kim_identity_create_from_krb5_principal (outPrincipal, NULL, /* context */ inKerberos5Principal)); } @@ -1500,29 +1500,29 @@ KLStatus KLGetTripletFromPrincipal (KLPrincipal inPrincipal, kim_string instance = NULL; kim_string realm = NULL; kim_count count = 0; - + if (!inPrincipal) { return kl_check_error (klBadPrincipalErr); } if (!outName ) { return kl_check_error (klParameterErr); } if (!outInstance) { return kl_check_error (klParameterErr); } if (!outRealm ) { return kl_check_error (klParameterErr); } - + if (!err) { err = kim_identity_get_number_of_components (inPrincipal, &count); if (!err && count > 2) { err = kl_check_error (klBadPrincipalErr); } } - + if (!err) { err = kim_identity_get_realm (inPrincipal, &realm); } - + if (!err) { err = kim_identity_get_component_at_index (inPrincipal, 0, &name); } - + if (!err && count > 1) { err = kim_identity_get_component_at_index (inPrincipal, 1, &instance); } - + if (!err) { *outName = (char *) name; name = NULL; @@ -1531,11 +1531,11 @@ KLStatus KLGetTripletFromPrincipal (KLPrincipal inPrincipal, *outRealm = (char *) realm; realm = NULL; } - + kim_string_free (&name); kim_string_free (&instance); kim_string_free (&realm); - + return kl_check_error (err); } @@ -1545,7 +1545,7 @@ KLStatus KLGetStringFromPrincipal (KLPrincipal inPrincipal, KLKerberosVersion inKerberosVersion, char **outFullPrincipal) { - return kl_check_error (kim_identity_get_string (inPrincipal, + return kl_check_error (kim_identity_get_string (inPrincipal, (kim_string *) outFullPrincipal)); } @@ -1555,7 +1555,7 @@ KLStatus KLGetDisplayStringFromPrincipal (KLPrincipal inPrincipal, KLKerberosVersion inKerberosVersion, char **outFullPrincipal) { - return kl_check_error (kim_identity_get_display_string (inPrincipal, + return kl_check_error (kim_identity_get_display_string (inPrincipal, (kim_string *) outFullPrincipal)); } @@ -1567,14 +1567,14 @@ KLStatus KLComparePrincipal (KLPrincipal inFirstPrincipal, { kim_error err = KIM_NO_ERROR; kim_comparison comparison; - - err = kim_identity_compare (inFirstPrincipal, inSecondPrincipal, + + err = kim_identity_compare (inFirstPrincipal, inSecondPrincipal, &comparison); - + if (!err) { *outAreEquivalent = kim_comparison_is_equal_to (comparison); } - + return kl_check_error (err); } @@ -1625,13 +1625,13 @@ KLStatus KLLoginOptionsSetRenewableLifetime (KLLoginOptions ioOptions, KLLifetime inRenewableLifetime) { KLStatus err = klNoErr; - + err = kim_options_set_renewable (ioOptions, inRenewableLifetime > 0); - + if (!err && inRenewableLifetime > 0) { err = kim_options_set_renewal_lifetime (ioOptions, inRenewableLifetime); - } - + } + return kl_check_error (err); } @@ -1733,7 +1733,7 @@ KLStatus __KLSetPromptMechanism (KLPromptMechanism inPromptMechanism) KLPromptMechanism __KLPromptMechanism (void) { kim_ui_environment environment = kim_library_ui_environment (); - + if (environment == KIM_UI_ENVIRONMENT_GUI) { return klPromptMechanism_GUI; } else if (environment == KIM_UI_ENVIRONMENT_CLI) { @@ -1759,7 +1759,7 @@ KLStatus __KLCreatePrincipalFromTriplet (const char *inName, { return kl_check_error (kim_identity_create_from_components (outPrincipal, inRealm, - inName, + inName, inInstance, NULL)); } @@ -1772,7 +1772,7 @@ KLStatus __KLGetTripletFromPrincipal (KLPrincipal inPrincipal, char **outInstance, char **outRealm) { - return KLGetTripletFromPrincipal (inPrincipal, + return KLGetTripletFromPrincipal (inPrincipal, outName, outInstance, outRealm); } @@ -1782,17 +1782,17 @@ KLStatus __KLCreatePrincipalFromKerberos5Principal (krb5_principal inPrincipal, KLPrincipal *outPrincipal) { return KLCreatePrincipalFromKerberos5Principal (inPrincipal, outPrincipal); - + } /* ------------------------------------------------------------------------ */ -KLStatus __KLGetKerberos5PrincipalFromPrincipal (KLPrincipal inPrincipal, - krb5_context inContext, +KLStatus __KLGetKerberos5PrincipalFromPrincipal (KLPrincipal inPrincipal, + krb5_context inContext, krb5_principal *outKrb5Principal) { - return kl_check_error (kim_identity_get_krb5_principal (inPrincipal, - inContext, + return kl_check_error (kim_identity_get_krb5_principal (inPrincipal, + inContext, outKrb5Principal)); } @@ -1802,8 +1802,8 @@ KLBoolean __KLPrincipalIsTicketGrantingService (KLPrincipal inPrincipal) { kim_boolean is_tgt = FALSE; kim_error err = kim_identity_is_tgt_service (inPrincipal, &is_tgt); - - return !err ? is_tgt : FALSE; + + return !err ? is_tgt : FALSE; } /* ------------------------------------------------------------------------ */ diff --git a/src/kim/lib/mac/KerberosLogin.h b/src/kim/lib/mac/KerberosLogin.h index 8dc49e18d..6d98c1878 100644 --- a/src/kim/lib/mac/KerberosLogin.h +++ b/src/kim/lib/mac/KerberosLogin.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. -* +* * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -51,7 +51,7 @@ extern "C" { # pragma pack(push,2) #endif -/* +/* * Kerberos version constants */ enum { @@ -62,8 +62,8 @@ enum { }; typedef int32_t KLEKerberosVersion; -/* - * Dialog identifier constants +/* + * Dialog identifier constants */ enum { loginLibrary_LoginDialog, @@ -76,35 +76,35 @@ enum { typedef int32_t KLEDialogIdentifiers; -/* - * Option identifier constants +/* + * Option identifier constants */ enum { /* Initial values and ranges */ loginOption_LoginName = 'name', loginOption_LoginInstance = 'inst', - + loginOption_RememberPrincipal = 'prin', loginOption_RememberExtras = 'extr', - + loginOption_MinimalTicketLifetime = '-lif', loginOption_MaximalTicketLifetime = '+lif', loginOption_DefaultTicketLifetime = '0lif', - + loginOption_DefaultRenewableTicket = '0rtx', loginOption_MinimalRenewableLifetime = '-rlf', loginOption_MaximalRenewableLifetime = '+rlf', loginOption_DefaultRenewableLifetime = '0rlf', - + loginOption_DefaultForwardableTicket = '0fwd', loginOption_DefaultProxiableTicket = '0prx', - loginOption_DefaultAddresslessTicket = '0adr' + loginOption_DefaultAddresslessTicket = '0adr' }; typedef int32_t KLEDefaultLoginOptions; -/* - * Realm list constants +/* + * Realm list constants */ enum { realmList_Start = 0, @@ -115,12 +115,12 @@ typedef int32_t KLERealmListIndexes; #define klFirstError 19276 #define klLastError 19876 -/* - * Error codes +/* + * Error codes */ enum { klNoErr = 0, - + /* Parameter errors */ klParameterErr = 19276, klBadPrincipalErr, @@ -129,13 +129,13 @@ enum { klInvalidVersionErr, klCapsLockErr, klBadV5ContextErr, - + /* Get/SetKerberosOption errors */ klBufferTooSmallErr = 19376, klBufferTooLargeErr, klInvalidOptionErr, klBadOptionValueErr, - + /* Runtime Login errors */ klUserCanceledErr = 19476, klMemFullErr, @@ -152,17 +152,17 @@ enum { klCacheDoesNotExistErr, klNoHostnameErr, klCredentialsNeedValidationErr, - + /* Password changing errors */ klPasswordMismatchErr = 19576, klInsecurePasswordErr, klPasswordChangeFailedErr, - + /* Login IPC errors */ klCantContactServerErr = 19776, klCantDisplayUIErr, klServerInsecureErr - + }; typedef int32_t KLEStatus; @@ -203,30 +203,30 @@ typedef kim_options KLLoginOptions; KLStatus KLAcquireTickets (KLPrincipal inPrincipal, KLPrincipal *outPrincipal, - char **outCredCacheName) + char **outCredCacheName) KERBEROSLOGIN_DEPRECATED; KLStatus KLAcquireNewTickets (KLPrincipal inPrincipal, KLPrincipal *outPrincipal, - char **outCredCacheName) + char **outCredCacheName) KERBEROSLOGIN_DEPRECATED; KLStatus KLAcquireTicketsWithPassword (KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, const char *inPassword, - char **outCredCacheName) + char **outCredCacheName) KERBEROSLOGIN_DEPRECATED; KLStatus KLAcquireNewTicketsWithPassword (KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, const char *inPassword, - char **outCredCacheName) + char **outCredCacheName) KERBEROSLOGIN_DEPRECATED; -KLStatus KLSetApplicationOptions (const void *inAppOptions) +KLStatus KLSetApplicationOptions (const void *inAppOptions) KERBEROSLOGIN_DEPRECATED; -KLStatus KLGetApplicationOptions (void *outAppOptions) +KLStatus KLGetApplicationOptions (void *outAppOptions) KERBEROSLOGIN_DEPRECATED; diff --git a/src/kim/lib/mac/KerberosLoginPrivate.h b/src/kim/lib/mac/KerberosLoginPrivate.h index 52e10fcd1..09048397f 100644 --- a/src/kim/lib/mac/KerberosLoginPrivate.h +++ b/src/kim/lib/mac/KerberosLoginPrivate.h @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. -* +* * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -62,7 +62,7 @@ typedef krb5_error_code (*KLPrompterProcPtr) (krb5_context context, KLStatus __KLSetApplicationPrompter (KLPrompterProcPtr inPrompter); #endif /* KERBEROSLOGIN_DEPRECATED */ - + /*****************/ /*** Functions ***/ /*****************/ @@ -93,8 +93,8 @@ KLStatus __KLGetTripletFromPrincipal (KLPrincipal inPrincipal, KLStatus __KLCreatePrincipalFromKerberos5Principal (krb5_principal inPrincipal, KLPrincipal *outPrincipal); -KLStatus __KLGetKerberos5PrincipalFromPrincipal (KLPrincipal inPrincipal, - krb5_context inContext, +KLStatus __KLGetKerberos5PrincipalFromPrincipal (KLPrincipal inPrincipal, + krb5_context inContext, krb5_principal *outKrb5Principal); KLStatus __KLGetRealmFromPrincipal (KLPrincipal inPrincipal, char **outRealm); @@ -120,4 +120,3 @@ KLStatus __KLRemoveKeychainPasswordForPrincipal (KLPrincipal inPrincipal); #endif #endif /* __KERBEROSLOGINPRIVATE__ */ - diff --git a/src/kim/lib/mac/kim_os_debug.c b/src/kim/lib/mac/kim_os_debug.c index e4236872f..b4d0db21c 100644 --- a/src/kim/lib/mac/kim_os_debug.c +++ b/src/kim/lib/mac/kim_os_debug.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/kim/lib/mac/kim_os_identity.c b/src/kim/lib/mac/kim_os_identity.c index a9c92d73a..c0f97b4fe 100644 --- a/src/kim/lib/mac/kim_os_identity.c +++ b/src/kim/lib/mac/kim_os_identity.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -36,38 +36,38 @@ kim_boolean kim_os_identity_allow_save_password (void) { kim_boolean disabled = 0; CFPropertyListRef disable_pref = NULL; - - disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), + + disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), KIM_PREFERENCES_FILE, kCFPreferencesAnyUser, kCFPreferencesAnyHost); if (!disable_pref) { - disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), + disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), KIM_PREFERENCES_FILE, kCFPreferencesAnyUser, - kCFPreferencesCurrentHost); + kCFPreferencesCurrentHost); } - + if (!disable_pref) { - disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), + disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), KA_PREFERENCES_FILE, kCFPreferencesAnyUser, - kCFPreferencesAnyHost); + kCFPreferencesAnyHost); } - + if (!disable_pref) { - disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), + disable_pref = CFPreferencesCopyValue (CFSTR ("SavePasswordDisabled"), KA_PREFERENCES_FILE, kCFPreferencesAnyUser, - kCFPreferencesCurrentHost); + kCFPreferencesCurrentHost); } - disabled = (disable_pref && + disabled = (disable_pref && CFGetTypeID (disable_pref) == CFBooleanGetTypeID () && CFBooleanGetValue (disable_pref)); - + if (disable_pref) { CFRelease (disable_pref); } - + return !disabled; } @@ -81,47 +81,47 @@ kim_error kim_os_identity_get_saved_password (kim_identity in_identity, kim_string name = NULL; void *buffer = NULL; UInt32 length = 0; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && !kim_library_allow_home_directory_access ()) { err = check_error (ENOENT); /* simulate no password found */ } - + if (!err && !kim_os_identity_allow_save_password ()) { err = kim_os_identity_remove_saved_password (in_identity); if (!err) { err = check_error (ENOENT); /* simulate no password found */ } } - + if (!err) { err = kim_identity_get_components_string (in_identity, &name); } - + if (!err) { err = kim_identity_get_realm (in_identity, &realm); } - + if (!err) { - err = SecKeychainFindGenericPassword (nil, + err = SecKeychainFindGenericPassword (nil, strlen (realm), realm, strlen (name), name, - &length, &buffer, + &length, &buffer, nil); - + if (!err && !buffer) { err = check_error (ENOENT); } } - + if (!err) { err = kim_string_create_from_buffer (out_password, buffer, length); } - + kim_string_free (&name); kim_string_free (&realm); if (buffer) { SecKeychainItemFreeContent (NULL, buffer); } - + return check_error (err); } @@ -133,63 +133,63 @@ kim_error kim_os_identity_set_saved_password (kim_identity in_identity, kim_error err = KIM_NO_ERROR; kim_string realm = NULL; kim_string name = NULL; - + if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && !kim_library_allow_home_directory_access ()) { return KIM_NO_ERROR; /* simulate no error */ } - + if (!err && !kim_os_identity_allow_save_password ()) { return kim_os_identity_remove_saved_password (in_identity); } - + if (!err) { err = kim_identity_get_components_string (in_identity, &name); } - + if (!err) { err = kim_identity_get_realm (in_identity, &realm); } - + if (!err) { SecKeychainItemRef itemRef = NULL; UInt32 namelen = strlen (name); UInt32 realmlen = strlen (realm); - + /* Add the password to the keychain */ - err = SecKeychainAddGenericPassword (nil, + err = SecKeychainAddGenericPassword (nil, realmlen, realm, namelen, name, strlen (in_password), in_password, - &itemRef); - + &itemRef); + if (err == errSecDuplicateItem) { /* We've already stored a password for this principal * but it might have changed so update it */ void *buffer = NULL; UInt32 length = 0; - - err = SecKeychainFindGenericPassword (nil, + + err = SecKeychainFindGenericPassword (nil, realmlen, realm, namelen, name, - &length, &buffer, + &length, &buffer, &itemRef); - + if (!err) { SecKeychainAttribute attrs[] = { { kSecAccountItemAttr, namelen, (char *) name }, { kSecServiceItemAttr, realmlen, (char *) realm } }; UInt32 count = sizeof(attrs) / sizeof(attrs[0]); const SecKeychainAttributeList attrList = { count, attrs }; - + err = SecKeychainItemModifyAttributesAndData (itemRef, &attrList, - strlen (in_password), + strlen (in_password), in_password); } - + } else if (!err) { /* We added a new entry, add a descriptive label */ SecKeychainAttributeList *copiedAttrs = NULL; @@ -197,50 +197,50 @@ kim_error kim_os_identity_set_saved_password (kim_identity in_identity, UInt32 tag = 7; UInt32 format = CSSM_DB_ATTRIBUTE_FORMAT_STRING; kim_string label = NULL; - + attrInfo.count = 1; attrInfo.tag = &tag; attrInfo.format = &format; - - err = SecKeychainItemCopyAttributesAndData (itemRef, &attrInfo, - NULL, &copiedAttrs, + + err = SecKeychainItemCopyAttributesAndData (itemRef, &attrInfo, + NULL, &copiedAttrs, 0, NULL); - + if (!err) { /* Label format used by Apple patches */ - err = kim_string_create_from_format (&label, "%s (%s)", + err = kim_string_create_from_format (&label, "%s (%s)", realm, name); } - + if (!err) { SecKeychainAttributeList attrList; SecKeychainAttribute attr; - + /* Copy the tag they gave us and copy in our label */ attr.tag = copiedAttrs->attr->tag; attr.length = strlen (label); attr.data = (char *) label; - + attrList.count = 1; attrList.attr = &attr; - + /* And modify. */ - err = SecKeychainItemModifyAttributesAndData (itemRef, &attrList, + err = SecKeychainItemModifyAttributesAndData (itemRef, &attrList, 0, NULL); } - + if (label ) { kim_string_free (&label); } - if (copiedAttrs) { SecKeychainItemFreeAttributesAndData (copiedAttrs, NULL); } + if (copiedAttrs) { SecKeychainItemFreeAttributesAndData (copiedAttrs, NULL); } } - + if (itemRef) { CFRelease (itemRef); } } - + kim_string_free (&name); kim_string_free (&realm); - + return check_error (err); -} +} /* ------------------------------------------------------------------------ */ @@ -249,58 +249,58 @@ kim_error kim_os_identity_remove_saved_password (kim_identity in_identity) kim_error err = KIM_NO_ERROR; kim_string realm = NULL; kim_string name = NULL; - + if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && !kim_library_allow_home_directory_access ()) { return KIM_NO_ERROR; /* simulate no error */ } - + if (!err) { err = kim_identity_get_components_string (in_identity, &name); } - + if (!err) { err = kim_identity_get_realm (in_identity, &realm); } - + if (!err) { SecKeychainItemRef itemRef = NULL; UInt32 namelen = strlen (name); UInt32 realmlen = strlen (realm); void *buffer = NULL; UInt32 length = 0; - - err = SecKeychainFindGenericPassword (nil, + + err = SecKeychainFindGenericPassword (nil, realmlen, realm, namelen, name, - &length, &buffer, + &length, &buffer, &itemRef); - + if (!err) { err = SecKeychainItemDelete (itemRef); - + } else if (err == errSecItemNotFound) { err = KIM_NO_ERROR; /* No password not an error */ } - + if (itemRef) { CFRelease (itemRef); } } - + kim_string_free (&name); kim_string_free (&realm); - + return check_error (err); -} +} /* ------------------------------------------------------------------------ */ kim_error kim_os_identity_create_for_username (kim_identity *out_identity) { kim_error err = KIM_NO_ERROR; - + if (!err && !out_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { struct passwd *pw = getpwuid (getuid ()); if (pw) { @@ -310,5 +310,5 @@ kim_error kim_os_identity_create_for_username (kim_identity *out_identity) } } - return check_error (err); + return check_error (err); } diff --git a/src/kim/lib/mac/kim_os_library.c b/src/kim/lib/mac/kim_os_library.c index f3b269084..edecf2be0 100644 --- a/src/kim/lib/mac/kim_os_library.c +++ b/src/kim/lib/mac/kim_os_library.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -44,11 +44,11 @@ MAKE_FINI_FUNCTION(kim_os_library_thread_fini); static int kim_os_library_thread_init (void) { kim_error err = KIM_NO_ERROR; - + if (!err) { err = k5_mutex_finish_init (&g_bundle_lookup_mutex); } - + return err; } @@ -69,11 +69,11 @@ static void kim_os_library_thread_fini (void) kim_error kim_os_library_lock_for_bundle_lookup (void) { kim_error err = CALL_INIT_FUNCTION (kim_os_library_thread_init); - + if (!err) { err = k5_mutex_lock (&g_bundle_lookup_mutex); } - + return err; } @@ -82,11 +82,11 @@ kim_error kim_os_library_lock_for_bundle_lookup (void) kim_error kim_os_library_unlock_for_bundle_lookup (void) { kim_error err = CALL_INIT_FUNCTION (kim_os_library_thread_init); - + if (!err) { err = k5_mutex_unlock (&g_bundle_lookup_mutex); } - + return err; } @@ -97,20 +97,20 @@ kim_error kim_os_library_unlock_for_bundle_lookup (void) kim_boolean kim_os_library_caller_uses_gui (void) { kim_boolean caller_uses_gui = 0; - - /* Check for the HIToolbox (Carbon) or AppKit (Cocoa). + + /* Check for the HIToolbox (Carbon) or AppKit (Cocoa). * If either is loaded, we are a GUI app! */ CFBundleRef appKitBundle = CFBundleGetBundleWithIdentifier (CFSTR ("com.apple.AppKit")); CFBundleRef hiToolBoxBundle = CFBundleGetBundleWithIdentifier (CFSTR ("com.apple.HIToolbox")); - + if (hiToolBoxBundle && CFBundleIsExecutableLoaded (hiToolBoxBundle)) { caller_uses_gui = 1; /* Using Carbon */ } - + if (appKitBundle && CFBundleIsExecutableLoaded (appKitBundle)) { caller_uses_gui = 1; /* Using Cocoa */ - } - + } + return caller_uses_gui; } @@ -120,33 +120,33 @@ kim_ui_environment kim_os_library_get_ui_environment (void) { #ifdef KIM_BUILTIN_UI kim_boolean has_gui_access = 0; - SessionAttributeBits sattrs = 0L; - - has_gui_access = ((SessionGetInfo (callerSecuritySession, - NULL, &sattrs) == noErr) && + SessionAttributeBits sattrs = 0L; + + has_gui_access = ((SessionGetInfo (callerSecuritySession, + NULL, &sattrs) == noErr) && (sattrs & sessionHasGraphicAccess)); - + if (has_gui_access && kim_os_library_caller_uses_gui ()) { return KIM_UI_ENVIRONMENT_GUI; } - + { int fd_stdin = fileno (stdin); int fd_stdout = fileno (stdout); char *fd_stdin_name = ttyname (fd_stdin); - + /* Session info isn't reliable for remote sessions. * Check manually for terminal access with file descriptors */ if (isatty (fd_stdin) && isatty (fd_stdout) && fd_stdin_name) { return KIM_UI_ENVIRONMENT_CLI; } } - + /* If we don't have a CLI but can talk to the GUI, use that */ if (has_gui_access) { return KIM_UI_ENVIRONMENT_GUI; } - + kim_debug_printf ("kim_os_library_get_ui_environment(): no way to talk to the user."); #endif return KIM_UI_ENVIRONMENT_NONE; @@ -167,7 +167,7 @@ kim_boolean kim_os_library_caller_is_server (void) } } } - + return FALSE; } @@ -180,7 +180,7 @@ kim_error kim_os_library_get_application_path (kim_string *out_path) kim_error err = KIM_NO_ERROR; kim_string path = NULL; CFBundleRef bundle = CFBundleGetMainBundle (); - + if (!err && !out_path) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* Check if the caller is a bundle */ @@ -190,42 +190,42 @@ kim_error kim_os_library_get_application_path (kim_string *out_path) CFURLRef executable_url = CFBundleCopyExecutableURL (bundle); CFURLRef absolute_url = NULL; CFStringRef cfpath = NULL; - + if (bundle_url && resources_url && !CFEqual (bundle_url, resources_url)) { absolute_url = CFURLCopyAbsoluteURL (bundle_url); } else if (executable_url) { absolute_url = CFURLCopyAbsoluteURL (executable_url); } - + if (absolute_url) { - cfpath = CFURLCopyFileSystemPath (absolute_url, + cfpath = CFURLCopyFileSystemPath (absolute_url, kCFURLPOSIXPathStyle); if (!cfpath) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } } - + if (!err && cfpath) { err = kim_os_string_create_from_cfstring (&path, cfpath); } - - if (cfpath ) { CFRelease (cfpath); } + + if (cfpath ) { CFRelease (cfpath); } if (absolute_url ) { CFRelease (absolute_url); } if (bundle_url ) { CFRelease (bundle_url); } if (resources_url ) { CFRelease (resources_url); } if (executable_url) { CFRelease (executable_url); } } - + /* Caller is not a bundle, try _NSGetExecutablePath */ /* Note: this does not work on CFM applications */ if (!err && !path) { char *buffer = NULL; uint32_t len = 0; - + /* Tiny stupid buffer to get the length of the path */ if (!err) { buffer = malloc (1); if (!buffer) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } } - + /* Get the length of the path */ if (!err) { if (_NSGetExecutablePath (buffer, &len) != 0) { @@ -237,7 +237,7 @@ kim_error kim_os_library_get_application_path (kim_string *out_path) } } } - + /* Get the path */ if (!err) { if (_NSGetExecutablePath (buffer, &len) != 0) { @@ -246,18 +246,18 @@ kim_error kim_os_library_get_application_path (kim_string *out_path) err = kim_string_copy (&path, buffer); } } - + if (buffer) { free (buffer); } } - + if (!err) { *out_path = path; path = NULL; } - + kim_string_free (&path); - - return check_error (err); + + return check_error (err); } /* ------------------------------------------------------------------------ */ @@ -268,65 +268,65 @@ kim_error kim_os_library_get_caller_name (kim_string *out_application_name) kim_string name = NULL; CFBundleRef bundle = CFBundleGetMainBundle (); CFStringRef cfname = NULL; - + if (!err && !out_application_name) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err && bundle) { - cfname = CFBundleGetValueForInfoDictionaryKey (bundle, + cfname = CFBundleGetValueForInfoDictionaryKey (bundle, kCFBundleNameKey); - + if (!cfname || CFGetTypeID (cfname) != CFStringGetTypeID ()) { - cfname = CFBundleGetValueForInfoDictionaryKey (bundle, + cfname = CFBundleGetValueForInfoDictionaryKey (bundle, kCFBundleExecutableKey); } - + if (cfname) { cfname = CFStringCreateCopy (kCFAllocatorDefault, cfname); } } - + if (!err && !cfname) { kim_string path = NULL; CFURLRef cfpath = NULL; CFURLRef cfpathnoext = NULL; - + err = kim_os_library_get_application_path (&path); - + if (!err) { cfpath = CFURLCreateFromFileSystemRepresentation (kCFAllocatorDefault, (const UInt8 *) path, strlen (path), 0); - + if (cfpath) { cfpathnoext = CFURLCreateCopyDeletingPathExtension (kCFAllocatorDefault, cfpath); } - + if (cfpathnoext) { cfname = CFURLCopyLastPathComponent (cfpathnoext); } else { cfname = CFURLCopyLastPathComponent (cfpath); } } - + if (cfpathnoext) { CFRelease (cfpathnoext); } if (cfpath ) { CFRelease (cfpath); } kim_string_free (&path); } - + if (!err && cfname) { err = kim_os_string_create_from_cfstring (&name, cfname); } - + if (!err) { *out_application_name = name; name = NULL; - + } if (cfname) { CFRelease (cfname); } kim_string_free (&name); - + return check_error (err); } diff --git a/src/kim/lib/mac/kim_os_preferences.c b/src/kim/lib/mac/kim_os_preferences.c index 87700ef89..4cbac8b61 100644 --- a/src/kim/lib/mac/kim_os_preferences.c +++ b/src/kim/lib/mac/kim_os_preferences.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -38,51 +38,51 @@ static CFStringRef kim_os_preferences_cfstring_for_key (kim_preference_key in_ke { if (in_key == kim_preference_key_options) { return CFSTR ("CredentialOptions"); - + } else if (in_key == kim_preference_key_lifetime) { return CFSTR ("CredentialLifetime"); - + } else if (in_key == kim_preference_key_renewable) { return CFSTR ("RenewableCredentials"); - + } else if (in_key == kim_preference_key_renewal_lifetime) { return CFSTR ("CredentialRenewalLifetime"); - + } else if (in_key == kim_preference_key_forwardable) { return CFSTR ("ForwardableCredentials"); - + } else if (in_key == kim_preference_key_proxiable) { return CFSTR ("ProxiableCredentials"); - + } else if (in_key == kim_preference_key_addressless) { return CFSTR ("AddresslessCredentials"); - + } else if (in_key == kim_preference_key_remember_options) { return CFSTR ("RememberCredentialAttributes"); - + } else if (in_key == kim_preference_key_client_identity) { return CFSTR ("ClientIdentity"); - + } else if (in_key == kim_preference_key_remember_client_identity) { return CFSTR ("RememberClientIdentity"); - + } else if (in_key == kim_preference_key_favorites) { return CFSTR ("FavoriteIdentities"); - + } else if (in_key == kim_preference_key_minimum_lifetime) { return CFSTR ("MinimumLifetime"); - + } else if (in_key == kim_preference_key_maximum_lifetime) { return CFSTR ("MaximumLifetime"); - + } else if (in_key == kim_preference_key_minimum_renewal_lifetime) { return CFSTR ("MinimumRenewalLifetime"); - + } else if (in_key == kim_preference_key_maximum_renewal_lifetime) { return CFSTR ("MaximumRenewalLifetime"); - + } - + return NULL; /* ignore unsupported keys */ } @@ -92,95 +92,95 @@ static CFStringRef kim_os_preferences_compat_cfstring_for_key (kim_preference_ke { if (in_key == kim_preference_key_lifetime) { return CFSTR ("KLDefaultTicketLifetime"); - + } else if (in_key == kim_preference_key_renewable) { return CFSTR ("KLGetRenewableTickets"); - + } else if (in_key == kim_preference_key_renewal_lifetime) { return CFSTR ("KLDefaultRenewableLifetime"); - + } else if (in_key == kim_preference_key_forwardable) { return CFSTR ("KLDefaultForwardableTicket"); - + } else if (in_key == kim_preference_key_proxiable) { return CFSTR ("KLGetProxiableTickets"); - + } else if (in_key == kim_preference_key_addressless) { return CFSTR ("KLGetAddresslessTickets"); - + } else if (in_key == kim_preference_key_remember_options) { return CFSTR ("KLRememberExtras"); - + } else if (in_key == kim_preference_key_client_identity) { return CFSTR ("KLName"); - + } else if (in_key == kim_preference_key_remember_client_identity) { return CFSTR ("KLRememberPrincipal"); - + } else if (in_key == kim_preference_key_favorites) { return CFSTR ("KLFavoriteIdentities"); - + } else if (in_key == kim_preference_key_minimum_lifetime) { return CFSTR ("KLMinimumTicketLifetime"); - + } else if (in_key == kim_preference_key_maximum_lifetime) { return CFSTR ("KLMaximumTicketLifetime"); - + } else if (in_key == kim_preference_key_minimum_renewal_lifetime) { return CFSTR ("KLMinimumRenewableLifetime"); - + } else if (in_key == kim_preference_key_maximum_renewal_lifetime) { return CFSTR ("KLMaximumRenewableLifetime"); - + } - + return NULL; /* ignore unsupported keys */ } /* ------------------------------------------------------------------------ */ -static kim_error kim_os_preferences_copy_value_for_file (CFStringRef in_key, - CFTypeID in_type, +static kim_error kim_os_preferences_copy_value_for_file (CFStringRef in_key, + CFTypeID in_type, CFStringRef in_file, CFPropertyListRef *out_value) { - + kim_error err = KIM_NO_ERROR; CFPropertyListRef value = NULL; CFStringRef users[] = { kCFPreferencesCurrentUser, kCFPreferencesAnyUser, NULL }; CFStringRef hosts[] = { kCFPreferencesCurrentHost, kCFPreferencesAnyHost, NULL }; - + if (!err && !in_key ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_file ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_value) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_count u, h; - + if (!kim_library_allow_home_directory_access()) { users[0] = kCFPreferencesAnyUser; users[1] = NULL; } - + for (u = 0; !value && users[u]; u++) { for (h = 0; !value && hosts[h]; h++) { value = CFPreferencesCopyValue (in_key, in_file, users[u], hosts[h]); } - } - + } + if (value && CFGetTypeID (value) != in_type) { err = check_error (KIM_PREFERENCES_READ_ERR); } } - - + + if (!err) { *out_value = value; value = NULL; } - + if (value) { CFRelease (value); } - + return check_error (err); } @@ -188,61 +188,61 @@ static kim_error kim_os_preferences_copy_value_for_file (CFStringRef in_ /* ------------------------------------------------------------------------ */ -static kim_error kim_os_preferences_copy_value (kim_preference_key in_key, - CFTypeID in_type, +static kim_error kim_os_preferences_copy_value (kim_preference_key in_key, + CFTypeID in_type, CFPropertyListRef *out_value) { kim_error err = KIM_NO_ERROR; CFStringRef key = kim_os_preferences_cfstring_for_key (in_key); - + err = kim_os_preferences_copy_value_for_file (key, in_type, KIM_PREFERENCES_FILE, out_value); - + return check_error (err); } /* ------------------------------------------------------------------------ */ -static kim_error kim_os_preferences_copy_value_compat (kim_preference_key in_key, - CFTypeID in_type, +static kim_error kim_os_preferences_copy_value_compat (kim_preference_key in_key, + CFTypeID in_type, CFPropertyListRef *out_value) { kim_error err = KIM_NO_ERROR; CFStringRef key = kim_os_preferences_compat_cfstring_for_key (in_key); - + err = kim_os_preferences_copy_value_for_file (key, in_type, KLL_PREFERENCES_FILE, out_value); - + return check_error (err); } /* ------------------------------------------------------------------------ */ -static kim_error kim_os_preferences_set_value (kim_preference_key in_key, +static kim_error kim_os_preferences_set_value (kim_preference_key in_key, CFPropertyListRef in_value) { kim_error err = KIM_NO_ERROR; CFStringRef key = NULL; - + /* in_value may be NULL if removing the key */ - + if (!err) { key = kim_os_preferences_cfstring_for_key (in_key); } - + if (!err && key) { kim_boolean homedir_ok = kim_library_allow_home_directory_access(); CFStringRef user = homedir_ok ? kCFPreferencesCurrentUser : kCFPreferencesAnyUser; CFStringRef host = homedir_ok ? kCFPreferencesAnyHost : kCFPreferencesCurrentHost; - + CFPreferencesSetValue (key, in_value, KIM_PREFERENCES_FILE, user, host); if (!CFPreferencesSynchronize (KIM_PREFERENCES_FILE, user, host)) { err = check_error (KIM_PREFERENCES_WRITE_ERR); } } - + return check_error (err); } @@ -250,35 +250,35 @@ static kim_error kim_os_preferences_set_value (kim_preference_key in_key, /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_get_identity_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_identity_for_key (kim_preference_key in_key, kim_identity in_hardcoded_default, kim_identity *out_identity) { kim_error err = KIM_NO_ERROR; kim_string string = NULL; CFStringRef value = NULL; - + if (!err && !out_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_preferences_copy_value (in_key, CFStringGetTypeID (), + err = kim_os_preferences_copy_value (in_key, CFStringGetTypeID (), (CFPropertyListRef *) &value); - + } - + if (!err && !value) { - err = kim_os_preferences_copy_value_compat (in_key, CFStringGetTypeID (), + err = kim_os_preferences_copy_value_compat (in_key, CFStringGetTypeID (), (CFPropertyListRef *) &value); } - + if (!err) { if (value) { err = kim_os_string_create_from_cfstring (&string, value); - + if (!err) { if (!strcmp (kim_os_preference_any_identity, string)) { *out_identity = KIM_IDENTITY_ANY; - + } else { err = kim_identity_create_from_string (out_identity, string); } @@ -287,68 +287,68 @@ kim_error kim_os_preferences_get_identity_for_key (kim_preference_key in_key, err = kim_identity_copy (out_identity, in_hardcoded_default); } } - + kim_string_free (&string); if (value) { CFRelease (value); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_set_identity_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_identity_for_key (kim_preference_key in_key, kim_identity in_identity) { kim_error err = KIM_NO_ERROR; CFStringRef value = NULL; kim_string string = NULL; - + /* in_identity can be KIM_IDENTITY_ANY */ - + if (!err) { if (in_identity) { err = kim_identity_get_string (in_identity, &string); - + } else { err = kim_string_copy (&string, kim_os_preference_any_identity); } } - + if (!err) { err = kim_os_string_get_cfstring (string, &value); } - + if (!err) { err = kim_os_preferences_set_value (in_key, value); } - + if (value) { CFRelease (value); } kim_string_free (&string); - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_get_lifetime_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_lifetime_for_key (kim_preference_key in_key, kim_lifetime in_hardcoded_default, kim_lifetime *out_lifetime) { kim_error err = KIM_NO_ERROR; CFNumberRef value = NULL; - + if (!err && !out_lifetime) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_preferences_copy_value (in_key, CFNumberGetTypeID (), + err = kim_os_preferences_copy_value (in_key, CFNumberGetTypeID (), (CFPropertyListRef *) &value); } - + if (!err && !value) { - err = kim_os_preferences_copy_value_compat (in_key, CFNumberGetTypeID (), + err = kim_os_preferences_copy_value_compat (in_key, CFNumberGetTypeID (), (CFPropertyListRef *) &value); } - + if (!err) { if (value) { SInt32 number; // CFNumbers are signed so we need to cast @@ -361,56 +361,56 @@ kim_error kim_os_preferences_get_lifetime_for_key (kim_preference_key in_key, *out_lifetime = in_hardcoded_default; } } - + if (value) { CFRelease (value); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_set_lifetime_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_lifetime_for_key (kim_preference_key in_key, kim_lifetime in_lifetime) { kim_error err = KIM_NO_ERROR; CFNumberRef value = NULL; SInt32 number = (SInt32) in_lifetime; - + if (!err) { value = CFNumberCreate (kCFAllocatorDefault, kCFNumberSInt32Type, &number); if (!value) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { err = kim_os_preferences_set_value (in_key, value); } - + if (value) { CFRelease (value); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_get_boolean_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_boolean_for_key (kim_preference_key in_key, kim_boolean in_hardcoded_default, kim_boolean *out_boolean) { kim_error err = KIM_NO_ERROR; CFBooleanRef value = NULL; - + if (!err && !out_boolean) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_preferences_copy_value (in_key, CFBooleanGetTypeID (), + err = kim_os_preferences_copy_value (in_key, CFBooleanGetTypeID (), (CFPropertyListRef *) &value); } - + if (!err && !value) { - err = kim_os_preferences_copy_value_compat (in_key, CFBooleanGetTypeID (), + err = kim_os_preferences_copy_value_compat (in_key, CFBooleanGetTypeID (), (CFPropertyListRef *) &value); } - + if (!err) { if (value) { *out_boolean = CFBooleanGetValue (value); @@ -418,24 +418,24 @@ kim_error kim_os_preferences_get_boolean_for_key (kim_preference_key in_key, *out_boolean = in_hardcoded_default; } } - + if (value) { CFRelease (value); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_set_boolean_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_boolean_for_key (kim_preference_key in_key, kim_boolean in_boolean) { kim_error err = KIM_NO_ERROR; CFBooleanRef value = in_boolean ? kCFBooleanTrue : kCFBooleanFalse; - + if (!err) { err = kim_os_preferences_set_value (in_key, value); } - + return check_error (err); } @@ -444,167 +444,167 @@ kim_error kim_os_preferences_set_boolean_for_key (kim_preference_key in_key, /* ------------------------------------------------------------------------ */ static kim_error kim_os_preferences_copy_value_for_dict_key (CFDictionaryRef in_dictionary, - kim_preference_key in_key, - CFTypeID in_type, + kim_preference_key in_key, + CFTypeID in_type, CFPropertyListRef *out_value) { kim_error err = KIM_NO_ERROR; CFPropertyListRef value = NULL; - + if (!err && !in_dictionary) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_value ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { CFStringRef key = kim_os_preferences_cfstring_for_key (in_key); - + value = CFDictionaryGetValue (in_dictionary, key); if (value && CFGetTypeID (value) != in_type) { err = check_error (KIM_PREFERENCES_READ_ERR); } } - + if (!err) { *out_value = value; } - + return check_error (err); } /* ------------------------------------------------------------------------ */ static kim_error kim_os_preferences_set_value_for_dict_key (CFMutableDictionaryRef in_dictionary, - kim_preference_key in_key, + kim_preference_key in_key, CFPropertyListRef in_value) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_dictionary) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_value ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { CFStringRef key = kim_os_preferences_cfstring_for_key (in_key); - + CFDictionarySetValue (in_dictionary, key, in_value); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -static kim_error kim_os_preferences_dictionary_to_options (CFDictionaryRef in_dictionary, +static kim_error kim_os_preferences_dictionary_to_options (CFDictionaryRef in_dictionary, kim_options *out_options) { kim_error err = KIM_NO_ERROR; kim_options options = KIM_OPTIONS_DEFAULT; kim_boolean found_options = 0; - + if (!err && !in_dictionary) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_options_create_empty (&options); } - + if (!err) { CFBooleanRef value = NULL; - + err = kim_os_preferences_copy_value_for_dict_key (in_dictionary, - kim_preference_key_renewable, - CFBooleanGetTypeID (), + kim_preference_key_renewable, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_renewable (options, CFBooleanGetValue (value)); } } - + if (!err) { CFNumberRef value = NULL; SInt32 lifetime; // CFNumbers are signed so we need to cast - + err = kim_os_preferences_copy_value_for_dict_key (in_dictionary, - kim_preference_key_lifetime, - CFNumberGetTypeID (), + kim_preference_key_lifetime, + CFNumberGetTypeID (), (CFPropertyListRef *) &value); - - if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, + + if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, &lifetime)) { found_options = 1; err = kim_options_set_lifetime (options, lifetime); } } - + if (!err) { CFNumberRef value = NULL; SInt32 lifetime; // CFNumbers are signed so we need to cast - + err = kim_os_preferences_copy_value_for_dict_key (in_dictionary, - kim_preference_key_renewal_lifetime, - CFNumberGetTypeID (), + kim_preference_key_renewal_lifetime, + CFNumberGetTypeID (), (CFPropertyListRef *) &value); - - if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, + + if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, &lifetime)) { found_options = 1; err = kim_options_set_renewal_lifetime (options, lifetime); } } - + if (!err) { CFBooleanRef value = NULL; - + err = kim_os_preferences_copy_value_for_dict_key (in_dictionary, - kim_preference_key_forwardable, - CFBooleanGetTypeID (), + kim_preference_key_forwardable, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_forwardable (options, CFBooleanGetValue (value)); } } - + if (!err) { CFBooleanRef value = NULL; - + err = kim_os_preferences_copy_value_for_dict_key (in_dictionary, - kim_preference_key_proxiable, - CFBooleanGetTypeID (), + kim_preference_key_proxiable, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_proxiable (options, CFBooleanGetValue (value)); } } - + if (!err) { CFBooleanRef value = NULL; - + err = kim_os_preferences_copy_value_for_dict_key (in_dictionary, - kim_preference_key_addressless, - CFBooleanGetTypeID (), + kim_preference_key_addressless, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_addressless (options, CFBooleanGetValue (value)); } } - + if (!err && !found_options) { kim_options_free (&options); options = KIM_OPTIONS_DEFAULT; } - + if (!err) { *out_options = options; options = NULL; } - + kim_options_free (&options); - + return check_error (err); } @@ -614,112 +614,112 @@ static kim_error kim_os_preferences_options_to_dictionary (kim_options CFMutableDictionaryRef io_dictionary) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !io_dictionary) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { CFNumberRef value = NULL; kim_lifetime lifetime; - + err = kim_options_get_lifetime (in_options, &lifetime); - + if (!err) { SInt32 number = (SInt32) lifetime; - - value = CFNumberCreate (kCFAllocatorDefault, + + value = CFNumberCreate (kCFAllocatorDefault, kCFNumberSInt32Type, &number); if (!value) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { - err = kim_os_preferences_set_value_for_dict_key (io_dictionary, - kim_preference_key_lifetime, + err = kim_os_preferences_set_value_for_dict_key (io_dictionary, + kim_preference_key_lifetime, value); } - - if (value) { CFRelease (value); } + + if (value) { CFRelease (value); } } - + if (!err) { kim_boolean boolean; - + err = kim_options_get_renewable (in_options, &boolean); - + if (!err) { CFBooleanRef value = boolean ? kCFBooleanTrue : kCFBooleanFalse; - - err = kim_os_preferences_set_value_for_dict_key (io_dictionary, - kim_preference_key_renewable, + + err = kim_os_preferences_set_value_for_dict_key (io_dictionary, + kim_preference_key_renewable, value); } - } - + } + if (!err) { CFNumberRef value = NULL; kim_lifetime lifetime; - + err = kim_options_get_renewal_lifetime (in_options, &lifetime); - + if (!err) { SInt32 number = (SInt32) lifetime; - - value = CFNumberCreate (kCFAllocatorDefault, + + value = CFNumberCreate (kCFAllocatorDefault, kCFNumberSInt32Type, &number); if (!value) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { - err = kim_os_preferences_set_value_for_dict_key (io_dictionary, - kim_preference_key_renewal_lifetime, + err = kim_os_preferences_set_value_for_dict_key (io_dictionary, + kim_preference_key_renewal_lifetime, value); } - - if (value) { CFRelease (value); } + + if (value) { CFRelease (value); } } - + if (!err) { kim_boolean boolean; - + err = kim_options_get_forwardable (in_options, &boolean); - + if (!err) { CFBooleanRef value = boolean ? kCFBooleanTrue : kCFBooleanFalse; - - err = kim_os_preferences_set_value_for_dict_key (io_dictionary, - kim_preference_key_forwardable, + + err = kim_os_preferences_set_value_for_dict_key (io_dictionary, + kim_preference_key_forwardable, value); } - } - + } + if (!err) { kim_boolean boolean; - + err = kim_options_get_proxiable (in_options, &boolean); - + if (!err) { CFBooleanRef value = boolean ? kCFBooleanTrue : kCFBooleanFalse; - - err = kim_os_preferences_set_value_for_dict_key (io_dictionary, - kim_preference_key_proxiable, + + err = kim_os_preferences_set_value_for_dict_key (io_dictionary, + kim_preference_key_proxiable, value); } } - + if (!err) { kim_boolean boolean; - + err = kim_options_get_addressless (in_options, &boolean); - + if (!err) { CFBooleanRef value = boolean ? kCFBooleanTrue : kCFBooleanFalse; - - err = kim_os_preferences_set_value_for_dict_key (io_dictionary, - kim_preference_key_addressless, + + err = kim_os_preferences_set_value_for_dict_key (io_dictionary, + kim_preference_key_addressless, value); } - } - + } + return check_error (err); } @@ -734,164 +734,164 @@ static kim_error kim_os_preferences_get_options_compat (kim_options *out_options kim_error err = KIM_NO_ERROR; kim_options options = KIM_OPTIONS_DEFAULT; kim_boolean found_options = 0; - + if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_options_create_empty (&options); } - - if (!err) { + + if (!err) { CFNumberRef value = NULL; SInt32 lifetime; // CFNumbers are signed so we need to cast - - err = kim_os_preferences_copy_value_compat (kim_preference_key_lifetime, - CFNumberGetTypeID (), + + err = kim_os_preferences_copy_value_compat (kim_preference_key_lifetime, + CFNumberGetTypeID (), (CFPropertyListRef *) &value); - - if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, + + if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, &lifetime)) { found_options = 1; err = kim_options_set_lifetime (options, lifetime); } - + if (value) { CFRelease (value); } } - + if (!err) { CFBooleanRef value = NULL; - - err = kim_os_preferences_copy_value_compat (kim_preference_key_renewable, - CFBooleanGetTypeID (), + + err = kim_os_preferences_copy_value_compat (kim_preference_key_renewable, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_renewable (options, CFBooleanGetValue (value)); } - + if (value) { CFRelease (value); } } - + if (!err) { CFNumberRef value = NULL; SInt32 lifetime; // CFNumbers are signed so we need to cast - - err = kim_os_preferences_copy_value_compat (kim_preference_key_renewal_lifetime, - CFNumberGetTypeID (), + + err = kim_os_preferences_copy_value_compat (kim_preference_key_renewal_lifetime, + CFNumberGetTypeID (), (CFPropertyListRef *) &value); - - if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, + + if (!err && value && CFNumberGetValue (value, kCFNumberSInt32Type, &lifetime)) { found_options = 1; err = kim_options_set_renewal_lifetime (options, lifetime); } - + if (value) { CFRelease (value); } } - + if (!err) { CFBooleanRef value = NULL; - - err = kim_os_preferences_copy_value_compat (kim_preference_key_forwardable, - CFBooleanGetTypeID (), + + err = kim_os_preferences_copy_value_compat (kim_preference_key_forwardable, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_forwardable (options, CFBooleanGetValue (value)); } - + if (value) { CFRelease (value); } } - + if (!err) { CFBooleanRef value = NULL; - - err = kim_os_preferences_copy_value_compat (kim_preference_key_proxiable, - CFBooleanGetTypeID (), + + err = kim_os_preferences_copy_value_compat (kim_preference_key_proxiable, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_proxiable (options, CFBooleanGetValue (value)); } - + if (value) { CFRelease (value); } } - + if (!err) { CFBooleanRef value = NULL; - - err = kim_os_preferences_copy_value_compat (kim_preference_key_addressless, - CFBooleanGetTypeID (), + + err = kim_os_preferences_copy_value_compat (kim_preference_key_addressless, + CFBooleanGetTypeID (), (CFPropertyListRef *) &value); - + if (!err && value) { found_options = 1; err = kim_options_set_addressless (options, CFBooleanGetValue (value)); } - + if (value) { CFRelease (value); } } - + if (!err && !found_options) { kim_options_free (&options); options = KIM_OPTIONS_DEFAULT; } - + if (!err) { *out_options = options; } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_get_options_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_options_for_key (kim_preference_key in_key, kim_options *out_options) { kim_error err = KIM_NO_ERROR; CFDictionaryRef dictionary = NULL; kim_options options = KIM_OPTIONS_DEFAULT; - + if (!err && !out_options) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_preferences_copy_value (in_key, CFDictionaryGetTypeID (), + err = kim_os_preferences_copy_value (in_key, CFDictionaryGetTypeID (), (CFPropertyListRef *) &dictionary); - + if (!err && dictionary) { err = kim_os_preferences_dictionary_to_options (dictionary, &options); } } - + if (!err && !dictionary) { err = kim_os_preferences_get_options_compat (&options); } - + if (!err) { *out_options = options; } - + if (dictionary) { CFRelease (dictionary); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_set_options_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_options_for_key (kim_preference_key in_key, kim_options in_options) { kim_error err = KIM_NO_ERROR; CFMutableDictionaryRef dictionary = NULL; - + /* in_options may be KIM_OPTIONS_DEFAULT, in which case we empty the dict */ - + if (!err && in_options) { - dictionary = CFDictionaryCreateMutable (kCFAllocatorDefault, 0, + dictionary = CFDictionaryCreateMutable (kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (!dictionary) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } @@ -900,14 +900,14 @@ kim_error kim_os_preferences_set_options_for_key (kim_preference_key in_key, err = kim_os_preferences_options_to_dictionary (in_options, dictionary); } } - + if (!err) { /* NULL dictioray will remove any entry for this key */ err = kim_os_preferences_set_value (in_key, dictionary); } - + if (dictionary) { CFRelease (dictionary); } - + return check_error (err); } @@ -915,145 +915,145 @@ kim_error kim_os_preferences_set_options_for_key (kim_preference_key in_key, /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_get_favorites_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_get_favorites_for_key (kim_preference_key in_key, kim_favorites io_favorites) { kim_error err = KIM_NO_ERROR; CFArrayRef value = NULL; - + if (!err && !io_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_preferences_copy_value (in_key, CFArrayGetTypeID (), + err = kim_os_preferences_copy_value (in_key, CFArrayGetTypeID (), (CFPropertyListRef *) &value); } - + if (!err && value) { if (!value || CFArrayGetCount (value) < 1) { err = kim_favorites_remove_all_identities (io_favorites); - + } else { CFIndex count = CFArrayGetCount (value); CFIndex i; - + for (i = 0; !err && i < count; i++) { CFDictionaryRef dictionary = NULL; CFStringRef cfstring = NULL; - + dictionary = (CFDictionaryRef) CFArrayGetValueAtIndex (value, i); if (!dictionary || CFGetTypeID (dictionary) != CFDictionaryGetTypeID ()) { err = check_error (KIM_PREFERENCES_READ_ERR); } - + if (!err) { err = kim_os_preferences_copy_value_for_dict_key (dictionary, kim_preference_key_client_identity, CFStringGetTypeID (), - (CFPropertyListRef *) &cfstring); + (CFPropertyListRef *) &cfstring); } - + if (!err && cfstring) { kim_string string = NULL; kim_identity identity = NULL; kim_options options = KIM_OPTIONS_DEFAULT; - + err = kim_os_string_create_from_cfstring (&string, cfstring); - + if (!err) { err = kim_identity_create_from_string (&identity, string); } - + if (!err && (CFDictionaryGetCount (dictionary) > 1)) { - err = kim_os_preferences_dictionary_to_options (dictionary, + err = kim_os_preferences_dictionary_to_options (dictionary, &options); } - + if (!err) { err = kim_favorites_add_identity (io_favorites, identity, options); } - + kim_string_free (&string); kim_options_free (&options); kim_identity_free (&identity); } } - + if (err) { kim_favorites_remove_all_identities (io_favorites); } } } - + if (value) { CFRelease (value); } - + return check_error (err); } /* ------------------------------------------------------------------------ */ -kim_error kim_os_preferences_set_favorites_for_key (kim_preference_key in_key, +kim_error kim_os_preferences_set_favorites_for_key (kim_preference_key in_key, kim_favorites in_favorites) { kim_error err = KIM_NO_ERROR; kim_count count = 0; CFMutableArrayRef array = NULL; - + if (!err && !in_favorites) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_favorites_get_number_of_identities (in_favorites, &count); } - + if (!err) { - array = CFArrayCreateMutable (kCFAllocatorDefault, count, + array = CFArrayCreateMutable (kCFAllocatorDefault, count, &kCFTypeArrayCallBacks); if (!array) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { kim_count i; - + for (i = 0; !err && i < count; i++) { kim_identity identity = NULL; kim_options options = NULL; kim_string string = NULL; CFStringRef cfstring = NULL; CFMutableDictionaryRef dictionary = NULL; - - err = kim_favorites_get_identity_at_index (in_favorites, i, + + err = kim_favorites_get_identity_at_index (in_favorites, i, &identity, &options); - + if (!err) { err = kim_identity_get_string (identity, &string); } - + if (!err) { err = kim_os_string_get_cfstring (string, &cfstring); } - + if (!err) { - dictionary = CFDictionaryCreateMutable (kCFAllocatorDefault, 0, + dictionary = CFDictionaryCreateMutable (kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (!dictionary) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } } - + if (!err) { err = kim_os_preferences_set_value_for_dict_key (dictionary, kim_preference_key_client_identity, - cfstring); + cfstring); } - + if (!err && options) { - err = kim_os_preferences_options_to_dictionary (options, + err = kim_os_preferences_options_to_dictionary (options, dictionary); } - + if (!err) { CFArrayAppendValue (array, dictionary); } - + if (dictionary) { CFRelease (dictionary); } if (cfstring ) { CFRelease (cfstring); } kim_string_free (&string); @@ -1061,13 +1061,12 @@ kim_error kim_os_preferences_set_favorites_for_key (kim_preference_key in_key, kim_identity_free (&identity); } } - + if (!err) { err = kim_os_preferences_set_value (in_key, array); } - + if (array) { CFRelease (array); } - + return check_error (err); } - diff --git a/src/kim/lib/mac/kim_os_selection_hints.c b/src/kim/lib/mac/kim_os_selection_hints.c index bc1a64868..27a62461d 100644 --- a/src/kim/lib/mac/kim_os_selection_hints.c +++ b/src/kim/lib/mac/kim_os_selection_hints.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -51,37 +51,37 @@ static kim_error kim_os_selection_hints_get_selection_hints_array (CFArrayRef *o CFPropertyListRef value = NULL; CFStringRef users[] = { kCFPreferencesCurrentUser, kCFPreferencesAnyUser, NULL }; CFStringRef hosts[] = { kCFPreferencesCurrentHost, kCFPreferencesAnyHost, NULL }; - + if (!err && !out_selection_hints_array) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_count u, h; - + if (!kim_library_allow_home_directory_access()) { users[0] = kCFPreferencesAnyUser; users[1] = NULL; } - + for (u = 0; !value && users[u]; u++) { for (h = 0; !value && hosts[h]; h++) { - value = CFPreferencesCopyValue (KIM_SELECTION_HINTS_ARRAY, - KIM_SELECTION_HINTS_FILE, + value = CFPreferencesCopyValue (KIM_SELECTION_HINTS_ARRAY, + KIM_SELECTION_HINTS_FILE, users[u], hosts[h]); } - } - + } + if (value && CFGetTypeID (value) != CFArrayGetTypeID ()) { err = check_error (KIM_PREFERENCES_READ_ERR); } } - + if (!err) { *out_selection_hints_array = value; value = NULL; } - + if (value) { CFRelease (value); } - + return check_error (err); } @@ -90,21 +90,21 @@ static kim_error kim_os_selection_hints_get_selection_hints_array (CFArrayRef *o static kim_error kim_os_selection_hints_set_selection_hints_array (CFArrayRef in_selection_hints_array) { kim_error err = KIM_NO_ERROR; - + if (!err && !in_selection_hints_array) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { kim_boolean homedir_ok = kim_library_allow_home_directory_access(); CFStringRef user = homedir_ok ? kCFPreferencesCurrentUser : kCFPreferencesAnyUser; CFStringRef host = homedir_ok ? kCFPreferencesAnyHost : kCFPreferencesCurrentHost; - - CFPreferencesSetValue (KIM_SELECTION_HINTS_ARRAY, in_selection_hints_array, + + CFPreferencesSetValue (KIM_SELECTION_HINTS_ARRAY, in_selection_hints_array, KIM_SELECTION_HINTS_FILE, user, host); if (!CFPreferencesSynchronize (KIM_SELECTION_HINTS_FILE, user, host)) { err = check_error (KIM_PREFERENCES_WRITE_ERR); } } - + return check_error (err); } @@ -122,71 +122,71 @@ static kim_error kim_os_selection_hints_create_dictionary (kim_selection_hints CFStringRef keys[KIM_MAX_HINTS] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; CFStringRef values[KIM_MAX_HINTS] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; CFIndex i = 0; - + if (!err && !in_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_hints_dictionary) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_selection_hints_get_preference_strings (in_selection_hints, &preference_strings); } - + if (!err) { err = kim_identity_get_string (in_identity, &identity_string); } - + if (!err) { keys[i] = KIM_APPLICATION_ID_HINT; err = kim_os_string_get_cfstring (preference_strings.application_identifier, &values[i]); } - + if (!err) { keys[++i] = KIM_IDENTITY_HINT; err = kim_os_string_get_cfstring (identity_string, &values[i]); } - + if (!err && preference_strings.service_identity) { keys[++i] = KIM_SERVICE_IDENTITY_HINT; err = kim_os_string_get_cfstring (preference_strings.service_identity, &values[i]); } - + if (!err && preference_strings.user) { keys[++i] = KIM_USER_HINT; err = kim_os_string_get_cfstring (preference_strings.user, &values[i]); } - + if (!err && preference_strings.client_realm) { keys[++i] = KIM_CLIENT_REALM_HINT; err = kim_os_string_get_cfstring (preference_strings.client_realm, &values[i]); } - + if (!err && preference_strings.service) { keys[++i] = KIM_SERVICE_HINT; err = kim_os_string_get_cfstring (preference_strings.service, &values[i]); } - + if (!err && preference_strings.service_realm) { keys[++i] = KIM_SERVICE_REALM_HINT; err = kim_os_string_get_cfstring (preference_strings.service_realm, &values[i]); } - + if (!err && preference_strings.server) { keys[++i] = KIM_SERVER_HINT; err = kim_os_string_get_cfstring (preference_strings.server, &values[i]); } - + if (!err) { - *out_hints_dictionary = CFDictionaryCreate (kCFAllocatorDefault, - (const void **) keys, - (const void **) values, + *out_hints_dictionary = CFDictionaryCreate (kCFAllocatorDefault, + (const void **) keys, + (const void **) values, i+1, /* number of hints */ - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); } - + for (i = 0; i < KIM_MAX_HINTS; i++) { if (values[i]) { CFRelease (values[i]); } } kim_string_free (&identity_string); - + return check_error (err); } @@ -196,17 +196,17 @@ static kim_boolean kim_os_selection_hints_compare_hint (kim_string in_string, CFStringRef in_value) { kim_boolean equal = 0; - - if (!in_string && !in_value) { - equal = 1; - + + if (!in_string && !in_value) { + equal = 1; + } else if (in_string && in_value) { if (CFGetTypeID (in_value) == CFStringGetTypeID ()) { kim_comparison comparison; - - kim_error err = kim_os_string_compare_to_cfstring (in_string, in_value, + + kim_error err = kim_os_string_compare_to_cfstring (in_string, in_value, &comparison); - + if (!err && kim_comparison_is_equal_to (comparison)) { equal = 1; } @@ -214,7 +214,7 @@ static kim_boolean kim_os_selection_hints_compare_hint (kim_string in_string, kim_debug_printf ("%s: Malformed string in hints dictionary.", __FUNCTION__); } } - + return equal; } @@ -227,61 +227,61 @@ static kim_error kim_os_selection_hints_compare_to_dictionary (kim_selection_hin kim_error err = KIM_NO_ERROR; kim_selection_hints_preference_strings preference_strings = { NULL, NULL, NULL, NULL, NULL, NULL, NULL }; kim_boolean hints_equal = 1; - + if (!err && !in_selection_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_hints_dictionary) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_hints_equal ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_selection_hints_get_preference_strings (in_selection_hints, &preference_strings); } - + if (!err && hints_equal) { - hints_equal = kim_os_selection_hints_compare_hint (preference_strings.application_identifier, - CFDictionaryGetValue (in_hints_dictionary, + hints_equal = kim_os_selection_hints_compare_hint (preference_strings.application_identifier, + CFDictionaryGetValue (in_hints_dictionary, KIM_APPLICATION_ID_HINT)); } - + if (!err && hints_equal) { - hints_equal = kim_os_selection_hints_compare_hint (preference_strings.service_identity, - CFDictionaryGetValue (in_hints_dictionary, + hints_equal = kim_os_selection_hints_compare_hint (preference_strings.service_identity, + CFDictionaryGetValue (in_hints_dictionary, KIM_SERVICE_IDENTITY_HINT)); } - + if (!err && hints_equal) { - hints_equal = kim_os_selection_hints_compare_hint (preference_strings.user, - CFDictionaryGetValue (in_hints_dictionary, + hints_equal = kim_os_selection_hints_compare_hint (preference_strings.user, + CFDictionaryGetValue (in_hints_dictionary, KIM_USER_HINT)); } - + if (!err && hints_equal) { - hints_equal = kim_os_selection_hints_compare_hint (preference_strings.client_realm, - CFDictionaryGetValue (in_hints_dictionary, + hints_equal = kim_os_selection_hints_compare_hint (preference_strings.client_realm, + CFDictionaryGetValue (in_hints_dictionary, KIM_CLIENT_REALM_HINT)); } - + if (!err && hints_equal) { - hints_equal = kim_os_selection_hints_compare_hint (preference_strings.service, - CFDictionaryGetValue (in_hints_dictionary, + hints_equal = kim_os_selection_hints_compare_hint (preference_strings.service, + CFDictionaryGetValue (in_hints_dictionary, KIM_SERVICE_HINT)); } - + if (!err && hints_equal) { - hints_equal = kim_os_selection_hints_compare_hint (preference_strings.service_realm, - CFDictionaryGetValue (in_hints_dictionary, + hints_equal = kim_os_selection_hints_compare_hint (preference_strings.service_realm, + CFDictionaryGetValue (in_hints_dictionary, KIM_SERVICE_REALM_HINT)); } - + if (!err && hints_equal) { - hints_equal = kim_os_selection_hints_compare_hint (preference_strings.server, - CFDictionaryGetValue (in_hints_dictionary, + hints_equal = kim_os_selection_hints_compare_hint (preference_strings.server, + CFDictionaryGetValue (in_hints_dictionary, KIM_SERVER_HINT)); } - + if (!err) { *out_hints_equal = hints_equal; } - + return check_error (err); } @@ -293,23 +293,23 @@ static kim_error kim_os_selection_hints_get_dictionary_identity (CFDictionaryRef kim_error err = KIM_NO_ERROR; CFStringRef identity_cfstr = NULL; kim_string identity_string = NULL; - + identity_cfstr = CFDictionaryGetValue (in_dictionary, KIM_IDENTITY_HINT); if (!identity_cfstr || CFGetTypeID (identity_cfstr) != CFStringGetTypeID ()) { kim_debug_printf ("%s: Malformed hints dictionary (invalid identity).", __FUNCTION__); err = check_error (KIM_PREFERENCES_READ_ERR); } - + if (!err) { err = kim_os_string_create_from_cfstring (&identity_string, identity_cfstr); } - + if (!err) { err = kim_identity_create_from_string (out_identity, identity_string); } - + kim_string_free (&identity_string); - + return check_error (err); } @@ -326,47 +326,47 @@ kim_error kim_os_selection_hints_lookup_identity (kim_selection_hints in_select CFIndex count = 0; kim_boolean found = 0; CFDictionaryRef found_dictionary = NULL; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_os_selection_hints_get_selection_hints_array (&hints_array); } - + if (!err && hints_array) { count = CFArrayGetCount (hints_array); } - + for (i = 0; !err && !found && i < count; i++) { CFDictionaryRef dictionary = NULL; - + dictionary = CFArrayGetValueAtIndex (hints_array, i); if (!dictionary) { err = KIM_OUT_OF_MEMORY_ERR; } - + if (!err && CFGetTypeID (dictionary) != CFDictionaryGetTypeID ()) { kim_debug_printf ("%s: Malformed entry in hints array.", __FUNCTION__); continue; /* skip entries which aren't dictionaries */ } - + if (!err) { - err = kim_os_selection_hints_compare_to_dictionary (in_selection_hints, + err = kim_os_selection_hints_compare_to_dictionary (in_selection_hints, dictionary, &found); } - + if (!err && found) { found_dictionary = dictionary; } } - + if (!err && found) { err = kim_os_selection_hints_get_dictionary_identity (found_dictionary, out_identity); } - + if (hints_array) { CFRelease (hints_array); } - + return check_error (err); } @@ -382,58 +382,58 @@ kim_error kim_os_selection_hints_remember_identity (kim_selection_hints in_selec CFIndex i = 0; kim_boolean hint_already_exists = 0; kim_boolean hints_array_changed = 0; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_os_selection_hints_get_selection_hints_array (&old_hints_array); } - + if (!err) { if (old_hints_array) { - new_hints_array = CFArrayCreateMutableCopy (kCFAllocatorDefault, 0, + new_hints_array = CFArrayCreateMutableCopy (kCFAllocatorDefault, 0, old_hints_array); } else { - new_hints_array = CFArrayCreateMutable (kCFAllocatorDefault, 0, - &kCFTypeArrayCallBacks); + new_hints_array = CFArrayCreateMutable (kCFAllocatorDefault, 0, + &kCFTypeArrayCallBacks); } if (!new_hints_array) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { count = CFArrayGetCount (new_hints_array); } - + for (i = 0; !err && i < count; i++) { CFDictionaryRef dictionary = NULL; kim_identity identity = NULL; kim_boolean hints_equal = 0; - + dictionary = CFArrayGetValueAtIndex (new_hints_array, i); if (!dictionary) { err = KIM_OUT_OF_MEMORY_ERR; } - + if (!err && CFGetTypeID (dictionary) != CFDictionaryGetTypeID ()) { kim_debug_printf ("%s: Malformed entry in hints array.", __FUNCTION__); continue; /* skip entries which aren't dictionaries */ } - + if (!err) { - err = kim_os_selection_hints_compare_to_dictionary (in_selection_hints, + err = kim_os_selection_hints_compare_to_dictionary (in_selection_hints, dictionary, &hints_equal); } - + if (!err && hints_equal) { kim_comparison comparison; - + err = kim_os_selection_hints_get_dictionary_identity (dictionary, &identity); - + if (!err) { err = kim_identity_compare (in_identity, identity, &comparison); } - + if (!err) { if (kim_comparison_is_equal_to (comparison) && !hint_already_exists) { hint_already_exists = 1; @@ -444,33 +444,33 @@ kim_error kim_os_selection_hints_remember_identity (kim_selection_hints in_selec hints_array_changed = 1; } } - + kim_identity_free (&identity); } } - + if (!err && !hint_already_exists) { CFDictionaryRef new_hint_dictionary = NULL; - - err = kim_os_selection_hints_create_dictionary (in_selection_hints, + + err = kim_os_selection_hints_create_dictionary (in_selection_hints, in_identity, &new_hint_dictionary); - + if (!err) { CFArrayInsertValueAtIndex (new_hints_array, 0, new_hint_dictionary); hints_array_changed = 1; } - + if (new_hint_dictionary) { CFRelease (new_hint_dictionary); } } - + if (!err && hints_array_changed) { err = kim_os_selection_hints_set_selection_hints_array (new_hints_array); } - + if (new_hints_array ) { CFRelease (new_hints_array); } if (old_hints_array ) { CFRelease (old_hints_array); } - + return check_error (err); } @@ -483,54 +483,53 @@ kim_error kim_os_selection_hints_forget_identity (kim_selection_hints in_selecti CFMutableArrayRef new_hints_array = NULL; CFIndex count = 0; CFIndex i = 0; - + if (!err && !in_selection_hints) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_os_selection_hints_get_selection_hints_array (&old_hints_array); } - + if (!err) { - new_hints_array = CFArrayCreateMutableCopy (kCFAllocatorDefault, 0, + new_hints_array = CFArrayCreateMutableCopy (kCFAllocatorDefault, 0, old_hints_array); if (!new_hints_array) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { count = CFArrayGetCount (new_hints_array); } - + for (i = 0; !err && i < count; i++) { CFDictionaryRef dictionary = NULL; kim_boolean hints_equal = 0; - + dictionary = CFArrayGetValueAtIndex (new_hints_array, i); if (!dictionary) { err = KIM_OUT_OF_MEMORY_ERR; } - + if (!err && CFGetTypeID (dictionary) != CFDictionaryGetTypeID ()) { kim_debug_printf ("%s: Malformed entry in hints array.", __FUNCTION__); continue; /* skip entries which aren't dictionaries */ } - + if (!err) { - err = kim_os_selection_hints_compare_to_dictionary (in_selection_hints, + err = kim_os_selection_hints_compare_to_dictionary (in_selection_hints, dictionary, &hints_equal); } - + if (!err && hints_equal) { CFArrayRemoveValueAtIndex (new_hints_array, i); i--; /* back up one index so we don't skip */ count = CFArrayGetCount (new_hints_array); /* count changed */ } } - + if (!err) { err = kim_os_selection_hints_set_selection_hints_array (new_hints_array); } - + if (new_hints_array) { CFRelease (new_hints_array); } - + return check_error (err); } - diff --git a/src/kim/lib/mac/kim_os_string.c b/src/kim/lib/mac/kim_os_string.c index 96573eec9..944b8c995 100644 --- a/src/kim/lib/mac/kim_os_string.c +++ b/src/kim/lib/mac/kim_os_string.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -37,14 +37,14 @@ kim_error kim_os_string_create_localized (kim_string *out_string, kim_error err = lock_err; kim_string string = NULL; CFStringRef cfkey = NULL; - + if (!err && !out_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_os_string_get_cfstring (in_string, &cfkey); } - + if (!err && kim_library_allow_home_directory_access ()) { CFStringRef cfstring = NULL; CFBundleRef framework = CFBundleGetBundleWithIdentifier (CFSTR ("edu.mit.Kerberos")); @@ -56,35 +56,35 @@ kim_error kim_os_string_create_localized (kim_string *out_string, framework, ""); } - + if (main_bundle && !cfstring) { cfstring = CFCopyLocalizedStringFromTableInBundle (cfkey, CFSTR ("InfoPlist"), main_bundle, ""); - } - + } + if (!err && cfstring) { err = kim_os_string_create_from_cfstring (&string, cfstring); } - + if (cfstring) { CFRelease (cfstring); } } - + if (!err && !string) { err = kim_string_copy (&string, in_string); } - + if (!err) { *out_string = string; string = NULL; } - + if (cfkey) { CFRelease (cfkey); } kim_string_free (&string); - + if (!lock_err) { kim_os_library_unlock_for_bundle_lookup (); } - + return check_error (err); } @@ -96,47 +96,47 @@ kim_error kim_os_string_create_from_cfstring (kim_string *out_string, kim_error err = KIM_NO_ERROR; kim_string string = NULL; CFIndex length = 0; - + if (!err && !out_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_cfstring) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { char *ptr = NULL; - - /* check if in_cfstring is a C string internally so we can + + /* check if in_cfstring is a C string internally so we can * avoid using CFStringGetMaximumSizeForEncoding which is wasteful */ - ptr = (char *) CFStringGetCStringPtr(in_cfstring, + ptr = (char *) CFStringGetCStringPtr(in_cfstring, kCFStringEncodingUTF8); if (ptr) { string = strdup (ptr); if (!string) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } } else { - length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (in_cfstring), + length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (in_cfstring), kCFStringEncodingUTF8) + 1; - + string = (char *) calloc (length, sizeof (char)); if (!string) { err = check_error (KIM_OUT_OF_MEMORY_ERR); } - + if (!err) { - if (!CFStringGetCString (in_cfstring, - (char *) string, - length, + if (!CFStringGetCString (in_cfstring, + (char *) string, + length, kCFStringEncodingUTF8)) { err = KIM_OUT_OF_MEMORY_ERR; - } - } + } + } } } - - + + if (!err) { *out_string = string; string = NULL; } - + kim_string_free (&string); - + return check_error (err); } @@ -147,24 +147,24 @@ kim_error kim_os_string_get_cfstring (kim_string in_string, { kim_error err = KIM_NO_ERROR; CFStringRef cfstring = NULL; - + if (!err && !in_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_cfstring) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - cfstring = CFStringCreateWithCString (kCFAllocatorDefault, - in_string, + cfstring = CFStringCreateWithCString (kCFAllocatorDefault, + in_string, kCFStringEncodingUTF8); if (!cfstring) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { *out_cfstring = cfstring; cfstring = NULL; } - + if (cfstring) { CFRelease (cfstring); } - + return check_error (err); } @@ -178,34 +178,34 @@ kim_error kim_os_string_compare (kim_string in_string, kim_error err = KIM_NO_ERROR; CFStringRef cfstring = NULL; CFStringRef compare_to_cfstring = NULL; - + if (!err && !in_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_compare_to_string) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_comparison ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { - err = kim_os_string_get_cfstring (in_string, + err = kim_os_string_get_cfstring (in_string, &cfstring); } - + if (!err) { - err = kim_os_string_get_cfstring (in_compare_to_string, + err = kim_os_string_get_cfstring (in_compare_to_string, &compare_to_cfstring); } - + if (!err) { - CFOptionFlags options = (in_case_insensitive ? + CFOptionFlags options = (in_case_insensitive ? 1 : kCFCompareCaseInsensitive); - + /* Returned CFComparisonResult is compatible with kim_comparison_t */ - *out_comparison = CFStringCompare (cfstring, - compare_to_cfstring, - options); + *out_comparison = CFStringCompare (cfstring, + compare_to_cfstring, + options); } - + if (cfstring ) { CFRelease (cfstring); } if (compare_to_cfstring) { CFRelease (compare_to_cfstring); } - + return check_error (err); } @@ -217,21 +217,21 @@ kim_error kim_os_string_compare_to_cfstring (kim_string in_string, { kim_error err = KIM_NO_ERROR; CFStringRef cfstring = NULL; - + if (!err && !in_string ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_compare_to_cfstring) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_comparison ) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_os_string_get_cfstring (in_string, &cfstring); } - + if (!err) { /* Returned CFComparisonResult is compatible with kim_comparison_t */ - *out_comparison = CFStringCompare (cfstring, in_compare_to_cfstring, 0); + *out_comparison = CFStringCompare (cfstring, in_compare_to_cfstring, 0); } - + if (cfstring) { CFRelease (cfstring); } - + return check_error (err); } diff --git a/src/kim/lib/mac/kim_os_ui_gui.c b/src/kim/lib/mac/kim_os_ui_gui.c index 1f9122570..5de8ef191 100644 --- a/src/kim/lib/mac/kim_os_ui_gui.c +++ b/src/kim/lib/mac/kim_os_ui_gui.c @@ -56,59 +56,59 @@ kim_error kim_os_ui_gui_init (kim_ui_context *io_context) kim_string path = NULL; k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; - + if (!err && !io_context) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_library_get_application_name (&name); } - + if (!err) { err = kim_os_library_get_application_path (&path); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, "init"); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (request, getpid()); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, name ? name : ""); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, path ? path : ""); } - + if (!err) { err = kim_os_ui_gui_send_request (1 /* launch server */, request, &reply); } - + if (!err) { int32_t result = 0; err = krb5int_ipc_stream_read_int32 (reply, &result); if (!err) { err = check_error (result); } } - + if (!err) { io_context->tcontext = NULL; } - + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); kim_string_free (&name); kim_string_free (&path); - + return check_error (err); } @@ -125,15 +125,15 @@ kim_error kim_os_ui_gui_enter_identity (kim_ui_context *in_context, char *identity_string = NULL; kim_identity identity = NULL; uint32_t change_password = 0; - + if (!err && !io_options ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, "enter_identity"); } @@ -141,21 +141,21 @@ kim_error kim_os_ui_gui_enter_identity (kim_ui_context *in_context, if (!err) { err = kim_options_write_to_stream (io_options, request); } - + if (!err) { err = kim_os_ui_gui_send_request (0 /* don't launch server */, request, &reply); if (!reply) { err = check_error (KIM_NO_SERVER_ERR); } } - + if (!err) { int32_t result = 0; - + err = krb5int_ipc_stream_read_int32 (reply, &result); if (!err) { err = check_error (result); } } - + if (!err) { err = krb5int_ipc_stream_read_string (reply, &identity_string); } @@ -163,21 +163,21 @@ kim_error kim_os_ui_gui_enter_identity (kim_ui_context *in_context, if (!err) { err = krb5int_ipc_stream_read_uint32 (reply, &change_password); } - + if (!err) { err = kim_options_read_from_stream (io_options, reply); } - + if (!err) { err = kim_identity_create_from_string (&identity, identity_string); } - + if (!err) { *out_identity = identity; identity = NULL; *out_change_password = change_password; } - + kim_identity_free (&identity); krb5int_ipc_stream_free_string (identity_string); krb5int_ipc_stream_release (request); @@ -200,45 +200,45 @@ kim_error kim_os_ui_gui_select_identity (kim_ui_context *in_context, kim_options options = NULL; kim_identity identity = NULL; uint32_t change_password = 0; - + if (!err && !io_hints ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_change_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, "select_identity"); } - + if (!err) { err = kim_selection_hints_write_to_stream (io_hints, request); } - + if (!err) { err = kim_os_ui_gui_send_request (0 /* don't launch server */, request, &reply); if (!reply) { err = check_error (KIM_NO_SERVER_ERR); } } - + if (!err) { int32_t result = 0; - + err = krb5int_ipc_stream_read_int32 (reply, &result); if (!err) { err = check_error (result); } } - + if (!err) { err = krb5int_ipc_stream_read_string (reply, &identity_string); } - + if (!err) { err = kim_identity_create_from_string (&identity, identity_string); } - + if (!err) { err = krb5int_ipc_stream_read_uint32 (reply, &change_password); } @@ -246,23 +246,23 @@ kim_error kim_os_ui_gui_select_identity (kim_ui_context *in_context, if (!err) { err = kim_options_create_from_stream (&options, reply); } - + if (!err) { err = kim_selection_hints_set_options (io_hints, options); } - + if (!err) { *out_identity = identity; identity = NULL; *out_change_password = change_password; } - - kim_identity_free (&identity); + + kim_identity_free (&identity); kim_options_free (&options); - krb5int_ipc_stream_free_string (identity_string); + krb5int_ipc_stream_free_string (identity_string); krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); - + return check_error (err); } @@ -271,8 +271,8 @@ kim_error kim_os_ui_gui_select_identity (kim_ui_context *in_context, kim_error kim_os_ui_gui_auth_prompt (kim_ui_context *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, @@ -283,76 +283,76 @@ kim_error kim_os_ui_gui_auth_prompt (kim_ui_context *in_context, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; kim_string identity_string = NULL; - + if (!err && !in_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_reply ) { err = check_error (KIM_NULL_PARAMETER_ERR); } /* in_title, in_message or in_description may be NULL */ - + if (!err) { err = kim_identity_get_string (in_identity, &identity_string); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, "auth_prompt"); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, identity_string); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (request, in_type); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (request, in_allow_save_reply); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (request, in_hide_reply); } - + if (!err) { - err = krb5int_ipc_stream_write_string (request, + err = krb5int_ipc_stream_write_string (request, in_title ? in_title : ""); } - + if (!err) { - err = krb5int_ipc_stream_write_string (request, + err = krb5int_ipc_stream_write_string (request, in_message ? in_message : ""); } - + if (!err) { - err = krb5int_ipc_stream_write_string (request, + err = krb5int_ipc_stream_write_string (request, in_description ? in_description : ""); } - + if (!err) { err = kim_os_ui_gui_send_request (0 /* don't launch server */, request, &reply); if (!reply) { err = check_error (KIM_NO_SERVER_ERR); } } - + if (!err) { int32_t result = 0; - + err = krb5int_ipc_stream_read_int32 (reply, &result); if (!err) { err = check_error (result); } } - + if (!err) { err = krb5int_ipc_stream_read_string (reply, out_reply); - } - + } + if (!err) { err = krb5int_ipc_stream_read_int32 (reply, out_save_reply); - } - + } + kim_string_free (&identity_string); krb5int_ipc_stream_release (request); @@ -374,62 +374,62 @@ kim_error kim_os_ui_gui_change_password (kim_ui_context *in_context, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; kim_string identity_string = NULL; - + char *old_password = NULL; char *new_password = NULL; char *vfy_password = NULL; - + if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_old_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_new_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_vfy_password) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_get_string (in_identity, &identity_string); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, "change_password"); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, identity_string); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (request, in_old_password_expired); } - + if (!err) { err = kim_os_ui_gui_send_request (0 /* don't launch server */, request, &reply); if (!reply) { err = check_error (KIM_NO_SERVER_ERR); } } - + if (!err) { int32_t result = 0; - + err = krb5int_ipc_stream_read_int32 (reply, &result); if (!err) { err = check_error (result); } } - + if (!err) { err = krb5int_ipc_stream_read_string (reply, &old_password); - } - + } + if (!err) { err = krb5int_ipc_stream_read_string (reply, &new_password); - } - + } + if (!err) { err = krb5int_ipc_stream_read_string (reply, &vfy_password); - } - + } + if (!err) { *out_old_password = (char *) old_password; old_password = NULL; @@ -438,12 +438,12 @@ kim_error kim_os_ui_gui_change_password (kim_ui_context *in_context, *out_vfy_password = (char *) vfy_password; vfy_password = NULL; } - - kim_string_free (&identity_string); - krb5int_ipc_stream_free_string (old_password); - krb5int_ipc_stream_free_string (new_password); - krb5int_ipc_stream_free_string (vfy_password); - + + kim_string_free (&identity_string); + krb5int_ipc_stream_free_string (old_password); + krb5int_ipc_stream_free_string (new_password); + krb5int_ipc_stream_free_string (vfy_password); + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); @@ -462,26 +462,26 @@ kim_error kim_os_ui_gui_handle_error (kim_ui_context *in_context, k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; kim_string identity_string = NULL; - + if (!err && !in_error_message ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_error_description) { err = check_error (KIM_NULL_PARAMETER_ERR); } - + if (!err) { err = kim_identity_get_string (in_identity, &identity_string); } - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, "handle_error"); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, identity_string); } - + if (!err) { err = krb5int_ipc_stream_write_int32 (request, in_error); } @@ -489,26 +489,26 @@ kim_error kim_os_ui_gui_handle_error (kim_ui_context *in_context, if (!err) { err = krb5int_ipc_stream_write_string (request, in_error_message); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, in_error_description); } - + if (!err) { err = kim_os_ui_gui_send_request (0 /* don't launch server */, request, &reply); if (!reply) { err = check_error (KIM_NO_SERVER_ERR); } } - + if (!err) { int32_t result = 0; - + err = krb5int_ipc_stream_read_int32 (reply, &result); if (!err) { err = check_error (result); } } - - kim_string_free (&identity_string); + + kim_string_free (&identity_string); krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); @@ -531,29 +531,29 @@ kim_error kim_os_ui_gui_fini (kim_ui_context *io_context) kim_error err = KIM_NO_ERROR; k5_ipc_stream request = NULL; k5_ipc_stream reply = NULL; - + if (!err) { err = krb5int_ipc_stream_new (&request); } - + if (!err) { err = krb5int_ipc_stream_write_string (request, "fini"); } - + if (!err) { err = kim_os_ui_gui_send_request (0 /* don't launch server */, request, &reply); if (!reply) { err = check_error (KIM_NO_SERVER_ERR); } } - + if (!err) { int32_t result = 0; - + err = krb5int_ipc_stream_read_int32 (reply, &result); if (!err) { err = check_error (result); } - } - + } + krb5int_ipc_stream_release (request); krb5int_ipc_stream_release (reply); diff --git a/src/kim/test/main.c b/src/kim/test/main.c index e3efbd7f6..8eb5a42b7 100644 --- a/src/kim/test/main.c +++ b/src/kim/test/main.c @@ -28,51 +28,51 @@ #include "test_kim_preferences.h" #include "test_kim_selection_hints.h" -int main (int argc, const char * argv[]) +int main (int argc, const char * argv[]) { kim_test_state_t state = NULL; - + if (test_init (&state)) { return 1; } - + test_kim_identity_create_from_krb5_principal (state); test_kim_identity_create_from_string (state); - + test_kim_identity_create_from_components (state); - + test_kim_identity_copy (state); - + test_kim_identity_compare (state); - + test_kim_identity_get_display_string (state); - + test_kim_identity_get_realm (state); - + test_kim_identity_get_number_of_components (state); - + test_kim_identity_get_component_at_index (state); - + test_kim_identity_get_krb5_principal (state); - + test_kim_preferences_create (state); - + test_kim_preferences_copy (state); - + test_kim_preferences_set_options (state); - + test_kim_preferences_set_remember_options (state); - + test_kim_preferences_set_client_identity (state); - + test_kim_selection_hints_set_hint (state); - + test_kim_selection_hints_remember_identity (state); - + test_kim_preferences_add_favorite_identity (state); - + test_kim_preferences_remove_favorite_identity(state); - + return test_cleanup (state); } diff --git a/src/kim/test/test_kim_common.c b/src/kim/test/test_kim_common.c index 802d41564..e62a237a4 100644 --- a/src/kim/test/test_kim_common.c +++ b/src/kim/test/test_kim_common.c @@ -33,23 +33,23 @@ const char *k_no_test_name = "No test name set"; int test_init (kim_test_state_t *out_state) { kim_test_state_t state = NULL; - + printf ("Initializing tests... "); state = malloc (sizeof (*state)); - if (!state) { + if (!state) { printf ("out of memory.\n\n"); - return 1; + return 1; } - + state->test_name = k_no_test_name; state->global_fail_count = 0; state->test_fail_count = 0; - + *out_state = state; - + printf ("done.\n\n"); - + return 0; } @@ -58,7 +58,7 @@ int test_init (kim_test_state_t *out_state) int test_cleanup (kim_test_state_t io_state) { int global_fail_count = io_state->global_fail_count; - + printf ("Exiting. %d total failures.", global_fail_count); free (io_state); @@ -72,7 +72,7 @@ void start_test (kim_test_state_t in_state, { in_state->test_name = in_test_name; in_state->test_fail_count = 0; - + printf ("Testing %s...\n", in_state->test_name); } @@ -80,58 +80,58 @@ void start_test (kim_test_state_t in_state, void end_test (kim_test_state_t in_state) { - printf ("Finished testing %s. %d failures.\n\n", + printf ("Finished testing %s. %d failures.\n\n", in_state->test_name, in_state->test_fail_count); - + in_state->test_name = k_no_test_name; in_state->global_fail_count += in_state->test_fail_count; - in_state->test_fail_count = 0; + in_state->test_fail_count = 0; } /* ------------------------------------------------------------------------ */ -void fail_if_error (kim_test_state_t in_state, +void fail_if_error (kim_test_state_t in_state, const char *in_function, - kim_error in_err, + kim_error in_err, const char *in_format, ...) { if (in_err) { va_list args; kim_string message = NULL; - + kim_error err = kim_string_create_for_last_error (&message, in_err); - + printf ("\tFAILURE: "); printf ("%s() got %d (%s) ", in_function, in_err, !err ? message : "Unknown"); - + va_start (args, in_format); vprintf (in_format, args); va_end (args); - + printf ("\n"); - + in_state->test_fail_count++; - + kim_string_free (&message); } } /* ------------------------------------------------------------------------ */ -void log_failure (kim_test_state_t in_state, +void log_failure (kim_test_state_t in_state, const char *in_format, ...) { va_list args; - + printf ("\tFAILURE: "); - + va_start (args, in_format); vprintf (in_format, args); va_end (args); - + printf ("\n"); in_state->test_fail_count++; diff --git a/src/kim/test/test_kim_common.h b/src/kim/test/test_kim_common.h index e7ac3eb30..8364094b5 100644 --- a/src/kim/test/test_kim_common.h +++ b/src/kim/test/test_kim_common.h @@ -47,9 +47,9 @@ void start_test (kim_test_state_t in_state, void end_test (kim_test_state_t in_state); -void fail_if_error (kim_test_state_t in_state, +void fail_if_error (kim_test_state_t in_state, const char *in_function, - kim_error in_err, + kim_error in_err, const char *in_format, ...) #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7) @@ -57,7 +57,7 @@ __attribute__ ((__format__ (__printf__, 4, 5))) #endif ; -void log_failure (kim_test_state_t in_state, +void log_failure (kim_test_state_t in_state, const char *in_format, ...) #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7) diff --git a/src/kim/test/test_kim_identity.c b/src/kim/test/test_kim_identity.c index 2f1ac089f..81be6b11d 100644 --- a/src/kim/test/test_kim_identity.c +++ b/src/kim/test/test_kim_identity.c @@ -51,8 +51,8 @@ test_identity test_identities[] = { {"user/i1/i2@EXAMPLE.COM", "user/i1/i2@EXAMPLE.COM", 0, "EXAMPLE.COM", 3, { "user", "i1", "i2", NULL, NULL } }, {"user/i1/i2/i3/i4@EXAMPLE.COM", "user/i1/i2/i3/i4@EXAMPLE.COM", 0, "EXAMPLE.COM", 5, { "user", "i1", "i2", "i3", "i4" } }, {"an insanely long principal for testing icky hex key principals/an insanely long instance for testing icky hex key principals@AN-INSANELY-LONG-REALM-NAME-FOR-TESTING-AUTOGENERATED-REALM-NAMES", - "an insanely long principal for testing icky hex key principals/an insanely long instance for testing icky hex key principals@AN-INSANELY-LONG-REALM-NAME-FOR-TESTING-AUTOGENERATED-REALM-NAMES", - 0, "AN-INSANELY-LONG-REALM-NAME-FOR-TESTING-AUTOGENERATED-REALM-NAMES", + "an insanely long principal for testing icky hex key principals/an insanely long instance for testing icky hex key principals@AN-INSANELY-LONG-REALM-NAME-FOR-TESTING-AUTOGENERATED-REALM-NAMES", + 0, "AN-INSANELY-LONG-REALM-NAME-FOR-TESTING-AUTOGENERATED-REALM-NAMES", 2, { "an insanely long principal for testing icky hex key principals", "an insanely long instance for testing icky hex key principals", NULL, NULL, NULL } }, { NULL, NULL, 0, NULL, 0, { NULL, NULL, NULL, NULL, NULL } }, }; @@ -62,56 +62,56 @@ test_identity test_identities[] = { void test_kim_identity_create_from_krb5_principal (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_create_from_krb5_principal"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; krb5_context context = NULL; krb5_principal principal = NULL; kim_identity identity = NULL; kim_string string = NULL; - + printf ("."); - + err = krb5_init_context (&context); - fail_if_error (state, "krb5_init_context", err, + fail_if_error (state, "krb5_init_context", err, "while initializing context"); - + if (!err) { err = krb5_parse_name (context, test_identities[i].string, &principal); - fail_if_error (state, "krb5_parse_name", err, - "while creating krb5_principal for %s", + fail_if_error (state, "krb5_parse_name", err, + "while creating krb5_principal for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_create_from_krb5_principal (&identity, context, principal); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_get_string (identity, &string); - fail_if_error (state, "kim_identity_get_string", err, - "while getting the string for %s", + fail_if_error (state, "kim_identity_get_string", err, + "while getting the string for %s", test_identities[i].string); } - + if (!err && strcmp (string, test_identities[i].string)) { - log_failure (state, "Unexpected string (got '%s', expected '%s')", + log_failure (state, "Unexpected string (got '%s', expected '%s')", string, test_identities[i].string); } - + kim_string_free (&string); kim_identity_free (&identity); if (principal) { krb5_free_principal (context, principal); } if (context ) { krb5_free_context (context); } } - + printf ("\n"); - + end_test (state); } @@ -120,41 +120,41 @@ void test_kim_identity_create_from_krb5_principal (kim_test_state_t state) void test_kim_identity_create_from_string (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_create_from_string"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_string string = NULL; - + printf ("."); - + if (!err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_get_string (identity, &string); - fail_if_error (state, "kim_identity_get_string", err, - "while getting the string for %s", + fail_if_error (state, "kim_identity_get_string", err, + "while getting the string for %s", test_identities[i].string); } - + if (!err && strcmp (string, test_identities[i].string)) { - log_failure (state, "Unexpected string (got '%s', expected '%s')", + log_failure (state, "Unexpected string (got '%s', expected '%s')", string, test_identities[i].string); } - + kim_string_free (&string); kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -164,48 +164,48 @@ void test_kim_identity_create_from_string (kim_test_state_t state) void test_kim_identity_create_from_components (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_create_from_components"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_string string = NULL; - + printf ("."); - + if (!err) { - err = kim_identity_create_from_components (&identity, - test_identities[i].realm, - test_identities[i].components[0], - test_identities[i].components[1], - test_identities[i].components[2], - test_identities[i].components[3], + err = kim_identity_create_from_components (&identity, + test_identities[i].realm, + test_identities[i].components[0], + test_identities[i].components[1], + test_identities[i].components[2], + test_identities[i].components[3], test_identities[i].components[4], NULL); - fail_if_error (state, "kim_identity_create_from_components", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_components", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_get_string (identity, &string); - fail_if_error (state, "kim_identity_get_string", err, - "while getting the string for %s", + fail_if_error (state, "kim_identity_get_string", err, + "while getting the string for %s", test_identities[i].string); } - + if (!err && strcmp (string, test_identities[i].string)) { - log_failure (state, "Unexpected string (got '%s', expected '%s')", + log_failure (state, "Unexpected string (got '%s', expected '%s')", string, test_identities[i].string); } - + kim_string_free (&string); kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -214,49 +214,49 @@ void test_kim_identity_create_from_components (kim_test_state_t state) void test_kim_identity_copy (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_copy"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_identity identity_copy = NULL; kim_string string = NULL; - + printf ("."); - + if (!err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_copy (&identity_copy, identity); - fail_if_error (state, "kim_identity_copy", err, + fail_if_error (state, "kim_identity_copy", err, "while copying %s", test_identities[i].string); } - + if (!err) { err = kim_identity_get_string (identity_copy, &string); - fail_if_error (state, "kim_identity_get_string", err, - "while getting the string for the copy of %s", + fail_if_error (state, "kim_identity_get_string", err, + "while getting the string for the copy of %s", test_identities[i].string); } - + if (!err && strcmp (string, test_identities[i].string)) { - log_failure (state, "Unexpected string (got '%s', expected '%s')", + log_failure (state, "Unexpected string (got '%s', expected '%s')", string, test_identities[i].string); } - + kim_string_free (&string); kim_identity_free (&identity_copy); kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -265,55 +265,55 @@ void test_kim_identity_copy (kim_test_state_t state) void test_kim_identity_compare (kim_test_state_t state) { kim_count i, j = 0; - + start_test (state, "kim_identity_create_from_string"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; - + printf ("."); - + err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); - + for (j = 0; !err && test_identities[j].string; j++) { kim_identity compare_to_identity = NULL; kim_comparison comparison = 0; - + err = kim_identity_create_from_string (&compare_to_identity, test_identities[j].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[j].string); - + if (!err) { err = kim_identity_compare (identity, compare_to_identity, &comparison); - fail_if_error (state, "kim_identity_compare", err, - "while comparing %s and %s", + fail_if_error (state, "kim_identity_compare", err, + "while comparing %s and %s", test_identities[i].string, test_identities[j].string); } - + if (!err) { if (i == j && !kim_comparison_is_equal_to (comparison)) { - log_failure (state, "Expected %s and %s to be equal but kim_identity_compare returned %d", + log_failure (state, "Expected %s and %s to be equal but kim_identity_compare returned %d", test_identities[i].string, test_identities[j].string, comparison); - + } else if (i != j && kim_comparison_is_equal_to (comparison)) { - log_failure (state, "Expected %s and %s to be NOT equal but kim_identity_compare returned %d", + log_failure (state, "Expected %s and %s to be NOT equal but kim_identity_compare returned %d", test_identities[i].string, test_identities[j].string, comparison); } } - + kim_identity_free (&compare_to_identity); } - + kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -322,41 +322,41 @@ void test_kim_identity_compare (kim_test_state_t state) void test_kim_identity_get_display_string (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_get_display_string"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_string string = NULL; - + printf ("."); - + if (!err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_get_display_string (identity, &string); - fail_if_error (state, "kim_identity_get_display_string", err, - "while getting the display string for %s", + fail_if_error (state, "kim_identity_get_display_string", err, + "while getting the display string for %s", test_identities[i].string); } - + if (!err && strcmp (string, test_identities[i].display_string)) { - log_failure (state, "Unexpected display string for %s (got '%s', expected '%s')", + log_failure (state, "Unexpected display string for %s (got '%s', expected '%s')", test_identities[i].string, string, test_identities[i].display_string); } - + kim_string_free (&string); kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -365,40 +365,40 @@ void test_kim_identity_get_display_string (kim_test_state_t state) void test_kim_identity_get_realm (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_get_realm"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_string realm = NULL; - + printf ("."); - + if (!err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_get_realm (identity, &realm); - fail_if_error (state, "kim_identity_get_realm", err, + fail_if_error (state, "kim_identity_get_realm", err, "while getting the realm for %s", test_identities[i].string); } - + if (!err && strcmp (realm, test_identities[i].realm)) { - log_failure (state, "Unexpected realm string (got '%s', expected '%s')", + log_failure (state, "Unexpected realm string (got '%s', expected '%s')", realm, test_identities[i].realm); } - + kim_string_free (&realm); kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -407,40 +407,40 @@ void test_kim_identity_get_realm (kim_test_state_t state) void test_kim_identity_get_number_of_components (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_get_number_of_components"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_count count = 0; - + printf ("."); - + if (!err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_get_number_of_components (identity, &count); - fail_if_error (state, "kim_identity_get_number_of_components", err, - "while getting number of components of %s", + fail_if_error (state, "kim_identity_get_number_of_components", err, + "while getting number of components of %s", test_identities[i].string); } - + if (!err && (count != test_identities[i].component_count)) { - log_failure (state, "Unexpected component count of %s (got %d, expected %d)", + log_failure (state, "Unexpected component count of %s (got %d, expected %d)", test_identities[i].string, (int) count, (int) test_identities[i].component_count); } - + kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -449,45 +449,45 @@ void test_kim_identity_get_number_of_components (kim_test_state_t state) void test_kim_identity_get_component_at_index (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_get_component_at_index"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_count c = 0; - + printf ("."); - + if (!err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + for (c = 0; !err && c < test_identities[i].component_count; c++) { kim_string component = NULL; - + err = kim_identity_get_component_at_index (identity, c, &component); - fail_if_error (state, "kim_identity_get_component_at_index", err, + fail_if_error (state, "kim_identity_get_component_at_index", err, "while getting component %d of %s", (int) c, test_identities[i].string); - + if (!err && strcmp (component, test_identities[i].components[c])) { - log_failure (state, "Unexpected component %d of %s (got '%s', expected '%s')", - (int) c, test_identities[i].string, + log_failure (state, "Unexpected component %d of %s (got '%s', expected '%s')", + (int) c, test_identities[i].string, component, test_identities[i].components[c]); } - + kim_string_free (&component); } - + kim_identity_free (&identity); } - + printf ("\n"); - + end_test (state); } @@ -496,58 +496,58 @@ void test_kim_identity_get_component_at_index (kim_test_state_t state) void test_kim_identity_get_krb5_principal (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_get_krb5_principal"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; krb5_context context = NULL; krb5_principal principal = NULL; krb5_principal identity_principal = NULL; kim_identity identity = NULL; - + printf ("."); - + err = krb5_init_context (&context); - fail_if_error (state, "krb5_init_context", err, + fail_if_error (state, "krb5_init_context", err, "while initializing context"); - + if (!err) { err = krb5_parse_name (context, test_identities[i].string, &principal); - fail_if_error (state, "krb5_parse_name", err, - "while creating krb5_principal for %s", + fail_if_error (state, "krb5_parse_name", err, + "while creating krb5_principal for %s", test_identities[i].string); } - + if (!err && !err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err && !err) { err = kim_identity_get_krb5_principal (identity, context, &identity_principal); - fail_if_error (state, "kim_identity_get_krb5_principal", err, - "while getting the krb5_principal for %s", + fail_if_error (state, "kim_identity_get_krb5_principal", err, + "while getting the krb5_principal for %s", test_identities[i].string); } - + if (!err && !err) { if (!krb5_principal_compare (context, principal, identity_principal)) { - log_failure (state, "Principal and identity principal for %s do not match", + log_failure (state, "Principal and identity principal for %s do not match", test_identities[i].string); } } - + kim_identity_free (&identity); if (identity_principal) { krb5_free_principal (context, identity_principal); } if (principal ) { krb5_free_principal (context, principal); } if (context ) { krb5_free_context (context); } } - + printf ("\n"); - + end_test (state); } @@ -556,38 +556,38 @@ void test_kim_identity_get_krb5_principal (kim_test_state_t state) void test_kim_identity_is_tgt_service (kim_test_state_t state) { kim_count i = 0; - + start_test (state, "kim_identity_is_tgt_service"); - + for (i = 0; test_identities[i].string; i++) { kim_error err = KIM_NO_ERROR; kim_identity_t identity = NULL; kim_boolean_t is_tgt_service = 0; - + printf ("."); - + if (!err) { err = kim_identity_create_from_string (&identity, test_identities[i].string); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", test_identities[i].string); } - + if (!err) { err = kim_identity_is_tgt_service (identity, &is_tgt_service); - fail_if_error (state, "kim_identity_is_tgt_service", err, - "while determining if %s is a tgt service", + fail_if_error (state, "kim_identity_is_tgt_service", err, + "while determining if %s is a tgt service", test_identities[i].string); } - + if (!err && (is_tgt_service != test_identities[i].is_tgt_service)) { - log_failure (state, "Unexpected result from kim_identity_is_tgt_service for %s (got %d, expected %d)", + log_failure (state, "Unexpected result from kim_identity_is_tgt_service for %s (got %d, expected %d)", test_identities[i].string, is_tgt_service, test_identities[i].is_tgt_service); } - + kim_identity_free (&identity); } - + printf ("\n"); end_test (state); diff --git a/src/kim/test/test_kim_preferences.c b/src/kim/test/test_kim_preferences.c index 2766ad4d1..967cbc057 100644 --- a/src/kim/test/test_kim_preferences.c +++ b/src/kim/test/test_kim_preferences.c @@ -39,39 +39,39 @@ void print_favorites(kim_test_state_t state) kim_preferences prefs = NULL; kim_count count, j; kim_string string; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_number_of_favorite_identities (prefs, &count); - fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, + fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, "while getting number of favorite identities"); printf("%qu favorites...\n", count); } - - + + for (j = 0; j < count; j++) { kim_identity compare_identity = NULL; kim_options compare_options = NULL; - err = kim_preferences_get_favorite_identity_at_index (prefs, j, - &compare_identity, + err = kim_preferences_get_favorite_identity_at_index (prefs, j, + &compare_identity, &compare_options); - fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, + fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, "while getting favorite identity %d", (int) j); - + if (!err) { kim_identity_get_display_string(compare_identity, &string); printf(" %2qu: %s\n", j, string); } - + kim_identity_free (&compare_identity); kim_options_free (&compare_options); } - - kim_preferences_free (&prefs); + + kim_preferences_free (&prefs); } /* ------------------------------------------------------------------------ */ @@ -82,50 +82,50 @@ kim_boolean favorites_contains_identity(kim_test_state_t state, kim_identity ide kim_preferences prefs = NULL; kim_count count, j; kim_boolean found = 0; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_number_of_favorite_identities (prefs, &count); - fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, + fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, "while getting number of favorite identities"); } - + for (j = 0; j < count; j++) { kim_identity compare_identity = NULL; kim_options compare_options = NULL; kim_comparison comparison = 0; - - err = kim_preferences_get_favorite_identity_at_index (prefs, j, - &compare_identity, + + err = kim_preferences_get_favorite_identity_at_index (prefs, j, + &compare_identity, &compare_options); - fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, + fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, "while getting favorite identity %d", (int) j); - + if (!err) { kim_string display_string = NULL; - err = kim_identity_compare (identity, compare_identity, + err = kim_identity_compare (identity, compare_identity, &comparison); if (err) { kim_identity_get_display_string(identity, &display_string); - fail_if_error (state, "kim_identity_compare", err, - "while comparing %s to favorite identity %d", + fail_if_error (state, "kim_identity_compare", err, + "while comparing %s to favorite identity %d", display_string, (int) j); } } - + if (!err && kim_comparison_is_equal_to (comparison)) { found = 1; } - + kim_identity_free (&compare_identity); kim_options_free (&compare_options); } - + kim_preferences_free (&prefs); - + return found; } @@ -133,7 +133,7 @@ kim_boolean favorites_contains_identity(kim_test_state_t state, kim_identity ide void test_kim_preferences_create (kim_test_state_t state) { - + start_test (state, "kim_preferences_create"); { @@ -141,12 +141,12 @@ void test_kim_preferences_create (kim_test_state_t state) kim_preferences prefs = NULL; err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + kim_preferences_free (&prefs); } - + end_test (state); } @@ -154,28 +154,28 @@ void test_kim_preferences_create (kim_test_state_t state) void test_kim_preferences_copy (kim_test_state_t state) { - + start_test (state, "test_kim_preferences_copy"); - + { kim_error err = KIM_NO_ERROR; kim_preferences prefs = NULL; kim_preferences prefs_copy = NULL; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_copy (&prefs_copy, prefs); - fail_if_error (state, "kim_preferences_copy", err, - "while copying preferences"); + fail_if_error (state, "kim_preferences_copy", err, + "while copying preferences"); } - + kim_preferences_free (&prefs_copy); kim_preferences_free (&prefs); } - + end_test (state); } @@ -184,76 +184,76 @@ void test_kim_preferences_copy (kim_test_state_t state) void test_kim_preferences_set_options (kim_test_state_t state) { kim_error err = KIM_NO_ERROR; - + start_test (state, "kim_preferences_set_options"); - + if (!err) { kim_preferences prefs = NULL; kim_options options = NULL; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_options (prefs, &options); - fail_if_error (state, "kim_preferences_get_options", err, + fail_if_error (state, "kim_preferences_get_options", err, "while getting old options"); } - + if (!err) { err = kim_options_set_lifetime (options, TEST_LIFETIME); - fail_if_error (state, "kim_options_set_lifetime", err, - "while setting the lifetime to %d", TEST_LIFETIME); + fail_if_error (state, "kim_options_set_lifetime", err, + "while setting the lifetime to %d", TEST_LIFETIME); } - + if (!err) { err = kim_preferences_set_options (prefs, options); - fail_if_error (state, "kim_preferences_set_options", err, + fail_if_error (state, "kim_preferences_set_options", err, "while setting the new options"); } - + if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while setting the identity to KIM_IDENTITY_ANY"); } - + kim_options_free (&options); kim_preferences_free (&prefs); } - + if (!err) { kim_preferences prefs = NULL; kim_options verify_options = NULL; kim_lifetime lifetime = 0; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - - + + if (!err) { err = kim_preferences_get_options (prefs, &verify_options); - fail_if_error (state, "kim_preferences_get_options", err, + fail_if_error (state, "kim_preferences_get_options", err, "while getting options for verification"); } - + if (!err) { err = kim_options_get_lifetime (verify_options, &lifetime); - fail_if_error (state, "kim_options_get_data", err, - "while getting the custom data of the verify options"); + fail_if_error (state, "kim_options_get_data", err, + "while getting the custom data of the verify options"); } - + if (!err && lifetime != TEST_LIFETIME) { - log_failure (state, "Unexpected lifetime in options (got %d, expected %d)", + log_failure (state, "Unexpected lifetime in options (got %d, expected %d)", (int) lifetime, TEST_LIFETIME); } - + kim_options_free (&verify_options); kim_preferences_free (&prefs); } - + end_test (state); } @@ -261,99 +261,99 @@ void test_kim_preferences_set_options (kim_test_state_t state) void test_kim_preferences_set_remember_options (kim_test_state_t state) { - + kim_error err = KIM_NO_ERROR; - + start_test (state, "kim_preferences_set_remember_options"); - + if (!err) { kim_preferences prefs = NULL; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_set_remember_options (prefs, TRUE); - fail_if_error (state, "kim_preferences_set_remember_options", err, + fail_if_error (state, "kim_preferences_set_remember_options", err, "while setting the preference to remember options"); } - + if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while setting the identity to KIM_IDENTITY_ANY"); } - + kim_preferences_free (&prefs); } - + if (!err) { kim_preferences prefs = NULL; kim_boolean remember_options = TRUE; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_remember_options (prefs, &remember_options); - fail_if_error (state, "kim_preferences_get_remember_options", err, + fail_if_error (state, "kim_preferences_get_remember_options", err, "while getting the preference to remember options"); } - + if (!err && !remember_options) { - log_failure (state, "Unexpected remember options preference (got %d, expected TRUE)", + log_failure (state, "Unexpected remember options preference (got %d, expected TRUE)", remember_options); } - + kim_preferences_free (&prefs); } - + if (!err) { kim_preferences prefs = NULL; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_set_remember_options (prefs, FALSE); - fail_if_error (state, "kim_preferences_set_remember_options", err, + fail_if_error (state, "kim_preferences_set_remember_options", err, "while setting the preference to remember options"); } - + if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while setting the identity to KIM_IDENTITY_ANY"); } - + kim_preferences_free (&prefs); } - + if (!err) { kim_preferences prefs = NULL; kim_boolean remember_options = FALSE; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_remember_options (prefs, &remember_options); - fail_if_error (state, "kim_preferences_get_remember_options", err, + fail_if_error (state, "kim_preferences_get_remember_options", err, "while getting the preference to remember options"); } - + if (!err && remember_options) { - log_failure (state, "Unexpected remember options preference (got %d, expected 0)", + log_failure (state, "Unexpected remember options preference (got %d, expected 0)", remember_options); } - + kim_preferences_free (&prefs); } - + end_test (state); } @@ -361,118 +361,118 @@ void test_kim_preferences_set_remember_options (kim_test_state_t state) void test_kim_preferences_set_client_identity (kim_test_state_t state) { - + kim_error err = KIM_NO_ERROR; kim_string test_string = "user@EXAMPLE.COM"; kim_identity test_identity = KIM_IDENTITY_ANY; kim_identity identity = KIM_IDENTITY_ANY; kim_comparison comparison = 0; - + start_test (state, "kim_preferences_set_client_identity"); - - + + if (!err) { err = kim_identity_create_from_string (&test_identity, test_string); - fail_if_error (state, "kim_identity_create_from_string", err, + fail_if_error (state, "kim_identity_create_from_string", err, "while creating the identity for %s", test_string); } - + if (!err) { kim_preferences prefs = NULL; err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_set_client_identity (prefs, KIM_IDENTITY_ANY); - fail_if_error (state, "kim_preferences_set_client_identity", err, + fail_if_error (state, "kim_preferences_set_client_identity", err, "while setting the identity to KIM_IDENTITY_ANY"); } - + if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while setting the identity to KIM_IDENTITY_ANY"); } - + kim_preferences_free (&prefs); } - + if (!err) { kim_preferences prefs = NULL; err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_client_identity (prefs, &identity); - fail_if_error (state, "kim_preferences_get_client_identity", err, + fail_if_error (state, "kim_preferences_get_client_identity", err, "while getting the client identity preference"); } - + if (!err && identity != KIM_IDENTITY_ANY) { - log_failure (state, "Unexpected client identity preference (got %p, expected %p)", + log_failure (state, "Unexpected client identity preference (got %p, expected %p)", identity, KIM_IDENTITY_ANY); kim_identity_free (&identity); } - + kim_preferences_free (&prefs); } - + if (!err) { kim_preferences prefs = NULL; err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_set_client_identity (prefs, test_identity); - fail_if_error (state, "kim_preferences_set_client_identity", err, + fail_if_error (state, "kim_preferences_set_client_identity", err, "while setting the identity to %s", test_string); } - + if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while setting the identity to KIM_IDENTITY_ANY"); } - + kim_preferences_free (&prefs); } - - + + if (!err) { kim_preferences prefs = NULL; kim_string string = NULL; err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_client_identity (prefs, &identity); - fail_if_error (state, "kim_preferences_get_client_identity", err, + fail_if_error (state, "kim_preferences_get_client_identity", err, "while getting the client identity preference"); } - + if (!err && identity) { err = kim_identity_get_string (identity, &string); - fail_if_error (state, "kim_identity_get_string", err, + fail_if_error (state, "kim_identity_get_string", err, "while getting the string for client identity preference"); } - + if (!err) { err = kim_identity_compare (identity, test_identity, &comparison); - fail_if_error (state, "kim_identity_compare", err, - "while comparing %s to the identity preference %s", + fail_if_error (state, "kim_identity_compare", err, + "while comparing %s to the identity preference %s", test_string, string ? string : "NULL"); } - + if (!err && !kim_comparison_is_equal_to (comparison)) { - log_failure (state, "Unexpected client identity preference (got %s, expected %s)", + log_failure (state, "Unexpected client identity preference (got %s, expected %s)", string ? string : "NULL", test_string); kim_identity_free (&identity); } @@ -480,7 +480,7 @@ void test_kim_preferences_set_client_identity (kim_test_state_t state) kim_string_free (&string); kim_preferences_free (&prefs); } - + kim_identity_free (&identity); kim_identity_free (&test_identity); @@ -507,95 +507,95 @@ struct favorite_identity fids[] = { void test_kim_preferences_add_favorite_identity (kim_test_state_t state) { kim_error err = KIM_NO_ERROR; - + start_test (state, "kim_preferences_add_favorite_identity"); - + if (!err) { kim_preferences prefs = NULL; kim_options options = NULL; kim_count i; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_remove_all_favorite_identities (prefs); - fail_if_error (state, "kim_preferences_remove_all_favorite_identities", err, + fail_if_error (state, "kim_preferences_remove_all_favorite_identities", err, "while removing all favorite identities"); } - + if (!err) { err = kim_options_create (&options); - fail_if_error (state, "kim_options_create", err, + fail_if_error (state, "kim_options_create", err, "while creating options"); - } - + } + for (i = 0; !err && fids[i].identity; i++) { kim_identity identity = NULL; - + err = kim_identity_create_from_string (&identity, fids[i].identity); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", fids[i].identity); - + if (!err) { err = kim_options_set_lifetime (options, fids[i].lifetime); - fail_if_error (state, "kim_options_set_lifetime", err, - "while setting the lifetime to %d", - (int) fids[i].lifetime); + fail_if_error (state, "kim_options_set_lifetime", err, + "while setting the lifetime to %d", + (int) fids[i].lifetime); } - + if (!err) { err = kim_options_set_renewal_lifetime (options, fids[i].renewal_lifetime); - fail_if_error (state, "kim_options_set_renewal_lifetime", err, - "while setting the renewal lifetime to %d", - (int) fids[i].renewal_lifetime); + fail_if_error (state, "kim_options_set_renewal_lifetime", err, + "while setting the renewal lifetime to %d", + (int) fids[i].renewal_lifetime); } - + if (!err) { err = kim_preferences_add_favorite_identity (prefs, identity, options); - fail_if_error (state, "kim_preferences_add_favorite_identity", err, - "while adding %s to the favorite identities", - fids[i].identity); + fail_if_error (state, "kim_preferences_add_favorite_identity", err, + "while adding %s to the favorite identities", + fids[i].identity); } - + kim_identity_free (&identity); } - + if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while setting the favorite identities"); } - + kim_options_free (&options); kim_preferences_free (&prefs); } - + if (!err) { kim_preferences prefs = NULL; kim_count count, i; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_number_of_favorite_identities (prefs, &count); - fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, + fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, "while getting number of favorite identities"); } - - + + for (i = 0; !err && fids[i].identity; i++) { kim_identity identity = NULL; kim_count j; kim_boolean found = 0; - + err = kim_identity_create_from_string (&identity, fids[i].identity); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", fids[i].identity); for (j = 0; j < count; j++) { @@ -603,73 +603,73 @@ void test_kim_preferences_add_favorite_identity (kim_test_state_t state) kim_options compare_options = NULL; kim_comparison comparison; - err = kim_preferences_get_favorite_identity_at_index (prefs, j, - &compare_identity, + err = kim_preferences_get_favorite_identity_at_index (prefs, j, + &compare_identity, &compare_options); - fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, + fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, "while getting favorite identity %d", (int) j); - + if (!err) { - err = kim_identity_compare (identity, compare_identity, + err = kim_identity_compare (identity, compare_identity, &comparison); - fail_if_error (state, "kim_identity_compare", err, - "while comparing %s to favorite identity %d", + fail_if_error (state, "kim_identity_compare", err, + "while comparing %s to favorite identity %d", fids[i].identity, (int) i); } - + if (!err && kim_comparison_is_equal_to (comparison)) { kim_lifetime compare_lifetime; kim_lifetime compare_renewal_lifetime; - + found = 1; - + err = kim_options_get_lifetime (compare_options, &compare_lifetime); - fail_if_error (state, "kim_options_get_lifetime", err, - "while getting the lifetime for %s", - fids[i].identity); - + fail_if_error (state, "kim_options_get_lifetime", err, + "while getting the lifetime for %s", + fids[i].identity); + if (!err && fids[i].lifetime != compare_lifetime) { - log_failure (state, "Unexpected lifetime for %s (got %d, expected %d)", + log_failure (state, "Unexpected lifetime for %s (got %d, expected %d)", fids[i].identity, (int) compare_lifetime, - (int) fids[i].lifetime); + (int) fids[i].lifetime); } - + if (!err) { - err = kim_options_get_renewal_lifetime (compare_options, + err = kim_options_get_renewal_lifetime (compare_options, &compare_renewal_lifetime); - fail_if_error (state, "kim_options_get_renewal_lifetime", err, - "while getting the lifetime for %s", - fids[i].identity); + fail_if_error (state, "kim_options_get_renewal_lifetime", err, + "while getting the lifetime for %s", + fids[i].identity); } - + if (!err && fids[i].renewal_lifetime != compare_renewal_lifetime) { - log_failure (state, "Unexpected renewal lifetime for %s (got %d, expected %d)", - fids[i].identity, + log_failure (state, "Unexpected renewal lifetime for %s (got %d, expected %d)", + fids[i].identity, (int) compare_renewal_lifetime, - (int) fids[i].renewal_lifetime); + (int) fids[i].renewal_lifetime); } } - + kim_identity_free (&compare_identity); kim_options_free (&compare_options); } - + if (!err && !found) { - log_failure (state, "Favorite identity %s not found in favorite identities list", + log_failure (state, "Favorite identity %s not found in favorite identities list", fids[i].identity); } - + kim_identity_free (&identity); } - + if (!err && i != count) { - log_failure (state, "Unexpected number of favorite identities (got %d, expected %d)", + log_failure (state, "Unexpected number of favorite identities (got %d, expected %d)", (int) count, (int) i); } - + kim_preferences_free (&prefs); } - + end_test (state); } @@ -678,7 +678,7 @@ void test_kim_preferences_add_favorite_identity (kim_test_state_t state) void test_kim_preferences_remove_favorite_identity (kim_test_state_t state) { kim_error err = KIM_NO_ERROR; - + start_test (state, "kim_preferences_remove_favorite_identity"); /* * 1. Remove all favorites to start with a clean slate @@ -686,233 +686,233 @@ void test_kim_preferences_remove_favorite_identity (kim_test_state_t state) * 3. Verify added favorites * 4. Remove those favorites one by one, checking each time to make sure they were removed */ - + // Remove old and add new if (!err) { kim_preferences prefs = NULL; kim_options options = NULL; kim_count i; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_remove_all_favorite_identities (prefs); - fail_if_error (state, "kim_preferences_remove_all_favorite_identities", err, + fail_if_error (state, "kim_preferences_remove_all_favorite_identities", err, "while removing all favorite identities"); } - + if (!err) { err = kim_preferences_get_number_of_favorite_identities (prefs, &i); - fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, + fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, "while getting number of favorite identities after clearing"); - } - + } + if (!err) { err = kim_options_create (&options); - fail_if_error (state, "kim_options_create", err, + fail_if_error (state, "kim_options_create", err, "while creating options"); - } - + } + for (i = 0; !err && fids[i].identity; i++) { kim_identity identity = NULL; - + err = kim_identity_create_from_string (&identity, fids[i].identity); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", fids[i].identity); - + if (!err) { err = kim_options_set_lifetime (options, fids[i].lifetime); - fail_if_error (state, "kim_options_set_lifetime", err, - "while setting the lifetime to %d", - (int) fids[i].lifetime); + fail_if_error (state, "kim_options_set_lifetime", err, + "while setting the lifetime to %d", + (int) fids[i].lifetime); } - + if (!err) { err = kim_options_set_renewal_lifetime (options, fids[i].renewal_lifetime); - fail_if_error (state, "kim_options_set_renewal_lifetime", err, - "while setting the renewal lifetime to %d", - (int) fids[i].renewal_lifetime); + fail_if_error (state, "kim_options_set_renewal_lifetime", err, + "while setting the renewal lifetime to %d", + (int) fids[i].renewal_lifetime); } - + if (!err) { err = kim_preferences_add_favorite_identity (prefs, identity, options); - fail_if_error (state, "kim_preferences_add_favorite_identity", err, - "while adding %s to the favorite identities", - fids[i].identity); + fail_if_error (state, "kim_preferences_add_favorite_identity", err, + "while adding %s to the favorite identities", + fids[i].identity); } - + kim_identity_free (&identity); } - + if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while setting the favorite identities"); } - + kim_options_free (&options); kim_preferences_free (&prefs); } - + // Verify add if (!err) { kim_preferences prefs = NULL; kim_count count, i; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_number_of_favorite_identities (prefs, &count); - fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, + fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, "while getting number of favorite identities"); } - - + + for (i = 0; !err && fids[i].identity; i++) { kim_identity identity = NULL; kim_count j; kim_boolean found = 0; - + err = kim_identity_create_from_string (&identity, fids[i].identity); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating the identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating the identity for %s", fids[i].identity); - + for (j = 0; j < count; j++) { kim_identity compare_identity = NULL; kim_options compare_options = NULL; kim_comparison comparison; - - err = kim_preferences_get_favorite_identity_at_index (prefs, j, - &compare_identity, + + err = kim_preferences_get_favorite_identity_at_index (prefs, j, + &compare_identity, &compare_options); - fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, + fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, "while getting favorite identity %d", (int) j); - + if (!err) { - err = kim_identity_compare (identity, compare_identity, + err = kim_identity_compare (identity, compare_identity, &comparison); - fail_if_error (state, "kim_identity_compare", err, - "while comparing %s to favorite identity %d", + fail_if_error (state, "kim_identity_compare", err, + "while comparing %s to favorite identity %d", fids[i].identity, (int) i); } - + if (!err && kim_comparison_is_equal_to (comparison)) { kim_lifetime compare_lifetime; kim_lifetime compare_renewal_lifetime; - + found = 1; - + err = kim_options_get_lifetime (compare_options, &compare_lifetime); - fail_if_error (state, "kim_options_get_lifetime", err, - "while getting the lifetime for %s", - fids[i].identity); - + fail_if_error (state, "kim_options_get_lifetime", err, + "while getting the lifetime for %s", + fids[i].identity); + if (!err && fids[i].lifetime != compare_lifetime) { - log_failure (state, "Unexpected lifetime for %s (got %d, expected %d)", + log_failure (state, "Unexpected lifetime for %s (got %d, expected %d)", fids[i].identity, (int) compare_lifetime, - (int) fids[i].lifetime); + (int) fids[i].lifetime); } - + if (!err) { - err = kim_options_get_renewal_lifetime (compare_options, + err = kim_options_get_renewal_lifetime (compare_options, &compare_renewal_lifetime); - fail_if_error (state, "kim_options_get_renewal_lifetime", err, - "while getting the lifetime for %s", - fids[i].identity); + fail_if_error (state, "kim_options_get_renewal_lifetime", err, + "while getting the lifetime for %s", + fids[i].identity); } - + if (!err && fids[i].renewal_lifetime != compare_renewal_lifetime) { - log_failure (state, "Unexpected renewal lifetime for %s (got %d, expected %d)", - fids[i].identity, + log_failure (state, "Unexpected renewal lifetime for %s (got %d, expected %d)", + fids[i].identity, (int) compare_renewal_lifetime, - (int) fids[i].renewal_lifetime); + (int) fids[i].renewal_lifetime); } } - + kim_identity_free (&compare_identity); kim_options_free (&compare_options); } - + if (!err && !found) { - log_failure (state, "Favorite identity %s not found in favorite identities list", + log_failure (state, "Favorite identity %s not found in favorite identities list", fids[i].identity); } - + kim_identity_free (&identity); } - + if (!err && i != count) { - log_failure (state, "Unexpected number of favorite identities (got %d, expected %d)", + log_failure (state, "Unexpected number of favorite identities (got %d, expected %d)", (int) count, (int) i); } - + kim_preferences_free (&prefs); } - + // Remove one by one if (!err) { kim_preferences prefs = NULL; kim_count count, j; - + err = kim_preferences_create (&prefs); - fail_if_error (state, "kim_preferences_create", err, + fail_if_error (state, "kim_preferences_create", err, "while creating preferences"); - + if (!err) { err = kim_preferences_get_number_of_favorite_identities (prefs, &count); - fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, + fail_if_error (state, "kim_preferences_get_number_of_favorite_identities", err, "while getting number of favorite identities"); } - + for (j = 0; j < count; j++) { kim_identity compare_identity = NULL; kim_options compare_options = NULL; kim_string string = NULL; - - err = kim_preferences_get_favorite_identity_at_index (prefs, 0, - &compare_identity, + + err = kim_preferences_get_favorite_identity_at_index (prefs, 0, + &compare_identity, &compare_options); - fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, + fail_if_error (state, "kim_preferences_get_favorite_identity_at_index", err, "while getting favorite identity %d", (int) j); - + if (!err) { err = kim_identity_get_display_string(compare_identity, &string); - fail_if_error (state, "kim_identity_get_display_string", err, + fail_if_error (state, "kim_identity_get_display_string", err, "while getting the display string for identity %d", (int) j); } - + if (!err) { err = kim_preferences_remove_favorite_identity(prefs, compare_identity); - fail_if_error (state, "kim_preferences_remove_favorite_identity", err, + fail_if_error (state, "kim_preferences_remove_favorite_identity", err, "while removing favorite identity %d \"%s\"", (int) j, string); } if (!err) { err = kim_preferences_synchronize (prefs); - fail_if_error (state, "kim_preferences_synchronize", err, + fail_if_error (state, "kim_preferences_synchronize", err, "while removing favorite %qu: %s", j, string); } - + if (!err && favorites_contains_identity(state, compare_identity)) { kim_string display_string = NULL; kim_identity_get_display_string(compare_identity, &display_string); - log_failure (state, "Favorite identities still contains %s after removal", + log_failure (state, "Favorite identities still contains %s after removal", display_string); } - + kim_string_free (&string); kim_identity_free (&compare_identity); kim_options_free (&compare_options); } - + kim_preferences_free (&prefs); } - + end_test (state); } diff --git a/src/kim/test/test_kim_selection_hints.c b/src/kim/test/test_kim_selection_hints.c index 2a24a610e..655980e26 100644 --- a/src/kim/test/test_kim_selection_hints.c +++ b/src/kim/test/test_kim_selection_hints.c @@ -51,53 +51,53 @@ void test_kim_selection_hints_set_hint (kim_test_state_t state) { kim_error err = KIM_NO_ERROR; kim_count i = 0; - + start_test (state, "test_kim_selection_hints_set_hint"); for (i = 0; !err && test_hints[i].key; i++) { kim_selection_hints hints = NULL; kim_string string = NULL; kim_comparison comparison = 0; - + printf ("."); err = kim_selection_hints_create (&hints, KSH_TEST_ID); - fail_if_error (state, "kim_selection_hints_create", err, + fail_if_error (state, "kim_selection_hints_create", err, "while creating selection hints for %s", KSH_TEST_ID); - + if (!err) { err = kim_selection_hints_set_hint (hints, test_hints[i].key, test_hints[i].hint); - fail_if_error (state, "kim_selection_hints_set_hint", - err, "while setting hint %s to %s", - test_hints[i].key, test_hints[i].hint); + fail_if_error (state, "kim_selection_hints_set_hint", + err, "while setting hint %s to %s", + test_hints[i].key, test_hints[i].hint); } - + if (!err) { err = kim_selection_hints_get_hint (hints, test_hints[i].key, &string); - fail_if_error (state, "kim_selection_hints_get_hint", + fail_if_error (state, "kim_selection_hints_get_hint", err, "while getting hint %s", test_hints[i].key); } - + if (!err) { err = kim_string_compare (test_hints[i].hint, string, &comparison); - fail_if_error (state, "kim_identity_compare", err, - "while comparing %s to %s (hint %s)", - test_hints[i].hint, + fail_if_error (state, "kim_identity_compare", err, + "while comparing %s to %s (hint %s)", + test_hints[i].hint, string ? string : "NULL", test_hints[i].key); } - + if (!err && !kim_comparison_is_equal_to (comparison)) { - log_failure (state, "Unexpected hint %s (got %s, expected %s)", - test_hints[i].key, - string ? string : "NULL", + log_failure (state, "Unexpected hint %s (got %s, expected %s)", + test_hints[i].key, + string ? string : "NULL", test_hints[i].hint); } - + kim_string_free (&string); kim_selection_hints_free (&hints); } - - end_test (state); + + end_test (state); } @@ -113,66 +113,66 @@ void test_kim_selection_hints_remember_identity (kim_test_state_t state) kim_string string = NULL; kim_identity identity = KIM_IDENTITY_ANY; kim_comparison comparison = 0; - + start_test (state, "kim_selection_hints_remember_identity"); - + if (!err) { err = kim_selection_hints_create (&hints, KSH_TEST_ID); - fail_if_error (state, "kim_selection_hints_create", err, + fail_if_error (state, "kim_selection_hints_create", err, "while creating selection hints for %s", KSH_TEST_ID); } - - for (i = 0; !err && test_hints[i].key; i++) { + + for (i = 0; !err && test_hints[i].key; i++) { err = kim_selection_hints_set_hint (hints, test_hints[i].key, test_hints[i].hint); - fail_if_error (state, "kim_selection_hints_set_hint", - err, "while setting hint %s to %s", + fail_if_error (state, "kim_selection_hints_set_hint", + err, "while setting hint %s to %s", test_hints[i].key, test_hints[i].hint); } - + if (!err) { - err = kim_identity_create_from_string (&client_identity, + err = kim_identity_create_from_string (&client_identity, KSH_IDENTITY); - fail_if_error (state, "kim_identity_create_from_string", err, - "while creating an identity for %s", + fail_if_error (state, "kim_identity_create_from_string", err, + "while creating an identity for %s", KSH_IDENTITY); } - + if (!err) { err = kim_selection_hints_remember_identity (hints, client_identity); - fail_if_error (state, "kim_selection_hints_remember_identity", - err, "while remembering identity %s", + fail_if_error (state, "kim_selection_hints_remember_identity", + err, "while remembering identity %s", KSH_IDENTITY); } - + if (!err) { err = kim_selection_hints_get_identity (hints, &identity); - fail_if_error (state, "kim_selection_hints_get_identity", - err, "while checking if identity is %s", + fail_if_error (state, "kim_selection_hints_get_identity", + err, "while checking if identity is %s", KSH_IDENTITY); } - + if (!err && identity) { err = kim_identity_get_string (identity, &string); - fail_if_error (state, "kim_identity_get_string", err, + fail_if_error (state, "kim_identity_get_string", err, "while getting the string for the client identity hint"); } - + if (!err) { err = kim_identity_compare (client_identity, identity, &comparison); - fail_if_error (state, "kim_identity_compare", err, - "while comparing %s to the identity hint %s", + fail_if_error (state, "kim_identity_compare", err, + "while comparing %s to the identity hint %s", KSH_IDENTITY, string ? string : "NULL"); } - + if (!err && !kim_comparison_is_equal_to (comparison)) { - log_failure (state, "Unexpected client identity hint (got %s, expected %s)", + log_failure (state, "Unexpected client identity hint (got %s, expected %s)", string ? string : "NULL", KSH_IDENTITY); } - + kim_string_free (&string); kim_identity_free (&identity); kim_identity_free (&client_identity); kim_selection_hints_free (&hints); - + end_test (state); } diff --git a/src/kim/test/test_kll.c b/src/kim/test/test_kll.c index d1773ae30..e0261480c 100644 --- a/src/kim/test/test_kll.c +++ b/src/kim/test/test_kll.c @@ -21,10 +21,10 @@ int main(void) KLTime t; KLStatus err; KLPrincipal principal; - + /* force use of UI */ - fclose (stdin); - + fclose (stdin); + err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &principal); printf ("KLCreatePrincipalFromTriplet(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err); if (err == klNoErr) { @@ -32,58 +32,58 @@ int main(void) printf ("KLChangePassword() (err = %d)\n", err); KLDisposePrincipal (principal); } - + err = KLLastChangedTime(&t); printf ("KLLastChangedTime returned %d (err = %d)\n", t, err); - + TestKLPrincipal (); TestLoginOptions (); TestApplicationOptions (); TestErrorHandling (); TestKerberosRealms (); TestHighLevelAPI (); - + err = KLLastChangedTime(&t); printf ("KLLastChangedTime returned %d (err = %d)\n", t, err); - - return 0; + + return 0; } void TestErrorHandling (void) { long err; char* errorString; - + err = KLGetErrorString (KRB5KRB_AP_ERR_BAD_INTEGRITY, &errorString); printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } - + err = KLGetErrorString (klCredentialsBadAddressErr, &errorString); - printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); + printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } - + err = KLGetErrorString (klCacheDoesNotExistErr, &errorString); - printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); + printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } - + err = KLGetErrorString (klPasswordMismatchErr, &errorString); - printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); + printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } - + err = KLGetErrorString (klInsecurePasswordErr, &errorString); - printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); + printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } - + err = KLGetErrorString (klPasswordChangeFailedErr, &errorString); - printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); + printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } - + err = KLGetErrorString (klCantContactServerErr, &errorString); - printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); + printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } - + err = KLGetErrorString (klCantDisplayUIErr, &errorString); - printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); + printf ("KLGetErrorString() returned %s (err = %ld)\n", errorString, err); if (!err) { KLDisposeString (errorString); } } @@ -96,7 +96,7 @@ void TestHighLevelAPI (void) char* principalString; char timeString[256]; KLBoolean valid; - + err = KLCreatePrincipalFromTriplet ("grail", "", "TESTV5-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet(grail@TESTV5-KERBEROS-1.3.1) (err = %d)\n", err); if (err == klNoErr) { @@ -109,7 +109,7 @@ void TestHighLevelAPI (void) } KLDisposePrincipal (inPrincipal); } - + err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err); if (err == klNoErr) { @@ -122,7 +122,7 @@ void TestHighLevelAPI (void) } KLDisposePrincipal (inPrincipal); } - + err = KLAcquireNewInitialTickets (NULL, NULL, &inPrincipal, &outCredCacheName); printf ("KLAcquireNewInitialTickets() (err = %d)\n", err); if (err == klNoErr) { @@ -135,21 +135,21 @@ void TestHighLevelAPI (void) } KLDisposePrincipal (inPrincipal); } - + err = KLSetDefaultLoginOption (loginOption_LoginName, "testname", 3); printf ("KLSetDefaultLoginOption(loginOption_LoginName) to testname (err = %d)\n", err); if (err == klNoErr) { err = KLSetDefaultLoginOption (loginOption_LoginInstance, "testinstance", 6); printf ("KLSetDefaultLoginOption(loginOption_LoginInstance) to testinstance (err = %d)\n", err); } - + err = KLAcquireNewInitialTickets (NULL, NULL, &inPrincipal, &outCredCacheName); printf ("KLAcquireNewInitialTickets() (err = %d)\n", err); if (err == klNoErr) { KLDisposeString (outCredCacheName); KLDisposePrincipal (inPrincipal); } - + // Principal == NULL while (KLAcquireNewInitialTickets (NULL, NULL, &outPrincipal, &outCredCacheName) == klNoErr) { err = KLTicketExpirationTime (outPrincipal, kerberosVersion_All, &expirationTime); @@ -171,14 +171,14 @@ void TestHighLevelAPI (void) KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } - + err = KLAcquireNewInitialTickets (NULL, NULL, &outPrincipal, &outCredCacheName); if (err == klNoErr) { KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } - - + + err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err); if (err == klNoErr) { @@ -189,10 +189,10 @@ void TestHighLevelAPI (void) KLDisposePrincipal (outPrincipal); } err = KLDestroyTickets (inPrincipal); - + KLDisposePrincipal (inPrincipal); } - + err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err); if (err == klNoErr) { @@ -202,7 +202,7 @@ void TestHighLevelAPI (void) KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } - + err = KLAcquireNewInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName); if (err == klNoErr) { err = KLGetStringFromPrincipal (outPrincipal, kerberosVersion_V5, &principalString); @@ -210,22 +210,22 @@ void TestHighLevelAPI (void) err = KLTicketExpirationTime (outPrincipal, kerberosVersion_All, &expirationTime); printf ("Tickets for principal '%s' expire on %s\n", principalString, TimeToString(timeString, expirationTime)); - + KLDisposeString (principalString); } KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } - + err = KLChangePassword (inPrincipal); printf ("KLChangePassword() (err = %d)\n", err); - + err = KLDestroyTickets (inPrincipal); printf ("KLDestroyTickets() (err = %d)\n", err); - + KLDisposePrincipal (inPrincipal); } - + } @@ -241,22 +241,22 @@ void TestKLPrincipal (void) char *user = NULL; char *instance = NULL; char *realm = NULL; - + printf ("Entering TestKLPrincipal()\n"); printf ("----------------------------------------------------------------\n"); - + err = KLCreatePrincipalFromString ("thisprincipalnameislongerthanissupportedbyKerberos4@TEST-KERBEROS-1.3.1", kerberosVersion_V5, &extraLongPrincipal); printf ("KLCreatePrincipalFromString " "('thisprincipalnameislongerthanissupportedbyKerberos4@TEST-KERBEROS-1.3.1') " "(err = %s)\n", error_message(err)); - + printf ("----------------------------------------------------------------\n"); - + err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &principal); printf ("KLCreatePrincipalFromTriplet ('nobody' '' 'TEST-KERBEROS-1.3.1') (err = %s)\n", error_message(err)); - + if (err == klNoErr) { err = KLGetStringFromPrincipal (principal, kerberosVersion_V5, &principalString); if (err == klNoErr) { @@ -265,7 +265,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody@TEST-KERBEROS-1.3.1, v5) returned (err = %s)\n", error_message(err)); } - + err = KLGetStringFromPrincipal (principal, kerberosVersion_V4, &principalString); if (err == klNoErr) { printf ("KLGetStringFromPrincipal (nobody@TEST-KERBEROS-1.3.1, v4) returned string '%s'\n", principalString); @@ -273,7 +273,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody@TEST-KERBEROS-1.3.1, v4) returned (err = %s)\n", error_message(err)); } - + err = KLGetTripletFromPrincipal (principal, &user, &instance, &realm); if (err == klNoErr) { printf ("KLGetTripletFromPrincipal (nobody@TEST-KERBEROS-1.3.1) returned triplet %s' '%s' '%s'\n", @@ -283,14 +283,14 @@ void TestKLPrincipal (void) KLDisposeString (realm); } else { printf ("KLGetTripletFromPrincipal(nobody@TEST-KERBEROS-1.3.1) returned (err = %s)\n", error_message(err)); - } + } } - + printf ("----------------------------------------------------------------\n"); - + err = KLCreatePrincipalFromTriplet ("nobody", "admin", "TEST-KERBEROS-1.3.1", &adminPrincipal); printf ("KLCreatePrincipalFromTriplet ('nobody' 'admin' 'TEST-KERBEROS-1.3.1') (err = %d)\n", err); - + if (err == klNoErr) { err = KLGetStringFromPrincipal (adminPrincipal, kerberosVersion_V5, &principalString); if (err == klNoErr) { @@ -299,7 +299,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody/admin@TEST-KERBEROS-1.3.1, v5) returned (err = %d)\n", err); } - + err = KLGetStringFromPrincipal (adminPrincipal, kerberosVersion_V4, &principalString); if (err == klNoErr) { printf ("KLGetStringFromPrincipal (nobody/admin@TEST-KERBEROS-1.3.1, v4) returned string '%s'\n", principalString); @@ -307,7 +307,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody/admin@TEST-KERBEROS-1.3.1, v4) returned (err = %d)\n", err); } - + err = KLGetTripletFromPrincipal (adminPrincipal, &user, &instance, &realm); if (err == klNoErr) { printf ("KLGetTripletFromPrincipal (nobody/admin@TEST-KERBEROS-1.3.1) returned triplet %s' '%s' '%s'\n", @@ -319,9 +319,9 @@ void TestKLPrincipal (void) printf ("KLGetTripletFromPrincipal(lxs/admin@TEST-KERBEROS-1.3.1) returned (err = %d)\n", err); } } - + printf ("----------------------------------------------------------------\n"); - + err = KLCreatePrincipalFromString ("nobody/root@TEST-KERBEROS-1.3.1", kerberosVersion_V5, &adminPrincipalV5); printf ("KLCreatePrincipalFromString ('nobody/root@TEST-KERBEROS-1.3.1', v5) (err = %d)\n", err); if (err == klNoErr) { @@ -332,7 +332,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody/root@TEST-KERBEROS-1.3.1, v5) returned (err = %d)\n", err); } - + err = KLGetStringFromPrincipal (adminPrincipalV5, kerberosVersion_V4, &principalString); if (err == klNoErr) { printf ("KLGetStringFromPrincipal (nobody/admin@TEST-KERBEROS-1.3.1, v4) returned string '%s'\n", principalString); @@ -340,7 +340,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody/admin@TEST-KERBEROS-1.3.1, v4) returned (err = %d)\n", err); } - + err = KLGetTripletFromPrincipal (adminPrincipalV5, &user, &instance, &realm); if (err == klNoErr) { printf ("KLGetTripletFromPrincipal (nobody/admin@TEST-KERBEROS-1.3.1) returned triplet %s' '%s' '%s'\n", @@ -352,9 +352,9 @@ void TestKLPrincipal (void) printf ("KLGetTripletFromPrincipal(nobody/admin@TEST-KERBEROS-1.3.1) returned (err = %d)\n", err); } } - + printf ("----------------------------------------------------------------\n"); - + err = KLCreatePrincipalFromString ("nobody.admin@TEST-KERBEROS-1.3.1", kerberosVersion_V4, &adminPrincipalV4); printf ("KLCreatePrincipalFromString ('nobody.admin@TEST-KERBEROS-1.3.1') (err = %d)\n", err); if (err == klNoErr) { @@ -365,7 +365,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody.admin@TEST-KERBEROS-1.3.1, v5) returned (err = %d)\n", err); } - + err = KLGetStringFromPrincipal (adminPrincipalV4, kerberosVersion_V4, &principalString); if (err == klNoErr) { printf ("KLGetStringFromPrincipal (nobody.admin@TEST-KERBEROS-1.3.1, v4) returned string '%s'\n", principalString); @@ -373,7 +373,7 @@ void TestKLPrincipal (void) } else { printf ("KLGetStringFromPrincipal(nobody.admin@TEST-KERBEROS-1.3.1, v4) returned (err = %d)\n", err); } - + err = KLGetTripletFromPrincipal (adminPrincipalV4, &user, &instance, &realm); if (err == klNoErr) { printf ("KLGetTripletFromPrincipal (nobody.admin@TEST-KERBEROS-1.3.1) returned triplet %s' '%s' '%s'\n", @@ -385,12 +385,12 @@ void TestKLPrincipal (void) printf ("KLGetTripletFromPrincipal(nobody.admin@TEST-KERBEROS-1.3.1) returned (err = %d)\n", err); } } - + printf ("----------------------------------------------------------------\n"); - + if (adminPrincipalV4 != NULL && adminPrincipalV5 != NULL) { KLBoolean equivalent; - + err = KLComparePrincipal (adminPrincipalV5, adminPrincipalV4, &equivalent); if (err == klNoErr) { printf ("KLComparePrincipal %s comparing nobody/admin@TEST-KERBEROS-1.3.1 and nobody.admin@TEST-KERBEROS-1.3.1\n", @@ -399,10 +399,10 @@ void TestKLPrincipal (void) printf ("KLComparePrincipal returned (err = %d)\n", err); } } - + if (principal != NULL && adminPrincipalV5 != NULL) { KLBoolean equivalent; - + err = KLComparePrincipal (principal, adminPrincipalV4, &equivalent); if (err == klNoErr) { printf ("KLComparePrincipal %s comparing nobody@TEST-KERBEROS-1.3.1 and nobody.admin@TEST-KERBEROS-1.3.1\n", @@ -411,10 +411,10 @@ void TestKLPrincipal (void) printf ("KLComparePrincipal returned (err = %d)\n", err); } } - + if (principal != NULL && adminPrincipalV5 != NULL) { KLBoolean equivalent; - + err = KLComparePrincipal (principal, adminPrincipalV5, &equivalent); if (err == klNoErr) { printf ("KLComparePrincipal %s comparing nobody@TEST-KERBEROS-1.3.1 and nobody/admin@TEST-KERBEROS-1.3.1\n", @@ -423,10 +423,10 @@ void TestKLPrincipal (void) printf ("KLComparePrincipal returned (err = %d)\n", err); } } - + if (adminPrincipal != NULL && adminPrincipalV5 != NULL) { KLBoolean equivalent; - + err = KLComparePrincipal (adminPrincipalV5, principal, &equivalent); if (err == klNoErr) { printf ("KLComparePrincipal %s comparing nobody/admin@TEST-KERBEROS-1.3.1 and nobody@TEST-KERBEROS-1.3.1\n", @@ -435,9 +435,9 @@ void TestKLPrincipal (void) printf ("KLComparePrincipal returned (err = %d)\n", err); } } - + printf ("----------------------------------------------------------------\n\n"); - + if (extraLongPrincipal != NULL) KLDisposePrincipal (extraLongPrincipal); if (adminPrincipalV5 != NULL) KLDisposePrincipal (adminPrincipalV5); if (adminPrincipalV4 != NULL) KLDisposePrincipal (adminPrincipalV4); @@ -456,24 +456,24 @@ void TestKerberosRealms (void) printf ("About to test Kerberos realms\n"); KLRemoveAllKerberosRealms (); KLAcquireNewInitialTickets (NULL, NULL, NULL, NULL); - + KLInsertKerberosRealm (realmList_End, "FOO"); KLInsertKerberosRealm (realmList_End, "BAR"); KLInsertKerberosRealm (realmList_End, "BAZ"); KLAcquireNewInitialTickets (NULL, NULL, NULL, NULL); - + KLInsertKerberosRealm (realmList_End, "FOO"); KLAcquireNewInitialTickets (NULL, NULL, NULL, NULL); - + KLSetKerberosRealm (0, "QUUX"); KLAcquireNewInitialTickets (NULL, NULL, NULL, NULL); - + KLRemoveKerberosRealm (0); KLAcquireNewInitialTickets (NULL, NULL, NULL, NULL); - + KLSetKerberosRealm (2, "TEST-KERBEROS-1.3.1"); KLAcquireNewInitialTickets (NULL, NULL, NULL, NULL); - + KLRemoveAllKerberosRealms (); KLInsertKerberosRealm (realmList_End, "TEST-KERBEROS-1.3.1"); KLInsertKerberosRealm (realmList_End, "TEST-KERBEROS-1.0.6"); @@ -485,7 +485,7 @@ void TestKerberosRealms (void) KLInsertKerberosRealm (realmList_End, "TEST-HEIMDAL-0.3D"); KLInsertKerberosRealm (realmList_End, "TESTV5-HEIMDAL-0.3D"); KLInsertKerberosRealm (realmList_End, "TEST-KTH-KRB-1.1"); -} +} void TestLoginOptions (void) @@ -493,25 +493,25 @@ void TestLoginOptions (void) KLBoolean optionSetting; KLStatus err = klNoErr; KLLifetime lifetime; - + lifetime = 10*60; KLSetDefaultLoginOption(loginOption_MinimalTicketLifetime, &lifetime, sizeof(KLLifetime)); - + lifetime = 8*60*60; KLSetDefaultLoginOption(loginOption_MaximalTicketLifetime, &lifetime, sizeof(KLLifetime)); - + lifetime = 8*60*60; KLSetDefaultLoginOption(loginOption_DefaultTicketLifetime, &lifetime, sizeof(KLLifetime)); - + optionSetting = FALSE; KLSetDefaultLoginOption(loginOption_DefaultForwardableTicket, &optionSetting, sizeof(optionSetting)); - + optionSetting = TRUE; KLSetDefaultLoginOption(loginOption_RememberPrincipal, &optionSetting, sizeof(optionSetting)); - + optionSetting = TRUE; err = KLSetDefaultLoginOption(loginOption_RememberExtras, &optionSetting, sizeof(optionSetting)); - + if (err == klNoErr) { KLAcquireNewInitialTickets (NULL, NULL, NULL, NULL); optionSetting = TRUE; @@ -532,9 +532,9 @@ char* TimeToString (char* timeString, long t) /* we come in in 1970 time */ time_t timer = (time_t) t; struct tm tm; - + tm = *localtime (&timer); - + sprintf(timeString, "%.3s %.3s%3d %.2d:%.2d:%.2d %d", day_name[tm.tm_wday], month_name[tm.tm_mon], @@ -543,7 +543,7 @@ char* TimeToString (char* timeString, long t) tm.tm_min, tm.tm_sec, tm.tm_year + 1900); - + return timeString; } @@ -553,4 +553,3 @@ void MyKerberosLoginIdleCallback (KLRefCon inAppData) syslog (LOG_ALERT, "App got callback while waiting for Mach IPC (appData == %d)\n", inAppData); // KLCancelAllDialogs (); } - diff --git a/src/kim/test/test_kll_terminal.c b/src/kim/test/test_kll_terminal.c index 9c22625bf..20a5e7898 100644 --- a/src/kim/test/test_kll_terminal.c +++ b/src/kim/test/test_kll_terminal.c @@ -2,13 +2,13 @@ -int main (void) +int main (void) { KLStatus err; KLPrincipal principal; char *principalName; char *cacheName; - + printf ("Testing KLAcquireNewTickets (nil)...\n"); err = KLAcquireNewTickets (nil, &principal, &cacheName); @@ -18,22 +18,22 @@ int main (void) printf ("Got tickets for '%s' in cache '%s'\n", principalName, cacheName); KLDisposeString (principalName); } else { - printf ("KLGetStringFromPrincipal() returned (err = %ld)\n", err); + printf ("KLGetStringFromPrincipal() returned (err = %ld)\n", err); } KLDisposeString (cacheName); - + printf ("Testing KLChangePassword (principal)...\n"); - + err = KLChangePassword (principal); if (err != klNoErr) { printf ("KLChangePassword() returned (err = %ld)\n", err); } - + KLDisposePrincipal (principal); } else { printf ("KLAcquireNewTickets() returned (err = %ld)\n", err); } - - printf ("All done testing!\n"); - return 0; -} \ No newline at end of file + + printf ("All done testing!\n"); + return 0; +} diff --git a/src/kim/test/test_ui_plugin.c b/src/kim/test/test_ui_plugin.c index 9a6e3761d..a37fa7f83 100644 --- a/src/kim/test/test_ui_plugin.c +++ b/src/kim/test/test_ui_plugin.c @@ -43,18 +43,18 @@ const char *magic = "test_ui_context_magic"; /* ------------------------------------------------------------------------ */ static void test_ui_vlog (test_ui_context in_context, - const char *in_format, + const char *in_format, va_list in_args) { if (!in_context) { asl_log (NULL, NULL, ASL_LEVEL_ERR, "NULL context!"); - + } else if (strcmp (in_context->magic, magic)) { - asl_log (NULL, NULL, ASL_LEVEL_ERR, + asl_log (NULL, NULL, ASL_LEVEL_ERR, "Magic mismatch. Context corrupted!"); - + } else { - asl_vlog (in_context->asl_context, NULL, ASL_LEVEL_NOTICE, + asl_vlog (in_context->asl_context, NULL, ASL_LEVEL_NOTICE, in_format, in_args); } } @@ -62,19 +62,19 @@ static void test_ui_vlog (test_ui_context in_context, /* ------------------------------------------------------------------------ */ static void test_ui_log_ (void *in_context, - const char *in_function, + const char *in_function, const char *in_format, ...) { test_ui_context context = in_context; char *format = NULL; va_list args; - + asprintf (&format, "%s: %s", in_function, in_format); - - va_start (args, in_format); + + va_start (args, in_format); test_ui_vlog (context, format, args); va_end (args); - + free (format); } @@ -88,38 +88,38 @@ static kim_error test_ui_init (void **out_context) { kim_error err = KIM_NO_ERROR; test_ui_context context = NULL; - + if (!err) { context = malloc (sizeof (*context)); if (!context) { err = KIM_OUT_OF_MEMORY_ERR; } - } - + } + if (!err) { context->got_error = 0; context->magic = magic; - context->asl_context = asl_open (NULL, - "com.apple.console", + context->asl_context = asl_open (NULL, + "com.apple.console", ASL_OPT_NO_DELAY | ASL_OPT_STDERR); if (!context->asl_context) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { test_ui_log (context, "returning with no error."); } else { kim_string estring = NULL; - + kim_string_create_for_last_error (&estring, err); test_ui_log (NULL, "returning %d: %s", err, estring); kim_string_free (&estring); } - - if (!err) { + + if (!err) { *out_context = context; context = NULL; } - + free (context); - + return err; } @@ -132,9 +132,9 @@ static kim_error test_ui_enter_identity (void *in_context, { kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; - + test_ui_log (in_context, "entering..."); - + if (!err) { test_ui_context context = in_context; if (context->got_error > 1) { @@ -143,39 +143,39 @@ static kim_error test_ui_enter_identity (void *in_context, err = KIM_USER_CANCELED_ERR; } } - + if (!err) { err = kim_options_set_lifetime (io_options, 1800); } - + if (!err) { err = kim_options_set_renewal_lifetime (io_options, 3600); } - + if (!err) { err = kim_identity_create_from_string (&identity, "nobody@TEST-KERBEROS-1.5"); } - + if (!err) { *out_identity = identity; identity = NULL; *out_change_password = 0; } - + kim_identity_free (&identity); - + if (!err) { test_ui_log (in_context, "returning with no error."); } else { kim_string estring = NULL; - + kim_string_create_for_last_error (&estring, err); test_ui_log (in_context, "returning %d: %s", err, estring); kim_string_free (&estring); } - - return err; + + return err; } /* ------------------------------------------------------------------------ */ @@ -188,9 +188,9 @@ static kim_error test_ui_select_identity (void *in_context, kim_error err = KIM_NO_ERROR; kim_identity identity = NULL; kim_options options = NULL; - + test_ui_log (in_context, "entering..."); - + if (!err) { test_ui_context context = in_context; if (context->got_error > 1) { @@ -199,61 +199,61 @@ static kim_error test_ui_select_identity (void *in_context, err = KIM_USER_CANCELED_ERR; } } - + if (!err) { err = kim_selection_hints_get_options (io_hints, &options); } - + if (!err && !options) { err = kim_options_create (&options); } - + if (!err) { err = kim_options_set_lifetime (options, 1800); } - + if (!err) { err = kim_options_set_renewal_lifetime (options, 3600); } - + if (!err) { err = kim_selection_hints_set_options (io_hints, options); } - + if (!err) { err = kim_identity_create_from_string (&identity, "nobody@TEST-KERBEROS-1.5"); } - + if (!err) { *out_identity = identity; identity = NULL; *out_change_password = 0; } - + kim_options_free (&options); kim_identity_free (&identity); - + if (!err) { test_ui_log (in_context, "returning with no error."); } else { kim_string estring = NULL; - + kim_string_create_for_last_error (&estring, err); test_ui_log (in_context, "returning %d: %s", err, estring); kim_string_free (&estring); } - - return err; -} + + return err; +} /* ------------------------------------------------------------------------ */ static kim_error test_ui_auth_prompt (void *in_context, kim_identity in_identity, kim_prompt_type in_type, - kim_boolean in_allow_save_reply, - kim_boolean in_hide_reply, + kim_boolean in_allow_save_reply, + kim_boolean in_hide_reply, kim_string in_title, kim_string in_message, kim_string in_description, @@ -263,13 +263,13 @@ static kim_error test_ui_auth_prompt (void *in_context, kim_error err = KIM_NO_ERROR; kim_string string = NULL; char *reply = NULL; - + test_ui_log (in_context, "entering..."); - + if (!err) { err = kim_identity_get_display_string (in_identity, &string); } - + if (!err) { test_ui_log (in_context, "\tidentity = %s", string); test_ui_log (in_context, "\ttype = %d", in_type); @@ -278,11 +278,11 @@ static kim_error test_ui_auth_prompt (void *in_context, test_ui_log (in_context, "\ttitle = %s", in_title); test_ui_log (in_context, "\tmessage = %s", in_message); test_ui_log (in_context, "\tdescription = %s", in_description); - + reply = strdup ("ydobon"); if (!reply) { err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { test_ui_context context = in_context; if (context->got_error > 1) { @@ -291,26 +291,26 @@ static kim_error test_ui_auth_prompt (void *in_context, err = KIM_USER_CANCELED_ERR; } } - + if (!err) { *out_reply = reply; reply = NULL; *out_save_reply = 0; } - + free (reply); kim_string_free (&string); - + if (!err) { test_ui_log (in_context, "returning with no error."); } else { kim_string estring = NULL; - + kim_string_create_for_last_error (&estring, err); test_ui_log (in_context, "returning %d: %s", err, estring); kim_string_free (&estring); } - + return err; } @@ -328,26 +328,26 @@ static kim_error test_ui_change_password (void *in_context, char *old_password = NULL; char *new_password = NULL; char *vfy_password = NULL; - + test_ui_log (in_context, "entering..."); - + if (!err) { err = kim_identity_get_display_string (in_identity, &string); } - + if (!err) { test_ui_log (in_context, "\tidentity = %s", string); - test_ui_log (in_context, "\told_password_expired = %d", + test_ui_log (in_context, "\told_password_expired = %d", in_old_password_expired); old_password = strdup ("ydobon"); new_password = strdup ("foo"); vfy_password = strdup ("foo"); - if (!old_password || !new_password || !vfy_password) { - err = KIM_OUT_OF_MEMORY_ERR; + if (!old_password || !new_password || !vfy_password) { + err = KIM_OUT_OF_MEMORY_ERR; } } - + if (!err) { test_ui_context context = in_context; if (context->got_error > 1) { @@ -365,22 +365,22 @@ static kim_error test_ui_change_password (void *in_context, *out_verify_password = vfy_password; vfy_password = NULL; } - + free (old_password); free (new_password); free (vfy_password); kim_string_free (&string); - + if (!err) { test_ui_log (in_context, "returning with no error."); } else { kim_string estring = NULL; - + kim_string_create_for_last_error (&estring, err); test_ui_log (in_context, "returning %d: %s", err, estring); kim_string_free (&estring); } - + return err; } @@ -394,13 +394,13 @@ static kim_error test_ui_handle_error (void *in_context, { kim_error err = KIM_NO_ERROR; kim_string string = NULL; - + test_ui_log (in_context, "entering..."); - + if (!err) { err = kim_identity_get_display_string (in_identity, &string); } - + if (!err) { test_ui_context context = in_context; @@ -408,22 +408,22 @@ static kim_error test_ui_handle_error (void *in_context, test_ui_log (in_context, "\terror = %d", in_error); test_ui_log (in_context, "\tmessage = %s", in_error_message); test_ui_log (in_context, "\tdescription = %s", in_error_description); - + context->got_error++; } - + kim_string_free (&string); - + if (!err) { test_ui_log (in_context, "returning with no error."); } else { kim_string estring = NULL; - + kim_string_create_for_last_error (&estring, err); test_ui_log (in_context, "returning %d: %s", err, estring); kim_string_free (&estring); } - + return err; } @@ -446,14 +446,14 @@ static kim_error test_ui_fini (void *io_context) kim_error err = KIM_NO_ERROR; test_ui_log (io_context, "deallocating..."); - + if (io_context) { test_ui_context context = io_context; - + asl_close (context->asl_context); free (context); } - + return err; } diff --git a/src/lib/apputils/daemon.c b/src/lib/apputils/daemon.c index 00dde4882..42b2bbc22 100644 --- a/src/lib/apputils/daemon.c +++ b/src/lib/apputils/daemon.c @@ -62,7 +62,7 @@ daemon(nochdir, noclose) #else { int n; - + /* * The open below may hang on pseudo ttys if the person * who starts named logs out before this point. Thus, diff --git a/src/lib/crypto/builtin/aes/aes.h b/src/lib/crypto/builtin/aes/aes.h index ac1c1b89e..6009b986a 100644 --- a/src/lib/crypto/builtin/aes/aes.h +++ b/src/lib/crypto/builtin/aes/aes.h @@ -5,23 +5,23 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 21/01/2002 @@ -34,9 +34,9 @@ #include "uitypes.h" -/* BLOCK_SIZE is in BYTES: 16, 24, 32 or undefined for aes.c and 16, 20, - 24, 28, 32 or undefined for aespp.c. When left undefined a slower - version that provides variable block length is compiled. +/* BLOCK_SIZE is in BYTES: 16, 24, 32 or undefined for aes.c and 16, 20, + 24, 28, 32 or undefined for aespp.c. When left undefined a slower + version that provides variable block length is compiled. */ #define BLOCK_SIZE 16 diff --git a/src/lib/crypto/builtin/aes/aes_s2k.c b/src/lib/crypto/builtin/aes/aes_s2k.c index 14c7726bb..0eccdd941 100644 --- a/src/lib/crypto/builtin/aes/aes_s2k.c +++ b/src/lib/crypto/builtin/aes/aes_s2k.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5int_aes_string_to_key */ diff --git a/src/lib/crypto/builtin/aes/aescpp.h b/src/lib/crypto/builtin/aes/aescpp.h index e685485e1..c81dfa6d1 100644 --- a/src/lib/crypto/builtin/aes/aescpp.h +++ b/src/lib/crypto/builtin/aes/aescpp.h @@ -1,4 +1,3 @@ - /* ------------------------------------------------------------------------- Copyright (c) 2001, Dr Brian Gladman , Worcester, UK. @@ -6,21 +5,21 @@ TERMS - Redistribution and use in source and binary forms, with or without + Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 3. The copyright holder's name must not be used to endorse or promote - any products derived from this software without his specific prior - written permission. + 3. The copyright holder's name must not be used to endorse or promote + any products derived from this software without his specific prior + written permission. - This software is provided 'as is' with no express or implied warranties + This software is provided 'as is' with no express or implied warranties of correctness or fitness for purpose. ------------------------------------------------------------------------- Issue Date: 21/01/2002 diff --git a/src/lib/crypto/builtin/aes/aescrypp.c b/src/lib/crypto/builtin/aes/aescrypp.c index 87b634179..c1608df2a 100644 --- a/src/lib/crypto/builtin/aes/aescrypp.c +++ b/src/lib/crypto/builtin/aes/aescrypp.c @@ -5,23 +5,23 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 21/01/2002 @@ -44,7 +44,7 @@ #define locals(y,x) x[4],y[4] #else #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3 - /* + /* the following defines prevent the compiler requiring the declaration of generated but unused variables in the fwd_var and inv_var macros */ @@ -77,7 +77,7 @@ #define b17 unused #endif #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \ - s(y,2) = s(x,2); s(y,3) = s(x,3); s(y,4) = s(x,4); + s(y,2) = s(x,2); s(y,3) = s(x,3); s(y,4) = s(x,4); #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); si(y,x,k,4) #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); so(y,x,4) #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); rm(y,x,k,4) @@ -212,15 +212,15 @@ switch(nc) \ #if defined(ENCRYPTION) /* I am grateful to Frank Yellin for the following construction - (and that for decryption) which, given the column (c) of the - output state variable, gives the input state variables which + (and that for decryption) which, given the column (c) of the + output state variable, gives the input state variables which are needed for each row (r) of the state. - For the fixed block size options, compilers should reduce these - two expressions to fixed variable references. But for variable + For the fixed block size options, compilers should reduce these + two expressions to fixed variable references. But for variable block size code conditional clauses will sometimes be returned. - y = output word, x = input word, r = row, c = column for r = 0, + y = output word, x = input word, r = row, c = column for r = 0, 1, 2 and 3 = column accessed for row r. */ @@ -291,7 +291,7 @@ aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], cons #if (ENC_UNROLL == FULL) - state_in((cx->n_rnd & 1 ? b1 : b0), in_blk, kp); + state_in((cx->n_rnd & 1 ? b1 : b0), in_blk, kp); kp += (cx->n_rnd - 9) * nc; switch(cx->n_rnd) @@ -300,13 +300,13 @@ aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], cons case 13: round(fwd_rnd, b0, b1, kp - 3 * nc); case 12: round(fwd_rnd, b1, b0, kp - 2 * nc); case 11: round(fwd_rnd, b0, b1, kp - nc); - case 10: round(fwd_rnd, b1, b0, kp ); + case 10: round(fwd_rnd, b1, b0, kp ); round(fwd_rnd, b0, b1, kp + nc); - round(fwd_rnd, b1, b0, kp + 2 * nc); + round(fwd_rnd, b1, b0, kp + 2 * nc); round(fwd_rnd, b0, b1, kp + 3 * nc); - round(fwd_rnd, b1, b0, kp + 4 * nc); + round(fwd_rnd, b1, b0, kp + 4 * nc); round(fwd_rnd, b0, b1, kp + 5 * nc); - round(fwd_rnd, b1, b0, kp + 6 * nc); + round(fwd_rnd, b1, b0, kp + 6 * nc); round(fwd_rnd, b0, b1, kp + 7 * nc); round(fwd_rnd, b1, b0, kp + 8 * nc); round(fwd_lrnd, b0, b1, kp + 9 * nc); @@ -314,33 +314,33 @@ aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], cons #else { uint32_t rnd; - state_in(b0, in_blk, kp); + state_in(b0, in_blk, kp); #if (ENC_UNROLL == PARTIAL) for(rnd = 0; rnd < (cx->n_rnd - 1) >> 1; ++rnd) { kp += nc; - round(fwd_rnd, b1, b0, kp); + round(fwd_rnd, b1, b0, kp); kp += nc; - round(fwd_rnd, b0, b1, kp); + round(fwd_rnd, b0, b1, kp); } - if(cx->n_rnd & 1) + if(cx->n_rnd & 1) { l_copy(b1, b0); } else { kp += nc; - round(fwd_rnd, b1, b0, kp); + round(fwd_rnd, b1, b0, kp); } #else for(rnd = 0; rnd < cx->n_rnd - 1; ++rnd) { kp += nc; - round(fwd_rnd, b1, b0, kp); - l_copy(b0, b1); + round(fwd_rnd, b1, b0, kp); + l_copy(b0, b1); } #endif kp += nc; @@ -423,7 +423,7 @@ aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], cons #if (DEC_UNROLL == FULL) - state_in((cx->n_rnd & 1 ? b1 : b0), in_blk, kp); + state_in((cx->n_rnd & 1 ? b1 : b0), in_blk, kp); kp = cx->k_sch + 9 * nc; switch(cx->n_rnd) @@ -432,13 +432,13 @@ aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], cons case 13: round(inv_rnd, b0, b1, kp + 3 * nc); case 12: round(inv_rnd, b1, b0, kp + 2 * nc); case 11: round(inv_rnd, b0, b1, kp + nc); - case 10: round(inv_rnd, b1, b0, kp ); + case 10: round(inv_rnd, b1, b0, kp ); round(inv_rnd, b0, b1, kp - nc); - round(inv_rnd, b1, b0, kp - 2 * nc); + round(inv_rnd, b1, b0, kp - 2 * nc); round(inv_rnd, b0, b1, kp - 3 * nc); - round(inv_rnd, b1, b0, kp - 4 * nc); + round(inv_rnd, b1, b0, kp - 4 * nc); round(inv_rnd, b0, b1, kp - 5 * nc); - round(inv_rnd, b1, b0, kp - 6 * nc); + round(inv_rnd, b1, b0, kp - 6 * nc); round(inv_rnd, b0, b1, kp - 7 * nc); round(inv_rnd, b1, b0, kp - 8 * nc); round(inv_lrnd, b0, b1, kp - 9 * nc); @@ -446,33 +446,33 @@ aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], cons #else { uint32_t rnd; - state_in(b0, in_blk, kp); + state_in(b0, in_blk, kp); #if (DEC_UNROLL == PARTIAL) for(rnd = 0; rnd < (cx->n_rnd - 1) >> 1; ++rnd) { kp -= nc; - round(inv_rnd, b1, b0, kp); + round(inv_rnd, b1, b0, kp); kp -= nc; - round(inv_rnd, b0, b1, kp); + round(inv_rnd, b0, b1, kp); } - if(cx->n_rnd & 1) + if(cx->n_rnd & 1) { l_copy(b1, b0); } else - { + { kp -= nc; - round(inv_rnd, b1, b0, kp); + round(inv_rnd, b1, b0, kp); } #else for(rnd = 0; rnd < cx->n_rnd - 1; ++rnd) { kp -= nc; - round(inv_rnd, b1, b0, kp); - l_copy(b0, b1); + round(inv_rnd, b1, b0, kp); + l_copy(b0, b1); } #endif kp -= nc; diff --git a/src/lib/crypto/builtin/aes/aescrypt.c b/src/lib/crypto/builtin/aes/aescrypt.c index 9db66e284..2704b89cd 100644 --- a/src/lib/crypto/builtin/aes/aescrypt.c +++ b/src/lib/crypto/builtin/aes/aescrypt.c @@ -5,29 +5,29 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 21/01/2002 This file contains the code for implementing encryption and decryption - for AES (Rijndael) for block and key sizes of 16, 24 and 32 bytes. It + for AES (Rijndael) for block and key sizes of 16, 24 and 32 bytes. It can optionally be replaced by code written in assembler using NASM. */ @@ -35,7 +35,7 @@ #if defined(BLOCK_SIZE) && (BLOCK_SIZE & 7) #error An illegal block size has been specified. -#endif +#endif #define unused 77 /* Sunset Strip */ @@ -48,7 +48,7 @@ #define locals(y,x) x[4],y[4] #else #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3 - /* + /* the following defines prevent the compiler requiring the declaration of generated but unused variables in the fwd_var and inv_var macros */ @@ -162,18 +162,18 @@ switch(nc) \ #if defined(ENCRYPTION) /* I am grateful to Frank Yellin for the following construction - (and that for decryption) which, given the column (c) of the - output state variable, gives the input state variables which + (and that for decryption) which, given the column (c) of the + output state variable, gives the input state variables which are needed in its computation for each row (r) of the state. - For the fixed block size options, compilers should be able to - reduce this complex expression (and the equivalent one for - decryption) to a static variable reference at compile time. + For the fixed block size options, compilers should be able to + reduce this complex expression (and the equivalent one for + decryption) to a static variable reference at compile time. But for variable block size code, there will be some limbs on which conditional clauses will be returned. */ -/* y = output word, x = input word, r = row, c = column for r = 0, +/* y = output word, x = input word, r = row, c = column for r = 0, 1, 2 and 3 = column accessed for row r. */ @@ -242,7 +242,7 @@ aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], cons if(!(cx->n_blk & 1)) return aes_bad; - state_in(b0, in_blk, kp); + state_in(b0, in_blk, kp); #if (ENC_UNROLL == FULL) @@ -250,31 +250,31 @@ aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], cons switch(cx->n_rnd) { - case 14: round(fwd_rnd, b1, b0, kp - 4 * nc); + case 14: round(fwd_rnd, b1, b0, kp - 4 * nc); round(fwd_rnd, b0, b1, kp - 3 * nc); - case 12: round(fwd_rnd, b1, b0, kp - 2 * nc); + case 12: round(fwd_rnd, b1, b0, kp - 2 * nc); round(fwd_rnd, b0, b1, kp - nc); - case 10: round(fwd_rnd, b1, b0, kp ); + case 10: round(fwd_rnd, b1, b0, kp ); round(fwd_rnd, b0, b1, kp + nc); - round(fwd_rnd, b1, b0, kp + 2 * nc); + round(fwd_rnd, b1, b0, kp + 2 * nc); round(fwd_rnd, b0, b1, kp + 3 * nc); - round(fwd_rnd, b1, b0, kp + 4 * nc); + round(fwd_rnd, b1, b0, kp + 4 * nc); round(fwd_rnd, b0, b1, kp + 5 * nc); - round(fwd_rnd, b1, b0, kp + 6 * nc); + round(fwd_rnd, b1, b0, kp + 6 * nc); round(fwd_rnd, b0, b1, kp + 7 * nc); round(fwd_rnd, b1, b0, kp + 8 * nc); round(fwd_lrnd, b0, b1, kp + 9 * nc); } #else - + #if (ENC_UNROLL == PARTIAL) { uint32_t rnd; for(rnd = 0; rnd < (cx->n_rnd >> 1) - 1; ++rnd) { kp += nc; - round(fwd_rnd, b1, b0, kp); + round(fwd_rnd, b1, b0, kp); kp += nc; - round(fwd_rnd, b0, b1, kp); + round(fwd_rnd, b0, b1, kp); } kp += nc; round(fwd_rnd, b1, b0, kp); @@ -283,7 +283,7 @@ aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], cons for(rnd = 0; rnd < cx->n_rnd - 1; ++rnd) { kp += nc; - round(fwd_rnd, p1, p0, kp); + round(fwd_rnd, p1, p0, kp); pt = p0, p0 = p1, p1 = pt; } #endif @@ -376,27 +376,27 @@ aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], cons round(inv_rnd, b0, b1, kp + 3 * nc); case 12: round(inv_rnd, b1, b0, kp + 2 * nc); round(inv_rnd, b0, b1, kp + nc ); - case 10: round(inv_rnd, b1, b0, kp ); + case 10: round(inv_rnd, b1, b0, kp ); round(inv_rnd, b0, b1, kp - nc); - round(inv_rnd, b1, b0, kp - 2 * nc); + round(inv_rnd, b1, b0, kp - 2 * nc); round(inv_rnd, b0, b1, kp - 3 * nc); - round(inv_rnd, b1, b0, kp - 4 * nc); + round(inv_rnd, b1, b0, kp - 4 * nc); round(inv_rnd, b0, b1, kp - 5 * nc); - round(inv_rnd, b1, b0, kp - 6 * nc); + round(inv_rnd, b1, b0, kp - 6 * nc); round(inv_rnd, b0, b1, kp - 7 * nc); round(inv_rnd, b1, b0, kp - 8 * nc); round(inv_lrnd, b0, b1, kp - 9 * nc); } #else - + #if (DEC_UNROLL == PARTIAL) { uint32_t rnd; for(rnd = 0; rnd < (cx->n_rnd >> 1) - 1; ++rnd) { - kp -= nc; - round(inv_rnd, b1, b0, kp); - kp -= nc; - round(inv_rnd, b0, b1, kp); + kp -= nc; + round(inv_rnd, b1, b0, kp); + kp -= nc; + round(inv_rnd, b0, b1, kp); } kp -= nc; round(inv_rnd, b1, b0, kp); @@ -405,7 +405,7 @@ aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], cons for(rnd = 0; rnd < cx->n_rnd - 1; ++rnd) { kp -= nc; - round(inv_rnd, p1, p0, kp); + round(inv_rnd, p1, p0, kp); pt = p0, p0 = p1, p1 = pt; } #endif diff --git a/src/lib/crypto/builtin/aes/aeskey.c b/src/lib/crypto/builtin/aes/aeskey.c index 60f766b8a..36b6404b1 100644 --- a/src/lib/crypto/builtin/aes/aeskey.c +++ b/src/lib/crypto/builtin/aes/aeskey.c @@ -5,28 +5,28 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 21/01/2002 - This file contains the code for implementing the key schedule for AES + This file contains the code for implementing the key schedule for AES (Rijndael) for block and key sizes of 16, 24, and 32 bytes. */ @@ -34,10 +34,10 @@ #if defined(BLOCK_SIZE) && (BLOCK_SIZE & 7) #error An illegal block size has been specified. -#endif +#endif /* Subroutine to set the block size (if variable) in bytes, legal - values being 16, 24 and 32. + values being 16, 24 and 32. */ #if !defined(BLOCK_SIZE) && defined(SET_BLOCK_LENGTH) @@ -48,8 +48,8 @@ aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]) if(!tab_init) gen_tabs(); #endif - if((blen & 7) || blen < 16 || blen > 32) - { + if((blen & 7) || blen < 16 || blen > 32) + { cx->n_blk = 0; return aes_bad; } @@ -64,10 +64,10 @@ aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]) This corresponds to bit lengths of 128, 192 and 256 bits, and to Nk values of 4, 6 and 8 respectively. - The following macros implement a single cycle in the key - schedule generation process. The number of cycles needed + The following macros implement a single cycle in the key + schedule generation process. The number of cycles needed for each cx->n_col and nk value is: - + nk = 4 5 6 7 8 ------------------------------ cx->n_col = 4 10 9 8 7 7 @@ -110,7 +110,7 @@ aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]) } aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]) -{ uint32_t ss[8]; +{ uint32_t ss[8]; #if !defined(FIXED_TABLES) if(!tab_init) gen_tabs(); @@ -121,7 +121,7 @@ aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx #else cx->n_blk = BLOCK_SIZE; #endif - + cx->n_blk = (cx->n_blk & ~3U) | 1; cx->k_sch[0] = ss[0] = word_in(in_key ); @@ -133,29 +133,29 @@ aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx switch(klen) { - case 16: ke4(cx->k_sch, 0); ke4(cx->k_sch, 1); + case 16: ke4(cx->k_sch, 0); ke4(cx->k_sch, 1); ke4(cx->k_sch, 2); ke4(cx->k_sch, 3); - ke4(cx->k_sch, 4); ke4(cx->k_sch, 5); + ke4(cx->k_sch, 4); ke4(cx->k_sch, 5); ke4(cx->k_sch, 6); ke4(cx->k_sch, 7); - ke4(cx->k_sch, 8); kel4(cx->k_sch, 9); + ke4(cx->k_sch, 8); kel4(cx->k_sch, 9); cx->n_rnd = 10; break; case 24: cx->k_sch[4] = ss[4] = word_in(in_key + 16); cx->k_sch[5] = ss[5] = word_in(in_key + 20); - ke6(cx->k_sch, 0); ke6(cx->k_sch, 1); + ke6(cx->k_sch, 0); ke6(cx->k_sch, 1); ke6(cx->k_sch, 2); ke6(cx->k_sch, 3); - ke6(cx->k_sch, 4); ke6(cx->k_sch, 5); - ke6(cx->k_sch, 6); kel6(cx->k_sch, 7); + ke6(cx->k_sch, 4); ke6(cx->k_sch, 5); + ke6(cx->k_sch, 6); kel6(cx->k_sch, 7); cx->n_rnd = 12; break; case 32: cx->k_sch[4] = ss[4] = word_in(in_key + 16); cx->k_sch[5] = ss[5] = word_in(in_key + 20); cx->k_sch[6] = ss[6] = word_in(in_key + 24); cx->k_sch[7] = ss[7] = word_in(in_key + 28); - ke8(cx->k_sch, 0); ke8(cx->k_sch, 1); + ke8(cx->k_sch, 0); ke8(cx->k_sch, 1); ke8(cx->k_sch, 2); ke8(cx->k_sch, 3); - ke8(cx->k_sch, 4); ke8(cx->k_sch, 5); - kel8(cx->k_sch, 6); + ke8(cx->k_sch, 4); ke8(cx->k_sch, 5); + kel8(cx->k_sch, 6); cx->n_rnd = 14; break; - default: cx->n_rnd = 0; return aes_bad; + default: cx->n_rnd = 0; return aes_bad; } #else { uint32_t i, l; @@ -179,7 +179,7 @@ aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx for(i = 0; i < l; ++i) ke8(cx->k_sch, i); break; - default: cx->n_rnd = 0; return aes_bad; + default: cx->n_rnd = 0; return aes_bad; } } #endif @@ -277,7 +277,7 @@ aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx } aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]) -{ uint32_t ss[8]; +{ uint32_t ss[8]; d_vars #if !defined(FIXED_TABLES) @@ -301,20 +301,20 @@ aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx switch(klen) { - case 16: kdf4(cx->k_sch, 0); kd4(cx->k_sch, 1); + case 16: kdf4(cx->k_sch, 0); kd4(cx->k_sch, 1); kd4(cx->k_sch, 2); kd4(cx->k_sch, 3); - kd4(cx->k_sch, 4); kd4(cx->k_sch, 5); + kd4(cx->k_sch, 4); kd4(cx->k_sch, 5); kd4(cx->k_sch, 6); kd4(cx->k_sch, 7); - kd4(cx->k_sch, 8); kdl4(cx->k_sch, 9); + kd4(cx->k_sch, 8); kdl4(cx->k_sch, 9); cx->n_rnd = 10; break; case 24: ss[4] = word_in(in_key + 16); cx->k_sch[4] = ff(ss[4]); ss[5] = word_in(in_key + 20); cx->k_sch[5] = ff(ss[5]); - kdf6(cx->k_sch, 0); kd6(cx->k_sch, 1); + kdf6(cx->k_sch, 0); kd6(cx->k_sch, 1); kd6(cx->k_sch, 2); kd6(cx->k_sch, 3); - kd6(cx->k_sch, 4); kd6(cx->k_sch, 5); - kd6(cx->k_sch, 6); kdl6(cx->k_sch, 7); + kd6(cx->k_sch, 4); kd6(cx->k_sch, 5); + kd6(cx->k_sch, 6); kdl6(cx->k_sch, 7); cx->n_rnd = 12; break; case 32: ss[4] = word_in(in_key + 16); cx->k_sch[4] = ff(ss[4]); @@ -324,12 +324,12 @@ aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx cx->k_sch[6] = ff(ss[6]); ss[7] = word_in(in_key + 28); cx->k_sch[7] = ff(ss[7]); - kdf8(cx->k_sch, 0); kd8(cx->k_sch, 1); + kdf8(cx->k_sch, 0); kd8(cx->k_sch, 1); kd8(cx->k_sch, 2); kd8(cx->k_sch, 3); - kd8(cx->k_sch, 4); kd8(cx->k_sch, 5); - kdl8(cx->k_sch, 6); + kd8(cx->k_sch, 4); kd8(cx->k_sch, 5); + kdl8(cx->k_sch, 6); cx->n_rnd = 14; break; - default: cx->n_rnd = 0; return aes_bad; + default: cx->n_rnd = 0; return aes_bad; } #else { uint32_t i, l; @@ -338,7 +338,7 @@ aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx switch(klen) { - case 16: + case 16: for(i = 0; i < l; ++i) ke4(cx->k_sch, i); break; @@ -354,7 +354,7 @@ aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx for(i = 0; i < l; ++i) ke8(cx->k_sch, i); break; - default: cx->n_rnd = 0; return aes_bad; + default: cx->n_rnd = 0; return aes_bad; } #if (DEC_ROUND != NO_TABLES) for(i = nc; i < nc * cx->n_rnd; ++i) diff --git a/src/lib/crypto/builtin/aes/aeskeypp.c b/src/lib/crypto/builtin/aes/aeskeypp.c index 89fd9006d..589d7a392 100644 --- a/src/lib/crypto/builtin/aes/aeskeypp.c +++ b/src/lib/crypto/builtin/aes/aeskeypp.c @@ -5,41 +5,41 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 21/01/2002 - This file contains the code for implementing the key schedule for AES + This file contains the code for implementing the key schedule for AES (Rijndael) for block and key sizes of 16, 20, 24, 28 and 32 bytes. */ #include "aesopt.h" /* Subroutine to set the block size (if variable) in bytes, legal - values being 16, 24 and 32. + values being 16, 24 and 32. */ #if !defined(BLOCK_SIZE) && defined(SET_BLOCK_LENGTH) /* Subroutine to set the block size (if variable) in bytes, legal - values being 16, 24 and 32. + values being 16, 24 and 32. */ aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]) @@ -48,8 +48,8 @@ aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]) if(!tab_init) gen_tabs(); #endif - if((blen & 3) || blen < 16 || blen > 32) - { + if((blen & 3) || blen < 16 || blen > 32) + { cx->n_blk = 0; return aes_bad; } @@ -64,10 +64,10 @@ aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]) This corresponds to bit lengths of 128, 192 and 256 bits, and to Nk values of 4, 6 and 8 respectively. - The following macros implement a single cycle in the key - schedule generation process. The number of cycles needed + The following macros implement a single cycle in the key + schedule generation process. The number of cycles needed for each cx->n_blk and nk value is: - + nk = 4 5 6 7 8 ------------------------------ cx->n_blk = 4 10 9 8 7 7 @@ -78,7 +78,7 @@ aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]) */ /* Initialise the key schedule from the user supplied key. The key - length is now specified in bytes - 16, 20, 24, 28 or 32 as + length is now specified in bytes - 16, 20, 24, 28 or 32 as appropriate. This corresponds to bit lengths of 128, 160, 192, 224 and 256 bits, and to Nk values of 4, 5, 6, 7 & 8 respectively. */ @@ -133,10 +133,10 @@ switch(nc) \ #endif -/* The following macros implement a single cycle in the key - schedule generation process. The number of cycles needed +/* The following macros implement a single cycle in the key + schedule generation process. The number of cycles needed for each cx->n_blk and nk value is: - + nk = 4 5 6 7 8 ----------------------- cx->n_blk = 4 10 9 8 7 7 @@ -229,30 +229,30 @@ aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx { case 4: ks4(0); ks4(1); ks4(2); ks4(3); ks4(4); ks4(5); ks4(6); ks4(7); - ks4(8); ks4(9); + ks4(8); ks4(9); cx->n_rnd = 10; break; case 5: cx->k_sch[4] = t = word_in(in_key + 16); ks5(0); ks5(1); ks5(2); ks5(3); - ks5(4); ks5(5); ks5(6); ks5(7); - ks5(8); + ks5(4); ks5(5); ks5(6); ks5(7); + ks5(8); cx->n_rnd = 11; break; case 6: cx->k_sch[4] = t = word_in(in_key + 16); cx->k_sch[5] = u = word_in(in_key + 20); ks6(0); ks6(1); ks6(2); ks6(3); - ks6(4); ks6(5); ks6(6); ks6(7); + ks6(4); ks6(5); ks6(6); ks6(7); cx->n_rnd = 12; break; case 7: cx->k_sch[4] = t = word_in(in_key + 16); cx->k_sch[5] = u = word_in(in_key + 20); cx->k_sch[6] = v = word_in(in_key + 24); ks7(0); ks7(1); ks7(2); ks7(3); - ks7(4); ks7(5); ks7(6); + ks7(4); ks7(5); ks7(6); cx->n_rnd = 13; break; case 8: cx->k_sch[4] = t = word_in(in_key + 16); cx->k_sch[5] = u = word_in(in_key + 20); cx->k_sch[6] = v = word_in(in_key + 24); cx->k_sch[7] = w = word_in(in_key + 28); ks8(0); ks8(1); ks8(2); ks8(3); - ks8(4); ks8(5); ks8(6); + ks8(4); ks8(5); ks8(6); cx->n_rnd = 14; break; default:cx->n_rnd = 0; return aes_bad; } @@ -326,30 +326,30 @@ aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx { case 4: ks4(0); ks4(1); ks4(2); ks4(3); ks4(4); ks4(5); ks4(6); ks4(7); - ks4(8); ks4(9); + ks4(8); ks4(9); cx->n_rnd = 10; break; case 5: cx->k_sch[4] = t = word_in(in_key + 16); ks5(0); ks5(1); ks5(2); ks5(3); - ks5(4); ks5(5); ks5(6); ks5(7); - ks5(8); + ks5(4); ks5(5); ks5(6); ks5(7); + ks5(8); cx->n_rnd = 11; break; case 6: cx->k_sch[4] = t = word_in(in_key + 16); cx->k_sch[5] = u = word_in(in_key + 20); ks6(0); ks6(1); ks6(2); ks6(3); - ks6(4); ks6(5); ks6(6); ks6(7); + ks6(4); ks6(5); ks6(6); ks6(7); cx->n_rnd = 12; break; case 7: cx->k_sch[4] = t = word_in(in_key + 16); cx->k_sch[5] = u = word_in(in_key + 20); cx->k_sch[6] = v = word_in(in_key + 24); ks7(0); ks7(1); ks7(2); ks7(3); - ks7(4); ks7(5); ks7(6); + ks7(4); ks7(5); ks7(6); cx->n_rnd = 13; break; case 8: cx->k_sch[4] = t = word_in(in_key + 16); cx->k_sch[5] = u = word_in(in_key + 20); cx->k_sch[6] = v = word_in(in_key + 24); cx->k_sch[7] = w = word_in(in_key + 28); ks8(0); ks8(1); ks8(2); ks8(3); - ks8(4); ks8(5); ks8(6); + ks8(4); ks8(5); ks8(6); cx->n_rnd = 14; break; default:cx->n_rnd = 0; return aes_bad; } diff --git a/src/lib/crypto/builtin/aes/aesopt.h b/src/lib/crypto/builtin/aes/aesopt.h index 006fbb3eb..ede89f653 100644 --- a/src/lib/crypto/builtin/aes/aesopt.h +++ b/src/lib/crypto/builtin/aes/aesopt.h @@ -5,48 +5,48 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 07/02/2002 - This file contains the compilation options for AES (Rijndael) and code + This file contains the compilation options for AES (Rijndael) and code that is common across encryption, key scheduling and table generation. OPERATION - + These source code files implement the AES algorithm Rijndael designed by - Joan Daemen and Vincent Rijmen. The version in aes.c is designed for - block and key sizes of 128, 192 and 256 bits (16, 24 and 32 bytes) while - that in aespp.c provides for block and keys sizes of 128, 160, 192, 224 - and 256 bits (16, 20, 24, 28 and 32 bytes). This file is a common header - file for these two implementations and for aesref.c, which is a reference + Joan Daemen and Vincent Rijmen. The version in aes.c is designed for + block and key sizes of 128, 192 and 256 bits (16, 24 and 32 bytes) while + that in aespp.c provides for block and keys sizes of 128, 160, 192, 224 + and 256 bits (16, 20, 24, 28 and 32 bytes). This file is a common header + file for these two implementations and for aesref.c, which is a reference implementation. - + This version is designed for flexibility and speed using operations on - 32-bit words rather than operations on bytes. It provides aes_both fixed - and dynamic block and key lengths and can also run with either big or - little endian internal byte order (see aes.h). It inputs block and key - lengths in bytes with the legal values being 16, 24 and 32 for aes.c and + 32-bit words rather than operations on bytes. It provides aes_both fixed + and dynamic block and key lengths and can also run with either big or + little endian internal byte order (see aes.h). It inputs block and key + lengths in bytes with the legal values being 16, 24 and 32 for aes.c and 16, 20, 24, 28 and 32 for aespp.c - + THE CIPHER INTERFACE uint8_t (an unsigned 8-bit type) @@ -68,8 +68,8 @@ aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]); aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1]); - IMPORTANT NOTE: If you are using this C interface and your compiler does - not set the memory used for objects to zero before use, you will need to + IMPORTANT NOTE: If you are using this C interface and your compiler does + not set the memory used for objects to zero before use, you will need to ensure that cx.s_flg is set to zero before using these subroutine calls. C++ aes class subroutines: @@ -86,21 +86,21 @@ aes_rval blk(const unsigned char in_blk[], unsigned char out_blk[]); The block length inputs to set_block and set_key are in numbers of - BYTES, not bits. The calls to subroutines must be made in the above + BYTES, not bits. The calls to subroutines must be made in the above order but multiple calls can be made without repeating earlier calls if their parameters have not changed. If the cipher block length is variable but set_blk has not been called before cipher operations a - value of 16 is assumed (that is, the AES block size). In contrast to + value of 16 is assumed (that is, the AES block size). In contrast to earlier versions the block and key length parameters are now checked - for correctness and the encryption and decryption routines check to + for correctness and the encryption and decryption routines check to ensure that an appropriate key has been set before they are called. - COMPILATION + COMPILATION The files used to provide AES (Rijndael) are a. aes.h for the definitions needed for use in C. - b. aescpp.h for the definitions needed for use in C++. + b. aescpp.h for the definitions needed for use in C++. c. aesopt.h for setting compilation options (also includes common code). d. aescrypt.c for encryption and decrytpion, or @@ -113,7 +113,7 @@ block and key lengths of 16, 24 and 32 bytes (128, 192 and 256 bits). If aescrypp.c and aeskeypp.c are used instead of aescrypt.c and aeskey.c respectively, the block and key lengths can then be 16, 20, - 24, 28 or 32 bytes. However this code has not been optimised to the + 24, 28 or 32 bytes. However this code has not been optimised to the same extent and is hence slower (esepcially for the AES block size of 16 bytes). @@ -124,23 +124,23 @@ exclude the AES_DLL define in aes.h To compile AES (Rijndael) in C as a Dynamic Link Library DLL) use - aes.h, include the AES_DLL define and compile the DLL. If using + aes.h, include the AES_DLL define and compile the DLL. If using the test files to test the DLL, exclude aes.c from the test build - project and compile it with the same defines as used for the DLL + project and compile it with the same defines as used for the DLL (ensure that the DLL path is correct) CONFIGURATION OPTIONS (here and in aes.h) - a. define BLOCK_SIZE in aes.h to set the cipher block size (16, 24 - or 32 for the standard code, or 16, 20, 24, 28 or 32 for the - extended code) or leave this undefined for dynamically variable + a. define BLOCK_SIZE in aes.h to set the cipher block size (16, 24 + or 32 for the standard code, or 16, 20, 24, 28 or 32 for the + extended code) or leave this undefined for dynamically variable block size (this will result in much slower code). b. set AES_DLL in aes.h if AES (Rijndael) is to be compiled as a DLL - c. You may need to set PLATFORM_BYTE_ORDER to define the byte order. + c. You may need to set PLATFORM_BYTE_ORDER to define the byte order. d. If you want the code to run in a specific internal byte order, then INTERNAL_BYTE_ORDER must be set accordingly. e. set other configuration options decribed below. -*/ +*/ #ifndef _AESOPT_H #define _AESOPT_H @@ -148,7 +148,7 @@ /* START OF CONFIGURATION OPTIONS USE OF DEFINES - + Later in this section there are a number of defines that control the operation of the code. In each section, the purpose of each define is explained so that the relevant form can be included or @@ -199,11 +199,11 @@ /* 2. BYTE ORDER IN 32-BIT WORDS - To obtain the highest speed on processors with 32-bit words, this code + To obtain the highest speed on processors with 32-bit words, this code needs to determine the order in which bytes are packed into such words. - The following block of code is an attempt to capture the most obvious - ways in which various environemnts specify heir endian definitions. It - may well fail, in which case the definitions will need to be set by + The following block of code is an attempt to capture the most obvious + ways in which various environemnts specify heir endian definitions. It + may well fail, in which case the definitions will need to be set by editing at the points marked **** EDIT HERE IF NECESSARY **** below. */ #define AES_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */ @@ -219,7 +219,7 @@ # define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN # endif # endif -# elif defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) +# elif defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) # define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN # elif !defined(LITTLE_ENDIAN) && defined(BIG_ENDIAN) # define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN @@ -233,7 +233,7 @@ # define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN # endif # endif -# elif defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN) +# elif defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN) # define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN # elif !defined(_LITTLE_ENDIAN) && defined(_BIG_ENDIAN) # define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN @@ -249,8 +249,8 @@ #endif /* 3. ASSEMBLER SUPPORT - - If the assembler code is used for encryption and decryption this file only + + If the assembler code is used for encryption and decryption this file only provides key scheduling so the following defines are used */ #ifdef AES_ASM @@ -298,27 +298,27 @@ /* 5. BYTE ORDER WITHIN 32 BIT WORDS - The fundamental data processing units in Rijndael are 8-bit bytes. The - input, output and key input are all enumerated arrays of bytes in which - bytes are numbered starting at zero and increasing to one less than the - number of bytes in the array in question. This enumeration is only used - for naming bytes and does not imply any adjacency or order relationship - from one byte to another. When these inputs and outputs are considered - as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to - byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte. - In this implementation bits are numbered from 0 to 7 starting at the + The fundamental data processing units in Rijndael are 8-bit bytes. The + input, output and key input are all enumerated arrays of bytes in which + bytes are numbered starting at zero and increasing to one less than the + number of bytes in the array in question. This enumeration is only used + for naming bytes and does not imply any adjacency or order relationship + from one byte to another. When these inputs and outputs are considered + as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to + byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte. + In this implementation bits are numbered from 0 to 7 starting at the numerically least significant end of each byte (bit n represents 2^n). - However, Rijndael can be implemented more efficiently using 32-bit + However, Rijndael can be implemented more efficiently using 32-bit words by packing bytes into words so that bytes 4*n to 4*n+3 are placed - into word[n]. While in principle these bytes can be assembled into words - in any positions, this implementation only supports the two formats in + into word[n]. While in principle these bytes can be assembled into words + in any positions, this implementation only supports the two formats in which bytes in adjacent positions within words also have adjacent byte - numbers. This order is called big-endian if the lowest numbered bytes - in words have the highest numeric significance and little-endian if the - opposite applies. - - This code can work in either order irrespective of the order used by the + numbers. This order is called big-endian if the lowest numbered bytes + in words have the highest numeric significance and little-endian if the + opposite applies. + + This code can work in either order irrespective of the order used by the machine on which it runs. Normally the internal byte order will be set to the order of the processor on which the code is to be run but this define can be used to reverse this in special situations @@ -331,20 +331,20 @@ #define INTERNAL_BYTE_ORDER AES_BIG_ENDIAN #endif -/* 6. FAST INPUT/OUTPUT OPERATIONS. +/* 6. FAST INPUT/OUTPUT OPERATIONS. - On some machines it is possible to improve speed by transferring the - bytes in the input and output arrays to and from the internal 32-bit - variables by addressing these arrays as if they are arrays of 32-bit - words. On some machines this will always be possible but there may - be a large performance penalty if the byte arrays are not aligned on - the normal word boundaries. On other machines this technique will + On some machines it is possible to improve speed by transferring the + bytes in the input and output arrays to and from the internal 32-bit + variables by addressing these arrays as if they are arrays of 32-bit + words. On some machines this will always be possible but there may + be a large performance penalty if the byte arrays are not aligned on + the normal word boundaries. On other machines this technique will lead to memory access errors when such 32-bit word accesses are not - properly aligned. The option SAFE_IO avoids such problems but will - often be slower on those machines that support misaligned access - (especially so if care is taken to align the input and output byte - arrays on 32-bit word boundaries). If SAFE_IO is not defined it is - assumed that access to byte arrays as if they are arrays of 32-bit + properly aligned. The option SAFE_IO avoids such problems but will + often be slower on those machines that support misaligned access + (especially so if care is taken to align the input and output byte + arrays on 32-bit word boundaries). If SAFE_IO is not defined it is + assumed that access to byte arrays as if they are arrays of 32-bit words will not cause problems when such accesses are misaligned. */ #if 1 @@ -363,12 +363,12 @@ /* 7. LOOP UNROLLING The code for encryption and decrytpion cycles through a number of rounds - that can be implemented either in a loop or by expanding the code into a + that can be implemented either in a loop or by expanding the code into a long sequence of instructions, the latter producing a larger program but one that will often be much faster. The latter is called loop unrolling. There are also potential speed advantages in expanding two iterations in a loop with half the number of iterations, which is called partial loop - unrolling. The following options allow partial or full loop unrolling + unrolling. The following options allow partial or full loop unrolling to be set independently for encryption and decryption */ #if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO) @@ -389,8 +389,8 @@ /* 8. FIXED OR DYNAMIC TABLES - When this section is included the tables used by the code are compiled - statically into the binary file. Otherwise they are computed once when + When this section is included the tables used by the code are compiled + statically into the binary file. Otherwise they are computed once when the code is first used. */ #if 1 @@ -399,7 +399,7 @@ /* 9. FAST FINITE FIELD OPERATIONS - If this section is included, tables are used to provide faster finite + If this section is included, tables are used to provide faster finite field arithmetic (this has no effect if FIXED_TABLES is defined). */ #if 1 @@ -408,8 +408,8 @@ /* 10. INTERNAL STATE VARIABLE FORMAT - The internal state of Rijndael is stored in a number of local 32-bit - word varaibles which can be defined either as an array or as individual + The internal state of Rijndael is stored in a number of local 32-bit + word varaibles which can be defined either as an array or as individual names variables. Include this section if you want to store these local varaibles in arrays. Otherwise individual local variables will be used. */ @@ -419,10 +419,10 @@ /* In this implementation the columns of the state array are each held in 32-bit words. The state array can be held in various ways: in an array - of words, in a number of individual word variables or in a number of + of words, in a number of individual word variables or in a number of processor registers. The following define maps a variable name x and a column number c to the way the state array variable is to be held. - The first define below maps the state into an array x[c] whereas the + The first define below maps the state into an array x[c] whereas the second form maps the state into a number of individual variables x0, x1, etc. Another form could map individual state colums to machine register names. @@ -448,16 +448,16 @@ This cipher proceeds by repeating in a number of cycles known as 'rounds' which are implemented by a round function which can optionally be speeded - up using tables. The basic tables are each 256 32-bit words, with either + up using tables. The basic tables are each 256 32-bit words, with either one or four tables being required for each round function depending on how much speed is required. The encryption and decryption round functions are different and the last encryption and decrytpion round functions are different again making four different round functions in all. This means that: - 1. Normal encryption and decryption rounds can each use either 0, 1 + 1. Normal encryption and decryption rounds can each use either 0, 1 or 4 tables and table spaces of 0, 1024 or 4096 bytes each. - 2. The last encryption and decryption rounds can also use either 0, 1 + 2. The last encryption and decryption rounds can also use either 0, 1 or 4 tables and table spaces of 0, 1024 or 4096 bytes each. Include or exclude the appropriate definitions below to set the number @@ -497,7 +497,7 @@ #endif /* The decryption key schedule can be speeded up with tables in the same - way that the round functions can. Include or exclude the following + way that the round functions can. Include or exclude the following defines to set this requirement. */ #if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO) @@ -519,7 +519,7 @@ #if defined(BLOCK_SIZE) && ((BLOCK_SIZE & 3) || BLOCK_SIZE < 16 || BLOCK_SIZE > 32) #error An illegal block size has been specified. -#endif +#endif #if !defined(BLOCK_SIZE) #define RC_LENGTH 29 @@ -534,7 +534,7 @@ #define LAST_ENC_ROUND NO_TABLES #elif ENC_ROUND == ONE_TABLE && LAST_ENC_ROUND == FOUR_TABLES #undef LAST_ENC_ROUND -#define LAST_ENC_ROUND ONE_TABLE +#define LAST_ENC_ROUND ONE_TABLE #endif #if ENC_ROUND == NO_TABLES && ENC_UNROLL != NONE @@ -547,7 +547,7 @@ #define LAST_DEC_ROUND NO_TABLES #elif DEC_ROUND == ONE_TABLE && LAST_DEC_ROUND == FOUR_TABLES #undef LAST_DEC_ROUND -#define LAST_DEC_ROUND ONE_TABLE +#define LAST_DEC_ROUND ONE_TABLE #endif #if DEC_ROUND == NO_TABLES && DEC_UNROLL != NONE @@ -560,7 +560,7 @@ /* upr(x,n): rotates bytes within words by n positions, moving bytes to higher index positions with wrap around into low positions - ups(x,n): moves bytes by n positions to higher index positions in + ups(x,n): moves bytes by n positions to higher index positions in words but without wrap around bval(x,n): extracts a byte from a word */ @@ -602,7 +602,7 @@ #if !defined(_MSC_VER) #define _lrotl(x,n) (((x) << n) | ((x) >> (32 - n))) #endif -#define bswap_32(x) ((_lrotl((x),8) & 0x00ff00ff) | (_lrotl((x),24) & 0xff00ff00)) +#define bswap_32(x) ((_lrotl((x),8) & 0x00ff00ff) | (_lrotl((x),24) & 0xff00ff00)) #endif #define word_in(x) bswap_32(*(uint32_t*)(x)) @@ -625,9 +625,9 @@ give improved performance if a fast 32-bit multiply is not available. Note that a temporary variable u needs to be defined where FFmulX is used. -#define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) +#define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) #define m4 (0x01010101 * BPOLY) -#define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) +#define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) */ /* Work out which tables are needed for the different options */ diff --git a/src/lib/crypto/builtin/aes/aestab.c b/src/lib/crypto/builtin/aes/aestab.c index 7a5d69f7d..790288746 100644 --- a/src/lib/crypto/builtin/aes/aestab.c +++ b/src/lib/crypto/builtin/aes/aestab.c @@ -5,23 +5,23 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 07/02/2002 @@ -29,7 +29,7 @@ #include "aesopt.h" -#if defined(FIXED_TABLES) || !defined(FF_TABLES) +#if defined(FIXED_TABLES) || !defined(FF_TABLES) /* finite field arithmetic operations */ @@ -151,7 +151,7 @@ #define h0(x) (x) -/* These defines are used to ensure tables are generated in the +/* These defines are used to ensure tables are generated in the right format depending on the internal byte order required */ @@ -209,7 +209,7 @@ const uint8_t inv_s_box[256] = { isb_data(h0) }; const uint32_t ft_tab[256] = { sb_data(u0) }; #endif #ifdef FT4_SET -const uint32_t ft_tab[4][256] = +const uint32_t ft_tab[4][256] = { { sb_data(u0) }, { sb_data(u1) }, { sb_data(u2) }, { sb_data(u3) } }; #endif @@ -217,7 +217,7 @@ const uint32_t ft_tab[4][256] = const uint32_t fl_tab[256] = { sb_data(w0) }; #endif #ifdef FL4_SET -const uint32_t fl_tab[4][256] = +const uint32_t fl_tab[4][256] = { { sb_data(w0) }, { sb_data(w1) }, { sb_data(w2) }, { sb_data(w3) } }; #endif @@ -233,7 +233,7 @@ const uint32_t it_tab[4][256] = const uint32_t il_tab[256] = { isb_data(w0) }; #endif #ifdef IL4_SET -const uint32_t il_tab[4][256] = +const uint32_t il_tab[4][256] = { { isb_data(w0) }, { isb_data(w1) }, { isb_data(w2) }, { isb_data(w3) } }; #endif @@ -249,7 +249,7 @@ const uint32_t ls_tab[4][256] = const uint32_t im_tab[256] = { mm_data(v0) }; #endif #ifdef IM4_SET -const uint32_t im_tab[4][256] = +const uint32_t im_tab[4][256] = { { mm_data(v0) }, { mm_data(v1) }, { mm_data(v2) }, { mm_data(v3) } }; #endif @@ -314,8 +314,8 @@ uint32_t im_tab[4][256]; /* Generate the tables for the dynamic table option - It will generally be sensible to use tables to compute finite - field multiplies and inverses but where memory is scarse this + It will generally be sensible to use tables to compute finite + field multiplies and inverses but where memory is scarse this code might sometimes be better. But it only has effect during initialisation so its pretty unimportant in overall terms. */ @@ -327,7 +327,7 @@ uint32_t im_tab[4][256]; static uint8_t hibit(const uint32_t x) { uint8_t r = (uint8_t)((x >> 1) | (x >> 2)); - + r |= (r >> 2); r |= (r >> 4); return (r + 1) >> 1; @@ -345,14 +345,14 @@ static uint8_t fi(const uint8_t x) if(!n1) return v1; while(n2 >= n1) - { + { n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2); } - + if(!n2) return v2; while(n1 >= n2) - { + { n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1); } } @@ -392,9 +392,9 @@ void gen_tabs(void) root is 0x03, used here to generate the tables */ - i = 0; w = 1; + i = 0; w = 1; do - { + { pow[i] = (uint8_t)w; pow[i + 255] = (uint8_t)w; log[w] = (uint8_t)i++; diff --git a/src/lib/crypto/builtin/aes/uitypes.h b/src/lib/crypto/builtin/aes/uitypes.h index 3a7292183..fe8f9bacf 100644 --- a/src/lib/crypto/builtin/aes/uitypes.h +++ b/src/lib/crypto/builtin/aes/uitypes.h @@ -5,28 +5,28 @@ LICENSE TERMS - The free distribution and use of this software in both source and binary + The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: - 1. distributions of this source code include the above copyright + 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties - in respect of any properties, including, but not limited to, correctness + in respect of any properties, including, but not limited to, correctness and fitness for purpose. ------------------------------------------------------------------------- Issue Date: 01/02/2002 - This file contains code to obtain or set the definitions for fixed length + This file contains code to obtain or set the definitions for fixed length unsigned integer types. */ diff --git a/src/lib/crypto/builtin/arcfour/arcfour.c b/src/lib/crypto/builtin/arcfour/arcfour.c index ff2f4378c..1f49812eb 100644 --- a/src/lib/crypto/builtin/arcfour/arcfour.c +++ b/src/lib/crypto/builtin/arcfour/arcfour.c @@ -337,4 +337,3 @@ krb5int_arcfour_decrypt(const struct krb5_enc_provider *enc, free(plaintext.data); return (ret); } - diff --git a/src/lib/crypto/builtin/arcfour/arcfour_aead.c b/src/lib/crypto/builtin/arcfour/arcfour_aead.c index c01fc001b..7ede21d57 100644 --- a/src/lib/crypto/builtin/arcfour/arcfour_aead.c +++ b/src/lib/crypto/builtin/arcfour/arcfour_aead.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -106,7 +106,7 @@ krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead, * Caller must have provided space for the header, padding * and trailer; per RFC 4757 we will arrange it as: * - * Checksum | E(Confounder | Plaintext) + * Checksum | E(Confounder | Plaintext) */ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); @@ -246,7 +246,7 @@ krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead, trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); if (trailer != NULL && trailer->data.length != 0) return KRB5_BAD_MSIZE; - + ret = alloc_derived_key(enc, &k1, &d1, &key->keyblock); if (ret != 0) goto cleanup; @@ -334,4 +334,3 @@ const struct krb5_aead_provider krb5int_aead_arcfour = { krb5int_arcfour_encrypt_iov, krb5int_arcfour_decrypt_iov }; - diff --git a/src/lib/crypto/builtin/arcfour/arcfour_s2k.c b/src/lib/crypto/builtin/arcfour/arcfour_s2k.c index 09c9b7689..1aaaa1cc4 100644 --- a/src/lib/crypto/builtin/arcfour/arcfour_s2k.c +++ b/src/lib/crypto/builtin/arcfour/arcfour_s2k.c @@ -19,7 +19,7 @@ krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc, if (params != NULL) return KRB5_ERR_BAD_S2K_PARAMS; - + if (key->length != 16) return (KRB5_BAD_MSIZE); @@ -40,7 +40,7 @@ krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc, krb5int_MD4Final(&md4_context); memcpy(key->contents, md4_context.digest, 16); -#if 0 +#if 0 /* test the string_to_key function */ printf("Hash="); { diff --git a/src/lib/crypto/builtin/des/afsstring2key.c b/src/lib/crypto/builtin/des/afsstring2key.c index eb6c37f33..4b61a2fd4 100644 --- a/src/lib/crypto/builtin/des/afsstring2key.c +++ b/src/lib/crypto/builtin/des/afsstring2key.c @@ -1,7 +1,7 @@ /* * lib/crypto/des/string2key.c * - * based on lib/crypto/des/string2key.c from MIT V5 + * based on lib/crypto/des/string2key.c from MIT V5 * and on lib/des/afs_string_to_key.c from UMD. * constructed by Mark Eichin, Cygnus Support, 1995. * made thread-safe by Ken Raeburn, MIT, 2001. @@ -15,7 +15,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -33,14 +33,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -51,7 +51,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -72,10 +72,10 @@ mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data, const krb5_data *salt) { /* totally different approach from MIT string2key. */ - /* much of the work has already been done by the only caller - which is mit_des_string_to_key; in particular, *keyblock is already + /* much of the work has already been done by the only caller + which is mit_des_string_to_key; in particular, *keyblock is already set up. */ - + char *realm = salt->data; unsigned int i, j; krb5_octet *key = keyblock->contents; @@ -129,7 +129,7 @@ mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data, if (isupper(password[i])) password[i] = tolower(password[i]); } - + memcpy (ikey, "kerberos", sizeof(ikey)); memcpy (tkey, ikey, sizeof(tkey)); mit_des_fixup_key_parity (tkey); @@ -140,13 +140,13 @@ mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data, mit_des_fixup_key_parity (tkey); (void) mit_des_key_sched (tkey, key_sked); (void) mit_des_cbc_cksum (password, key, i, key_sked, ikey); - + /* erase key_sked */ memset(key_sked, 0,sizeof(key_sked)); /* now fix up key parity again */ mit_des_fixup_key_parity(key); - + /* clean & free the input string */ memset(password, 0, (size_t) pw_len); free(password); @@ -162,7 +162,7 @@ mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data, /* Portions of this code: Copyright 1989 by the Massachusetts Institute of Technology */ - + /* * Copyright (c) 1990 Regents of The University of Michigan. * All Rights Reserved. @@ -201,7 +201,7 @@ static const char IP[] = { 61,53,45,37,29,21,13, 5, 63,55,47,39,31,23,15, 7, }; - + /* * Final permutation, FP = IP^(-1) */ @@ -215,7 +215,7 @@ static const char FP[] = { 34, 2,42,10,50,18,58,26, 33, 1,41, 9,49,17,57,25, }; - + /* * Permuted-choice 1 from the key bits to yield C and D. * Note that bits 8,16... are left out: They are intended for a parity check. @@ -226,21 +226,21 @@ static const char PC1_C[] = { 10, 2,59,51,43,35,27, 19,11, 3,60,52,44,36, }; - + static const char PC1_D[] = { 63,55,47,39,31,23,15, 7,62,54,46,38,30,22, 14, 6,61,53,45,37,29, 21,13, 5,28,20,12, 4, }; - + /* * Sequence of shifts used for the key schedule. */ static const char shifts[] = { 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, }; - + /* * Permuted-choice 2, to pick out the bits from * the CD array that generate the key schedule. @@ -251,14 +251,14 @@ static const char PC2_C[] = { 23,19,12, 4,26, 8, 16, 7,27,20,13, 2, }; - + static const char PC2_D[] = { 41,52,31,37,47,55, 30,40,51,45,33,48, 44,49,39,56,34,53, 46,42,50,36,29,32, }; - + /* * The E bit-selection table. */ @@ -272,7 +272,7 @@ static const char e[] = { 24,25,26,27,28,29, 28,29,30,31,32, 1, }; - + /* * P is a permutation on the selected combination * of the current L and key. @@ -287,7 +287,7 @@ static const char P[] = { 19,13,30, 6, 22,11, 4,25, }; - + /* * The 8 selection functions. * For some reason, they give a 0-origin @@ -298,44 +298,44 @@ static const char S[8][64] = { 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}, - + {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9}, - + {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12}, - + { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}, - + { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3}, - + {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13}, - + { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12}, - + {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}, }; - - + + char *afs_crypt(const char *pw, const char *salt, /* must be at least 16 bytes */ char *iobuf) @@ -349,7 +349,7 @@ char *afs_crypt(const char *pw, const char *salt, * Generated from the key. */ char KS[16][48]; - + for(i=0; i<66; i++) block[i] = 0; for(i=0; (c= *pw) && i<64; pw++){ @@ -357,7 +357,7 @@ char *afs_crypt(const char *pw, const char *salt, block[i] = (c>>(6-j)) & 01; i++; } - + krb5_afs_crypt_setkey(block, E, KS); for(i=0; i<66; i++) @@ -377,10 +377,10 @@ char *afs_crypt(const char *pw, const char *salt, } } } - + for(i=0; i<25; i++) krb5_afs_encrypt(block,E,KS); - + for(i=0; i<11; i++){ c = 0; for(j=0; j<6; j++){ @@ -401,7 +401,7 @@ char *afs_crypt(const char *pw, const char *salt, /* * Set up the key schedule from the key. */ - + static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) { register int i, j, k; @@ -410,7 +410,7 @@ static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) * The C and D arrays used to calculate the key schedule. */ char C[28], D[28]; - + /* * First, generate C and D by permuting * the key. The low order bit of each @@ -448,7 +448,7 @@ static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) KS[i][j+24] = D[PC2_D[j]-28-1]; } } - + #if 0 for(i=0;i<48;i++) { E[i] = e[i]; @@ -457,11 +457,11 @@ static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) memcpy(E, e, 48); #endif } - + /* * The payoff: encrypt a block. */ - + static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48]) { const long edflag = 0; diff --git a/src/lib/crypto/builtin/des/d3_aead.c b/src/lib/crypto/builtin/des/d3_aead.c index 22452837e..3eb942256 100644 --- a/src/lib/crypto/builtin/des/d3_aead.c +++ b/src/lib/crypto/builtin/des/d3_aead.c @@ -7,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/builtin/des/d3_cbc.c b/src/lib/crypto/builtin/des/d3_cbc.c index 077e78d2c..f90d8e5b5 100644 --- a/src/lib/crypto/builtin/des/d3_cbc.c +++ b/src/lib/crypto/builtin/des/d3_cbc.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/builtin/des/d3_kysched.c b/src/lib/crypto/builtin/des/d3_kysched.c index f18cc2419..2a9cc5a2d 100644 --- a/src/lib/crypto/builtin/des/d3_kysched.c +++ b/src/lib/crypto/builtin/des/d3_kysched.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h index fd2024a45..d6fa04aa5 100644 --- a/src/lib/crypto/builtin/des/des_int.h +++ b/src/lib/crypto/builtin/des/des_int.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +22,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Private include file for the Data Encryption Standard library. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +47,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -112,7 +112,7 @@ KRB5INT_DES_DEPRECATED; * have an exact 32-bit int, and nothing should be looking inside a * des_key_schedule anyway. */ -typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] +typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] KRB5INT_DES_DEPRECATED; typedef des_cblock mit_des_cblock; @@ -176,7 +176,7 @@ extern int mit_des_cbc_encrypt (const mit_des_cblock *in, unsigned long length, const mit_des_key_schedule schedule, const mit_des_cblock ivec, int enc); - + #define mit_des_zeroblock krb5int_c_mit_des_zeroblock extern const mit_des_cblock mit_des_zeroblock; @@ -214,7 +214,7 @@ extern krb5_error_code mit_des_random_key /* string2key.c */ extern krb5_error_code mit_des_string_to_key - ( const krb5_encrypt_block *, + ( const krb5_encrypt_block *, krb5_keyblock *, const krb5_data *, const krb5_data *); extern krb5_error_code mit_des_string_to_key_int (krb5_keyblock *, const krb5_data *, const krb5_data *); diff --git a/src/lib/crypto/builtin/des/destest.c b/src/lib/crypto/builtin/des/destest.c index ef8785838..287a4e93d 100644 --- a/src/lib/crypto/builtin/des/destest.c +++ b/src/lib/crypto/builtin/des/destest.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Test a DES implementation against known inputs & outputs */ @@ -30,14 +30,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -48,7 +48,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -101,7 +101,7 @@ main(argc, argv) sched, zeroblock, 1); if (memcmp((char *)output2, (char *)output, 8)) { - fprintf(stderr, + fprintf(stderr, "DES ENCRYPT ERROR, key %s, text %s, real cipher %s, computed cyphertext %02X%02X%02X%02X%02X%02X%02X%02X\n", block1, block2, block3, output2[0],output2[1],output2[2],output2[3], @@ -116,7 +116,7 @@ main(argc, argv) sched, zeroblock, 0); if (memcmp((char *)output2, (char *)input, 8)) { - fprintf(stderr, + fprintf(stderr, "DES DECRYPT ERROR, key %s, text %s, real cipher %s, computed cleartext %02X%02X%02X%02X%02X%02X%02X%02X\n", block1, block2, block3, output2[0],output2[1],output2[2],output2[3], @@ -127,7 +127,7 @@ main(argc, argv) num++; } - if (error) + if (error) printf("destest: failed to pass the test\n"); else printf("destest: %d tests passed successfully\n", num); @@ -217,13 +217,13 @@ mit_des_check_key_parity(key) register mit_des_cblock key; { int i; - + for (i=0; i> 14) & 0xf) | ((d >> 15) & 0x30)] | PC2_D[2][((d >> 7) & 0x3f)] | PC2_D[3][((d ) & 0x3) | ((d >> 1) & 0x3c)]; - + /* * Make up two words of the key schedule, with a * byte order which is convenient for the DES diff --git a/src/lib/crypto/builtin/des/key_sched.c b/src/lib/crypto/builtin/des/key_sched.c index 26449a94c..dc6f3490f 100644 --- a/src/lib/crypto/builtin/des/key_sched.c +++ b/src/lib/crypto/builtin/des/key_sched.c @@ -9,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -23,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * This routine computes the DES key schedule given a key. The * permutations and shifts have been done at compile time, resulting diff --git a/src/lib/crypto/builtin/des/string2key.c b/src/lib/crypto/builtin/des/string2key.c index 0ce413685..c817806fa 100644 --- a/src/lib/crypto/builtin/des/string2key.c +++ b/src/lib/crypto/builtin/des/string2key.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Compute encryption key from salt and pass phrase. */ diff --git a/src/lib/crypto/builtin/des/t_verify.c b/src/lib/crypto/builtin/des/t_verify.c index a6ad07cb8..6c1f17b50 100644 --- a/src/lib/crypto/builtin/des/t_verify.c +++ b/src/lib/crypto/builtin/des/t_verify.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Program to test the correctness of the DES library * implementation. @@ -33,14 +33,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -51,7 +51,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -118,7 +118,7 @@ unsigned char mresult[8] = { 0xa3, 0x80, 0xe0, 0x2a, 0x6b, 0xe5, 0x46, 0x96 }; - + /* * Can also add : * plaintext = 0, key = 0, cipher = 0x8ca64de9c1b123a7 (or is it a 1?) @@ -237,7 +237,7 @@ main(argc,argv) printf("verify: error in ECB encryption\n"); exit(-1); } - else + else printf("verify: ECB encryption is correct\n\n"); } @@ -261,7 +261,7 @@ main(argc,argv) printf("verify: error in ECB encryption\n"); exit(-1); } - else + else printf("verify: ECB encryption is correct\n\n"); } @@ -277,7 +277,7 @@ main(argc,argv) in_length = strlen((char *)input); if ((retval = mit_des_cbc_encrypt((const mit_des_cblock *) input, (mit_des_cblock *) cipher_text, - (size_t) in_length, + (size_t) in_length, sched, ivec, MIT_DES_ENCRYPT))) { @@ -294,7 +294,7 @@ main(argc,argv) } if ((retval = mit_des_cbc_encrypt((const mit_des_cblock *) cipher_text, (mit_des_cblock *) clear_text, - (size_t) in_length, + (size_t) in_length, sched, ivec, MIT_DES_DECRYPT))) { @@ -307,7 +307,7 @@ main(argc,argv) printf("verify: error in CBC encryption\n"); exit(-1); } - else + else printf("verify: CBC encryption is correct\n\n"); printf("EXAMPLE CBC checksum"); @@ -327,7 +327,7 @@ main(argc,argv) printf("verify: error in CBC cheksum\n"); exit(-1); } - else + else printf("verify: CBC checksum is correct\n\n"); exit(0); diff --git a/src/lib/crypto/builtin/des/weak_key.c b/src/lib/crypto/builtin/des/weak_key.c index 2eab9f543..7086789cf 100644 --- a/src/lib/crypto/builtin/des/weak_key.c +++ b/src/lib/crypto/builtin/des/weak_key.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Under U.S. law, this software may not be exported outside the US * without license from the U.S. Commerce department. diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c index 52fb2259d..b735cc98e 100644 --- a/src/lib/crypto/builtin/enc_provider/aes.c +++ b/src/lib/crypto/builtin/enc_provider/aes.c @@ -403,4 +403,3 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { krb5int_aes_encrypt_iov, krb5int_aes_decrypt_iov }; - diff --git a/src/lib/crypto/builtin/enc_provider/des.c b/src/lib/crypto/builtin/enc_provider/des.c index d73a1d290..f531c061f 100644 --- a/src/lib/crypto/builtin/enc_provider/des.c +++ b/src/lib/crypto/builtin/enc_provider/des.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/builtin/enc_provider/des3.c b/src/lib/crypto/builtin/enc_provider/des3.c index eae504b8c..c73163988 100644 --- a/src/lib/crypto/builtin/enc_provider/des3.c +++ b/src/lib/crypto/builtin/enc_provider/des3.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -187,4 +187,3 @@ const struct krb5_enc_provider krb5int_enc_des3 = { k5_des3_encrypt_iov, k5_des3_decrypt_iov }; - diff --git a/src/lib/crypto/builtin/enc_provider/enc_provider.h b/src/lib/crypto/builtin/enc_provider/enc_provider.h index 92022b3c8..49ffaafea 100644 --- a/src/lib/crypto/builtin/enc_provider/enc_provider.h +++ b/src/lib/crypto/builtin/enc_provider/enc_provider.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -33,4 +33,3 @@ extern const struct krb5_enc_provider krb5int_enc_aes128; extern const struct krb5_enc_provider krb5int_enc_aes256; extern const struct krb5_enc_provider krb5int_enc_aes128_ctr; extern const struct krb5_enc_provider krb5int_enc_aes256_ctr; - diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c index 47c131da4..3c3e0f131 100644 --- a/src/lib/crypto/builtin/enc_provider/rc4.c +++ b/src/lib/crypto/builtin/enc_provider/rc4.c @@ -1,4 +1,4 @@ -/* arcfour.c +/* arcfour.c * * Copyright (c) 2000 by Computer Science Laboratory, * Rensselaer Polytechnic Institute @@ -20,11 +20,11 @@ static unsigned int k5_arcfour_byte(ArcfourContext *); #endif /* gcc inlines*/ /* Initializes the context and sets the key. */ -static krb5_error_code k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, +static krb5_error_code k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, unsigned int keylen); /* Encrypts/decrypts data. */ -static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, +static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, const unsigned char *src, unsigned int len); /* Interface layer to kerb5 crypto layer */ @@ -61,7 +61,7 @@ static inline unsigned int k5_arcfour_byte(ArcfourContext * ctx) return state[(sx + sy) & 0xff]; } -static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, +static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, const unsigned char *src, unsigned int len) { unsigned int i; @@ -71,7 +71,7 @@ static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, static krb5_error_code -k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, +k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, unsigned int key_len) { unsigned int t, u; @@ -153,7 +153,7 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, memset(arcfour_ctx, 0, sizeof (ArcfourContext)); free(arcfour_ctx); } - + return 0; } @@ -234,7 +234,7 @@ k5_arcfour_init_state (const krb5_keyblock *key, return 0; } -/* Since the arcfour cipher is identical going forwards and backwards, +/* Since the arcfour cipher is identical going forwards and backwards, we just call "docrypt" directly */ const struct krb5_enc_provider krb5int_enc_arcfour = { @@ -254,4 +254,3 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_docrypt_iov, k5_arcfour_docrypt_iov }; - diff --git a/src/lib/crypto/builtin/hash_provider/hash_crc32.c b/src/lib/crypto/builtin/hash_provider/hash_crc32.c index 780e1589d..771a7d6f3 100644 --- a/src/lib/crypto/builtin/hash_provider/hash_crc32.c +++ b/src/lib/crypto/builtin/hash_provider/hash_crc32.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -34,7 +34,7 @@ k5_crc32_hash(unsigned int icount, const krb5_data *input, { unsigned long c, cn; unsigned int i; - + if (output->length != CRC32_CKSUM_LENGTH) return(KRB5_CRYPTO_INTERNAL); diff --git a/src/lib/crypto/builtin/hash_provider/hash_md4.c b/src/lib/crypto/builtin/hash_provider/hash_md4.c index 3a4a4d530..916da0fa5 100644 --- a/src/lib/crypto/builtin/hash_provider/hash_md4.c +++ b/src/lib/crypto/builtin/hash_provider/hash_md4.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/builtin/hash_provider/hash_md5.c b/src/lib/crypto/builtin/hash_provider/hash_md5.c index 10840d0d9..e1e29f06e 100644 --- a/src/lib/crypto/builtin/hash_provider/hash_md5.c +++ b/src/lib/crypto/builtin/hash_provider/hash_md5.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/builtin/hash_provider/hash_provider.h b/src/lib/crypto/builtin/hash_provider/hash_provider.h index 4fa46097d..1023d1a45 100644 --- a/src/lib/crypto/builtin/hash_provider/hash_provider.h +++ b/src/lib/crypto/builtin/hash_provider/hash_provider.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/builtin/hash_provider/hash_sha1.c b/src/lib/crypto/builtin/hash_provider/hash_sha1.c index 00ab72bda..1f1fc62bd 100644 --- a/src/lib/crypto/builtin/hash_provider/hash_sha1.c +++ b/src/lib/crypto/builtin/hash_provider/hash_sha1.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/builtin/hmac.c b/src/lib/crypto/builtin/hmac.c index d1be17e9c..3e58a5998 100644 --- a/src/lib/crypto/builtin/hmac.c +++ b/src/lib/crypto/builtin/hmac.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -98,7 +98,7 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash, hashin[0].length = blocksize; hashin[0].data = (char *) xorkey; - for (i=0; ii[0] = mdContext->i[1] = (krb5_ui_4)0; diff --git a/src/lib/crypto/builtin/pbkdf2.c b/src/lib/crypto/builtin/pbkdf2.c index 96409ba28..7b45fe8b0 100644 --- a/src/lib/crypto/builtin/pbkdf2.c +++ b/src/lib/crypto/builtin/pbkdf2.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Implementation of PBKDF2 from RFC 2898. */ diff --git a/src/lib/crypto/builtin/sha1/t_shs3.c b/src/lib/crypto/builtin/sha1/t_shs3.c index 96b36a76e..cf9787eda 100644 --- a/src/lib/crypto/builtin/sha1/t_shs3.c +++ b/src/lib/crypto/builtin/sha1/t_shs3.c @@ -43,7 +43,7 @@ static void longReverse( SHS_LONG *buffer, int byteCount ) byteCount /= sizeof( SHS_LONG ); while( byteCount-- ) { value = *buffer; - value = ( ( value & 0xFF00FF00L ) >> 8 ) | + value = ( ( value & 0xFF00FF00L ) >> 8 ) | ( ( value & 0x00FF00FFL ) << 8 ); *buffer++ = ( value << 16 ) | ( value >> 16 ); } diff --git a/src/lib/crypto/builtin/t_cf2.c b/src/lib/crypto/builtin/t_cf2.c index 2e171c275..0c968ea84 100644 --- a/src/lib/crypto/builtin/t_cf2.c +++ b/src/lib/crypto/builtin/t_cf2.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * This file contains tests for theKRB-FX-CF2 code in Kerberos, based *on the PRF regression tests. It reads an input file, and writes an *output file. It is assumed that the output file will be diffed @@ -77,7 +77,7 @@ int main () { krb5_free_keyblock(0,out); out = NULL; - + krb5_free_keyblock(0, k1); k1 = NULL; krb5_free_keyblock(0, k2); diff --git a/src/lib/crypto/crypto_tests/aes-test.c b/src/lib/crypto/crypto_tests/aes-test.c index 8999bd757..3ccacd858 100644 --- a/src/lib/crypto/crypto_tests/aes-test.c +++ b/src/lib/crypto/crypto_tests/aes-test.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Subset of NIST tests for AES; specifically, the variable-key and * variable-text tests for 128- and 256-bit keys. diff --git a/src/lib/crypto/crypto_tests/t_crc.c b/src/lib/crypto/crypto_tests/t_crc.c index e8a353a0b..cf837f8dd 100644 --- a/src/lib/crypto/crypto_tests/t_crc.c +++ b/src/lib/crypto/crypto_tests/t_crc.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/crypto_tests/t_cts.c b/src/lib/crypto/crypto_tests/t_cts.c index 596ca3b7d..d948532cb 100644 --- a/src/lib/crypto/crypto_tests/t_cts.c +++ b/src/lib/crypto/crypto_tests/t_cts.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Test vectors for crypto code, matching data submitted for inclusion * with RFC1510bis. diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c index aac31fb21..5615bc8d7 100644 --- a/src/lib/crypto/crypto_tests/t_encrypt.c +++ b/src/lib/crypto/crypto_tests/t_encrypt.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,11 +22,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * <<< Description >>> */ -/* +/* * Some black-box tests of crypto systems. Make sure that we can decrypt things we encrypt, etc. */ @@ -125,7 +125,7 @@ main () enc_out.ciphertext = out; enc_out2.ciphertext = out2; - /* We use an intermediate `len' because size_t may be different size + /* We use an intermediate `len' because size_t may be different size than `int' */ krb5_c_encrypt_length (context, keyblock->enctype, in.length, &len); enc_out.ciphertext.length = len; @@ -200,7 +200,7 @@ main () krb5_c_decrypt_iov(context, keyblock, 7, 0, iov, 5)); test("Comparing results", compare_results(&in, &iov[1].data)); - + /* Try again with opaque-key-using variants. */ test("iov encrypting (k)", krb5_k_encrypt_iov(context, key, 7, 0, iov, 5)); @@ -261,5 +261,3 @@ main () free(check2.data); return 0; } - - diff --git a/src/lib/crypto/crypto_tests/t_hmac.c b/src/lib/crypto/crypto_tests/t_hmac.c index d09adb080..55b47b8eb 100644 --- a/src/lib/crypto/crypto_tests/t_hmac.c +++ b/src/lib/crypto/crypto_tests/t_hmac.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Test vectors for HMAC-MD5 and HMAC-SHA1 (placeholder only). * Tests taken from RFC 2202. @@ -91,7 +91,7 @@ struct hmac_test { const char *hexdigest; }; -static krb5_error_code hmac1(const struct krb5_hash_provider *h, +static krb5_error_code hmac1(const struct krb5_hash_provider *h, krb5_keyblock *key, krb5_data *in, krb5_data *out) { @@ -223,7 +223,7 @@ static void test_hmac() 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, }, - 73, + 73, "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data", "0x6f630fad67cda0ee1fb1f562db3aa53e" }, diff --git a/src/lib/crypto/crypto_tests/t_kperf.c b/src/lib/crypto/crypto_tests/t_kperf.c index f56aa3cd1..4c99d72aa 100644 --- a/src/lib/crypto/crypto_tests/t_kperf.c +++ b/src/lib/crypto/crypto_tests/t_kperf.c @@ -9,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/crypto_tests/t_mddriver.c b/src/lib/crypto/crypto_tests/t_mddriver.c index 2c0210cac..3fab84721 100644 --- a/src/lib/crypto/crypto_tests/t_mddriver.c +++ b/src/lib/crypto/crypto_tests/t_mddriver.c @@ -117,7 +117,7 @@ struct md_test_entry md_test_suite[] = { { "abcdefghijklmnopqrstuvwxyz", {0xc3, 0xfc, 0xd3, 0xd7, 0x61, 0x92, 0xe4, 0x00, 0x7d, 0xfb, 0x49, 0x6c, 0xca, 0x67, 0xe1, 0x3b }}, - { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", {0xd1, 0x74, 0xab, 0x98, 0xd2, 0x77, 0xd9, 0xf5, 0xa5, 0x61, 0x1c, 0x2c, 0x9f, 0x41, 0x9d, 0x9f }}, { "12345678901234567890123456789012345678901234567890123456789012345678901234567890", @@ -125,7 +125,7 @@ struct md_test_entry md_test_suite[] = { 0xac, 0x49, 0xda, 0x2e, 0x21, 0x07, 0xb6, 0x7a }}, { 0, {0} } }; - + #endif /* Main driver. @@ -185,7 +185,7 @@ static void MDTimeTrial () time_t endTime, startTime; unsigned char block[TEST_BLOCK_LEN]; unsigned int i; - + printf("MD%d time trial. Digesting %d %d-byte blocks ...", MD, TEST_BLOCK_LEN, TEST_BLOCK_COUNT); @@ -222,7 +222,7 @@ static void MDTestSuite () MD_CTX context; struct md_test_entry *entry; int i, num_tests = 0, num_failed = 0; - + printf ("MD%d test suite:\n\n", MD); for (entry = md_test_suite; entry->string; entry++) { unsigned int len = strlen (entry->string); @@ -254,7 +254,7 @@ static void MDTestSuite () exit(0); } #else - + printf ("MD%d test suite:\n", MD); MDString (""); MDString ("a"); diff --git a/src/lib/crypto/crypto_tests/t_nfold.c b/src/lib/crypto/crypto_tests/t_nfold.c index 2b5b0e3f8..27a5760c4 100644 --- a/src/lib/crypto/crypto_tests/t_nfold.c +++ b/src/lib/crypto/crypto_tests/t_nfold.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Program to test the correctness of nfold implementation. * @@ -139,7 +139,7 @@ main(argc, argv) printf("N-fold\n"); for (i=0; inum_sources; sid++ ) { source = &y->source[ sid ]; - printf( "#%d=%d/%d, ", sid, source->entropy[pool], - pool == YARROW_SLOW_POOL ? + printf( "#%d=%d/%d, ", sid, source->entropy[pool], + pool == YARROW_SLOW_POOL ? y->slow_thresh : y->fast_thresh ); } } @@ -44,8 +44,8 @@ int Instrumented_krb5int_yarrow_input( Yarrow_CTX* y, int sid, void* sample, { int ret; - VERBOSE( printf( "krb5int_yarrow_input( #%d, %d bits, %s ) = [", sid, entropy, - y->source[sid].pool == + VERBOSE( printf( "krb5int_yarrow_input( #%d, %d bits, %s ) = [", sid, entropy, + y->source[sid].pool == YARROW_SLOW_POOL ? "slow" : "fast" ); ); ret = krb5int_yarrow_input( y, sid, sample, size, entropy ); @@ -95,15 +95,15 @@ int main( int argc, char* argv[] ) int done_some_tests = 0; int i; int ret; - + for ( argvp = argv+1, i = 1; i < argc; i++, argvp++ ) { arg = *argvp; - if ( arg[0] == '-' ) + if ( arg[0] == '-' ) { switch ( arg[1] ) { - case 'v': yarrow_verbose = 1; continue; + case 'v': yarrow_verbose = 1; continue; default: fprintf( stderr, "usage: test [-v] [[test] ... ]\n" ); THROW( YARROW_FAIL ); } @@ -193,7 +193,7 @@ int test_3( void ) VERBOSE( printf( "\nkrb5int_yarrow_stretch\n\n" ); ); THROW( YARROW_NOT_IMPL ); - + CATCH: EXCEP_RET; } @@ -232,18 +232,18 @@ int test_4( void ) VERBOSE( printf( "krb5int_yarrow_new_source() = [%s]\n", krb5int_yarrow_str_error( ret ) ); ); if ( ret != YARROW_OK ) { THROW( ret ); } - + VERBOSE( printf( "Yarrow_Poll( #%d ) = [", user ); ); ret = Yarrow_Poll( &yarrow, user ); VERBOSE( printf( "%s]\n", krb5int_yarrow_str_error( ret ) ); ); ret = krb5int_yarrow_new_source( &yarrow, &mouse ); - VERBOSE( printf( "krb5int_yarrow_new_source() = [%s]\n", + VERBOSE( printf( "krb5int_yarrow_new_source() = [%s]\n", krb5int_yarrow_str_error( ret ) ); ); if ( ret != YARROW_OK ) { THROW( ret ); } ret = krb5int_yarrow_new_source( &yarrow, &keyboard ); - VERBOSE( printf( "krb5int_yarrow_new_source() = [%s]\n", + VERBOSE( printf( "krb5int_yarrow_new_source() = [%s]\n", krb5int_yarrow_str_error( ret ) ); ); if ( ret != YARROW_OK ) { THROW( ret ); } @@ -255,22 +255,22 @@ int test_4( void ) ret = krb5int_yarrow_output( &yarrow, random, sizeof( random ) ); VERBOSE( printf( "%s]\n", krb5int_yarrow_str_error( ret ) ); ); -/* do it twice so that we some slow samples +/* do it twice so that we some slow samples * (first sample goes to fast pool, and then samples alternate) */ for ( i = 0; i < 2; i++ ) { - TRY( Instrumented_krb5int_yarrow_input( &yarrow, mouse, mouse_sample, + TRY( Instrumented_krb5int_yarrow_input( &yarrow, mouse, mouse_sample, sizeof( mouse_sample ), 2 ) ); - - TRY( Instrumented_krb5int_yarrow_input( &yarrow, keyboard, keyboard_sample, + + TRY( Instrumented_krb5int_yarrow_input( &yarrow, keyboard, keyboard_sample, sizeof( keyboard_sample ), 2 ) ); - TRY( Instrumented_krb5int_yarrow_input( &yarrow, user, user_sample, + TRY( Instrumented_krb5int_yarrow_input( &yarrow, user, user_sample, sizeof( user_sample ), 2 ) ); } - + #if defined( YARROW_DEBUG ) dump_yarrow_state( stdout, &yarrow ); #endif @@ -282,8 +282,8 @@ int test_4( void ) for ( i = 0; i < 7; i++ ) { - TRY( Instrumented_krb5int_yarrow_input( &yarrow, user, user_sample, - sizeof( user_sample ), + TRY( Instrumented_krb5int_yarrow_input( &yarrow, user, user_sample, + sizeof( user_sample ), sizeof( user_sample ) * 3 ) ); } @@ -295,8 +295,8 @@ int test_4( void ) for ( i = 0; i < 40; i++ ) { - TRY( Instrumented_krb5int_yarrow_input( &yarrow, mouse, mouse_sample, - sizeof( mouse_sample ), + TRY( Instrumented_krb5int_yarrow_input( &yarrow, mouse, mouse_sample, + sizeof( mouse_sample ), sizeof( mouse_sample )*2 ) ); } @@ -320,20 +320,20 @@ int test_4( void ) if ( i % 16 == 0 ) { - TRY( Instrumented_krb5int_yarrow_input( &yarrow, mouse, junk, - sizeof( junk ), + TRY( Instrumented_krb5int_yarrow_input( &yarrow, mouse, junk, + sizeof( junk ), sizeof( junk ) * 3 ) ); } else { - TRY( Instrumented_krb5int_yarrow_input( &yarrow, user, junk, - sizeof( junk ), + TRY( Instrumented_krb5int_yarrow_input( &yarrow, user, junk, + sizeof( junk ), sizeof( junk ) * 3 ) ); } } VERBOSE( printf( "\nPrint some random output\n\n" ); ); - + VERBOSE( printf( "krb5int_yarrow_output( %d ) = [", sizeof( random ) ); ); ret = krb5int_yarrow_output( &yarrow, random, sizeof( random ) ); VERBOSE( printf( "%s]\n", krb5int_yarrow_str_error( ret ) ); ); @@ -365,7 +365,7 @@ void hex_print( FILE* f, const char* var, void* data, size_t size ) size_t i; char* p = (char*) data; char c, d; - + fprintf( f, var ); fprintf( f, " = " ); for ( i = 0; i < size; i++ ) diff --git a/src/lib/crypto/krb/aead.c b/src/lib/crypto/krb/aead.c index fd9a50e0b..f3ca11b6e 100644 --- a/src/lib/crypto/krb/aead.c +++ b/src/lib/crypto/krb/aead.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -91,7 +91,7 @@ make_unkeyed_checksum_iov(const struct krb5_hash_provider *hash_provider, return ret; } -krb5_error_code +krb5_error_code krb5int_c_make_checksum_iov(const struct krb5_cksumtypes *cksum_type, krb5_key key, krb5_keyusage usage, @@ -382,7 +382,7 @@ krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead, iov[i].data.data = stream->data.data; iov[i].data.length = header_len; i++; - + for (j = 0; j < num_data; j++) { if (data[j].flags == KRB5_CRYPTO_TYPE_DATA) { if (got_data) { @@ -570,4 +570,3 @@ krb5int_c_encrypt_length_aead_compat(const struct krb5_aead_provider *aead, *length = header_len + inputlen + padding_len + trailer_len; } - diff --git a/src/lib/crypto/krb/aead.h b/src/lib/crypto/krb/aead.h index cc43875e2..f9e92bdc5 100644 --- a/src/lib/crypto/krb/aead.h +++ b/src/lib/crypto/krb/aead.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/krb/block_size.c b/src/lib/crypto/krb/block_size.c index 336dbc2a2..6f889458c 100644 --- a/src/lib/crypto/krb/block_size.c +++ b/src/lib/crypto/krb/block_size.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/cf2.c b/src/lib/crypto/krb/cf2.c index 1c6896c16..b5724a391 100644 --- a/src/lib/crypto/krb/cf2.c +++ b/src/lib/crypto/krb/cf2.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +22,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * Implement KRB_FX_CF2 function per *draft-ietf-krb-wg-preauth-framework-09. Take two keys and two @@ -37,7 +37,7 @@ /* * Call the PRF function multiple times with the pepper prefixed with - * a count byte to get enough bits of output. + * a count byte to get enough bits of output. */ static krb5_error_code prf_plus(krb5_context context, krb5_keyblock *k, const char *pepper, @@ -90,7 +90,7 @@ cleanup: return retval; } - + krb5_error_code KRB5_CALLCONV krb5_c_fx_cf2_simple(krb5_context context, krb5_keyblock *k1, const char *pepper1, diff --git a/src/lib/crypto/krb/checksum_length.c b/src/lib/crypto/krb/checksum_length.c index aeb057cbb..bc1c9d34e 100644 --- a/src/lib/crypto/krb/checksum_length.c +++ b/src/lib/crypto/krb/checksum_length.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -50,4 +50,3 @@ krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, return 0; } - diff --git a/src/lib/crypto/krb/cksumtype_to_string.c b/src/lib/crypto/krb/cksumtype_to_string.c index d97476623..d5bb702df 100644 --- a/src/lib/crypto/krb/cksumtype_to_string.c +++ b/src/lib/crypto/krb/cksumtype_to_string.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/cksumtypes.c b/src/lib/crypto/krb/cksumtypes.c index e03c0adc8..2c1924ded 100644 --- a/src/lib/crypto/krb/cksumtypes.c +++ b/src/lib/crypto/krb/cksumtypes.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -69,21 +69,21 @@ const struct krb5_cksumtypes krb5int_cksumtypes_list[] = { &krb5int_hash_sha1 }, { CKSUMTYPE_HMAC_MD5_ARCFOUR, 0, "hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" }, - "Microsoft HMAC MD5 (RC4 key)", + "Microsoft HMAC MD5 (RC4 key)", ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_hmac_md5, NULL }, { CKSUMTYPE_HMAC_SHA1_96_AES128, KRB5_CKSUMFLAG_DERIVE, "hmac-sha1-96-aes128", { 0 }, "HMAC-SHA1 AES128 key", - 0, NULL, + 0, NULL, &krb5int_hash_sha1, 12 }, { CKSUMTYPE_HMAC_SHA1_96_AES256, KRB5_CKSUMFLAG_DERIVE, "hmac-sha1-96-aes256", { 0 }, "HMAC-SHA1 AES256 key", - 0, NULL, + 0, NULL, &krb5int_hash_sha1, 12 }, { CKSUMTYPE_MD5_HMAC_ARCFOUR, 0, "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC (RC4 key)", - ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_md5_hmac, + ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_md5_hmac, NULL } }; diff --git a/src/lib/crypto/krb/cksumtypes.h b/src/lib/crypto/krb/cksumtypes.h index 10d8ccd53..f3e1f57b6 100644 --- a/src/lib/crypto/krb/cksumtypes.h +++ b/src/lib/crypto/krb/cksumtypes.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/coll_proof_cksum.c b/src/lib/crypto/krb/coll_proof_cksum.c index 08b4ccb11..e5d7ed13c 100644 --- a/src/lib/crypto/krb/coll_proof_cksum.c +++ b/src/lib/crypto/krb/coll_proof_cksum.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/combine_keys.c b/src/lib/crypto/krb/combine_keys.c index 4f2692ab2..3aa24da5c 100644 --- a/src/lib/crypto/krb/combine_keys.c +++ b/src/lib/crypto/krb/combine_keys.c @@ -5,7 +5,7 @@ * documentation is hereby granted, provided that both the copyright * notice and this permission notice appear in all copies of the software, * derivative works or modified versions, and any portions thereof. - * + * * NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND * DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER * RESULTING FROM THE USE OF THIS SOFTWARE. @@ -276,4 +276,3 @@ cleanup: krb5_k_free_key(NULL, key); return ret; } - diff --git a/src/lib/crypto/krb/crc32/crc-32.h b/src/lib/crypto/krb/crc32/crc-32.h index 0efc00625..5c8c5bcf8 100644 --- a/src/lib/crypto/krb/crc32/crc-32.h +++ b/src/lib/crypto/krb/crc32/crc-32.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +22,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Definitions for the CRC-32 checksum */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +47,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/crc32/crc32.c b/src/lib/crypto/krb/crc32/crc32.c index ef65476d9..ee7e53f1f 100644 --- a/src/lib/crypto/krb/crc32/crc32.c +++ b/src/lib/crypto/krb/crc32/crc32.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * CRC-32/AUTODIN-II routines */ diff --git a/src/lib/crypto/krb/crypto_length.c b/src/lib/crypto/krb/crypto_length.c index 23e8c1ca9..00de30c7c 100644 --- a/src/lib/crypto/krb/crypto_length.c +++ b/src/lib/crypto/krb/crypto_length.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -142,4 +142,3 @@ krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, return 0; } - diff --git a/src/lib/crypto/krb/decrypt.c b/src/lib/crypto/krb/decrypt.c index 36c3bf0ab..9ad68adc7 100644 --- a/src/lib/crypto/krb/decrypt.c +++ b/src/lib/crypto/krb/decrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/decrypt_iov.c b/src/lib/crypto/krb/decrypt_iov.c index fcc997377..1813af956 100644 --- a/src/lib/crypto/krb/decrypt_iov.c +++ b/src/lib/crypto/krb/decrypt_iov.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/krb/default_state.c b/src/lib/crypto/krb/default_state.c index 33a189f26..9995b2795 100644 --- a/src/lib/crypto/krb/default_state.c +++ b/src/lib/crypto/krb/default_state.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,7 +20,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * Section 6 (Encryption) of the Kerberos revisions document defines * cipher states to be used to chain encryptions and decryptions * together. Examples of cipher states include initialization vectors @@ -58,6 +58,3 @@ krb5_error_code krb5int_default_free_state } return 0; } - - - diff --git a/src/lib/crypto/krb/dk/checksum.c b/src/lib/crypto/krb/dk/checksum.c index e5087e742..538060dbd 100644 --- a/src/lib/crypto/krb/dk/checksum.c +++ b/src/lib/crypto/krb/dk/checksum.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -54,7 +54,7 @@ krb5int_dk_make_checksum(const struct krb5_hash_provider *hash, */ /* Derive the key. */ - + datain.data = (char *) constantdata; datain.length = K5CLENGTH; @@ -102,7 +102,7 @@ krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash, */ /* Derive the key. */ - + datain.data = (char *) constantdata; datain.length = K5CLENGTH; diff --git a/src/lib/crypto/krb/dk/derive.c b/src/lib/crypto/krb/dk/derive.c index bcd111435..5019975f2 100644 --- a/src/lib/crypto/krb/dk/derive.c +++ b/src/lib/crypto/krb/dk/derive.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/dk/dk.h b/src/lib/crypto/krb/dk/dk.h index 288072abd..76937dac1 100644 --- a/src/lib/crypto/krb/dk/dk.h +++ b/src/lib/crypto/krb/dk/dk.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/dk/dk_decrypt.c b/src/lib/crypto/krb/dk/dk_decrypt.c index 9535a7554..b080d5f4f 100644 --- a/src/lib/crypto/krb/dk/dk_decrypt.c +++ b/src/lib/crypto/krb/dk/dk_decrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/dk/dk_encrypt.c b/src/lib/crypto/krb/dk/dk_encrypt.c index b44671abe..e84a092b5 100644 --- a/src/lib/crypto/krb/dk/dk_encrypt.c +++ b/src/lib/crypto/krb/dk/dk_encrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -305,4 +305,3 @@ cleanup: zapfree(plaintext, plainlen); return ret; } - diff --git a/src/lib/crypto/krb/dk/stringtokey.c b/src/lib/crypto/krb/dk/stringtokey.c index 7589b4b80..59404e489 100644 --- a/src/lib/crypto/krb/dk/stringtokey.c +++ b/src/lib/crypto/krb/dk/stringtokey.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/enc_provider/aes.c b/src/lib/crypto/krb/enc_provider/aes.c index 060d119c4..fac85b359 100644 --- a/src/lib/crypto/krb/enc_provider/aes.c +++ b/src/lib/crypto/krb/enc_provider/aes.c @@ -412,4 +412,3 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { krb5int_aes_encrypt_iov, krb5int_aes_decrypt_iov }; - diff --git a/src/lib/crypto/krb/enc_provider/des.c b/src/lib/crypto/krb/enc_provider/des.c index 547f6b976..cd41471c1 100644 --- a/src/lib/crypto/krb/enc_provider/des.c +++ b/src/lib/crypto/krb/enc_provider/des.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/enc_provider/des3.c b/src/lib/crypto/krb/enc_provider/des3.c index 412c994a7..b0325fbdf 100644 --- a/src/lib/crypto/krb/enc_provider/des3.c +++ b/src/lib/crypto/krb/enc_provider/des3.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -218,4 +218,3 @@ const struct krb5_enc_provider krb5int_enc_des3 = { k5_des3_encrypt_iov, k5_des3_decrypt_iov }; - diff --git a/src/lib/crypto/krb/enc_provider/enc_provider.h b/src/lib/crypto/krb/enc_provider/enc_provider.h index 92022b3c8..49ffaafea 100644 --- a/src/lib/crypto/krb/enc_provider/enc_provider.h +++ b/src/lib/crypto/krb/enc_provider/enc_provider.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -33,4 +33,3 @@ extern const struct krb5_enc_provider krb5int_enc_aes128; extern const struct krb5_enc_provider krb5int_enc_aes256; extern const struct krb5_enc_provider krb5int_enc_aes128_ctr; extern const struct krb5_enc_provider krb5int_enc_aes256_ctr; - diff --git a/src/lib/crypto/krb/enc_provider/rc4.c b/src/lib/crypto/krb/enc_provider/rc4.c index b950a605b..c718871b7 100644 --- a/src/lib/crypto/krb/enc_provider/rc4.c +++ b/src/lib/crypto/krb/enc_provider/rc4.c @@ -1,4 +1,4 @@ -/* arcfour.c +/* arcfour.c * * Copyright (c) 2000 by Computer Science Laboratory, * Rensselaer Polytechnic Institute @@ -18,11 +18,11 @@ static unsigned int k5_arcfour_byte(ArcfourContext *); #endif /* gcc inlines*/ /* Initializes the context and sets the key. */ -static krb5_error_code k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, +static krb5_error_code k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, unsigned int keylen); /* Encrypts/decrypts data. */ -static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, +static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, const unsigned char *src, unsigned int len); /* Interface layer to kerb5 crypto layer */ @@ -63,7 +63,7 @@ static inline unsigned int k5_arcfour_byte(ArcfourContext * ctx) return state[(sx + sy) & 0xff]; } -static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, +static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, const unsigned char *src, unsigned int len) { unsigned int i; @@ -73,7 +73,7 @@ static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, static krb5_error_code -k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, +k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, unsigned int key_len) { unsigned int t, u; @@ -153,7 +153,7 @@ k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state, memset(arcfour_ctx, 0, sizeof (ArcfourContext)); free(arcfour_ctx); } - + return 0; } @@ -248,7 +248,7 @@ k5_arcfour_init_state (const krb5_keyblock *key, return 0; } -/* Since the arcfour cipher is identical going forwards and backwards, +/* Since the arcfour cipher is identical going forwards and backwards, we just call "docrypt" directly */ const struct krb5_enc_provider krb5int_enc_arcfour = { @@ -268,4 +268,3 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_docrypt_iov, k5_arcfour_docrypt_iov }; - diff --git a/src/lib/crypto/krb/encrypt.c b/src/lib/crypto/krb/encrypt.c index 3c39838cf..ee9e0e265 100644 --- a/src/lib/crypto/krb/encrypt.c +++ b/src/lib/crypto/krb/encrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/encrypt_iov.c b/src/lib/crypto/krb/encrypt_iov.c index b7b2f5814..64cb12653 100644 --- a/src/lib/crypto/krb/encrypt_iov.c +++ b/src/lib/crypto/krb/encrypt_iov.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/krb/encrypt_length.c b/src/lib/crypto/krb/encrypt_length.c index bb9a10212..f2aad024e 100644 --- a/src/lib/crypto/krb/encrypt_length.c +++ b/src/lib/crypto/krb/encrypt_length.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/enctype_compare.c b/src/lib/crypto/krb/enctype_compare.c index b724c3d29..6d47f9d4f 100644 --- a/src/lib/crypto/krb/enctype_compare.c +++ b/src/lib/crypto/krb/enctype_compare.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/enctype_to_string.c b/src/lib/crypto/krb/enctype_to_string.c index 427a30d7f..c40878257 100644 --- a/src/lib/crypto/krb/enctype_to_string.c +++ b/src/lib/crypto/krb/enctype_to_string.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c index 8552c0f16..a1acdc02d 100644 --- a/src/lib/crypto/krb/etypes.c +++ b/src/lib/crypto/krb/etypes.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -116,7 +116,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { 0, NULL, ETYPE_WEAK }, - { ENCTYPE_ARCFOUR_HMAC, + { ENCTYPE_ARCFOUR_HMAC, "arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" }, "ArcFour with HMAC/md5", &krb5int_enc_arcfour, @@ -128,7 +128,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, 0 /*flags*/ }, - { ENCTYPE_ARCFOUR_HMAC_EXP, + { ENCTYPE_ARCFOUR_HMAC_EXP, "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" }, "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, diff --git a/src/lib/crypto/krb/etypes.h b/src/lib/crypto/krb/etypes.h index 16dbae9ce..68dcdd412 100644 --- a/src/lib/crypto/krb/etypes.h +++ b/src/lib/crypto/krb/etypes.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/key.c b/src/lib/crypto/krb/key.c index d6adcba74..43d9ce632 100644 --- a/src/lib/crypto/krb/key.c +++ b/src/lib/crypto/krb/key.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,7 +20,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * Functions for manipulating krb5_key structures */ diff --git a/src/lib/crypto/krb/keyblocks.c b/src/lib/crypto/krb/keyblocks.c index 51e31d301..d9db694e6 100644 --- a/src/lib/crypto/krb/keyblocks.c +++ b/src/lib/crypto/krb/keyblocks.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,10 +22,10 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * * - * krb5_init_keyblock- a function to set up + * + * + * krb5_init_keyblock- a function to set up * an empty keyblock */ @@ -62,14 +62,14 @@ krb5int_c_init_keyblock(krb5_context context, krb5_enctype enctype, return 0; } -void +void krb5int_c_free_keyblock(krb5_context context, register krb5_keyblock *val) { krb5int_c_free_keyblock_contents(context, val); free(val); } -void +void krb5int_c_free_keyblock_contents(krb5_context context, krb5_keyblock *key) { if (key && key->contents) { diff --git a/src/lib/crypto/krb/keyed_checksum_types.c b/src/lib/crypto/krb/keyed_checksum_types.c index 48743722a..4da6e2510 100644 --- a/src/lib/crypto/krb/keyed_checksum_types.c +++ b/src/lib/crypto/krb/keyed_checksum_types.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/keyed_cksum.c b/src/lib/crypto/krb/keyed_cksum.c index dcf72b533..97292769b 100644 --- a/src/lib/crypto/krb/keyed_cksum.c +++ b/src/lib/crypto/krb/keyed_cksum.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/keyhash_provider/descbc.c b/src/lib/crypto/krb/keyhash_provider/descbc.c index b08e30b7c..c54e27f93 100644 --- a/src/lib/crypto/krb/keyhash_provider/descbc.c +++ b/src/lib/crypto/krb/keyhash_provider/descbc.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -52,10 +52,10 @@ k5_descbc_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, /* this has a return value, but it's useless to us */ - mit_des_cbc_cksum((unsigned char *) input->data, + mit_des_cbc_cksum((unsigned char *) input->data, (unsigned char *) output->data, input->length, - schedule, - ivec? (const unsigned char *)ivec->data: + schedule, + ivec? (const unsigned char *)ivec->data: (const unsigned char *)mit_des_zeroblock); memset(schedule, 0, sizeof(schedule)); diff --git a/src/lib/crypto/krb/keyhash_provider/hmac_md5.c b/src/lib/crypto/krb/keyhash_provider/hmac_md5.c index 8318dc0e7..1aa7e3cbe 100644 --- a/src/lib/crypto/krb/keyhash_provider/hmac_md5.c +++ b/src/lib/crypto/krb/keyhash_provider/hmac_md5.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Implementation of the Microsoft hmac-md5 checksum type. * Implemented based on draft-brezak-win2k-krb-rc4-hmac-03 @@ -47,7 +47,7 @@ k5_hmac_md5_hash (krb5_key key, krb5_keyusage usage, krb5_data ds, ks_constant, md5tmp; krb5_MD5_CTX ctx; char t[4]; - + ds.length = key->keyblock.length; ds.data = malloc(ds.length); diff --git a/src/lib/crypto/krb/keyhash_provider/k5_md4des.c b/src/lib/crypto/krb/keyhash_provider/k5_md4des.c index f3c6d62da..ef10a6898 100644 --- a/src/lib/crypto/krb/keyhash_provider/k5_md4des.c +++ b/src/lib/crypto/krb/keyhash_provider/k5_md4des.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/keyhash_provider/k5_md5des.c b/src/lib/crypto/krb/keyhash_provider/k5_md5des.c index 1a2089a02..eb189c26a 100644 --- a/src/lib/crypto/krb/keyhash_provider/k5_md5des.c +++ b/src/lib/crypto/krb/keyhash_provider/k5_md5des.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -147,7 +147,7 @@ k5_md5des_verify(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, (memcmp(plaintext+CONFLENGTH, ctx.digest, RSA_MD5_CKSUM_LENGTH) == 0); } else { - *valid = + *valid = (memcmp(plaintext, ctx.digest, RSA_MD5_CKSUM_LENGTH) == 0); } memset(plaintext, 0, sizeof(plaintext)); diff --git a/src/lib/crypto/krb/keyhash_provider/keyhash_provider.h b/src/lib/crypto/krb/keyhash_provider/keyhash_provider.h index 8ac91e19d..94424bd1b 100644 --- a/src/lib/crypto/krb/keyhash_provider/keyhash_provider.h +++ b/src/lib/crypto/krb/keyhash_provider/keyhash_provider.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/keyhash_provider/md5_hmac.c b/src/lib/crypto/krb/keyhash_provider/md5_hmac.c index 50eb2ecfd..b384574d1 100644 --- a/src/lib/crypto/krb/keyhash_provider/md5_hmac.c +++ b/src/lib/crypto/krb/keyhash_provider/md5_hmac.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * Implementation of Microsoft KERB_CHECKSUM_MD5_HMAC */ @@ -62,4 +62,3 @@ const struct krb5_keyhash_provider krb5int_keyhash_md5_hmac = { k5_md5_hmac_hash, NULL /*checksum again*/ }; - diff --git a/src/lib/crypto/krb/keylengths.c b/src/lib/crypto/krb/keylengths.c index d28d595d4..f38a28c99 100644 --- a/src/lib/crypto/krb/keylengths.c +++ b/src/lib/crypto/krb/keylengths.c @@ -2,7 +2,7 @@ * COPYRIGHT (c) 2006 * The Regents of the University of Michigan * ALL RIGHTS RESERVED - * + * * Permission is granted to use, copy, create derivative works * and redistribute this software and such derivative works * for any purpose, so long as the name of The University of @@ -13,7 +13,7 @@ * University of Michigan is included in any copy of any * portion of this software, then the disclaimer below must * also be included. - * + * * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF diff --git a/src/lib/crypto/krb/make_checksum.c b/src/lib/crypto/krb/make_checksum.c index def88a18d..06a5247eb 100644 --- a/src/lib/crypto/krb/make_checksum.c +++ b/src/lib/crypto/krb/make_checksum.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/make_checksum_iov.c b/src/lib/crypto/krb/make_checksum_iov.c index e4e2c2d00..192f91091 100644 --- a/src/lib/crypto/krb/make_checksum_iov.c +++ b/src/lib/crypto/krb/make_checksum_iov.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/krb/make_random_key.c b/src/lib/crypto/krb/make_random_key.c index 0c3a26203..de2e6bb86 100644 --- a/src/lib/crypto/krb/make_random_key.c +++ b/src/lib/crypto/krb/make_random_key.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/mandatory_sumtype.c b/src/lib/crypto/krb/mandatory_sumtype.c index 45ea0b82b..e3e3707c1 100644 --- a/src/lib/crypto/krb/mandatory_sumtype.c +++ b/src/lib/crypto/krb/mandatory_sumtype.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/krb/nfold.c b/src/lib/crypto/krb/nfold.c index 01e897217..976e131af 100644 --- a/src/lib/crypto/krb/nfold.c +++ b/src/lib/crypto/krb/nfold.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -127,4 +127,3 @@ krb5int_nfold(unsigned int inbits, const unsigned char *in, unsigned int outbits } } } - diff --git a/src/lib/crypto/krb/old/des_stringtokey.c b/src/lib/crypto/krb/old/des_stringtokey.c index 2bacb4ef9..6a5c669d7 100644 --- a/src/lib/crypto/krb/old/des_stringtokey.c +++ b/src/lib/crypto/krb/old/des_stringtokey.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/old/old.h b/src/lib/crypto/krb/old/old.h index a5f3f7889..953e61ee6 100644 --- a/src/lib/crypto/krb/old/old.h +++ b/src/lib/crypto/krb/old/old.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/old/old_decrypt.c b/src/lib/crypto/krb/old/old_decrypt.c index 42a755a4a..97fbe6df2 100644 --- a/src/lib/crypto/krb/old/old_decrypt.c +++ b/src/lib/crypto/krb/old/old_decrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/old/old_encrypt.c b/src/lib/crypto/krb/old/old_encrypt.c index b3a1c5bea..137d6ed43 100644 --- a/src/lib/crypto/krb/old/old_encrypt.c +++ b/src/lib/crypto/krb/old/old_encrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/old_api_glue.c b/src/lib/crypto/krb/old_api_glue.c index 0688d7fe3..73f4fd7b2 100644 --- a/src/lib/crypto/krb/old_api_glue.c +++ b/src/lib/crypto/krb/old_api_glue.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -235,7 +235,7 @@ krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, outcksum->length = cksum.length; free(cksum.contents); - + return(0); } diff --git a/src/lib/crypto/krb/prf.c b/src/lib/crypto/krb/prf.c index 12ec22b65..141390f63 100644 --- a/src/lib/crypto/krb/prf.c +++ b/src/lib/crypto/krb/prf.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +22,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * This contains the implementation of krb5_c_prf, which will find *the enctype-specific PRF and then generate pseudo-random data. This diff --git a/src/lib/crypto/krb/prf/des_prf.c b/src/lib/crypto/krb/prf/des_prf.c index dd9907bda..47130864e 100644 --- a/src/lib/crypto/krb/prf/des_prf.c +++ b/src/lib/crypto/krb/prf/des_prf.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +22,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * This file contains an implementation of the RFC 3961 PRF for * des-cbc-crc, des-cbc-md4, and des-cbc-md5 enctypes. diff --git a/src/lib/crypto/krb/prf/dk_prf.c b/src/lib/crypto/krb/prf/dk_prf.c index 379cc1cbe..80f9d5075 100644 --- a/src/lib/crypto/krb/prf/dk_prf.c +++ b/src/lib/crypto/krb/prf/dk_prf.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +22,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * This file contains an implementation of the RFC 3961 PRF for *simplified profile enctypes. @@ -41,7 +41,7 @@ krb5int_dk_prf (const struct krb5_enc_provider *enc, krb5_data prfconst; krb5_key kp = NULL; krb5_error_code ret = 0; - + prfconst.data = (char *) "prf"; prfconst.length = 3; tmp.length = hash->hashsize; diff --git a/src/lib/crypto/krb/prf/prf_int.h b/src/lib/crypto/krb/prf/prf_int.h index 97bbf049d..e21035fbc 100644 --- a/src/lib/crypto/krb/prf/prf_int.h +++ b/src/lib/crypto/krb/prf/prf_int.h @@ -29,7 +29,7 @@ #include "k5-int.h" -krb5_error_code +krb5_error_code krb5int_arcfour_prf(const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, krb5_key key, const krb5_data *in, krb5_data *out); @@ -45,5 +45,3 @@ krb5int_dk_prf(const struct krb5_enc_provider *enc, krb5_key key, const krb5_data *in, krb5_data *out); #endif /*PRF_INTERNAL_DEFS*/ - - diff --git a/src/lib/crypto/krb/prf/rc4_prf.c b/src/lib/crypto/krb/prf/rc4_prf.c index 8a79b553a..caeaa44ab 100644 --- a/src/lib/crypto/krb/prf/rc4_prf.c +++ b/src/lib/crypto/krb/prf/rc4_prf.c @@ -29,7 +29,7 @@ #include "k5-int.h" #include -krb5_error_code +krb5_error_code krb5int_arcfour_prf(const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, krb5_key key, const krb5_data *in, krb5_data *out) @@ -37,5 +37,3 @@ krb5int_arcfour_prf(const struct krb5_enc_provider *enc, assert(out->length == 20); return krb5int_hmac(&krb5int_hash_sha1, key, 1, in, out); } - - diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c index b52dabc26..00534ca0c 100644 --- a/src/lib/crypto/krb/prng.c +++ b/src/lib/crypto/krb/prng.c @@ -2,12 +2,12 @@ * Copyright (C) 2001, 2002, 2004, 2007, 2008 by the Massachusetts Institute of Technology. * All rights reserved. * - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -190,7 +190,7 @@ read_entropy_from_device(krb5_context context, const char *device) return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND, &data) == 0); } - + krb5_error_code KRB5_CALLCONV krb5_c_random_os_entropy(krb5_context context, int strong, int *success) { diff --git a/src/lib/crypto/krb/rand2key/aes_rand2key.c b/src/lib/crypto/krb/rand2key/aes_rand2key.c index 25c72cff3..c5028e57b 100644 --- a/src/lib/crypto/krb/rand2key/aes_rand2key.c +++ b/src/lib/crypto/krb/rand2key/aes_rand2key.c @@ -41,4 +41,3 @@ krb5int_aes_make_key(const krb5_data *randombits, krb5_keyblock *key) return(0); } - diff --git a/src/lib/crypto/krb/rand2key/des3_rand2key.c b/src/lib/crypto/krb/rand2key/des3_rand2key.c index b505f1a45..fe84c3a14 100644 --- a/src/lib/crypto/krb/rand2key/des3_rand2key.c +++ b/src/lib/crypto/krb/rand2key/des3_rand2key.c @@ -57,4 +57,3 @@ krb5int_des3_make_key(const krb5_data *randombits, krb5_keyblock *key) } return(0); } - diff --git a/src/lib/crypto/krb/rand2key/des_rand2key.c b/src/lib/crypto/krb/rand2key/des_rand2key.c index 9af247702..1485965b6 100644 --- a/src/lib/crypto/krb/rand2key/des_rand2key.c +++ b/src/lib/crypto/krb/rand2key/des_rand2key.c @@ -51,5 +51,3 @@ krb5int_des_make_key(const krb5_data *randombits, krb5_keyblock *key) return(0); } - - diff --git a/src/lib/crypto/krb/rand2key/rand2key.h b/src/lib/crypto/krb/rand2key/rand2key.h index d452940b3..01208f6a4 100644 --- a/src/lib/crypto/krb/rand2key/rand2key.h +++ b/src/lib/crypto/krb/rand2key/rand2key.h @@ -13,6 +13,3 @@ krb5int_des3_make_key(const krb5_data *randombits, krb5_keyblock *key); krb5_error_code krb5int_aes_make_key(const krb5_data *randombits, krb5_keyblock *key); - - - diff --git a/src/lib/crypto/krb/rand2key/rc4_rand2key.c b/src/lib/crypto/krb/rand2key/rc4_rand2key.c index 0e66d887d..d498f0526 100644 --- a/src/lib/crypto/krb/rand2key/rc4_rand2key.c +++ b/src/lib/crypto/krb/rand2key/rc4_rand2key.c @@ -42,4 +42,3 @@ krb5int_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key) return(0); } - diff --git a/src/lib/crypto/krb/random_to_key.c b/src/lib/crypto/krb/random_to_key.c index 18e4c6959..f94229a1e 100644 --- a/src/lib/crypto/krb/random_to_key.c +++ b/src/lib/crypto/krb/random_to_key.c @@ -2,7 +2,7 @@ * COPYRIGHT (c) 2006 * The Regents of the University of Michigan * ALL RIGHTS RESERVED - * + * * Permission is granted to use, copy, create derivative works * and redistribute this software and such derivative works * for any purpose, so long as the name of The University of @@ -13,7 +13,7 @@ * University of Michigan is included in any copy of any * portion of this software, then the disclaimer below must * also be included. - * + * * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF diff --git a/src/lib/crypto/krb/raw/raw.h b/src/lib/crypto/krb/raw/raw.h index 3c2618874..d5575e13a 100644 --- a/src/lib/crypto/krb/raw/raw.h +++ b/src/lib/crypto/krb/raw/raw.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -46,4 +46,3 @@ krb5_error_code krb5int_raw_decrypt krb5_data *arg_output); extern const struct krb5_aead_provider krb5int_aead_raw; - diff --git a/src/lib/crypto/krb/raw/raw_aead.c b/src/lib/crypto/krb/raw/raw_aead.c index 68070d1da..f15e4868e 100644 --- a/src/lib/crypto/krb/raw/raw_aead.c +++ b/src/lib/crypto/krb/raw/raw_aead.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/krb/raw/raw_decrypt.c b/src/lib/crypto/krb/raw/raw_decrypt.c index 58ee6f82c..34598bbfb 100644 --- a/src/lib/crypto/krb/raw/raw_decrypt.c +++ b/src/lib/crypto/krb/raw/raw_decrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/raw/raw_encrypt.c b/src/lib/crypto/krb/raw/raw_encrypt.c index b02258d4b..6e8516c4c 100644 --- a/src/lib/crypto/krb/raw/raw_encrypt.c +++ b/src/lib/crypto/krb/raw/raw_encrypt.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/state.c b/src/lib/crypto/krb/state.c index 152ebecf7..12638a43b 100644 --- a/src/lib/crypto/krb/state.c +++ b/src/lib/crypto/krb/state.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +22,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express - * - * + * + * * * * Section 6 (Encryption) of the Kerberos revisions document defines * cipher states to be used to chain encryptions and decryptions diff --git a/src/lib/crypto/krb/string_to_cksumtype.c b/src/lib/crypto/krb/string_to_cksumtype.c index 796cc2a44..ae5da6de5 100644 --- a/src/lib/crypto/krb/string_to_cksumtype.c +++ b/src/lib/crypto/krb/string_to_cksumtype.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/string_to_enctype.c b/src/lib/crypto/krb/string_to_enctype.c index 4978ac785..159c36b13 100644 --- a/src/lib/crypto/krb/string_to_enctype.c +++ b/src/lib/crypto/krb/string_to_enctype.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/string_to_key.c b/src/lib/crypto/krb/string_to_key.c index bf8f8ce91..e81568b35 100644 --- a/src/lib/crypto/krb/string_to_key.c +++ b/src/lib/crypto/krb/string_to_key.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/valid_cksumtype.c b/src/lib/crypto/krb/valid_cksumtype.c index d32e8f589..69cc18667 100644 --- a/src/lib/crypto/krb/valid_cksumtype.c +++ b/src/lib/crypto/krb/valid_cksumtype.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/valid_enctype.c b/src/lib/crypto/krb/valid_enctype.c index 2657fd084..a6445111e 100644 --- a/src/lib/crypto/krb/valid_enctype.c +++ b/src/lib/crypto/krb/valid_enctype.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/verify_checksum.c b/src/lib/crypto/krb/verify_checksum.c index d8a9cc8b7..a4869eb41 100644 --- a/src/lib/crypto/krb/verify_checksum.c +++ b/src/lib/crypto/krb/verify_checksum.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/krb/verify_checksum_iov.c b/src/lib/crypto/krb/verify_checksum_iov.c index f72ca652f..cbac1db47 100644 --- a/src/lib/crypto/krb/verify_checksum_iov.c +++ b/src/lib/crypto/krb/verify_checksum_iov.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/crypto/krb/yarrow/yarrow.c b/src/lib/crypto/krb/yarrow/yarrow.c index b1533daf4..4b1fcf1dc 100644 --- a/src/lib/crypto/krb/yarrow/yarrow.c +++ b/src/lib/crypto/krb/yarrow/yarrow.c @@ -14,7 +14,7 @@ * permission. Zero-Knowledge Systems, Inc. makes no representations * about the suitability of this software for any purpose. It is * provided "as is" without express or implied warranty. - * + * * See the accompanying LICENSE file for more information. */ @@ -47,7 +47,7 @@ extern int yarrow_verbose; #define TRACE( x ) do { if (yarrow_verbose) { x } } while (0) #else -#define TRACE( x ) +#define TRACE( x ) #endif #if defined(macintosh) @@ -246,8 +246,8 @@ int krb5int_yarrow_init(Yarrow_CTX* y, const char *filename) } static -int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id, - const void* sample, +int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id, + const void* sample, size_t size, size_t entropy_bits, int do_lock ) { @@ -257,7 +257,7 @@ int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id, Source* source; size_t new_entropy; size_t estimate; - + if (do_lock) { TRY( LOCK() ); locked = 1; @@ -267,7 +267,7 @@ int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id, if (!y) { THROW( YARROW_BAD_ARG ); } if (source_id >= y->num_sources) { THROW( YARROW_BAD_SOURCE ); } - + source = &y->source[source_id]; if(source->pool != YARROW_FAST_POOL && source->pool != YARROW_SLOW_POOL) @@ -278,10 +278,10 @@ int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id, /* hash in the sample */ HASH_Update(&y->pool[source->pool], (const void*)sample, size); - + /* only update entropy estimate if pool is not full */ - if ( (source->pool == YARROW_FAST_POOL && + if ( (source->pool == YARROW_FAST_POOL && source->entropy[source->pool] < y->fast_thresh) || (source->pool == YARROW_SLOW_POOL && source->entropy[source->pool] < y->slow_thresh) ) @@ -311,7 +311,7 @@ int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id, } else { - if (!source->reached_slow_thresh && + if (!source->reached_slow_thresh && source->entropy[YARROW_SLOW_POOL] >= y->slow_thresh) { source->reached_slow_thresh = 1; @@ -328,19 +328,19 @@ int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id, } } } - + /* put samples in alternate pools */ source->pool = (source->pool + 1) % 2; - + CATCH: if ( locked ) { TRY( UNLOCK() ); } EXCEP_RET; } YARROW_DLL -int krb5int_yarrow_input( Yarrow_CTX* y, unsigned source_id, - const void* sample, +int krb5int_yarrow_input( Yarrow_CTX* y, unsigned source_id, + const void* sample, size_t size, size_t entropy_bits ) { return yarrow_input_maybe_locking(y, source_id, sample, size, @@ -389,7 +389,7 @@ CATCH: EXCEP_RET; } -int krb5int_yarrow_register_source_estimator(Yarrow_CTX* y, unsigned source_id, +int krb5int_yarrow_register_source_estimator(Yarrow_CTX* y, unsigned source_id, estimator_fn* fptr) { EXCEP_DECL; @@ -401,7 +401,7 @@ int krb5int_yarrow_register_source_estimator(Yarrow_CTX* y, unsigned source_id, source = &y->source[source_id]; source->estimator = fptr; - + CATCH: EXCEP_RET; } @@ -428,15 +428,15 @@ static int krb5int_yarrow_output_Block( Yarrow_CTX* y, void* out ) if ( y->gate_count >= y->gates_limit ) { y->gate_count = 0; - - /* not defined whether to do slow or fast reseed */ - + + /* not defined whether to do slow or fast reseed */ + TRACE( printf( "OUTPUT LIMIT REACHED," ); ); TRY( yarrow_reseed_locked( y, YARROW_SLOW_POOL ) ); } } - + /* C <- (C + 1) mod 2^n */ block_increment( y->C, CIPHER_BLOCK_SIZE ); @@ -541,7 +541,7 @@ int yarrow_output_locked( Yarrow_CTX* y, void* out, size_t size ) outp += use; } - for ( ; + for ( ; left >= CIPHER_BLOCK_SIZE; left -= CIPHER_BLOCK_SIZE, outp += CIPHER_BLOCK_SIZE) { @@ -565,7 +565,7 @@ static int yarrow_gate_locked(Yarrow_CTX* y) byte new_K[CIPHER_KEY_SIZE]; if (!y) { THROW( YARROW_BAD_ARG ); } - + TRACE( printf( "GATE[" ); ); /* K <- Next k bits of PRNG output */ @@ -589,7 +589,7 @@ int krb5int_yarrow_gate(Yarrow_CTX* y) byte new_K[CIPHER_KEY_SIZE]; if (!y) { THROW( YARROW_BAD_ARG ); } - + TRACE( printf( "GATE[" ); ); /* K <- Next k bits of PRNG output */ @@ -612,7 +612,7 @@ static int Yarrow_Load_State( Yarrow_CTX *y ) { EXCEP_DECL; Yarrow_STATE state; - + if ( !y ) { THROW( YARROW_BAD_ARG ); } if ( y->entropyfile ) @@ -623,11 +623,11 @@ static int Yarrow_Load_State( Yarrow_CTX *y ) #if defined( YARROW_DEBUG ) hex_print( stderr, "state.load", state.seed, sizeof(state.seed)); #endif - + /* what to do here is not defined by the Yarrow paper */ /* this is a place holder until we get some clarification */ - - HASH_Update( &y->pool[YARROW_FAST_POOL], + + HASH_Update( &y->pool[YARROW_FAST_POOL], state.seed, sizeof(state.seed) ); Yarrow_Make_Seeded( y ); @@ -643,10 +643,10 @@ static int Yarrow_Save_State( Yarrow_CTX *y ) { EXCEP_DECL; Yarrow_STATE state; - + if ( !y ) { THROW( YARROW_BAD_ARG ); } - if ( y->entropyfile && y->seeded ) + if ( y->entropyfile && y->seeded ) { TRACE( printf( "SAVE STATE[" ); ); TRY( krb5int_yarrow_output( y, state.seed, sizeof(state.seed) ) ); @@ -685,8 +685,8 @@ static int yarrow_reseed_locked(Yarrow_CTX* y, int pool) { THROW( YARROW_BAD_ARG ); } - - TRACE( printf( "%s RESEED,", + + TRACE( printf( "%s RESEED,", pool == YARROW_SLOW_POOL ? "SLOW" : "FAST" ); ); if (pool == YARROW_SLOW_POOL) @@ -715,7 +715,7 @@ static int yarrow_reseed_locked(Yarrow_CTX* y, int pool) /* step 1. v_0 <- hash of all inputs into fast pool */ HASH_Final(fast_pool, &v_0); - HASH_Init(fast_pool); /* reinitialize fast pool */ + HASH_Init(fast_pool); /* reinitialize fast pool */ /* v_i <- v_0 */ @@ -772,7 +772,7 @@ static int yarrow_reseed_locked(Yarrow_CTX* y, int pool) #endif /* discard part output from previous key */ - + y->out_left = 0; /* step 5. Reset all entropy estimate accumulators of the entropy @@ -833,13 +833,13 @@ int krb5int_yarrow_stretch(const byte* m, size_t size, byte* out, size_t out_siz unsigned int use; HASH_CTX hash, save; byte digest[HASH_DIGEST_SIZE]; - + if (m == NULL || size == 0 || out == NULL || out_size == 0) { THROW( YARROW_BAD_ARG ); } - - /* + + /* * s_0 = m * s_1 = h(s_0 | ... | s_{i-1}) * @@ -849,7 +849,7 @@ int krb5int_yarrow_stretch(const byte* m, size_t size, byte* out, size_t out_siz outp = out; left = out_size; - + use = min(out_size, size); mem_copy(outp, m, use); /* get k bits or as many as available */ @@ -863,7 +863,7 @@ int krb5int_yarrow_stretch(const byte* m, size_t size, byte* out, size_t out_siz left -= HASH_DIGEST_SIZE) { HASH_Update(&hash, s_i, use); - + /* have to save hash state to one side as HASH_final changes state */ mem_copy(&save, &hash, sizeof(hash)); @@ -879,7 +879,7 @@ int krb5int_yarrow_stretch(const byte* m, size_t size, byte* out, size_t out_siz s_i = outp; /* retain pointer to s_i */ outp += use; } - + CATCH: mem_zero(&hash, sizeof(hash)); mem_zero(digest, sizeof(digest)); @@ -891,7 +891,7 @@ static void block_increment(void* block, const int sz) { byte* b = block; int i; - + for (i = sz-1; (++b[i]) == 0 && i > 0; i--) { ; /* nothing */ @@ -916,7 +916,7 @@ int krb5int_yarrow_final(Yarrow_CTX* y) #endif CATCH: - if ( y ) + if ( y ) { krb5int_yarrow_cipher_final(&y->cipher); mem_zero( y, sizeof(Yarrow_CTX) ); @@ -932,7 +932,7 @@ const char* krb5int_yarrow_str_error( int err ) if ( err < 0 || err >= sizeof( yarrow_str_error ) / sizeof( char* ) ) { err = 1-YARROW_FAIL; - } + } return yarrow_str_error[ err ]; } diff --git a/src/lib/crypto/krb/yarrow/yarrow.h b/src/lib/crypto/krb/yarrow/yarrow.h index bb8c63ac0..081a06ba5 100644 --- a/src/lib/crypto/krb/yarrow/yarrow.h +++ b/src/lib/crypto/krb/yarrow/yarrow.h @@ -135,7 +135,7 @@ int krb5int_yarrow_init( Yarrow_CTX* y, const char *filename ); YARROW_DLL int krb5int_yarrow_input( Yarrow_CTX* y, unsigned source_id, - const void* sample, + const void* sample, size_t size, size_t entropy_bits ); YARROW_DLL @@ -149,7 +149,7 @@ YARROW_DLL int krb5int_yarrow_new_source( Yarrow_CTX* y, unsigned* source_id ); YARROW_DLL -int krb5int_yarrow_register_source_estimator( Yarrow_CTX* y, unsigned source_id, +int krb5int_yarrow_register_source_estimator( Yarrow_CTX* y, unsigned source_id, estimator_fn* fptr ); YARROW_DLL diff --git a/src/lib/crypto/krb/yarrow/ycipher.c b/src/lib/crypto/krb/yarrow/ycipher.c index 84cadd13f..8da7b711a 100644 --- a/src/lib/crypto/krb/yarrow/ycipher.c +++ b/src/lib/crypto/krb/yarrow/ycipher.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +22,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * Routines to implement krb5 cipher operations. */ diff --git a/src/lib/crypto/krb/yarrow/ycipher.h b/src/lib/crypto/krb/yarrow/ycipher.h index ad0d307fc..554cf9aed 100644 --- a/src/lib/crypto/krb/yarrow/ycipher.h +++ b/src/lib/crypto/krb/yarrow/ycipher.h @@ -5,7 +5,7 @@ /* block cipher interface */ -typedef struct +typedef struct { krb5_key key; } CIPHER_CTX; diff --git a/src/lib/crypto/krb/yarrow/yexcep.h b/src/lib/crypto/krb/yarrow/yexcep.h index d27de2d5e..b066c91d5 100644 --- a/src/lib/crypto/krb/yarrow/yexcep.h +++ b/src/lib/crypto/krb/yarrow/yexcep.h @@ -17,18 +17,18 @@ * * EXCEP_OK - success return value (=1) * - * EXCEP_FAIL - failure return value (=0), other user exceptions are + * EXCEP_FAIL - failure return value (=0), other user exceptions are * given negative values (<0) * - * TRY( x ) - if code returns value <= 0 TRY sets return value to - * that value and goes to function cleanup section + * TRY( x ) - if code returns value <= 0 TRY sets return value to + * that value and goes to function cleanup section * (CATCH: block). In the catch block, TRY does not goto * the catch label to avoid loops, and instead * falls through to the next statement. The * return value is set to the first non success value * returned by a TRY, unless this is overridden by a THROW. * - * CATCH: - start of catch block, also switches behavior of + * CATCH: - start of catch block, also switches behavior of * TRY and THROW to not goto CATCH: inside the catch * block to avoid loops * @@ -45,40 +45,40 @@ /* example usage */ /* - * + * * #define EXCEP_OK_COMMENT 2 * #define EXCEP_NULL_PTR -1 * #define EXCEP_OUT_OF_MEM -2 - * + * * int bar( char *c ) * { * EXCEP_DECL; - * + * * if ( !c ) { THROW( EXCEP_NULL_PTR ); } * if ( *c == '\0' ) { THROW( EXCEP_FAIL ); ); * if ( *c == '#' ) { SET( EXCEP_COMMENT ); } * CATCH: * EXCEP_RET; * } - * + * * int foo( char *c ) * { * EXCEP_DECL; * int *p = NULL; - * + * * if ( !c ) { THROW( EXCEP_NULL_PTR ); } * TRY( bar( c ) ); * if ( RETURN == EXCEP_COMMENT ) { print( "comment\n" ); } * p = strdup( c ); * if ( !p ) { THROW( EXCEP_OUT_OF_MEM ); } - * + * * CATCH: * if ( p ) { TRY( bar( p ) ); free( p ); } * THROW( EXCEP_BOOL ); * if ( EXCEPTION == EXCEP_OK ) { printf( "success\n" ); } * EXCEP_RET; * } - * + * */ #define EXCEP_FAIL 0 diff --git a/src/lib/crypto/krb/yarrow/ytypes.h b/src/lib/crypto/krb/yarrow/ytypes.h index 9265e5a84..23c1bdf7e 100644 --- a/src/lib/crypto/krb/yarrow/ytypes.h +++ b/src/lib/crypto/krb/yarrow/ytypes.h @@ -10,7 +10,7 @@ #include #endif -#define byte unsigned char +#define byte unsigned char #define uint8 unsigned char #define int8 signed char diff --git a/src/lib/crypto/openssl/aes/aes_s2k.c b/src/lib/crypto/openssl/aes/aes_s2k.c index 348acade9..9dd1402bd 100644 --- a/src/lib/crypto/openssl/aes/aes_s2k.c +++ b/src/lib/crypto/openssl/aes/aes_s2k.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5int_aes_string_to_key */ diff --git a/src/lib/crypto/openssl/arcfour/arcfour-int.h b/src/lib/crypto/openssl/arcfour/arcfour-int.h index d9db0be8a..bb4cf4201 100644 --- a/src/lib/crypto/openssl/arcfour/arcfour-int.h +++ b/src/lib/crypto/openssl/arcfour/arcfour-int.h @@ -19,8 +19,8 @@ typedef struct EVP_CIPHER_CTX evp_ctx; unsigned int x; unsigned int y; - unsigned char state[256]; - + unsigned char state[256]; + } ArcfourContext; typedef struct { diff --git a/src/lib/crypto/openssl/arcfour/arcfour.c b/src/lib/crypto/openssl/arcfour/arcfour.c index 68feb4985..ac96c8605 100644 --- a/src/lib/crypto/openssl/arcfour/arcfour.c +++ b/src/lib/crypto/openssl/arcfour/arcfour.c @@ -61,7 +61,7 @@ case 7: /* tgs-req authenticator */ } } -/* RFC 4757 */ +/* RFC 4757 */ krb5_error_code krb5int_arcfour_encrypt(const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, @@ -338,4 +338,3 @@ krb5int_arcfour_decrypt(const struct krb5_enc_provider *enc, free(plaintext.data); return (ret); } - diff --git a/src/lib/crypto/openssl/arcfour/arcfour_aead.c b/src/lib/crypto/openssl/arcfour/arcfour_aead.c index da8261f02..66eb3576b 100644 --- a/src/lib/crypto/openssl/arcfour/arcfour_aead.c +++ b/src/lib/crypto/openssl/arcfour/arcfour_aead.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -106,7 +106,7 @@ krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead, * Caller must have provided space for the header, padding * and trailer; per RFC 4757 we will arrange it as: * - * Checksum | E(Confounder | Plaintext) + * Checksum | E(Confounder | Plaintext) */ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); @@ -246,7 +246,7 @@ krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead, trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); if (trailer != NULL && trailer->data.length != 0) return KRB5_BAD_MSIZE; - + ret = alloc_derived_key(enc, &k1, &d1, &key->keyblock); if (ret != 0) goto cleanup; @@ -334,4 +334,3 @@ const struct krb5_aead_provider krb5int_aead_arcfour = { krb5int_arcfour_encrypt_iov, krb5int_arcfour_decrypt_iov }; - diff --git a/src/lib/crypto/openssl/arcfour/arcfour_s2k.c b/src/lib/crypto/openssl/arcfour/arcfour_s2k.c index 09c9b7689..1aaaa1cc4 100644 --- a/src/lib/crypto/openssl/arcfour/arcfour_s2k.c +++ b/src/lib/crypto/openssl/arcfour/arcfour_s2k.c @@ -19,7 +19,7 @@ krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc, if (params != NULL) return KRB5_ERR_BAD_S2K_PARAMS; - + if (key->length != 16) return (KRB5_BAD_MSIZE); @@ -40,7 +40,7 @@ krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc, krb5int_MD4Final(&md4_context); memcpy(key->contents, md4_context.digest, 16); -#if 0 +#if 0 /* test the string_to_key function */ printf("Hash="); { diff --git a/src/lib/crypto/openssl/des/des_int.h b/src/lib/crypto/openssl/des/des_int.h index 67d776053..84d678c99 100644 --- a/src/lib/crypto/openssl/des/des_int.h +++ b/src/lib/crypto/openssl/des/des_int.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +22,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Private include file for the Data Encryption Standard library. */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +47,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -112,7 +112,7 @@ KRB5INT_DES_DEPRECATED; * have an exact 32-bit int, and nothing should be looking inside a * des_key_schedule anyway. */ -typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] +typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] KRB5INT_DES_DEPRECATED; typedef des_cblock mit_des_cblock; @@ -162,7 +162,7 @@ extern int mit_des_check_key_parity (mit_des_cblock ); /* string2key.c */ extern krb5_error_code mit_des_string_to_key - ( const krb5_encrypt_block *, + ( const krb5_encrypt_block *, krb5_keyblock *, const krb5_data *, const krb5_data *); extern krb5_error_code mit_des_string_to_key_int (krb5_keyblock *, const krb5_data *, const krb5_data *); diff --git a/src/lib/crypto/openssl/des/des_oldapis.c b/src/lib/crypto/openssl/des/des_oldapis.c index b08a6d004..c931efc3d 100644 --- a/src/lib/crypto/openssl/des/des_oldapis.c +++ b/src/lib/crypto/openssl/des/des_oldapis.c @@ -37,7 +37,7 @@ mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out, const krb5_octet *ivec) { /* Unsupported operation */ - return KRB5_CRYPTO_INTERNAL; + return KRB5_CRYPTO_INTERNAL; } krb5_error_code @@ -53,4 +53,3 @@ mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule) /* Unsupported operation */ return KRB5_CRYPTO_INTERNAL; } - diff --git a/src/lib/crypto/openssl/des/f_parity.c b/src/lib/crypto/openssl/des/f_parity.c index ceb6a37c5..bc33eb80c 100644 --- a/src/lib/crypto/openssl/des/f_parity.c +++ b/src/lib/crypto/openssl/des/f_parity.c @@ -45,4 +45,3 @@ mit_des_check_key_parity(mit_des_cblock key) return(0); return (1); } - diff --git a/src/lib/crypto/openssl/des/string2key.c b/src/lib/crypto/openssl/des/string2key.c index 008449a0f..6034e86c7 100644 --- a/src/lib/crypto/openssl/des/string2key.c +++ b/src/lib/crypto/openssl/des/string2key.c @@ -37,7 +37,6 @@ mit_des_string_to_key_int (krb5_keyblock *key, if ( key->length < sizeof(outkey)) return KRB5_CRYPTO_INTERNAL; key->length = sizeof(outkey); - memcpy(key->contents, outkey, key->length); + memcpy(key->contents, outkey, key->length); return 0; } - diff --git a/src/lib/crypto/openssl/des/weak_key.c b/src/lib/crypto/openssl/des/weak_key.c index 7f9708392..4d7e99b8b 100644 --- a/src/lib/crypto/openssl/des/weak_key.c +++ b/src/lib/crypto/openssl/des/weak_key.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Under U.S. law, this software may not be exported outside the US * without license from the U.S. Commerce department. @@ -76,7 +76,7 @@ mit_des_is_weak_key(mit_des_cblock key) const mit_des_cblock *weak_p = weak; for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) { - if (!memcmp(weak_p++,key,sizeof(mit_des_cblock))) + if (!memcmp(weak_p++,key,sizeof(mit_des_cblock))) return 1; } if ( DES_is_weak_key(key) == 1) /* Also OpenSSL's check */ @@ -84,4 +84,3 @@ mit_des_is_weak_key(mit_des_cblock key) return 0; } - diff --git a/src/lib/crypto/openssl/enc_provider/aes.c b/src/lib/crypto/openssl/enc_provider/aes.c index 21d71f8a3..51ba8afa6 100644 --- a/src/lib/crypto/openssl/enc_provider/aes.c +++ b/src/lib/crypto/openssl/enc_provider/aes.c @@ -88,7 +88,7 @@ cbc_enc(krb5_key key, const krb5_data *ivec, NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); if (ret == 1){ - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length); output->length = tmp_len; @@ -130,7 +130,7 @@ cbc_decr(krb5_key key, const krb5_data *ivec, ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length), NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); if (ret == 1) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length); output->length = tmp_len; @@ -515,4 +515,3 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { krb5int_aes_encrypt_iov, krb5int_aes_decrypt_iov }; - diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c index 208a0d16d..9c30ef172 100644 --- a/src/lib/crypto/openssl/enc_provider/des.c +++ b/src/lib/crypto/openssl/enc_provider/des.c @@ -354,4 +354,3 @@ const struct krb5_enc_provider krb5int_enc_des = { k5_des_encrypt_iov, k5_des_decrypt_iov }; - diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c index 4d08bc4b1..7228a46b2 100644 --- a/src/lib/crypto/openssl/enc_provider/des3.c +++ b/src/lib/crypto/openssl/enc_provider/des3.c @@ -365,4 +365,3 @@ const struct krb5_enc_provider krb5int_enc_des3 = { k5_des3_encrypt_iov, k5_des3_decrypt_iov }; - diff --git a/src/lib/crypto/openssl/enc_provider/enc_provider.h b/src/lib/crypto/openssl/enc_provider/enc_provider.h index d46e1b446..49ffaafea 100644 --- a/src/lib/crypto/openssl/enc_provider/enc_provider.h +++ b/src/lib/crypto/openssl/enc_provider/enc_provider.h @@ -33,4 +33,3 @@ extern const struct krb5_enc_provider krb5int_enc_aes128; extern const struct krb5_enc_provider krb5int_enc_aes256; extern const struct krb5_enc_provider krb5int_enc_aes128_ctr; extern const struct krb5_enc_provider krb5int_enc_aes256_ctr; - diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c index 42a3aea1c..a7c3020ea 100644 --- a/src/lib/crypto/openssl/enc_provider/rc4.c +++ b/src/lib/crypto/openssl/enc_provider/rc4.c @@ -40,7 +40,7 @@ #include #define RC4_KEY_SIZE 16 -#define RC4_BLOCK_SIZE 1 +#define RC4_BLOCK_SIZE 1 /* Interface layer to kerb5 crypto layer */ @@ -48,7 +48,7 @@ static krb5_error_code k5_arcfour_docrypt(krb5_key, const krb5_data *, const krb5_data *, krb5_data *); -static krb5_error_code +static krb5_error_code k5_arcfour_free_state ( krb5_data *state); static krb5_error_code k5_arcfour_init_state (const krb5_keyblock *key, @@ -160,7 +160,7 @@ k5_arcfour_init_state (const krb5_keyblock *key, } -/* Since the arcfour cipher is identical going forwards and backwards, +/* Since the arcfour cipher is identical going forwards and backwards, we just call "docrypt" directly */ const struct krb5_enc_provider krb5int_enc_arcfour = { @@ -171,7 +171,7 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { system, and to attempt to work with the MSFT system forces us to 16byte/128bit. Since there is no parity in the key, the byte and length are the same. */ - RC4_KEY_SIZE, RC4_KEY_SIZE, + RC4_KEY_SIZE, RC4_KEY_SIZE, k5_arcfour_docrypt, k5_arcfour_docrypt, krb5int_arcfour_make_key, @@ -180,4 +180,3 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_docrypt_iov, k5_arcfour_docrypt_iov }; - diff --git a/src/lib/crypto/openssl/hash_provider/hash_crc32.c b/src/lib/crypto/openssl/hash_provider/hash_crc32.c index a3d3028e8..771a7d6f3 100644 --- a/src/lib/crypto/openssl/hash_provider/hash_crc32.c +++ b/src/lib/crypto/openssl/hash_provider/hash_crc32.c @@ -34,7 +34,7 @@ k5_crc32_hash(unsigned int icount, const krb5_data *input, { unsigned long c, cn; unsigned int i; - + if (output->length != CRC32_CKSUM_LENGTH) return(KRB5_CRYPTO_INTERNAL); diff --git a/src/lib/crypto/openssl/hash_provider/hash_md4.c b/src/lib/crypto/openssl/hash_provider/hash_md4.c index 3a4a4d530..916da0fa5 100644 --- a/src/lib/crypto/openssl/hash_provider/hash_md4.c +++ b/src/lib/crypto/openssl/hash_provider/hash_md4.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/openssl/hash_provider/hash_md5.c b/src/lib/crypto/openssl/hash_provider/hash_md5.c index 10840d0d9..e1e29f06e 100644 --- a/src/lib/crypto/openssl/hash_provider/hash_md5.c +++ b/src/lib/crypto/openssl/hash_provider/hash_md5.c @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/openssl/hash_provider/hash_provider.h b/src/lib/crypto/openssl/hash_provider/hash_provider.h index 4fa46097d..1023d1a45 100644 --- a/src/lib/crypto/openssl/hash_provider/hash_provider.h +++ b/src/lib/crypto/openssl/hash_provider/hash_provider.h @@ -1,13 +1,13 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +18,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. diff --git a/src/lib/crypto/openssl/hash_provider/hash_sha1.c b/src/lib/crypto/openssl/hash_provider/hash_sha1.c index d217086e6..18ee830f6 100644 --- a/src/lib/crypto/openssl/hash_provider/hash_sha1.c +++ b/src/lib/crypto/openssl/hash_provider/hash_sha1.c @@ -1,14 +1,14 @@ /* lib/crypto/openssl/hash/yhash.h * * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -19,7 +19,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -58,4 +58,3 @@ const struct krb5_hash_provider krb5int_hash_sha1 = { SHS_DATASIZE, k5_sha1_hash }; - diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c index 0f374d80f..b1768e0e9 100644 --- a/src/lib/crypto/openssl/hmac.c +++ b/src/lib/crypto/openssl/hmac.c @@ -85,7 +85,7 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash, const krb5_keyblock *key, unsigned int icount, const krb5_data *input, krb5_data *output) { - unsigned int i = 0, md_len = 0; + unsigned int i = 0, md_len = 0; unsigned char md[EVP_MAX_MD_SIZE]; HMAC_CTX c; size_t hashsize, blocksize; diff --git a/src/lib/crypto/openssl/md4/md4.c b/src/lib/crypto/openssl/md4/md4.c index f38900fb5..cd7684d66 100644 --- a/src/lib/crypto/openssl/md4/md4.c +++ b/src/lib/crypto/openssl/md4/md4.c @@ -48,4 +48,3 @@ krb5int_MD4Final (krb5_MD4_CTX *mdContext) EVP_DigestFinal_ex(&mdContext->ossl_md4_ctx, mdContext->digest , NULL); EVP_MD_CTX_cleanup(&mdContext->ossl_md4_ctx ); } - diff --git a/src/lib/crypto/openssl/md4/rsa-md4.h b/src/lib/crypto/openssl/md4/rsa-md4.h index ec4e0458f..93737e68b 100644 --- a/src/lib/crypto/openssl/md4/rsa-md4.h +++ b/src/lib/crypto/openssl/md4/rsa-md4.h @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * RSA MD4 header file, with Kerberos/STDC additions. */ diff --git a/src/lib/crypto/openssl/md5/md5.c b/src/lib/crypto/openssl/md5/md5.c index 472acc34d..84c6d4919 100644 --- a/src/lib/crypto/openssl/md5/md5.c +++ b/src/lib/crypto/openssl/md5/md5.c @@ -31,7 +31,7 @@ /* The routine krb5int_MD5Init initializes the message-digest context mdContext. All fields are set to zero. */ -void +void krb5int_MD5Init (krb5_MD5_CTX *mdContext) { EVP_MD_CTX_init(&mdContext->ossl_md5_ctx); @@ -57,4 +57,3 @@ krb5int_MD5Final (krb5_MD5_CTX *mdContext) EVP_DigestFinal_ex(&mdContext->ossl_md5_ctx, mdContext->digest, NULL); EVP_MD_CTX_cleanup(&mdContext->ossl_md5_ctx); } - diff --git a/src/lib/crypto/openssl/pbkdf2.c b/src/lib/crypto/openssl/pbkdf2.c index b80f5015a..2681739a5 100644 --- a/src/lib/crypto/openssl/pbkdf2.c +++ b/src/lib/crypto/openssl/pbkdf2.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Implementation of PBKDF2 from RFC 2898. * Not currently used; likely to be used when we get around to AES support. @@ -42,12 +42,11 @@ krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count, const krb5_data *pass, const krb5_data *salt) { /* - * This is an implementation of PKCS#5 v2.0 + * This is an implementation of PKCS#5 v2.0 * Does not return an error */ PKCS5_PBKDF2_HMAC_SHA1(pass->data, pass->length, (unsigned char *)salt->data, salt->length, count, out->length, (unsigned char *)out->data); - return 0; + return 0; } - diff --git a/src/lib/crypto/openssl/sha1/shs.c b/src/lib/crypto/openssl/sha1/shs.c index 5dcf4b9a0..98eeef39a 100644 --- a/src/lib/crypto/openssl/sha1/shs.c +++ b/src/lib/crypto/openssl/sha1/shs.c @@ -57,5 +57,3 @@ void shsFinal(SHS_INFO *shsInfo) EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen); EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx ); } - - diff --git a/src/lib/crypto/openssl/yhash.h b/src/lib/crypto/openssl/yhash.h index 94c557c64..95fee18c9 100644 --- a/src/lib/crypto/openssl/yhash.h +++ b/src/lib/crypto/openssl/yhash.h @@ -22,9 +22,8 @@ HASH_CTX *ctx = (x); \ shsFinal(ctx); \ memcpy(out2, ctx->digestBuf, ctx->digestLen); \ - } while(0) + } while(0) #define HASH_DIGEST_SIZE SHS_DIGESTSIZE #endif /* YHASH_H */ - diff --git a/src/lib/glue4.c b/src/lib/glue4.c index bf9bbd8a0..7b8095304 100644 --- a/src/lib/glue4.c +++ b/src/lib/glue4.c @@ -14,6 +14,6 @@ krb5_data string_list2[3] = { }; krb5_data *princ2[] = {&string_list2[0], &string_list2[1], &string_list2[2], 0}; - + krb5_last_req_entry lrentries[] = { {32000, 1}, {0, 3}, {10, 2} }; krb5_last_req_entry *lrfoo1[] = {&lrentries[0], &lrentries[1], &lrentries[2], 0}; diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c index 14724619a..8b1e4def4 100644 --- a/src/lib/gssapi/generic/gssapi_generic.c +++ b/src/lib/gssapi/generic/gssapi_generic.c @@ -152,4 +152,3 @@ GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME = oids+6; gss_OID gss_nt_exported_name = oids+6; GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY = oids+7; - diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c index 8390e7ba0..bda3a5ab5 100644 --- a/src/lib/gssapi/generic/oid_ops.c +++ b/src/lib/gssapi/generic/oid_ops.c @@ -444,7 +444,7 @@ generic_gss_oid_compose( i = -1; while (suffix) { op[i] = (unsigned char)suffix & 0x7f; - if (i != -1) + if (i != -1) op[i] |= 0x80; i--; suffix >>= 7; @@ -566,4 +566,3 @@ done: return (major); } - diff --git a/src/lib/gssapi/generic/util_buffer_set.c b/src/lib/gssapi/generic/util_buffer_set.c index edb61b80f..41875c9eb 100644 --- a/src/lib/gssapi/generic/util_buffer_set.c +++ b/src/lib/gssapi/generic/util_buffer_set.c @@ -123,4 +123,3 @@ OM_uint32 generic_gss_release_buffer_set return GSS_S_COMPLETE; } - diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index ef80116ad..2c5ca9a66 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -766,4 +766,3 @@ gss_krb5int_set_cred_rcache(OM_uint32 *minor_status, *minor_status = 0; return GSS_S_COMPLETE; } - diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index eaf1c4d02..5cec4b927 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -300,4 +300,3 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *minor_status, return generic_gss_add_buffer_set_member(minor_status, &rep, data_set); } - diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c index 034550122..f9bf03016 100644 --- a/src/lib/gssapi/krb5/krb5_gss_glue.c +++ b/src/lib/gssapi/krb5/krb5_gss_glue.c @@ -416,4 +416,3 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, return GSS_S_COMPLETE; } - diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c index 14b9b006d..4e7247e42 100644 --- a/src/lib/gssapi/krb5/naming_exts.c +++ b/src/lib/gssapi/krb5/naming_exts.c @@ -719,4 +719,3 @@ krb5_gss_display_name_ext(OM_uint32 *minor_status, { } #endif - diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c index cae45039c..866159f04 100644 --- a/src/lib/gssapi/krb5/s4u_gss_glue.c +++ b/src/lib/gssapi/krb5/s4u_gss_glue.c @@ -365,4 +365,3 @@ cleanup: return major_status; } - diff --git a/src/lib/gssapi/krb5/seal.c b/src/lib/gssapi/krb5/seal.c index d84e2eecf..7bdcb344b 100644 --- a/src/lib/gssapi/krb5/seal.c +++ b/src/lib/gssapi/krb5/seal.c @@ -79,4 +79,3 @@ krb5_gss_wrap_iov_length(OM_uint32 *minor_status, qop_req, conf_state, iov, iov_count); return major_status; } - diff --git a/src/lib/gssapi/krb5/unseal.c b/src/lib/gssapi/krb5/unseal.c index 5366effc1..4b612a241 100644 --- a/src/lib/gssapi/krb5/unseal.c +++ b/src/lib/gssapi/krb5/unseal.c @@ -64,4 +64,3 @@ krb5_gss_unwrap_iov(OM_uint32 *minor_status, return major_status; } - diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c index dc4391593..b4b152551 100644 --- a/src/lib/gssapi/mechglue/g_accept_sec_context.c +++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -144,9 +144,9 @@ gss_cred_id_t * d_cred; * underlying mechanism context handle. Otherwise, cast the * value of *context_handle to the union context variable. */ - + if(*context_handle == GSS_C_NO_CONTEXT) { - + if (input_token_buffer == GSS_C_NO_BUFFER) return (GSS_S_CALL_INACCESSIBLE_READ); @@ -177,20 +177,20 @@ gss_cred_id_t * d_cred; union_ctx_id = (gss_union_ctx_id_t)*context_handle; token_mech_type = union_ctx_id->mech_type; } - - /* + + /* * get the appropriate cred handle from the union cred struct. * defaults to GSS_C_NO_CREDENTIAL if there is no cred, which will * use the default credential. */ union_cred = (gss_union_cred_t) verifier_cred_handle; input_cred_handle = gssint_get_mechanism_cred(union_cred, token_mech_type); - + /* * now select the approprate underlying mechanism routine and * call it. */ - + mech = gssint_get_mechanism (token_mech_type); if (mech && mech->gss_accept_sec_context) { @@ -209,7 +209,7 @@ gss_cred_id_t * d_cred; /* If there's more work to do, keep going... */ if (status == GSS_S_CONTINUE_NEEDED) return GSS_S_CONTINUE_NEEDED; - + /* if the call failed, return with failure */ if (status != GSS_S_COMPLETE) { map_error(minor_status, mech); @@ -344,7 +344,7 @@ gss_cred_id_t * d_cred; status = GSS_S_BAD_MECH; } - + error_out: if (union_ctx_id) { if (union_ctx_id->mech_type) { @@ -369,4 +369,3 @@ error_out: return (status); } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/gssapi/mechglue/g_buffer_set.c b/src/lib/gssapi/mechglue/g_buffer_set.c index 1b2621c6b..38d744dc1 100644 --- a/src/lib/gssapi/mechglue/g_buffer_set.c +++ b/src/lib/gssapi/mechglue/g_buffer_set.c @@ -54,4 +54,3 @@ OM_uint32 KRB5_CALLCONV gss_release_buffer_set { return generic_gss_release_buffer_set(minor_status, buffer_set); } - diff --git a/src/lib/gssapi/mechglue/g_compare_name.c b/src/lib/gssapi/mechglue/g_compare_name.c index 153e9b615..af2e76bbd 100644 --- a/src/lib/gssapi/mechglue/g_compare_name.c +++ b/src/lib/gssapi/mechglue/g_compare_name.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -74,7 +74,7 @@ int * name_equal; gss_union_name_t union_name1, union_name2; gss_mechanism mech = NULL; gss_name_t internal_name; - + major_status = val_comp_name_args(minor_status, name1, name2, name_equal); if (major_status != GSS_S_COMPLETE) @@ -102,7 +102,7 @@ int * name_equal; if (!mech->gss_compare_name) return (GSS_S_UNAVAILABLE); } - + *name_equal = 0; /* Default to *not* equal.... */ /* @@ -129,7 +129,7 @@ int * name_equal; /* * Second case... both names are NOT mechanism specific. - * + * * All we do here is make sure the two name_types are equal and then * that the external_names are equal. Note the we do not take care * of the case where two different external names map to the same @@ -176,7 +176,7 @@ int * name_equal; /* * Final case... one name is mechanism specific, the other isn't. - * + * * We attempt to convert the general name to the mechanism type of * the mechanism-specific name, and then do the compare. If we * can't import the general name, then we return that the name is @@ -206,5 +206,5 @@ int * name_equal; gssint_release_internal_name(&temp_minor, union_name1->mech_type, &internal_name); return (major_status); - + } diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c index 4293b078e..2ff8d0996 100644 --- a/src/lib/gssapi/mechglue/g_context_time.c +++ b/src/lib/gssapi/mechglue/g_context_time.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -56,10 +56,10 @@ OM_uint32 * time_rec; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - + if (mech) { if (mech->gss_context_time) { @@ -74,6 +74,6 @@ OM_uint32 * time_rec; return(status); } - + return (GSS_S_BAD_MECH); } diff --git a/src/lib/gssapi/mechglue/g_del_name_attr.c b/src/lib/gssapi/mechglue/g_del_name_attr.c index 4c5064217..b72ee3b51 100644 --- a/src/lib/gssapi/mechglue/g_del_name_attr.c +++ b/src/lib/gssapi/mechglue/g_del_name_attr.c @@ -67,4 +67,3 @@ gss_delete_name_attribute(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c index 2fcd3c2d1..4bf0dec5c 100644 --- a/src/lib/gssapi/mechglue/g_delete_sec_context.c +++ b/src/lib/gssapi/mechglue/g_delete_sec_context.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -61,7 +61,7 @@ val_del_sec_ctx_args( } -OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV gss_delete_sec_context (minor_status, context_handle, output_token) @@ -82,11 +82,11 @@ gss_buffer_t output_token; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) *context_handle; if (GSSINT_CHK_LOOP(ctx)) return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - + status = gssint_delete_internal_sec_context(minor_status, ctx->mech_type, &ctx->internal_ctx_id, diff --git a/src/lib/gssapi/mechglue/g_dsp_status.c b/src/lib/gssapi/mechglue/g_dsp_status.c index 49b79e15d..435726609 100644 --- a/src/lib/gssapi/mechglue/g_dsp_status.c +++ b/src/lib/gssapi/mechglue/g_dsp_status.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c index f2ee5a5b7..03a6f2b7e 100644 --- a/src/lib/gssapi/mechglue/g_exp_sec_context.c +++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -93,14 +93,14 @@ gss_buffer_t interprocess_token; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) *context_handle; mech = gssint_get_mechanism (ctx->mech_type); if (!mech) return GSS_S_BAD_MECH; if (!mech->gss_export_sec_context) return (GSS_S_UNAVAILABLE); - + status = mech->gss_export_sec_context(minor_status, &ctx->internal_ctx_id, &token); if (status != GSS_S_COMPLETE) { @@ -133,7 +133,7 @@ gss_buffer_t interprocess_token; free(ctx->mech_type); free(ctx); *context_handle = 0; - + return(GSS_S_COMPLETE); } #endif /*LEAN_CLIENT */ diff --git a/src/lib/gssapi/mechglue/g_export_name.c b/src/lib/gssapi/mechglue/g_export_name.c index d9545b798..c845f8caf 100644 --- a/src/lib/gssapi/mechglue/g_export_name.c +++ b/src/lib/gssapi/mechglue/g_export_name.c @@ -56,4 +56,3 @@ gss_buffer_t exported_name; return gssint_export_internal_name(minor_status, union_name->mech_type, union_name->mech_name, exported_name); } - diff --git a/src/lib/gssapi/mechglue/g_export_name_comp.c b/src/lib/gssapi/mechglue/g_export_name_comp.c index 24eaf247e..ab538a095 100644 --- a/src/lib/gssapi/mechglue/g_export_name_comp.c +++ b/src/lib/gssapi/mechglue/g_export_name_comp.c @@ -70,4 +70,3 @@ gss_export_name_composite(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_get_name_attr.c b/src/lib/gssapi/mechglue/g_get_name_attr.c index 66238f0aa..fcd9558dd 100644 --- a/src/lib/gssapi/mechglue/g_get_name_attr.c +++ b/src/lib/gssapi/mechglue/g_get_name_attr.c @@ -86,4 +86,3 @@ gss_get_name_attribute(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c index 711c58fd8..3de298cb5 100644 --- a/src/lib/gssapi/mechglue/g_glue.c +++ b/src/lib/gssapi/mechglue/g_glue.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -190,7 +190,7 @@ OM_uint32 gssint_get_mech_type_oid(OID, token) { unsigned char * buffer_ptr; int length; - + /* * This routine reads the prefix of "token" in order to determine * its mechanism type. It assumes the encoding suggested in @@ -213,15 +213,15 @@ OM_uint32 gssint_get_mech_type_oid(OID, token) * * The routine fills in the OID value and returns an error as necessary. */ - + if (OID == NULL) return (GSS_S_CALL_INACCESSIBLE_WRITE); if ((token == NULL) || (token->value == NULL)) return (GSS_S_DEFECTIVE_TOKEN); - + /* Skip past the APP/Sequnce byte and the token length */ - + buffer_ptr = (unsigned char *) token->value; if (*(buffer_ptr++) != 0x60) @@ -237,10 +237,10 @@ OM_uint32 gssint_get_mech_type_oid(OID, token) return (GSS_S_DEFECTIVE_TOKEN); buffer_ptr += length & 0x7f; } - + if (*(buffer_ptr++) != 0x06) return (GSS_S_DEFECTIVE_TOKEN); - + OID->length = (OM_uint32) *(buffer_ptr++); OID->elements = (void *) buffer_ptr; return (GSS_S_COMPLETE); @@ -329,7 +329,7 @@ import_internal_name_composite(OM_uint32 *minor_status, } #endif -OM_uint32 gssint_import_internal_name (minor_status, mech_type, union_name, +OM_uint32 gssint_import_internal_name (minor_status, mech_type, union_name, internal_name) OM_uint32 *minor_status; gss_OID mech_type; @@ -487,7 +487,7 @@ OM_uint32 gssint_export_internal_name(minor_status, mech_type, return (GSS_S_COMPLETE); } /* gssint_export_internal_name */ -OM_uint32 gssint_display_internal_name (minor_status, mech_type, internal_name, +OM_uint32 gssint_display_internal_name (minor_status, mech_type, internal_name, external_name, name_type) OM_uint32 *minor_status; gss_OID mech_type; @@ -609,7 +609,7 @@ OM_uint32 gssint_convert_name_to_union_name(minor_status, mech, major_status = GSS_S_FAILURE; goto allocation_failure; } - + major_status = mech->gss_display_name(minor_status, internal_name, union_name->external_name, @@ -710,4 +710,3 @@ gssint_create_copy_buffer(srcBuf, destBuf, addNullChar) return (GSS_S_COMPLETE); } /* ****** gssint_create_copy_buffer ****** */ - diff --git a/src/lib/gssapi/mechglue/g_imp_name.c b/src/lib/gssapi/mechglue/g_imp_name.c index 6137b9825..e5179e7c9 100644 --- a/src/lib/gssapi/mechglue/g_imp_name.c +++ b/src/lib/gssapi/mechglue/g_imp_name.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -364,4 +364,3 @@ importExportName(minor, unionName) } return major; } /* importExportName */ - diff --git a/src/lib/gssapi/mechglue/g_imp_sec_context.c b/src/lib/gssapi/mechglue/g_imp_sec_context.c index 7aa1165b0..7679c92de 100644 --- a/src/lib/gssapi/mechglue/g_imp_sec_context.c +++ b/src/lib/gssapi/mechglue/g_imp_sec_context.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -132,7 +132,7 @@ gss_ctx_id_t * context_handle; * select the approprate underlying mechanism routine and * call it. */ - + mech = gssint_get_mechanism (ctx->mech_type); if (!mech) { status = GSS_S_BAD_MECH; @@ -142,7 +142,7 @@ gss_ctx_id_t * context_handle; status = GSS_S_UNAVAILABLE; goto error_out; } - + status = mech->gss_import_sec_context(minor_status, &token, &ctx->internal_ctx_id); @@ -152,7 +152,7 @@ gss_ctx_id_t * context_handle; return (GSS_S_COMPLETE); } map_error(minor_status, mech); - + error_out: if (ctx) { if (ctx->mech_type) { diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c index 10c8bf971..21bc345e6 100644 --- a/src/lib/gssapi/mechglue/g_init_sec_context.c +++ b/src/lib/gssapi/mechglue/g_init_sec_context.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -140,7 +140,7 @@ OM_uint32 * time_rec; mech_type = (gss_OID)req_mech_type; union_name = (gss_union_name_t)target_name; - + /* * obtain the gss mechanism information for the requested * mechanism. If mech_type is NULL, set it to the resultant @@ -177,7 +177,7 @@ OM_uint32 * time_rec; * underlying mechanism context handle. Otherwise, cast the * value of *context_handle to the union context variable. */ - + if(*context_handle == GSS_C_NO_CONTEXT) { status = GSS_S_FAILURE; union_ctx_id = (gss_union_ctx_id_t) @@ -195,19 +195,19 @@ OM_uint32 * time_rec; union_ctx_id->internal_ctx_id = GSS_C_NO_CONTEXT; } else union_ctx_id = *context_handle; - - /* + + /* * get the appropriate cred handle from the union cred struct. * defaults to GSS_C_NO_CREDENTIAL if there is no cred, which will * use the default credential. */ union_cred = (gss_union_cred_t) claimant_cred_handle; input_cred_handle = gssint_get_mechanism_cred(union_cred, mech_type); - + /* - * now call the approprate underlying mechanism routine + * now call the approprate underlying mechanism routine */ - + status = mech->gss_init_sec_context( minor_status, input_cred_handle, diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c index 41aa6821b..3929f761b 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c +++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -567,9 +567,9 @@ updateMechList(void) { char *fileName; struct stat fileInfo; - + fileName = MECH_CONF; - + /* check if mechList needs updating */ if (stat(fileName, &fileInfo) == 0 && (fileInfo.st_mtime > g_confFileModTime)) { diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c index 013b1768b..fbb4127d8 100644 --- a/src/lib/gssapi/mechglue/g_inq_context.c +++ b/src/lib/gssapi/mechglue/g_inq_context.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -101,10 +101,10 @@ gss_inquire_context( * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - + if (!mech || !mech->gss_inquire_context || !mech->gss_display_name || !mech->gss_release_name) { return (GSS_S_UNAVAILABLE); @@ -157,4 +157,3 @@ gss_inquire_context( *mech_type = &mech->mech_type; return(GSS_S_COMPLETE); } - diff --git a/src/lib/gssapi/mechglue/g_inq_context_oid.c b/src/lib/gssapi/mechglue/g_inq_context_oid.c index 379ec419c..469aa7080 100644 --- a/src/lib/gssapi/mechglue/g_inq_context_oid.c +++ b/src/lib/gssapi/mechglue/g_inq_context_oid.c @@ -69,4 +69,3 @@ gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, return GSS_S_BAD_MECH; } - diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c index a14424399..bce6e5b79 100644 --- a/src/lib/gssapi/mechglue/g_inq_cred.c +++ b/src/lib/gssapi/mechglue/g_inq_cred.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -85,7 +85,7 @@ gss_OID_set * mechanisms; if (!mech->gss_inquire_cred) return (GSS_S_UNAVAILABLE); - + status = mech->gss_inquire_cred(minor_status, GSS_C_NO_CREDENTIAL, name ? &internal_name : NULL, @@ -115,33 +115,33 @@ gss_OID_set * mechanisms; } } return(GSS_S_COMPLETE); - } - + } + /* get the cred_handle cast as a union_credentials structure */ - + union_cred = (gss_union_cred_t) cred_handle; - + /* * get the information out of the union_cred structure that was * placed there during gss_acquire_cred. */ - + if(cred_usage != NULL) *cred_usage = union_cred->auxinfo.cred_usage; - + if(lifetime != NULL) { elapsed_time = time(0) - union_cred->auxinfo.creation_time; *lifetime = union_cred->auxinfo.time_rec < elapsed_time ? 0 : union_cred->auxinfo.time_rec - elapsed_time; } - + /* * if name is non_null, * call gss_import_name(), giving it the printable name held within * union_cred in order to get an internal name to pass back to the * caller. If this call fails, return failure to our caller. */ - + if(name != NULL) { if (union_cred->auxinfo.name.length == 0) { *name = GSS_C_NO_NAME; @@ -161,7 +161,7 @@ gss_OID_set * mechanisms; * copy the mechanism set in union_cred into an OID set and return in * the mechanisms parameter. */ - + if(mechanisms != NULL) { status = GSS_S_FAILURE; *mechanisms = (gss_OID_set) malloc(sizeof(gss_OID_set_desc)); @@ -189,7 +189,7 @@ gss_OID_set * mechanisms; (*mechanisms)->count++; } } - + return(GSS_S_COMPLETE); error: @@ -239,7 +239,7 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, return (GSS_S_BAD_MECH); if (!mech->gss_inquire_cred_by_mech) return (GSS_S_BAD_BINDINGS); - + union_cred = (gss_union_cred_t) cred_handle; mech_cred = gssint_get_mechanism_cred(union_cred, mech_type); @@ -253,7 +253,7 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, name ? &internal_name : NULL, initiator_lifetime, acceptor_lifetime, cred_usage); - + if (status != GSS_S_COMPLETE) { map_error(minor_status, mech); return (status); @@ -275,4 +275,3 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, return (GSS_S_COMPLETE); } - diff --git a/src/lib/gssapi/mechglue/g_inq_cred_oid.c b/src/lib/gssapi/mechglue/g_inq_cred_oid.c index c2cc27d33..288c08044 100644 --- a/src/lib/gssapi/mechglue/g_inq_cred_oid.c +++ b/src/lib/gssapi/mechglue/g_inq_cred_oid.c @@ -53,7 +53,7 @@ static OM_uint32 append_to_buffer_set(OM_uint32 *minor_status, status = GSS_S_COMPLETE; - for (i = 0; i < src->count; i++) { + for (i = 0; i < src->count; i++) { status = gss_add_buffer_set_member(minor_status, &src->elements[i], dst); @@ -61,7 +61,7 @@ static OM_uint32 append_to_buffer_set(OM_uint32 *minor_status, break; } - return status; + return status; } OM_uint32 KRB5_CALLCONV @@ -121,7 +121,7 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status, break; } - status = append_to_buffer_set(minor_status, &union_set, ret_set); + status = append_to_buffer_set(minor_status, &union_set, ret_set); gss_release_buffer_set(&minor, &ret_set); if (status != GSS_S_COMPLETE) break; @@ -134,4 +134,3 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_inq_name.c b/src/lib/gssapi/mechglue/g_inq_name.c index 260ef20c6..b2681ead9 100644 --- a/src/lib/gssapi/mechglue/g_inq_name.c +++ b/src/lib/gssapi/mechglue/g_inq_name.c @@ -98,4 +98,3 @@ gss_inquire_name(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_inq_names.c b/src/lib/gssapi/mechglue/g_inq_names.c index 597ab9919..d70dc407b 100644 --- a/src/lib/gssapi/mechglue/g_inq_names.c +++ b/src/lib/gssapi/mechglue/g_inq_names.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -62,9 +62,9 @@ gss_OID_set * name_types; * select the approprate underlying mechanism routine and * call it. */ - + mech = gssint_get_mechanism (mechanism); - + if (mech) { if (mech->gss_inquire_names_for_mech) { @@ -79,7 +79,7 @@ gss_OID_set * name_types; return(status); } - + return (GSS_S_BAD_MECH); } diff --git a/src/lib/gssapi/mechglue/g_map_name_to_any.c b/src/lib/gssapi/mechglue/g_map_name_to_any.c index b0fa2be64..3ed19e3c4 100644 --- a/src/lib/gssapi/mechglue/g_map_name_to_any.c +++ b/src/lib/gssapi/mechglue/g_map_name_to_any.c @@ -77,4 +77,3 @@ gss_map_name_to_any(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_mech_invoke.c b/src/lib/gssapi/mechglue/g_mech_invoke.c index d753347d1..0b8019f92 100644 --- a/src/lib/gssapi/mechglue/g_mech_invoke.c +++ b/src/lib/gssapi/mechglue/g_mech_invoke.c @@ -67,4 +67,3 @@ gssspi_mech_invoke (OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_mechname.c b/src/lib/gssapi/mechglue/g_mechname.c index 9ade23456..cfb0a0d2a 100644 --- a/src/lib/gssapi/mechglue/g_mechname.c +++ b/src/lib/gssapi/mechglue/g_mechname.c @@ -84,7 +84,7 @@ gss_add_mech_name_type(minor_status, name_type, mech) } p->name_type = 0; p->mech = 0; - + major_status = generic_gss_copy_oid(minor_status, name_type, &p->name_type); if (major_status) { @@ -103,7 +103,7 @@ gss_add_mech_name_type(minor_status, name_type, mech) name_list = p; return GSS_S_COMPLETE; - + allocation_failure: if (p) { if (p->mech) @@ -114,4 +114,3 @@ allocation_failure: } return GSS_S_FAILURE; } - diff --git a/src/lib/gssapi/mechglue/g_oid_ops.c b/src/lib/gssapi/mechglue/g_oid_ops.c index bd195239c..a68aca9ed 100644 --- a/src/lib/gssapi/mechglue/g_oid_ops.c +++ b/src/lib/gssapi/mechglue/g_oid_ops.c @@ -108,4 +108,3 @@ gssint_copy_oid_set( { return generic_gss_copy_oid_set(minor_status, oidset, new_oidset); } - diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c index 9ed350c02..bc260aeb1 100644 --- a/src/lib/gssapi/mechglue/g_process_context.c +++ b/src/lib/gssapi/mechglue/g_process_context.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -41,7 +41,7 @@ gss_buffer_t token_buffer; OM_uint32 status; gss_union_ctx_id_t ctx; gss_mechanism mech; - + if (minor_status == NULL) return (GSS_S_CALL_INACCESSIBLE_WRITE); *minor_status = 0; @@ -59,7 +59,7 @@ gss_buffer_t token_buffer; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); @@ -77,6 +77,6 @@ gss_buffer_t token_buffer; return(status); } - + return (GSS_S_BAD_MECH); } diff --git a/src/lib/gssapi/mechglue/g_rel_buffer.c b/src/lib/gssapi/mechglue/g_rel_buffer.c index 6f8367a1d..c1104fd8a 100644 --- a/src/lib/gssapi/mechglue/g_rel_buffer.c +++ b/src/lib/gssapi/mechglue/g_rel_buffer.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR diff --git a/src/lib/gssapi/mechglue/g_rel_cred.c b/src/lib/gssapi/mechglue/g_rel_cred.c index df208a0df..2e9a0c75b 100644 --- a/src/lib/gssapi/mechglue/g_rel_cred.c +++ b/src/lib/gssapi/mechglue/g_rel_cred.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -44,7 +44,7 @@ gss_cred_id_t * cred_handle; int j; gss_union_cred_t union_cred; gss_mechanism mech; - + if (minor_status == NULL) return (GSS_S_CALL_INACCESSIBLE_WRITE); @@ -52,13 +52,13 @@ gss_cred_id_t * cred_handle; if (cred_handle == NULL) return (GSS_S_NO_CRED | GSS_S_CALL_INACCESSIBLE_READ); - + /* - * Loop through the union_cred struct, selecting the approprate + * Loop through the union_cred struct, selecting the approprate * underlying mechanism routine and calling it. At the end, * release all of the storage taken by the union_cred struct. */ - + union_cred = (gss_union_cred_t) *cred_handle; if (union_cred == (gss_union_cred_t)GSS_C_NO_CREDENTIAL) return (GSS_S_COMPLETE); @@ -68,7 +68,7 @@ gss_cred_id_t * cred_handle; *cred_handle = NULL; status = GSS_S_COMPLETE; - + for(j=0; j < union_cred->count; j++) { mech = gssint_get_mechanism (&union_cred->mechs_array[j]); @@ -97,6 +97,6 @@ gss_cred_id_t * cred_handle; free(union_cred->cred_array); free(union_cred->mechs_array); free(union_cred); - + return(status); } diff --git a/src/lib/gssapi/mechglue/g_rel_name.c b/src/lib/gssapi/mechglue/g_rel_name.c index 84d1af839..e8ac6c34a 100644 --- a/src/lib/gssapi/mechglue/g_rel_name.c +++ b/src/lib/gssapi/mechglue/g_rel_name.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -42,11 +42,11 @@ gss_name_t * input_name; { gss_union_name_t union_name; - + if (minor_status == NULL) return (GSS_S_CALL_INACCESSIBLE_WRITE); *minor_status = 0; - + /* if input_name is NULL, return error */ if (input_name == NULL) return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); @@ -58,7 +58,7 @@ gss_name_t * input_name; * free up the space for the external_name and then * free the union_name descriptor */ - + union_name = (gss_union_name_t) *input_name; if (GSSINT_CHK_LOOP(union_name)) return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); diff --git a/src/lib/gssapi/mechglue/g_rel_name_mapping.c b/src/lib/gssapi/mechglue/g_rel_name_mapping.c index b9159a115..9420ae80d 100644 --- a/src/lib/gssapi/mechglue/g_rel_name_mapping.c +++ b/src/lib/gssapi/mechglue/g_rel_name_mapping.c @@ -75,4 +75,3 @@ gss_release_any_name_mapping(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_rel_oid_set.c b/src/lib/gssapi/mechglue/g_rel_oid_set.c index 84c6ce6c9..fa008d6bb 100644 --- a/src/lib/gssapi/mechglue/g_rel_oid_set.c +++ b/src/lib/gssapi/mechglue/g_rel_oid_set.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR diff --git a/src/lib/gssapi/mechglue/g_seal.c b/src/lib/gssapi/mechglue/g_seal.c index 9faa5ddb0..acb4c3651 100644 --- a/src/lib/gssapi/mechglue/g_seal.c +++ b/src/lib/gssapi/mechglue/g_seal.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -100,10 +100,10 @@ gss_buffer_t output_message_buffer; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - + if (mech) { if (mech->gss_wrap) { status = mech->gss_wrap( @@ -133,7 +133,7 @@ gss_buffer_t output_message_buffer; return(status); } /* EXPORT DELETE END */ - + return (GSS_S_BAD_MECH); } @@ -236,7 +236,7 @@ gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, if (minor_status == NULL) return (GSS_S_CALL_INACCESSIBLE_WRITE); *minor_status = 0; - + if (context_handle == GSS_C_NO_CONTEXT) return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); @@ -247,7 +247,7 @@ gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); diff --git a/src/lib/gssapi/mechglue/g_set_context_option.c b/src/lib/gssapi/mechglue/g_set_context_option.c index 2f4ba36ae..6a666dcd5 100644 --- a/src/lib/gssapi/mechglue/g_set_context_option.c +++ b/src/lib/gssapi/mechglue/g_set_context_option.c @@ -108,4 +108,3 @@ gss_set_sec_context_option (OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_set_cred_option.c b/src/lib/gssapi/mechglue/g_set_cred_option.c index bac8c5b50..fc8ed4c76 100644 --- a/src/lib/gssapi/mechglue/g_set_cred_option.c +++ b/src/lib/gssapi/mechglue/g_set_cred_option.c @@ -82,4 +82,3 @@ gssspi_set_cred_option(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_set_name_attr.c b/src/lib/gssapi/mechglue/g_set_name_attr.c index 14df2319d..1ec72fc27 100644 --- a/src/lib/gssapi/mechglue/g_set_name_attr.c +++ b/src/lib/gssapi/mechglue/g_set_name_attr.c @@ -71,4 +71,3 @@ gss_set_name_attribute(OM_uint32 *minor_status, return status; } - diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c index eec0f49b4..86d641aa2 100644 --- a/src/lib/gssapi/mechglue/g_sign.c +++ b/src/lib/gssapi/mechglue/g_sign.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -132,4 +132,3 @@ gss_buffer_t msg_token; return (gss_get_mic(minor_status, context_handle, (gss_qop_t) qop_req, message_buffer, msg_token)); } - diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c index c6b33506b..3e8053c6e 100644 --- a/src/lib/gssapi/mechglue/g_unseal.c +++ b/src/lib/gssapi/mechglue/g_unseal.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c index 7dcc27701..8be6d6ab1 100644 --- a/src/lib/gssapi/mechglue/g_unwrap_aead.c +++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -149,7 +149,7 @@ gssint_unwrap_aead (gss_mechanism mech, } else status = GSS_S_UNAVAILABLE; /* EXPORT DELETE END */ - + return (status); } @@ -187,7 +187,7 @@ gss_qop_t *qop_state; */ ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - + if (!mech) return (GSS_S_BAD_MECH); @@ -195,4 +195,3 @@ gss_qop_t *qop_state; input_message_buffer, input_assoc_buffer, output_payload_buffer, conf_state, qop_state); } - diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c index ebef1a70a..aad9c7695 100644 --- a/src/lib/gssapi/mechglue/g_unwrap_iov.c +++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -87,10 +87,10 @@ int iov_count; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - + if (mech) { if (mech->gss_unwrap_iov) { status = mech->gss_unwrap_iov( @@ -104,11 +104,10 @@ int iov_count; map_error(minor_status, mech); } else status = GSS_S_UNAVAILABLE; - + return(status); } /* EXPORT DELETE END */ - + return (GSS_S_BAD_MECH); } - diff --git a/src/lib/gssapi/mechglue/g_userok.c b/src/lib/gssapi/mechglue/g_userok.c index 90fa90335..dbb0f02ec 100644 --- a/src/lib/gssapi/mechglue/g_userok.c +++ b/src/lib/gssapi/mechglue/g_userok.c @@ -111,4 +111,3 @@ gssint_userok(OM_uint32 *minor, return (major); } /* gss_userok */ - diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c index da3279cc7..1578ae111 100644 --- a/src/lib/gssapi/mechglue/g_verify.c +++ b/src/lib/gssapi/mechglue/g_verify.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c index ff170e237..7c059b469 100644 --- a/src/lib/gssapi/mechglue/g_wrap_aead.c +++ b/src/lib/gssapi/mechglue/g_wrap_aead.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -219,7 +219,7 @@ gssint_wrap_aead (gss_mechanism mech, /* EXPORT DELETE END */ - return status; + return status; } OM_uint32 KRB5_CALLCONV @@ -264,4 +264,4 @@ gss_buffer_t output_message_buffer; conf_req_flag, qop_req, input_assoc_buffer, input_payload_buffer, conf_state, output_message_buffer); -} +} diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c index 8d054b259..9586c587e 100644 --- a/src/lib/gssapi/mechglue/g_wrap_iov.c +++ b/src/lib/gssapi/mechglue/g_wrap_iov.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -91,10 +91,10 @@ int iov_count; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - + if (mech) { if (mech->gss_wrap_iov) { status = mech->gss_wrap_iov( @@ -109,11 +109,11 @@ int iov_count; map_error(minor_status, mech); } else status = GSS_S_UNAVAILABLE; - + return(status); } /* EXPORT DELETE END */ - + return (GSS_S_BAD_MECH); } @@ -149,10 +149,10 @@ int iov_count; * select the approprate underlying mechanism routine and * call it. */ - + ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - + if (mech) { if (mech->gss_wrap_iov_length) { status = mech->gss_wrap_iov_length( @@ -167,11 +167,11 @@ int iov_count; map_error(minor_status, mech); } else status = GSS_S_UNAVAILABLE; - + return(status); } /* EXPORT DELETE END */ - + return (GSS_S_BAD_MECH); } @@ -204,4 +204,3 @@ int iov_count; return status; } - diff --git a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c index c310f1630..8b8277f75 100644 --- a/src/lib/gssapi/mechglue/gssd_pname_to_uid.c +++ b/src/lib/gssapi/mechglue/gssd_pname_to_uid.c @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -26,7 +26,7 @@ * glue routines that test the mech id either passed in to * gss_init_sec_contex() or gss_accept_sec_context() or within the glue * routine supported version of the security context and then call - * the appropriate underlying mechanism library procedure. + * the appropriate underlying mechanism library procedure. * */ @@ -64,4 +64,3 @@ uid_t * uid; return(status); } - diff --git a/src/lib/gssapi/mechglue/mechglue.h b/src/lib/gssapi/mechglue/mechglue.h index 7f3334aec..85983694a 100644 --- a/src/lib/gssapi/mechglue/mechglue.h +++ b/src/lib/gssapi/mechglue/mechglue.h @@ -2,7 +2,7 @@ /* * Copyright 1996 by Sun Microsystems, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -12,7 +12,7 @@ * without specific, written prior permission. Sun Microsystems makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h index 177db62cc..f35ac1447 100644 --- a/src/lib/gssapi/mechglue/mglueP.h +++ b/src/lib/gssapi/mechglue/mglueP.h @@ -114,9 +114,9 @@ OM_uint32 gssint_get_mech_type_oid(gss_OID OID, gss_buffer_t token); * * This contants all of the functions defined in gssapi.h except for * gss_release_buffer() and gss_release_oid_set(), which I am - * assuming, for now, to be equal across mechanisms. + * assuming, for now, to be equal across mechanisms. */ - + typedef struct gss_config { gss_OID_desc mech_type; void * context; diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 999a5e3e8..2aa8ad5dd 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -6,7 +6,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -216,7 +216,7 @@ static struct gss_config spnego_mechanism = #ifndef LEAN_CLIENT spnego_gss_accept_sec_context, #else - NULL, + NULL, #endif /* LEAN_CLIENT */ NULL, /* gss_process_context_token */ spnego_gss_delete_sec_context, /* gss_delete_sec_context */ @@ -2571,7 +2571,7 @@ get_available_mechs(OM_uint32 *minor_status, */ if (found > 0 && major_status == GSS_S_COMPLETE && creds != NULL) { major_status = gss_acquire_cred(minor_status, - name, GSS_C_INDEFINITE, + name, GSS_C_INDEFINITE, *rmechs, usage, creds, &goodmechs, NULL); @@ -3704,9 +3704,9 @@ is_kerb_mech(gss_OID oid) int answer = 0; OM_uint32 minor; extern const gss_OID_set_desc * const gss_mech_set_krb5_both; - + (void) gss_test_oid_set_member(&minor, oid, (gss_OID_set)gss_mech_set_krb5_both, &answer); - + return (answer); } diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index 5105c5e45..4196a19e2 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kadm5/admin.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved @@ -42,18 +43,18 @@ #ifndef __KADM5_ADMIN_H__ #define __KADM5_ADMIN_H__ -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include +#include +#include #ifndef KADM5INT_BEGIN_DECLS #if defined(__cplusplus) -#define KADM5INT_BEGIN_DECLS extern "C" { -#define KADM5INT_END_DECLS } +#define KADM5INT_BEGIN_DECLS extern "C" { +#define KADM5INT_END_DECLS } #else #define KADM5INT_BEGIN_DECLS #define KADM5INT_END_DECLS @@ -62,210 +63,210 @@ KADM5INT_BEGIN_DECLS -#define KADM5_ADMIN_SERVICE "kadmin/admin" -#define KADM5_CHANGEPW_SERVICE "kadmin/changepw" -#define KADM5_HIST_PRINCIPAL "kadmin/history" +#define KADM5_ADMIN_SERVICE "kadmin/admin" +#define KADM5_CHANGEPW_SERVICE "kadmin/changepw" +#define KADM5_HIST_PRINCIPAL "kadmin/history" #define KADM5_KIPROP_HOST_SERVICE "kiprop" -typedef krb5_principal kadm5_princ_t; -typedef char *kadm5_policy_t; -typedef long kadm5_ret_t; +typedef krb5_principal kadm5_princ_t; +typedef char *kadm5_policy_t; +typedef long kadm5_ret_t; -#define KADM5_PW_FIRST_PROMPT \ - (error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT)) -#define KADM5_PW_SECOND_PROMPT \ - (error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT)) +#define KADM5_PW_FIRST_PROMPT \ + (error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT)) +#define KADM5_PW_SECOND_PROMPT \ + (error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT)) /* * Successful return code */ -#define KADM5_OK 0 +#define KADM5_OK 0 /* * Field masks */ /* kadm5_principal_ent_t */ -#define KADM5_PRINCIPAL 0x000001 -#define KADM5_PRINC_EXPIRE_TIME 0x000002 -#define KADM5_PW_EXPIRATION 0x000004 -#define KADM5_LAST_PWD_CHANGE 0x000008 -#define KADM5_ATTRIBUTES 0x000010 -#define KADM5_MAX_LIFE 0x000020 -#define KADM5_MOD_TIME 0x000040 -#define KADM5_MOD_NAME 0x000080 -#define KADM5_KVNO 0x000100 -#define KADM5_MKVNO 0x000200 -#define KADM5_AUX_ATTRIBUTES 0x000400 -#define KADM5_POLICY 0x000800 -#define KADM5_POLICY_CLR 0x001000 +#define KADM5_PRINCIPAL 0x000001 +#define KADM5_PRINC_EXPIRE_TIME 0x000002 +#define KADM5_PW_EXPIRATION 0x000004 +#define KADM5_LAST_PWD_CHANGE 0x000008 +#define KADM5_ATTRIBUTES 0x000010 +#define KADM5_MAX_LIFE 0x000020 +#define KADM5_MOD_TIME 0x000040 +#define KADM5_MOD_NAME 0x000080 +#define KADM5_KVNO 0x000100 +#define KADM5_MKVNO 0x000200 +#define KADM5_AUX_ATTRIBUTES 0x000400 +#define KADM5_POLICY 0x000800 +#define KADM5_POLICY_CLR 0x001000 /* version 2 masks */ -#define KADM5_MAX_RLIFE 0x002000 -#define KADM5_LAST_SUCCESS 0x004000 -#define KADM5_LAST_FAILED 0x008000 -#define KADM5_FAIL_AUTH_COUNT 0x010000 -#define KADM5_KEY_DATA 0x020000 -#define KADM5_TL_DATA 0x040000 +#define KADM5_MAX_RLIFE 0x002000 +#define KADM5_LAST_SUCCESS 0x004000 +#define KADM5_LAST_FAILED 0x008000 +#define KADM5_FAIL_AUTH_COUNT 0x010000 +#define KADM5_KEY_DATA 0x020000 +#define KADM5_TL_DATA 0x040000 #ifdef notyet /* Novell */ #define KADM5_CPW_FUNCTION 0x080000 #define KADM5_RANDKEY_USED 0x100000 #endif -#define KADM5_LOAD 0x200000 +#define KADM5_LOAD 0x200000 /* all but KEY_DATA, TL_DATA, LOAD */ #define KADM5_PRINCIPAL_NORMAL_MASK 0x41ffff /* kadm5_policy_ent_t */ -#define KADM5_PW_MAX_LIFE 0x004000 -#define KADM5_PW_MIN_LIFE 0x008000 -#define KADM5_PW_MIN_LENGTH 0x010000 -#define KADM5_PW_MIN_CLASSES 0x020000 -#define KADM5_PW_HISTORY_NUM 0x040000 -#define KADM5_REF_COUNT 0x080000 -#define KADM5_PW_MAX_FAILURE 0x100000 -#define KADM5_PW_FAILURE_COUNT_INTERVAL 0x200000 -#define KADM5_PW_LOCKOUT_DURATION 0x400000 +#define KADM5_PW_MAX_LIFE 0x004000 +#define KADM5_PW_MIN_LIFE 0x008000 +#define KADM5_PW_MIN_LENGTH 0x010000 +#define KADM5_PW_MIN_CLASSES 0x020000 +#define KADM5_PW_HISTORY_NUM 0x040000 +#define KADM5_REF_COUNT 0x080000 +#define KADM5_PW_MAX_FAILURE 0x100000 +#define KADM5_PW_FAILURE_COUNT_INTERVAL 0x200000 +#define KADM5_PW_LOCKOUT_DURATION 0x400000 /* kadm5_config_params */ -#define KADM5_CONFIG_REALM 0x00000001 -#define KADM5_CONFIG_DBNAME 0x00000002 -#define KADM5_CONFIG_MKEY_NAME 0x00000004 -#define KADM5_CONFIG_MAX_LIFE 0x00000008 -#define KADM5_CONFIG_MAX_RLIFE 0x00000010 -#define KADM5_CONFIG_EXPIRATION 0x00000020 -#define KADM5_CONFIG_FLAGS 0x00000040 -#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080 -#define KADM5_CONFIG_STASH_FILE 0x00000100 -#define KADM5_CONFIG_ENCTYPE 0x00000200 -#define KADM5_CONFIG_ADBNAME 0x00000400 -#define KADM5_CONFIG_ADB_LOCKFILE 0x00000800 -/*#define KADM5_CONFIG_PROFILE 0x00001000*/ -#define KADM5_CONFIG_ACL_FILE 0x00002000 -#define KADM5_CONFIG_KADMIND_PORT 0x00004000 -#define KADM5_CONFIG_ENCTYPES 0x00008000 -#define KADM5_CONFIG_ADMIN_SERVER 0x00010000 -#define KADM5_CONFIG_DICT_FILE 0x00020000 -#define KADM5_CONFIG_MKEY_FROM_KBD 0x00040000 -#define KADM5_CONFIG_KPASSWD_PORT 0x00080000 -#define KADM5_CONFIG_OLD_AUTH_GSSAPI 0x00100000 -#define KADM5_CONFIG_NO_AUTH 0x00200000 -#define KADM5_CONFIG_AUTH_NOFALLBACK 0x00400000 +#define KADM5_CONFIG_REALM 0x00000001 +#define KADM5_CONFIG_DBNAME 0x00000002 +#define KADM5_CONFIG_MKEY_NAME 0x00000004 +#define KADM5_CONFIG_MAX_LIFE 0x00000008 +#define KADM5_CONFIG_MAX_RLIFE 0x00000010 +#define KADM5_CONFIG_EXPIRATION 0x00000020 +#define KADM5_CONFIG_FLAGS 0x00000040 +#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080 +#define KADM5_CONFIG_STASH_FILE 0x00000100 +#define KADM5_CONFIG_ENCTYPE 0x00000200 +#define KADM5_CONFIG_ADBNAME 0x00000400 +#define KADM5_CONFIG_ADB_LOCKFILE 0x00000800 +/*#define KADM5_CONFIG_PROFILE 0x00001000*/ +#define KADM5_CONFIG_ACL_FILE 0x00002000 +#define KADM5_CONFIG_KADMIND_PORT 0x00004000 +#define KADM5_CONFIG_ENCTYPES 0x00008000 +#define KADM5_CONFIG_ADMIN_SERVER 0x00010000 +#define KADM5_CONFIG_DICT_FILE 0x00020000 +#define KADM5_CONFIG_MKEY_FROM_KBD 0x00040000 +#define KADM5_CONFIG_KPASSWD_PORT 0x00080000 +#define KADM5_CONFIG_OLD_AUTH_GSSAPI 0x00100000 +#define KADM5_CONFIG_NO_AUTH 0x00200000 +#define KADM5_CONFIG_AUTH_NOFALLBACK 0x00400000 #ifdef notyet /* Novell */ #define KADM5_CONFIG_KPASSWD_SERVER 0x00800000 #endif -#define KADM5_CONFIG_IPROP_ENABLED 0x01000000 -#define KADM5_CONFIG_ULOG_SIZE 0x02000000 -#define KADM5_CONFIG_POLL_TIME 0x04000000 -#define KADM5_CONFIG_IPROP_LOGFILE 0x08000000 -#define KADM5_CONFIG_IPROP_PORT 0x10000000 -#define KADM5_CONFIG_KVNO 0x20000000 +#define KADM5_CONFIG_IPROP_ENABLED 0x01000000 +#define KADM5_CONFIG_ULOG_SIZE 0x02000000 +#define KADM5_CONFIG_POLL_TIME 0x04000000 +#define KADM5_CONFIG_IPROP_LOGFILE 0x08000000 +#define KADM5_CONFIG_IPROP_PORT 0x10000000 +#define KADM5_CONFIG_KVNO 0x20000000 /* * permission bits */ -#define KADM5_PRIV_GET 0x01 -#define KADM5_PRIV_ADD 0x02 -#define KADM5_PRIV_MODIFY 0x04 -#define KADM5_PRIV_DELETE 0x08 +#define KADM5_PRIV_GET 0x01 +#define KADM5_PRIV_ADD 0x02 +#define KADM5_PRIV_MODIFY 0x04 +#define KADM5_PRIV_DELETE 0x08 /* * API versioning constants */ -#define KADM5_MASK_BITS 0xffffff00 +#define KADM5_MASK_BITS 0xffffff00 -#define KADM5_STRUCT_VERSION_MASK 0x12345600 -#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01) -#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1 +#define KADM5_STRUCT_VERSION_MASK 0x12345600 +#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01) +#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1 -#define KADM5_API_VERSION_MASK 0x12345700 -#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02) -#define KADM5_API_VERSION_3 (KADM5_API_VERSION_MASK|0x03) +#define KADM5_API_VERSION_MASK 0x12345700 +#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02) +#define KADM5_API_VERSION_3 (KADM5_API_VERSION_MASK|0x03) typedef struct _kadm5_principal_ent_t { - krb5_principal principal; - krb5_timestamp princ_expire_time; - krb5_timestamp last_pwd_change; - krb5_timestamp pw_expiration; - krb5_deltat max_life; - krb5_principal mod_name; - krb5_timestamp mod_date; - krb5_flags attributes; - krb5_kvno kvno; - krb5_kvno mkvno; - char *policy; - long aux_attributes; - - /* version 2 fields */ - krb5_deltat max_renewable_life; - krb5_timestamp last_success; - krb5_timestamp last_failed; - krb5_kvno fail_auth_count; - krb5_int16 n_key_data; - krb5_int16 n_tl_data; - krb5_tl_data *tl_data; - krb5_key_data *key_data; + krb5_principal principal; + krb5_timestamp princ_expire_time; + krb5_timestamp last_pwd_change; + krb5_timestamp pw_expiration; + krb5_deltat max_life; + krb5_principal mod_name; + krb5_timestamp mod_date; + krb5_flags attributes; + krb5_kvno kvno; + krb5_kvno mkvno; + char *policy; + long aux_attributes; + + /* version 2 fields */ + krb5_deltat max_renewable_life; + krb5_timestamp last_success; + krb5_timestamp last_failed; + krb5_kvno fail_auth_count; + krb5_int16 n_key_data; + krb5_int16 n_tl_data; + krb5_tl_data *tl_data; + krb5_key_data *key_data; } kadm5_principal_ent_rec, *kadm5_principal_ent_t; typedef struct _kadm5_policy_ent_t { - char *policy; - long pw_min_life; - long pw_max_life; - long pw_min_length; - long pw_min_classes; - long pw_history_num; - long policy_refcnt; - - /* version 3 fields */ - krb5_kvno pw_max_fail; - krb5_deltat pw_failcnt_interval; - krb5_deltat pw_lockout_duration; + char *policy; + long pw_min_life; + long pw_max_life; + long pw_min_length; + long pw_min_classes; + long pw_history_num; + long policy_refcnt; + + /* version 3 fields */ + krb5_kvno pw_max_fail; + krb5_deltat pw_failcnt_interval; + krb5_deltat pw_lockout_duration; } kadm5_policy_ent_rec, *kadm5_policy_ent_t; /* * Data structure returned by kadm5_get_config_params() */ typedef struct _kadm5_config_params { - long mask; - char * realm; - int kadmind_port; - int kpasswd_port; + long mask; + char * realm; + int kadmind_port; + int kpasswd_port; - char * admin_server; + char * admin_server; #ifdef notyet /* Novell */ /* ABI change? */ - char * kpasswd_server; + char * kpasswd_server; #endif - /* Deprecated except for db2 backwards compatibility. Don't add - new uses except as fallbacks for parameters that should be - specified in the database module section of the config - file. */ - char * dbname; - - /* dummy fields to preserve abi for now */ - char * admin_dbname_was_here; - char * admin_lockfile_was_here; - - char * admin_keytab; - char * acl_file; - char * dict_file; - - int mkey_from_kbd; - char * stash_file; - char * mkey_name; - krb5_enctype enctype; - krb5_deltat max_life; - krb5_deltat max_rlife; - krb5_timestamp expiration; - krb5_flags flags; - krb5_key_salt_tuple *keysalts; - krb5_int32 num_keysalts; - krb5_kvno kvno; - bool_t iprop_enabled; - uint32_t iprop_ulogsize; - krb5_deltat iprop_poll_time; - char * iprop_logfile; -/* char * iprop_server;*/ - int iprop_port; + /* Deprecated except for db2 backwards compatibility. Don't add + new uses except as fallbacks for parameters that should be + specified in the database module section of the config + file. */ + char * dbname; + + /* dummy fields to preserve abi for now */ + char * admin_dbname_was_here; + char * admin_lockfile_was_here; + + char * admin_keytab; + char * acl_file; + char * dict_file; + + int mkey_from_kbd; + char * stash_file; + char * mkey_name; + krb5_enctype enctype; + krb5_deltat max_life; + krb5_deltat max_rlife; + krb5_timestamp expiration; + krb5_flags flags; + krb5_key_salt_tuple *keysalts; + krb5_int32 num_keysalts; + krb5_kvno kvno; + bool_t iprop_enabled; + uint32_t iprop_ulogsize; + krb5_deltat iprop_poll_time; + char * iprop_logfile; +/* char * iprop_server;*/ + int iprop_port; } kadm5_config_params; /*********************************************************************** @@ -278,31 +279,31 @@ typedef struct _kadm5_config_params { * Data structure returned by krb5_read_realm_params() */ typedef struct __krb5_realm_params { - char * realm_profile; - char * realm_dbname; - char * realm_mkey_name; - char * realm_stash_file; - char * realm_kdc_ports; - char * realm_kdc_tcp_ports; - char * realm_acl_file; + char * realm_profile; + char * realm_dbname; + char * realm_mkey_name; + char * realm_stash_file; + char * realm_kdc_ports; + char * realm_kdc_tcp_ports; + char * realm_acl_file; char * realm_host_based_services; char * realm_no_host_referral; - krb5_int32 realm_kadmind_port; - krb5_enctype realm_enctype; - krb5_deltat realm_max_life; - krb5_deltat realm_max_rlife; - krb5_timestamp realm_expiration; - krb5_flags realm_flags; - krb5_key_salt_tuple *realm_keysalts; - unsigned int realm_reject_bad_transit:1; - unsigned int realm_kadmind_port_valid:1; - unsigned int realm_enctype_valid:1; - unsigned int realm_max_life_valid:1; - unsigned int realm_max_rlife_valid:1; - unsigned int realm_expiration_valid:1; - unsigned int realm_flags_valid:1; - unsigned int realm_reject_bad_transit_valid:1; - krb5_int32 realm_num_keysalts; + krb5_int32 realm_kadmind_port; + krb5_enctype realm_enctype; + krb5_deltat realm_max_life; + krb5_deltat realm_max_rlife; + krb5_timestamp realm_expiration; + krb5_flags realm_flags; + krb5_key_salt_tuple *realm_keysalts; + unsigned int realm_reject_bad_transit:1; + unsigned int realm_kadmind_port_valid:1; + unsigned int realm_enctype_valid:1; + unsigned int realm_max_life_valid:1; + unsigned int realm_max_rlife_valid:1; + unsigned int realm_expiration_valid:1; + unsigned int realm_flags_valid:1; + unsigned int realm_reject_bad_transit_valid:1; + krb5_int32 realm_num_keysalts; } krb5_realm_params; /* @@ -310,18 +311,18 @@ typedef struct __krb5_realm_params { */ krb5_error_code kadm5_get_config_params(krb5_context context, - int use_kdc_config, - kadm5_config_params *params_in, - kadm5_config_params *params_out); + int use_kdc_config, + kadm5_config_params *params_in, + kadm5_config_params *params_out); -krb5_error_code kadm5_free_config_params(krb5_context context, - kadm5_config_params *params); +krb5_error_code kadm5_free_config_params(krb5_context context, + kadm5_config_params *params); krb5_error_code kadm5_free_realm_params(krb5_context kcontext, - kadm5_config_params *params); + kadm5_config_params *params); krb5_error_code kadm5_get_admin_service_name(krb5_context, char *, - char *, size_t); + char *, size_t); /* * For all initialization functions, the caller must first initialize @@ -331,109 +332,109 @@ krb5_error_code kadm5_get_admin_service_name(krb5_context, char *, */ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, - char *pass, char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle); + char *pass, char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle); kadm5_ret_t kadm5_init_with_password(krb5_context context, - char *client_name, - char *pass, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle); + char *client_name, + char *pass, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle); kadm5_ret_t kadm5_init_with_skey(krb5_context context, - char *client_name, - char *keytab, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle); + char *client_name, + char *keytab, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle); kadm5_ret_t kadm5_init_with_creds(krb5_context context, - char *client_name, - krb5_ccache cc, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle); + char *client_name, + krb5_ccache cc, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle); kadm5_ret_t kadm5_lock(void *server_handle); kadm5_ret_t kadm5_unlock(void *server_handle); kadm5_ret_t kadm5_flush(void *server_handle); kadm5_ret_t kadm5_destroy(void *server_handle); kadm5_ret_t kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t ent, - long mask, char *pass); + kadm5_principal_ent_t ent, + long mask, char *pass); kadm5_ret_t kadm5_create_principal_3(void *server_handle, - kadm5_principal_ent_t ent, - long mask, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *pass); + kadm5_principal_ent_t ent, + long mask, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + char *pass); kadm5_ret_t kadm5_delete_principal(void *server_handle, - krb5_principal principal); + krb5_principal principal); kadm5_ret_t kadm5_modify_principal(void *server_handle, - kadm5_principal_ent_t ent, - long mask); + kadm5_principal_ent_t ent, + long mask); kadm5_ret_t kadm5_rename_principal(void *server_handle, - krb5_principal,krb5_principal); + krb5_principal,krb5_principal); kadm5_ret_t kadm5_get_principal(void *server_handle, - krb5_principal principal, - kadm5_principal_ent_t ent, - long mask); + krb5_principal principal, + kadm5_principal_ent_t ent, + long mask); kadm5_ret_t kadm5_chpass_principal(void *server_handle, - krb5_principal principal, - char *pass); + krb5_principal principal, + char *pass); kadm5_ret_t kadm5_chpass_principal_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *pass); + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + char *pass); kadm5_ret_t kadm5_randkey_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock **keyblocks, - int *n_keys); + krb5_principal principal, + krb5_keyblock **keyblocks, + int *n_keys); kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **keyblocks, - int *n_keys); + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + krb5_keyblock **keyblocks, + int *n_keys); kadm5_ret_t kadm5_setv4key_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock *keyblock); + krb5_principal principal, + krb5_keyblock *keyblock); kadm5_ret_t kadm5_setkey_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock *keyblocks, - int n_keys); + krb5_principal principal, + krb5_keyblock *keyblocks, + int n_keys); kadm5_ret_t kadm5_setkey_principal_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock *keyblocks, - int n_keys); + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + krb5_keyblock *keyblocks, + int n_keys); kadm5_ret_t kadm5_decrypt_key(void *server_handle, - kadm5_principal_ent_t entry, krb5_int32 - ktype, krb5_int32 stype, krb5_int32 - kvno, krb5_keyblock *keyblock, - krb5_keysalt *keysalt, int *kvnop); + kadm5_principal_ent_t entry, krb5_int32 + ktype, krb5_int32 stype, krb5_int32 + kvno, krb5_keyblock *keyblock, + krb5_keysalt *keysalt, int *kvnop); kadm5_ret_t kadm5_create_policy(void *server_handle, - kadm5_policy_ent_t ent, - long mask); + kadm5_policy_ent_t ent, + long mask); /* * kadm5_create_policy_internal is not part of the supported, * exposed API. It is available only in the server library, and you @@ -441,13 +442,13 @@ kadm5_ret_t kadm5_create_policy(void *server_handle, * different from kadm5_create_policy. */ kadm5_ret_t kadm5_create_policy_internal(void *server_handle, - kadm5_policy_ent_t - entry, long mask); + kadm5_policy_ent_t + entry, long mask); kadm5_ret_t kadm5_delete_policy(void *server_handle, - kadm5_policy_t policy); + kadm5_policy_t policy); kadm5_ret_t kadm5_modify_policy(void *server_handle, - kadm5_policy_ent_t ent, - long mask); + kadm5_policy_ent_t ent, + long mask); /* * kadm5_modify_policy_internal is not part of the supported, * exposed API. It is available only in the server library, and you @@ -455,41 +456,41 @@ kadm5_ret_t kadm5_modify_policy(void *server_handle, * different from kadm5_modify_policy. */ kadm5_ret_t kadm5_modify_policy_internal(void *server_handle, - kadm5_policy_ent_t - entry, long mask); + kadm5_policy_ent_t + entry, long mask); kadm5_ret_t kadm5_get_policy(void *server_handle, - kadm5_policy_t policy, - kadm5_policy_ent_t ent); + kadm5_policy_t policy, + kadm5_policy_ent_t ent); kadm5_ret_t kadm5_get_privs(void *server_handle, - long *privs); + long *privs); kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, - krb5_principal princ, - char *new_pw, - char **ret_pw, - char *msg_ret, - unsigned int msg_len); + krb5_principal princ, + char *new_pw, + char **ret_pw, + char *msg_ret, + unsigned int msg_len); kadm5_ret_t kadm5_free_principal_ent(void *server_handle, - kadm5_principal_ent_t - ent); + kadm5_principal_ent_t + ent); kadm5_ret_t kadm5_free_policy_ent(void *server_handle, - kadm5_policy_ent_t ent); + kadm5_policy_ent_t ent); kadm5_ret_t kadm5_get_principals(void *server_handle, - char *exp, char ***princs, - int *count); + char *exp, char ***princs, + int *count); kadm5_ret_t kadm5_get_policies(void *server_handle, - char *exp, char ***pols, - int *count); + char *exp, char ***pols, + int *count); kadm5_ret_t kadm5_free_key_data(void *server_handle, - krb5_int16 *n_key_data, - krb5_key_data *key_data); + krb5_int16 *n_key_data, + krb5_key_data *key_data); -kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names, - int count); +kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names, + int count); krb5_error_code kadm5_init_krb5_context (krb5_context *); @@ -501,9 +502,9 @@ krb5_error_code kadm5_init_iprop(void *server_handle, char **db_args); * to the network protocol. */ kadm5_ret_t kadm5_get_principal_keys(void *server_handle, - krb5_principal principal, - krb5_keyblock **keyblocks, - int *n_keys); + krb5_principal principal, + krb5_keyblock **keyblocks, + int *n_keys); KADM5INT_END_DECLS diff --git a/src/lib/kadm5/admin_internal.h b/src/lib/kadm5/admin_internal.h index f08325c8b..dc21a65b3 100644 --- a/src/lib/kadm5/admin_internal.h +++ b/src/lib/kadm5/admin_internal.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -8,32 +9,32 @@ #include -#define KADM5_SERVER_HANDLE_MAGIC 0x12345800 +#define KADM5_SERVER_HANDLE_MAGIC 0x12345800 -#define GENERIC_CHECK_HANDLE(handle, old_api_version, new_api_version) \ -{ \ - kadm5_server_handle_t srvr = \ - (kadm5_server_handle_t) handle; \ - \ - if (! srvr) \ - return KADM5_BAD_SERVER_HANDLE; \ - if (srvr->magic_number != KADM5_SERVER_HANDLE_MAGIC) \ - return KADM5_BAD_SERVER_HANDLE; \ - if ((srvr->struct_version & KADM5_MASK_BITS) != \ - KADM5_STRUCT_VERSION_MASK) \ - return KADM5_BAD_STRUCT_VERSION; \ - if (srvr->struct_version < KADM5_STRUCT_VERSION_1) \ - return KADM5_OLD_STRUCT_VERSION; \ - if (srvr->struct_version > KADM5_STRUCT_VERSION_1) \ - return KADM5_NEW_STRUCT_VERSION; \ - if ((srvr->api_version & KADM5_MASK_BITS) != \ - KADM5_API_VERSION_MASK) \ - return KADM5_BAD_API_VERSION; \ - if (srvr->api_version < KADM5_API_VERSION_2) \ - return old_api_version; \ - if (srvr->api_version > KADM5_API_VERSION_3) \ - return new_api_version; \ -} +#define GENERIC_CHECK_HANDLE(handle, old_api_version, new_api_version) \ + { \ + kadm5_server_handle_t srvr = \ + (kadm5_server_handle_t) handle; \ + \ + if (! srvr) \ + return KADM5_BAD_SERVER_HANDLE; \ + if (srvr->magic_number != KADM5_SERVER_HANDLE_MAGIC) \ + return KADM5_BAD_SERVER_HANDLE; \ + if ((srvr->struct_version & KADM5_MASK_BITS) != \ + KADM5_STRUCT_VERSION_MASK) \ + return KADM5_BAD_STRUCT_VERSION; \ + if (srvr->struct_version < KADM5_STRUCT_VERSION_1) \ + return KADM5_OLD_STRUCT_VERSION; \ + if (srvr->struct_version > KADM5_STRUCT_VERSION_1) \ + return KADM5_NEW_STRUCT_VERSION; \ + if ((srvr->api_version & KADM5_MASK_BITS) != \ + KADM5_API_VERSION_MASK) \ + return KADM5_BAD_API_VERSION; \ + if (srvr->api_version < KADM5_API_VERSION_2) \ + return old_api_version; \ + if (srvr->api_version > KADM5_API_VERSION_3) \ + return new_api_version; \ + } /* * _KADM5_CHECK_HANDLE calls the function _kadm5_check_handle and @@ -53,28 +54,28 @@ * * Got that? */ -#define _KADM5_CHECK_HANDLE(handle) \ -{ int ecode; if ((ecode = _kadm5_check_handle((void *)handle))) return ecode;} +#define _KADM5_CHECK_HANDLE(handle) \ + { int ecode; if ((ecode = _kadm5_check_handle((void *)handle))) return ecode;} int _kadm5_check_handle(void *handle); kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, - void *lhandle, - krb5_principal princ, - char *new_pw, - char **ret_pw, - char *msg_ret, - unsigned int msg_len); + void *lhandle, + krb5_principal princ, + char *new_pw, + char **ret_pw, + char *msg_ret, + unsigned int msg_len); /* this is needed by the alt_prof code I stole. The functions maybe shouldn't be named krb5_*, but they are. */ krb5_error_code krb5_string_to_keysalts(char *string, const char *tupleseps, - const char *ksaltseps, krb5_boolean dups, - krb5_key_salt_tuple **ksaltp, krb5_int32 *nksaltp); + const char *ksaltseps, krb5_boolean dups, + krb5_key_salt_tuple **ksaltp, krb5_int32 *nksaltp); krb5_error_code krb5_string_to_flags(char* string, const char* positive, const char* negative, - krb5_flags *flagsp); + krb5_flags *flagsp); #endif /* __KADM5_ADMIN_INTERNAL_H__ */ diff --git a/src/lib/kadm5/admin_xdr.h b/src/lib/kadm5/admin_xdr.h index 05d1a7ea6..cff22e733 100644 --- a/src/lib/kadm5/admin_xdr.h +++ b/src/lib/kadm5/admin_xdr.h @@ -2,7 +2,7 @@ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * * $Header$ - * + * */ #include diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 55a850d62..5b967a0ce 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kadm/alt_prof.c * @@ -41,15 +42,15 @@ krb5_boolean krb5_match_config_pattern(const char *, const char*); static krb5_key_salt_tuple *copy_key_salt_tuple(ksalt, len) -krb5_key_salt_tuple *ksalt; -krb5_int32 len; + krb5_key_salt_tuple *ksalt; + krb5_int32 len; { - krb5_key_salt_tuple *knew; + krb5_key_salt_tuple *knew; if((knew = (krb5_key_salt_tuple *) - malloc((len ) * sizeof(krb5_key_salt_tuple)))) { - memcpy(knew, ksalt, len * sizeof(krb5_key_salt_tuple)); - return knew; + malloc((len ) * sizeof(krb5_key_salt_tuple)))) { + memcpy(knew, ksalt, len * sizeof(krb5_key_salt_tuple)); + return knew; } return 0; } @@ -275,8 +276,8 @@ krb5_aprof_get_string(acontext, hierarchy, uselast, stringp) } /* - * krb5_aprof_get_string_all() - When the attr identified by "hierarchy" is specified multiple times, - * collect all its string values from the alternate profile. + * krb5_aprof_get_string_all() - When the attr identified by "hierarchy" is specified multiple times, + * collect all its string values from the alternate profile. * * Parameters: * acontext - opaque context for alternate profile. @@ -297,16 +298,16 @@ krb5_aprof_get_string_all(acontext, hierarchy, stringp) char **values; int lastidx = 0; char *tmp = NULL ; - size_t buf_size = 0; + size_t buf_size = 0; kret = krb5_aprof_getvals(acontext, hierarchy, &values); if (!kret) { for (lastidx=0; values[lastidx]; lastidx++); lastidx--; - + buf_size = strlen(values[0])+3; for (lastidx=1; values[lastidx]; lastidx++){ buf_size += strlen(values[lastidx]) + 3; - } + } } if (buf_size > 0) { *stringp = calloc(1,buf_size); @@ -319,12 +320,12 @@ krb5_aprof_get_string_all(acontext, hierarchy, stringp) for (lastidx=1; values[lastidx]; lastidx++){ tmp = strcat(tmp, " "); tmp = strcat(tmp, values[lastidx]); - } + } /* Free the string storage */ profile_free_list(values); } return(kret); -} +} /* @@ -510,9 +511,9 @@ get_deltat_param(krb5_deltat *param_out, krb5_deltat param_in, */ krb5_error_code kadm5_get_config_params(context, use_kdc_config, params_in, params_out) - krb5_context context; - int use_kdc_config; - kadm5_config_params *params_in, *params_out; + krb5_context context; + int use_kdc_config; + kadm5_config_params *params_in, *params_out; { char *filename; char *envname; @@ -531,15 +532,15 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, if (params_in == NULL) params_in = &empty_params; if (params_in->mask & KADM5_CONFIG_REALM) { - lrealm = params.realm = strdup(params_in->realm); - if (params.realm) - params.mask |= KADM5_CONFIG_REALM; + lrealm = params.realm = strdup(params_in->realm); + if (params.realm) + params.mask |= KADM5_CONFIG_REALM; } else { - kret = krb5_get_default_realm(context, &lrealm); - if (kret) - goto cleanup; - params.realm = lrealm; - params.mask |= KADM5_CONFIG_REALM; + kret = krb5_get_default_realm(context, &lrealm); + if (kret) + goto cleanup; + params.realm = lrealm; + params.mask |= KADM5_CONFIG_REALM; } if (params_in->mask & KADM5_CONFIG_KVNO) { @@ -563,16 +564,16 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, kret = krb5_aprof_init(filename, envname, &aprofile); if (kret) - goto cleanup; - + goto cleanup; + /* Initialize realm parameters */ hierarchy[0] = KRB5_CONF_REALMS; hierarchy[1] = lrealm; hierarchy[3] = (char *) NULL; -#define GET_STRING_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ - get_string_param(¶ms.FIELD, params_in->FIELD, \ - ¶ms.mask, params_in->mask, BIT, \ +#define GET_STRING_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ + get_string_param(¶ms.FIELD, params_in->FIELD, \ + ¶ms.mask, params_in->mask, BIT, \ aprofile, hierarchy, CONFTAG, DEFAULT) /* Get the value for the admin server */ @@ -580,13 +581,13 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, NULL); if (params.mask & KADM5_CONFIG_ADMIN_SERVER) { - char *p; - p = strchr(params.admin_server, ':'); - if (p) { - params.kadmind_port = atoi(p+1); - params.mask |= KADM5_CONFIG_KADMIND_PORT; - *p = '\0'; - } + char *p; + p = strchr(params.admin_server, ':'); + if (p) { + params.kadmind_port = atoi(p+1); + params.mask |= KADM5_CONFIG_KADMIND_PORT; + *p = '\0'; + } } /* Get the value for the database */ @@ -607,7 +608,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, if (params.admin_keytab) params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; } - + /* Get the name of the acl file */ GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, KRB5_CONF_ACL_FILE, DEFAULT_KADM5_ACL_FILE); @@ -615,9 +616,9 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, /* Get the name of the dict file */ GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, KRB5_CONF_DICT_FILE, NULL); -#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ - get_port_param(¶ms.FIELD, params_in->FIELD, \ - ¶ms.mask, params_in->mask, BIT, \ +#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ + get_port_param(¶ms.FIELD, params_in->FIELD, \ + ¶ms.mask, params_in->mask, BIT, \ aprofile, hierarchy, CONFTAG, DEFAULT) /* Get the value for the kadmind port */ GET_PORT_PARAM(kadmind_port, KADM5_CONFIG_KADMIND_PORT, @@ -634,33 +635,33 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, /* Get the value for the master key type */ hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE; if (params_in->mask & KADM5_CONFIG_ENCTYPE) { - params.mask |= KADM5_CONFIG_ENCTYPE; - params.enctype = params_in->enctype; + params.mask |= KADM5_CONFIG_ENCTYPE; + params.enctype = params_in->enctype; } else if (aprofile && !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_enctype(svalue, ¶ms.enctype)) { - params.mask |= KADM5_CONFIG_ENCTYPE; - free(svalue); - } + if (!krb5_string_to_enctype(svalue, ¶ms.enctype)) { + params.mask |= KADM5_CONFIG_ENCTYPE; + free(svalue); + } } else { - params.mask |= KADM5_CONFIG_ENCTYPE; - params.enctype = DEFAULT_KDC_ENCTYPE; + params.mask |= KADM5_CONFIG_ENCTYPE; + params.enctype = DEFAULT_KDC_ENCTYPE; } - + /* Get the value for mkey_from_kbd */ if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) { - params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - params.mkey_from_kbd = params_in->mkey_from_kbd; + params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + params.mkey_from_kbd = params_in->mkey_from_kbd; } - + /* Get the value for the stashfile */ GET_STRING_PARAM(stash_file, KADM5_CONFIG_STASH_FILE, KRB5_CONF_KEY_STASH_FILE, NULL); /* Get the value for maximum ticket lifetime. */ -#define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ - get_deltat_param(¶ms.FIELD, params_in->FIELD, \ - ¶ms.mask, params_in->mask, BIT, \ +#define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ + get_deltat_param(¶ms.FIELD, params_in->FIELD, \ + ¶ms.mask, params_in->mask, BIT, \ aprofile, hierarchy, CONFTAG, DEFAULT) GET_DELTAT_PARAM(max_life, KADM5_CONFIG_MAX_LIFE, KRB5_CONF_MAX_LIFE, @@ -673,159 +674,159 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, /* Get the value for the default principal expiration */ hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION; if (params_in->mask & KADM5_CONFIG_EXPIRATION) { - params.mask |= KADM5_CONFIG_EXPIRATION; - params.expiration = params_in->expiration; + params.mask |= KADM5_CONFIG_EXPIRATION; + params.expiration = params_in->expiration; } else if (aprofile && !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_timestamp(svalue, ¶ms.expiration)) { - params.mask |= KADM5_CONFIG_EXPIRATION; - free(svalue); - } + if (!krb5_string_to_timestamp(svalue, ¶ms.expiration)) { + params.mask |= KADM5_CONFIG_EXPIRATION; + free(svalue); + } } else { - params.mask |= KADM5_CONFIG_EXPIRATION; - params.expiration = 0; + params.mask |= KADM5_CONFIG_EXPIRATION; + params.expiration = 0; } - + /* Get the value for the default principal flags */ hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS; if (params_in->mask & KADM5_CONFIG_FLAGS) { - params.mask |= KADM5_CONFIG_FLAGS; - params.flags = params_in->flags; + params.mask |= KADM5_CONFIG_FLAGS; + params.flags = params_in->flags; } else if (aprofile && !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - char *sp, *ep, *tp; - - sp = svalue; - params.flags = 0; - while (sp) { - if ((ep = strchr(sp, (int) ',')) || - (ep = strchr(sp, (int) ' ')) || - (ep = strchr(sp, (int) '\t'))) { - /* Fill in trailing whitespace of sp */ - tp = ep - 1; - while (isspace((int) *tp) && (tp > sp)) { - *tp = '\0'; - tp--; - } - *ep = '\0'; - ep++; - /* Skip over trailing whitespace of ep */ - while (isspace((int) *ep) && (*ep)) ep++; - } - /* Convert this flag */ - if (krb5_string_to_flags(sp, - "+", - "-", - ¶ms.flags)) - break; - sp = ep; - } - if (!sp) - params.mask |= KADM5_CONFIG_FLAGS; - free(svalue); + char *sp, *ep, *tp; + + sp = svalue; + params.flags = 0; + while (sp) { + if ((ep = strchr(sp, (int) ',')) || + (ep = strchr(sp, (int) ' ')) || + (ep = strchr(sp, (int) '\t'))) { + /* Fill in trailing whitespace of sp */ + tp = ep - 1; + while (isspace((int) *tp) && (tp > sp)) { + *tp = '\0'; + tp--; + } + *ep = '\0'; + ep++; + /* Skip over trailing whitespace of ep */ + while (isspace((int) *ep) && (*ep)) ep++; + } + /* Convert this flag */ + if (krb5_string_to_flags(sp, + "+", + "-", + ¶ms.flags)) + break; + sp = ep; + } + if (!sp) + params.mask |= KADM5_CONFIG_FLAGS; + free(svalue); } else { - params.mask |= KADM5_CONFIG_FLAGS; - params.flags = KRB5_KDB_DEF_FLAGS; + params.mask |= KADM5_CONFIG_FLAGS; + params.flags = KRB5_KDB_DEF_FLAGS; } /* Get the value for the supported enctype/salttype matrix */ hierarchy[2] = KRB5_CONF_SUPPORTED_ENCTYPES; if (params_in->mask & KADM5_CONFIG_ENCTYPES) { - /* The following scenario is when the input keysalts are !NULL */ - if(params_in->keysalts) { - params.keysalts = copy_key_salt_tuple(params_in->keysalts, - params_in->num_keysalts); - if(params.keysalts) { - params.mask |= KADM5_CONFIG_ENCTYPES; - params.num_keysalts = params_in->num_keysalts; - } - } else { - params.mask |= KADM5_CONFIG_ENCTYPES; - params.keysalts = 0; - params.num_keysalts = params_in->num_keysalts; - } + /* The following scenario is when the input keysalts are !NULL */ + if(params_in->keysalts) { + params.keysalts = copy_key_salt_tuple(params_in->keysalts, + params_in->num_keysalts); + if(params.keysalts) { + params.mask |= KADM5_CONFIG_ENCTYPES; + params.num_keysalts = params_in->num_keysalts; + } + } else { + params.mask |= KADM5_CONFIG_ENCTYPES; + params.keysalts = 0; + params.num_keysalts = params_in->num_keysalts; + } } else { - svalue = NULL; - if (aprofile) - krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); - if (svalue == NULL) - svalue = strdup(KRB5_DEFAULT_SUPPORTED_ENCTYPES); - - params.keysalts = NULL; - params.num_keysalts = 0; - krb5_string_to_keysalts(svalue, - ", \t",/* Tuple separators */ - ":.-", /* Key/salt separators */ - 0, /* No duplicates */ - ¶ms.keysalts, - ¶ms.num_keysalts); - if (params.num_keysalts) - params.mask |= KADM5_CONFIG_ENCTYPES; - - free(svalue); + svalue = NULL; + if (aprofile) + krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); + if (svalue == NULL) + svalue = strdup(KRB5_DEFAULT_SUPPORTED_ENCTYPES); + + params.keysalts = NULL; + params.num_keysalts = 0; + krb5_string_to_keysalts(svalue, + ", \t",/* Tuple separators */ + ":.-", /* Key/salt separators */ + 0, /* No duplicates */ + ¶ms.keysalts, + ¶ms.num_keysalts); + if (params.num_keysalts) + params.mask |= KADM5_CONFIG_ENCTYPES; + + free(svalue); } - - hierarchy[2] = KRB5_CONF_IPROP_ENABLE; - params.iprop_enabled = FALSE; - params.mask |= KADM5_CONFIG_IPROP_ENABLED; + hierarchy[2] = KRB5_CONF_IPROP_ENABLE; - if (params_in->mask & KADM5_CONFIG_IPROP_ENABLED) { - params.mask |= KADM5_CONFIG_IPROP_ENABLED; - params.iprop_enabled = params_in->iprop_enabled; - } else { - krb5_boolean bvalue; - if (aprofile && - !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { - params.iprop_enabled = bvalue; - params.mask |= KADM5_CONFIG_IPROP_ENABLED; - } + params.iprop_enabled = FALSE; + params.mask |= KADM5_CONFIG_IPROP_ENABLED; + + if (params_in->mask & KADM5_CONFIG_IPROP_ENABLED) { + params.mask |= KADM5_CONFIG_IPROP_ENABLED; + params.iprop_enabled = params_in->iprop_enabled; + } else { + krb5_boolean bvalue; + if (aprofile && + !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { + params.iprop_enabled = bvalue; + params.mask |= KADM5_CONFIG_IPROP_ENABLED; } + } - if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE, - KRB5_CONF_IPROP_LOGFILE, NULL)) { - if (params.mask & KADM5_CONFIG_DBNAME) { - if (asprintf(¶ms.iprop_logfile, "%s.ulog", params.dbname) >= 0) { - params.mask |= KADM5_CONFIG_IPROP_LOGFILE; - } + if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE, + KRB5_CONF_IPROP_LOGFILE, NULL)) { + if (params.mask & KADM5_CONFIG_DBNAME) { + if (asprintf(¶ms.iprop_logfile, "%s.ulog", params.dbname) >= 0) { + params.mask |= KADM5_CONFIG_IPROP_LOGFILE; } } + } - GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT, - KRB5_CONF_IPROP_PORT, 0); + GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT, + KRB5_CONF_IPROP_PORT, 0); - hierarchy[2] = KRB5_CONF_IPROP_MASTER_ULOGSIZE; + hierarchy[2] = KRB5_CONF_IPROP_MASTER_ULOGSIZE; - params.iprop_ulogsize = DEF_ULOGENTRIES; - params.mask |= KADM5_CONFIG_ULOG_SIZE; + params.iprop_ulogsize = DEF_ULOGENTRIES; + params.mask |= KADM5_CONFIG_ULOG_SIZE; - if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) { - params.mask |= KADM5_CONFIG_ULOG_SIZE; - params.iprop_ulogsize = params_in->iprop_ulogsize; - } else { - if (aprofile && !krb5_aprof_get_int32(aprofile, hierarchy, - TRUE, &ivalue)) { - if (ivalue > MAX_ULOGENTRIES) - params.iprop_ulogsize = MAX_ULOGENTRIES; - else if (ivalue <= 0) - params.iprop_ulogsize = DEF_ULOGENTRIES; - else - params.iprop_ulogsize = ivalue; - params.mask |= KADM5_CONFIG_ULOG_SIZE; - } + if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) { + params.mask |= KADM5_CONFIG_ULOG_SIZE; + params.iprop_ulogsize = params_in->iprop_ulogsize; + } else { + if (aprofile && !krb5_aprof_get_int32(aprofile, hierarchy, + TRUE, &ivalue)) { + if (ivalue > MAX_ULOGENTRIES) + params.iprop_ulogsize = MAX_ULOGENTRIES; + else if (ivalue <= 0) + params.iprop_ulogsize = DEF_ULOGENTRIES; + else + params.iprop_ulogsize = ivalue; + params.mask |= KADM5_CONFIG_ULOG_SIZE; } + } - GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, - KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); /* 2m */ + GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, + KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); /* 2m */ *params_out = params; - + cleanup: if (aprofile) krb5_aprof_finish(aprofile); if (kret) { - kadm5_free_config_params(context, ¶ms); - params_out->mask = 0; + kadm5_free_config_params(context, ¶ms); + params_out->mask = 0; } return(kret); } @@ -922,7 +923,7 @@ krb5_read_realm_params(kcontext, realm, rparamp) char *kdcenv = 0; char *no_refrls = 0; char *host_based_srvcs = 0; - + krb5_error_code kret; @@ -944,7 +945,7 @@ krb5_read_realm_params(kcontext, realm, rparamp) kret = krb5_aprof_init(filename, envname, &aprofile); if (kret) goto cleanup; - + rparams = (krb5_realm_params *) malloc(sizeof(krb5_realm_params)); if (rparams == 0) { kret = ENOMEM; @@ -961,7 +962,7 @@ krb5_read_realm_params(kcontext, realm, rparamp) hierarchy[3] = (char *) NULL; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_dbname = svalue; - + /* Get the value for the KDC port list */ hierarchy[2] = KRB5_CONF_KDC_PORTS; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) @@ -974,19 +975,19 @@ krb5_read_realm_params(kcontext, realm, rparamp) hierarchy[2] = KRB5_CONF_ACL_FILE; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_acl_file = svalue; - + /* Get the value for the kadmind port */ hierarchy[2] = KRB5_CONF_KADMIND_PORT; if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { rparams->realm_kadmind_port = ivalue; rparams->realm_kadmind_port_valid = 1; } - + /* Get the value for the master key name */ hierarchy[2] = KRB5_CONF_MASTER_KEY_NAME; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_mkey_name = svalue; - + /* Get the value for the master key type */ hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { @@ -994,26 +995,26 @@ krb5_read_realm_params(kcontext, realm, rparamp) rparams->realm_enctype_valid = 1; free(svalue); } - + /* Get the value for the stashfile */ hierarchy[2] = KRB5_CONF_KEY_STASH_FILE; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_stash_file = svalue; - + /* Get the value for maximum ticket lifetime. */ hierarchy[2] = KRB5_CONF_MAX_LIFE; if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { rparams->realm_max_life = dtvalue; rparams->realm_max_life_valid = 1; } - + /* Get the value for maximum renewable ticket lifetime. */ hierarchy[2] = KRB5_CONF_MAX_RENEWABLE_LIFE; if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { rparams->realm_max_rlife = dtvalue; rparams->realm_max_rlife_valid = 1; } - + /* Get the value for the default principal expiration */ hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { @@ -1030,10 +1031,10 @@ krb5_read_realm_params(kcontext, realm, rparamp) } hierarchy[2] = KRB5_CONF_NO_HOST_REFERRAL; - if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls)) - rparams->realm_no_host_referral = no_refrls; - else - no_refrls = 0; + if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls)) + rparams->realm_no_host_referral = no_refrls; + else + no_refrls = 0; if (!no_refrls || krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == FALSE) { hierarchy[2] = KRB5_CONF_HOST_BASED_SERVICES; @@ -1117,8 +1118,8 @@ krb5_free_realm_params(kcontext, rparams) } return(0); } -/* - * match_config_pattern - +/* + * match_config_pattern - * returns TRUE is the pattern is found in the attr's list of values. * Otherwise - FALSE. * In conf file the values are separates by commas or whitespaces. @@ -1129,17 +1130,14 @@ krb5_match_config_pattern(const char *string, const char *pattern) const char *ptr; char next = '\0'; int len = strlen(pattern); - + for (ptr = strstr(string,pattern); ptr != 0; ptr = strstr(ptr+len,pattern)) { - if (ptr == string || isspace(*(ptr-1)) || *(ptr-1) ==',') { - next = *(ptr + len); - if (next == '\0' || isspace(next) || next ==',') { - return TRUE; - } - } + if (ptr == string || isspace(*(ptr-1)) || *(ptr-1) ==',') { + next = *(ptr + len); + if (next == '\0' || isspace(next) || next ==',') { + return TRUE; + } + } } return FALSE; } - - - diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c index e1fbb5849..9e8111b3c 100644 --- a/src/lib/kadm5/chpass_util.c +++ b/src/lib/kadm5/chpass_util.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. */ @@ -25,234 +26,234 @@ * * Arguments: * - * princ (input) a krb5b_principal structure for the + * princ (input) a krb5b_principal structure for the * principal whose password we should change. * - * new_password (input) NULL or a null terminated string with the + * new_password (input) NULL or a null terminated string with the * the principal's desired new password. If new_password * is NULL then this routine will read a new password. - * - * pw_ret (output) if non-NULL, points to a static buffer - * containing the new password (if password is prompted - * internally), or to the new_password argument (if - * that is non-NULL). If the former, then the buffer - * is only valid until the next call to the function, - * and the caller should be sure to zero it when - * it is no longer needed. + * + * pw_ret (output) if non-NULL, points to a static buffer + * containing the new password (if password is prompted + * internally), or to the new_password argument (if + * that is non-NULL). If the former, then the buffer + * is only valid until the next call to the function, + * and the caller should be sure to zero it when + * it is no longer needed. * * msg_ret (output) a useful message is copied here. * - * exit status of 0 for success, else the com err code + * exit status of 0 for success, else the com err code * for the last significant routine called. - * + * * Requires: - * + * * A msg_ret should point to a buffer large enough for the messasge. * * Effects: - * + * * Modifies: * * */ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, - void *lhandle, - krb5_principal princ, - char *new_pw, - char **ret_pw, - char *msg_ret, - unsigned int msg_len) + void *lhandle, + krb5_principal princ, + char *new_pw, + char **ret_pw, + char *msg_ret, + unsigned int msg_len) { - int code, code2; - unsigned int pwsize; - static char buffer[255]; - char *new_password; - kadm5_principal_ent_rec princ_ent; - kadm5_policy_ent_rec policy_ent; - - _KADM5_CHECK_HANDLE(server_handle); - - if (ret_pw) - *ret_pw = NULL; - - if (new_pw != NULL) { - new_password = new_pw; - } else { /* read the password */ - krb5_context context; - - if ((code = (int) kadm5_init_krb5_context(&context)) == 0) { - pwsize = sizeof(buffer); - code = krb5_read_password(context, KADM5_PW_FIRST_PROMPT, - KADM5_PW_SECOND_PROMPT, - buffer, &pwsize); - krb5_free_context(context); + int code, code2; + unsigned int pwsize; + static char buffer[255]; + char *new_password; + kadm5_principal_ent_rec princ_ent; + kadm5_policy_ent_rec policy_ent; + + _KADM5_CHECK_HANDLE(server_handle); + + if (ret_pw) + *ret_pw = NULL; + + if (new_pw != NULL) { + new_password = new_pw; + } else { /* read the password */ + krb5_context context; + + if ((code = (int) kadm5_init_krb5_context(&context)) == 0) { + pwsize = sizeof(buffer); + code = krb5_read_password(context, KADM5_PW_FIRST_PROMPT, + KADM5_PW_SECOND_PROMPT, + buffer, &pwsize); + krb5_free_context(context); + } + + if (code == 0) + new_password = buffer; + else { +#ifdef ZEROPASSWD + memset(buffer, 0, sizeof(buffer)); +#endif + if (code == KRB5_LIBOS_BADPWDMATCH) { + strncpy(msg_ret, string_text(CHPASS_UTIL_NEW_PASSWORD_MISMATCH), + msg_len - 1); + msg_ret[msg_len - 1] = '\0'; + return(code); + } else { + strncpy(msg_ret, error_message(code), msg_len - 1); + strncat(msg_ret, " ", msg_len - 1); + strncat(msg_ret, string_text(CHPASS_UTIL_WHILE_READING_PASSWORD), + msg_len - 1); + strncat(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), + msg_len - 1); + msg_ret[msg_len - 1] = '\0'; + return(code); + } + } + if (pwsize == 0) { +#ifdef ZEROPASSWD + memset(buffer, 0, sizeof(buffer)); +#endif + strncpy(msg_ret, string_text(CHPASS_UTIL_NO_PASSWORD_READ), msg_len - 1); + msg_ret[msg_len - 1] = '\0'; + return(KRB5_LIBOS_CANTREADPWD); /* could do better */ + } } - if (code == 0) - new_password = buffer; - else { -#ifdef ZEROPASSWD - memset(buffer, 0, sizeof(buffer)); -#endif - if (code == KRB5_LIBOS_BADPWDMATCH) { - strncpy(msg_ret, string_text(CHPASS_UTIL_NEW_PASSWORD_MISMATCH), - msg_len - 1); - msg_ret[msg_len - 1] = '\0'; - return(code); - } else { - strncpy(msg_ret, error_message(code), msg_len - 1); - strncat(msg_ret, " ", msg_len - 1); - strncat(msg_ret, string_text(CHPASS_UTIL_WHILE_READING_PASSWORD), - msg_len - 1); - strncat(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), - msg_len - 1); - msg_ret[msg_len - 1] = '\0'; - return(code); - } + if (ret_pw) + *ret_pw = new_password; + + code = kadm5_chpass_principal(server_handle, princ, new_password); + +#ifdef ZEROPASSWD + if (!ret_pw) + memset(buffer, 0, sizeof(buffer)); /* in case we read a new password */ +#endif + + if (code == KADM5_OK) { + strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_CHANGED), msg_len - 1); + msg_ret[msg_len - 1] = '\0'; + return(0); + } + + if ((code != KADM5_PASS_Q_TOOSHORT) && + (code != KADM5_PASS_REUSE) &&(code != KADM5_PASS_Q_CLASS) && + (code != KADM5_PASS_Q_DICT) && (code != KADM5_PASS_TOOSOON)) { + /* Can't get more info for other errors */ + snprintf(buffer, sizeof(buffer), "%s %s", error_message(code), + string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE)); + snprintf(msg_ret, msg_len, "%s\n%s\n", + string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), + buffer); + return(code); } - if (pwsize == 0) { -#ifdef ZEROPASSWD - memset(buffer, 0, sizeof(buffer)); -#endif - strncpy(msg_ret, string_text(CHPASS_UTIL_NO_PASSWORD_READ), msg_len - 1); - msg_ret[msg_len - 1] = '\0'; - return(KRB5_LIBOS_CANTREADPWD); /* could do better */ + + /* Ok, we have a password quality error. Return a good message */ + + if (code == KADM5_PASS_REUSE) { + strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_REUSE), msg_len - 1); + msg_ret[msg_len - 1] = '\0'; + return(code); } - } - if (ret_pw) - *ret_pw = new_password; + if (code == KADM5_PASS_Q_DICT) { + strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_IN_DICTIONARY), + msg_len - 1); + msg_ret[msg_len - 1] = '\0'; + return(code); + } - code = kadm5_chpass_principal(server_handle, princ, new_password); + /* Look up policy for the remaining messages */ -#ifdef ZEROPASSWD - if (!ret_pw) - memset(buffer, 0, sizeof(buffer)); /* in case we read a new password */ -#endif - - if (code == KADM5_OK) { - strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_CHANGED), msg_len - 1); - msg_ret[msg_len - 1] = '\0'; - return(0); - } - - if ((code != KADM5_PASS_Q_TOOSHORT) && - (code != KADM5_PASS_REUSE) &&(code != KADM5_PASS_Q_CLASS) && - (code != KADM5_PASS_Q_DICT) && (code != KADM5_PASS_TOOSOON)) { - /* Can't get more info for other errors */ - snprintf(buffer, sizeof(buffer), "%s %s", error_message(code), - string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE)); - snprintf(msg_ret, msg_len, "%s\n%s\n", - string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), - buffer); - return(code); - } - - /* Ok, we have a password quality error. Return a good message */ - - if (code == KADM5_PASS_REUSE) { - strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_REUSE), msg_len - 1); - msg_ret[msg_len - 1] = '\0'; - return(code); - } + code2 = kadm5_get_principal (lhandle, princ, &princ_ent, + KADM5_PRINCIPAL_NORMAL_MASK); + if (code2 != 0) { + strncpy(msg_ret, error_message(code2), msg_len - 1); + strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, string_text(CHPASS_UTIL_GET_PRINC_INFO), msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, "\n", msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, error_message(code), msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE), + msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, "\n\n", msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), + msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, "\n", msg_len - 1 - strlen(msg_ret)); + msg_ret[msg_len - 1] = '\0'; + return(code); + } - if (code == KADM5_PASS_Q_DICT) { - strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_IN_DICTIONARY), - msg_len - 1); - msg_ret[msg_len - 1] = '\0'; - return(code); - } - - /* Look up policy for the remaining messages */ - - code2 = kadm5_get_principal (lhandle, princ, &princ_ent, - KADM5_PRINCIPAL_NORMAL_MASK); - if (code2 != 0) { - strncpy(msg_ret, error_message(code2), msg_len - 1); - strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, string_text(CHPASS_UTIL_GET_PRINC_INFO), msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, "\n", msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, error_message(code), msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE), - msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, "\n\n", msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), - msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, "\n", msg_len - 1 - strlen(msg_ret)); - msg_ret[msg_len - 1] = '\0'; - return(code); - } - - if ((princ_ent.aux_attributes & KADM5_POLICY) == 0) { - strncpy(msg_ret, error_message(code), msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret)); - strncpy(msg_ret, string_text(CHPASS_UTIL_NO_POLICY_YET_Q_ERROR), - msg_len - 1 - strlen(msg_ret)); - strncat(msg_ret, "\n\n", msg_len - 1 - strlen(msg_ret)); - strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), - msg_len - 1 - strlen(msg_ret)); - msg_ret[msg_len - 1] = '\0'; + if ((princ_ent.aux_attributes & KADM5_POLICY) == 0) { + strncpy(msg_ret, error_message(code), msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret)); + strncpy(msg_ret, string_text(CHPASS_UTIL_NO_POLICY_YET_Q_ERROR), + msg_len - 1 - strlen(msg_ret)); + strncat(msg_ret, "\n\n", msg_len - 1 - strlen(msg_ret)); + strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), + msg_len - 1 - strlen(msg_ret)); + msg_ret[msg_len - 1] = '\0'; - (void) kadm5_free_principal_ent(lhandle, &princ_ent); - return(code); - } - - code2 = kadm5_get_policy(lhandle, princ_ent.policy, - &policy_ent); - if (code2 != 0) { - snprintf(msg_ret, msg_len, "%s %s\n%s %s\n\n%s\n ", error_message(code2), - string_text(CHPASS_UTIL_GET_POLICY_INFO), - error_message(code), - string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE), - string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED)); - (void) kadm5_free_principal_ent(lhandle, &princ_ent); - return(code); - } - - if (code == KADM5_PASS_Q_TOOSHORT) { - snprintf(msg_ret, msg_len, string_text(CHPASS_UTIL_PASSWORD_TOO_SHORT), - policy_ent.pw_min_length); - (void) kadm5_free_principal_ent(lhandle, &princ_ent); - (void) kadm5_free_policy_ent(lhandle, &policy_ent); - return(code); - } + (void) kadm5_free_principal_ent(lhandle, &princ_ent); + return(code); + } + + code2 = kadm5_get_policy(lhandle, princ_ent.policy, + &policy_ent); + if (code2 != 0) { + snprintf(msg_ret, msg_len, "%s %s\n%s %s\n\n%s\n ", error_message(code2), + string_text(CHPASS_UTIL_GET_POLICY_INFO), + error_message(code), + string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE), + string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED)); + (void) kadm5_free_principal_ent(lhandle, &princ_ent); + return(code); + } + + if (code == KADM5_PASS_Q_TOOSHORT) { + snprintf(msg_ret, msg_len, string_text(CHPASS_UTIL_PASSWORD_TOO_SHORT), + policy_ent.pw_min_length); + (void) kadm5_free_principal_ent(lhandle, &princ_ent); + (void) kadm5_free_policy_ent(lhandle, &policy_ent); + return(code); + } /* Can't get more info for other errors */ - if (code == KADM5_PASS_Q_CLASS) { - snprintf(msg_ret, msg_len, string_text(CHPASS_UTIL_TOO_FEW_CLASSES), - policy_ent.pw_min_classes); - (void) kadm5_free_principal_ent(lhandle, &princ_ent); - (void) kadm5_free_policy_ent(lhandle, &policy_ent); - return(code); - } + if (code == KADM5_PASS_Q_CLASS) { + snprintf(msg_ret, msg_len, string_text(CHPASS_UTIL_TOO_FEW_CLASSES), + policy_ent.pw_min_classes); + (void) kadm5_free_principal_ent(lhandle, &princ_ent); + (void) kadm5_free_policy_ent(lhandle, &policy_ent); + return(code); + } - if (code == KADM5_PASS_TOOSOON) { - time_t until; - char *time_string, *ptr; + if (code == KADM5_PASS_TOOSOON) { + time_t until; + char *time_string, *ptr; - until = princ_ent.last_pwd_change + policy_ent.pw_min_life; + until = princ_ent.last_pwd_change + policy_ent.pw_min_life; - time_string = ctime(&until); - if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') - *ptr = '\0'; + time_string = ctime(&until); + if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') + *ptr = '\0'; + + snprintf(msg_ret, msg_len, string_text(CHPASS_UTIL_PASSWORD_TOO_SOON), + time_string); + (void) kadm5_free_principal_ent(lhandle, &princ_ent); + (void) kadm5_free_policy_ent(lhandle, &policy_ent); + return(code); + } - snprintf(msg_ret, msg_len, string_text(CHPASS_UTIL_PASSWORD_TOO_SOON), - time_string); + /* We should never get here, but just in case ... */ + snprintf(buffer, sizeof(buffer), "%s %s", error_message(code), + string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE)); + snprintf(msg_ret, msg_len, "%s\n%s\n", + string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), + buffer); (void) kadm5_free_principal_ent(lhandle, &princ_ent); (void) kadm5_free_policy_ent(lhandle, &policy_ent); return(code); - } - - /* We should never get here, but just in case ... */ - snprintf(buffer, sizeof(buffer), "%s %s", error_message(code), - string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE)); - snprintf(msg_ret, msg_len, "%s\n%s\n", - string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), - buffer); - (void) kadm5_free_principal_ent(lhandle, &princ_ent); - (void) kadm5_free_policy_ent(lhandle, &policy_ent); - return(code); } diff --git a/src/lib/kadm5/clnt/client_handle.c b/src/lib/kadm5/clnt/client_handle.c index 895777a6e..48b76707e 100644 --- a/src/lib/kadm5/clnt/client_handle.c +++ b/src/lib/kadm5/clnt/client_handle.c @@ -1,9 +1,10 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include "client_internal.h" int _kadm5_check_handle(void *handle) { - CHECK_HANDLE(handle); - return 0; + CHECK_HANDLE(handle); + return 0; } diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c index 0b817b8bc..99e8e15ba 100644 --- a/src/lib/kadm5/clnt/client_init.c +++ b/src/lib/kadm5/clnt/client_init.c @@ -1,17 +1,18 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -56,349 +57,349 @@ #include #include -#define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" +#define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS }; static kadm5_ret_t _kadm5_init_any(krb5_context context, - char *client_name, - enum init_type init_type, - char *pass, - krb5_ccache ccache_in, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle); + char *client_name, + enum init_type init_type, + char *pass, + krb5_ccache ccache_in, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle); static kadm5_ret_t kadm5_get_init_creds(kadm5_server_handle_t handle, - char *client_name, enum init_type init_type, - char *pass, krb5_ccache ccache_in, - char *svcname_in, char *realm, - char *full_svcname, unsigned int full_svcname_len); + char *client_name, enum init_type init_type, + char *pass, krb5_ccache ccache_in, + char *svcname_in, char *realm, + char *full_svcname, unsigned int full_svcname_len); static kadm5_ret_t kadm5_gic_iter(kadm5_server_handle_t handle, - enum init_type init_type, - krb5_ccache ccache, - krb5_principal client, char *pass, - char *svcname, char *realm, - char *full_svcname, unsigned int full_svcname_len); + enum init_type init_type, + krb5_ccache ccache, + krb5_principal client, char *pass, + char *svcname, char *realm, + char *full_svcname, unsigned int full_svcname_len); static kadm5_ret_t kadm5_setup_gss(kadm5_server_handle_t handle, - kadm5_config_params *params_in, - char *client_name, char *full_svcname); + kadm5_config_params *params_in, + char *client_name, char *full_svcname); static void kadm5_rpc_auth(kadm5_server_handle_t handle, - kadm5_config_params *params_in, - gss_cred_id_t gss_client_creds, - gss_name_t gss_target); + kadm5_config_params *params_in, + gss_cred_id_t gss_client_creds, + gss_name_t gss_target); kadm5_ret_t kadm5_init_with_creds(krb5_context context, - char *client_name, - krb5_ccache ccache, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *client_name, + krb5_ccache ccache, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - return _kadm5_init_any(context, client_name, INIT_CREDS, NULL, ccache, - service_name, params, - struct_version, api_version, db_args, - server_handle); + return _kadm5_init_any(context, client_name, INIT_CREDS, NULL, ccache, + service_name, params, + struct_version, api_version, db_args, + server_handle); } kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name, - char *pass, char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *pass, char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - return _kadm5_init_any(context, client_name, INIT_PASS, pass, NULL, - service_name, params, struct_version, - api_version, db_args, server_handle); + return _kadm5_init_any(context, client_name, INIT_PASS, pass, NULL, + service_name, params, struct_version, + api_version, db_args, server_handle); } kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - return _kadm5_init_any(context, client_name, INIT_PASS, pass, NULL, - service_name, params, struct_version, - api_version, db_args, server_handle); + return _kadm5_init_any(context, client_name, INIT_PASS, pass, NULL, + service_name, params, struct_version, + api_version, db_args, server_handle); } kadm5_ret_t kadm5_init_with_skey(krb5_context context, char *client_name, - char *keytab, char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *keytab, char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - return _kadm5_init_any(context, client_name, INIT_SKEY, keytab, NULL, - service_name, params, struct_version, - api_version, db_args, server_handle); + return _kadm5_init_any(context, client_name, INIT_SKEY, keytab, NULL, + service_name, params, struct_version, + api_version, db_args, server_handle); } static kadm5_ret_t _kadm5_init_any(krb5_context context, char *client_name, - enum init_type init_type, - char *pass, - krb5_ccache ccache_in, - char *service_name, - kadm5_config_params *params_in, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + enum init_type init_type, + char *pass, + krb5_ccache ccache_in, + char *service_name, + kadm5_config_params *params_in, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - struct sockaddr_in addr; - struct hostent *hp; - int fd; - - char *iprop_svc; - int iprop_enable = 0; - char full_svcname[BUFSIZ]; - char *realm; - - kadm5_server_handle_t handle; - kadm5_config_params params_local; - - int code = 0; - generic_ret *r; - - initialize_ovk_error_table(); + struct sockaddr_in addr; + struct hostent *hp; + int fd; + + char *iprop_svc; + int iprop_enable = 0; + char full_svcname[BUFSIZ]; + char *realm; + + kadm5_server_handle_t handle; + kadm5_config_params params_local; + + int code = 0; + generic_ret *r; + + initialize_ovk_error_table(); /* initialize_adb_error_table(); */ - initialize_ovku_error_table(); - - if (! server_handle) { - return EINVAL; - } - - if (! (handle = malloc(sizeof(*handle)))) { - return ENOMEM; - } - memset(handle, 0, sizeof(*handle)); - if (! (handle->lhandle = malloc(sizeof(*handle)))) { - free(handle); - return ENOMEM; - } - - handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; - handle->struct_version = struct_version; - handle->api_version = api_version; - handle->clnt = 0; - handle->cache_name = 0; - handle->destroy_cache = 0; - handle->context = 0; - *handle->lhandle = *handle; - handle->lhandle->api_version = KADM5_API_VERSION_3; - handle->lhandle->struct_version = KADM5_STRUCT_VERSION; - handle->lhandle->lhandle = handle->lhandle; - - handle->context = context; - - if(client_name == NULL) { - free(handle); - return EINVAL; - } - - /* - * Verify the version numbers before proceeding; we can't use - * CHECK_HANDLE because not all fields are set yet. - */ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, - KADM5_NEW_LIB_API_VERSION); - - /* - * Acquire relevant profile entries. In version 2, merge values - * in params_in with values from profile, based on - * params_in->mask. - * - * In version 1, we've given a realm (which may be NULL) instead - * of params_in. So use that realm, make params_in contain an - * empty mask, and behave like version 2. - */ - memset(¶ms_local, 0, sizeof(params_local)); - if (params_in && (params_in->mask & KADM5_CONFIG_REALM)) - realm = params_in->realm; - else - realm = NULL; + initialize_ovku_error_table(); + + if (! server_handle) { + return EINVAL; + } + + if (! (handle = malloc(sizeof(*handle)))) { + return ENOMEM; + } + memset(handle, 0, sizeof(*handle)); + if (! (handle->lhandle = malloc(sizeof(*handle)))) { + free(handle); + return ENOMEM; + } + + handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; + handle->struct_version = struct_version; + handle->api_version = api_version; + handle->clnt = 0; + handle->cache_name = 0; + handle->destroy_cache = 0; + handle->context = 0; + *handle->lhandle = *handle; + handle->lhandle->api_version = KADM5_API_VERSION_3; + handle->lhandle->struct_version = KADM5_STRUCT_VERSION; + handle->lhandle->lhandle = handle->lhandle; + + handle->context = context; + + if(client_name == NULL) { + free(handle); + return EINVAL; + } + + /* + * Verify the version numbers before proceeding; we can't use + * CHECK_HANDLE because not all fields are set yet. + */ + GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, + KADM5_NEW_LIB_API_VERSION); + + /* + * Acquire relevant profile entries. In version 2, merge values + * in params_in with values from profile, based on + * params_in->mask. + * + * In version 1, we've given a realm (which may be NULL) instead + * of params_in. So use that realm, make params_in contain an + * empty mask, and behave like version 2. + */ + memset(¶ms_local, 0, sizeof(params_local)); + if (params_in && (params_in->mask & KADM5_CONFIG_REALM)) + realm = params_in->realm; + else + realm = NULL; #if 0 /* Since KDC config params can now be put in krb5.conf, these - could show up even when you're just using the remote kadmin - client. */ -#define ILLEGAL_PARAMS (KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \ - KADM5_CONFIG_ADB_LOCKFILE | \ - KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_DICT_FILE \ - | KADM5_CONFIG_ADMIN_KEYTAB | \ - KADM5_CONFIG_STASH_FILE | \ - KADM5_CONFIG_MKEY_NAME | KADM5_CONFIG_ENCTYPE \ - | KADM5_CONFIG_MAX_LIFE | \ - KADM5_CONFIG_MAX_RLIFE | \ - KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_FLAGS | \ - KADM5_CONFIG_ENCTYPES | KADM5_CONFIG_MKEY_FROM_KBD) - - if (params_in && params_in->mask & ILLEGAL_PARAMS) { - free(handle); - return KADM5_BAD_CLIENT_PARAMS; - } + could show up even when you're just using the remote kadmin + client. */ +#define ILLEGAL_PARAMS (KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \ + KADM5_CONFIG_ADB_LOCKFILE | \ + KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_DICT_FILE \ + | KADM5_CONFIG_ADMIN_KEYTAB | \ + KADM5_CONFIG_STASH_FILE | \ + KADM5_CONFIG_MKEY_NAME | KADM5_CONFIG_ENCTYPE \ + | KADM5_CONFIG_MAX_LIFE | \ + KADM5_CONFIG_MAX_RLIFE | \ + KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_FLAGS | \ + KADM5_CONFIG_ENCTYPES | KADM5_CONFIG_MKEY_FROM_KBD) + + if (params_in && params_in->mask & ILLEGAL_PARAMS) { + free(handle); + return KADM5_BAD_CLIENT_PARAMS; + } #endif - if ((code = kadm5_get_config_params(handle->context, 0, - params_in, &handle->params))) { - free(handle); - return(code); - } - -#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | \ - KADM5_CONFIG_ADMIN_SERVER | \ - KADM5_CONFIG_KADMIND_PORT) - - if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { - free(handle); - return KADM5_MISSING_KRB5_CONF_PARAMS; - } - - /* - * Get credentials. Also does some fallbacks in case kadmin/fqdn - * principal doesn't exist. - */ - code = kadm5_get_init_creds(handle, client_name, init_type, pass, - ccache_in, service_name, realm, - full_svcname, sizeof(full_svcname)); - if (code) - goto error; - /* - * We have ticket; open the RPC connection. - */ - - hp = gethostbyname(handle->params.admin_server); - if (hp == (struct hostent *) NULL) { - code = KADM5_BAD_SERVER_NAME; - goto cleanup; - } - - /* - * If the service_name and client_name are iprop-centric, - * we need to clnttcp_create to the appropriate RPC prog. - */ - iprop_svc = strdup(KIPROP_SVC_NAME); - if (iprop_svc == NULL) - return ENOMEM; - - if (service_name != NULL && - (strstr(service_name, iprop_svc) != NULL) && - (strstr(client_name, iprop_svc) != NULL)) - iprop_enable = 1; - else - iprop_enable = 0; - - memset(&addr, 0, sizeof(addr)); - addr.sin_family = hp->h_addrtype; - (void) memcpy(&addr.sin_addr, hp->h_addr, sizeof(addr.sin_addr)); - if (iprop_enable) - addr.sin_port = htons((u_short) handle->params.iprop_port); - else - addr.sin_port = htons((u_short) handle->params.kadmind_port); - - fd = RPC_ANYSOCK; - - if (iprop_enable) { - handle->clnt = clnttcp_create(&addr, KRB5_IPROP_PROG, KRB5_IPROP_VERS, - &fd, 0, 0); - } else - handle->clnt = clnttcp_create(&addr, KADM, KADMVERS, &fd, 0, 0); - if (handle->clnt == NULL) { - code = KADM5_RPC_ERROR; + if ((code = kadm5_get_config_params(handle->context, 0, + params_in, &handle->params))) { + free(handle); + return(code); + } + +#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | \ + KADM5_CONFIG_ADMIN_SERVER | \ + KADM5_CONFIG_KADMIND_PORT) + + if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { + free(handle); + return KADM5_MISSING_KRB5_CONF_PARAMS; + } + + /* + * Get credentials. Also does some fallbacks in case kadmin/fqdn + * principal doesn't exist. + */ + code = kadm5_get_init_creds(handle, client_name, init_type, pass, + ccache_in, service_name, realm, + full_svcname, sizeof(full_svcname)); + if (code) + goto error; + /* + * We have ticket; open the RPC connection. + */ + + hp = gethostbyname(handle->params.admin_server); + if (hp == (struct hostent *) NULL) { + code = KADM5_BAD_SERVER_NAME; + goto cleanup; + } + + /* + * If the service_name and client_name are iprop-centric, + * we need to clnttcp_create to the appropriate RPC prog. + */ + iprop_svc = strdup(KIPROP_SVC_NAME); + if (iprop_svc == NULL) + return ENOMEM; + + if (service_name != NULL && + (strstr(service_name, iprop_svc) != NULL) && + (strstr(client_name, iprop_svc) != NULL)) + iprop_enable = 1; + else + iprop_enable = 0; + + memset(&addr, 0, sizeof(addr)); + addr.sin_family = hp->h_addrtype; + (void) memcpy(&addr.sin_addr, hp->h_addr, sizeof(addr.sin_addr)); + if (iprop_enable) + addr.sin_port = htons((u_short) handle->params.iprop_port); + else + addr.sin_port = htons((u_short) handle->params.kadmind_port); + + fd = RPC_ANYSOCK; + + if (iprop_enable) { + handle->clnt = clnttcp_create(&addr, KRB5_IPROP_PROG, KRB5_IPROP_VERS, + &fd, 0, 0); + } else + handle->clnt = clnttcp_create(&addr, KADM, KADMVERS, &fd, 0, 0); + if (handle->clnt == NULL) { + code = KADM5_RPC_ERROR; #ifdef DEBUG - clnt_pcreateerror("clnttcp_create"); + clnt_pcreateerror("clnttcp_create"); #endif - goto error; - } - handle->lhandle->clnt = handle->clnt; - - /* now that handle->clnt is set, we can check the handle */ - if ((code = _kadm5_check_handle((void *) handle))) - goto error; - - /* - * The RPC connection is open; establish the GSS-API - * authentication context. - */ - code = kadm5_setup_gss(handle, params_in, client_name, full_svcname); - if (code) - goto error; - - /* - * Bypass the remainder of the code and return straightaway - * if the gss service requested is kiprop - */ - if (iprop_enable == 1) { - code = 0; - *server_handle = (void *) handle; - goto cleanup; - } - - r = init_2(&handle->api_version, handle->clnt); - if (r == NULL) { - code = KADM5_RPC_ERROR; + goto error; + } + handle->lhandle->clnt = handle->clnt; + + /* now that handle->clnt is set, we can check the handle */ + if ((code = _kadm5_check_handle((void *) handle))) + goto error; + + /* + * The RPC connection is open; establish the GSS-API + * authentication context. + */ + code = kadm5_setup_gss(handle, params_in, client_name, full_svcname); + if (code) + goto error; + + /* + * Bypass the remainder of the code and return straightaway + * if the gss service requested is kiprop + */ + if (iprop_enable == 1) { + code = 0; + *server_handle = (void *) handle; + goto cleanup; + } + + r = init_2(&handle->api_version, handle->clnt); + if (r == NULL) { + code = KADM5_RPC_ERROR; #ifdef DEBUG - clnt_perror(handle->clnt, "init_2 null resp"); + clnt_perror(handle->clnt, "init_2 null resp"); #endif - goto error; - } - /* Drop down to v2 wire protocol if server does not support v3 */ - if (r->code == KADM5_NEW_SERVER_API_VERSION && - handle->api_version == KADM5_API_VERSION_3) { - handle->api_version = KADM5_API_VERSION_2; - r = init_2(&handle->api_version, handle->clnt); - if (r == NULL) { - code = KADM5_RPC_ERROR; - goto error; - } - } - if (r->code) { - code = r->code; - goto error; - } - - *server_handle = (void *) handle; - - goto cleanup; + goto error; + } + /* Drop down to v2 wire protocol if server does not support v3 */ + if (r->code == KADM5_NEW_SERVER_API_VERSION && + handle->api_version == KADM5_API_VERSION_3) { + handle->api_version = KADM5_API_VERSION_2; + r = init_2(&handle->api_version, handle->clnt); + if (r == NULL) { + code = KADM5_RPC_ERROR; + goto error; + } + } + if (r->code) { + code = r->code; + goto error; + } + + *server_handle = (void *) handle; + + goto cleanup; error: - /* - * Note that it is illegal for this code to execute if "handle" - * has not been allocated and initialized. I.e., don't use "goto - * error" before the block of code at the top of the function - * that allocates and initializes "handle". - */ - if (handle->cache_name) - free(handle->cache_name); - if(handle->clnt && handle->clnt->cl_auth) - AUTH_DESTROY(handle->clnt->cl_auth); - if(handle->clnt) - clnt_destroy(handle->clnt); + /* + * Note that it is illegal for this code to execute if "handle" + * has not been allocated and initialized. I.e., don't use "goto + * error" before the block of code at the top of the function + * that allocates and initializes "handle". + */ + if (handle->cache_name) + free(handle->cache_name); + if(handle->clnt && handle->clnt->cl_auth) + AUTH_DESTROY(handle->clnt->cl_auth); + if(handle->clnt) + clnt_destroy(handle->clnt); cleanup: - if (code) - free(handle); + if (code) + free(handle); - return code; + return code; } /* @@ -409,91 +410,91 @@ cleanup: */ static kadm5_ret_t kadm5_get_init_creds(kadm5_server_handle_t handle, - char *client_name, enum init_type init_type, - char *pass, krb5_ccache ccache_in, - char *svcname_in, char *realm, - char *full_svcname, unsigned int full_svcname_len) + char *client_name, enum init_type init_type, + char *pass, krb5_ccache ccache_in, + char *svcname_in, char *realm, + char *full_svcname, unsigned int full_svcname_len) { - kadm5_ret_t code; - krb5_principal client; - krb5_ccache ccache; - char svcname[BUFSIZ]; - - client = NULL; - ccache = NULL; - /* NULL svcname means use host-based. */ - if (svcname_in == NULL) { - code = kadm5_get_admin_service_name(handle->context, - handle->params.realm, - svcname, sizeof(svcname)); - if (code) { - code = KADM5_MISSING_KRB5_CONF_PARAMS; - goto error; - } - } else { - strncpy(svcname, svcname_in, sizeof(svcname)); - svcname[sizeof(svcname)-1] = '\0'; - } - /* - * Acquire a service ticket for svcname@realm in the name of - * client_name, using password pass (which could be NULL), and - * create a ccache to store them in. If INIT_CREDS, use the - * ccache we were provided instead. - */ - code = krb5_parse_name(handle->context, client_name, &client); - if (code) - goto error; - - if (init_type == INIT_CREDS) { - ccache = ccache_in; - if (asprintf(&handle->cache_name, "%s:%s", - krb5_cc_get_type(handle->context, ccache), - krb5_cc_get_name(handle->context, ccache)) < 0) { - handle->cache_name = NULL; - code = ENOMEM; - goto error; - } - } else { - static int counter = 0; - - if (asprintf(&handle->cache_name, "MEMORY:kadm5_%u", counter++) < 0) { - handle->cache_name = NULL; - code = ENOMEM; - goto error; - } - code = krb5_cc_resolve(handle->context, handle->cache_name, - &ccache); - if (code) - goto error; - - code = krb5_cc_initialize (handle->context, ccache, client); - if (code) - goto error; - - handle->destroy_cache = 1; - } - handle->lhandle->cache_name = handle->cache_name; - - code = kadm5_gic_iter(handle, init_type, ccache, - client, pass, svcname, realm, - full_svcname, full_svcname_len); - if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) { - /* Retry with old host-independent service princpal. */ - code = kadm5_gic_iter(handle, init_type, ccache, - client, pass, - KADM5_ADMIN_SERVICE, realm, - full_svcname, full_svcname_len); - } - /* Improved error messages */ - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; - if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) - code = KADM5_SECURE_PRINC_MISSING; + kadm5_ret_t code; + krb5_principal client; + krb5_ccache ccache; + char svcname[BUFSIZ]; + + client = NULL; + ccache = NULL; + /* NULL svcname means use host-based. */ + if (svcname_in == NULL) { + code = kadm5_get_admin_service_name(handle->context, + handle->params.realm, + svcname, sizeof(svcname)); + if (code) { + code = KADM5_MISSING_KRB5_CONF_PARAMS; + goto error; + } + } else { + strncpy(svcname, svcname_in, sizeof(svcname)); + svcname[sizeof(svcname)-1] = '\0'; + } + /* + * Acquire a service ticket for svcname@realm in the name of + * client_name, using password pass (which could be NULL), and + * create a ccache to store them in. If INIT_CREDS, use the + * ccache we were provided instead. + */ + code = krb5_parse_name(handle->context, client_name, &client); + if (code) + goto error; + + if (init_type == INIT_CREDS) { + ccache = ccache_in; + if (asprintf(&handle->cache_name, "%s:%s", + krb5_cc_get_type(handle->context, ccache), + krb5_cc_get_name(handle->context, ccache)) < 0) { + handle->cache_name = NULL; + code = ENOMEM; + goto error; + } + } else { + static int counter = 0; + + if (asprintf(&handle->cache_name, "MEMORY:kadm5_%u", counter++) < 0) { + handle->cache_name = NULL; + code = ENOMEM; + goto error; + } + code = krb5_cc_resolve(handle->context, handle->cache_name, + &ccache); + if (code) + goto error; + + code = krb5_cc_initialize (handle->context, ccache, client); + if (code) + goto error; + + handle->destroy_cache = 1; + } + handle->lhandle->cache_name = handle->cache_name; + + code = kadm5_gic_iter(handle, init_type, ccache, + client, pass, svcname, realm, + full_svcname, full_svcname_len); + if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN + || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) { + /* Retry with old host-independent service princpal. */ + code = kadm5_gic_iter(handle, init_type, ccache, + client, pass, + KADM5_ADMIN_SERVICE, realm, + full_svcname, full_svcname_len); + } + /* Improved error messages */ + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; + if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) + code = KADM5_SECURE_PRINC_MISSING; error: - if (ccache != NULL && init_type != INIT_CREDS) - krb5_cc_close(handle->context, ccache); - return code; + if (ccache != NULL && init_type != INIT_CREDS) + krb5_cc_close(handle->context, ccache); + return code; } /* @@ -505,87 +506,87 @@ error: */ static kadm5_ret_t kadm5_gic_iter(kadm5_server_handle_t handle, - enum init_type init_type, - krb5_ccache ccache, - krb5_principal client, char *pass, - char *svcname, char *realm, - char *full_svcname, unsigned int full_svcname_len) + enum init_type init_type, + krb5_ccache ccache, + krb5_principal client, char *pass, + char *svcname, char *realm, + char *full_svcname, unsigned int full_svcname_len) { - kadm5_ret_t code; - krb5_context ctx; - krb5_keytab kt; - krb5_get_init_creds_opt opt; - krb5_creds mcreds, outcreds; - int n; - - ctx = handle->context; - kt = NULL; - memset(full_svcname, 0, full_svcname_len); - memset(&opt, 0, sizeof(opt)); - memset(&mcreds, 0, sizeof(mcreds)); - memset(&outcreds, 0, sizeof(outcreds)); - - code = ENOMEM; - if (realm) { - n = snprintf(full_svcname, full_svcname_len, "%s@%s", - svcname, realm); - if (n < 0 || n >= full_svcname_len) - goto error; - } else { - /* krb5_princ_realm(client) is not null terminated */ - n = snprintf(full_svcname, full_svcname_len, "%s@%.*s", - svcname, krb5_princ_realm(ctx, client)->length, - krb5_princ_realm(ctx, client)->data); - if (n < 0 || n >= full_svcname_len) - goto error; - } - - /* Credentials for kadmin don't need to be forwardable or proxiable. */ - if (init_type != INIT_CREDS) { - krb5_get_init_creds_opt_init(&opt); - krb5_get_init_creds_opt_set_forwardable(&opt, 0); - krb5_get_init_creds_opt_set_proxiable(&opt, 0); - } - - if (init_type == INIT_PASS) { - code = krb5_get_init_creds_password(ctx, &outcreds, client, pass, - krb5_prompter_posix, - NULL, 0, - full_svcname, &opt); - if (code) - goto error; - } else if (init_type == INIT_SKEY) { - if (pass) { - code = krb5_kt_resolve(ctx, pass, &kt); - if (code) - goto error; - } - code = krb5_get_init_creds_keytab(ctx, &outcreds, client, kt, - 0, full_svcname, &opt); - if (pass) - krb5_kt_close(ctx, kt); - if (code) - goto error; - } else if (init_type == INIT_CREDS) { - mcreds.client = client; - code = krb5_parse_name(ctx, full_svcname, &mcreds.server); - if (code) - goto error; - code = krb5_cc_retrieve_cred(ctx, ccache, 0, - &mcreds, &outcreds); - krb5_free_principal(ctx, mcreds.server); - if (code) - goto error; - } - if (init_type != INIT_CREDS) { - /* Caller has initialized ccache. */ - code = krb5_cc_store_cred(ctx, ccache, &outcreds); - if (code) - goto error; - } + kadm5_ret_t code; + krb5_context ctx; + krb5_keytab kt; + krb5_get_init_creds_opt opt; + krb5_creds mcreds, outcreds; + int n; + + ctx = handle->context; + kt = NULL; + memset(full_svcname, 0, full_svcname_len); + memset(&opt, 0, sizeof(opt)); + memset(&mcreds, 0, sizeof(mcreds)); + memset(&outcreds, 0, sizeof(outcreds)); + + code = ENOMEM; + if (realm) { + n = snprintf(full_svcname, full_svcname_len, "%s@%s", + svcname, realm); + if (n < 0 || n >= full_svcname_len) + goto error; + } else { + /* krb5_princ_realm(client) is not null terminated */ + n = snprintf(full_svcname, full_svcname_len, "%s@%.*s", + svcname, krb5_princ_realm(ctx, client)->length, + krb5_princ_realm(ctx, client)->data); + if (n < 0 || n >= full_svcname_len) + goto error; + } + + /* Credentials for kadmin don't need to be forwardable or proxiable. */ + if (init_type != INIT_CREDS) { + krb5_get_init_creds_opt_init(&opt); + krb5_get_init_creds_opt_set_forwardable(&opt, 0); + krb5_get_init_creds_opt_set_proxiable(&opt, 0); + } + + if (init_type == INIT_PASS) { + code = krb5_get_init_creds_password(ctx, &outcreds, client, pass, + krb5_prompter_posix, + NULL, 0, + full_svcname, &opt); + if (code) + goto error; + } else if (init_type == INIT_SKEY) { + if (pass) { + code = krb5_kt_resolve(ctx, pass, &kt); + if (code) + goto error; + } + code = krb5_get_init_creds_keytab(ctx, &outcreds, client, kt, + 0, full_svcname, &opt); + if (pass) + krb5_kt_close(ctx, kt); + if (code) + goto error; + } else if (init_type == INIT_CREDS) { + mcreds.client = client; + code = krb5_parse_name(ctx, full_svcname, &mcreds.server); + if (code) + goto error; + code = krb5_cc_retrieve_cred(ctx, ccache, 0, + &mcreds, &outcreds); + krb5_free_principal(ctx, mcreds.server); + if (code) + goto error; + } + if (init_type != INIT_CREDS) { + /* Caller has initialized ccache. */ + code = krb5_cc_store_cred(ctx, ccache, &outcreds); + if (code) + goto error; + } error: - krb5_free_cred_contents(ctx, &outcreds); - return code; + krb5_free_cred_contents(ctx, &outcreds); + return code; } /* @@ -595,138 +596,138 @@ error: */ static kadm5_ret_t kadm5_setup_gss(kadm5_server_handle_t handle, - kadm5_config_params *params_in, - char *client_name, char *full_svcname) + kadm5_config_params *params_in, + char *client_name, char *full_svcname) { - kadm5_ret_t code; - OM_uint32 gssstat, minor_stat; - gss_buffer_desc buf; - gss_name_t gss_client; - gss_name_t gss_target; - gss_cred_id_t gss_client_creds; - const char *c_ccname_orig; - char *ccname_orig; - - code = KADM5_GSS_ERROR; - gss_client_creds = GSS_C_NO_CREDENTIAL; - ccname_orig = NULL; - gss_client = gss_target = GSS_C_NO_NAME; - - /* Temporarily use the kadm5 cache. */ - gssstat = gss_krb5_ccache_name(&minor_stat, handle->cache_name, - &c_ccname_orig); - if (gssstat != GSS_S_COMPLETE) { - code = KADM5_GSS_ERROR; - goto error; - } - if (c_ccname_orig) - ccname_orig = strdup(c_ccname_orig); - else - ccname_orig = 0; - - buf.value = full_svcname; - buf.length = strlen((char *)buf.value) + 1; - gssstat = gss_import_name(&minor_stat, &buf, - (gss_OID) gss_nt_krb5_name, &gss_target); - if (gssstat != GSS_S_COMPLETE) { - code = KADM5_GSS_ERROR; - goto error; - } - - buf.value = client_name; - buf.length = strlen((char *)buf.value) + 1; - gssstat = gss_import_name(&minor_stat, &buf, - (gss_OID) gss_nt_krb5_name, &gss_client); - if (gssstat != GSS_S_COMPLETE) { - code = KADM5_GSS_ERROR; - goto error; - } - - gssstat = gss_acquire_cred(&minor_stat, gss_client, 0, - GSS_C_NULL_OID_SET, GSS_C_INITIATE, - &gss_client_creds, NULL, NULL); - if (gssstat != GSS_S_COMPLETE) { - code = KADM5_GSS_ERROR; + kadm5_ret_t code; + OM_uint32 gssstat, minor_stat; + gss_buffer_desc buf; + gss_name_t gss_client; + gss_name_t gss_target; + gss_cred_id_t gss_client_creds; + const char *c_ccname_orig; + char *ccname_orig; + + code = KADM5_GSS_ERROR; + gss_client_creds = GSS_C_NO_CREDENTIAL; + ccname_orig = NULL; + gss_client = gss_target = GSS_C_NO_NAME; + + /* Temporarily use the kadm5 cache. */ + gssstat = gss_krb5_ccache_name(&minor_stat, handle->cache_name, + &c_ccname_orig); + if (gssstat != GSS_S_COMPLETE) { + code = KADM5_GSS_ERROR; + goto error; + } + if (c_ccname_orig) + ccname_orig = strdup(c_ccname_orig); + else + ccname_orig = 0; + + buf.value = full_svcname; + buf.length = strlen((char *)buf.value) + 1; + gssstat = gss_import_name(&minor_stat, &buf, + (gss_OID) gss_nt_krb5_name, &gss_target); + if (gssstat != GSS_S_COMPLETE) { + code = KADM5_GSS_ERROR; + goto error; + } + + buf.value = client_name; + buf.length = strlen((char *)buf.value) + 1; + gssstat = gss_import_name(&minor_stat, &buf, + (gss_OID) gss_nt_krb5_name, &gss_client); + if (gssstat != GSS_S_COMPLETE) { + code = KADM5_GSS_ERROR; + goto error; + } + + gssstat = gss_acquire_cred(&minor_stat, gss_client, 0, + GSS_C_NULL_OID_SET, GSS_C_INITIATE, + &gss_client_creds, NULL, NULL); + if (gssstat != GSS_S_COMPLETE) { + code = KADM5_GSS_ERROR; #if 0 /* for debugging only */ - { - OM_uint32 maj_status, min_status, message_context = 0; - gss_buffer_desc status_string; - do { - maj_status = gss_display_status(&min_status, - gssstat, - GSS_C_GSS_CODE, - GSS_C_NO_OID, - &message_context, - &status_string); - if (maj_status == GSS_S_COMPLETE) { - fprintf(stderr, "MAJ: %.*s\n", - (int) status_string.length, - (char *)status_string.value); - gss_release_buffer(&min_status, &status_string); - } else { - fprintf(stderr, - "MAJ? gss_display_status returns 0x%lx?!\n", - (unsigned long) maj_status); - message_context = 0; - } - } while (message_context != 0); - do { - maj_status = gss_display_status(&min_status, - minor_stat, - GSS_C_MECH_CODE, - GSS_C_NO_OID, - &message_context, - &status_string); - if (maj_status == GSS_S_COMPLETE) { - fprintf(stderr, "MIN: %.*s\n", - (int) status_string.length, - (char *)status_string.value); - gss_release_buffer(&min_status, &status_string); - } else { - fprintf(stderr, - "MIN? gss_display_status returns 0x%lx?!\n", - (unsigned long) maj_status); - message_context = 0; - } - } while (message_context != 0); - } + { + OM_uint32 maj_status, min_status, message_context = 0; + gss_buffer_desc status_string; + do { + maj_status = gss_display_status(&min_status, + gssstat, + GSS_C_GSS_CODE, + GSS_C_NO_OID, + &message_context, + &status_string); + if (maj_status == GSS_S_COMPLETE) { + fprintf(stderr, "MAJ: %.*s\n", + (int) status_string.length, + (char *)status_string.value); + gss_release_buffer(&min_status, &status_string); + } else { + fprintf(stderr, + "MAJ? gss_display_status returns 0x%lx?!\n", + (unsigned long) maj_status); + message_context = 0; + } + } while (message_context != 0); + do { + maj_status = gss_display_status(&min_status, + minor_stat, + GSS_C_MECH_CODE, + GSS_C_NO_OID, + &message_context, + &status_string); + if (maj_status == GSS_S_COMPLETE) { + fprintf(stderr, "MIN: %.*s\n", + (int) status_string.length, + (char *)status_string.value); + gss_release_buffer(&min_status, &status_string); + } else { + fprintf(stderr, + "MIN? gss_display_status returns 0x%lx?!\n", + (unsigned long) maj_status); + message_context = 0; + } + } while (message_context != 0); + } #endif - goto error; - } + goto error; + } - /* - * Do actual creation of RPC auth handle. Implements auth flavor - * fallback. - */ - kadm5_rpc_auth(handle, params_in, gss_client_creds, gss_target); + /* + * Do actual creation of RPC auth handle. Implements auth flavor + * fallback. + */ + kadm5_rpc_auth(handle, params_in, gss_client_creds, gss_target); error: - if (gss_client_creds != GSS_C_NO_CREDENTIAL) - (void) gss_release_cred(&minor_stat, &gss_client_creds); - - if (gss_client) - gss_release_name(&minor_stat, &gss_client); - if (gss_target) - gss_release_name(&minor_stat, &gss_target); - - /* Revert to prior gss_krb5 ccache. */ - if (ccname_orig) { - gssstat = gss_krb5_ccache_name(&minor_stat, ccname_orig, NULL); - if (gssstat) { - return KADM5_GSS_ERROR; - } - free(ccname_orig); - } else { - gssstat = gss_krb5_ccache_name(&minor_stat, NULL, NULL); - if (gssstat) { - return KADM5_GSS_ERROR; - } - } - - if (handle->clnt->cl_auth == NULL) { - return KADM5_GSS_ERROR; - } - return 0; + if (gss_client_creds != GSS_C_NO_CREDENTIAL) + (void) gss_release_cred(&minor_stat, &gss_client_creds); + + if (gss_client) + gss_release_name(&minor_stat, &gss_client); + if (gss_target) + gss_release_name(&minor_stat, &gss_target); + + /* Revert to prior gss_krb5 ccache. */ + if (ccname_orig) { + gssstat = gss_krb5_ccache_name(&minor_stat, ccname_orig, NULL); + if (gssstat) { + return KADM5_GSS_ERROR; + } + free(ccname_orig); + } else { + gssstat = gss_krb5_ccache_name(&minor_stat, NULL, NULL); + if (gssstat) { + return KADM5_GSS_ERROR; + } + } + + if (handle->clnt->cl_auth == NULL) { + return KADM5_GSS_ERROR; + } + return 0; } /* @@ -736,77 +737,77 @@ error: */ static void kadm5_rpc_auth(kadm5_server_handle_t handle, - kadm5_config_params *params_in, - gss_cred_id_t gss_client_creds, - gss_name_t gss_target) + kadm5_config_params *params_in, + gss_cred_id_t gss_client_creds, + gss_name_t gss_target) { - OM_uint32 gssstat, minor_stat; - struct rpc_gss_sec sec; - - /* Allow unauthenticated option for testing. */ - if (params_in != NULL && (params_in->mask & KADM5_CONFIG_NO_AUTH)) - return; - - /* Use RPCSEC_GSS by default. */ - if (params_in == NULL || - !(params_in->mask & KADM5_CONFIG_OLD_AUTH_GSSAPI)) { - sec.mech = gss_mech_krb5; - sec.qop = GSS_C_QOP_DEFAULT; - sec.svc = RPCSEC_GSS_SVC_PRIVACY; - sec.cred = gss_client_creds; - sec.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; - - handle->clnt->cl_auth = authgss_create(handle->clnt, - gss_target, &sec); - if (handle->clnt->cl_auth != NULL) - return; - } - - if (params_in != NULL && (params_in->mask & KADM5_CONFIG_AUTH_NOFALLBACK)) - return; - - /* Fall back to old AUTH_GSSAPI. */ - handle->clnt->cl_auth = auth_gssapi_create(handle->clnt, - &gssstat, - &minor_stat, - gss_client_creds, - gss_target, - (gss_OID) gss_mech_krb5, - GSS_C_MUTUAL_FLAG - | GSS_C_REPLAY_FLAG, - 0, NULL, NULL, NULL); + OM_uint32 gssstat, minor_stat; + struct rpc_gss_sec sec; + + /* Allow unauthenticated option for testing. */ + if (params_in != NULL && (params_in->mask & KADM5_CONFIG_NO_AUTH)) + return; + + /* Use RPCSEC_GSS by default. */ + if (params_in == NULL || + !(params_in->mask & KADM5_CONFIG_OLD_AUTH_GSSAPI)) { + sec.mech = gss_mech_krb5; + sec.qop = GSS_C_QOP_DEFAULT; + sec.svc = RPCSEC_GSS_SVC_PRIVACY; + sec.cred = gss_client_creds; + sec.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; + + handle->clnt->cl_auth = authgss_create(handle->clnt, + gss_target, &sec); + if (handle->clnt->cl_auth != NULL) + return; + } + + if (params_in != NULL && (params_in->mask & KADM5_CONFIG_AUTH_NOFALLBACK)) + return; + + /* Fall back to old AUTH_GSSAPI. */ + handle->clnt->cl_auth = auth_gssapi_create(handle->clnt, + &gssstat, + &minor_stat, + gss_client_creds, + gss_target, + (gss_OID) gss_mech_krb5, + GSS_C_MUTUAL_FLAG + | GSS_C_REPLAY_FLAG, + 0, NULL, NULL, NULL); } kadm5_ret_t kadm5_destroy(void *server_handle) { - krb5_ccache ccache = NULL; - int code = KADM5_OK; - kadm5_server_handle_t handle = - (kadm5_server_handle_t) server_handle; - - CHECK_HANDLE(server_handle); - - if (handle->destroy_cache && handle->cache_name) { - if ((code = krb5_cc_resolve(handle->context, - handle->cache_name, &ccache)) == 0) - code = krb5_cc_destroy (handle->context, ccache); - } - if (handle->cache_name) - free(handle->cache_name); - if (handle->clnt && handle->clnt->cl_auth) - AUTH_DESTROY(handle->clnt->cl_auth); - if (handle->clnt) - clnt_destroy(handle->clnt); - if (handle->lhandle) - free (handle->lhandle); - - kadm5_free_config_params(handle->context, &handle->params); - - handle->magic_number = 0; - free(handle); - - return code; + krb5_ccache ccache = NULL; + int code = KADM5_OK; + kadm5_server_handle_t handle = + (kadm5_server_handle_t) server_handle; + + CHECK_HANDLE(server_handle); + + if (handle->destroy_cache && handle->cache_name) { + if ((code = krb5_cc_resolve(handle->context, + handle->cache_name, &ccache)) == 0) + code = krb5_cc_destroy (handle->context, ccache); + } + if (handle->cache_name) + free(handle->cache_name); + if (handle->clnt && handle->clnt->cl_auth) + AUTH_DESTROY(handle->clnt->cl_auth); + if (handle->clnt) + clnt_destroy(handle->clnt); + if (handle->lhandle) + free (handle->lhandle); + + kadm5_free_config_params(handle->context, &handle->params); + + handle->magic_number = 0; + free(handle); + + return code; } /* not supported on client */ kadm5_ret_t kadm5_lock(void *server_handle) @@ -822,13 +823,13 @@ kadm5_ret_t kadm5_unlock(void *server_handle) kadm5_ret_t kadm5_flush(void *server_handle) { - return KADM5_OK; + return KADM5_OK; } int _kadm5_check_handle(void *handle) { - CHECK_HANDLE(handle); - return 0; + CHECK_HANDLE(handle); + return 0; } krb5_error_code kadm5_init_krb5_context (krb5_context *ctx) @@ -843,5 +844,5 @@ krb5_error_code kadm5_init_krb5_context (krb5_context *ctx) krb5_error_code kadm5_init_iprop(void *handle, char **db_args) { - return (0); + return (0); } diff --git a/src/lib/kadm5/clnt/client_internal.h b/src/lib/kadm5/clnt/client_internal.h index c5ebfec77..c3f8999a6 100644 --- a/src/lib/kadm5/clnt/client_internal.h +++ b/src/lib/kadm5/clnt/client_internal.h @@ -1,12 +1,13 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * * $Header$ - * + * * $Log$ * Revision 1.1 1996/07/24 22:22:43 tlyu - * * Makefile.in, configure.in: break out client lib into a - * subdirectory + * * Makefile.in, configure.in: break out client lib into a + * subdirectory * * Revision 1.11 1996/07/22 20:35:46 marc * this commit includes all the changes on the OV_9510_INTEGRATION and @@ -65,33 +66,33 @@ #include "admin_internal.h" typedef struct _kadm5_server_handle_t { - krb5_ui_4 magic_number; - krb5_ui_4 struct_version; - krb5_ui_4 api_version; - char * cache_name; - int destroy_cache; - CLIENT * clnt; - krb5_context context; - kadm5_config_params params; - struct _kadm5_server_handle_t *lhandle; + krb5_ui_4 magic_number; + krb5_ui_4 struct_version; + krb5_ui_4 api_version; + char * cache_name; + int destroy_cache; + CLIENT * clnt; + krb5_context context; + kadm5_config_params params; + struct _kadm5_server_handle_t *lhandle; } kadm5_server_handle_rec, *kadm5_server_handle_t; -#define CLIENT_CHECK_HANDLE(handle) \ -{ \ - kadm5_server_handle_t srvr = \ - (kadm5_server_handle_t) handle; \ - \ - if (! srvr->clnt) \ - return KADM5_BAD_SERVER_HANDLE; \ - if (! srvr->cache_name) \ - return KADM5_BAD_SERVER_HANDLE; \ - if (! srvr->lhandle) \ - return KADM5_BAD_SERVER_HANDLE; \ -} +#define CLIENT_CHECK_HANDLE(handle) \ + { \ + kadm5_server_handle_t srvr = \ + (kadm5_server_handle_t) handle; \ + \ + if (! srvr->clnt) \ + return KADM5_BAD_SERVER_HANDLE; \ + if (! srvr->cache_name) \ + return KADM5_BAD_SERVER_HANDLE; \ + if (! srvr->lhandle) \ + return KADM5_BAD_SERVER_HANDLE; \ + } -#define CHECK_HANDLE(handle) \ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, \ - KADM5_NEW_LIB_API_VERSION) \ - CLIENT_CHECK_HANDLE(handle) +#define CHECK_HANDLE(handle) \ + GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, \ + KADM5_NEW_LIB_API_VERSION) \ + CLIENT_CHECK_HANDLE(handle) #endif /* __KADM5_CLIENT_INTERNAL_H__ */ diff --git a/src/lib/kadm5/clnt/client_principal.c b/src/lib/kadm5/clnt/client_principal.c index 56ad51219..95d5c2dbd 100644 --- a/src/lib/kadm5/clnt/client_principal.c +++ b/src/lib/kadm5/clnt/client_principal.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -26,11 +27,11 @@ static char *rcsid = "$Header$"; kadm5_ret_t kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t princ, long mask, - char *pw) + kadm5_principal_ent_t princ, long mask, + char *pw) { - generic_ret *r; - cprinc_arg arg; + generic_ret *r; + cprinc_arg arg; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -41,38 +42,38 @@ kadm5_create_principal(void *server_handle, arg.api_version = handle->api_version; if(princ == NULL) - return EINVAL; + return EINVAL; memcpy(&arg.rec, princ, sizeof(kadm5_principal_ent_rec)); arg.rec.mod_name = NULL; - + if(!(mask & KADM5_POLICY)) - arg.rec.policy = NULL; + arg.rec.policy = NULL; if (! (mask & KADM5_KEY_DATA)) { - arg.rec.n_key_data = 0; - arg.rec.key_data = NULL; + arg.rec.n_key_data = 0; + arg.rec.key_data = NULL; } if (! (mask & KADM5_TL_DATA)) { - arg.rec.n_tl_data = 0; - arg.rec.tl_data = NULL; + arg.rec.n_tl_data = 0; + arg.rec.tl_data = NULL; } - + r = create_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_create_principal_3(void *server_handle, - kadm5_principal_ent_t princ, long mask, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *pw) + kadm5_principal_ent_t princ, long mask, + int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + char *pw) { - generic_ret *r; - cprinc3_arg arg; + generic_ret *r; + cprinc3_arg arg; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -85,54 +86,54 @@ kadm5_create_principal_3(void *server_handle, arg.ks_tuple = ks_tuple; if(princ == NULL) - return EINVAL; + return EINVAL; memcpy(&arg.rec, princ, sizeof(kadm5_principal_ent_rec)); arg.rec.mod_name = NULL; - + if(!(mask & KADM5_POLICY)) - arg.rec.policy = NULL; + arg.rec.policy = NULL; if (! (mask & KADM5_KEY_DATA)) { - arg.rec.n_key_data = 0; - arg.rec.key_data = NULL; + arg.rec.n_key_data = 0; + arg.rec.key_data = NULL; } if (! (mask & KADM5_TL_DATA)) { - arg.rec.n_tl_data = 0; - arg.rec.tl_data = NULL; + arg.rec.n_tl_data = 0; + arg.rec.tl_data = NULL; } - + r = create_principal3_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_delete_principal(void *server_handle, krb5_principal principal) { - dprinc_arg arg; - generic_ret *r; + dprinc_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); if(principal == NULL) - return EINVAL; + return EINVAL; arg.princ = principal; arg.api_version = handle->api_version; r = delete_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_modify_principal(void *server_handle, - kadm5_principal_ent_t princ, long mask) + kadm5_principal_ent_t princ, long mask) { - mprinc_arg arg; - generic_ret *r; + mprinc_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -141,87 +142,87 @@ kadm5_modify_principal(void *server_handle, arg.mask = mask; arg.api_version = handle->api_version; if(princ == NULL) - return EINVAL; + return EINVAL; memcpy(&arg.rec, princ, sizeof(kadm5_principal_ent_rec)); if(!(mask & KADM5_POLICY)) - arg.rec.policy = NULL; + arg.rec.policy = NULL; if (! (mask & KADM5_KEY_DATA)) { - arg.rec.n_key_data = 0; - arg.rec.key_data = NULL; + arg.rec.n_key_data = 0; + arg.rec.key_data = NULL; } if (! (mask & KADM5_TL_DATA)) { - arg.rec.n_tl_data = 0; - arg.rec.tl_data = NULL; + arg.rec.n_tl_data = 0; + arg.rec.tl_data = NULL; } arg.rec.mod_name = NULL; - + r = modify_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_get_principal(void *server_handle, - krb5_principal princ, kadm5_principal_ent_t ent, - long mask) + krb5_principal princ, kadm5_principal_ent_t ent, + long mask) { - gprinc_arg arg; - gprinc_ret *r; + gprinc_arg arg; + gprinc_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); if(princ == NULL) - return EINVAL; + return EINVAL; arg.princ = princ; arg.mask = mask; arg.api_version = handle->api_version; r = get_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); if (r->code == 0) - memcpy(ent, &r->rec, sizeof(r->rec)); - + memcpy(ent, &r->rec, sizeof(r->rec)); + return r->code; } kadm5_ret_t kadm5_get_principals(void *server_handle, - char *exp, char ***princs, int *count) + char *exp, char ***princs, int *count) { - gprincs_arg arg; - gprincs_ret *r; + gprincs_arg arg; + gprincs_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); if(princs == NULL || count == NULL) - return EINVAL; + return EINVAL; arg.exp = exp; arg.api_version = handle->api_version; r = get_princs_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); if(r->code == 0) { - *count = r->count; - *princs = r->princs; + *count = r->count; + *princs = r->princs; } else { - *count = 0; - *princs = NULL; + *count = 0; + *princs = NULL; } - + return r->code; } kadm5_ret_t kadm5_rename_principal(void *server_handle, - krb5_principal source, krb5_principal dest) + krb5_principal source, krb5_principal dest) { - rprinc_arg arg; - generic_ret *r; + rprinc_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -230,19 +231,19 @@ kadm5_rename_principal(void *server_handle, arg.dest = dest; arg.api_version = handle->api_version; if (source == NULL || dest == NULL) - return EINVAL; + return EINVAL; r = rename_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_chpass_principal(void *server_handle, - krb5_principal princ, char *password) + krb5_principal princ, char *password) { - chpass_arg arg; - generic_ret *r; + chpass_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -252,21 +253,21 @@ kadm5_chpass_principal(void *server_handle, arg.api_version = handle->api_version; if(princ == NULL) - return EINVAL; + return EINVAL; r = chpass_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_chpass_principal_3(void *server_handle, - krb5_principal princ, krb5_boolean keepold, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - char *password) + krb5_principal princ, krb5_boolean keepold, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, + char *password) { - chpass3_arg arg; - generic_ret *r; + chpass3_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -279,20 +280,20 @@ kadm5_chpass_principal_3(void *server_handle, arg.ks_tuple = ks_tuple; if(princ == NULL) - return EINVAL; + return EINVAL; r = chpass_principal3_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_setv4key_principal(void *server_handle, - krb5_principal princ, - krb5_keyblock *keyblock) + krb5_principal princ, + krb5_keyblock *keyblock) { - setv4key_arg arg; - generic_ret *r; + setv4key_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -302,21 +303,21 @@ kadm5_setv4key_principal(void *server_handle, arg.api_version = handle->api_version; if(princ == NULL || keyblock == NULL) - return EINVAL; + return EINVAL; r = setv4key_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_setkey_principal(void *server_handle, - krb5_principal princ, - krb5_keyblock *keyblocks, - int n_keys) + krb5_principal princ, + krb5_keyblock *keyblocks, + int n_keys) { - setkey_arg arg; - generic_ret *r; + setkey_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -327,23 +328,23 @@ kadm5_setkey_principal(void *server_handle, arg.api_version = handle->api_version; if(princ == NULL || keyblocks == NULL) - return EINVAL; + return EINVAL; r = setkey_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_setkey_principal_3(void *server_handle, - krb5_principal princ, - krb5_boolean keepold, int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock *keyblocks, - int n_keys) + krb5_principal princ, + krb5_boolean keepold, int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + krb5_keyblock *keyblocks, + int n_keys) { - setkey3_arg arg; - generic_ret *r; + setkey3_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -357,24 +358,24 @@ kadm5_setkey_principal_3(void *server_handle, arg.ks_tuple = ks_tuple; if(princ == NULL || keyblocks == NULL) - return EINVAL; + return EINVAL; r = setkey_principal3_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); return r->code; } kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, - krb5_principal princ, - krb5_boolean keepold, int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **key, int *n_keys) + krb5_principal princ, + krb5_boolean keepold, int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, + krb5_keyblock **key, int *n_keys) { - chrand3_arg arg; - chrand_ret *r; + chrand3_arg arg; + chrand_ret *r; kadm5_server_handle_t handle = server_handle; - int i, ret; + int i, ret; CHECK_HANDLE(server_handle); @@ -385,27 +386,27 @@ kadm5_randkey_principal_3(void *server_handle, arg.ks_tuple = ks_tuple; if(princ == NULL) - return EINVAL; + return EINVAL; r = chrand_principal3_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); if (n_keys) - *n_keys = r->n_keys; + *n_keys = r->n_keys; if (key) { - if(r->n_keys) { - *key = malloc(r->n_keys * sizeof(krb5_keyblock)); - if (*key == NULL) - return ENOMEM; - for (i = 0; i < r->n_keys; i++) { - ret = krb5_copy_keyblock_contents(handle->context, &r->keys[i], - &(*key)[i]); - if (ret) { - free(*key); - return ENOMEM; - } - } - } else - *key = NULL; + if(r->n_keys) { + *key = malloc(r->n_keys * sizeof(krb5_keyblock)); + if (*key == NULL) + return ENOMEM; + for (i = 0; i < r->n_keys; i++) { + ret = krb5_copy_keyblock_contents(handle->context, &r->keys[i], + &(*key)[i]); + if (ret) { + free(*key); + return ENOMEM; + } + } + } else + *key = NULL; } return r->code; @@ -413,13 +414,13 @@ kadm5_randkey_principal_3(void *server_handle, kadm5_ret_t kadm5_randkey_principal(void *server_handle, - krb5_principal princ, - krb5_keyblock **key, int *n_keys) + krb5_principal princ, + krb5_keyblock **key, int *n_keys) { - chrand_arg arg; - chrand_ret *r; + chrand_arg arg; + chrand_ret *r; kadm5_server_handle_t handle = server_handle; - int i, ret; + int i, ret; CHECK_HANDLE(server_handle); @@ -427,27 +428,27 @@ kadm5_randkey_principal(void *server_handle, arg.api_version = handle->api_version; if(princ == NULL) - return EINVAL; + return EINVAL; r = chrand_principal_2(&arg, handle->clnt); if(r == NULL) - eret(); + eret(); if (n_keys) - *n_keys = r->n_keys; + *n_keys = r->n_keys; if (key) { - if(r->n_keys) { - *key = malloc(r->n_keys * sizeof(krb5_keyblock)); - if (*key == NULL) - return ENOMEM; - for (i = 0; i < r->n_keys; i++) { - ret = krb5_copy_keyblock_contents(handle->context, &r->keys[i], - &(*key)[i]); - if (ret) { - free(*key); - return ENOMEM; - } - } - } else - *key = NULL; + if(r->n_keys) { + *key = malloc(r->n_keys * sizeof(krb5_keyblock)); + if (*key == NULL) + return ENOMEM; + for (i = 0; i < r->n_keys; i++) { + ret = krb5_copy_keyblock_contents(handle->context, &r->keys[i], + &(*key)[i]); + if (ret) { + free(*key); + return ENOMEM; + } + } + } else + *key = NULL; } return r->code; @@ -455,10 +456,10 @@ kadm5_randkey_principal(void *server_handle, /* not supported on client side */ kadm5_ret_t kadm5_decrypt_key(void *server_handle, - kadm5_principal_ent_t entry, krb5_int32 - ktype, krb5_int32 stype, krb5_int32 - kvno, krb5_keyblock *keyblock, - krb5_keysalt *keysalt, int *kvnop) + kadm5_principal_ent_t entry, krb5_int32 + ktype, krb5_int32 stype, krb5_int32 + kvno, krb5_keyblock *keyblock, + krb5_keysalt *keysalt, int *kvnop) { - return EINVAL; + return EINVAL; } diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c index 19c8b4703..752206b17 100644 --- a/src/lib/kadm5/clnt/client_rpc.c +++ b/src/lib/kadm5/clnt/client_rpc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -14,314 +15,314 @@ static struct timeval TIMEOUT = { 120, 0 }; generic_ret * create_principal_2(cprinc_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, CREATE_PRINCIPAL, - (xdrproc_t) xdr_cprinc_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, CREATE_PRINCIPAL, + (xdrproc_t) xdr_cprinc_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * create_principal3_2(cprinc3_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, CREATE_PRINCIPAL3, - (xdrproc_t) xdr_cprinc3_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, CREATE_PRINCIPAL3, + (xdrproc_t) xdr_cprinc3_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * delete_principal_2(dprinc_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, DELETE_PRINCIPAL, - (xdrproc_t) xdr_dprinc_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, DELETE_PRINCIPAL, + (xdrproc_t) xdr_dprinc_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * modify_principal_2(mprinc_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, MODIFY_PRINCIPAL, - (xdrproc_t) xdr_mprinc_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, MODIFY_PRINCIPAL, + (xdrproc_t) xdr_mprinc_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * rename_principal_2(rprinc_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, RENAME_PRINCIPAL, - (xdrproc_t) xdr_rprinc_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, RENAME_PRINCIPAL, + (xdrproc_t) xdr_rprinc_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } gprinc_ret * get_principal_2(gprinc_arg *argp, CLIENT *clnt) { - static gprinc_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, GET_PRINCIPAL, - (xdrproc_t) xdr_gprinc_arg, (caddr_t) argp, - (xdrproc_t) xdr_gprinc_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static gprinc_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, GET_PRINCIPAL, + (xdrproc_t) xdr_gprinc_arg, (caddr_t) argp, + (xdrproc_t) xdr_gprinc_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } gprincs_ret * get_princs_2(gprincs_arg *argp, CLIENT *clnt) { - static gprincs_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, GET_PRINCS, - (xdrproc_t) xdr_gprincs_arg, (caddr_t) argp, - (xdrproc_t) xdr_gprincs_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static gprincs_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, GET_PRINCS, + (xdrproc_t) xdr_gprincs_arg, (caddr_t) argp, + (xdrproc_t) xdr_gprincs_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * chpass_principal_2(chpass_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, CHPASS_PRINCIPAL, - (xdrproc_t) xdr_chpass_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, CHPASS_PRINCIPAL, + (xdrproc_t) xdr_chpass_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * chpass_principal3_2(chpass3_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, CHPASS_PRINCIPAL3, - (xdrproc_t) xdr_chpass3_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, CHPASS_PRINCIPAL3, + (xdrproc_t) xdr_chpass3_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * setv4key_principal_2(setv4key_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, SETV4KEY_PRINCIPAL, - (xdrproc_t) xdr_setv4key_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, SETV4KEY_PRINCIPAL, + (xdrproc_t) xdr_setv4key_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * setkey_principal_2(setkey_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, SETKEY_PRINCIPAL, - (xdrproc_t) xdr_setkey_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, SETKEY_PRINCIPAL, + (xdrproc_t) xdr_setkey_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * setkey_principal3_2(setkey3_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, SETKEY_PRINCIPAL3, - (xdrproc_t) xdr_setkey3_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, SETKEY_PRINCIPAL3, + (xdrproc_t) xdr_setkey3_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } chrand_ret * chrand_principal_2(chrand_arg *argp, CLIENT *clnt) { - static chrand_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, CHRAND_PRINCIPAL, - (xdrproc_t) xdr_chrand_arg, (caddr_t) argp, - (xdrproc_t) xdr_chrand_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static chrand_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, CHRAND_PRINCIPAL, + (xdrproc_t) xdr_chrand_arg, (caddr_t) argp, + (xdrproc_t) xdr_chrand_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } chrand_ret * chrand_principal3_2(chrand3_arg *argp, CLIENT *clnt) { - static chrand_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, CHRAND_PRINCIPAL3, - (xdrproc_t) xdr_chrand3_arg, (caddr_t) argp, - (xdrproc_t) xdr_chrand_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static chrand_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, CHRAND_PRINCIPAL3, + (xdrproc_t) xdr_chrand3_arg, (caddr_t) argp, + (xdrproc_t) xdr_chrand_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * create_policy_2(cpol_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, CREATE_POLICY, - (xdrproc_t) xdr_cpol_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, CREATE_POLICY, + (xdrproc_t) xdr_cpol_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * delete_policy_2(dpol_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, DELETE_POLICY, - (xdrproc_t) xdr_dpol_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, DELETE_POLICY, + (xdrproc_t) xdr_dpol_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * modify_policy_2(mpol_arg *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, MODIFY_POLICY, - (xdrproc_t) xdr_mpol_arg, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, MODIFY_POLICY, + (xdrproc_t) xdr_mpol_arg, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } gpol_ret * get_policy_2(gpol_arg *argp, CLIENT *clnt) { - static gpol_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, GET_POLICY, - (xdrproc_t) xdr_gpol_arg, (caddr_t) argp, - (xdrproc_t) xdr_gpol_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static gpol_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, GET_POLICY, + (xdrproc_t) xdr_gpol_arg, (caddr_t) argp, + (xdrproc_t) xdr_gpol_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } gpols_ret * get_pols_2(gpols_arg *argp, CLIENT *clnt) { - static gpols_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, GET_POLS, - (xdrproc_t) xdr_gpols_arg, (caddr_t) argp, - (xdrproc_t) xdr_gpols_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static gpols_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, GET_POLS, + (xdrproc_t) xdr_gpols_arg, (caddr_t) argp, + (xdrproc_t) xdr_gpols_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } getprivs_ret * get_privs_2(void *argp, CLIENT *clnt) { - static getprivs_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, GET_PRIVS, - (xdrproc_t) xdr_u_int32, (caddr_t) argp, - (xdrproc_t) xdr_getprivs_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static getprivs_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, GET_PRIVS, + (xdrproc_t) xdr_u_int32, (caddr_t) argp, + (xdrproc_t) xdr_getprivs_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } generic_ret * init_2(void *argp, CLIENT *clnt) { - static generic_ret clnt_res; - - memset(&clnt_res, 0, sizeof(clnt_res)); - if (clnt_call(clnt, INIT, - (xdrproc_t) xdr_u_int32, (caddr_t) argp, - (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, - TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&clnt_res); + static generic_ret clnt_res; + + memset(&clnt_res, 0, sizeof(clnt_res)); + if (clnt_call(clnt, INIT, + (xdrproc_t) xdr_u_int32, (caddr_t) argp, + (xdrproc_t) xdr_generic_ret, (caddr_t) &clnt_res, + TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); } diff --git a/src/lib/kadm5/clnt/clnt_chpass_util.c b/src/lib/kadm5/clnt/clnt_chpass_util.c index 71ab64937..618efda98 100644 --- a/src/lib/kadm5/clnt/clnt_chpass_util.c +++ b/src/lib/kadm5/clnt/clnt_chpass_util.c @@ -1,16 +1,17 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include "client_internal.h" kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, - krb5_principal princ, - char *new_pw, - char **ret_pw, - char *msg_ret, - unsigned int msg_len) + krb5_principal princ, + char *new_pw, + char **ret_pw, + char *msg_ret, + unsigned int msg_len) { - kadm5_server_handle_t handle = server_handle; + kadm5_server_handle_t handle = server_handle; - CHECK_HANDLE(server_handle); - return _kadm5_chpass_principal_util(handle, handle->lhandle, princ, - new_pw, ret_pw, msg_ret, msg_len); + CHECK_HANDLE(server_handle); + return _kadm5_chpass_principal_util(handle, handle->lhandle, princ, + new_pw, ret_pw, msg_ret, msg_len); } diff --git a/src/lib/kadm5/clnt/clnt_policy.c b/src/lib/kadm5/clnt/clnt_policy.c index fc91245e8..0b6796f27 100644 --- a/src/lib/kadm5/clnt/clnt_policy.c +++ b/src/lib/kadm5/clnt/clnt_policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -12,29 +13,29 @@ static char *rcsid = "$Header$"; #include #include #include "client_internal.h" -#include -#include -#include +#include +#include +#include kadm5_ret_t kadm5_create_policy(void *server_handle, - kadm5_policy_ent_t policy, long mask) + kadm5_policy_ent_t policy, long mask) { - cpol_arg arg; - generic_ret *r; + cpol_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); if(policy == (kadm5_policy_ent_t) NULL) - return EINVAL; + return EINVAL; arg.mask = mask; arg.api_version = handle->api_version; memcpy(&arg.rec, policy, sizeof(kadm5_policy_ent_rec)); r = create_policy_2(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + return KADM5_RPC_ERROR; return r->code; } @@ -42,45 +43,45 @@ kadm5_create_policy(void *server_handle, kadm5_ret_t kadm5_delete_policy(void *server_handle, char *name) { - dpol_arg arg; - generic_ret *r; + dpol_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; - + CHECK_HANDLE(server_handle); if(name == NULL) - return EINVAL; + return EINVAL; arg.name = name; arg.api_version = handle->api_version; r = delete_policy_2(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + return KADM5_RPC_ERROR; return r->code; } kadm5_ret_t kadm5_modify_policy(void *server_handle, - kadm5_policy_ent_t policy, long mask) + kadm5_policy_ent_t policy, long mask) { - mpol_arg arg; - generic_ret *r; + mpol_arg arg; + generic_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); if(policy == (kadm5_policy_ent_t) NULL) - return EINVAL; - + return EINVAL; + arg.mask = mask; arg.api_version = handle->api_version; memcpy(&arg.rec, policy, sizeof(kadm5_policy_ent_rec)); r = modify_policy_2(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + return KADM5_RPC_ERROR; return r->code; } @@ -88,8 +89,8 @@ kadm5_modify_policy(void *server_handle, kadm5_ret_t kadm5_get_policy(void *server_handle, char *name, kadm5_policy_ent_t ent) { - gpol_arg arg; - gpol_ret *r; + gpol_arg arg; + gpol_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -98,41 +99,41 @@ kadm5_get_policy(void *server_handle, char *name, kadm5_policy_ent_t ent) arg.api_version = handle->api_version; if(name == NULL) - return EINVAL; - + return EINVAL; + r = get_policy_2(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + return KADM5_RPC_ERROR; if (r->code == 0) - memcpy(ent, &r->rec, sizeof(r->rec)); - + memcpy(ent, &r->rec, sizeof(r->rec)); + return r->code; } kadm5_ret_t kadm5_get_policies(void *server_handle, - char *exp, char ***pols, int *count) + char *exp, char ***pols, int *count) { - gpols_arg arg; - gpols_ret *r; + gpols_arg arg; + gpols_ret *r; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); if(pols == NULL || count == NULL) - return EINVAL; + return EINVAL; arg.exp = exp; arg.api_version = handle->api_version; r = get_pols_2(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + return KADM5_RPC_ERROR; if(r->code == 0) { - *count = r->count; - *pols = r->pols; + *count = r->count; + *pols = r->pols; } else { - *count = 0; - *pols = NULL; + *count = 0; + *pols = NULL; } - + return r->code; } diff --git a/src/lib/kadm5/clnt/clnt_privs.c b/src/lib/kadm5/clnt/clnt_privs.c index 5f7ed4370..15b16b1c9 100644 --- a/src/lib/kadm5/clnt/clnt_privs.c +++ b/src/lib/kadm5/clnt/clnt_privs.c @@ -1,9 +1,10 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * * $Id$ * $Source$ - * + * */ #if !defined(lint) && !defined(__CODECENTER__) @@ -17,14 +18,14 @@ static char *rcsid = "$Header$"; kadm5_ret_t kadm5_get_privs(void *server_handle, long *privs) { - getprivs_ret *r; - kadm5_server_handle_t handle = server_handle; + getprivs_ret *r; + kadm5_server_handle_t handle = server_handle; - r = get_privs_2(&handle->api_version, handle->clnt); - if (r == NULL) - return KADM5_RPC_ERROR; - else if (r->code == KADM5_OK) - *privs = r->privs; + r = get_privs_2(&handle->api_version, handle->clnt); + if (r == NULL) + return KADM5_RPC_ERROR; + else if (r->code == KADM5_OK) + *privs = r->privs; - return r->code; + return r->code; } diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index 8ddf33a24..41ab3f1f9 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c @@ -64,7 +64,7 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp) } } return (xdr_opaque(xdrs, *objp, size)); - + case XDR_ENCODE: if (size != 0) return (xdr_opaque(xdrs, *objp, size)); @@ -226,15 +226,15 @@ xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp) static bool_t xdr_krb5_boolean(XDR *xdrs, krb5_boolean *kbool) { bool_t val; - + switch (xdrs->x_op) { case XDR_DECODE: if (!xdr_bool(xdrs, &val)) return FALSE; - + *kbool = (val == FALSE) ? FALSE : TRUE; return TRUE; - + case XDR_ENCODE: val = *kbool ? TRUE : FALSE; return xdr_bool(xdrs, &val); @@ -242,7 +242,7 @@ static bool_t xdr_krb5_boolean(XDR *xdrs, krb5_boolean *kbool) case XDR_FREE: return TRUE; } - + return FALSE; } @@ -283,13 +283,13 @@ bool_t xdr_krb5_key_data_nocontents(XDR *xdrs, krb5_key_data *objp) if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0], &tmp, ~0)) return FALSE; - + tmp = (unsigned int) objp->key_data_length[1]; if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1], &tmp, ~0)) return FALSE; } - + return (TRUE); } @@ -320,7 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) tl = tl2; } break; - + case XDR_ENCODE: tl = *tl_data_head; while (1) { @@ -394,7 +394,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, int v) { unsigned int n; - + if (!xdr_krb5_principal(xdrs, &objp->principal)) { return (FALSE); } @@ -625,7 +625,7 @@ xdr_gprincs_arg(XDR *xdrs, gprincs_arg *objp) } bool_t -xdr_gprincs_ret(XDR *xdrs, gprincs_ret *objp) +xdr_gprincs_ret(XDR *xdrs, gprincs_ret *objp) { if (!xdr_ui_4(xdrs, &objp->api_version)) { return (FALSE); @@ -810,7 +810,7 @@ xdr_gprinc_arg(XDR *xdrs, gprinc_arg *objp) if (!xdr_long(xdrs, &objp->mask)) { return FALSE; } - + return (TRUE); } @@ -920,7 +920,7 @@ xdr_gpols_arg(XDR *xdrs, gpols_arg *objp) } bool_t -xdr_gpols_ret(XDR *xdrs, gpols_ret *objp) +xdr_gpols_ret(XDR *xdrs, gpols_ret *objp) { if (!xdr_ui_4(xdrs, &objp->api_version)) { return (FALSE); @@ -972,7 +972,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) switch(xdrs->x_op) { case XDR_ENCODE: if (*objp) { - if((ret = krb5_unparse_name(context, *objp, &p)) != 0) + if((ret = krb5_unparse_name(context, *objp, &p)) != 0) return FALSE; } if(!xdr_nullstring(xdrs, &p)) @@ -984,7 +984,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) return FALSE; if (p) { ret = krb5_parse_name(context, p, &pr); - if(ret != 0) + if(ret != 0) return FALSE; *objp = pr; free(p); @@ -992,7 +992,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) *objp = NULL; break; case XDR_FREE: - if(*objp != NULL) + if(*objp != NULL) krb5_free_principal(context, *objp); break; } diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index efff81872..b8da20955 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kadm/logger.c * @@ -29,117 +30,117 @@ #define VERBOSE_LOGS /* - * logger.c - Handle logging functions for those who want it. + * logger.c - Handle logging functions for those who want it. */ #include "k5-int.h" #include "adm_proto.h" #include "com_err.h" #include #include -#ifdef HAVE_SYSLOG_H +#ifdef HAVE_SYSLOG_H #include -#endif /* HAVE_SYSLOG_H */ +#endif /* HAVE_SYSLOG_H */ #include -#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048 -#ifndef MAXHOSTNAMELEN -#define MAXHOSTNAMELEN 256 -#endif /* MAXHOSTNAMELEN */ +#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048 +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 256 +#endif /* MAXHOSTNAMELEN */ /* This is to assure that we have at least one match in the syslog stuff */ -#ifndef LOG_AUTH -#define LOG_AUTH 0 -#endif /* LOG_AUTH */ -#ifndef LOG_ERR -#define LOG_ERR 0 -#endif /* LOG_ERR */ - -#define lspec_parse_err_1 "%s: cannot parse <%s>\n" -#define lspec_parse_err_2 "%s: warning - logging entry syntax error\n" -#define log_file_err "%s: error writing to %s\n" -#define log_device_err "%s: error writing to %s device\n" -#define log_ufo_string "?\?\?" /* nb: avoid trigraphs */ -#define log_emerg_string "EMERGENCY" -#define log_alert_string "ALERT" -#define log_crit_string "CRITICAL" -#define log_err_string "Error" -#define log_warning_string "Warning" -#define log_notice_string "Notice" -#define log_info_string "info" -#define log_debug_string "debug" +#ifndef LOG_AUTH +#define LOG_AUTH 0 +#endif /* LOG_AUTH */ +#ifndef LOG_ERR +#define LOG_ERR 0 +#endif /* LOG_ERR */ + +#define lspec_parse_err_1 "%s: cannot parse <%s>\n" +#define lspec_parse_err_2 "%s: warning - logging entry syntax error\n" +#define log_file_err "%s: error writing to %s\n" +#define log_device_err "%s: error writing to %s device\n" +#define log_ufo_string "?\?\?" /* nb: avoid trigraphs */ +#define log_emerg_string "EMERGENCY" +#define log_alert_string "ALERT" +#define log_crit_string "CRITICAL" +#define log_err_string "Error" +#define log_warning_string "Warning" +#define log_notice_string "Notice" +#define log_info_string "info" +#define log_debug_string "debug" /* * Output logging. * * Output logging is now controlled by the configuration file. We can specify * the following syntaxes under the [logging]->entity specification. - * FILE - * SYSLOG[=[:]] - * STDERR - * CONSOLE - * DEVICE= + * FILE + * SYSLOG[=[:]] + * STDERR + * CONSOLE + * DEVICE= * * Where: - * is ":" for open/append, "=" for open/create. - * is a valid path name. - * is one of: (default = ERR) - * EMERG - * ALERT - * CRIT - * ERR - * WARNING - * NOTICE - * INFO - * DEBUG - * is one of: (default = AUTH) - * KERN - * USER - * MAIL - * DAEMON - * AUTH - * LPR - * NEWS - * UUCP - * CRON - * LOCAL0..LOCAL7 - * is a valid device specification. + * is ":" for open/append, "=" for open/create. + * is a valid path name. + * is one of: (default = ERR) + * EMERG + * ALERT + * CRIT + * ERR + * WARNING + * NOTICE + * INFO + * DEBUG + * is one of: (default = AUTH) + * KERN + * USER + * MAIL + * DAEMON + * AUTH + * LPR + * NEWS + * UUCP + * CRON + * LOCAL0..LOCAL7 + * is a valid device specification. */ struct log_entry { enum log_type { K_LOG_FILE, - K_LOG_SYSLOG, - K_LOG_STDERR, - K_LOG_CONSOLE, - K_LOG_DEVICE, - K_LOG_NONE } log_type; + K_LOG_SYSLOG, + K_LOG_STDERR, + K_LOG_CONSOLE, + K_LOG_DEVICE, + K_LOG_NONE } log_type; krb5_pointer log_2free; union log_union { - struct log_file { - FILE *lf_filep; - char *lf_fname; - } log_file; - struct log_syslog { - int ls_facility; - int ls_severity; - } log_syslog; - struct log_device { - FILE *ld_filep; - char *ld_devname; - } log_device; + struct log_file { + FILE *lf_filep; + char *lf_fname; + } log_file; + struct log_syslog { + int ls_facility; + int ls_severity; + } log_syslog; + struct log_device { + FILE *ld_filep; + char *ld_devname; + } log_device; } log_union; }; -#define lfu_filep log_union.log_file.lf_filep -#define lfu_fname log_union.log_file.lf_fname -#define lsu_facility log_union.log_syslog.ls_facility -#define lsu_severity log_union.log_syslog.ls_severity -#define ldu_filep log_union.log_device.ld_filep -#define ldu_devname log_union.log_device.ld_devname +#define lfu_filep log_union.log_file.lf_filep +#define lfu_fname log_union.log_file.lf_fname +#define lsu_facility log_union.log_syslog.ls_facility +#define lsu_severity log_union.log_syslog.ls_severity +#define ldu_filep log_union.log_device.ld_filep +#define ldu_devname log_union.log_device.ld_devname struct log_control { - struct log_entry *log_entries; - int log_nentries; - char *log_whoami; - char *log_hostname; - krb5_boolean log_opened; + struct log_entry *log_entries; + int log_nentries; + char *log_whoami; + char *log_hostname; + krb5_boolean log_opened; }; static struct log_control log_control = { @@ -149,23 +150,23 @@ static struct log_control log_control = { (char *) NULL, 0 }; -static struct log_entry def_log_entry; +static struct log_entry def_log_entry; /* * These macros define any special processing that needs to happen for * devices. For unix, of course, this is hardly anything. */ -#define DEVICE_OPEN(d, m) fopen(d, m) -#define CONSOLE_OPEN(m) fopen("/dev/console", m) -#define DEVICE_PRINT(f, m) ((fprintf(f, "%s\r\n", m) >= 0) ? \ - (fflush(f), 0) : \ - -1) -#define DEVICE_CLOSE(d) fclose(d) +#define DEVICE_OPEN(d, m) fopen(d, m) +#define CONSOLE_OPEN(m) fopen("/dev/console", m) +#define DEVICE_PRINT(f, m) ((fprintf(f, "%s\r\n", m) >= 0) ? \ + (fflush(f), 0) : \ + -1) +#define DEVICE_CLOSE(d) fclose(d) /* - * klog_com_err_proc() - Handle com_err(3) messages as specified by the - * profile. + * klog_com_err_proc() - Handle com_err(3) messages as specified by the + * profile. */ static krb5_context err_context; @@ -179,14 +180,14 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list static void klog_com_err_proc(const char *whoami, long int code, const char *format, va_list ap) { - char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE]; - int lindex; - const char *actual_format; -#ifdef HAVE_SYSLOG - int log_pri = -1; -#endif /* HAVE_SYSLOG */ - char *cp; - char *syslogp; + char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE]; + int lindex; + const char *actual_format; +#ifdef HAVE_SYSLOG + int log_pri = -1; +#endif /* HAVE_SYSLOG */ + char *cp; + char *syslogp; /* Make the header */ snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); @@ -201,15 +202,15 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list char *emsg; outbuf[sizeof(outbuf) - 1] = '\0'; - emsg = krb5_get_error_message (err_context, code); - strncat(outbuf, emsg, sizeof(outbuf) - 1 - strlen(outbuf)); - strncat(outbuf, " - ", sizeof(outbuf) - 1 - strlen(outbuf)); - krb5_free_error_message(err_context, emsg); + emsg = krb5_get_error_message (err_context, code); + strncat(outbuf, emsg, sizeof(outbuf) - 1 - strlen(outbuf)); + strncat(outbuf, " - ", sizeof(outbuf) - 1 - strlen(outbuf)); + krb5_free_error_message(err_context, emsg); } cp = &outbuf[strlen(outbuf)]; - + actual_format = format; -#ifdef HAVE_SYSLOG +#ifdef HAVE_SYSLOG /* * This is an unpleasant hack. If the first character is less than * 8, then we assume that it is a priority. @@ -219,50 +220,50 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list * intermediate representation. */ if ((((unsigned char) *format) > 0) && (((unsigned char) *format) <= 8)) { - actual_format = (format + 1); - switch ((unsigned char) *format) { -#ifdef LOG_EMERG - case 1: - log_pri = LOG_EMERG; - break; + actual_format = (format + 1); + switch ((unsigned char) *format) { +#ifdef LOG_EMERG + case 1: + log_pri = LOG_EMERG; + break; #endif /* LOG_EMERG */ -#ifdef LOG_ALERT - case 2: - log_pri = LOG_ALERT; - break; +#ifdef LOG_ALERT + case 2: + log_pri = LOG_ALERT; + break; #endif /* LOG_ALERT */ -#ifdef LOG_CRIT - case 3: - log_pri = LOG_CRIT; - break; +#ifdef LOG_CRIT + case 3: + log_pri = LOG_CRIT; + break; #endif /* LOG_CRIT */ - default: - case 4: - log_pri = LOG_ERR; - break; -#ifdef LOG_WARNING - case 5: - log_pri = LOG_WARNING; - break; + default: + case 4: + log_pri = LOG_ERR; + break; +#ifdef LOG_WARNING + case 5: + log_pri = LOG_WARNING; + break; #endif /* LOG_WARNING */ -#ifdef LOG_NOTICE - case 6: - log_pri = LOG_NOTICE; - break; +#ifdef LOG_NOTICE + case 6: + log_pri = LOG_NOTICE; + break; #endif /* LOG_NOTICE */ -#ifdef LOG_INFO - case 7: - log_pri = LOG_INFO; - break; +#ifdef LOG_INFO + case 7: + log_pri = LOG_INFO; + break; #endif /* LOG_INFO */ -#ifdef LOG_DEBUG - case 8: - log_pri = LOG_DEBUG; - break; +#ifdef LOG_DEBUG + case 8: + log_pri = LOG_DEBUG; + break; #endif /* LOG_DEBUG */ - } - } -#endif /* HAVE_SYSLOG */ + } + } +#endif /* HAVE_SYSLOG */ /* Now format the actual message */ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap); @@ -272,92 +273,92 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list * logging specification. */ for (lindex = 0; lindex < log_control.log_nentries; lindex++) { - switch (log_control.log_entries[lindex].log_type) { - case K_LOG_FILE: - case K_LOG_STDERR: - /* - * Files/standard error. - */ - if (fprintf(log_control.log_entries[lindex].lfu_filep, "%s\n", - outbuf) < 0) { - /* Attempt to report error */ - fprintf(stderr, log_file_err, whoami, - log_control.log_entries[lindex].lfu_fname); - } - else { - fflush(log_control.log_entries[lindex].lfu_filep); - } - break; - case K_LOG_CONSOLE: - case K_LOG_DEVICE: - /* - * Devices (may need special handling) - */ - if (DEVICE_PRINT(log_control.log_entries[lindex].ldu_filep, - outbuf) < 0) { - /* Attempt to report error */ - fprintf(stderr, log_device_err, whoami, - log_control.log_entries[lindex].ldu_devname); - } - break; -#ifdef HAVE_SYSLOG - case K_LOG_SYSLOG: - /* - * System log. - */ - /* - * If we have specified a priority through our hackery, then - * use it, otherwise use the default. - */ - if (log_pri >= 0) - log_pri |= log_control.log_entries[lindex].lsu_facility; - else - log_pri = log_control.log_entries[lindex].lsu_facility | - log_control.log_entries[lindex].lsu_severity; - - /* Log the message with our header trimmed off */ - syslog(log_pri, "%s", syslogp); - break; + switch (log_control.log_entries[lindex].log_type) { + case K_LOG_FILE: + case K_LOG_STDERR: + /* + * Files/standard error. + */ + if (fprintf(log_control.log_entries[lindex].lfu_filep, "%s\n", + outbuf) < 0) { + /* Attempt to report error */ + fprintf(stderr, log_file_err, whoami, + log_control.log_entries[lindex].lfu_fname); + } + else { + fflush(log_control.log_entries[lindex].lfu_filep); + } + break; + case K_LOG_CONSOLE: + case K_LOG_DEVICE: + /* + * Devices (may need special handling) + */ + if (DEVICE_PRINT(log_control.log_entries[lindex].ldu_filep, + outbuf) < 0) { + /* Attempt to report error */ + fprintf(stderr, log_device_err, whoami, + log_control.log_entries[lindex].ldu_devname); + } + break; +#ifdef HAVE_SYSLOG + case K_LOG_SYSLOG: + /* + * System log. + */ + /* + * If we have specified a priority through our hackery, then + * use it, otherwise use the default. + */ + if (log_pri >= 0) + log_pri |= log_control.log_entries[lindex].lsu_facility; + else + log_pri = log_control.log_entries[lindex].lsu_facility | + log_control.log_entries[lindex].lsu_severity; + + /* Log the message with our header trimmed off */ + syslog(log_pri, "%s", syslogp); + break; #endif /* HAVE_SYSLOG */ - default: - break; - } + default: + break; + } } } /* - * krb5_klog_init() - Initialize logging. + * krb5_klog_init() - Initialize logging. * * This routine parses the syntax described above to specify destinations for * com_err(3) or krb5_klog_syslog() messages generated by the caller. * * Parameters: - * kcontext - Kerberos context. - * ename - Entity name as it is to appear in the profile. - * whoami - Entity name as it is to appear in error output. - * do_com_err - Take over com_err(3) processing. + * kcontext - Kerberos context. + * ename - Entity name as it is to appear in the profile. + * whoami - Entity name as it is to appear in error output. + * do_com_err - Take over com_err(3) processing. * * Implicit inputs: - * stderr - This is where STDERR output goes. + * stderr - This is where STDERR output goes. * * Implicit outputs: - * log_nentries - Number of log entries, both valid and invalid. - * log_control - List of entries (log_nentries long) which contains - * data for klog_com_err_proc() to use to determine - * where/how to send output. + * log_nentries - Number of log entries, both valid and invalid. + * log_control - List of entries (log_nentries long) which contains + * data for klog_com_err_proc() to use to determine + * where/how to send output. */ krb5_error_code krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do_com_err) { - const char *logging_profent[3]; - const char *logging_defent[3]; - char **logging_specs; - int i, ngood; - char *cp, *cp2; - char savec = '\0'; - int error; - int do_openlog, log_facility; - FILE *f; + const char *logging_profent[3]; + const char *logging_defent[3]; + char **logging_specs; + int i, ngood; + char *cp, *cp2; + char savec = '\0'; + int error; + int do_openlog, log_facility; + FILE *f; /* Initialize */ do_openlog = 0; @@ -379,311 +380,311 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do ngood = 0; log_control.log_nentries = 0; if (!profile_get_values(kcontext->profile, - logging_profent, - &logging_specs) || - !profile_get_values(kcontext->profile, - logging_defent, - &logging_specs)) { - /* - * We have a match, so we first count the number of elements - */ - for (log_control.log_nentries = 0; - logging_specs[log_control.log_nentries]; - log_control.log_nentries++); - - /* - * Now allocate our structure. - */ - log_control.log_entries = (struct log_entry *) - malloc(log_control.log_nentries * sizeof(struct log_entry)); - if (log_control.log_entries) { - /* - * Scan through the list. - */ - for (i=0; i - * so, trim off the leading and trailing whitespace here. - */ - for (cp = logging_specs[i]; isspace((int) *cp); cp++); - for (cp2 = &logging_specs[i][strlen(logging_specs[i])-1]; - isspace((int) *cp2); cp2--); - cp2++; - *cp2 = '\0'; - /* - * Is this a file? - */ - if (!strncasecmp(cp, "FILE", 4)) { - /* - * Check for append/overwrite, then open the file. - */ - if (cp[4] == ':' || cp[4] == '=') { - f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); - if (f) { - set_cloexec_file(f); - log_control.log_entries[i].lfu_filep = f; - log_control.log_entries[i].log_type = K_LOG_FILE; - log_control.log_entries[i].lfu_fname = &cp[5]; - } else { - fprintf(stderr,"Couldn't open log file %s: %s\n", - &cp[5], error_message(errno)); - continue; - } - } - } -#ifdef HAVE_SYSLOG - /* - * Is this a syslog? - */ - else if (!strncasecmp(cp, "SYSLOG", 6)) { - error = 0; - log_control.log_entries[i].lsu_facility = LOG_AUTH; - log_control.log_entries[i].lsu_severity = LOG_ERR; - /* - * Is there a severify specified? - */ - if (cp[6] == ':') { - /* - * Find the end of the severity. - */ - cp2 = strchr(&cp[7], ':'); - if (cp2) { - savec = *cp2; - *cp2 = '\0'; - cp2++; - } - - /* - * Match a severity. - */ - if (!strcasecmp(&cp[7], "ERR")) { - log_control.log_entries[i].lsu_severity = LOG_ERR; - } -#ifdef LOG_EMERG - else if (!strcasecmp(&cp[7], "EMERG")) { - log_control.log_entries[i].lsu_severity = - LOG_EMERG; - } -#endif /* LOG_EMERG */ -#ifdef LOG_ALERT - else if (!strcasecmp(&cp[7], "ALERT")) { - log_control.log_entries[i].lsu_severity = - LOG_ALERT; - } -#endif /* LOG_ALERT */ -#ifdef LOG_CRIT - else if (!strcasecmp(&cp[7], "CRIT")) { - log_control.log_entries[i].lsu_severity = LOG_CRIT; - } -#endif /* LOG_CRIT */ -#ifdef LOG_WARNING - else if (!strcasecmp(&cp[7], "WARNING")) { - log_control.log_entries[i].lsu_severity = - LOG_WARNING; - } -#endif /* LOG_WARNING */ -#ifdef LOG_NOTICE - else if (!strcasecmp(&cp[7], "NOTICE")) { - log_control.log_entries[i].lsu_severity = - LOG_NOTICE; - } -#endif /* LOG_NOTICE */ -#ifdef LOG_INFO - else if (!strcasecmp(&cp[7], "INFO")) { - log_control.log_entries[i].lsu_severity = LOG_INFO; - } -#endif /* LOG_INFO */ -#ifdef LOG_DEBUG - else if (!strcasecmp(&cp[7], "DEBUG")) { - log_control.log_entries[i].lsu_severity = - LOG_DEBUG; - } -#endif /* LOG_DEBUG */ - else - error = 1; - - /* - * If there is a facility present, then parse that. - */ - if (cp2) { - static const struct { - const char *name; - int value; - } facilities[] = { - { "AUTH", LOG_AUTH }, -#ifdef LOG_AUTHPRIV - { "AUTHPRIV", LOG_AUTHPRIV }, -#endif /* LOG_AUTHPRIV */ -#ifdef LOG_KERN - { "KERN", LOG_KERN }, -#endif /* LOG_KERN */ -#ifdef LOG_USER - { "USER", LOG_USER }, -#endif /* LOG_USER */ -#ifdef LOG_MAIL - { "MAIL", LOG_MAIL }, -#endif /* LOG_MAIL */ -#ifdef LOG_DAEMON - { "DAEMON", LOG_DAEMON }, -#endif /* LOG_DAEMON */ -#ifdef LOG_FTP - { "FTP", LOG_FTP }, -#endif /* LOG_FTP */ -#ifdef LOG_LPR - { "LPR", LOG_LPR }, -#endif /* LOG_LPR */ -#ifdef LOG_NEWS - { "NEWS", LOG_NEWS }, -#endif /* LOG_NEWS */ -#ifdef LOG_UUCP - { "UUCP", LOG_UUCP }, -#endif /* LOG_UUCP */ -#ifdef LOG_CRON - { "CRON", LOG_CRON }, -#endif /* LOG_CRON */ -#ifdef LOG_LOCAL0 - { "LOCAL0", LOG_LOCAL0 }, -#endif /* LOG_LOCAL0 */ -#ifdef LOG_LOCAL1 - { "LOCAL1", LOG_LOCAL1 }, -#endif /* LOG_LOCAL1 */ -#ifdef LOG_LOCAL2 - { "LOCAL2", LOG_LOCAL2 }, -#endif /* LOG_LOCAL2 */ -#ifdef LOG_LOCAL3 - { "LOCAL3", LOG_LOCAL3 }, -#endif /* LOG_LOCAL3 */ -#ifdef LOG_LOCAL4 - { "LOCAL4", LOG_LOCAL4 }, -#endif /* LOG_LOCAL4 */ -#ifdef LOG_LOCAL5 - { "LOCAL5", LOG_LOCAL5 }, -#endif /* LOG_LOCAL5 */ -#ifdef LOG_LOCAL6 - { "LOCAL6", LOG_LOCAL6 }, -#endif /* LOG_LOCAL6 */ -#ifdef LOG_LOCAL7 - { "LOCAL7", LOG_LOCAL7 }, -#endif /* LOG_LOCAL7 */ - }; - unsigned int j; - - for (j = 0; j < sizeof(facilities)/sizeof(facilities[0]); j++) - if (!strcasecmp(cp2, facilities[j].name)) { - log_control.log_entries[i].lsu_facility = facilities[j].value; - break; - } - cp2--; - *cp2 = savec; - } - } - if (!error) { - log_control.log_entries[i].log_type = K_LOG_SYSLOG; - do_openlog = 1; - log_facility = log_control.log_entries[i].lsu_facility; - } - } -#endif /* HAVE_SYSLOG */ - /* - * Is this a standard error specification? - */ - else if (!strcasecmp(cp, "STDERR")) { - log_control.log_entries[i].lfu_filep = - fdopen(fileno(stderr), "a+"); - if (log_control.log_entries[i].lfu_filep) { - log_control.log_entries[i].log_type = K_LOG_STDERR; - log_control.log_entries[i].lfu_fname = - "standard error"; - } - } - /* - * Is this a specification of the console? - */ - else if (!strcasecmp(cp, "CONSOLE")) { - log_control.log_entries[i].ldu_filep = - CONSOLE_OPEN("a+"); - if (log_control.log_entries[i].ldu_filep) { - set_cloexec_file(log_control.log_entries[i].ldu_filep); - log_control.log_entries[i].log_type = K_LOG_CONSOLE; - log_control.log_entries[i].ldu_devname = "console"; - } - } - /* - * Is this a specification of a device? - */ - else if (!strncasecmp(cp, "DEVICE", 6)) { - /* - * We handle devices very similarly to files. - */ - if (cp[6] == '=') { - log_control.log_entries[i].ldu_filep = - DEVICE_OPEN(&cp[7], "w"); - if (log_control.log_entries[i].ldu_filep) { - set_cloexec_file(log_control.log_entries[i].ldu_filep); - log_control.log_entries[i].log_type = K_LOG_DEVICE; - log_control.log_entries[i].ldu_devname = &cp[7]; - } - } - } - /* - * See if we successfully parsed this specification. - */ - if (log_control.log_entries[i].log_type == K_LOG_NONE) { - fprintf(stderr, lspec_parse_err_1, whoami, cp); - fprintf(stderr, lspec_parse_err_2, whoami); - } - else - ngood++; - } - } - /* - * If we didn't find anything, then free our lists. - */ - if (ngood == 0) { - for (i=0; iprofile, + logging_defent, + &logging_specs)) { + /* + * We have a match, so we first count the number of elements + */ + for (log_control.log_nentries = 0; + logging_specs[log_control.log_nentries]; + log_control.log_nentries++); + + /* + * Now allocate our structure. + */ + log_control.log_entries = (struct log_entry *) + malloc(log_control.log_nentries * sizeof(struct log_entry)); + if (log_control.log_entries) { + /* + * Scan through the list. + */ + for (i=0; i + * so, trim off the leading and trailing whitespace here. + */ + for (cp = logging_specs[i]; isspace((int) *cp); cp++); + for (cp2 = &logging_specs[i][strlen(logging_specs[i])-1]; + isspace((int) *cp2); cp2--); + cp2++; + *cp2 = '\0'; + /* + * Is this a file? + */ + if (!strncasecmp(cp, "FILE", 4)) { + /* + * Check for append/overwrite, then open the file. + */ + if (cp[4] == ':' || cp[4] == '=') { + f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[i].lfu_filep = f; + log_control.log_entries[i].log_type = K_LOG_FILE; + log_control.log_entries[i].lfu_fname = &cp[5]; + } else { + fprintf(stderr,"Couldn't open log file %s: %s\n", + &cp[5], error_message(errno)); + continue; + } + } + } +#ifdef HAVE_SYSLOG + /* + * Is this a syslog? + */ + else if (!strncasecmp(cp, "SYSLOG", 6)) { + error = 0; + log_control.log_entries[i].lsu_facility = LOG_AUTH; + log_control.log_entries[i].lsu_severity = LOG_ERR; + /* + * Is there a severify specified? + */ + if (cp[6] == ':') { + /* + * Find the end of the severity. + */ + cp2 = strchr(&cp[7], ':'); + if (cp2) { + savec = *cp2; + *cp2 = '\0'; + cp2++; + } + + /* + * Match a severity. + */ + if (!strcasecmp(&cp[7], "ERR")) { + log_control.log_entries[i].lsu_severity = LOG_ERR; + } +#ifdef LOG_EMERG + else if (!strcasecmp(&cp[7], "EMERG")) { + log_control.log_entries[i].lsu_severity = + LOG_EMERG; + } +#endif /* LOG_EMERG */ +#ifdef LOG_ALERT + else if (!strcasecmp(&cp[7], "ALERT")) { + log_control.log_entries[i].lsu_severity = + LOG_ALERT; + } +#endif /* LOG_ALERT */ +#ifdef LOG_CRIT + else if (!strcasecmp(&cp[7], "CRIT")) { + log_control.log_entries[i].lsu_severity = LOG_CRIT; + } +#endif /* LOG_CRIT */ +#ifdef LOG_WARNING + else if (!strcasecmp(&cp[7], "WARNING")) { + log_control.log_entries[i].lsu_severity = + LOG_WARNING; + } +#endif /* LOG_WARNING */ +#ifdef LOG_NOTICE + else if (!strcasecmp(&cp[7], "NOTICE")) { + log_control.log_entries[i].lsu_severity = + LOG_NOTICE; + } +#endif /* LOG_NOTICE */ +#ifdef LOG_INFO + else if (!strcasecmp(&cp[7], "INFO")) { + log_control.log_entries[i].lsu_severity = LOG_INFO; + } +#endif /* LOG_INFO */ +#ifdef LOG_DEBUG + else if (!strcasecmp(&cp[7], "DEBUG")) { + log_control.log_entries[i].lsu_severity = + LOG_DEBUG; + } +#endif /* LOG_DEBUG */ + else + error = 1; + + /* + * If there is a facility present, then parse that. + */ + if (cp2) { + static const struct { + const char *name; + int value; + } facilities[] = { + { "AUTH", LOG_AUTH }, +#ifdef LOG_AUTHPRIV + { "AUTHPRIV", LOG_AUTHPRIV }, +#endif /* LOG_AUTHPRIV */ +#ifdef LOG_KERN + { "KERN", LOG_KERN }, +#endif /* LOG_KERN */ +#ifdef LOG_USER + { "USER", LOG_USER }, +#endif /* LOG_USER */ +#ifdef LOG_MAIL + { "MAIL", LOG_MAIL }, +#endif /* LOG_MAIL */ +#ifdef LOG_DAEMON + { "DAEMON", LOG_DAEMON }, +#endif /* LOG_DAEMON */ +#ifdef LOG_FTP + { "FTP", LOG_FTP }, +#endif /* LOG_FTP */ +#ifdef LOG_LPR + { "LPR", LOG_LPR }, +#endif /* LOG_LPR */ +#ifdef LOG_NEWS + { "NEWS", LOG_NEWS }, +#endif /* LOG_NEWS */ +#ifdef LOG_UUCP + { "UUCP", LOG_UUCP }, +#endif /* LOG_UUCP */ +#ifdef LOG_CRON + { "CRON", LOG_CRON }, +#endif /* LOG_CRON */ +#ifdef LOG_LOCAL0 + { "LOCAL0", LOG_LOCAL0 }, +#endif /* LOG_LOCAL0 */ +#ifdef LOG_LOCAL1 + { "LOCAL1", LOG_LOCAL1 }, +#endif /* LOG_LOCAL1 */ +#ifdef LOG_LOCAL2 + { "LOCAL2", LOG_LOCAL2 }, +#endif /* LOG_LOCAL2 */ +#ifdef LOG_LOCAL3 + { "LOCAL3", LOG_LOCAL3 }, +#endif /* LOG_LOCAL3 */ +#ifdef LOG_LOCAL4 + { "LOCAL4", LOG_LOCAL4 }, +#endif /* LOG_LOCAL4 */ +#ifdef LOG_LOCAL5 + { "LOCAL5", LOG_LOCAL5 }, +#endif /* LOG_LOCAL5 */ +#ifdef LOG_LOCAL6 + { "LOCAL6", LOG_LOCAL6 }, +#endif /* LOG_LOCAL6 */ +#ifdef LOG_LOCAL7 + { "LOCAL7", LOG_LOCAL7 }, +#endif /* LOG_LOCAL7 */ + }; + unsigned int j; + + for (j = 0; j < sizeof(facilities)/sizeof(facilities[0]); j++) + if (!strcasecmp(cp2, facilities[j].name)) { + log_control.log_entries[i].lsu_facility = facilities[j].value; + break; + } + cp2--; + *cp2 = savec; + } + } + if (!error) { + log_control.log_entries[i].log_type = K_LOG_SYSLOG; + do_openlog = 1; + log_facility = log_control.log_entries[i].lsu_facility; + } + } +#endif /* HAVE_SYSLOG */ + /* + * Is this a standard error specification? + */ + else if (!strcasecmp(cp, "STDERR")) { + log_control.log_entries[i].lfu_filep = + fdopen(fileno(stderr), "a+"); + if (log_control.log_entries[i].lfu_filep) { + log_control.log_entries[i].log_type = K_LOG_STDERR; + log_control.log_entries[i].lfu_fname = + "standard error"; + } + } + /* + * Is this a specification of the console? + */ + else if (!strcasecmp(cp, "CONSOLE")) { + log_control.log_entries[i].ldu_filep = + CONSOLE_OPEN("a+"); + if (log_control.log_entries[i].ldu_filep) { + set_cloexec_file(log_control.log_entries[i].ldu_filep); + log_control.log_entries[i].log_type = K_LOG_CONSOLE; + log_control.log_entries[i].ldu_devname = "console"; + } + } + /* + * Is this a specification of a device? + */ + else if (!strncasecmp(cp, "DEVICE", 6)) { + /* + * We handle devices very similarly to files. + */ + if (cp[6] == '=') { + log_control.log_entries[i].ldu_filep = + DEVICE_OPEN(&cp[7], "w"); + if (log_control.log_entries[i].ldu_filep) { + set_cloexec_file(log_control.log_entries[i].ldu_filep); + log_control.log_entries[i].log_type = K_LOG_DEVICE; + log_control.log_entries[i].ldu_devname = &cp[7]; + } + } + } + /* + * See if we successfully parsed this specification. + */ + if (log_control.log_entries[i].log_type == K_LOG_NONE) { + fprintf(stderr, lspec_parse_err_1, whoami, cp); + fprintf(stderr, lspec_parse_err_2, whoami); + } + else + ngood++; + } + } + /* + * If we didn't find anything, then free our lists. + */ + if (ngood == 0) { + for (i=0; ilog_type = K_LOG_SYSLOG; - log_control.log_entries->log_2free = (krb5_pointer) NULL; - log_facility = log_control.log_entries->lsu_facility = LOG_AUTH; - log_control.log_entries->lsu_severity = LOG_ERR; - do_openlog = 1; - log_control.log_nentries = 1; + if (log_control.log_entries) + free(log_control.log_entries); + log_control.log_entries = &def_log_entry; + log_control.log_entries->log_type = K_LOG_SYSLOG; + log_control.log_entries->log_2free = (krb5_pointer) NULL; + log_facility = log_control.log_entries->lsu_facility = LOG_AUTH; + log_control.log_entries->lsu_severity = LOG_ERR; + do_openlog = 1; + log_control.log_nentries = 1; } if (log_control.log_nentries) { - log_control.log_whoami = strdup(whoami); - log_control.log_hostname = (char *) malloc(MAXHOSTNAMELEN + 1); - if (log_control.log_hostname) { - gethostname(log_control.log_hostname, MAXHOSTNAMELEN); - log_control.log_hostname[MAXHOSTNAMELEN] = '\0'; - } -#ifdef HAVE_OPENLOG - if (do_openlog) { - openlog(whoami, LOG_NDELAY|LOG_PID, log_facility); - log_control.log_opened = 1; - } + log_control.log_whoami = strdup(whoami); + log_control.log_hostname = (char *) malloc(MAXHOSTNAMELEN + 1); + if (log_control.log_hostname) { + gethostname(log_control.log_hostname, MAXHOSTNAMELEN); + log_control.log_hostname[MAXHOSTNAMELEN] = '\0'; + } +#ifdef HAVE_OPENLOG + if (do_openlog) { + openlog(whoami, LOG_NDELAY|LOG_PID, log_facility); + log_control.log_opened = 1; + } #endif /* HAVE_OPENLOG */ - if (do_com_err) - (void) set_com_err_hook(klog_com_err_proc); + if (do_com_err) + (void) set_com_err_hook(klog_com_err_proc); } return((log_control.log_nentries) ? 0 : ENOENT); } /* - * krb5_klog_close() - Close the logging context and free all data. + * krb5_klog_close() - Close the logging context and free all data. */ void krb5_klog_close(krb5_context kcontext) @@ -691,52 +692,52 @@ krb5_klog_close(krb5_context kcontext) int lindex; (void) reset_com_err_hook(); for (lindex = 0; lindex < log_control.log_nentries; lindex++) { - switch (log_control.log_entries[lindex].log_type) { - case K_LOG_FILE: - case K_LOG_STDERR: - /* - * Files/standard error. - */ - fclose(log_control.log_entries[lindex].lfu_filep); - break; - case K_LOG_CONSOLE: - case K_LOG_DEVICE: - /* - * Devices (may need special handling) - */ - DEVICE_CLOSE(log_control.log_entries[lindex].ldu_filep); - break; -#ifdef HAVE_SYSLOG - case K_LOG_SYSLOG: - /* - * System log. - */ - break; -#endif /* HAVE_SYSLOG */ - default: - break; - } - if (log_control.log_entries[lindex].log_2free) - free(log_control.log_entries[lindex].log_2free); + switch (log_control.log_entries[lindex].log_type) { + case K_LOG_FILE: + case K_LOG_STDERR: + /* + * Files/standard error. + */ + fclose(log_control.log_entries[lindex].lfu_filep); + break; + case K_LOG_CONSOLE: + case K_LOG_DEVICE: + /* + * Devices (may need special handling) + */ + DEVICE_CLOSE(log_control.log_entries[lindex].ldu_filep); + break; +#ifdef HAVE_SYSLOG + case K_LOG_SYSLOG: + /* + * System log. + */ + break; +#endif /* HAVE_SYSLOG */ + default: + break; + } + if (log_control.log_entries[lindex].log_2free) + free(log_control.log_entries[lindex].log_2free); } if (log_control.log_entries != &def_log_entry) - free(log_control.log_entries); + free(log_control.log_entries); log_control.log_entries = (struct log_entry *) NULL; log_control.log_nentries = 0; if (log_control.log_whoami) - free(log_control.log_whoami); + free(log_control.log_whoami); log_control.log_whoami = (char *) NULL; if (log_control.log_hostname) - free(log_control.log_hostname); + free(log_control.log_hostname); log_control.log_hostname = (char *) NULL; -#ifdef HAVE_CLOSELOG +#ifdef HAVE_CLOSELOG if (log_control.log_opened) - closelog(); -#endif /* HAVE_CLOSELOG */ + closelog(); +#endif /* HAVE_CLOSELOG */ } /* - * severity2string() - Convert a severity to a string. + * severity2string() - Convert a severity to a string. */ static const char * severity2string(int severity) @@ -747,52 +748,52 @@ severity2string(int severity) s = severity & LOG_PRIMASK; ss = log_ufo_string; switch (s) { -#ifdef LOG_EMERG +#ifdef LOG_EMERG case LOG_EMERG: - ss = log_emerg_string; - break; -#endif /* LOG_EMERG */ -#ifdef LOG_ALERT + ss = log_emerg_string; + break; +#endif /* LOG_EMERG */ +#ifdef LOG_ALERT case LOG_ALERT: - ss = log_alert_string; - break; -#endif /* LOG_ALERT */ -#ifdef LOG_CRIT + ss = log_alert_string; + break; +#endif /* LOG_ALERT */ +#ifdef LOG_CRIT case LOG_CRIT: - ss = log_crit_string; - break; -#endif /* LOG_CRIT */ + ss = log_crit_string; + break; +#endif /* LOG_CRIT */ case LOG_ERR: - ss = log_err_string; - break; -#ifdef LOG_WARNING + ss = log_err_string; + break; +#ifdef LOG_WARNING case LOG_WARNING: - ss = log_warning_string; - break; -#endif /* LOG_WARNING */ -#ifdef LOG_NOTICE + ss = log_warning_string; + break; +#endif /* LOG_WARNING */ +#ifdef LOG_NOTICE case LOG_NOTICE: - ss = log_notice_string; - break; -#endif /* LOG_NOTICE */ -#ifdef LOG_INFO + ss = log_notice_string; + break; +#endif /* LOG_NOTICE */ +#ifdef LOG_INFO case LOG_INFO: - ss = log_info_string; - break; -#endif /* LOG_INFO */ -#ifdef LOG_DEBUG + ss = log_info_string; + break; +#endif /* LOG_INFO */ +#ifdef LOG_DEBUG case LOG_DEBUG: - ss = log_debug_string; - break; -#endif /* LOG_DEBUG */ + ss = log_debug_string; + break; +#endif /* LOG_DEBUG */ } return(ss); } /* - * krb5_klog_syslog() - Simulate the calling sequence of syslog(3), while - * also performing the logging redirection as specified - * by krb5_klog_init(). + * krb5_klog_syslog() - Simulate the calling sequence of syslog(3), while + * also performing the logging redirection as specified + * by krb5_klog_init(). */ static int klog_vsyslog(int priority, const char *format, va_list arglist) @@ -804,51 +805,51 @@ klog_vsyslog(int priority, const char *format, va_list arglist) static int klog_vsyslog(int priority, const char *format, va_list arglist) { - char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE]; - int lindex; - char *syslogp; - char *cp; - time_t now; -#ifdef HAVE_STRFTIME - size_t soff; -#endif /* HAVE_STRFTIME */ + char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE]; + int lindex; + char *syslogp; + char *cp; + time_t now; +#ifdef HAVE_STRFTIME + size_t soff; +#endif /* HAVE_STRFTIME */ /* * Format a syslog-esque message of the format: * * (verbose form) - * [](): + * [](): * * (short form) - * + * */ cp = outbuf; (void) time(&now); -#ifdef HAVE_STRFTIME +#ifdef HAVE_STRFTIME /* * Format the date: mon dd hh:mm:ss */ soff = strftime(outbuf, sizeof(outbuf), "%b %d %H:%M:%S", localtime(&now)); if (soff > 0) - cp += soff; + cp += soff; else - return(-1); -#else /* HAVE_STRFTIME */ + return(-1); +#else /* HAVE_STRFTIME */ /* * Format the date: * We ASSUME here that the output of ctime is of the format: - * dow mon dd hh:mm:ss tzs yyyy\n + * dow mon dd hh:mm:ss tzs yyyy\n * 012345678901234567890123456789 */ strncpy(outbuf, ctime(&now) + 4, 15); cp += 15; -#endif /* HAVE_STRFTIME */ +#endif /* HAVE_STRFTIME */ #ifdef VERBOSE_LOGS snprintf(cp, sizeof(outbuf) - (cp-outbuf), " %s %s[%ld](%s): ", - log_control.log_hostname ? log_control.log_hostname : "", - log_control.log_whoami ? log_control.log_whoami : "", - (long) getpid(), - severity2string(priority)); + log_control.log_hostname ? log_control.log_hostname : "", + log_control.log_whoami ? log_control.log_whoami : "", + (long) getpid(), + severity2string(priority)); #else snprintf(cp, sizeof(outbuf) - (cp-outbuf), " "); #endif @@ -863,8 +864,8 @@ klog_vsyslog(int priority, const char *format, va_list arglist) */ #ifdef HAVE_SYSLOG if (log_control.log_nentries == 0) { - /* Log the message with our header trimmed off */ - syslog(priority, "%s", syslogp); + /* Log the message with our header trimmed off */ + syslog(priority, "%s", syslogp); } #endif @@ -873,47 +874,47 @@ klog_vsyslog(int priority, const char *format, va_list arglist) * logging specification. */ for (lindex = 0; lindex < log_control.log_nentries; lindex++) { - switch (log_control.log_entries[lindex].log_type) { - case K_LOG_FILE: - case K_LOG_STDERR: - /* - * Files/standard error. - */ - if (fprintf(log_control.log_entries[lindex].lfu_filep, "%s\n", - outbuf) < 0) { - /* Attempt to report error */ - fprintf(stderr, log_file_err, log_control.log_whoami, - log_control.log_entries[lindex].lfu_fname); - } - else { - fflush(log_control.log_entries[lindex].lfu_filep); - } - break; - case K_LOG_CONSOLE: - case K_LOG_DEVICE: - /* - * Devices (may need special handling) - */ - if (DEVICE_PRINT(log_control.log_entries[lindex].ldu_filep, - outbuf) < 0) { - /* Attempt to report error */ - fprintf(stderr, log_device_err, log_control.log_whoami, - log_control.log_entries[lindex].ldu_devname); - } - break; -#ifdef HAVE_SYSLOG - case K_LOG_SYSLOG: - /* - * System log. - */ - - /* Log the message with our header trimmed off */ - syslog(priority, "%s", syslogp); - break; + switch (log_control.log_entries[lindex].log_type) { + case K_LOG_FILE: + case K_LOG_STDERR: + /* + * Files/standard error. + */ + if (fprintf(log_control.log_entries[lindex].lfu_filep, "%s\n", + outbuf) < 0) { + /* Attempt to report error */ + fprintf(stderr, log_file_err, log_control.log_whoami, + log_control.log_entries[lindex].lfu_fname); + } + else { + fflush(log_control.log_entries[lindex].lfu_filep); + } + break; + case K_LOG_CONSOLE: + case K_LOG_DEVICE: + /* + * Devices (may need special handling) + */ + if (DEVICE_PRINT(log_control.log_entries[lindex].ldu_filep, + outbuf) < 0) { + /* Attempt to report error */ + fprintf(stderr, log_device_err, log_control.log_whoami, + log_control.log_entries[lindex].ldu_devname); + } + break; +#ifdef HAVE_SYSLOG + case K_LOG_SYSLOG: + /* + * System log. + */ + + /* Log the message with our header trimmed off */ + syslog(priority, "%s", syslogp); + break; #endif /* HAVE_SYSLOG */ - default: - break; - } + default: + break; + } } return(0); } @@ -921,8 +922,8 @@ klog_vsyslog(int priority, const char *format, va_list arglist) int krb5_klog_syslog(int priority, const char *format, ...) { - int retval; - va_list pvar; + int retval; + va_list pvar; va_start(pvar, format); retval = klog_vsyslog(priority, format, pvar); @@ -948,21 +949,21 @@ krb5_klog_reopen(krb5_context kcontext) * and reopened in response to a SIGHUP */ for (lindex = 0; lindex < log_control.log_nentries; lindex++) { - if (log_control.log_entries[lindex].log_type == K_LOG_FILE) { - fclose(log_control.log_entries[lindex].lfu_filep); - /* - * In case the old logfile did not get moved out of the - * way, open for append to prevent squashing the old logs. - */ - f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); - if (f) { - set_cloexec_file(f); - log_control.log_entries[lindex].lfu_filep = f; - } else { - fprintf(stderr, "Couldn't open log file %s: %s\n", - log_control.log_entries[lindex].lfu_fname, - error_message(errno)); - } - } + if (log_control.log_entries[lindex].log_type == K_LOG_FILE) { + fclose(log_control.log_entries[lindex].lfu_filep); + /* + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. + */ + f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; + } else { + fprintf(stderr, "Couldn't open log file %s: %s\n", + log_control.log_entries[lindex].lfu_fname, + error_message(errno)); + } + } } } diff --git a/src/lib/kadm5/misc_free.c b/src/lib/kadm5/misc_free.c index b0e3d24ee..17c8cccac 100644 --- a/src/lib/kadm5/misc_free.c +++ b/src/lib/kadm5/misc_free.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -7,9 +8,9 @@ #if !defined(lint) && !defined(__CODECENTER__) static char *rcsid = "$Header$"; #endif -#include -#include -#include "server_internal.h" +#include +#include +#include "server_internal.h" kadm5_ret_t kadm5_free_policy_ent(void *server_handle, kadm5_policy_ent_t val) @@ -17,54 +18,54 @@ kadm5_free_policy_ent(void *server_handle, kadm5_policy_ent_t val) _KADM5_CHECK_HANDLE(server_handle); if (val) - free(val->policy); + free(val->policy); return KADM5_OK; } kadm5_ret_t - kadm5_free_name_list(void *server_handle, char **names, int count) +kadm5_free_name_list(void *server_handle, char **names, int count) { _KADM5_CHECK_HANDLE(server_handle); - + while (count--) - free(names[count]); - free(names); + free(names[count]); + free(names); return KADM5_OK; } /* XXX this ought to be in libkrb5.a, but isn't */ kadm5_ret_t krb5_free_key_data_contents(context, key) - krb5_context context; - krb5_key_data *key; + krb5_context context; + krb5_key_data *key; { - int i, idx; - - idx = (key->key_data_ver == 1 ? 1 : 2); - for (i = 0; i < idx; i++) { - if (key->key_data_contents[i]) { - memset(key->key_data_contents[i], 0, key->key_data_length[i]); - free(key->key_data_contents[i]); - } - } - return KADM5_OK; + int i, idx; + + idx = (key->key_data_ver == 1 ? 1 : 2); + for (i = 0; i < idx; i++) { + if (key->key_data_contents[i]) { + memset(key->key_data_contents[i], 0, key->key_data_length[i]); + free(key->key_data_contents[i]); + } + } + return KADM5_OK; } kadm5_ret_t kadm5_free_key_data(void *server_handle, - krb5_int16 *n_key_data, - krb5_key_data *key_data) + krb5_int16 *n_key_data, + krb5_key_data *key_data) { - kadm5_server_handle_t handle = server_handle; - int i, nkeys = (int) *n_key_data; - - _KADM5_CHECK_HANDLE(server_handle); - - if (key_data == NULL) - return KADM5_OK; - - for (i = 0; i < nkeys; i++) - krb5_free_key_data_contents(handle->context, &key_data[i]); - free(key_data); - return KADM5_OK; + kadm5_server_handle_t handle = server_handle; + int i, nkeys = (int) *n_key_data; + + _KADM5_CHECK_HANDLE(server_handle); + + if (key_data == NULL) + return KADM5_OK; + + for (i = 0; i < nkeys; i++) + krb5_free_key_data_contents(handle->context, &key_data[i]); + free(key_data); + return KADM5_OK; } kadm5_ret_t @@ -77,22 +78,22 @@ kadm5_free_principal_ent(void *server_handle, kadm5_principal_ent_t val) _KADM5_CHECK_HANDLE(server_handle); if (!val) - return KADM5_OK; + return KADM5_OK; krb5_free_principal(handle->context, val->principal); krb5_free_principal(handle->context, val->mod_name); free(val->policy); if (val->n_key_data) { - for (i = 0; i < val->n_key_data; i++) - krb5_free_key_data_contents(handle->context, &val->key_data[i]); - free(val->key_data); + for (i = 0; i < val->n_key_data; i++) + krb5_free_key_data_contents(handle->context, &val->key_data[i]); + free(val->key_data); } while (val->tl_data) { - tl = val->tl_data->tl_data_next; - free(val->tl_data->tl_data_contents); - free(val->tl_data); - val->tl_data = tl; + tl = val->tl_data->tl_data_next; + free(val->tl_data->tl_data_contents); + free(val->tl_data); + val->tl_data = tl; } return KADM5_OK; } diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h index c9bb073d3..7f5875031 100644 --- a/src/lib/kadm5/server_internal.h +++ b/src/lib/kadm5/server_internal.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -24,116 +25,116 @@ #include "admin_internal.h" typedef struct _kadm5_server_handle_t { - krb5_ui_4 magic_number; - krb5_ui_4 struct_version; - krb5_ui_4 api_version; - krb5_context context; - krb5_principal current_caller; - kadm5_config_params params; - struct _kadm5_server_handle_t *lhandle; - char **db_args; + krb5_ui_4 magic_number; + krb5_ui_4 struct_version; + krb5_ui_4 api_version; + krb5_context context; + krb5_principal current_caller; + kadm5_config_params params; + struct _kadm5_server_handle_t *lhandle; + char **db_args; } kadm5_server_handle_rec, *kadm5_server_handle_t; #define OSA_ADB_PRINC_VERSION_1 0x12345C01 typedef struct _osa_pw_hist_t { - int n_key_data; - krb5_key_data *key_data; + int n_key_data; + krb5_key_data *key_data; } osa_pw_hist_ent, *osa_pw_hist_t; typedef struct _osa_princ_ent_t { - int version; - char *policy; - long aux_attributes; - unsigned int old_key_len; - unsigned int old_key_next; - krb5_kvno admin_history_kvno; - osa_pw_hist_ent *old_keys; + int version; + char *policy; + long aux_attributes; + unsigned int old_key_len; + unsigned int old_key_next; + krb5_kvno admin_history_kvno; + osa_pw_hist_ent *old_keys; } osa_princ_ent_rec, *osa_princ_ent_t; kadm5_ret_t adb_policy_init(kadm5_server_handle_t handle); kadm5_ret_t adb_policy_close(kadm5_server_handle_t handle); kadm5_ret_t passwd_check(kadm5_server_handle_t handle, - char *pass, int use_policy, - kadm5_policy_ent_t policy, - krb5_principal principal); + char *pass, int use_policy, + kadm5_policy_ent_t policy, + krb5_principal principal); kadm5_ret_t principal_exists(krb5_principal principal); -krb5_error_code kdb_init_master(kadm5_server_handle_t handle, - char *r, int from_keyboard); -krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, - char *r); +krb5_error_code kdb_init_master(kadm5_server_handle_t handle, + char *r, int from_keyboard); +krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, + char *r); krb5_error_code kdb_get_entry(kadm5_server_handle_t handle, - krb5_principal principal, krb5_db_entry *kdb, - osa_princ_ent_rec *adb); + krb5_principal principal, krb5_db_entry *kdb, + osa_princ_ent_rec *adb); krb5_error_code kdb_free_entry(kadm5_server_handle_t handle, - krb5_db_entry *kdb, osa_princ_ent_rec *adb); + krb5_db_entry *kdb, osa_princ_ent_rec *adb); krb5_error_code kdb_put_entry(kadm5_server_handle_t handle, - krb5_db_entry *kdb, osa_princ_ent_rec *adb); + krb5_db_entry *kdb, osa_princ_ent_rec *adb); krb5_error_code kdb_delete_entry(kadm5_server_handle_t handle, - krb5_principal name); + krb5_principal name); krb5_error_code kdb_iter_entry(kadm5_server_handle_t handle, - char *match_entry, - void (*iter_fct)(void *, krb5_principal), - void *data); + char *match_entry, + void (*iter_fct)(void *, krb5_principal), + void *data); -int init_dict(kadm5_config_params *); -int find_word(const char *word); -void destroy_dict(void); +int init_dict(kadm5_config_params *); +int find_word(const char *word); +void destroy_dict(void); /* XXX this ought to be in libkrb5.a, but isn't */ kadm5_ret_t krb5_copy_key_data_contents(krb5_context context, - krb5_key_data *from, - krb5_key_data *to); -kadm5_ret_t krb5_free_key_data_contents(krb5_context context, - krb5_key_data *key); + krb5_key_data *from, + krb5_key_data *to); +kadm5_ret_t krb5_free_key_data_contents(krb5_context context, + krb5_key_data *key); /* - * *Warning* - * *Warning* This is going to break if we - * *Warning* ever go multi-threaded - * *Warning* + * *Warning* + * *Warning* This is going to break if we + * *Warning* ever go multi-threaded + * *Warning* */ -extern krb5_principal current_caller; +extern krb5_principal current_caller; /* * Why is this (or something similar) not defined *anywhere* in krb5? */ -#define KSUCCESS 0 -#define WORD_NOT_FOUND 1 +#define KSUCCESS 0 +#define WORD_NOT_FOUND 1 /* * all the various mask bits or'd together */ -#define ALL_PRINC_MASK \ - (KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION | \ - KADM5_LAST_PWD_CHANGE | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | \ - KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_KVNO | KADM5_MKVNO | \ - KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR | KADM5_POLICY | \ - KADM5_MAX_RLIFE | KADM5_TL_DATA | KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT ) - -#define ALL_POLICY_MASK \ - (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \ - KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \ - KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \ - KADM5_PW_LOCKOUT_DURATION ) - -#define SERVER_CHECK_HANDLE(handle) \ -{ \ - kadm5_server_handle_t srvr = \ - (kadm5_server_handle_t) handle; \ - \ - if (! srvr->current_caller) \ - return KADM5_BAD_SERVER_HANDLE; \ - if (! srvr->lhandle) \ - return KADM5_BAD_SERVER_HANDLE; \ -} - -#define CHECK_HANDLE(handle) \ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, \ - KADM5_NEW_SERVER_API_VERSION) \ - SERVER_CHECK_HANDLE(handle) +#define ALL_PRINC_MASK \ + (KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION | \ + KADM5_LAST_PWD_CHANGE | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | \ + KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_KVNO | KADM5_MKVNO | \ + KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR | KADM5_POLICY | \ + KADM5_MAX_RLIFE | KADM5_TL_DATA | KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT ) + +#define ALL_POLICY_MASK \ + (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \ + KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \ + KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \ + KADM5_PW_LOCKOUT_DURATION ) + +#define SERVER_CHECK_HANDLE(handle) \ + { \ + kadm5_server_handle_t srvr = \ + (kadm5_server_handle_t) handle; \ + \ + if (! srvr->current_caller) \ + return KADM5_BAD_SERVER_HANDLE; \ + if (! srvr->lhandle) \ + return KADM5_BAD_SERVER_HANDLE; \ + } + +#define CHECK_HANDLE(handle) \ + GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, \ + KADM5_NEW_SERVER_API_VERSION) \ + SERVER_CHECK_HANDLE(handle) bool_t xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp); diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c index d5d17062a..87ed27a43 100644 --- a/src/lib/kadm5/srv/adb_xdr.c +++ b/src/lib/kadm5/srv/adb_xdr.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -11,7 +12,7 @@ static char *rcsid = "$Header$"; #include #include #include -#include "server_internal.h" +#include "server_internal.h" #include "admin_xdr.h" #ifdef HAVE_MEMORY_H #include @@ -23,27 +24,27 @@ xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp) unsigned int tmp; if (!xdr_krb5_int16(xdrs, &objp->key_data_ver)) - return(FALSE); + return(FALSE); if (!xdr_krb5_int16(xdrs, &objp->key_data_kvno)) - return(FALSE); + return(FALSE); if (!xdr_krb5_int16(xdrs, &objp->key_data_type[0])) - return(FALSE); + return(FALSE); if (!xdr_krb5_int16(xdrs, &objp->key_data_type[1])) - return(FALSE); + return(FALSE); if (!xdr_krb5_ui_2(xdrs, &objp->key_data_length[0])) - return(FALSE); + return(FALSE); if (!xdr_krb5_ui_2(xdrs, &objp->key_data_length[1])) - return(FALSE); + return(FALSE); tmp = (unsigned int) objp->key_data_length[0]; if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0], - &tmp, ~0)) - return FALSE; + &tmp, ~0)) + return FALSE; tmp = (unsigned int) objp->key_data_length[1]; if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1], - &tmp, ~0)) - return FALSE; + &tmp, ~0)) + return FALSE; /* don't need to copy tmp out, since key_data_length will be set by the above encoding. */ @@ -55,10 +56,10 @@ bool_t xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp) { if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, - (u_int *) &objp->n_key_data, ~0, - sizeof(krb5_key_data), - xdr_krb5_key_data)) - return (FALSE); + (u_int *) &objp->n_key_data, ~0, + sizeof(krb5_key_data), + xdr_krb5_key_data)) + return (FALSE); return (TRUE); } @@ -67,33 +68,33 @@ xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp) { switch (xdrs->x_op) { case XDR_ENCODE: - objp->version = OSA_ADB_PRINC_VERSION_1; - /* fall through */ + objp->version = OSA_ADB_PRINC_VERSION_1; + /* fall through */ case XDR_FREE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - break; + if (!xdr_int(xdrs, &objp->version)) + return FALSE; + break; case XDR_DECODE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - if (objp->version != OSA_ADB_PRINC_VERSION_1) - return FALSE; - break; + if (!xdr_int(xdrs, &objp->version)) + return FALSE; + if (objp->version != OSA_ADB_PRINC_VERSION_1) + return FALSE; + break; } - + if (!xdr_nullstring(xdrs, &objp->policy)) - return (FALSE); + return (FALSE); if (!xdr_long(xdrs, &objp->aux_attributes)) - return (FALSE); + return (FALSE); if (!xdr_u_int(xdrs, &objp->old_key_next)) - return (FALSE); + return (FALSE); if (!xdr_krb5_kvno(xdrs, &objp->admin_history_kvno)) - return (FALSE); + return (FALSE); if (!xdr_array(xdrs, (caddr_t *) &objp->old_keys, - (unsigned int *) &objp->old_key_len, ~0, - sizeof(osa_pw_hist_ent), - xdr_osa_pw_hist_ent)) - return (FALSE); + (unsigned int *) &objp->old_key_len, ~0, + sizeof(osa_pw_hist_ent), + xdr_osa_pw_hist_ent)) + return (FALSE); return (TRUE); } @@ -101,10 +102,9 @@ void osa_free_princ_ent(osa_princ_ent_t val) { XDR xdrs; - + xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - + xdr_osa_princ_ent_rec(&xdrs, val); free(val); } - diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c index 45f3879b8..b8abe8afd 100644 --- a/src/lib/kadm5/srv/server_acl.c +++ b/src/lib/kadm5/srv/server_acl.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kadm5/srv/server_acl.c * @@ -40,46 +41,46 @@ #include typedef struct _acl_op_table { - char ao_op; - krb5_int32 ao_mask; + char ao_op; + krb5_int32 ao_mask; } aop_t; typedef struct _acl_entry { - struct _acl_entry *ae_next; - char *ae_name; - krb5_boolean ae_name_bad; - krb5_principal ae_principal; - krb5_int32 ae_op_allowed; - char *ae_target; - krb5_boolean ae_target_bad; - krb5_principal ae_target_princ; - char *ae_restriction_string; - /* eg: "-maxlife 3h -service +proxiable" */ - krb5_boolean ae_restriction_bad; - restriction_t *ae_restrictions; + struct _acl_entry *ae_next; + char *ae_name; + krb5_boolean ae_name_bad; + krb5_principal ae_principal; + krb5_int32 ae_op_allowed; + char *ae_target; + krb5_boolean ae_target_bad; + krb5_principal ae_target_princ; + char *ae_restriction_string; + /* eg: "-maxlife 3h -service +proxiable" */ + krb5_boolean ae_restriction_bad; + restriction_t *ae_restrictions; } aent_t; static const aop_t acl_op_table[] = { - { 'a', ACL_ADD }, - { 'd', ACL_DELETE }, - { 'm', ACL_MODIFY }, - { 'c', ACL_CHANGEPW }, - { 'i', ACL_INQUIRE }, - { 'l', ACL_LIST }, - { 'p', ACL_IPROP }, - { 's', ACL_SETKEY }, - { 'x', ACL_ALL_MASK }, - { '*', ACL_ALL_MASK }, - { '\0', 0 } + { 'a', ACL_ADD }, + { 'd', ACL_DELETE }, + { 'm', ACL_MODIFY }, + { 'c', ACL_CHANGEPW }, + { 'i', ACL_INQUIRE }, + { 'l', ACL_LIST }, + { 'p', ACL_IPROP }, + { 's', ACL_SETKEY }, + { 'x', ACL_ALL_MASK }, + { '*', ACL_ALL_MASK }, + { '\0', 0 } }; typedef struct _wildstate { - int nwild; - krb5_data *backref[9]; + int nwild; + krb5_data *backref[9]; } wildstate_t; -static aent_t *acl_list_head = (aent_t *) NULL; -static aent_t *acl_list_tail = (aent_t *) NULL; +static aent_t *acl_list_head = (aent_t *) NULL; +static aent_t *acl_list_tail = (aent_t *) NULL; static const char *acl_acl_file = (char *) NULL; static int acl_inited = 0; @@ -99,65 +100,65 @@ static const char *acl_cantopen_msg = "%s while opening ACL file %s"; /* * kadm5int_acl_get_line() - Get a line from the ACL file. - * Lines ending with \ are continued on the next line + * Lines ending with \ are continued on the next line */ static char * kadm5int_acl_get_line(fp, lnp) - FILE *fp; - int *lnp; /* caller should set to 1 before first call */ + FILE *fp; + int *lnp; /* caller should set to 1 before first call */ { - int i, domore; - static int line_incr = 0; + int i, domore; + static int line_incr = 0; static char acl_buf[BUFSIZ]; *lnp += line_incr; line_incr = 0; for (domore = 1; domore && !feof(fp); ) { - /* Copy in the line, with continuations */ - for (i=0; ((i < sizeof acl_buf) && !feof(fp)); i++ ) { - int byte; - byte = fgetc(fp); - acl_buf[i] = byte; - if (byte == (char)EOF) { - if (i > 0 && acl_buf[i-1] == '\\') - i--; - break; /* it gets nulled-out below */ - } - else if (acl_buf[i] == '\n') { - if (i == 0 || acl_buf[i-1] != '\\') - break; /* empty line or normal end of line */ - else { - i -= 2; /* back up over "\\\n" and continue */ - line_incr++; - } - } - } - /* Check if we exceeded our buffer size */ - if (i == sizeof acl_buf && (i--, !feof(fp))) { - int c1 = acl_buf[i], c2; - - krb5_klog_syslog(LOG_ERR, acl_line2long_msg, acl_acl_file, *lnp); - while ((c2 = fgetc(fp)) != EOF) { - if (c2 == '\n') { - if (c1 != '\\') - break; - line_incr++; - } - c1 = c2; - } - } - acl_buf[i] = '\0'; - if (acl_buf[0] == (char) EOF) /* ptooey */ - acl_buf[0] = '\0'; - else - line_incr++; - if ((acl_buf[0] != '#') && (acl_buf[0] != '\0')) - domore = 0; + /* Copy in the line, with continuations */ + for (i=0; ((i < sizeof acl_buf) && !feof(fp)); i++ ) { + int byte; + byte = fgetc(fp); + acl_buf[i] = byte; + if (byte == (char)EOF) { + if (i > 0 && acl_buf[i-1] == '\\') + i--; + break; /* it gets nulled-out below */ + } + else if (acl_buf[i] == '\n') { + if (i == 0 || acl_buf[i-1] != '\\') + break; /* empty line or normal end of line */ + else { + i -= 2; /* back up over "\\\n" and continue */ + line_incr++; + } + } + } + /* Check if we exceeded our buffer size */ + if (i == sizeof acl_buf && (i--, !feof(fp))) { + int c1 = acl_buf[i], c2; + + krb5_klog_syslog(LOG_ERR, acl_line2long_msg, acl_acl_file, *lnp); + while ((c2 = fgetc(fp)) != EOF) { + if (c2 == '\n') { + if (c1 != '\\') + break; + line_incr++; + } + c1 = c2; + } + } + acl_buf[i] = '\0'; + if (acl_buf[0] == (char) EOF) /* ptooey */ + acl_buf[0] = '\0'; + else + line_incr++; + if ((acl_buf[0] != '#') && (acl_buf[0] != '\0')) + domore = 0; } if (domore || (strlen(acl_buf) == 0)) - return((char *) NULL); + return((char *) NULL); else - return(acl_buf); + return(acl_buf); } /* @@ -171,95 +172,95 @@ kadm5int_acl_parse_line(lp) static char acle_ops[BUFSIZ]; static char acle_object[BUFSIZ]; static char acle_restrictions[BUFSIZ]; - aent_t *acle; - char *op; - int t, found, opok, nmatch; + aent_t *acle; + char *op; + int t, found, opok, nmatch; DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_parse_line(line=%20s)\n", lp)); + ("* kadm5int_acl_parse_line(line=%20s)\n", lp)); /* * Format is still simple: * entry ::= [] - * [ [ - * []]] + * [ [ + * []]] */ acle = (aent_t *) NULL; acle_object[0] = '\0'; nmatch = sscanf(lp, "%s %s %s %[^\n]", acle_principal, acle_ops, - acle_object, acle_restrictions); + acle_object, acle_restrictions); if (nmatch >= 2) { - acle = (aent_t *) malloc(sizeof(aent_t)); - if (acle) { - acle->ae_next = (aent_t *) NULL; - acle->ae_op_allowed = (krb5_int32) 0; - acle->ae_target = - (nmatch >= 3) ? strdup(acle_object) : (char *) NULL; - acle->ae_target_bad = 0; - acle->ae_target_princ = (krb5_principal) NULL; - opok = 1; - for (op=acle_ops; *op; op++) { - char rop; - - rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op; - found = 0; - for (t=0; acl_op_table[t].ao_op; t++) { - if (rop == acl_op_table[t].ao_op) { - found = 1; - if (rop == *op) - acle->ae_op_allowed |= acl_op_table[t].ao_mask; - else - acle->ae_op_allowed &= ~acl_op_table[t].ao_mask; - } - } - if (!found) { - krb5_klog_syslog(LOG_ERR, acl_op_bad_msg, *op, lp); - opok = 0; - } - } - if (opok) { - acle->ae_name = strdup(acle_principal); - if (acle->ae_name) { - acle->ae_principal = (krb5_principal) NULL; - acle->ae_name_bad = 0; - DPRINT(DEBUG_ACL, acl_debug_level, - ("A ACL entry %s -> opmask %x\n", - acle->ae_name, acle->ae_op_allowed)); - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - - if (acle) { - if ( nmatch >= 4 ) { - char *trailing; - - trailing = &acle_restrictions[strlen(acle_restrictions)-1]; - while ( isspace((int) *trailing) ) - trailing--; - trailing[1] = '\0'; - acle->ae_restriction_string = - strdup(acle_restrictions); - } - else { - acle->ae_restriction_string = (char *) NULL; - } - acle->ae_restriction_bad = 0; - acle->ae_restrictions = (restriction_t *) NULL; - } - } + acle = (aent_t *) malloc(sizeof(aent_t)); + if (acle) { + acle->ae_next = (aent_t *) NULL; + acle->ae_op_allowed = (krb5_int32) 0; + acle->ae_target = + (nmatch >= 3) ? strdup(acle_object) : (char *) NULL; + acle->ae_target_bad = 0; + acle->ae_target_princ = (krb5_principal) NULL; + opok = 1; + for (op=acle_ops; *op; op++) { + char rop; + + rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op; + found = 0; + for (t=0; acl_op_table[t].ao_op; t++) { + if (rop == acl_op_table[t].ao_op) { + found = 1; + if (rop == *op) + acle->ae_op_allowed |= acl_op_table[t].ao_mask; + else + acle->ae_op_allowed &= ~acl_op_table[t].ao_mask; + } + } + if (!found) { + krb5_klog_syslog(LOG_ERR, acl_op_bad_msg, *op, lp); + opok = 0; + } + } + if (opok) { + acle->ae_name = strdup(acle_principal); + if (acle->ae_name) { + acle->ae_principal = (krb5_principal) NULL; + acle->ae_name_bad = 0; + DPRINT(DEBUG_ACL, acl_debug_level, + ("A ACL entry %s -> opmask %x\n", + acle->ae_name, acle->ae_op_allowed)); + } + else { + if (acle->ae_target) + free(acle->ae_target); + free(acle); + acle = (aent_t *) NULL; + } + } + else { + if (acle->ae_target) + free(acle->ae_target); + free(acle); + acle = (aent_t *) NULL; + } + + if (acle) { + if ( nmatch >= 4 ) { + char *trailing; + + trailing = &acle_restrictions[strlen(acle_restrictions)-1]; + while ( isspace((int) *trailing) ) + trailing--; + trailing[1] = '\0'; + acle->ae_restriction_string = + strdup(acle_restrictions); + } + else { + acle->ae_restriction_string = (char *) NULL; + } + acle->ae_restriction_bad = 0; + acle->ae_restrictions = (restriction_t *) NULL; + } + } } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_parse_line() = %x\n", (long) acle)); + ("X kadm5int_acl_parse_line() = %x\n", (long) acle)); return(acle); } @@ -267,177 +268,177 @@ kadm5int_acl_parse_line(lp) * kadm5int_acl_parse_restrictions() - Parse optional restrictions field * * Allowed restrictions are: - * [+-]flagname (recognized by krb5_string_to_flags) - * flag is forced to indicated value - * -clearpolicy policy is forced clear - * -policy pol policy is forced to be "pol" - * -{expire,pwexpire,maxlife,maxrenewlife} deltat - * associated value will be forced to - * MIN(deltat, requested value) + * [+-]flagname (recognized by krb5_string_to_flags) + * flag is forced to indicated value + * -clearpolicy policy is forced clear + * -policy pol policy is forced to be "pol" + * -{expire,pwexpire,maxlife,maxrenewlife} deltat + * associated value will be forced to + * MIN(deltat, requested value) * * Returns: 0 on success, or system errors */ static krb5_error_code kadm5int_acl_parse_restrictions(s, rpp) - char *s; - restriction_t **rpp; + char *s; + restriction_t **rpp; { - char *sp = NULL, *tp, *ap, *save; - static const char *delims = "\t\n\f\v\r ,"; - krb5_deltat dt; - krb5_flags flag; - krb5_error_code code; + char *sp = NULL, *tp, *ap, *save; + static const char *delims = "\t\n\f\v\r ,"; + krb5_deltat dt; + krb5_flags flag; + krb5_error_code code; - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp)); + DPRINT(DEBUG_CALLS, acl_debug_level, + ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp)); *rpp = (restriction_t *) NULL; code = 0; if (s) { - if (!(sp = strdup(s)) /* Don't munge the original */ - || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) { - code = ENOMEM; - } else { - memset(*rpp, 0, sizeof(**rpp)); - for (tp = strtok_r(sp, delims, &save); tp; - tp = strtok_r(NULL, delims, &save)) { - flag = 0; - if (!krb5_string_to_flags(tp, "+", "-", &flag)) { - /* OK, but was it in the positive or negative sense? */ - if (flag) { - (*rpp)->require_attrs |= flag; - } else { - flag = ~0; - (void) krb5_string_to_flags(tp, "+", "-", &flag); - (*rpp)->forbid_attrs |= ~flag; - } - (*rpp)->mask |= KADM5_ATTRIBUTES; - } else if (!strcmp(tp, "-clearpolicy")) { - (*rpp)->mask |= KADM5_POLICY_CLR; - } else { - /* everything else needs an argument ... */ - if (!(ap = strtok_r(NULL, delims, &save))) { - code = EINVAL; - break; - } - if (!strcmp(tp, "-policy")) { - if (!((*rpp)->policy = strdup(ap))) { - code = ENOMEM; - break; - } - (*rpp)->mask |= KADM5_POLICY; - } else { - /* all other arguments must be a deltat ... */ - if (krb5_string_to_deltat(ap, &dt)) { - code = EINVAL; - break; - } - if (!strcmp(tp, "-expire")) { - (*rpp)->princ_lifetime = dt; - (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME; - } else if (!strcmp(tp, "-pwexpire")) { - (*rpp)->pw_lifetime = dt; - (*rpp)->mask |= KADM5_PW_EXPIRATION; - } else if (!strcmp(tp, "-maxlife")) { - (*rpp)->max_life = dt; - (*rpp)->mask |= KADM5_MAX_LIFE; - } else if (!strcmp(tp, "-maxrenewlife")) { - (*rpp)->max_renewable_life = dt; - (*rpp)->mask |= KADM5_MAX_RLIFE; - } else { - code = EINVAL; - break; - } - } - } - } - } + if (!(sp = strdup(s)) /* Don't munge the original */ + || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) { + code = ENOMEM; + } else { + memset(*rpp, 0, sizeof(**rpp)); + for (tp = strtok_r(sp, delims, &save); tp; + tp = strtok_r(NULL, delims, &save)) { + flag = 0; + if (!krb5_string_to_flags(tp, "+", "-", &flag)) { + /* OK, but was it in the positive or negative sense? */ + if (flag) { + (*rpp)->require_attrs |= flag; + } else { + flag = ~0; + (void) krb5_string_to_flags(tp, "+", "-", &flag); + (*rpp)->forbid_attrs |= ~flag; + } + (*rpp)->mask |= KADM5_ATTRIBUTES; + } else if (!strcmp(tp, "-clearpolicy")) { + (*rpp)->mask |= KADM5_POLICY_CLR; + } else { + /* everything else needs an argument ... */ + if (!(ap = strtok_r(NULL, delims, &save))) { + code = EINVAL; + break; + } + if (!strcmp(tp, "-policy")) { + if (!((*rpp)->policy = strdup(ap))) { + code = ENOMEM; + break; + } + (*rpp)->mask |= KADM5_POLICY; + } else { + /* all other arguments must be a deltat ... */ + if (krb5_string_to_deltat(ap, &dt)) { + code = EINVAL; + break; + } + if (!strcmp(tp, "-expire")) { + (*rpp)->princ_lifetime = dt; + (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME; + } else if (!strcmp(tp, "-pwexpire")) { + (*rpp)->pw_lifetime = dt; + (*rpp)->mask |= KADM5_PW_EXPIRATION; + } else if (!strcmp(tp, "-maxlife")) { + (*rpp)->max_life = dt; + (*rpp)->mask |= KADM5_MAX_LIFE; + } else if (!strcmp(tp, "-maxrenewlife")) { + (*rpp)->max_renewable_life = dt; + (*rpp)->mask |= KADM5_MAX_RLIFE; + } else { + code = EINVAL; + break; + } + } + } + } + } } if (sp) - free(sp); + free(sp); if (*rpp && code) { - if ((*rpp)->policy) - free((*rpp)->policy); - free(*rpp); - *rpp = (restriction_t *) NULL; + if ((*rpp)->policy) + free((*rpp)->policy); + free(*rpp); + *rpp = (restriction_t *) NULL; } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n", - code, (*rpp) ? (*rpp)->mask : 0)); + ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n", + code, (*rpp) ? (*rpp)->mask : 0)); return code; } /* - * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp + * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp * * Returns: 0 on success; - * malloc or timeofday errors + * malloc or timeofday errors */ krb5_error_code kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) - krb5_context kcontext; - kadm5_principal_ent_rec *recp; - long *maskp; - restriction_t *rp; + krb5_context kcontext; + kadm5_principal_ent_rec *recp; + long *maskp; + restriction_t *rp; { - krb5_error_code code; - krb5_int32 now; + krb5_error_code code; + krb5_int32 now; DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n", - *maskp, (long)rp)); + ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n", + *maskp, (long)rp)); if (!rp) - return 0; + return 0; if (rp->mask & (KADM5_PRINC_EXPIRE_TIME|KADM5_PW_EXPIRATION)) - if ((code = krb5_timeofday(kcontext, &now))) - return code; + if ((code = krb5_timeofday(kcontext, &now))) + return code; if (rp->mask & KADM5_ATTRIBUTES) { - recp->attributes |= rp->require_attrs; - recp->attributes &= ~(rp->forbid_attrs); - *maskp |= KADM5_ATTRIBUTES; + recp->attributes |= rp->require_attrs; + recp->attributes &= ~(rp->forbid_attrs); + *maskp |= KADM5_ATTRIBUTES; } if (rp->mask & KADM5_POLICY_CLR) { - *maskp &= ~KADM5_POLICY; - *maskp |= KADM5_POLICY_CLR; + *maskp &= ~KADM5_POLICY; + *maskp |= KADM5_POLICY_CLR; } else if (rp->mask & KADM5_POLICY) { - if (recp->policy && strcmp(recp->policy, rp->policy)) { - free(recp->policy); - recp->policy = (char *) NULL; - } - if (!recp->policy) { - recp->policy = strdup(rp->policy); /* XDR will free it */ - if (!recp->policy) - return ENOMEM; - } - *maskp |= KADM5_POLICY; + if (recp->policy && strcmp(recp->policy, rp->policy)) { + free(recp->policy); + recp->policy = (char *) NULL; + } + if (!recp->policy) { + recp->policy = strdup(rp->policy); /* XDR will free it */ + if (!recp->policy) + return ENOMEM; + } + *maskp |= KADM5_POLICY; } if (rp->mask & KADM5_PRINC_EXPIRE_TIME) { - if (!(*maskp & KADM5_PRINC_EXPIRE_TIME) - || (recp->princ_expire_time > (now + rp->princ_lifetime))) - recp->princ_expire_time = now + rp->princ_lifetime; - *maskp |= KADM5_PRINC_EXPIRE_TIME; + if (!(*maskp & KADM5_PRINC_EXPIRE_TIME) + || (recp->princ_expire_time > (now + rp->princ_lifetime))) + recp->princ_expire_time = now + rp->princ_lifetime; + *maskp |= KADM5_PRINC_EXPIRE_TIME; } if (rp->mask & KADM5_PW_EXPIRATION) { - if (!(*maskp & KADM5_PW_EXPIRATION) - || (recp->pw_expiration > (now + rp->pw_lifetime))) - recp->pw_expiration = now + rp->pw_lifetime; - *maskp |= KADM5_PW_EXPIRATION; + if (!(*maskp & KADM5_PW_EXPIRATION) + || (recp->pw_expiration > (now + rp->pw_lifetime))) + recp->pw_expiration = now + rp->pw_lifetime; + *maskp |= KADM5_PW_EXPIRATION; } if (rp->mask & KADM5_MAX_LIFE) { - if (!(*maskp & KADM5_MAX_LIFE) - || (recp->max_life > rp->max_life)) - recp->max_life = rp->max_life; - *maskp |= KADM5_MAX_LIFE; + if (!(*maskp & KADM5_MAX_LIFE) + || (recp->max_life > rp->max_life)) + recp->max_life = rp->max_life; + *maskp |= KADM5_MAX_LIFE; } if (rp->mask & KADM5_MAX_RLIFE) { - if (!(*maskp & KADM5_MAX_RLIFE) - || (recp->max_renewable_life > rp->max_renewable_life)) - recp->max_renewable_life = rp->max_renewable_life; - *maskp |= KADM5_MAX_RLIFE; + if (!(*maskp & KADM5_MAX_RLIFE) + || (recp->max_renewable_life > rp->max_renewable_life)) + recp->max_renewable_life = rp->max_renewable_life; + *maskp |= KADM5_MAX_RLIFE; } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp)); + ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp)); return 0; } @@ -447,28 +448,28 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) static void kadm5int_acl_free_entries() { - aent_t *ap; - aent_t *np; + aent_t *ap; + aent_t *np; DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n")); for (ap=acl_list_head; ap; ap = np) { - if (ap->ae_name) - free(ap->ae_name); - if (ap->ae_principal) - krb5_free_principal((krb5_context) NULL, ap->ae_principal); - if (ap->ae_target) - free(ap->ae_target); - if (ap->ae_target_princ) - krb5_free_principal((krb5_context) NULL, ap->ae_target_princ); - if (ap->ae_restriction_string) - free(ap->ae_restriction_string); - if (ap->ae_restrictions) { - if (ap->ae_restrictions->policy) - free(ap->ae_restrictions->policy); - free(ap->ae_restrictions); - } - np = ap->ae_next; - free(ap); + if (ap->ae_name) + free(ap->ae_name); + if (ap->ae_principal) + krb5_free_principal((krb5_context) NULL, ap->ae_principal); + if (ap->ae_target) + free(ap->ae_target); + if (ap->ae_target_princ) + krb5_free_principal((krb5_context) NULL, ap->ae_target_princ); + if (ap->ae_restriction_string) + free(ap->ae_restriction_string); + if (ap->ae_restrictions) { + if (ap->ae_restrictions->policy) + free(ap->ae_restrictions->policy); + free(ap->ae_restrictions); + } + np = ap->ae_next; + free(ap); } acl_list_head = acl_list_tail = (aent_t *) NULL; acl_inited = 0; @@ -476,250 +477,250 @@ kadm5int_acl_free_entries() } /* - * kadm5int_acl_load_acl_file() - Open and parse the ACL file. + * kadm5int_acl_load_acl_file() - Open and parse the ACL file. */ static int kadm5int_acl_load_acl_file() { - FILE *afp; - char *alinep; - aent_t **aentpp; - int alineno; - int retval = 1; + FILE *afp; + char *alinep; + aent_t **aentpp; + int alineno; + int retval = 1; DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n")); /* Open the ACL file for read */ afp = fopen(acl_acl_file, "r"); if (afp) { - set_cloexec_file(afp); - alineno = 1; - aentpp = &acl_list_head; - - /* Get a non-comment line */ - while ((alinep = kadm5int_acl_get_line(afp, &alineno))) { - /* Parse it */ - *aentpp = kadm5int_acl_parse_line(alinep); - /* If syntax error, then fall out */ - if (!*aentpp) { - krb5_klog_syslog(LOG_ERR, acl_syn_err_msg, - acl_acl_file, alineno, alinep); - retval = 0; - break; - } - acl_list_tail = *aentpp; - aentpp = &(*aentpp)->ae_next; - } - - fclose(afp); - - if (acl_catchall_entry) { - *aentpp = kadm5int_acl_parse_line(acl_catchall_entry); - if (*aentpp) { - acl_list_tail = *aentpp; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } - } + set_cloexec_file(afp); + alineno = 1; + aentpp = &acl_list_head; + + /* Get a non-comment line */ + while ((alinep = kadm5int_acl_get_line(afp, &alineno))) { + /* Parse it */ + *aentpp = kadm5int_acl_parse_line(alinep); + /* If syntax error, then fall out */ + if (!*aentpp) { + krb5_klog_syslog(LOG_ERR, acl_syn_err_msg, + acl_acl_file, alineno, alinep); + retval = 0; + break; + } + acl_list_tail = *aentpp; + aentpp = &(*aentpp)->ae_next; + } + + fclose(afp); + + if (acl_catchall_entry) { + *aentpp = kadm5int_acl_parse_line(acl_catchall_entry); + if (*aentpp) { + acl_list_tail = *aentpp; + } + else { + retval = 0; + DPRINT(DEBUG_OPERATION, acl_debug_level, + ("> catchall acl entry (%s) load failed\n", + acl_catchall_entry)); + } + } } else { - krb5_klog_syslog(LOG_ERR, acl_cantopen_msg, - error_message(errno), acl_acl_file); - if (acl_catchall_entry && - (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) { - acl_list_tail = acl_list_head; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } + krb5_klog_syslog(LOG_ERR, acl_cantopen_msg, + error_message(errno), acl_acl_file); + if (acl_catchall_entry && + (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) { + acl_list_tail = acl_list_head; + } + else { + retval = 0; + DPRINT(DEBUG_OPERATION, acl_debug_level, + ("> catchall acl entry (%s) load failed\n", + acl_catchall_entry)); + } } if (!retval) { - kadm5int_acl_free_entries(); + kadm5int_acl_free_entries(); } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_load_acl_file() = %d\n", retval)); + ("X kadm5int_acl_load_acl_file() = %d\n", retval)); return(retval); } /* - * kadm5int_acl_match_data() - See if two data entries match. + * kadm5int_acl_match_data() - See if two data entries match. * * Wildcarding is only supported for a whole component. */ static krb5_boolean kadm5int_acl_match_data(e1, e2, targetflag, ws) - krb5_data *e1, *e2; - int targetflag; - wildstate_t *ws; + krb5_data *e1, *e2; + int targetflag; + wildstate_t *ws; { - krb5_boolean retval; + krb5_boolean retval; - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_match_entry(%s, %s)\n", e1->data, e2->data)); + DPRINT(DEBUG_CALLS, acl_debug_level, + ("* acl_match_entry(%s, %s)\n", e1->data, e2->data)); retval = 0; if (!strncmp(e1->data, "*", e1->length)) { - retval = 1; - if (ws && !targetflag) { - if (ws->nwild >= 9) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many wildcards in ACL entry %s\n", entry->ae_name)); - } - else - ws->backref[ws->nwild++] = e2; - } + retval = 1; + if (ws && !targetflag) { + if (ws->nwild >= 9) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Too many wildcards in ACL entry %s\n", entry->ae_name)); + } + else + ws->backref[ws->nwild++] = e2; + } } else if (ws && targetflag && (e1->length == 2) && (e1->data[0] == '*') && - (e1->data[1] >= '1') && (e1->data[1] <= '9')) { - int n = e1->data[1] - '1'; - if (n >= ws->nwild) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many backrefs in ACL entry %s\n", entry->ae_name)); - } - else if ((ws->backref[n]->length == e2->length) && - (!strncmp(ws->backref[n]->data, e2->data, e2->length))) - retval = 1; - + (e1->data[1] >= '1') && (e1->data[1] <= '9')) { + int n = e1->data[1] - '1'; + if (n >= ws->nwild) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Too many backrefs in ACL entry %s\n", entry->ae_name)); + } + else if ((ws->backref[n]->length == e2->length) && + (!strncmp(ws->backref[n]->data, e2->data, e2->length))) + retval = 1; + } else { - if ((e1->length == e2->length) && - (!strncmp(e1->data, e2->data, e1->length))) - retval = 1; + if ((e1->length == e2->length) && + (!strncmp(e1->data, e2->data, e1->length))) + retval = 1; } DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval)); return(retval); } /* - * kadm5int_acl_find_entry() - Find a matching entry. + * kadm5int_acl_find_entry() - Find a matching entry. */ static aent_t * kadm5int_acl_find_entry(kcontext, principal, dest_princ) - krb5_context kcontext; - krb5_principal principal; - krb5_principal dest_princ; + krb5_context kcontext; + krb5_principal principal; + krb5_principal dest_princ; { - aent_t *entry; - krb5_error_code kret; - int i; - int matchgood; - wildstate_t state; + aent_t *entry; + krb5_error_code kret; + int i; + int matchgood; + wildstate_t state; DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n")); memset(&state, 0, sizeof state); for (entry=acl_list_head; entry; entry = entry->ae_next) { - if (entry->ae_name_bad) - continue; - if (!strcmp(entry->ae_name, "*")) { - DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n")); - matchgood = 1; - } - else { - if (!entry->ae_principal && !entry->ae_name_bad) { - kret = krb5_parse_name(kcontext, - entry->ae_name, - &entry->ae_principal); - if (kret) - entry->ae_name_bad = 1; - } - if (entry->ae_name_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad ACL entry %s\n", entry->ae_name)); - continue; - } - matchgood = 0; - if (kadm5int_acl_match_data(&entry->ae_principal->realm, - &principal->realm, 0, (wildstate_t *)0) && - (entry->ae_principal->length == principal->length)) { - matchgood = 1; - for (i=0; ilength; i++) { - if (!kadm5int_acl_match_data(&entry->ae_principal->data[i], - &principal->data[i], 0, &state)) { - matchgood = 0; - break; - } - } - } - } - if (!matchgood) - continue; - - /* We've matched the principal. If we have a target, then try it */ - if (entry->ae_target && strcmp(entry->ae_target, "*")) { - if (!entry->ae_target_princ && !entry->ae_target_bad) { - kret = krb5_parse_name(kcontext, entry->ae_target, - &entry->ae_target_princ); - if (kret) - entry->ae_target_bad = 1; - } - if (entry->ae_target_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad target in ACL entry for %s\n", entry->ae_name)); - entry->ae_name_bad = 1; - continue; - } - if (!dest_princ) - matchgood = 0; - else if (entry->ae_target_princ && dest_princ) { - if (kadm5int_acl_match_data(&entry->ae_target_princ->realm, - &dest_princ->realm, 1, (wildstate_t *)0) && - (entry->ae_target_princ->length == dest_princ->length)) { - for (i=0; ilength; i++) { - if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i], - &dest_princ->data[i], 1, &state)) { - matchgood = 0; - break; - } - } - } - else - matchgood = 0; - } + if (entry->ae_name_bad) + continue; + if (!strcmp(entry->ae_name, "*")) { + DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n")); + matchgood = 1; } - if (!matchgood) - continue; - - if (entry->ae_restriction_string - && !entry->ae_restriction_bad - && !entry->ae_restrictions - && kadm5int_acl_parse_restrictions(entry->ae_restriction_string, - &entry->ae_restrictions)) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad restrictions in ACL entry for %s\n", entry->ae_name)); - entry->ae_restriction_bad = 1; - } - if (entry->ae_restriction_bad) { - entry->ae_name_bad = 1; - continue; - } - break; + else { + if (!entry->ae_principal && !entry->ae_name_bad) { + kret = krb5_parse_name(kcontext, + entry->ae_name, + &entry->ae_principal); + if (kret) + entry->ae_name_bad = 1; + } + if (entry->ae_name_bad) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Bad ACL entry %s\n", entry->ae_name)); + continue; + } + matchgood = 0; + if (kadm5int_acl_match_data(&entry->ae_principal->realm, + &principal->realm, 0, (wildstate_t *)0) && + (entry->ae_principal->length == principal->length)) { + matchgood = 1; + for (i=0; ilength; i++) { + if (!kadm5int_acl_match_data(&entry->ae_principal->data[i], + &principal->data[i], 0, &state)) { + matchgood = 0; + break; + } + } + } + } + if (!matchgood) + continue; + + /* We've matched the principal. If we have a target, then try it */ + if (entry->ae_target && strcmp(entry->ae_target, "*")) { + if (!entry->ae_target_princ && !entry->ae_target_bad) { + kret = krb5_parse_name(kcontext, entry->ae_target, + &entry->ae_target_princ); + if (kret) + entry->ae_target_bad = 1; + } + if (entry->ae_target_bad) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Bad target in ACL entry for %s\n", entry->ae_name)); + entry->ae_name_bad = 1; + continue; + } + if (!dest_princ) + matchgood = 0; + else if (entry->ae_target_princ && dest_princ) { + if (kadm5int_acl_match_data(&entry->ae_target_princ->realm, + &dest_princ->realm, 1, (wildstate_t *)0) && + (entry->ae_target_princ->length == dest_princ->length)) { + for (i=0; ilength; i++) { + if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i], + &dest_princ->data[i], 1, &state)) { + matchgood = 0; + break; + } + } + } + else + matchgood = 0; + } + } + if (!matchgood) + continue; + + if (entry->ae_restriction_string + && !entry->ae_restriction_bad + && !entry->ae_restrictions + && kadm5int_acl_parse_restrictions(entry->ae_restriction_string, + &entry->ae_restrictions)) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Bad restrictions in ACL entry for %s\n", entry->ae_name)); + entry->ae_restriction_bad = 1; + } + if (entry->ae_restriction_bad) { + entry->ae_name_bad = 1; + continue; + } + break; } DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry)); return(entry); } /* - * kadm5int_acl_init() - Initialize ACL context. + * kadm5int_acl_init() - Initialize ACL context. */ krb5_error_code kadm5int_acl_init(kcontext, debug_level, acl_file) - krb5_context kcontext; - int debug_level; - char *acl_file; + krb5_context kcontext; + int debug_level; + char *acl_file; { - krb5_error_code kret; + krb5_error_code kret; kret = 0; acl_debug_level = debug_level; DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_init(afile=%s)\n", - ((acl_file) ? acl_file : "(null)"))); + ("* kadm5int_acl_init(afile=%s)\n", + ((acl_file) ? acl_file : "(null)"))); acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL; acl_inited = kadm5int_acl_load_acl_file(); @@ -728,12 +729,12 @@ kadm5int_acl_init(kcontext, debug_level, acl_file) } /* - * kadm5int_acl_finish - Terminate ACL context. + * kadm5int_acl_finish - Terminate ACL context. */ void kadm5int_acl_finish(kcontext, debug_level) - krb5_context kcontext; - int debug_level; + krb5_context kcontext; + int debug_level; { DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n")); kadm5int_acl_free_entries(); @@ -741,18 +742,18 @@ kadm5int_acl_finish(kcontext, debug_level) } /* - * kadm5int_acl_check_krb() - Is this operation permitted for this principal? + * kadm5int_acl_check_krb() - Is this operation permitted for this principal? */ krb5_boolean kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions) - krb5_context kcontext; + krb5_context kcontext; krb5_const_principal caller_princ; - krb5_int32 opmask; + krb5_int32 opmask; krb5_const_principal principal; - restriction_t **restrictions; + restriction_t **restrictions; { - krb5_boolean retval; - aent_t *aentry; + krb5_boolean retval; + aent_t *aentry; DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n")); @@ -760,59 +761,59 @@ kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions) aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal); if (aentry) { - if ((aentry->ae_op_allowed & opmask) == opmask) { - retval = TRUE; - if (restrictions) { - *restrictions = - (aentry->ae_restrictions && aentry->ae_restrictions->mask) - ? aentry->ae_restrictions - : (restriction_t *) NULL; - } - } + if ((aentry->ae_op_allowed & opmask) == opmask) { + retval = TRUE; + if (restrictions) { + *restrictions = + (aentry->ae_restrictions && aentry->ae_restrictions->mask) + ? aentry->ae_restrictions + : (restriction_t *) NULL; + } + } } DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n", - retval)); + retval)); return retval; } /* - * kadm5int_acl_check() - Is this operation permitted for this principal? - * this code used not to be based on gssapi. In order - * to minimize porting hassles, I've put all the - * gssapi hair in this function. This might not be - * the best medium-term solution. (The best long-term - * solution is, of course, a real authorization service.) + * kadm5int_acl_check() - Is this operation permitted for this principal? + * this code used not to be based on gssapi. In order + * to minimize porting hassles, I've put all the + * gssapi hair in this function. This might not be + * the best medium-term solution. (The best long-term + * solution is, of course, a real authorization service.) */ krb5_boolean kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions) - krb5_context kcontext; - gss_name_t caller; - krb5_int32 opmask; - krb5_principal principal; - restriction_t **restrictions; + krb5_context kcontext; + gss_name_t caller; + krb5_int32 opmask; + krb5_principal principal; + restriction_t **restrictions; { - krb5_boolean retval; - gss_buffer_desc caller_buf; - gss_OID caller_oid; - OM_uint32 emaj, emin; - krb5_error_code code; - krb5_principal caller_princ; + krb5_boolean retval; + gss_buffer_desc caller_buf; + gss_OID caller_oid; + OM_uint32 emaj, emin; + krb5_error_code code; + krb5_principal caller_princ; if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf, - &caller_oid))) - return FALSE; + &caller_oid))) + return FALSE; code = krb5_parse_name(kcontext, (char *) caller_buf.value, - &caller_princ); + &caller_princ); gss_release_buffer(&emin, &caller_buf); if (code != 0) - return FALSE; + return FALSE; retval = kadm5int_acl_check_krb(kcontext, caller_princ, - opmask, principal, restrictions); + opmask, principal, restrictions); krb5_free_principal(kcontext, caller_princ); @@ -822,13 +823,13 @@ kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions) kadm5_ret_t kadm5_get_privs(void *server_handle, long *privs) { - CHECK_HANDLE(server_handle); + CHECK_HANDLE(server_handle); - /* this is impossible to do with the current interface. For now, - return all privs, which will confuse some clients, but not - deny any access to users of "smart" clients which try to cache */ + /* this is impossible to do with the current interface. For now, + return all privs, which will confuse some clients, but not + deny any access to users of "smart" clients which try to cache */ - *privs = ~0; + *privs = ~0; - return KADM5_OK; + return KADM5_OK; } diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h index c4c478993..b76fbb52a 100644 --- a/src/lib/kadm5/srv/server_acl.h +++ b/src/lib/kadm5/srv/server_acl.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kadm5/srv/server_acl.h * @@ -25,85 +26,85 @@ * */ -#ifndef SERVER_ACL_H__ -#define SERVER_ACL_H__ +#ifndef SERVER_ACL_H__ +#define SERVER_ACL_H__ /* * Debug definitions. */ -#define DEBUG_SPROC 1 -#define DEBUG_OPERATION 2 -#define DEBUG_HOST 4 -#define DEBUG_REALM 8 -#define DEBUG_REQUESTS 16 -#define DEBUG_ACL 32 -#define DEBUG_PROTO 64 -#define DEBUG_CALLS 128 -#define DEBUG_NOSLAVES 256 -#ifdef DEBUG -#define DPRINT(l1, cl, al) if ((cl & l1) != 0) xprintf al -#else /* DEBUG */ -#define DPRINT(l1, cl, al) -#endif /* DEBUG */ +#define DEBUG_SPROC 1 +#define DEBUG_OPERATION 2 +#define DEBUG_HOST 4 +#define DEBUG_REALM 8 +#define DEBUG_REQUESTS 16 +#define DEBUG_ACL 32 +#define DEBUG_PROTO 64 +#define DEBUG_CALLS 128 +#define DEBUG_NOSLAVES 256 +#ifdef DEBUG +#define DPRINT(l1, cl, al) if ((cl & l1) != 0) xprintf al +#else /* DEBUG */ +#define DPRINT(l1, cl, al) +#endif /* DEBUG */ /* * Access control bits. */ -#define ACL_ADD 1 -#define ACL_DELETE 2 -#define ACL_MODIFY 4 -#define ACL_CHANGEPW 8 -/* #define ACL_CHANGE_OWN_PW 16 */ -#define ACL_INQUIRE 32 -/* #define ACL_EXTRACT 64 */ -#define ACL_LIST 128 -#define ACL_SETKEY 256 -#define ACL_IPROP 512 -#define ACL_RENAME (ACL_ADD+ACL_DELETE) +#define ACL_ADD 1 +#define ACL_DELETE 2 +#define ACL_MODIFY 4 +#define ACL_CHANGEPW 8 +/* #define ACL_CHANGE_OWN_PW 16 */ +#define ACL_INQUIRE 32 +/* #define ACL_EXTRACT 64 */ +#define ACL_LIST 128 +#define ACL_SETKEY 256 +#define ACL_IPROP 512 +#define ACL_RENAME (ACL_ADD+ACL_DELETE) -#define ACL_ALL_MASK (ACL_ADD | \ - ACL_DELETE | \ - ACL_MODIFY | \ - ACL_CHANGEPW | \ - ACL_INQUIRE | \ - ACL_LIST | \ - ACL_IPROP | \ - ACL_SETKEY) +#define ACL_ALL_MASK (ACL_ADD | \ + ACL_DELETE | \ + ACL_MODIFY | \ + ACL_CHANGEPW | \ + ACL_INQUIRE | \ + ACL_LIST | \ + ACL_IPROP | \ + ACL_SETKEY) typedef struct _restriction { - long mask; - krb5_flags require_attrs; - krb5_flags forbid_attrs; - krb5_deltat princ_lifetime; - krb5_deltat pw_lifetime; - krb5_deltat max_life; - krb5_deltat max_renewable_life; - long aux_attributes; - char *policy; + long mask; + krb5_flags require_attrs; + krb5_flags forbid_attrs; + krb5_deltat princ_lifetime; + krb5_deltat pw_lifetime; + krb5_deltat max_life; + krb5_deltat max_renewable_life; + long aux_attributes; + char *policy; } restriction_t; krb5_error_code kadm5int_acl_init - (krb5_context, - int, - char *); +(krb5_context, + int, + char *); void kadm5int_acl_finish - (krb5_context, - int); +(krb5_context, + int); krb5_boolean kadm5int_acl_check - (krb5_context, - gss_name_t, - krb5_int32, - krb5_principal, - restriction_t **); +(krb5_context, + gss_name_t, + krb5_int32, + krb5_principal, + restriction_t **); krb5_boolean kadm5int_acl_check_krb - (krb5_context, - krb5_const_principal, - krb5_int32, - krb5_const_principal, - restriction_t **); +(krb5_context, + krb5_const_principal, + krb5_int32, + krb5_const_principal, + restriction_t **); krb5_error_code kadm5int_acl_impose_restrictions - (krb5_context, - kadm5_principal_ent_rec *, - long *, - restriction_t *); -#endif /* SERVER_ACL_H__ */ +(krb5_context, + kadm5_principal_ent_rec *, + long *, + restriction_t *); +#endif /* SERVER_ACL_H__ */ diff --git a/src/lib/kadm5/srv/server_dict.c b/src/lib/kadm5/srv/server_dict.c index 8129994f3..81cc5f997 100644 --- a/src/lib/kadm5/srv/server_dict.c +++ b/src/lib/kadm5/srv/server_dict.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -26,24 +27,24 @@ static char *rcsid = "$Header$"; #include "server_internal.h" #include "k5-platform.h" -static char **word_list = NULL; /* list of word pointers */ -static char *word_block = NULL; /* actual word data */ -static unsigned int word_count = 0; /* number of words */ +static char **word_list = NULL; /* list of word pointers */ +static char *word_block = NULL; /* actual word data */ +static unsigned int word_count = 0; /* number of words */ /* * Function: word_compare - * + * * Purpose: compare two words in the dictionary. * * Arguments: - * w1 (input) pointer to first word - * w2 (input) pointer to second word - * result of strcmp + * w1 (input) pointer to first word + * w2 (input) pointer to second word + * result of strcmp * * Requires: - * w1 and w2 to point to valid memory - * + * w1 and w2 to point to valid memory + * */ static int @@ -54,81 +55,81 @@ word_compare(const void *s1, const void *s2) /* * Function: init-dict - * + * * Purpose: Initialize in memory word dictionary * * Arguments: - * none - * KADM5_OK on success errno on failure; - * (but success on ENOENT) + * none + * KADM5_OK on success errno on failure; + * (but success on ENOENT) * * Requires: - * If WORDFILE exists, it must contain a list of words, - * one word per-line. - * + * If WORDFILE exists, it must contain a list of words, + * one word per-line. + * * Effects: - * If WORDFILE exists, it is read into memory sorted for future + * If WORDFILE exists, it is read into memory sorted for future * use. If it does not exist, it syslogs an error message and returns * success. * * Modifies: - * word_list to point to a chunck of allocated memory containing - * pointers to words - * word_block to contain the dictionary. - * + * word_list to point to a chunck of allocated memory containing + * pointers to words + * word_block to contain the dictionary. + * */ int init_dict(kadm5_config_params *params) { - int fd, - len, - i; - char *p, - *t; + int fd, + len, + i; + char *p, + *t; struct stat sb; - + if(word_list != NULL && word_block != NULL) - return KADM5_OK; + return KADM5_OK; if (! (params->mask & KADM5_CONFIG_DICT_FILE)) { - krb5_klog_syslog(LOG_INFO, "No dictionary file specified, continuing " - "without one."); - return KADM5_OK; + krb5_klog_syslog(LOG_INFO, "No dictionary file specified, continuing " + "without one."); + return KADM5_OK; } if ((fd = open(params->dict_file, O_RDONLY)) == -1) { - if (errno == ENOENT) { - krb5_klog_syslog(LOG_ERR, - "WARNING! Cannot find dictionary file %s, " - "continuing without one.", params->dict_file); - return KADM5_OK; - } else - return errno; + if (errno == ENOENT) { + krb5_klog_syslog(LOG_ERR, + "WARNING! Cannot find dictionary file %s, " + "continuing without one.", params->dict_file); + return KADM5_OK; + } else + return errno; } set_cloexec_fd(fd); if (fstat(fd, &sb) == -1) { - close(fd); - return errno; + close(fd); + return errno; } if ((word_block = (char *) malloc(sb.st_size + 1)) == NULL) - return ENOMEM; + return ENOMEM; if (read(fd, word_block, sb.st_size) != sb.st_size) - return errno; + return errno; (void) close(fd); word_block[sb.st_size] = '\0'; p = word_block; len = sb.st_size; while(len > 0 && (t = memchr(p, '\n', len)) != NULL) { - *t = '\0'; - len -= t - p + 1; - p = t + 1; - word_count++; + *t = '\0'; + len -= t - p + 1; + p = t + 1; + word_count++; } if ((word_list = (char **) malloc(word_count * sizeof(char *))) == NULL) - return ENOMEM; + return ENOMEM; p = word_block; for (i = 0; i < word_count; i++) { - word_list[i] = p; - p += strlen(p) + 1; + word_list[i] = p; + p += strlen(p) + 1; } qsort(word_list, word_count, sizeof(char *), word_compare); return KADM5_OK; @@ -136,25 +137,25 @@ int init_dict(kadm5_config_params *params) /* * Function: find_word - * + * * Purpose: See if the specified word exists in the in-core dictionary * * Arguments: - * word (input) word to search for. - * WORD_NOT_FOUND if not in dictionary, - * KADM5_OK if if found word - * errno if init needs to be called and returns an - * error + * word (input) word to search for. + * WORD_NOT_FOUND if not in dictionary, + * KADM5_OK if if found word + * errno if init needs to be called and returns an + * error * * Requires: - * word to be a null terminated string. - * That word_list and word_block besetup - * + * word to be a null terminated string. + * That word_list and word_block besetup + * * Effects: - * finds word in dictionary. + * finds word in dictionary. * Modifies: - * nothing. - * + * nothing. + * */ int @@ -162,46 +163,46 @@ find_word(const char *word) { char **value; - if(word_list == NULL || word_block == NULL) - return WORD_NOT_FOUND; + if(word_list == NULL || word_block == NULL) + return WORD_NOT_FOUND; if ((value = (char **) bsearch(&word, word_list, word_count, sizeof(char *), - word_compare)) == NULL) - return WORD_NOT_FOUND; + word_compare)) == NULL) + return WORD_NOT_FOUND; else - return KADM5_OK; + return KADM5_OK; } /* * Function: destroy_dict - * + * * Purpose: destroy in-core copy of dictionary. * * Arguments: - * none - * none + * none + * none * Requires: - * nothing + * nothing * Effects: - * frees up memory occupied by word_list and word_block - * sets count back to 0, and resets the pointers to NULL + * frees up memory occupied by word_list and word_block + * sets count back to 0, and resets the pointers to NULL * * Modifies: - * word_list, word_block, and word_count. - * + * word_list, word_block, and word_count. + * */ void destroy_dict(void) { if(word_list) { - free(word_list); - word_list = NULL; + free(word_list); + word_list = NULL; } if(word_block) { - free(word_block); - word_block = NULL; + free(word_block); + word_block = NULL; } if(word_count) - word_count = 0; + word_count = 0; return; } diff --git a/src/lib/kadm5/srv/server_handle.c b/src/lib/kadm5/srv/server_handle.c index 53abe94dd..37425c8ba 100644 --- a/src/lib/kadm5/srv/server_handle.c +++ b/src/lib/kadm5/srv/server_handle.c @@ -1,9 +1,10 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include "server_internal.h" int _kadm5_check_handle(void *handle) { - CHECK_HANDLE(handle); - return 0; + CHECK_HANDLE(handle); + return 0; } diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c index d5426f810..ed71cbf96 100644 --- a/src/lib/kadm5/srv/server_init.c +++ b/src/lib/kadm5/srv/server_init.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * @@ -17,7 +18,7 @@ static char *rcsid = "$Header$"; #include #include #include -#include "k5-int.h" /* needed for gssapiP_krb5.h */ +#include "k5-int.h" /* needed for gssapiP_krb5.h */ #include #include #include @@ -33,13 +34,13 @@ static char *rcsid = "$Header$"; * * Arguments: * - * handle The server handle. + * handle The server handle. */ static int check_handle(void *handle) { - CHECK_HANDLE(handle); - return 0; + CHECK_HANDLE(handle); + return 0; } static int dup_db_args(kadm5_server_handle_t handle, char **db_args) @@ -49,30 +50,30 @@ static int dup_db_args(kadm5_server_handle_t handle, char **db_args) for (count=0; db_args && db_args[count]; count++); if (count == 0) { - handle->db_args = NULL; - goto clean_n_exit; + handle->db_args = NULL; + goto clean_n_exit; } handle->db_args = calloc(sizeof(char*), count+1); if (handle->db_args == NULL) { - ret=ENOMEM; - goto clean_n_exit; + ret=ENOMEM; + goto clean_n_exit; } for (count=0; db_args[count]; count++) { - handle->db_args[count] = strdup(db_args[count]); - if (handle->db_args[count] == NULL) { - ret = ENOMEM; - goto clean_n_exit; - } + handle->db_args[count] = strdup(db_args[count]); + if (handle->db_args[count] == NULL) { + ret = ENOMEM; + goto clean_n_exit; + } } - clean_n_exit: +clean_n_exit: if (ret && handle->db_args) { - for (count=0; handle->db_args[count]; count++) - free(handle->db_args[count]); + for (count=0; handle->db_args[count]; count++) + free(handle->db_args[count]); - free(handle->db_args), handle->db_args = NULL; + free(handle->db_args), handle->db_args = NULL; } return ret; @@ -83,97 +84,97 @@ static void free_db_args(kadm5_server_handle_t handle) int count; if (handle->db_args) { - for (count=0; handle->db_args[count]; count++) - free(handle->db_args[count]); + for (count=0; handle->db_args[count]; count++) + free(handle->db_args[count]); - free(handle->db_args), handle->db_args = NULL; + free(handle->db_args), handle->db_args = NULL; } } kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name, - char *pass, char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *pass, char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { return kadm5_init(context, client_name, pass, service_name, params, - struct_version, api_version, db_args, - server_handle); + struct_version, api_version, db_args, + server_handle); } kadm5_ret_t kadm5_init_with_creds(krb5_context context, - char *client_name, - krb5_ccache ccache, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *client_name, + krb5_ccache ccache, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - /* - * A program calling init_with_creds *never* expects to prompt - * the user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is - * non-zero, return an error. - */ - if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && - params->mkey_from_kbd) - return KADM5_BAD_SERVER_PARAMS; - return kadm5_init(context, client_name, NULL, service_name, params, - struct_version, api_version, db_args, - server_handle); + /* + * A program calling init_with_creds *never* expects to prompt + * the user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is + * non-zero, return an error. + */ + if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && + params->mkey_from_kbd) + return KADM5_BAD_SERVER_PARAMS; + return kadm5_init(context, client_name, NULL, service_name, params, + struct_version, api_version, db_args, + server_handle); } kadm5_ret_t kadm5_init_with_skey(krb5_context context, char *client_name, - char *keytab, char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *keytab, char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - /* - * A program calling init_with_skey *never* expects to prompt the - * user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is - * non-zero, return an error. - */ - if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && - params->mkey_from_kbd) - return KADM5_BAD_SERVER_PARAMS; - return kadm5_init(context, client_name, NULL, service_name, params, - struct_version, api_version, db_args, - server_handle); + /* + * A program calling init_with_skey *never* expects to prompt the + * user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is + * non-zero, return an error. + */ + if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && + params->mkey_from_kbd) + return KADM5_BAD_SERVER_PARAMS; + return kadm5_init(context, client_name, NULL, service_name, params, + struct_version, api_version, db_args, + server_handle); } kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, - char *service_name, - kadm5_config_params *params_in, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - char **db_args, - void **server_handle) + char *service_name, + kadm5_config_params *params_in, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) { - int ret; - kadm5_server_handle_t handle; - kadm5_config_params params_local; /* for v1 compat */ + int ret; + kadm5_server_handle_t handle; + kadm5_config_params params_local; /* for v1 compat */ if (! server_handle) - return EINVAL; + return EINVAL; if (! client_name) - return EINVAL; + return EINVAL; if (! (handle = (kadm5_server_handle_t) malloc(sizeof *handle))) - return ENOMEM; + return ENOMEM; memset(handle, 0, sizeof(*handle)); ret = dup_db_args(handle, db_args); if (ret) { - free(handle); - return ret; + free(handle); + return ret; } handle->context = context; @@ -186,91 +187,91 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, handle->struct_version = struct_version; handle->api_version = api_version; - /* - * Verify the version numbers before proceeding; we can't use - * CHECK_HANDLE because not all fields are set yet. - */ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, - KADM5_NEW_SERVER_API_VERSION); + /* + * Verify the version numbers before proceeding; we can't use + * CHECK_HANDLE because not all fields are set yet. + */ + GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, + KADM5_NEW_SERVER_API_VERSION); - /* - * Acquire relevant profile entries. Merge values - * in params_in with values from profile, based on - * params_in->mask. - */ - memset(¶ms_local, 0, sizeof(params_local)); + /* + * Acquire relevant profile entries. Merge values + * in params_in with values from profile, based on + * params_in->mask. + */ + memset(¶ms_local, 0, sizeof(params_local)); #if 0 /* Now that we look at krb5.conf as well as kdc.conf, we can - expect to see admin_server being set sometimes. */ + expect to see admin_server being set sometimes. */ #define ILLEGAL_PARAMS (KADM5_CONFIG_ADMIN_SERVER) - if (params_in && (params_in->mask & ILLEGAL_PARAMS)) { - free_db_args(handle); - free(handle); - return KADM5_BAD_SERVER_PARAMS; - } + if (params_in && (params_in->mask & ILLEGAL_PARAMS)) { + free_db_args(handle); + free(handle); + return KADM5_BAD_SERVER_PARAMS; + } #endif - ret = kadm5_get_config_params(handle->context, 1, params_in, - &handle->params); - if (ret) { - free_db_args(handle); - free(handle); - return(ret); - } - -#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_DBNAME | \ - KADM5_CONFIG_ENCTYPE | \ - KADM5_CONFIG_FLAGS | \ - KADM5_CONFIG_MAX_LIFE | KADM5_CONFIG_MAX_RLIFE | \ - KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_ENCTYPES) - -#define IPROP_REQUIRED_PARAMS \ - (KADM5_CONFIG_IPROP_ENABLED | \ - KADM5_CONFIG_IPROP_LOGFILE | \ - KADM5_CONFIG_IPROP_PORT) - - if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { - free_db_args(handle); - free(handle); - return KADM5_MISSING_CONF_PARAMS; - } - if ((handle->params.mask & KADM5_CONFIG_IPROP_ENABLED) == KADM5_CONFIG_IPROP_ENABLED - && handle->params.iprop_enabled) { - if ((handle->params.mask & IPROP_REQUIRED_PARAMS) != IPROP_REQUIRED_PARAMS) { - free_db_args(handle); - free(handle); - return KADM5_MISSING_CONF_PARAMS; - } - } - - ret = krb5_set_default_realm(handle->context, handle->params.realm); - if (ret) { - free_db_args(handle); - free(handle); - return ret; - } + ret = kadm5_get_config_params(handle->context, 1, params_in, + &handle->params); + if (ret) { + free_db_args(handle); + free(handle); + return(ret); + } + +#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_DBNAME | \ + KADM5_CONFIG_ENCTYPE | \ + KADM5_CONFIG_FLAGS | \ + KADM5_CONFIG_MAX_LIFE | KADM5_CONFIG_MAX_RLIFE | \ + KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_ENCTYPES) + +#define IPROP_REQUIRED_PARAMS \ + (KADM5_CONFIG_IPROP_ENABLED | \ + KADM5_CONFIG_IPROP_LOGFILE | \ + KADM5_CONFIG_IPROP_PORT) + + if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { + free_db_args(handle); + free(handle); + return KADM5_MISSING_CONF_PARAMS; + } + if ((handle->params.mask & KADM5_CONFIG_IPROP_ENABLED) == KADM5_CONFIG_IPROP_ENABLED + && handle->params.iprop_enabled) { + if ((handle->params.mask & IPROP_REQUIRED_PARAMS) != IPROP_REQUIRED_PARAMS) { + free_db_args(handle); + free(handle); + return KADM5_MISSING_CONF_PARAMS; + } + } + + ret = krb5_set_default_realm(handle->context, handle->params.realm); + if (ret) { + free_db_args(handle); + free(handle); + return ret; + } ret = krb5_db_open(handle->context, db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN); + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN); if (ret) { - free_db_args(handle); - free(handle); - return(ret); + free_db_args(handle); + free(handle); + return(ret); } if ((ret = krb5_parse_name(handle->context, client_name, - &handle->current_caller))) { - krb5_db_fini(handle->context); - free_db_args(handle); - free(handle); - return ret; + &handle->current_caller))) { + krb5_db_fini(handle->context); + free_db_args(handle); + free(handle); + return ret; } if (! (handle->lhandle = malloc(sizeof(*handle)))) { - krb5_db_fini(handle->context); - free_db_args(handle); - free(handle); - return ENOMEM; + krb5_db_fini(handle->context); + free_db_args(handle); + free(handle); + return ENOMEM; } *handle->lhandle = *handle; handle->lhandle->api_version = KADM5_API_VERSION_3; @@ -280,36 +281,36 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, /* can't check the handle until current_caller is set */ ret = check_handle((void *) handle); if (ret) { - free_db_args(handle); - free(handle); - return ret; + free_db_args(handle); + free(handle); + return ret; } ret = kdb_init_master(handle, handle->params.realm, - (handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD) - && handle->params.mkey_from_kbd); + (handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD) + && handle->params.mkey_from_kbd); if (ret) { - krb5_db_fini(handle->context); - free_db_args(handle); - free(handle); - return ret; + krb5_db_fini(handle->context); + free_db_args(handle); + free(handle); + return ret; } ret = kdb_init_hist(handle, handle->params.realm); if (ret) { - krb5_db_fini(handle->context); - free_db_args(handle); - free(handle); - return ret; + krb5_db_fini(handle->context); + free_db_args(handle); + free(handle); + return ret; } ret = init_dict(&handle->params); if (ret) { - krb5_db_fini(handle->context); - krb5_free_principal(handle->context, handle->current_caller); - free_db_args(handle); - free(handle); - return ret; + krb5_db_fini(handle->context); + krb5_free_principal(handle->context, handle->current_caller); + free_db_args(handle); + free(handle); + return ret; } *server_handle = (void *) handle; @@ -345,7 +346,7 @@ kadm5_ret_t kadm5_lock(void *server_handle) CHECK_HANDLE(server_handle); ret = krb5_db_lock(handle->context, KRB5_DB_LOCKMODE_EXCLUSIVE); if (ret) - return ret; + return ret; return KADM5_OK; } @@ -358,33 +359,33 @@ kadm5_ret_t kadm5_unlock(void *server_handle) CHECK_HANDLE(server_handle); ret = krb5_db_unlock(handle->context); if (ret) - return ret; + return ret; return KADM5_OK; } kadm5_ret_t kadm5_flush(void *server_handle) { - kadm5_server_handle_t handle = server_handle; - kadm5_ret_t ret; - - CHECK_HANDLE(server_handle); - - if ((ret = krb5_db_fini(handle->context)) || - (ret = krb5_db_open(handle->context, handle->db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN)) || - (ret = adb_policy_close(handle)) || - (ret = adb_policy_init(handle))) { - (void) kadm5_destroy(server_handle); - return ret; - } - return KADM5_OK; + kadm5_server_handle_t handle = server_handle; + kadm5_ret_t ret; + + CHECK_HANDLE(server_handle); + + if ((ret = krb5_db_fini(handle->context)) || + (ret = krb5_db_open(handle->context, handle->db_args, + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN)) || + (ret = adb_policy_close(handle)) || + (ret = adb_policy_init(handle))) { + (void) kadm5_destroy(server_handle); + return ret; + } + return KADM5_OK; } int _kadm5_check_handle(void *handle) { - CHECK_HANDLE(handle); - return 0; + CHECK_HANDLE(handle); + return 0; } #include "gssapiP_krb5.h" @@ -392,11 +393,11 @@ krb5_error_code kadm5_init_krb5_context (krb5_context *ctx) { static int first_time = 1; if (first_time) { - krb5_error_code err; - err = krb5_gss_use_kdc_context(); - if (err) - return err; - first_time = 0; + krb5_error_code err; + err = krb5_gss_use_kdc_context(); + if (err) + return err; + first_time = 0; } return krb5int_init_context_kdc(ctx); } @@ -404,17 +405,17 @@ krb5_error_code kadm5_init_krb5_context (krb5_context *ctx) krb5_error_code kadm5_init_iprop(void *handle, char **db_args) { - kadm5_server_handle_t iprop_h; - krb5_error_code retval; - - iprop_h = handle; - if (iprop_h->params.iprop_enabled) { - ulog_set_role(iprop_h->context, IPROP_MASTER); - if ((retval = ulog_map(iprop_h->context, - iprop_h->params.iprop_logfile, - iprop_h->params.iprop_ulogsize, - FKCOMMAND, db_args)) != 0) - return (retval); - } - return (0); + kadm5_server_handle_t iprop_h; + krb5_error_code retval; + + iprop_h = handle; + if (iprop_h->params.iprop_enabled) { + ulog_set_role(iprop_h->context, IPROP_MASTER); + if ((retval = ulog_map(iprop_h->context, + iprop_h->params.iprop_logfile, + iprop_h->params.iprop_ulogsize, + FKCOMMAND, db_args)) != 0) + return (retval); + } + return (0); } diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index fe2020db1..4b1d05dbb 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -19,88 +20,88 @@ static char *rcsid = "$Header$"; #include #include "server_internal.h" -krb5_principal master_princ; -krb5_keyblock master_keyblock; /* local mkey */ +krb5_principal master_princ; +krb5_keyblock master_keyblock; /* local mkey */ krb5_keylist_node *master_keylist = NULL; krb5_actkvno_node *active_mkey_list = NULL; -krb5_db_entry master_db; +krb5_db_entry master_db; -krb5_principal hist_princ; -krb5_keyblock hist_key; -krb5_db_entry hist_db; -krb5_kvno hist_kvno; +krb5_principal hist_princ; +krb5_keyblock hist_key; +krb5_db_entry hist_db; +krb5_kvno hist_kvno; /* much of this code is stolen from the kdc. there should be some library code to deal with this. */ krb5_error_code kdb_init_master(kadm5_server_handle_t handle, - char *r, int from_keyboard) + char *r, int from_keyboard) { - int ret = 0; - char *realm; + int ret = 0; + char *realm; krb5_boolean from_kbd = FALSE; krb5_kvno mkvno = IGNORE_VNO; if (from_keyboard) - from_kbd = TRUE; + from_kbd = TRUE; if (r == NULL) { - if ((ret = krb5_get_default_realm(handle->context, &realm))) - return ret; + if ((ret = krb5_get_default_realm(handle->context, &realm))) + return ret; } else { - realm = r; + realm = r; } if ((ret = krb5_db_setup_mkey_name(handle->context, - handle->params.mkey_name, - realm, NULL, &master_princ))) - goto done; + handle->params.mkey_name, + realm, NULL, &master_princ))) + goto done; master_keyblock.enctype = handle->params.enctype; - /* + /* * Fetch the local mkey, may not be the latest but that's okay because we * really want the list of all mkeys and those can be retrieved with any * valid mkey. */ ret = krb5_db_fetch_mkey(handle->context, master_princ, - master_keyblock.enctype, from_kbd, - FALSE /* only prompt once */, - handle->params.stash_file, - &mkvno /* get the kvno of the returned mkey */, - NULL /* I'm not sure about this, - but it's what the kdc does --marc */, - &master_keyblock); + master_keyblock.enctype, from_kbd, + FALSE /* only prompt once */, + handle->params.stash_file, + &mkvno /* get the kvno of the returned mkey */, + NULL /* I'm not sure about this, + but it's what the kdc does --marc */, + &master_keyblock); if (ret) - goto done; - + goto done; + #if 0 /************** Begin IFDEF'ed OUT *******************************/ /* * krb5_db_fetch_mkey_list will verify mkey so don't call * krb5_db_verify_master_key() */ if ((ret = krb5_db_verify_master_key(handle->context, master_princ, - IGNORE_VNO, &master_keyblock))) { - krb5_db_fini(handle->context); - return ret; + IGNORE_VNO, &master_keyblock))) { + krb5_db_fini(handle->context); + return ret; } #endif /**************** END IFDEF'ed OUT *******************************/ if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ, - &master_keyblock, mkvno, &master_keylist))) { - krb5_db_fini(handle->context); - return (ret); + &master_keyblock, mkvno, &master_keylist))) { + krb5_db_fini(handle->context); + return (ret); } if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ, - &active_mkey_list))) { - krb5_db_fini(handle->context); - return (ret); + &active_mkey_list))) { + krb5_db_fini(handle->context); + return (ret); } done: if (r == NULL) - free(realm); + free(realm); return(ret); } @@ -112,17 +113,17 @@ done: * * Arguments: * - * handle (r) kadm5 api server handle - * r (r) realm of history principal to use, or NULL + * handle (r) kadm5 api server handle + * r (r) realm of history principal to use, or NULL * * Effects: This function sets the value of the following global * variables: * - * hist_princ krb5_principal holding the history principal - * hist_db krb5_db_entry of the history principal - * hist_key krb5_keyblock holding the history principal's key - * hist_encblock krb5_encrypt_block holding the procssed hist_key - * hist_kvno the version number of the history key + * hist_princ krb5_principal holding the history principal + * hist_db krb5_db_entry of the history principal + * hist_key krb5_keyblock holding the history principal's key + * hist_encblock krb5_encrypt_block holding the procssed hist_key + * hist_kvno the version number of the history key * * If the history principal does not already exist, this function * attempts to create it with kadm5_create_principal. WARNING! @@ -133,98 +134,98 @@ done: */ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) { - int ret = 0; + int ret = 0; char *realm, *hist_name; krb5_key_data *key_data; krb5_key_salt_tuple ks[1]; krb5_keyblock *tmp_mkey; if (r == NULL) { - if ((ret = krb5_get_default_realm(handle->context, &realm))) - return ret; + if ((ret = krb5_get_default_realm(handle->context, &realm))) + return ret; } else { - realm = r; + realm = r; } if (asprintf(&hist_name, "%s@%s", KADM5_HIST_PRINCIPAL, realm) < 0) { - hist_name = NULL; - goto done; + hist_name = NULL; + goto done; } if ((ret = krb5_parse_name(handle->context, hist_name, &hist_princ))) - goto done; + goto done; if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) { - kadm5_principal_ent_rec ent; + kadm5_principal_ent_rec ent; - if (ret != KADM5_UNK_PRINC) - goto done; + if (ret != KADM5_UNK_PRINC) + goto done; - /* try to create the principal */ + /* try to create the principal */ - memset(&ent, 0, sizeof(ent)); + memset(&ent, 0, sizeof(ent)); - ent.principal = hist_princ; - ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX; - ent.attributes = 0; + ent.principal = hist_princ; + ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX; + ent.attributes = 0; - /* this uses hist_kvno. So we set it to 2, which will be the - correct value once the principal is created and randomized. - Of course, it doesn't make sense to keep a history for the - history principal, anyway. */ + /* this uses hist_kvno. So we set it to 2, which will be the + correct value once the principal is created and randomized. + Of course, it doesn't make sense to keep a history for the + history principal, anyway. */ - hist_kvno = 2; - ks[0].ks_enctype = handle->params.enctype; - ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; - ret = kadm5_create_principal_3(handle, &ent, - (KADM5_PRINCIPAL | KADM5_MAX_LIFE | - KADM5_ATTRIBUTES), - 1, ks, - "to-be-random"); - if (ret) - goto done; + hist_kvno = 2; + ks[0].ks_enctype = handle->params.enctype; + ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; + ret = kadm5_create_principal_3(handle, &ent, + (KADM5_PRINCIPAL | KADM5_MAX_LIFE | + KADM5_ATTRIBUTES), + 1, ks, + "to-be-random"); + if (ret) + goto done; - /* this won't let us randomize the hist_princ. So we cheat. */ + /* this won't let us randomize the hist_princ. So we cheat. */ - hist_princ = NULL; + hist_princ = NULL; - ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks, - NULL, NULL); + ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks, + NULL, NULL); - hist_princ = ent.principal; + hist_princ = ent.principal; - if (ret) - goto done; + if (ret) + goto done; - /* now read the newly-created kdb record out of the - database. */ + /* now read the newly-created kdb record out of the + database. */ - if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) - goto done; + if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) + goto done; } ret = krb5_dbe_find_enctype(handle->context, &hist_db, - handle->params.enctype, -1, -1, &key_data); + handle->params.enctype, -1, -1, &key_data); if (ret) - goto done; + goto done; ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db, &tmp_mkey); if (ret) - goto done; + goto done; ret = krb5_dbekd_decrypt_key_data(handle->context, tmp_mkey, - key_data, &hist_key, NULL); + key_data, &hist_key, NULL); if (ret) - goto done; + goto done; hist_kvno = key_data->key_data_kvno; done: free(hist_name); if (r == NULL) - free(realm); + free(realm); return ret; } @@ -236,10 +237,10 @@ done: * * Arguments: * - * handle (r) the server_handle - * principal (r) the principal to get - * kdb (w) krb5_db_entry to fill in - * adb (w) osa_princ_ent_rec to fill in + * handle (r) the server_handle + * principal (r) the principal to get + * kdb (w) krb5_db_entry to fill in + * adb (w) osa_princ_ent_rec to fill in * * when the caller is done with kdb and adb, kdb_free_entry must be * called to release them. The adb record is filled in with the @@ -248,8 +249,8 @@ done: */ krb5_error_code kdb_get_entry(kadm5_server_handle_t handle, - krb5_principal principal, krb5_db_entry *kdb, - osa_princ_ent_rec *adb) + krb5_principal principal, krb5_db_entry *kdb, + osa_princ_ent_rec *adb) { krb5_error_code ret; int nprincs; @@ -258,49 +259,49 @@ kdb_get_entry(kadm5_server_handle_t handle, XDR xdrs; ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs, - &more); + &more); if (ret) - return(ret); + return(ret); if (more) { - krb5_db_free_principal(handle->context, kdb, nprincs); - return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); + krb5_db_free_principal(handle->context, kdb, nprincs); + return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); } else if (nprincs != 1) { - krb5_db_free_principal(handle->context, kdb, nprincs); - return(KADM5_UNK_PRINC); + krb5_db_free_principal(handle->context, kdb, nprincs); + return(KADM5_UNK_PRINC); } if (adb) { - memset(adb, 0, sizeof(*adb)); - - tl_data.tl_data_type = KRB5_TL_KADM_DATA; - /* - * XXX Currently, lookup_tl_data always returns zero; it sets - * tl_data->tl_data_length to zero if the type isn't found. - * This should be fixed... - */ - if ((ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data)) - || (tl_data.tl_data_length == 0)) { - /* there's no admin data. this can happen, if the admin - server is put into production after some principals - are created. In this case, return valid admin - data (which is all zeros with the hist_kvno filled - in), and when the entry is written, the admin - data will get stored correctly. */ - - adb->admin_history_kvno = hist_kvno; - - return(ret); - } - - xdrmem_create(&xdrs, tl_data.tl_data_contents, - tl_data.tl_data_length, XDR_DECODE); - if (! xdr_osa_princ_ent_rec(&xdrs, adb)) { - xdr_destroy(&xdrs); - krb5_db_free_principal(handle->context, kdb, 1); - return(KADM5_XDR_FAILURE); - } - xdr_destroy(&xdrs); + memset(adb, 0, sizeof(*adb)); + + tl_data.tl_data_type = KRB5_TL_KADM_DATA; + /* + * XXX Currently, lookup_tl_data always returns zero; it sets + * tl_data->tl_data_length to zero if the type isn't found. + * This should be fixed... + */ + if ((ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data)) + || (tl_data.tl_data_length == 0)) { + /* there's no admin data. this can happen, if the admin + server is put into production after some principals + are created. In this case, return valid admin + data (which is all zeros with the hist_kvno filled + in), and when the entry is written, the admin + data will get stored correctly. */ + + adb->admin_history_kvno = hist_kvno; + + return(ret); + } + + xdrmem_create(&xdrs, tl_data.tl_data_contents, + tl_data.tl_data_length, XDR_DECODE); + if (! xdr_osa_princ_ent_rec(&xdrs, adb)) { + xdr_destroy(&xdrs); + krb5_db_free_principal(handle->context, kdb, 1); + return(KADM5_XDR_FAILURE); + } + xdr_destroy(&xdrs); } return(0); @@ -313,9 +314,9 @@ kdb_get_entry(kadm5_server_handle_t handle, * * Arguments: * - * handle (r) the server_handle - * kdb (w) krb5_db_entry to fill in - * adb (w) osa_princ_ent_rec to fill in + * handle (r) the server_handle + * kdb (w) krb5_db_entry to fill in + * adb (w) osa_princ_ent_rec to fill in * * when the caller is done with kdb and adb, kdb_free_entry must be * called to release them. @@ -323,18 +324,18 @@ kdb_get_entry(kadm5_server_handle_t handle, krb5_error_code kdb_free_entry(kadm5_server_handle_t handle, - krb5_db_entry *kdb, osa_princ_ent_rec *adb) + krb5_db_entry *kdb, osa_princ_ent_rec *adb) { XDR xdrs; if (kdb) - krb5_db_free_principal(handle->context, kdb, 1); + krb5_db_free_principal(handle->context, kdb, 1); if (adb) { - xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - xdr_osa_princ_ent_rec(&xdrs, adb); - xdr_destroy(&xdrs); + xdrmem_create(&xdrs, NULL, 0, XDR_FREE); + xdr_osa_princ_ent_rec(&xdrs, adb); + xdr_destroy(&xdrs); } return(0); @@ -348,9 +349,9 @@ kdb_free_entry(kadm5_server_handle_t handle, * * Arguments: * - * handle (r) the server_handle - * kdb (r/w) the krb5_db_entry to store - * adb (r) the osa_princ_db_ent to store + * handle (r) the server_handle + * kdb (r/w) the krb5_db_entry to store + * adb (r) the osa_princ_db_ent to store * * Effects: * @@ -360,7 +361,7 @@ kdb_free_entry(kadm5_server_handle_t handle, */ krb5_error_code kdb_put_entry(kadm5_server_handle_t handle, - krb5_db_entry *kdb, osa_princ_ent_rec *adb) + krb5_db_entry *kdb, osa_princ_ent_rec *adb) { krb5_error_code ret; krb5_int32 now; @@ -370,17 +371,17 @@ kdb_put_entry(kadm5_server_handle_t handle, ret = krb5_timeofday(handle->context, &now); if (ret) - return(ret); + return(ret); ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now, - handle->current_caller); + handle->current_caller); if (ret) - return(ret); - - xdralloc_create(&xdrs, XDR_ENCODE); + return(ret); + + xdralloc_create(&xdrs, XDR_ENCODE); if(! xdr_osa_princ_ent_rec(&xdrs, adb)) { - xdr_destroy(&xdrs); - return(KADM5_XDR_FAILURE); + xdr_destroy(&xdrs); + return(KADM5_XDR_FAILURE); } tl_data.tl_data_type = KRB5_TL_KADM_DATA; tl_data.tl_data_length = xdr_getpos(&xdrs); @@ -391,7 +392,7 @@ kdb_put_entry(kadm5_server_handle_t handle, xdr_destroy(&xdrs); if (ret) - return(ret); + return(ret); one = 1; @@ -400,7 +401,7 @@ kdb_put_entry(kadm5_server_handle_t handle, ret = krb5_db_put_principal(handle->context, kdb, &one); if (ret) - return(ret); + return(ret); return(0); } @@ -410,7 +411,7 @@ kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name) { int one = 1; krb5_error_code ret; - + ret = krb5_db_delete_principal(handle->context, name, &one); return ret; @@ -433,7 +434,7 @@ kdb_iter_func(krb5_pointer data, krb5_db_entry *kdb) krb5_error_code kdb_iter_entry(kadm5_server_handle_t handle, char *match_entry, - void (*iter_fct)(void *, krb5_principal), void *data) + void (*iter_fct)(void *, krb5_principal), void *data) { iter_data id; krb5_error_code ret; @@ -443,8 +444,7 @@ kdb_iter_entry(kadm5_server_handle_t handle, char *match_entry, ret = krb5_db_iterate(handle->context, match_entry, kdb_iter_func, &id); if (ret) - return(ret); + return(ret); return(0); } - diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c index cd65371c9..1faeb86b1 100644 --- a/src/lib/kadm5/srv/server_misc.c +++ b/src/lib/kadm5/srv/server_misc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -23,10 +24,10 @@ adb_policy_init(kadm5_server_handle_t handle) { /* now policy is initialized as part of database. No seperate call needed */ if( krb5_db_inited( handle->context ) ) - return KADM5_OK; + return KADM5_OK; - return krb5_db_open( handle->context, NULL, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN ); + return krb5_db_open( handle->context, NULL, + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN ); } kadm5_ret_t @@ -40,144 +41,143 @@ adb_policy_close(kadm5_server_handle_t handle) /* stolen from v4sever/kadm_funcs.c */ static char * reverse(str) - char *str; + char *str; { - static char newstr[80]; - char *p, *q; - int i; - - i = strlen(str); - if (i >= sizeof(newstr)) - i = sizeof(newstr)-1; - p = str+i-1; - q = newstr; - q[i]='\0'; - for(; i > 0; i--) - *q++ = *p--; - - return(newstr); + static char newstr[80]; + char *p, *q; + int i; + + i = strlen(str); + if (i >= sizeof(newstr)) + i = sizeof(newstr)-1; + p = str+i-1; + q = newstr; + q[i]='\0'; + for(; i > 0; i--) + *q++ = *p--; + + return(newstr); } #endif /* HESIOD */ #if 0 static int lower(str) - char *str; + char *str; { - register char *cp; - int effect=0; - - for (cp = str; *cp; cp++) { - if (isupper(*cp)) { - *cp = tolower(*cp); - effect++; - } - } - return(effect); + register char *cp; + int effect=0; + + for (cp = str; *cp; cp++) { + if (isupper(*cp)) { + *cp = tolower(*cp); + effect++; + } + } + return(effect); } #endif #ifdef HESIOD static int str_check_gecos(gecos, pwstr) - char *gecos; - char *pwstr; + char *gecos; + char *pwstr; { - char *cp, *ncp, *tcp; - - for (cp = gecos; *cp; ) { - /* Skip past punctuation */ - for (; *cp; cp++) - if (isalnum(*cp)) - break; - /* Skip to the end of the word */ - for (ncp = cp; *ncp; ncp++) - if (!isalnum(*ncp) && *ncp != '\'') - break; - /* Delimit end of word */ - if (*ncp) - *ncp++ = '\0'; - /* Check word to see if it's the password */ - if (*cp) { - if (!strcasecmp(pwstr, cp)) - return 1; - tcp = reverse(cp); - if (!strcasecmp(pwstr, tcp)) - return 1; - cp = ncp; - } else - break; - } - return 0; + char *cp, *ncp, *tcp; + + for (cp = gecos; *cp; ) { + /* Skip past punctuation */ + for (; *cp; cp++) + if (isalnum(*cp)) + break; + /* Skip to the end of the word */ + for (ncp = cp; *ncp; ncp++) + if (!isalnum(*ncp) && *ncp != '\'') + break; + /* Delimit end of word */ + if (*ncp) + *ncp++ = '\0'; + /* Check word to see if it's the password */ + if (*cp) { + if (!strcasecmp(pwstr, cp)) + return 1; + tcp = reverse(cp); + if (!strcasecmp(pwstr, tcp)) + return 1; + cp = ncp; + } else + break; + } + return 0; } #endif /* HESIOD */ /* some of this is stolen from gatekeeper ... */ kadm5_ret_t passwd_check(kadm5_server_handle_t handle, - char *password, int use_policy, kadm5_policy_ent_t pol, - krb5_principal principal) + char *password, int use_policy, kadm5_policy_ent_t pol, + krb5_principal principal) { - int nupper = 0, - nlower = 0, - ndigit = 0, - npunct = 0, - nspec = 0; + int nupper = 0, + nlower = 0, + ndigit = 0, + npunct = 0, + nspec = 0; char c, *s, *cp; #ifdef HESIOD extern struct passwd *hes_getpwnam(); struct passwd *ent; #endif - + if(use_policy) { - if(strlen(password) < pol->pw_min_length) - return KADM5_PASS_Q_TOOSHORT; - s = password; - while ((c = *s++)) { - if (islower((unsigned char) c)) { - nlower = 1; - continue; - } - else if (isupper((unsigned char) c)) { - nupper = 1; - continue; - } else if (isdigit((unsigned char) c)) { - ndigit = 1; - continue; - } else if (ispunct((unsigned char) c)) { - npunct = 1; - continue; - } else { - nspec = 1; - continue; - } - } - if ((nupper + nlower + ndigit + npunct + nspec) < pol->pw_min_classes) - return KADM5_PASS_Q_CLASS; - if((find_word(password) == KADM5_OK)) - return KADM5_PASS_Q_DICT; - else { - int i, n = krb5_princ_size(handle->context, principal); - cp = krb5_princ_realm(handle->context, principal)->data; - if (strcasecmp(cp, password) == 0) - return KADM5_PASS_Q_DICT; - for (i = 0; i < n ; i++) { - cp = krb5_princ_component(handle->context, principal, i)->data; - if (strcasecmp(cp, password) == 0) - return KADM5_PASS_Q_DICT; + if(strlen(password) < pol->pw_min_length) + return KADM5_PASS_Q_TOOSHORT; + s = password; + while ((c = *s++)) { + if (islower((unsigned char) c)) { + nlower = 1; + continue; + } + else if (isupper((unsigned char) c)) { + nupper = 1; + continue; + } else if (isdigit((unsigned char) c)) { + ndigit = 1; + continue; + } else if (ispunct((unsigned char) c)) { + npunct = 1; + continue; + } else { + nspec = 1; + continue; + } + } + if ((nupper + nlower + ndigit + npunct + nspec) < pol->pw_min_classes) + return KADM5_PASS_Q_CLASS; + if((find_word(password) == KADM5_OK)) + return KADM5_PASS_Q_DICT; + else { + int i, n = krb5_princ_size(handle->context, principal); + cp = krb5_princ_realm(handle->context, principal)->data; + if (strcasecmp(cp, password) == 0) + return KADM5_PASS_Q_DICT; + for (i = 0; i < n ; i++) { + cp = krb5_princ_component(handle->context, principal, i)->data; + if (strcasecmp(cp, password) == 0) + return KADM5_PASS_Q_DICT; #ifdef HESIOD - ent = hes_getpwnam(cp); - if (ent && ent->pw_gecos) - if (str_check_gecos(ent->pw_gecos, password)) - return KADM5_PASS_Q_DICT; /* XXX new error code? */ + ent = hes_getpwnam(cp); + if (ent && ent->pw_gecos) + if (str_check_gecos(ent->pw_gecos, password)) + return KADM5_PASS_Q_DICT; /* XXX new error code? */ #endif - } - return KADM5_OK; - } + } + return KADM5_OK; + } } else { - if (strlen(password) < 1) - return KADM5_PASS_Q_TOOSHORT; + if (strlen(password) < 1) + return KADM5_PASS_Q_TOOSHORT; } - return KADM5_OK; + return KADM5_OK; } - diff --git a/src/lib/kadm5/srv/svr_chpass_util.c b/src/lib/kadm5/srv/svr_chpass_util.c index c8b63100a..bfb66466a 100644 --- a/src/lib/kadm5/srv/svr_chpass_util.c +++ b/src/lib/kadm5/srv/svr_chpass_util.c @@ -1,16 +1,17 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include "server_internal.h" kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, - krb5_principal princ, - char *new_pw, - char **ret_pw, - char *msg_ret, - unsigned int msg_len) + krb5_principal princ, + char *new_pw, + char **ret_pw, + char *msg_ret, + unsigned int msg_len) { - kadm5_server_handle_t handle = server_handle; + kadm5_server_handle_t handle = server_handle; - CHECK_HANDLE(server_handle); - return _kadm5_chpass_principal_util(handle, handle->lhandle, princ, - new_pw, ret_pw, msg_ret, msg_len); + CHECK_HANDLE(server_handle); + return _kadm5_chpass_principal_util(handle, handle->lhandle, princ, + new_pw, ret_pw, msg_ret, msg_len); } diff --git a/src/lib/kadm5/srv/svr_iters.c b/src/lib/kadm5/srv/svr_iters.c index 757d3ab0e..77ef05aea 100644 --- a/src/lib/kadm5/srv/svr_iters.c +++ b/src/lib/kadm5/srv/svr_iters.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -19,30 +20,30 @@ static char *rcsid = "$Header$"; #error I cannot find any regexp functions #endif -#include -#include -#include +#include +#include +#include #ifdef SOLARIS_REGEXPS -#include +#include #endif #ifdef POSIX_REGEXPS -#include +#include #endif #include -#include "server_internal.h" +#include "server_internal.h" struct iter_data { - krb5_context context; - char **names; - int n_names, sz_names; - unsigned int malloc_failed; - char *exp; + krb5_context context; + char **names; + int n_names, sz_names; + unsigned int malloc_failed; + char *exp; #ifdef SOLARIS_REGEXPS - char *expbuf; + char *expbuf; #endif #ifdef POSIX_REGEXPS - regex_t preg; + regex_t preg; #endif }; @@ -52,9 +53,9 @@ struct iter_data { * * Arguments: * - * glob (r) the shell-style glob (?*[]) to convert - * realm (r) the default realm to append, or NULL - * regexp (w) the ed-style regexp created from glob + * glob (r) the shell-style glob (?*[]) to convert + * realm (r) the default realm to append, or NULL + * regexp (w) the ed-style regexp created from glob * * Effects: * @@ -65,210 +66,209 @@ struct iter_data { * * Conversion algorithm: * - * quoted characters are copied quoted - * ? is converted to . - * * is converted to .* - * active characters are quoted: ^, $, . - * [ and ] are active but supported and have the same meaning, so - * they are copied - * other characters are copied - * regexp is anchored with ^ and $ + * quoted characters are copied quoted + * ? is converted to . + * * is converted to .* + * active characters are quoted: ^, $, . + * [ and ] are active but supported and have the same meaning, so + * they are copied + * other characters are copied + * regexp is anchored with ^ and $ */ static kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp) { - int append_realm; - char *p; + int append_realm; + char *p; - /* validate the glob */ - if (glob[strlen(glob)-1] == '\\') - return EINVAL; + /* validate the glob */ + if (glob[strlen(glob)-1] == '\\') + return EINVAL; - /* A character of glob can turn into two in regexp, plus ^ and $ */ - /* and trailing null. If glob has no @, also allocate space for */ - /* the realm. */ - append_realm = (realm != NULL) && (strchr(glob, '@') == NULL); - p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 3 : 0)); - if (p == NULL) - return ENOMEM; - *regexp = p; + /* A character of glob can turn into two in regexp, plus ^ and $ */ + /* and trailing null. If glob has no @, also allocate space for */ + /* the realm. */ + append_realm = (realm != NULL) && (strchr(glob, '@') == NULL); + p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 3 : 0)); + if (p == NULL) + return ENOMEM; + *regexp = p; - *p++ = '^'; - while (*glob) { - switch (*glob) { - case '?': - *p++ = '.'; - break; - case '*': - *p++ = '.'; - *p++ = '*'; - break; - case '.': - case '^': - case '$': - *p++ = '\\'; - *p++ = *glob; - break; - case '\\': - *p++ = '\\'; - *p++ = *++glob; - break; - default: - *p++ = *glob; - break; - } - glob++; - } + *p++ = '^'; + while (*glob) { + switch (*glob) { + case '?': + *p++ = '.'; + break; + case '*': + *p++ = '.'; + *p++ = '*'; + break; + case '.': + case '^': + case '$': + *p++ = '\\'; + *p++ = *glob; + break; + case '\\': + *p++ = '\\'; + *p++ = *++glob; + break; + default: + *p++ = *glob; + break; + } + glob++; + } - if (append_realm) { - *p++ = '@'; - *p++ = '.'; - *p++ = '*'; - } + if (append_realm) { + *p++ = '@'; + *p++ = '.'; + *p++ = '*'; + } - *p++ = '$'; - *p++ = '\0'; - return KADM5_OK; + *p++ = '$'; + *p++ = '\0'; + return KADM5_OK; } static void get_either_iter(struct iter_data *data, char *name) { - int match; + int match; #ifdef SOLARIS_REGEXPS - match = (step(name, data->expbuf) != 0); + match = (step(name, data->expbuf) != 0); #endif #ifdef POSIX_REGEXPS - match = (regexec(&data->preg, name, 0, NULL, 0) == 0); + match = (regexec(&data->preg, name, 0, NULL, 0) == 0); #endif #ifdef BSD_REGEXPS - match = (re_exec(name) != 0); + match = (re_exec(name) != 0); #endif - if (match) { - if (data->n_names == data->sz_names) { - int new_sz = data->sz_names * 2; - char **new_names = realloc(data->names, - new_sz * sizeof(char *)); - if (new_names) { - data->names = new_names; - data->sz_names = new_sz; - } else { - data->malloc_failed = 1; - free(name); - return; - } - } - data->names[data->n_names++] = name; - } else - free(name); + if (match) { + if (data->n_names == data->sz_names) { + int new_sz = data->sz_names * 2; + char **new_names = realloc(data->names, + new_sz * sizeof(char *)); + if (new_names) { + data->names = new_names; + data->sz_names = new_sz; + } else { + data->malloc_failed = 1; + free(name); + return; + } + } + data->names[data->n_names++] = name; + } else + free(name); } static void get_pols_iter(void *data, osa_policy_ent_t entry) { - char *name; + char *name; - if ((name = strdup(entry->name)) == NULL) - return; - get_either_iter(data, name); + if ((name = strdup(entry->name)) == NULL) + return; + get_either_iter(data, name); } static void get_princs_iter(void *data, krb5_principal princ) { - struct iter_data *id = (struct iter_data *) data; - char *name; - - if (krb5_unparse_name(id->context, princ, &name) != 0) - return; - get_either_iter(data, name); + struct iter_data *id = (struct iter_data *) data; + char *name; + + if (krb5_unparse_name(id->context, princ, &name) != 0) + return; + get_either_iter(data, name); } static kadm5_ret_t kadm5_get_either(int princ, - void *server_handle, - char *exp, - char ***princs, - int *count) + void *server_handle, + char *exp, + char ***princs, + int *count) { - struct iter_data data; + struct iter_data data; #ifdef BSD_REGEXPS - char *msg; + char *msg; #endif - char *regexp; - int i, ret; - kadm5_server_handle_t handle = server_handle; + char *regexp; + int i, ret; + kadm5_server_handle_t handle = server_handle; - *princs = NULL; - *count = 0; - if (exp == NULL) - exp = "*"; + *princs = NULL; + *count = 0; + if (exp == NULL) + exp = "*"; - CHECK_HANDLE(server_handle); + CHECK_HANDLE(server_handle); - if ((ret = glob_to_regexp(exp, princ ? handle->params.realm : NULL, - ®exp)) != KADM5_OK) - return ret; + if ((ret = glob_to_regexp(exp, princ ? handle->params.realm : NULL, + ®exp)) != KADM5_OK) + return ret; - if ( + if ( #ifdef SOLARIS_REGEXPS - ((data.expbuf = compile(regexp, NULL, NULL)) == NULL) + ((data.expbuf = compile(regexp, NULL, NULL)) == NULL) #endif #ifdef POSIX_REGEXPS - ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0) + ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0) #endif #ifdef BSD_REGEXPS - ((msg = (char *) re_comp(regexp)) != NULL) + ((msg = (char *) re_comp(regexp)) != NULL) #endif - ) - { - /* XXX syslog msg or regerr(regerrno) */ - free(regexp); - return EINVAL; - } + ) + { + /* XXX syslog msg or regerr(regerrno) */ + free(regexp); + return EINVAL; + } + + data.n_names = 0; + data.sz_names = 10; + data.malloc_failed = 0; + data.names = malloc(sizeof(char *) * data.sz_names); + if (data.names == NULL) { + free(regexp); + return ENOMEM; + } - data.n_names = 0; - data.sz_names = 10; - data.malloc_failed = 0; - data.names = malloc(sizeof(char *) * data.sz_names); - if (data.names == NULL) { - free(regexp); - return ENOMEM; - } + if (princ) { + data.context = handle->context; + ret = kdb_iter_entry(handle, exp, get_princs_iter, (void *) &data); + } else { + ret = krb5_db_iter_policy(handle->context, exp, get_pols_iter, (void *)&data); + } - if (princ) { - data.context = handle->context; - ret = kdb_iter_entry(handle, exp, get_princs_iter, (void *) &data); - } else { - ret = krb5_db_iter_policy(handle->context, exp, get_pols_iter, (void *)&data); - } - - free(regexp); + free(regexp); #ifdef POSIX_REGEXPS - regfree(&data.preg); + regfree(&data.preg); #endif - if ( !ret && data.malloc_failed) - ret = ENOMEM; - if ( ret ) { - for (i = 0; i < data.n_names; i++) - free(data.names[i]); - free(data.names); - return ret; - } + if ( !ret && data.malloc_failed) + ret = ENOMEM; + if ( ret ) { + for (i = 0; i < data.n_names; i++) + free(data.names[i]); + free(data.names); + return ret; + } - *princs = data.names; - *count = data.n_names; - return KADM5_OK; + *princs = data.names; + *count = data.n_names; + return KADM5_OK; } kadm5_ret_t kadm5_get_principals(void *server_handle, - char *exp, - char ***princs, - int *count) + char *exp, + char ***princs, + int *count) { - return kadm5_get_either(1, server_handle, exp, princs, count); + return kadm5_get_either(1, server_handle, exp, princs, count); } kadm5_ret_t kadm5_get_policies(void *server_handle, - char *exp, - char ***pols, - int *count) + char *exp, + char ***pols, + int *count) { - return kadm5_get_either(0, server_handle, exp, pols, count); + return kadm5_get_either(0, server_handle, exp, pols, count); } - diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c index 0d8c5ced6..1d3ccbc66 100644 --- a/src/lib/kadm5/srv/svr_policy.c +++ b/src/lib/kadm5/srv/svr_policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -8,170 +9,170 @@ static char *rcsid = "$Header$"; #endif -#include -#include -#include "server_internal.h" -#include -#include -#include +#include +#include +#include "server_internal.h" +#include +#include +#include -#define MIN_PW_HISTORY 1 -#define MIN_PW_CLASSES 1 -#define MAX_PW_CLASSES 5 -#define MIN_PW_LENGTH 1 +#define MIN_PW_HISTORY 1 +#define MIN_PW_CLASSES 1 +#define MAX_PW_CLASSES 5 +#define MIN_PW_LENGTH 1 /* * Function: kadm5_create_policy - * + * * Purpose: Create Policies in the policy DB. * * Arguments: - * entry (input) The policy entry to be written out to the DB. - * mask (input) Specifies which fields in entry are to ge written out - * and which get default values. - * 0 if successful otherwise an error code is returned. + * entry (input) The policy entry to be written out to the DB. + * mask (input) Specifies which fields in entry are to ge written out + * and which get default values. + * 0 if successful otherwise an error code is returned. * * Requires: - * Entry must be a valid principal entry, and mask have a valid value. - * + * Entry must be a valid principal entry, and mask have a valid value. + * * Effects: - * Verifies that mask does not specify that the refcount should - * be set as part of the creation, and calls - * kadm5_create_policy_internal. If the refcount *is* - * specified, returns KADM5_BAD_MASK. + * Verifies that mask does not specify that the refcount should + * be set as part of the creation, and calls + * kadm5_create_policy_internal. If the refcount *is* + * specified, returns KADM5_BAD_MASK. */ kadm5_ret_t kadm5_create_policy(void *server_handle, - kadm5_policy_ent_t entry, long mask) + kadm5_policy_ent_t entry, long mask) { CHECK_HANDLE(server_handle); krb5_clear_error_message(((kadm5_server_handle_t)server_handle)->context); if (mask & KADM5_REF_COUNT) - return KADM5_BAD_MASK; + return KADM5_BAD_MASK; else - return kadm5_create_policy_internal(server_handle, entry, mask); + return kadm5_create_policy_internal(server_handle, entry, mask); } /* * Function: kadm5_create_policy_internal - * + * * Purpose: Create Policies in the policy DB. * * Arguments: - * entry (input) The policy entry to be written out to the DB. - * mask (input) Specifies which fields in entry are to ge written out - * and which get default values. - * 0 if successful otherwise an error code is returned. + * entry (input) The policy entry to be written out to the DB. + * mask (input) Specifies which fields in entry are to ge written out + * and which get default values. + * 0 if successful otherwise an error code is returned. * * Requires: - * Entry must be a valid principal entry, and mask have a valid value. - * + * Entry must be a valid principal entry, and mask have a valid value. + * * Effects: - * Writes the data to the database, and does a database sync if - * successful. + * Writes the data to the database, and does a database sync if + * successful. * */ kadm5_ret_t kadm5_create_policy_internal(void *server_handle, - kadm5_policy_ent_t entry, long mask) + kadm5_policy_ent_t entry, long mask) { kadm5_server_handle_t handle = server_handle; - osa_policy_ent_rec pent; - int ret; - char *p; + osa_policy_ent_rec pent; + int ret; + char *p; CHECK_HANDLE(server_handle); if ((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL)) - return EINVAL; + return EINVAL; if(strlen(entry->policy) == 0) - return KADM5_BAD_POLICY; + return KADM5_BAD_POLICY; if (!(mask & KADM5_POLICY)) - return KADM5_BAD_MASK; - + return KADM5_BAD_MASK; + pent.name = entry->policy; p = entry->policy; while(*p != '\0') { - if(*p < ' ' || *p > '~') - return KADM5_BAD_POLICY; - else - p++; + if(*p < ' ' || *p > '~') + return KADM5_BAD_POLICY; + else + p++; } if (!(mask & KADM5_PW_MAX_LIFE)) - pent.pw_max_life = 0; + pent.pw_max_life = 0; else - pent.pw_max_life = entry->pw_max_life; + pent.pw_max_life = entry->pw_max_life; if (!(mask & KADM5_PW_MIN_LIFE)) - pent.pw_min_life = 0; + pent.pw_min_life = 0; else { - if((mask & KADM5_PW_MAX_LIFE)) { - if(entry->pw_min_life > entry->pw_max_life && entry->pw_max_life != 0) - return KADM5_BAD_MIN_PASS_LIFE; - } - pent.pw_min_life = entry->pw_min_life; + if((mask & KADM5_PW_MAX_LIFE)) { + if(entry->pw_min_life > entry->pw_max_life && entry->pw_max_life != 0) + return KADM5_BAD_MIN_PASS_LIFE; + } + pent.pw_min_life = entry->pw_min_life; } if (!(mask & KADM5_PW_MIN_LENGTH)) - pent.pw_min_length = MIN_PW_LENGTH; + pent.pw_min_length = MIN_PW_LENGTH; else { - if(entry->pw_min_length < MIN_PW_LENGTH) - return KADM5_BAD_LENGTH; - pent.pw_min_length = entry->pw_min_length; + if(entry->pw_min_length < MIN_PW_LENGTH) + return KADM5_BAD_LENGTH; + pent.pw_min_length = entry->pw_min_length; } if (!(mask & KADM5_PW_MIN_CLASSES)) - pent.pw_min_classes = MIN_PW_CLASSES; + pent.pw_min_classes = MIN_PW_CLASSES; else { - if(entry->pw_min_classes > MAX_PW_CLASSES || entry->pw_min_classes < MIN_PW_CLASSES) - return KADM5_BAD_CLASS; - pent.pw_min_classes = entry->pw_min_classes; + if(entry->pw_min_classes > MAX_PW_CLASSES || entry->pw_min_classes < MIN_PW_CLASSES) + return KADM5_BAD_CLASS; + pent.pw_min_classes = entry->pw_min_classes; } if (!(mask & KADM5_PW_HISTORY_NUM)) - pent.pw_history_num = MIN_PW_HISTORY; + pent.pw_history_num = MIN_PW_HISTORY; else { - if(entry->pw_history_num < MIN_PW_HISTORY) - return KADM5_BAD_HISTORY; - else - pent.pw_history_num = entry->pw_history_num; + if(entry->pw_history_num < MIN_PW_HISTORY) + return KADM5_BAD_HISTORY; + else + pent.pw_history_num = entry->pw_history_num; } if (!(mask & KADM5_REF_COUNT)) - pent.policy_refcnt = 0; + pent.policy_refcnt = 0; else - pent.policy_refcnt = entry->policy_refcnt; + pent.policy_refcnt = entry->policy_refcnt; if (handle->api_version == KADM5_API_VERSION_3) { - if (!(mask & KADM5_PW_MAX_FAILURE)) - pent.pw_max_fail = 0; - else - pent.pw_max_fail = entry->pw_max_fail; - if (!(mask & KADM5_PW_FAILURE_COUNT_INTERVAL)) - pent.pw_failcnt_interval = 0; - else - pent.pw_failcnt_interval = entry->pw_failcnt_interval; - if (!(mask & KADM5_PW_LOCKOUT_DURATION)) - pent.pw_lockout_duration = 0; - else - pent.pw_lockout_duration = entry->pw_lockout_duration; + if (!(mask & KADM5_PW_MAX_FAILURE)) + pent.pw_max_fail = 0; + else + pent.pw_max_fail = entry->pw_max_fail; + if (!(mask & KADM5_PW_FAILURE_COUNT_INTERVAL)) + pent.pw_failcnt_interval = 0; + else + pent.pw_failcnt_interval = entry->pw_failcnt_interval; + if (!(mask & KADM5_PW_LOCKOUT_DURATION)) + pent.pw_lockout_duration = 0; + else + pent.pw_lockout_duration = entry->pw_lockout_duration; } else { - pent.pw_max_fail = 0; - pent.pw_failcnt_interval = 0; - pent.pw_lockout_duration = 0; + pent.pw_max_fail = 0; + pent.pw_failcnt_interval = 0; + pent.pw_lockout_duration = 0; } if ((ret = krb5_db_create_policy(handle->context, &pent))) - return ret; + return ret; else - return KADM5_OK; + return KADM5_OK; } - + kadm5_ret_t kadm5_delete_policy(void *server_handle, kadm5_policy_t name) { kadm5_server_handle_t handle = server_handle; - osa_policy_ent_t entry; - int ret; + osa_policy_ent_t entry; + int ret; int cnt=1; CHECK_HANDLE(server_handle); @@ -179,102 +180,102 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name) krb5_clear_error_message(handle->context); if(name == (kadm5_policy_t) NULL) - return EINVAL; + return EINVAL; if(strlen(name) == 0) - return KADM5_BAD_POLICY; + return KADM5_BAD_POLICY; if((ret = krb5_db_get_policy(handle->context, name, &entry,&cnt))) - return ret; + return ret; if( cnt != 1 ) - return KADM5_UNK_POLICY; + return KADM5_UNK_POLICY; if(entry->policy_refcnt != 0) { - krb5_db_free_policy(handle->context, entry); - return KADM5_POLICY_REF; + krb5_db_free_policy(handle->context, entry); + return KADM5_POLICY_REF; } krb5_db_free_policy(handle->context, entry); if ((ret = krb5_db_delete_policy(handle->context, name))) - return ret; + return ret; else - return KADM5_OK; + return KADM5_OK; } kadm5_ret_t kadm5_modify_policy(void *server_handle, - kadm5_policy_ent_t entry, long mask) + kadm5_policy_ent_t entry, long mask) { CHECK_HANDLE(server_handle); krb5_clear_error_message(((kadm5_server_handle_t)server_handle)->context); if (mask & KADM5_REF_COUNT) - return KADM5_BAD_MASK; + return KADM5_BAD_MASK; else - return kadm5_modify_policy_internal(server_handle, entry, mask); + return kadm5_modify_policy_internal(server_handle, entry, mask); } kadm5_ret_t kadm5_modify_policy_internal(void *server_handle, - kadm5_policy_ent_t entry, long mask) + kadm5_policy_ent_t entry, long mask) { kadm5_server_handle_t handle = server_handle; - osa_policy_ent_t p; - int ret; + osa_policy_ent_t p; + int ret; int cnt=1; CHECK_HANDLE(server_handle); if((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL)) - return EINVAL; + return EINVAL; if(strlen(entry->policy) == 0) - return KADM5_BAD_POLICY; + return KADM5_BAD_POLICY; if((mask & KADM5_POLICY)) - return KADM5_BAD_MASK; - + return KADM5_BAD_MASK; + if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) - return ret; + return ret; if (cnt != 1) - return KADM5_UNK_POLICY; + return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) - p->pw_max_life = entry->pw_max_life; + p->pw_max_life = entry->pw_max_life; if ((mask & KADM5_PW_MIN_LIFE)) { - if(entry->pw_min_life > p->pw_max_life && p->pw_max_life != 0) { - krb5_db_free_policy(handle->context, p); - return KADM5_BAD_MIN_PASS_LIFE; - } - p->pw_min_life = entry->pw_min_life; + if(entry->pw_min_life > p->pw_max_life && p->pw_max_life != 0) { + krb5_db_free_policy(handle->context, p); + return KADM5_BAD_MIN_PASS_LIFE; + } + p->pw_min_life = entry->pw_min_life; } if ((mask & KADM5_PW_MIN_LENGTH)) { - if(entry->pw_min_length < MIN_PW_LENGTH) { - krb5_db_free_policy(handle->context, p); - return KADM5_BAD_LENGTH; - } - p->pw_min_length = entry->pw_min_length; + if(entry->pw_min_length < MIN_PW_LENGTH) { + krb5_db_free_policy(handle->context, p); + return KADM5_BAD_LENGTH; + } + p->pw_min_length = entry->pw_min_length; } if ((mask & KADM5_PW_MIN_CLASSES)) { - if(entry->pw_min_classes > MAX_PW_CLASSES || - entry->pw_min_classes < MIN_PW_CLASSES) { - krb5_db_free_policy(handle->context, p); - return KADM5_BAD_CLASS; - } - p->pw_min_classes = entry->pw_min_classes; + if(entry->pw_min_classes > MAX_PW_CLASSES || + entry->pw_min_classes < MIN_PW_CLASSES) { + krb5_db_free_policy(handle->context, p); + return KADM5_BAD_CLASS; + } + p->pw_min_classes = entry->pw_min_classes; } if ((mask & KADM5_PW_HISTORY_NUM)) { - if(entry->pw_history_num < MIN_PW_HISTORY) { - krb5_db_free_policy(handle->context, p); - return KADM5_BAD_HISTORY; - } - p->pw_history_num = entry->pw_history_num; + if(entry->pw_history_num < MIN_PW_HISTORY) { + krb5_db_free_policy(handle->context, p); + return KADM5_BAD_HISTORY; + } + p->pw_history_num = entry->pw_history_num; } if ((mask & KADM5_REF_COUNT)) - p->policy_refcnt = entry->policy_refcnt; + p->policy_refcnt = entry->policy_refcnt; if (handle->api_version == KADM5_API_VERSION_3) { - if ((mask & KADM5_PW_MAX_FAILURE)) - p->pw_max_fail = entry->pw_max_fail; - if ((mask & KADM5_PW_FAILURE_COUNT_INTERVAL)) - p->pw_failcnt_interval = entry->pw_failcnt_interval; - if ((mask & KADM5_PW_LOCKOUT_DURATION)) - p->pw_lockout_duration = entry->pw_lockout_duration; + if ((mask & KADM5_PW_MAX_FAILURE)) + p->pw_max_fail = entry->pw_max_fail; + if ((mask & KADM5_PW_FAILURE_COUNT_INTERVAL)) + p->pw_failcnt_interval = entry->pw_failcnt_interval; + if ((mask & KADM5_PW_LOCKOUT_DURATION)) + p->pw_lockout_duration = entry->pw_lockout_duration; } ret = krb5_db_put_policy(handle->context, p); krb5_db_free_policy(handle->context, p); @@ -283,10 +284,10 @@ kadm5_modify_policy_internal(void *server_handle, kadm5_ret_t kadm5_get_policy(void *server_handle, kadm5_policy_t name, - kadm5_policy_ent_t entry) + kadm5_policy_ent_t entry) { - osa_policy_ent_t t; - int ret; + osa_policy_ent_t t; + int ret; kadm5_server_handle_t handle = server_handle; int cnt=1; @@ -295,18 +296,18 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, krb5_clear_error_message(handle->context); if (name == (kadm5_policy_t) NULL) - return EINVAL; + return EINVAL; if(strlen(name) == 0) - return KADM5_BAD_POLICY; + return KADM5_BAD_POLICY; if((ret = krb5_db_get_policy(handle->context, name, &t, &cnt))) - return ret; + return ret; if( cnt != 1 ) - return KADM5_UNK_POLICY; + return KADM5_UNK_POLICY; if ((entry->policy = strdup(t->name)) == NULL) { - krb5_db_free_policy(handle->context, t); - return ENOMEM; + krb5_db_free_policy(handle->context, t); + return ENOMEM; } entry->pw_min_life = t->pw_min_life; entry->pw_max_life = t->pw_max_life; @@ -315,9 +316,9 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, entry->pw_history_num = t->pw_history_num; entry->policy_refcnt = t->policy_refcnt; if (handle->api_version == KADM5_API_VERSION_3) { - entry->pw_max_fail = t->pw_max_fail; - entry->pw_failcnt_interval = t->pw_failcnt_interval; - entry->pw_lockout_duration = t->pw_lockout_duration; + entry->pw_max_fail = t->pw_max_fail; + entry->pw_failcnt_interval = t->pw_failcnt_interval; + entry->pw_lockout_duration = t->pw_lockout_duration; } krb5_db_free_policy(handle->context, t); diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 40eea875b..a58c798ac 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -8,19 +9,19 @@ static char *rcsid = "$Header$"; #endif -#include -#include -#include -#include -#include -#include -#include -#include "server_internal.h" -#include -#include +#include +#include +#include +#include +#include +#include +#include +#include "server_internal.h" +#include +#include #ifdef USE_PASSWORD_SERVER -#include -#include +#include +#include #endif @@ -30,19 +31,19 @@ static char *rcsid = "$Header$"; #define VALGRIND_CHECK_DEFINED(LVALUE) ((void)0) #endif -extern krb5_principal master_princ; -extern krb5_principal hist_princ; -extern krb5_keyblock master_keyblock; +extern krb5_principal master_princ; +extern krb5_principal hist_princ; +extern krb5_keyblock master_keyblock; extern krb5_keylist_node *master_keylist; extern krb5_actkvno_node *active_mkey_list; -extern krb5_keyblock hist_key; -extern krb5_db_entry master_db; -extern krb5_db_entry hist_db; -extern krb5_kvno hist_kvno; +extern krb5_keyblock hist_key; +extern krb5_db_entry master_db; +extern krb5_db_entry hist_db; +extern krb5_kvno hist_kvno; static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey, - int n_key_data, krb5_key_data *key_data, - krb5_keyblock **keyblocks, int *n_keys); + int n_key_data, krb5_key_data *key_data, + krb5_keyblock **keyblocks, int *n_keys); static krb5_error_code kadm5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal *outprinc) @@ -61,7 +62,7 @@ kadm5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pr nelems = (int) krb5_princ_size(context, inprinc); tempprinc->data = krb5_db_alloc(context, NULL, nelems * sizeof(krb5_data)); if (tempprinc->data == 0) { - krb5_db_free(context, (char *)tempprinc); + krb5_db_free(context, (char *)tempprinc); return ENOMEM; } @@ -79,17 +80,17 @@ kadm5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pr if (len) memcpy(krb5_princ_component(context, tempprinc, i)->data, krb5_princ_component(context, inprinc, i)->data, len); - krb5_princ_component(context, tempprinc, i)->magic = KV5M_DATA; + krb5_princ_component(context, tempprinc, i)->magic = KV5M_DATA; } tempprinc->realm.data = - krb5_db_alloc(context, NULL, tempprinc->realm.length = inprinc->realm.length); + krb5_db_alloc(context, NULL, tempprinc->realm.length = inprinc->realm.length); if (!tempprinc->realm.data && tempprinc->realm.length) { - for (i = 0; i < nelems; i++) - krb5_db_free(context, krb5_princ_component(context, tempprinc, i)->data); - krb5_db_free(context, tempprinc->data); - krb5_db_free(context, tempprinc); - return ENOMEM; + for (i = 0; i < nelems; i++) + krb5_db_free(context, krb5_princ_component(context, tempprinc, i)->data); + krb5_db_free(context, tempprinc->data); + krb5_db_free(context, tempprinc); + return ENOMEM; } if (tempprinc->realm.length) memcpy(tempprinc->realm.data, inprinc->realm.data, @@ -122,90 +123,90 @@ kadm5_free_principal(krb5_context context, krb5_principal val) * XXX Functions that ought to be in libkrb5.a, but aren't. */ kadm5_ret_t krb5_copy_key_data_contents(context, from, to) - krb5_context context; - krb5_key_data *from, *to; + krb5_context context; + krb5_key_data *from, *to; { - int i, idx; - - *to = *from; - - idx = (from->key_data_ver == 1 ? 1 : 2); - - for (i = 0; i < idx; i++) { - if ( from->key_data_length[i] ) { - to->key_data_contents[i] = malloc(from->key_data_length[i]); - if (to->key_data_contents[i] == NULL) { - for (i = 0; i < idx; i++) { - if (to->key_data_contents[i]) { - memset(to->key_data_contents[i], 0, - to->key_data_length[i]); - free(to->key_data_contents[i]); - } - } - return ENOMEM; - } - memcpy(to->key_data_contents[i], from->key_data_contents[i], - from->key_data_length[i]); - } - } - return 0; + int i, idx; + + *to = *from; + + idx = (from->key_data_ver == 1 ? 1 : 2); + + for (i = 0; i < idx; i++) { + if ( from->key_data_length[i] ) { + to->key_data_contents[i] = malloc(from->key_data_length[i]); + if (to->key_data_contents[i] == NULL) { + for (i = 0; i < idx; i++) { + if (to->key_data_contents[i]) { + memset(to->key_data_contents[i], 0, + to->key_data_length[i]); + free(to->key_data_contents[i]); + } + } + return ENOMEM; + } + memcpy(to->key_data_contents[i], from->key_data_contents[i], + from->key_data_length[i]); + } + } + return 0; } static krb5_tl_data *dup_tl_data(krb5_tl_data *tl) { - krb5_tl_data *n; - - n = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)); - if (n == NULL) - return NULL; - n->tl_data_contents = malloc(tl->tl_data_length); - if (n->tl_data_contents == NULL) { - free(n); - return NULL; - } - memcpy(n->tl_data_contents, tl->tl_data_contents, tl->tl_data_length); - n->tl_data_type = tl->tl_data_type; - n->tl_data_length = tl->tl_data_length; - n->tl_data_next = NULL; - return n; + krb5_tl_data *n; + + n = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)); + if (n == NULL) + return NULL; + n->tl_data_contents = malloc(tl->tl_data_length); + if (n->tl_data_contents == NULL) { + free(n); + return NULL; + } + memcpy(n->tl_data_contents, tl->tl_data_contents, tl->tl_data_length); + n->tl_data_type = tl->tl_data_type; + n->tl_data_length = tl->tl_data_length; + n->tl_data_next = NULL; + return n; } /* This is in lib/kdb/kdb_cpw.c, but is static */ static void cleanup_key_data(context, count, data) - krb5_context context; - int count; - krb5_key_data * data; + krb5_context context; + int count; + krb5_key_data * data; { - int i, j; + int i, j; - for (i = 0; i < count; i++) - for (j = 0; j < data[i].key_data_ver; j++) - if (data[i].key_data_length[j]) - krb5_db_free(context, data[i].key_data_contents[j]); - krb5_db_free(context, data); + for (i = 0; i < count; i++) + for (j = 0; j < data[i].key_data_ver; j++) + if (data[i].key_data_length[j]) + krb5_db_free(context, data[i].key_data_contents[j]); + krb5_db_free(context, data); } kadm5_ret_t kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t entry, long mask, - char *password) + kadm5_principal_ent_t entry, long mask, + char *password) { return - kadm5_create_principal_3(server_handle, entry, mask, - 0, NULL, password); + kadm5_create_principal_3(server_handle, entry, mask, + 0, NULL, password); } kadm5_ret_t kadm5_create_principal_3(void *server_handle, - kadm5_principal_ent_t entry, long mask, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - char *password) + kadm5_principal_ent_t entry, long mask, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, + char *password) { - krb5_db_entry kdb; - osa_princ_ent_rec adb; - kadm5_policy_ent_rec polent; - krb5_int32 now; - krb5_tl_data *tl_data_orig, *tl_data_tail; - unsigned int ret; + krb5_db_entry kdb; + osa_princ_ent_rec adb; + kadm5_policy_ent_rec polent; + krb5_int32 now; + krb5_tl_data *tl_data_orig, *tl_data_tail; + unsigned int ret; kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; krb5_kvno act_kvno; @@ -223,11 +224,11 @@ kadm5_create_principal_3(void *server_handle, (mask & KADM5_AUX_ATTRIBUTES) || (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED) || (mask & KADM5_FAIL_AUTH_COUNT)) - return KADM5_BAD_MASK; + return KADM5_BAD_MASK; if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; + return KADM5_BAD_MASK; if (entry == NULL) - return EINVAL; + return EINVAL; /* * Check to see if the principal exists @@ -236,12 +237,12 @@ kadm5_create_principal_3(void *server_handle, switch(ret) { case KADM5_UNK_PRINC: - break; + break; case 0: - kdb_free_entry(handle, &kdb, &adb); - return KADM5_DUP; + kdb_free_entry(handle, &kdb, &adb); + return KADM5_DUP; default: - return ret; + return ret; } memset(&kdb, 0, sizeof(krb5_db_entry)); @@ -252,22 +253,22 @@ kadm5_create_principal_3(void *server_handle, * If we can not find the one specified return an error */ if ((mask & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, entry->policy, - &polent)) != KADM5_OK) { - if(ret == EINVAL) - return KADM5_BAD_POLICY; - else - return ret; - } + if ((ret = kadm5_get_policy(handle->lhandle, entry->policy, + &polent)) != KADM5_OK) { + if(ret == EINVAL) + return KADM5_BAD_POLICY; + else + return ret; + } } if (password) { - ret = passwd_check(handle, password, (mask & KADM5_POLICY), - &polent, entry->principal); - if (ret) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } + ret = passwd_check(handle, password, (mask & KADM5_POLICY), + &polent, entry->principal); + if (ret) { + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return ret; + } } /* * Start populating the various DB fields, using the @@ -275,43 +276,43 @@ kadm5_create_principal_3(void *server_handle, * mask. */ if ((ret = krb5_timeofday(handle->context, &now))) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return ret; } kdb.magic = KRB5_KDB_MAGIC_NUMBER; kdb.len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */ if ((mask & KADM5_ATTRIBUTES)) - kdb.attributes = entry->attributes; + kdb.attributes = entry->attributes; else - kdb.attributes = handle->params.flags; + kdb.attributes = handle->params.flags; if ((mask & KADM5_MAX_LIFE)) - kdb.max_life = entry->max_life; + kdb.max_life = entry->max_life; else - kdb.max_life = handle->params.max_life; + kdb.max_life = handle->params.max_life; if (mask & KADM5_MAX_RLIFE) - kdb.max_renewable_life = entry->max_renewable_life; + kdb.max_renewable_life = entry->max_renewable_life; else - kdb.max_renewable_life = handle->params.max_rlife; + kdb.max_renewable_life = handle->params.max_rlife; if ((mask & KADM5_PRINC_EXPIRE_TIME)) - kdb.expiration = entry->princ_expire_time; + kdb.expiration = entry->princ_expire_time; else - kdb.expiration = handle->params.expiration; + kdb.expiration = handle->params.expiration; kdb.pw_expiration = 0; if ((mask & KADM5_POLICY)) { - if(polent.pw_max_life) - kdb.pw_expiration = now + polent.pw_max_life; - else - kdb.pw_expiration = 0; + if(polent.pw_max_life) + kdb.pw_expiration = now + polent.pw_max_life; + else + kdb.pw_expiration = 0; } if ((mask & KADM5_PW_EXPIRATION)) - kdb.pw_expiration = entry->pw_expiration; + kdb.pw_expiration = entry->pw_expiration; kdb.last_success = 0; kdb.last_failed = 0; @@ -322,40 +323,40 @@ kadm5_create_principal_3(void *server_handle, principal. */ if ((ret = kadm5_copy_principal(handle->context, - entry->principal, &(kdb.princ)))) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); + entry->principal, &(kdb.princ)))) { + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return(ret); } if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); + krb5_db_free_principal(handle->context, &kdb, 1); + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return(ret); } if (mask & KADM5_TL_DATA) { - /* splice entry->tl_data onto the front of kdb.tl_data */ - tl_data_orig = kdb.tl_data; - for (tl_data_tail = entry->tl_data; tl_data_tail; - tl_data_tail = tl_data_tail->tl_data_next) - { - ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail); - if( ret ) - { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } - } + /* splice entry->tl_data onto the front of kdb.tl_data */ + tl_data_orig = kdb.tl_data; + for (tl_data_tail = entry->tl_data; tl_data_tail; + tl_data_tail = tl_data_tail->tl_data_next) + { + ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail); + if( ret ) + { + krb5_db_free_principal(handle->context, &kdb, 1); + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return ret; + } + } } /* initialize the keys */ ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_kvno, &act_mkey); + active_mkey_list, &act_kvno, &act_mkey); if (ret) { krb5_db_free_principal(handle->context, &kdb, 1); if (mask & KADM5_POLICY) @@ -364,33 +365,33 @@ kadm5_create_principal_3(void *server_handle, } if (password) { - ret = krb5_dbe_cpw(handle->context, act_mkey, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - password, (mask & KADM5_KVNO)?entry->kvno:1, - FALSE, &kdb); + ret = krb5_dbe_cpw(handle->context, act_mkey, + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + password, (mask & KADM5_KVNO)?entry->kvno:1, + FALSE, &kdb); } else { - /* Null password means create with random key (new in 1.8). */ - ret = krb5_dbe_crk(handle->context, &master_keyblock, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - FALSE, &kdb); + /* Null password means create with random key (new in 1.8). */ + ret = krb5_dbe_crk(handle->context, &master_keyblock, + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + FALSE, &kdb); } if (ret) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); + krb5_db_free_principal(handle->context, &kdb, 1); + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return(ret); } /* Record the master key VNO used to encrypt this entry's keys */ ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno); if (ret) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; + krb5_db_free_principal(handle->context, &kdb, 1); + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return ret; } /* populate the admin-server-specific fields. In the OV server, @@ -401,26 +402,26 @@ kadm5_create_principal_3(void *server_handle, adb.admin_history_kvno = hist_kvno; if ((mask & KADM5_POLICY)) { - adb.aux_attributes = KADM5_POLICY; + adb.aux_attributes = KADM5_POLICY; - /* this does *not* need to be strdup'ed, because adb is xdr */ - /* encoded in osa_adb_create_princ, and not ever freed */ + /* this does *not* need to be strdup'ed, because adb is xdr */ + /* encoded in osa_adb_create_princ, and not ever freed */ - adb.policy = entry->policy; + adb.policy = entry->policy; } /* increment the policy ref count, if any */ if ((mask & KADM5_POLICY)) { - polent.policy_refcnt++; - if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT)) - != KADM5_OK) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } + polent.policy_refcnt++; + if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, + KADM5_REF_COUNT)) + != KADM5_OK) { + krb5_db_free_principal(handle->context, &kdb, 1); + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return(ret); + } } /* In all cases key and the principal data is set, let the database provider know */ @@ -432,25 +433,25 @@ kadm5_create_principal_3(void *server_handle, krb5_db_free_principal(handle->context, &kdb, 1); if (ret) { - if ((mask & KADM5_POLICY)) { - /* decrement the policy ref count */ - - polent.policy_refcnt--; - /* - * if this fails, there's nothing we can do anyway. the - * policy refcount wil be too high. - */ - (void) kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT); - } - - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); + if ((mask & KADM5_POLICY)) { + /* decrement the policy ref count */ + + polent.policy_refcnt--; + /* + * if this fails, there's nothing we can do anyway. the + * policy refcount wil be too high. + */ + (void) kadm5_modify_policy_internal(handle->lhandle, &polent, + KADM5_REF_COUNT); + } + + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return(ret); } if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); + (void) kadm5_free_policy_ent(handle->lhandle, &polent); return KADM5_OK; } @@ -459,10 +460,10 @@ kadm5_create_principal_3(void *server_handle, kadm5_ret_t kadm5_delete_principal(void *server_handle, krb5_principal principal) { - unsigned int ret; - kadm5_policy_ent_rec polent; - krb5_db_entry kdb; - osa_princ_ent_rec adb; + unsigned int ret; + kadm5_policy_ent_rec polent; + krb5_db_entry kdb; + osa_princ_ent_rec adb; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -470,28 +471,28 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) krb5_clear_error_message(handle->context); if (principal == NULL) - return EINVAL; + return EINVAL; if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); + return(ret); if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, - adb.policy, &polent)) - == KADM5_OK) { - polent.policy_refcnt--; - if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT)) - != KADM5_OK) { - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - kdb_free_entry(handle, &kdb, &adb); - return(ret); - } - } - if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) { - kdb_free_entry(handle, &kdb, &adb); - return ret; - } + if ((ret = kadm5_get_policy(handle->lhandle, + adb.policy, &polent)) + == KADM5_OK) { + polent.policy_refcnt--; + if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, + KADM5_REF_COUNT)) + != KADM5_OK) { + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + kdb_free_entry(handle, &kdb, &adb); + return(ret); + } + } + if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) { + kdb_free_entry(handle, &kdb, &adb); + return ret; + } } ret = kdb_delete_entry(handle, principal); @@ -503,14 +504,14 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) kadm5_ret_t kadm5_modify_principal(void *server_handle, - kadm5_principal_ent_t entry, long mask) + kadm5_principal_ent_t entry, long mask) { - int ret, ret2, i; + int ret, ret2, i; kadm5_policy_ent_rec npol, opol; - int have_npol = 0, have_opol = 0; - krb5_db_entry kdb; - krb5_tl_data *tl_data_orig; - osa_princ_ent_rec adb; + int have_npol = 0, have_opol = 0; + krb5_db_entry kdb; + krb5_tl_data *tl_data_orig; + osa_princ_ent_rec adb; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -522,154 +523,154 @@ kadm5_modify_principal(void *server_handle, (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED)) - return KADM5_BAD_MASK; + return KADM5_BAD_MASK; if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; + return KADM5_BAD_MASK; if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) - return KADM5_BAD_MASK; + return KADM5_BAD_MASK; if(entry == (kadm5_principal_ent_t) NULL) - return EINVAL; + return EINVAL; if (mask & KADM5_TL_DATA) { - tl_data_orig = entry->tl_data; - while (tl_data_orig) { - if (tl_data_orig->tl_data_type < 256) - return KADM5_BAD_TL_TYPE; - tl_data_orig = tl_data_orig->tl_data_next; - } + tl_data_orig = entry->tl_data; + while (tl_data_orig) { + if (tl_data_orig->tl_data_type < 256) + return KADM5_BAD_TL_TYPE; + tl_data_orig = tl_data_orig->tl_data_next; + } } ret = kdb_get_entry(handle, entry->principal, &kdb, &adb); if (ret) - return(ret); + return(ret); /* * This is pretty much the same as create ... */ if ((mask & KADM5_POLICY)) { - /* get the new policy */ - ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol); - if (ret) { - switch (ret) { - case EINVAL: - ret = KADM5_BAD_POLICY; - break; - case KADM5_UNK_POLICY: - case KADM5_BAD_POLICY: - ret = KADM5_UNK_POLICY; - break; - } - goto done; - } - have_npol = 1; - - /* if we already have a policy, get it to decrement the refcnt */ - if(adb.aux_attributes & KADM5_POLICY) { - /* ... but not if the old and new are the same */ - if(strcmp(adb.policy, entry->policy)) { - ret = kadm5_get_policy(handle->lhandle, - adb.policy, &opol); - switch(ret) { - case EINVAL: - case KADM5_BAD_POLICY: - case KADM5_UNK_POLICY: - break; - case KADM5_OK: - have_opol = 1; - opol.policy_refcnt--; - break; - default: - goto done; - break; - } - npol.policy_refcnt++; - } - } else npol.policy_refcnt++; - - /* set us up to use the new policy */ - adb.aux_attributes |= KADM5_POLICY; - if (adb.policy) - free(adb.policy); - adb.policy = strdup(entry->policy); - - /* set pw_max_life based on new policy */ - if (npol.pw_max_life) { - ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, - &(kdb.pw_expiration)); - if (ret) - goto done; - kdb.pw_expiration += npol.pw_max_life; - } else { - kdb.pw_expiration = 0; - } + /* get the new policy */ + ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol); + if (ret) { + switch (ret) { + case EINVAL: + ret = KADM5_BAD_POLICY; + break; + case KADM5_UNK_POLICY: + case KADM5_BAD_POLICY: + ret = KADM5_UNK_POLICY; + break; + } + goto done; + } + have_npol = 1; + + /* if we already have a policy, get it to decrement the refcnt */ + if(adb.aux_attributes & KADM5_POLICY) { + /* ... but not if the old and new are the same */ + if(strcmp(adb.policy, entry->policy)) { + ret = kadm5_get_policy(handle->lhandle, + adb.policy, &opol); + switch(ret) { + case EINVAL: + case KADM5_BAD_POLICY: + case KADM5_UNK_POLICY: + break; + case KADM5_OK: + have_opol = 1; + opol.policy_refcnt--; + break; + default: + goto done; + break; + } + npol.policy_refcnt++; + } + } else npol.policy_refcnt++; + + /* set us up to use the new policy */ + adb.aux_attributes |= KADM5_POLICY; + if (adb.policy) + free(adb.policy); + adb.policy = strdup(entry->policy); + + /* set pw_max_life based on new policy */ + if (npol.pw_max_life) { + ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, + &(kdb.pw_expiration)); + if (ret) + goto done; + kdb.pw_expiration += npol.pw_max_life; + } else { + kdb.pw_expiration = 0; + } } if ((mask & KADM5_POLICY_CLR) && - (adb.aux_attributes & KADM5_POLICY)) { - ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol); - switch(ret) { - case EINVAL: - case KADM5_BAD_POLICY: - case KADM5_UNK_POLICY: - ret = KADM5_BAD_DB; - goto done; - break; - case KADM5_OK: - have_opol = 1; - if (adb.policy) - free(adb.policy); - adb.policy = NULL; - adb.aux_attributes &= ~KADM5_POLICY; - kdb.pw_expiration = 0; - opol.policy_refcnt--; - break; - default: - goto done; - break; - } + (adb.aux_attributes & KADM5_POLICY)) { + ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol); + switch(ret) { + case EINVAL: + case KADM5_BAD_POLICY: + case KADM5_UNK_POLICY: + ret = KADM5_BAD_DB; + goto done; + break; + case KADM5_OK: + have_opol = 1; + if (adb.policy) + free(adb.policy); + adb.policy = NULL; + adb.aux_attributes &= ~KADM5_POLICY; + kdb.pw_expiration = 0; + opol.policy_refcnt--; + break; + default: + goto done; + break; + } } if (((mask & KADM5_POLICY) || (mask & KADM5_POLICY_CLR)) && - (((have_opol) && - (ret = - kadm5_modify_policy_internal(handle->lhandle, &opol, - KADM5_REF_COUNT))) || - ((have_npol) && - (ret = - kadm5_modify_policy_internal(handle->lhandle, &npol, - KADM5_REF_COUNT))))) - goto done; + (((have_opol) && + (ret = + kadm5_modify_policy_internal(handle->lhandle, &opol, + KADM5_REF_COUNT))) || + ((have_npol) && + (ret = + kadm5_modify_policy_internal(handle->lhandle, &npol, + KADM5_REF_COUNT))))) + goto done; if ((mask & KADM5_ATTRIBUTES)) - kdb.attributes = entry->attributes; + kdb.attributes = entry->attributes; if ((mask & KADM5_MAX_LIFE)) - kdb.max_life = entry->max_life; + kdb.max_life = entry->max_life; if ((mask & KADM5_PRINC_EXPIRE_TIME)) - kdb.expiration = entry->princ_expire_time; + kdb.expiration = entry->princ_expire_time; if (mask & KADM5_PW_EXPIRATION) - kdb.pw_expiration = entry->pw_expiration; + kdb.pw_expiration = entry->pw_expiration; if (mask & KADM5_MAX_RLIFE) - kdb.max_renewable_life = entry->max_renewable_life; + kdb.max_renewable_life = entry->max_renewable_life; if((mask & KADM5_KVNO)) { - for (i = 0; i < kdb.n_key_data; i++) - kdb.key_data[i].key_data_kvno = entry->kvno; + for (i = 0; i < kdb.n_key_data; i++) + kdb.key_data[i].key_data_kvno = entry->kvno; } if (mask & KADM5_TL_DATA) { - krb5_tl_data *tl; - - /* may have to change the version number of the API. Updates the list with the given tl_data rather than over-writting */ - - for (tl = entry->tl_data; tl; - tl = tl->tl_data_next) - { - ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl); - if( ret ) - { - goto done; - } - } + krb5_tl_data *tl; + + /* may have to change the version number of the API. Updates the list with the given tl_data rather than over-writting */ + + for (tl = entry->tl_data; tl; + tl = tl->tl_data_next) + { + ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl); + if( ret ) + { + goto done; + } + } } /* @@ -678,12 +679,12 @@ kadm5_modify_principal(void *server_handle, * value using kadmin. */ if (mask & KADM5_FAIL_AUTH_COUNT) { - if (entry->fail_auth_count != 0) { - ret = KADM5_BAD_SERVER_PARAMS; - goto done; - } + if (entry->fail_auth_count != 0) { + ret = KADM5_BAD_SERVER_PARAMS; + goto done; + } - kdb.fail_auth_count = 0; + kdb.fail_auth_count = 0; } /* let the mask propagate to the database provider */ @@ -695,12 +696,12 @@ kadm5_modify_principal(void *server_handle, ret = KADM5_OK; done: if (have_opol) { - ret2 = kadm5_free_policy_ent(handle->lhandle, &opol); - ret = ret ? ret : ret2; + ret2 = kadm5_free_policy_ent(handle->lhandle, &opol); + ret = ret ? ret : ret2; } if (have_npol) { - ret2 = kadm5_free_policy_ent(handle->lhandle, &npol); - ret = ret ? ret : ret2; + ret2 = kadm5_free_policy_ent(handle->lhandle, &npol); + ret = ret ? ret : ret2; } kdb_free_entry(handle, &kdb, &adb); return ret; @@ -708,11 +709,11 @@ done: kadm5_ret_t kadm5_rename_principal(void *server_handle, - krb5_principal source, krb5_principal target) + krb5_principal source, krb5_principal target) { - krb5_db_entry kdb; - osa_princ_ent_rec adb; - int ret, i; + krb5_db_entry kdb; + osa_princ_ent_rec adb; + int ret, i; kadm5_server_handle_t handle = server_handle; CHECK_HANDLE(server_handle); @@ -720,35 +721,35 @@ kadm5_rename_principal(void *server_handle, krb5_clear_error_message(handle->context); if (source == NULL || target == NULL) - return EINVAL; + return EINVAL; if ((ret = kdb_get_entry(handle, target, &kdb, &adb)) == 0) { - kdb_free_entry(handle, &kdb, &adb); - return(KADM5_DUP); + kdb_free_entry(handle, &kdb, &adb); + return(KADM5_DUP); } if ((ret = kdb_get_entry(handle, source, &kdb, &adb))) - return ret; + return ret; /* this is kinda gross, but unavoidable */ for (i=0; icontext, kdb.princ); ret = kadm5_copy_principal(handle->context, target, &kdb.princ); if (ret) { - kdb.princ = NULL; /* so freeing the dbe doesn't lose */ - goto done; + kdb.princ = NULL; /* so freeing the dbe doesn't lose */ + goto done; } if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; + goto done; ret = kdb_delete_entry(handle, source); @@ -759,13 +760,13 @@ done: kadm5_ret_t kadm5_get_principal(void *server_handle, krb5_principal principal, - kadm5_principal_ent_t entry, - long in_mask) + kadm5_principal_ent_t entry, + long in_mask) { - krb5_db_entry kdb; - osa_princ_ent_rec adb; - krb5_error_code ret = 0; - long mask; + krb5_db_entry kdb; + osa_princ_ent_rec adb; + krb5_error_code ret = 0; + long mask; int i; kadm5_server_handle_t handle = server_handle; @@ -783,125 +784,125 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, memset(entry, 0, sizeof(*entry)); if (principal == NULL) - return EINVAL; + return EINVAL; if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return ret; + return ret; if ((mask & KADM5_POLICY) && - adb.policy && (adb.aux_attributes & KADM5_POLICY)) { - if ((entry->policy = strdup(adb.policy)) == NULL) { - ret = ENOMEM; - goto done; - } + adb.policy && (adb.aux_attributes & KADM5_POLICY)) { + if ((entry->policy = strdup(adb.policy)) == NULL) { + ret = ENOMEM; + goto done; + } } if (mask & KADM5_AUX_ATTRIBUTES) - entry->aux_attributes = adb.aux_attributes; + entry->aux_attributes = adb.aux_attributes; if ((mask & KADM5_PRINCIPAL) && - (ret = krb5_copy_principal(handle->context, kdb.princ, - &entry->principal))) { - goto done; + (ret = krb5_copy_principal(handle->context, kdb.princ, + &entry->principal))) { + goto done; } if (mask & KADM5_PRINC_EXPIRE_TIME) - entry->princ_expire_time = kdb.expiration; + entry->princ_expire_time = kdb.expiration; if ((mask & KADM5_LAST_PWD_CHANGE) && - (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, - &(entry->last_pwd_change)))) { - goto done; + (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, + &(entry->last_pwd_change)))) { + goto done; } if (mask & KADM5_PW_EXPIRATION) - entry->pw_expiration = kdb.pw_expiration; + entry->pw_expiration = kdb.pw_expiration; if (mask & KADM5_MAX_LIFE) - entry->max_life = kdb.max_life; + entry->max_life = kdb.max_life; /* this is a little non-sensical because the function returns two */ /* values that must be checked separately against the mask */ if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) { - ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb, - &(entry->mod_date), - &(entry->mod_name)); - if (ret) { - goto done; - } - - if (! (mask & KADM5_MOD_TIME)) - entry->mod_date = 0; - if (! (mask & KADM5_MOD_NAME)) { - krb5_free_principal(handle->context, entry->principal); - entry->principal = NULL; - } + ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb, + &(entry->mod_date), + &(entry->mod_name)); + if (ret) { + goto done; + } + + if (! (mask & KADM5_MOD_TIME)) + entry->mod_date = 0; + if (! (mask & KADM5_MOD_NAME)) { + krb5_free_principal(handle->context, entry->principal); + entry->principal = NULL; + } } if (mask & KADM5_ATTRIBUTES) - entry->attributes = kdb.attributes; + entry->attributes = kdb.attributes; if (mask & KADM5_KVNO) - for (entry->kvno = 0, i=0; i entry->kvno) - entry->kvno = kdb.key_data[i].key_data_kvno; + for (entry->kvno = 0, i=0; i entry->kvno) + entry->kvno = kdb.key_data[i].key_data_kvno; ret = krb5_dbe_lookup_mkvno(handle->context, &kdb, &entry->mkvno); if (ret) - goto done; + goto done; if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; + entry->max_renewable_life = kdb.max_renewable_life; if (mask & KADM5_LAST_SUCCESS) - entry->last_success = kdb.last_success; + entry->last_success = kdb.last_success; if (mask & KADM5_LAST_FAILED) - entry->last_failed = kdb.last_failed; + entry->last_failed = kdb.last_failed; if (mask & KADM5_FAIL_AUTH_COUNT) - entry->fail_auth_count = kdb.fail_auth_count; + entry->fail_auth_count = kdb.fail_auth_count; if (mask & KADM5_TL_DATA) { - krb5_tl_data *tl, *tl2; - - entry->tl_data = NULL; - - tl = kdb.tl_data; - while (tl) { - if (tl->tl_data_type > 255) { - if ((tl2 = dup_tl_data(tl)) == NULL) { - ret = ENOMEM; - goto done; - } - tl2->tl_data_next = entry->tl_data; - entry->tl_data = tl2; - entry->n_tl_data++; - } - - tl = tl->tl_data_next; - } + krb5_tl_data *tl, *tl2; + + entry->tl_data = NULL; + + tl = kdb.tl_data; + while (tl) { + if (tl->tl_data_type > 255) { + if ((tl2 = dup_tl_data(tl)) == NULL) { + ret = ENOMEM; + goto done; + } + tl2->tl_data_next = entry->tl_data; + entry->tl_data = tl2; + entry->n_tl_data++; + } + + tl = tl->tl_data_next; + } } if (mask & KADM5_KEY_DATA) { - entry->n_key_data = kdb.n_key_data; - if(entry->n_key_data) { - entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data)); - if (entry->key_data == NULL) { - ret = ENOMEM; - goto done; - } - } else - entry->key_data = NULL; - - for (i = 0; i < entry->n_key_data; i++) - ret = krb5_copy_key_data_contents(handle->context, - &kdb.key_data[i], - &entry->key_data[i]); - if (ret) - goto done; + entry->n_key_data = kdb.n_key_data; + if(entry->n_key_data) { + entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data)); + if (entry->key_data == NULL) { + ret = ENOMEM; + goto done; + } + } else + entry->key_data = NULL; + + for (i = 0; i < entry->n_key_data; i++) + ret = krb5_copy_key_data_contents(handle->context, + &kdb.key_data[i], + &entry->key_data[i]); + if (ret) + goto done; } ret = KADM5_OK; done: if (ret && entry->principal) { - krb5_free_principal(handle->context, entry->principal); - entry->principal = NULL; + krb5_free_principal(handle->context, entry->principal); + entry->principal = NULL; } kdb_free_entry(handle, &kdb, &adb); @@ -916,66 +917,66 @@ done: * * Arguments: * - * context (r) the krb5 context - * hist_keyblock (r) the key that hist_key_data is - * encrypted in - * n_new_key_data (r) length of new_key_data - * new_key_data (r) keys to check against - * pw_hist_data, encrypted in hist_keyblock - * n_pw_hist_data (r) length of pw_hist_data - * pw_hist_data (r) passwords to check new_key_data against + * context (r) the krb5 context + * hist_keyblock (r) the key that hist_key_data is + * encrypted in + * n_new_key_data (r) length of new_key_data + * new_key_data (r) keys to check against + * pw_hist_data, encrypted in hist_keyblock + * n_pw_hist_data (r) length of pw_hist_data + * pw_hist_data (r) passwords to check new_key_data against * * Effects: * For each new_key in new_key_data: - * decrypt new_key with the master_keyblock - * for each password in pw_hist_data: - * for each hist_key in password: - * decrypt hist_key with hist_keyblock - * compare the new_key and hist_key + * decrypt new_key with the master_keyblock + * for each password in pw_hist_data: + * for each hist_key in password: + * decrypt hist_key with hist_keyblock + * compare the new_key and hist_key * * Returns krb5 errors, KADM5_PASS_RESUSE if a key in * new_key_data is the same as a key in pw_hist_data, or 0. */ static kadm5_ret_t check_pw_reuse(krb5_context context, - krb5_keyblock *mkey, - krb5_keyblock *hist_keyblock, - int n_new_key_data, krb5_key_data *new_key_data, - unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data) + krb5_keyblock *mkey, + krb5_keyblock *hist_keyblock, + int n_new_key_data, krb5_key_data *new_key_data, + unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data) { int x, y, z; krb5_keyblock newkey, histkey; krb5_error_code ret; for (x = 0; x < n_new_key_data; x++) { - ret = krb5_dbekd_decrypt_key_data(context, - mkey, - &(new_key_data[x]), - &newkey, NULL); - if (ret) - return(ret); - for (y = 0; y < n_pw_hist_data; y++) { - for (z = 0; z < pw_hist_data[y].n_key_data; z++) { - ret = krb5_dbekd_decrypt_key_data(context, - hist_keyblock, - &pw_hist_data[y].key_data[z], - &histkey, NULL); - if (ret) - return(ret); - - if ((newkey.length == histkey.length) && - (newkey.enctype == histkey.enctype) && - (memcmp(newkey.contents, histkey.contents, - histkey.length) == 0)) { - krb5_free_keyblock_contents(context, &histkey); - krb5_free_keyblock_contents(context, &newkey); - - return(KADM5_PASS_REUSE); - } - krb5_free_keyblock_contents(context, &histkey); - } - } - krb5_free_keyblock_contents(context, &newkey); + ret = krb5_dbekd_decrypt_key_data(context, + mkey, + &(new_key_data[x]), + &newkey, NULL); + if (ret) + return(ret); + for (y = 0; y < n_pw_hist_data; y++) { + for (z = 0; z < pw_hist_data[y].n_key_data; z++) { + ret = krb5_dbekd_decrypt_key_data(context, + hist_keyblock, + &pw_hist_data[y].key_data[z], + &histkey, NULL); + if (ret) + return(ret); + + if ((newkey.length == histkey.length) && + (newkey.enctype == histkey.enctype) && + (memcmp(newkey.contents, histkey.contents, + histkey.length) == 0)) { + krb5_free_keyblock_contents(context, &histkey); + krb5_free_keyblock_contents(context, &newkey); + + return(KADM5_PASS_REUSE); + } + krb5_free_keyblock_contents(context, &histkey); + } + } + krb5_free_keyblock_contents(context, &newkey); } return(0); @@ -989,10 +990,10 @@ check_pw_reuse(krb5_context context, * * Arguments: * - * context (r) krb5_context to use - * n_key_data (r) number of elements in key_data - * key_data (r) keys to add to the history entry - * hist (w) history entry to fill in + * context (r) krb5_context to use + * n_key_data (r) number of elements in key_data + * key_data (r) keys to add to the history entry + * hist (w) history entry to fill in * * Effects: * @@ -1003,48 +1004,48 @@ check_pw_reuse(krb5_context context, */ static int create_history_entry(krb5_context context, krb5_keyblock *mkey, int n_key_data, - krb5_key_data *key_data, osa_pw_hist_ent *hist) + krb5_key_data *key_data, osa_pw_hist_ent *hist) { - int i, ret; - krb5_keyblock key; - krb5_keysalt salt; - - hist->key_data = (krb5_key_data*)malloc(n_key_data*sizeof(krb5_key_data)); - if (hist->key_data == NULL) - return ENOMEM; - memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data)); - - for (i = 0; i < n_key_data; i++) { - ret = krb5_dbekd_decrypt_key_data(context, - mkey, - &key_data[i], - &key, &salt); - if (ret) - return ret; - - ret = krb5_dbekd_encrypt_key_data(context, &hist_key, - &key, &salt, - key_data[i].key_data_kvno, - &hist->key_data[i]); - if (ret) - return ret; - - krb5_free_keyblock_contents(context, &key); - /* krb5_free_keysalt(context, &salt); */ - } - - hist->n_key_data = n_key_data; - return 0; + int i, ret; + krb5_keyblock key; + krb5_keysalt salt; + + hist->key_data = (krb5_key_data*)malloc(n_key_data*sizeof(krb5_key_data)); + if (hist->key_data == NULL) + return ENOMEM; + memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data)); + + for (i = 0; i < n_key_data; i++) { + ret = krb5_dbekd_decrypt_key_data(context, + mkey, + &key_data[i], + &key, &salt); + if (ret) + return ret; + + ret = krb5_dbekd_encrypt_key_data(context, &hist_key, + &key, &salt, + key_data[i].key_data_kvno, + &hist->key_data[i]); + if (ret) + return ret; + + krb5_free_keyblock_contents(context, &key); + /* krb5_free_keysalt(context, &salt); */ + } + + hist->n_key_data = n_key_data; + return 0; } static void free_history_entry(krb5_context context, osa_pw_hist_ent *hist) { - int i; + int i; - for (i = 0; i < hist->n_key_data; i++) - krb5_free_key_data_contents(context, &hist->key_data[i]); - free(hist->key_data); + for (i = 0; i < hist->n_key_data; i++) + krb5_free_key_data_contents(context, &hist->key_data[i]); + free(hist->key_data); } /* @@ -1054,10 +1055,10 @@ void free_history_entry(krb5_context context, osa_pw_hist_ent *hist) * * Arguments: * - * context (r) krb5_context to use - * adb (r/w) admin principal entry to add keys to - * pol (r) adb's policy - * pw (r) keys for the password to add to adb's key history + * context (r) krb5_context to use + * adb (r/w) admin principal entry to add keys to + * pol (r) adb's policy + * pw (r) keys for the password to add to adb's key history * * Effects: * @@ -1074,111 +1075,111 @@ void free_history_entry(krb5_context context, osa_pw_hist_ent *hist) * adb->old_key_len). */ static kadm5_ret_t add_to_history(krb5_context context, - osa_princ_ent_t adb, - kadm5_policy_ent_t pol, - osa_pw_hist_ent *pw) + osa_princ_ent_t adb, + kadm5_policy_ent_t pol, + osa_pw_hist_ent *pw) { - osa_pw_hist_ent *histp; - uint32_t nhist; - unsigned int i, knext, nkeys; - - nhist = pol->pw_history_num; - /* A history of 1 means just check the current password */ - if (nhist <= 1) - return 0; - - nkeys = adb->old_key_len; - knext = adb->old_key_next; - /* resize the adb->old_keys array if necessary */ - if (nkeys + 1 < nhist) { - if (adb->old_keys == NULL) { - adb->old_keys = (osa_pw_hist_ent *) - malloc((nkeys + 1) * sizeof (osa_pw_hist_ent)); - } else { - adb->old_keys = (osa_pw_hist_ent *) - realloc(adb->old_keys, - (nkeys + 1) * sizeof (osa_pw_hist_ent)); - } - if (adb->old_keys == NULL) - return(ENOMEM); - - memset(&adb->old_keys[nkeys], 0, sizeof(osa_pw_hist_ent)); - nkeys = ++adb->old_key_len; - /* - * To avoid losing old keys, shift forward each entry after - * knext. - */ - for (i = nkeys - 1; i > knext; i--) { - adb->old_keys[i] = adb->old_keys[i - 1]; - } - memset(&adb->old_keys[knext], 0, sizeof(osa_pw_hist_ent)); - } else if (nkeys + 1 > nhist) { - /* - * The policy must have changed! Shrink the array. - * Can't simply realloc() down, since it might be wrapped. - * To understand the arithmetic below, note that we are - * copying into new positions 0 .. N-1 from old positions - * old_key_next-N .. old_key_next-1, modulo old_key_len, - * where N = pw_history_num - 1 is the length of the - * shortened list. Matt Crawford, FNAL - */ - /* - * M = adb->old_key_len, N = pol->pw_history_num - 1 - * - * tmp[0] .. tmp[N-1] = old[(knext-N)%M] .. old[(knext-1)%M] - */ - int j; - osa_pw_hist_t tmp; - - tmp = (osa_pw_hist_ent *) - malloc((nhist - 1) * sizeof (osa_pw_hist_ent)); - if (tmp == NULL) - return ENOMEM; - for (i = 0; i < nhist - 1; i++) { - /* - * Add nkeys once before taking remainder to avoid - * negative values. - */ - j = (i + nkeys + knext - (nhist - 1)) % nkeys; - tmp[i] = adb->old_keys[j]; - } - /* Now free the ones we don't keep (the oldest ones) */ - for (i = 0; i < nkeys - (nhist - 1); i++) { - j = (i + nkeys + knext) % nkeys; - histp = &adb->old_keys[j]; - for (j = 0; j < histp->n_key_data; j++) { - krb5_free_key_data_contents(context, &histp->key_data[j]); - } - free(histp->key_data); - } - free(adb->old_keys); - adb->old_keys = tmp; - nkeys = adb->old_key_len = nhist - 1; - knext = adb->old_key_next = 0; - } - - /* - * If nhist decreased since the last password change, and nkeys+1 - * is less than the previous nhist, it is possible for knext to - * index into unallocated space. This condition would not be - * caught by the resizing code above. - */ - if (knext + 1 > nkeys) - knext = adb->old_key_next = 0; - /* free the old pw history entry if it contains data */ - histp = &adb->old_keys[knext]; - for (i = 0; i < histp->n_key_data; i++) - krb5_free_key_data_contents(context, &histp->key_data[i]); - free(histp->key_data); - - /* store the new entry */ - adb->old_keys[knext] = *pw; - - /* update the next pointer */ - if (++adb->old_key_next == nhist - 1) - adb->old_key_next = 0; - - return(0); + osa_pw_hist_ent *histp; + uint32_t nhist; + unsigned int i, knext, nkeys; + + nhist = pol->pw_history_num; + /* A history of 1 means just check the current password */ + if (nhist <= 1) + return 0; + + nkeys = adb->old_key_len; + knext = adb->old_key_next; + /* resize the adb->old_keys array if necessary */ + if (nkeys + 1 < nhist) { + if (adb->old_keys == NULL) { + adb->old_keys = (osa_pw_hist_ent *) + malloc((nkeys + 1) * sizeof (osa_pw_hist_ent)); + } else { + adb->old_keys = (osa_pw_hist_ent *) + realloc(adb->old_keys, + (nkeys + 1) * sizeof (osa_pw_hist_ent)); + } + if (adb->old_keys == NULL) + return(ENOMEM); + + memset(&adb->old_keys[nkeys], 0, sizeof(osa_pw_hist_ent)); + nkeys = ++adb->old_key_len; + /* + * To avoid losing old keys, shift forward each entry after + * knext. + */ + for (i = nkeys - 1; i > knext; i--) { + adb->old_keys[i] = adb->old_keys[i - 1]; + } + memset(&adb->old_keys[knext], 0, sizeof(osa_pw_hist_ent)); + } else if (nkeys + 1 > nhist) { + /* + * The policy must have changed! Shrink the array. + * Can't simply realloc() down, since it might be wrapped. + * To understand the arithmetic below, note that we are + * copying into new positions 0 .. N-1 from old positions + * old_key_next-N .. old_key_next-1, modulo old_key_len, + * where N = pw_history_num - 1 is the length of the + * shortened list. Matt Crawford, FNAL + */ + /* + * M = adb->old_key_len, N = pol->pw_history_num - 1 + * + * tmp[0] .. tmp[N-1] = old[(knext-N)%M] .. old[(knext-1)%M] + */ + int j; + osa_pw_hist_t tmp; + + tmp = (osa_pw_hist_ent *) + malloc((nhist - 1) * sizeof (osa_pw_hist_ent)); + if (tmp == NULL) + return ENOMEM; + for (i = 0; i < nhist - 1; i++) { + /* + * Add nkeys once before taking remainder to avoid + * negative values. + */ + j = (i + nkeys + knext - (nhist - 1)) % nkeys; + tmp[i] = adb->old_keys[j]; + } + /* Now free the ones we don't keep (the oldest ones) */ + for (i = 0; i < nkeys - (nhist - 1); i++) { + j = (i + nkeys + knext) % nkeys; + histp = &adb->old_keys[j]; + for (j = 0; j < histp->n_key_data; j++) { + krb5_free_key_data_contents(context, &histp->key_data[j]); + } + free(histp->key_data); + } + free(adb->old_keys); + adb->old_keys = tmp; + nkeys = adb->old_key_len = nhist - 1; + knext = adb->old_key_next = 0; + } + + /* + * If nhist decreased since the last password change, and nkeys+1 + * is less than the previous nhist, it is possible for knext to + * index into unallocated space. This condition would not be + * caught by the resizing code above. + */ + if (knext + 1 > nkeys) + knext = adb->old_key_next = 0; + /* free the old pw history entry if it contains data */ + histp = &adb->old_keys[knext]; + for (i = 0; i < histp->n_key_data; i++) + krb5_free_key_data_contents(context, &histp->key_data[i]); + free(histp->key_data); + + /* store the new entry */ + adb->old_keys[knext] = *pw; + + /* update the next pointer */ + if (++adb->old_key_next == nhist - 1) + adb->old_key_next = 0; + + return(0); } /* FIXME: don't use global variable for this */ @@ -1221,22 +1222,22 @@ kadm5_launch_task (krb5_context context, ret = pipe (data_pipe); if (ret) - ret = errno; + ret = errno; if (!ret) { pid_t pid = fork (); if (pid == -1) { ret = errno; - close (data_pipe[0]); - close (data_pipe[1]); + close (data_pipe[0]); + close (data_pipe[1]); } else if (pid == 0) { /* The child: */ if (dup2 (data_pipe[0], STDIN_FILENO) == -1) - _exit (1); + _exit (1); - close (data_pipe[0]); - close (data_pipe[1]); + close (data_pipe[0]); + close (data_pipe[1]); execv (task_path, task_argv); @@ -1245,21 +1246,21 @@ kadm5_launch_task (krb5_context context, /* The parent: */ int status; - ret = 0; + ret = 0; - close (data_pipe[0]); + close (data_pipe[0]); - /* Write out the buffer to the child, add \n */ - if (buffer) { - if (krb5_net_write (context, data_pipe[1], buffer, strlen (buffer)) < 0 - || krb5_net_write (context, data_pipe[1], "\n", 1) < 0) - { - /* kill the child to make sure waitpid() won't hang later */ - ret = errno; - kill (pid, SIGKILL); - } - } - close (data_pipe[1]); + /* Write out the buffer to the child, add \n */ + if (buffer) { + if (krb5_net_write (context, data_pipe[1], buffer, strlen (buffer)) < 0 + || krb5_net_write (context, data_pipe[1], "\n", 1) < 0) + { + /* kill the child to make sure waitpid() won't hang later */ + ret = errno; + kill (pid, SIGKILL); + } + } + close (data_pipe[1]); waitpid (pid, &status, 0); @@ -1267,7 +1268,7 @@ kadm5_launch_task (krb5_context context, if (WIFEXITED (status)) { /* child read password and exited. Check the return value. */ if ((WEXITSTATUS (status) != 0) && (WEXITSTATUS (status) != 252)) { - ret = KRB5KDC_ERR_POLICY; /* password change rejected */ + ret = KRB5KDC_ERR_POLICY; /* password change rejected */ } } else { /* child read password but crashed or was killed */ @@ -1284,27 +1285,27 @@ kadm5_launch_task (krb5_context context, kadm5_ret_t kadm5_chpass_principal(void *server_handle, - krb5_principal principal, char *password) + krb5_principal principal, char *password) { return - kadm5_chpass_principal_3(server_handle, principal, FALSE, - 0, NULL, password); + kadm5_chpass_principal_3(server_handle, principal, FALSE, + 0, NULL, password); } kadm5_ret_t kadm5_chpass_principal_3(void *server_handle, - krb5_principal principal, krb5_boolean keepold, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - char *password) + krb5_principal principal, krb5_boolean keepold, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, + char *password) { - krb5_int32 now; - kadm5_policy_ent_rec pol; - osa_princ_ent_rec adb; - krb5_db_entry kdb, kdb_save; - int ret, ret2, last_pwd, hist_added; - int have_pol = 0; - kadm5_server_handle_t handle = server_handle; - osa_pw_hist_ent hist; + krb5_int32 now; + kadm5_policy_ent_rec pol; + osa_princ_ent_rec adb; + krb5_db_entry kdb, kdb_save; + int ret, ret2, last_pwd, hist_added; + int have_pol = 0; + kadm5_server_handle_t handle = server_handle; + osa_pw_hist_ent hist; krb5_keyblock *act_mkey; krb5_kvno act_kvno; @@ -1316,112 +1317,112 @@ kadm5_chpass_principal_3(void *server_handle, memset(&hist, 0, sizeof(hist)); if (principal == NULL || password == NULL) - return EINVAL; + return EINVAL; if ((krb5_principal_compare(handle->context, - principal, hist_princ)) == TRUE) - return KADM5_PROTECT_PRINCIPAL; + principal, hist_princ)) == TRUE) + return KADM5_PROTECT_PRINCIPAL; if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); + return(ret); /* we are going to need the current keys after the new keys are set */ if ((ret = kdb_get_entry(handle, principal, &kdb_save, NULL))) { - kdb_free_entry(handle, &kdb, &adb); - return(ret); + kdb_free_entry(handle, &kdb, &adb); + return(ret); } if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol))) - goto done; - have_pol = 1; + if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol))) + goto done; + have_pol = 1; } if ((ret = passwd_check(handle, password, adb.aux_attributes & - KADM5_POLICY, &pol, principal))) - goto done; + KADM5_POLICY, &pol, principal))) + goto done; ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_kvno, &act_mkey); + active_mkey_list, &act_kvno, &act_mkey); if (ret) - goto done; + goto done; ret = krb5_dbe_cpw(handle->context, act_mkey, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - password, 0 /* increment kvno */, - keepold, &kdb); + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + password, 0 /* increment kvno */, + keepold, &kdb); if (ret) - goto done; + goto done; ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno); if (ret) - goto done; + goto done; kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; ret = krb5_timeofday(handle->context, &now); if (ret) - goto done; + goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - /* the policy was loaded before */ + /* the policy was loaded before */ - ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd); - if (ret) - goto done; + ret = krb5_dbe_lookup_last_pwd_change(handle->context, + &kdb, &last_pwd); + if (ret) + goto done; #if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if ((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } + /* + * The spec says this check is overridden if the caller has + * modify privilege. The admin server therefore makes this + * check itself (in chpass_principal_wrapper, misc.c). A + * local caller implicitly has all authorization bits. + */ + if ((now - last_pwd) < pol.pw_min_life && + !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + ret = KADM5_PASS_TOOSOON; + goto done; + } #endif - ret = create_history_entry(handle->context, - act_mkey, - kdb_save.n_key_data, - kdb_save.key_data, &hist); - if (ret) - goto done; - - ret = check_pw_reuse(handle->context, act_mkey, &hist_key, - kdb.n_key_data, kdb.key_data, - 1, &hist); - if (ret) - goto done; - - if (pol.pw_history_num > 1) { - if (adb.admin_history_kvno != hist_kvno) { - ret = KADM5_BAD_HIST_KEY; - goto done; - } - - ret = check_pw_reuse(handle->context, act_mkey, &hist_key, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys); - if (ret) - goto done; - - ret = add_to_history(handle->context, &adb, &pol, &hist); - if (ret) - goto done; - hist_added = 1; - } - - if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; - else - kdb.pw_expiration = 0; + ret = create_history_entry(handle->context, + act_mkey, + kdb_save.n_key_data, + kdb_save.key_data, &hist); + if (ret) + goto done; + + ret = check_pw_reuse(handle->context, act_mkey, &hist_key, + kdb.n_key_data, kdb.key_data, + 1, &hist); + if (ret) + goto done; + + if (pol.pw_history_num > 1) { + if (adb.admin_history_kvno != hist_kvno) { + ret = KADM5_BAD_HIST_KEY; + goto done; + } + + ret = check_pw_reuse(handle->context, act_mkey, &hist_key, + kdb.n_key_data, kdb.key_data, + adb.old_key_len, adb.old_keys); + if (ret) + goto done; + + ret = add_to_history(handle->context, &adb, &pol, &hist); + if (ret) + goto done; + hist_added = 1; + } + + if (pol.pw_max_life) + kdb.pw_expiration = now + pol.pw_max_life; + else + kdb.pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb.pw_expiration = 0; } #ifdef USE_PASSWORD_SERVER @@ -1455,169 +1456,169 @@ kadm5_chpass_principal_3(void *server_handle, ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); if (ret) - goto done; + goto done; /* unlock principal on this KDC */ kdb.fail_auth_count = 0; /* key data and attributes changed, let the database provider know */ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | - KADM5_FAIL_AUTH_COUNT; - /* | KADM5_CPW_FUNCTION */ + KADM5_FAIL_AUTH_COUNT; + /* | KADM5_CPW_FUNCTION */ if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; + goto done; ret = KADM5_OK; done: if (!hist_added && hist.key_data) - free_history_entry(handle->context, &hist); + free_history_entry(handle->context, &hist); kdb_free_entry(handle, &kdb, &adb); kdb_free_entry(handle, &kdb_save, NULL); krb5_db_free_principal(handle->context, &kdb, 1); if (have_pol && (ret2 = kadm5_free_policy_ent(handle->lhandle, &pol)) - && !ret) - ret = ret2; + && !ret) + ret = ret2; return ret; } kadm5_ret_t kadm5_randkey_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock **keyblocks, - int *n_keys) + krb5_principal principal, + krb5_keyblock **keyblocks, + int *n_keys) { return - kadm5_randkey_principal_3(server_handle, principal, - FALSE, 0, NULL, - keyblocks, n_keys); + kadm5_randkey_principal_3(server_handle, principal, + FALSE, 0, NULL, + keyblocks, n_keys); } kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **keyblocks, - int *n_keys) + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, + krb5_keyblock **keyblocks, + int *n_keys) { - krb5_db_entry kdb; - osa_princ_ent_rec adb; - krb5_int32 now; - kadm5_policy_ent_rec pol; - int ret, last_pwd, have_pol = 0; - kadm5_server_handle_t handle = server_handle; + krb5_db_entry kdb; + osa_princ_ent_rec adb; + krb5_int32 now; + kadm5_policy_ent_rec pol; + int ret, last_pwd, have_pol = 0; + kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; if (keyblocks) - *keyblocks = NULL; + *keyblocks = NULL; CHECK_HANDLE(server_handle); krb5_clear_error_message(handle->context); if (principal == NULL) - return EINVAL; + return EINVAL; if (hist_princ && /* this will be NULL when initializing the databse */ - ((krb5_principal_compare(handle->context, - principal, hist_princ)) == TRUE)) - return KADM5_PROTECT_PRINCIPAL; + ((krb5_principal_compare(handle->context, + principal, hist_princ)) == TRUE)) + return KADM5_PROTECT_PRINCIPAL; if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); + return(ret); ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, NULL, &act_mkey); + active_mkey_list, NULL, &act_mkey); if (ret) - goto done; + goto done; ret = krb5_dbe_crk(handle->context, act_mkey, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - keepold, - &kdb); + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + keepold, + &kdb); if (ret) - goto done; + goto done; kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; ret = krb5_timeofday(handle->context, &now); if (ret) - goto done; + goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, - &pol)) != KADM5_OK) - goto done; - have_pol = 1; + if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, + &pol)) != KADM5_OK) + goto done; + have_pol = 1; - ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd); - if (ret) - goto done; + ret = krb5_dbe_lookup_last_pwd_change(handle->context, + &kdb, &last_pwd); + if (ret) + goto done; #if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } + /* + * The spec says this check is overridden if the caller has + * modify privilege. The admin server therefore makes this + * check itself (in chpass_principal_wrapper, misc.c). A + * local caller implicitly has all authorization bits. + */ + if((now - last_pwd) < pol.pw_min_life && + !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + ret = KADM5_PASS_TOOSOON; + goto done; + } #endif - if(pol.pw_history_num > 1) { - if(adb.admin_history_kvno != hist_kvno) { - ret = KADM5_BAD_HIST_KEY; - goto done; - } - - ret = check_pw_reuse(handle->context, act_mkey, &hist_key, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys); - if (ret) - goto done; - } - if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; - else - kdb.pw_expiration = 0; + if(pol.pw_history_num > 1) { + if(adb.admin_history_kvno != hist_kvno) { + ret = KADM5_BAD_HIST_KEY; + goto done; + } + + ret = check_pw_reuse(handle->context, act_mkey, &hist_key, + kdb.n_key_data, kdb.key_data, + adb.old_key_len, adb.old_keys); + if (ret) + goto done; + } + if (pol.pw_max_life) + kdb.pw_expiration = now + pol.pw_max_life; + else + kdb.pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb.pw_expiration = 0; } ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); if (ret) - goto done; + goto done; /* unlock principal on this KDC */ kdb.fail_auth_count = 0; - if (keyblocks) { - ret = decrypt_key_data(handle->context, act_mkey, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; + if (keyblocks) { + ret = decrypt_key_data(handle->context, act_mkey, + kdb.n_key_data, kdb.key_data, + keyblocks, n_keys); + if (ret) + goto done; } /* key data changed, let the database provider know */ kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; - /* | KADM5_RANDKEY_USED */; + /* | KADM5_RANDKEY_USED */; if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; + goto done; ret = KADM5_OK; done: kdb_free_entry(handle, &kdb, &adb); if (have_pol) - kadm5_free_policy_ent(handle->lhandle, &pol); + kadm5_free_policy_ent(handle->lhandle, &pol); return ret; } @@ -1631,19 +1632,19 @@ done: */ kadm5_ret_t kadm5_setv4key_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock *keyblock) + krb5_principal principal, + krb5_keyblock *keyblock) { - krb5_db_entry kdb; - osa_princ_ent_rec adb; - krb5_int32 now; - kadm5_policy_ent_rec pol; - krb5_keysalt keysalt; - int i, k, kvno, ret, have_pol = 0; + krb5_db_entry kdb; + osa_princ_ent_rec adb; + krb5_int32 now; + kadm5_policy_ent_rec pol; + krb5_keysalt keysalt; + int i, k, kvno, ret, have_pol = 0; #if 0 int last_pwd; #endif - kadm5_server_handle_t handle = server_handle; + kadm5_server_handle_t handle = server_handle; krb5_key_data tmp_key_data; krb5_keyblock *act_mkey; @@ -1654,28 +1655,28 @@ kadm5_setv4key_principal(void *server_handle, krb5_clear_error_message(handle->context); if (principal == NULL || keyblock == NULL) - return EINVAL; + return EINVAL; if (hist_princ && /* this will be NULL when initializing the databse */ - ((krb5_principal_compare(handle->context, - principal, hist_princ)) == TRUE)) - return KADM5_PROTECT_PRINCIPAL; + ((krb5_principal_compare(handle->context, + principal, hist_princ)) == TRUE)) + return KADM5_PROTECT_PRINCIPAL; if (keyblock->enctype != ENCTYPE_DES_CBC_CRC) - return KADM5_SETV4KEY_INVAL_ENCTYPE; + return KADM5_SETV4KEY_INVAL_ENCTYPE; if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); + return(ret); for (kvno = 0, i=0; i kvno) - kvno = kdb.key_data[i].key_data_kvno; + if (kdb.key_data[i].key_data_kvno > kvno) + kvno = kdb.key_data[i].key_data_kvno; if (kdb.key_data != NULL) - cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); + cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data)); if (kdb.key_data == NULL) - return ENOMEM; + return ENOMEM; memset(kdb.key_data, 0, sizeof(krb5_key_data)); kdb.n_key_data = 1; keysalt.type = KRB5_KDB_SALTTYPE_V4; @@ -1684,36 +1685,36 @@ kadm5_setv4key_principal(void *server_handle, keysalt.data.data = NULL; ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, NULL, &act_mkey); + active_mkey_list, NULL, &act_mkey); if (ret) - goto done; + goto done; /* use tmp_key_data as temporary location and reallocate later */ ret = krb5_dbekd_encrypt_key_data(handle->context, act_mkey, - keyblock, &keysalt, kvno + 1, - &tmp_key_data); + keyblock, &keysalt, kvno + 1, + &tmp_key_data); if (ret) { - goto done; + goto done; } for (k = 0; k < tmp_key_data.key_data_ver; k++) { - kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k]; - kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k]; - if (tmp_key_data.key_data_contents[k]) { - kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]); - if (kdb.key_data->key_data_contents[k] == NULL) { - cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); - kdb.key_data = NULL; - kdb.n_key_data = 0; - ret = ENOMEM; - goto done; - } - memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); - - memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); - free (tmp_key_data.key_data_contents[k]); - tmp_key_data.key_data_contents[k] = NULL; - } + kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k]; + kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k]; + if (tmp_key_data.key_data_contents[k]) { + kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]); + if (kdb.key_data->key_data_contents[k] == NULL) { + cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); + kdb.key_data = NULL; + kdb.n_key_data = 0; + ret = ENOMEM; + goto done; + } + memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); + + memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); + free (tmp_key_data.key_data_contents[k]); + tmp_key_data.key_data_contents[k] = NULL; + } } @@ -1722,115 +1723,115 @@ kadm5_setv4key_principal(void *server_handle, ret = krb5_timeofday(handle->context, &now); if (ret) - goto done; + goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, - &pol)) != KADM5_OK) - goto done; - have_pol = 1; + if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, + &pol)) != KADM5_OK) + goto done; + have_pol = 1; #if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) - goto done; - if((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } + /* + * The spec says this check is overridden if the caller has + * modify privilege. The admin server therefore makes this + * check itself (in chpass_principal_wrapper, misc.c). A + * local caller implicitly has all authorization bits. + */ + if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, + &kdb, &last_pwd)) + goto done; + if((now - last_pwd) < pol.pw_min_life && + !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + ret = KADM5_PASS_TOOSOON; + goto done; + } #endif #if 0 - /* - * Should we be checking/updating pw history here? - */ - if(pol.pw_history_num > 1) { - if(adb.admin_history_kvno != hist_kvno) { - ret = KADM5_BAD_HIST_KEY; - goto done; - } - - if (ret = check_pw_reuse(handle->context, - &hist_key, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys)) - goto done; - } + /* + * Should we be checking/updating pw history here? + */ + if(pol.pw_history_num > 1) { + if(adb.admin_history_kvno != hist_kvno) { + ret = KADM5_BAD_HIST_KEY; + goto done; + } + + if (ret = check_pw_reuse(handle->context, + &hist_key, + kdb.n_key_data, kdb.key_data, + adb.old_key_len, adb.old_keys)) + goto done; + } #endif - if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; - else - kdb.pw_expiration = 0; + if (pol.pw_max_life) + kdb.pw_expiration = now + pol.pw_max_life; + else + kdb.pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb.pw_expiration = 0; } ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); if (ret) - goto done; + goto done; /* unlock principal on this KDC */ kdb.fail_auth_count = 0; if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; + goto done; ret = KADM5_OK; done: for (i = 0; i < tmp_key_data.key_data_ver; i++) { - if (tmp_key_data.key_data_contents[i]) { - memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); - free (tmp_key_data.key_data_contents[i]); - } + if (tmp_key_data.key_data_contents[i]) { + memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); + free (tmp_key_data.key_data_contents[i]); + } } kdb_free_entry(handle, &kdb, &adb); if (have_pol) - kadm5_free_policy_ent(handle->lhandle, &pol); + kadm5_free_policy_ent(handle->lhandle, &pol); return ret; } kadm5_ret_t kadm5_setkey_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock *keyblocks, - int n_keys) + krb5_principal principal, + krb5_keyblock *keyblocks, + int n_keys) { return - kadm5_setkey_principal_3(server_handle, principal, - FALSE, 0, NULL, - keyblocks, n_keys); + kadm5_setkey_principal_3(server_handle, principal, + FALSE, 0, NULL, + keyblocks, n_keys); } kadm5_ret_t kadm5_setkey_principal_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - krb5_keyblock *keyblocks, - int n_keys) + krb5_principal principal, + krb5_boolean keepold, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, + krb5_keyblock *keyblocks, + int n_keys) { - krb5_db_entry kdb; - osa_princ_ent_rec adb; - krb5_int32 now; - kadm5_policy_ent_rec pol; - krb5_key_data *old_key_data; - int n_old_keys; - int i, j, k, kvno, ret, have_pol = 0; + krb5_db_entry kdb; + osa_princ_ent_rec adb; + krb5_int32 now; + kadm5_policy_ent_rec pol; + krb5_key_data *old_key_data; + int n_old_keys; + int i, j, k, kvno, ret, have_pol = 0; #if 0 int last_pwd; #endif - kadm5_server_handle_t handle = server_handle; - krb5_boolean similar; - krb5_keysalt keysalt; + kadm5_server_handle_t handle = server_handle; + krb5_boolean similar; + krb5_keysalt keysalt; krb5_key_data tmp_key_data; krb5_key_data *tptr; krb5_keyblock *act_mkey; @@ -1840,177 +1841,177 @@ kadm5_setkey_principal_3(void *server_handle, krb5_clear_error_message(handle->context); if (principal == NULL || keyblocks == NULL) - return EINVAL; + return EINVAL; if (hist_princ && /* this will be NULL when initializing the databse */ - ((krb5_principal_compare(handle->context, - principal, hist_princ)) == TRUE)) - return KADM5_PROTECT_PRINCIPAL; + ((krb5_principal_compare(handle->context, + principal, hist_princ)) == TRUE)) + return KADM5_PROTECT_PRINCIPAL; for (i = 0; i < n_keys; i++) { - for (j = i+1; j < n_keys; j++) { - if ((ret = krb5_c_enctype_compare(handle->context, - keyblocks[i].enctype, - keyblocks[j].enctype, - &similar))) - return(ret); - if (similar) { - if (n_ks_tuple) { - if (ks_tuple[i].ks_salttype == ks_tuple[j].ks_salttype) - return KADM5_SETKEY_DUP_ENCTYPES; - } else - return KADM5_SETKEY_DUP_ENCTYPES; - } - } + for (j = i+1; j < n_keys; j++) { + if ((ret = krb5_c_enctype_compare(handle->context, + keyblocks[i].enctype, + keyblocks[j].enctype, + &similar))) + return(ret); + if (similar) { + if (n_ks_tuple) { + if (ks_tuple[i].ks_salttype == ks_tuple[j].ks_salttype) + return KADM5_SETKEY_DUP_ENCTYPES; + } else + return KADM5_SETKEY_DUP_ENCTYPES; + } + } } if (n_ks_tuple && n_ks_tuple != n_keys) - return KADM5_SETKEY3_ETYPE_MISMATCH; + return KADM5_SETKEY3_ETYPE_MISMATCH; if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); + return(ret); for (kvno = 0, i=0; i kvno) - kvno = kdb.key_data[i].key_data_kvno; + if (kdb.key_data[i].key_data_kvno > kvno) + kvno = kdb.key_data[i].key_data_kvno; if (keepold) { - old_key_data = kdb.key_data; - n_old_keys = kdb.n_key_data; + old_key_data = kdb.key_data; + n_old_keys = kdb.n_key_data; } else { - if (kdb.key_data != NULL) - cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); - n_old_keys = 0; - old_key_data = NULL; + if (kdb.key_data != NULL) + cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); + n_old_keys = 0; + old_key_data = NULL; } kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys) - *sizeof(krb5_key_data)); + *sizeof(krb5_key_data)); if (kdb.key_data == NULL) { - ret = ENOMEM; - goto done; + ret = ENOMEM; + goto done; } memset(kdb.key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data)); kdb.n_key_data = 0; for (i = 0; i < n_keys; i++) { - if (n_ks_tuple) { - keysalt.type = ks_tuple[i].ks_salttype; - keysalt.data.length = 0; - keysalt.data.data = NULL; - if (ks_tuple[i].ks_enctype != keyblocks[i].enctype) { - ret = KADM5_SETKEY3_ETYPE_MISMATCH; - goto done; - } - } - memset (&tmp_key_data, 0, sizeof(tmp_key_data)); - - ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, NULL, &act_mkey); - if (ret) - goto done; - - ret = krb5_dbekd_encrypt_key_data(handle->context, - act_mkey, - &keyblocks[i], - n_ks_tuple ? &keysalt : NULL, - kvno + 1, - &tmp_key_data); - if (ret) - goto done; - - tptr = &kdb.key_data[i]; - tptr->key_data_ver = tmp_key_data.key_data_ver; - tptr->key_data_kvno = tmp_key_data.key_data_kvno; - for (k = 0; k < tmp_key_data.key_data_ver; k++) { - tptr->key_data_type[k] = tmp_key_data.key_data_type[k]; - tptr->key_data_length[k] = tmp_key_data.key_data_length[k]; - if (tmp_key_data.key_data_contents[k]) { - tptr->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]); - if (tptr->key_data_contents[k] == NULL) { - int i1; - for (i1 = k; i1 < tmp_key_data.key_data_ver; i1++) { - if (tmp_key_data.key_data_contents[i1]) { - memset (tmp_key_data.key_data_contents[i1], 0, tmp_key_data.key_data_length[i1]); - free (tmp_key_data.key_data_contents[i1]); - } - } - - ret = ENOMEM; - goto done; - } - memcpy (tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); - - memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); - free (tmp_key_data.key_data_contents[k]); - tmp_key_data.key_data_contents[k] = NULL; - } - } - kdb.n_key_data++; + if (n_ks_tuple) { + keysalt.type = ks_tuple[i].ks_salttype; + keysalt.data.length = 0; + keysalt.data.data = NULL; + if (ks_tuple[i].ks_enctype != keyblocks[i].enctype) { + ret = KADM5_SETKEY3_ETYPE_MISMATCH; + goto done; + } + } + memset (&tmp_key_data, 0, sizeof(tmp_key_data)); + + ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, + active_mkey_list, NULL, &act_mkey); + if (ret) + goto done; + + ret = krb5_dbekd_encrypt_key_data(handle->context, + act_mkey, + &keyblocks[i], + n_ks_tuple ? &keysalt : NULL, + kvno + 1, + &tmp_key_data); + if (ret) + goto done; + + tptr = &kdb.key_data[i]; + tptr->key_data_ver = tmp_key_data.key_data_ver; + tptr->key_data_kvno = tmp_key_data.key_data_kvno; + for (k = 0; k < tmp_key_data.key_data_ver; k++) { + tptr->key_data_type[k] = tmp_key_data.key_data_type[k]; + tptr->key_data_length[k] = tmp_key_data.key_data_length[k]; + if (tmp_key_data.key_data_contents[k]) { + tptr->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]); + if (tptr->key_data_contents[k] == NULL) { + int i1; + for (i1 = k; i1 < tmp_key_data.key_data_ver; i1++) { + if (tmp_key_data.key_data_contents[i1]) { + memset (tmp_key_data.key_data_contents[i1], 0, tmp_key_data.key_data_length[i1]); + free (tmp_key_data.key_data_contents[i1]); + } + } + + ret = ENOMEM; + goto done; + } + memcpy (tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); + + memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); + free (tmp_key_data.key_data_contents[k]); + tmp_key_data.key_data_contents[k] = NULL; + } + } + kdb.n_key_data++; } /* copy old key data if necessary */ for (i = 0; i < n_old_keys; i++) { - kdb.key_data[i+n_keys] = old_key_data[i]; - memset(&old_key_data[i], 0, sizeof (krb5_key_data)); - kdb.n_key_data++; + kdb.key_data[i+n_keys] = old_key_data[i]; + memset(&old_key_data[i], 0, sizeof (krb5_key_data)); + kdb.n_key_data++; } if (old_key_data) - krb5_db_free(handle->context, old_key_data); + krb5_db_free(handle->context, old_key_data); /* assert(kdb.n_key_data == n_keys + n_old_keys) */ kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; if ((ret = krb5_timeofday(handle->context, &now))) - goto done; + goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, - &pol)) != KADM5_OK) - goto done; - have_pol = 1; + if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, + &pol)) != KADM5_OK) + goto done; + have_pol = 1; #if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) - goto done; - if((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } + /* + * The spec says this check is overridden if the caller has + * modify privilege. The admin server therefore makes this + * check itself (in chpass_principal_wrapper, misc.c). A + * local caller implicitly has all authorization bits. + */ + if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, + &kdb, &last_pwd)) + goto done; + if((now - last_pwd) < pol.pw_min_life && + !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + ret = KADM5_PASS_TOOSOON; + goto done; + } #endif #if 0 - /* - * Should we be checking/updating pw history here? - */ - if (pol.pw_history_num > 1) { - if(adb.admin_history_kvno != hist_kvno) { - ret = KADM5_BAD_HIST_KEY; - goto done; - } - - if (ret = check_pw_reuse(handle->context, - &hist_key, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys)) - goto done; - } + /* + * Should we be checking/updating pw history here? + */ + if (pol.pw_history_num > 1) { + if(adb.admin_history_kvno != hist_kvno) { + ret = KADM5_BAD_HIST_KEY; + goto done; + } + + if (ret = check_pw_reuse(handle->context, + &hist_key, + kdb.n_key_data, kdb.key_data, + adb.old_key_len, adb.old_keys)) + goto done; + } #endif - if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; - else - kdb.pw_expiration = 0; + if (pol.pw_max_life) + kdb.pw_expiration = now + pol.pw_max_life; + else + kdb.pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb.pw_expiration = 0; } if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) @@ -2020,13 +2021,13 @@ kadm5_setkey_principal_3(void *server_handle, kdb.fail_auth_count = 0; if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; + goto done; ret = KADM5_OK; done: kdb_free_entry(handle, &kdb, &adb); if (have_pol) - kadm5_free_policy_ent(handle->lhandle, &pol); + kadm5_free_policy_ent(handle->lhandle, &pol); return ret; } @@ -2048,7 +2049,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, krb5_keyblock *mkey_ptr; if (keyblocks) - *keyblocks = NULL; + *keyblocks = NULL; CHECK_HANDLE(server_handle); @@ -2056,10 +2057,10 @@ kadm5_get_principal_keys(void *server_handle /* IN */, return EINVAL; if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); + return(ret); if (keyblocks) { - if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb, + if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb, &mkey_ptr))) { krb5_keylist_node *tmp_mkey_list; /* try refreshing master key list */ @@ -2078,11 +2079,11 @@ kadm5_get_principal_keys(void *server_handle /* IN */, } } - ret = decrypt_key_data(handle->context, mkey_ptr, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; + ret = decrypt_key_data(handle->context, mkey_ptr, + kdb.n_key_data, kdb.key_data, + keyblocks, n_keys); + if (ret) + goto done; } ret = KADM5_OK; @@ -2100,40 +2101,40 @@ done: * number of keys decrypted. */ static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey, - int n_key_data, krb5_key_data *key_data, - krb5_keyblock **keyblocks, int *n_keys) + int n_key_data, krb5_key_data *key_data, + krb5_keyblock **keyblocks, int *n_keys) { - krb5_keyblock *keys; - int ret, i; - - keys = (krb5_keyblock *) malloc(n_key_data*sizeof(krb5_keyblock)); - if (keys == NULL) - return ENOMEM; - memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); - - for (i = 0; i < n_key_data; i++) { - ret = krb5_dbekd_decrypt_key_data(context, mkey, - &key_data[i], - &keys[i], NULL); - if (ret) { - for (; i >= 0; i--) { - if (keys[i].contents) { - memset (keys[i].contents, 0, keys[i].length); - free( keys[i].contents ); - } - } - - memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); - free(keys); - return ret; - } - } - - *keyblocks = keys; - if (n_keys) - *n_keys = n_key_data; - - return 0; + krb5_keyblock *keys; + int ret, i; + + keys = (krb5_keyblock *) malloc(n_key_data*sizeof(krb5_keyblock)); + if (keys == NULL) + return ENOMEM; + memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); + + for (i = 0; i < n_key_data; i++) { + ret = krb5_dbekd_decrypt_key_data(context, mkey, + &key_data[i], + &keys[i], NULL); + if (ret) { + for (; i >= 0; i--) { + if (keys[i].contents) { + memset (keys[i].contents, 0, keys[i].length); + free( keys[i].contents ); + } + } + + memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); + free(keys); + return ret; + } + } + + *keyblocks = keys; + if (n_keys) + *n_keys = n_key_data; + + return 0; } /* @@ -2143,15 +2144,15 @@ static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey, * * Arguments: * - * server_handle (r) kadm5 handle - * entry (r) principal retrieved with kadm5_get_principal - * ktype (r) enctype to search for, or -1 to ignore - * stype (r) salt type to search for, or -1 to ignore - * kvno (r) kvno to search for, -1 for max, 0 for max - * only if it also matches ktype and stype - * keyblock (w) keyblock to fill in - * keysalt (w) keysalt to fill in, or NULL - * kvnop (w) kvno to fill in, or NULL + * server_handle (r) kadm5 handle + * entry (r) principal retrieved with kadm5_get_principal + * ktype (r) enctype to search for, or -1 to ignore + * stype (r) salt type to search for, or -1 to ignore + * kvno (r) kvno to search for, -1 for max, 0 for max + * only if it also matches ktype and stype + * keyblock (w) keyblock to fill in + * keysalt (w) keysalt to fill in, or NULL + * kvnop (w) kvno to fill in, or NULL * * Effects: Searches the key_data array of entry, which must have been * retrived with kadm5_get_principal with the KADM5_KEY_DATA mask, to @@ -2167,10 +2168,10 @@ static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey, * returned. */ kadm5_ret_t kadm5_decrypt_key(void *server_handle, - kadm5_principal_ent_t entry, krb5_int32 - ktype, krb5_int32 stype, krb5_int32 - kvno, krb5_keyblock *keyblock, - krb5_keysalt *keysalt, int *kvnop) + kadm5_principal_ent_t entry, krb5_int32 + ktype, krb5_int32 stype, krb5_int32 + kvno, krb5_keyblock *keyblock, + krb5_keysalt *keysalt, int *kvnop) { kadm5_server_handle_t handle = server_handle; krb5_db_entry dbent; @@ -2181,14 +2182,14 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle, CHECK_HANDLE(server_handle); if (entry->n_key_data == 0 || entry->key_data == NULL) - return EINVAL; + return EINVAL; /* find_enctype only uses these two fields */ dbent.n_key_data = entry->n_key_data; dbent.key_data = entry->key_data; if ((ret = krb5_dbe_find_enctype(handle->context, &dbent, ktype, - stype, kvno, &key_data))) - return ret; + stype, kvno, &key_data))) + return ret; /* find_mkey only uses this field */ dbent.tl_data = entry->tl_data; @@ -2211,9 +2212,9 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle, } if ((ret = krb5_dbekd_decrypt_key_data(handle->context, - mkey_ptr, key_data, - keyblock, keysalt))) - return ret; + mkey_ptr, key_data, + keyblock, keysalt))) + return ret; /* * Coerce the enctype of the output keyblock in case we got an @@ -2224,7 +2225,7 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle, keyblock->enctype = ktype; if (kvnop) - *kvnop = key_data->key_data_kvno; + *kvnop = key_data->key_data_kvno; return KADM5_OK; } diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c index 51637f7de..c6fd435f7 100644 --- a/src/lib/kadm5/str_conv.c +++ b/src/lib/kadm5/str_conv.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kadm/str_conv.c * @@ -34,11 +35,11 @@ * * String decoding: * ---------------- - * krb5_string_to_flags() - Convert string to krb5_flags. + * krb5_string_to_flags() - Convert string to krb5_flags. * * String encoding: * ---------------- - * krb5_flags_to_string() - Convert krb5_flags to string. + * krb5_flags_to_string() - Convert krb5_flags to string. */ #include "k5-int.h" @@ -49,10 +50,10 @@ * Local data structures. */ struct flags_lookup_entry { - krb5_flags fl_flags; /* Flag */ - krb5_boolean fl_sense; /* Sense of the flag */ - const char * fl_specifier; /* How to recognize it */ - const char * fl_output; /* How to spit it out */ + krb5_flags fl_flags; /* Flag */ + krb5_boolean fl_sense; /* Sense of the flag */ + const char * fl_specifier; /* How to recognize it */ + const char * fl_output; /* How to spit it out */ }; /* @@ -64,82 +65,82 @@ static const char default_ksaltseps[] = ":."; /* Keytype strings */ /* Flags strings */ -static const char flags_pdate_in[] = "postdateable"; -static const char flags_fwd_in[] = "forwardable"; -static const char flags_tgtbased_in[] = "tgt-based"; -static const char flags_renew_in[] = "renewable"; -static const char flags_proxy_in[] = "proxiable"; -static const char flags_dup_skey_in[] = "dup-skey"; -static const char flags_tickets_in[] = "allow-tickets"; -static const char flags_preauth_in[] = "preauth"; -static const char flags_hwauth_in[] = "hwauth"; -static const char flags_ok_as_delegate_in[] = "ok-as-delegate"; -static const char flags_pwchange_in[] = "pwchange"; -static const char flags_service_in[] = "service"; -static const char flags_pwsvc_in[] = "pwservice"; -static const char flags_md5_in[] = "md5"; +static const char flags_pdate_in[] = "postdateable"; +static const char flags_fwd_in[] = "forwardable"; +static const char flags_tgtbased_in[] = "tgt-based"; +static const char flags_renew_in[] = "renewable"; +static const char flags_proxy_in[] = "proxiable"; +static const char flags_dup_skey_in[] = "dup-skey"; +static const char flags_tickets_in[] = "allow-tickets"; +static const char flags_preauth_in[] = "preauth"; +static const char flags_hwauth_in[] = "hwauth"; +static const char flags_ok_as_delegate_in[] = "ok-as-delegate"; +static const char flags_pwchange_in[] = "pwchange"; +static const char flags_service_in[] = "service"; +static const char flags_pwsvc_in[] = "pwservice"; +static const char flags_md5_in[] = "md5"; static const char flags_ok_to_auth_as_delegate_in[] = "ok-to-auth-as-delegate"; static const char flags_no_auth_data_required_in[] = "no-auth-data-required"; -static const char flags_pdate_out[] = "Not Postdateable"; -static const char flags_fwd_out[] = "Not Forwardable"; -static const char flags_tgtbased_out[] = "No TGT-based requests"; -static const char flags_renew_out[] = "Not renewable"; -static const char flags_proxy_out[] = "Not proxiable"; -static const char flags_dup_skey_out[] = "No DUP_SKEY requests"; -static const char flags_tickets_out[] = "All Tickets Disallowed"; -static const char flags_preauth_out[] = "Preauthentication required"; -static const char flags_hwauth_out[] = "HW authentication required"; -static const char flags_ok_as_delegate_out[] = "OK as Delegate"; -static const char flags_pwchange_out[] = "Password Change required"; -static const char flags_service_out[] = "Service Disabled"; -static const char flags_pwsvc_out[] = "Password Changing Service"; -static const char flags_md5_out[] = "RSA-MD5 supported"; +static const char flags_pdate_out[] = "Not Postdateable"; +static const char flags_fwd_out[] = "Not Forwardable"; +static const char flags_tgtbased_out[] = "No TGT-based requests"; +static const char flags_renew_out[] = "Not renewable"; +static const char flags_proxy_out[] = "Not proxiable"; +static const char flags_dup_skey_out[] = "No DUP_SKEY requests"; +static const char flags_tickets_out[] = "All Tickets Disallowed"; +static const char flags_preauth_out[] = "Preauthentication required"; +static const char flags_hwauth_out[] = "HW authentication required"; +static const char flags_ok_as_delegate_out[] = "OK as Delegate"; +static const char flags_pwchange_out[] = "Password Change required"; +static const char flags_service_out[] = "Service Disabled"; +static const char flags_pwsvc_out[] = "Password Changing Service"; +static const char flags_md5_out[] = "RSA-MD5 supported"; static const char flags_ok_to_auth_as_delegate_out[] = "Protocol transition with delegation allowed"; static const char flags_no_auth_data_required_out[] = "No authorization data required"; -static const char flags_default_neg[] = "-"; -static const char flags_default_sep[] = " "; +static const char flags_default_neg[] = "-"; +static const char flags_default_sep[] = " "; /* * Lookup tables. */ static const struct flags_lookup_entry flags_table[] = { -/* flag sense input specifier output string */ -/*----------------------------- ------- ------------------ ------------------*/ -{ KRB5_KDB_DISALLOW_POSTDATED, 0, flags_pdate_in, flags_pdate_out }, -{ KRB5_KDB_DISALLOW_FORWARDABLE,0, flags_fwd_in, flags_fwd_out }, -{ KRB5_KDB_DISALLOW_TGT_BASED, 0, flags_tgtbased_in, flags_tgtbased_out}, -{ KRB5_KDB_DISALLOW_RENEWABLE, 0, flags_renew_in, flags_renew_out }, -{ KRB5_KDB_DISALLOW_PROXIABLE, 0, flags_proxy_in, flags_proxy_out }, -{ KRB5_KDB_DISALLOW_DUP_SKEY, 0, flags_dup_skey_in, flags_dup_skey_out}, -{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out }, -{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out }, -{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out }, -{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out }, -{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out}, -{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out }, -{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out }, -{ KRB5_KDB_SUPPORT_DESMD5, 1, flags_md5_in, flags_md5_out }, -{ KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 1, flags_ok_to_auth_as_delegate_in, flags_ok_to_auth_as_delegate_out }, -{ KRB5_KDB_NO_AUTH_DATA_REQUIRED, 1, flags_no_auth_data_required_in, flags_no_auth_data_required_out } +/* flag sense input specifier output string */ +/*----------------------------- ------- ------------------ ------------------*/ + { KRB5_KDB_DISALLOW_POSTDATED, 0, flags_pdate_in, flags_pdate_out }, + { KRB5_KDB_DISALLOW_FORWARDABLE,0, flags_fwd_in, flags_fwd_out }, + { KRB5_KDB_DISALLOW_TGT_BASED, 0, flags_tgtbased_in, flags_tgtbased_out}, + { KRB5_KDB_DISALLOW_RENEWABLE, 0, flags_renew_in, flags_renew_out }, + { KRB5_KDB_DISALLOW_PROXIABLE, 0, flags_proxy_in, flags_proxy_out }, + { KRB5_KDB_DISALLOW_DUP_SKEY, 0, flags_dup_skey_in, flags_dup_skey_out}, + { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out }, + { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out }, + { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out }, + { KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out }, + { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out}, + { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out }, + { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out }, + { KRB5_KDB_SUPPORT_DESMD5, 1, flags_md5_in, flags_md5_out }, + { KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 1, flags_ok_to_auth_as_delegate_in, flags_ok_to_auth_as_delegate_out }, + { KRB5_KDB_NO_AUTH_DATA_REQUIRED, 1, flags_no_auth_data_required_in, flags_no_auth_data_required_out } }; static const int flags_table_nents = sizeof(flags_table)/ - sizeof(flags_table[0]); + sizeof(flags_table[0]); krb5_error_code krb5_string_to_flags(string, positive, negative, flagsp) - char * string; - const char * positive; - const char * negative; - krb5_flags * flagsp; + char * string; + const char * positive; + const char * negative; + krb5_flags * flagsp; { - int i; - int found; - const char *neg; - size_t nsize, psize; - int cpos; - int sense; + int i; + int found; + const char *neg; + size_t nsize, psize; + int cpos; + int sense; found = 0; /* We need to have a way to negate it. */ @@ -151,260 +152,260 @@ krb5_string_to_flags(string, positive, negative, flagsp) sense = 1; /* First check for positive or negative sense */ if (!strncasecmp(neg, string, nsize)) { - sense = 0; - cpos += (int) nsize; + sense = 0; + cpos += (int) nsize; } else if (psize && !strncasecmp(positive, string, psize)) { - cpos += (int) psize; + cpos += (int) psize; } for (i=0; i 0) - krb5int_buf_add(&buf, sepstring); - krb5int_buf_add(&buf, flags_table[i].fl_output); - /* Keep track of what we matched */ - pflags |= flags_table[i].fl_flags; - } + if (flags & flags_table[i].fl_flags) { + if (krb5int_buf_len(&buf) > 0) + krb5int_buf_add(&buf, sepstring); + krb5int_buf_add(&buf, flags_table[i].fl_output); + /* Keep track of what we matched */ + pflags |= flags_table[i].fl_flags; + } } if (krb5int_buf_data(&buf) == NULL) - return(ENOMEM); + return(ENOMEM); /* See if there's any leftovers */ if (flags & ~pflags) - return(EINVAL); + return(EINVAL); return(0); } krb5_error_code krb5_input_flag_to_string(flag, buffer, buflen) - int flag; - char * buffer; - size_t buflen; + int flag; + char * buffer; + size_t buflen; { if(flag < 0 || flag >= flags_table_nents) return ENOENT; /* End of list */ if(strlcpy(buffer, flags_table[flag].fl_specifier, buflen) >= buflen) - return ENOMEM; + return ENOMEM; return 0; } /* - * krb5_keysalt_is_present() - Determine if a key/salt pair is present - * in a list of key/salt tuples. + * krb5_keysalt_is_present() - Determine if a key/salt pair is present + * in a list of key/salt tuples. * - * Salttype may be negative to indicate a search for only a enctype. + * Salttype may be negative to indicate a search for only a enctype. */ krb5_boolean krb5_keysalt_is_present(ksaltlist, nksalts, enctype, salttype) - krb5_key_salt_tuple *ksaltlist; - krb5_int32 nksalts; - krb5_enctype enctype; - krb5_int32 salttype; + krb5_key_salt_tuple *ksaltlist; + krb5_int32 nksalts; + krb5_enctype enctype; + krb5_int32 salttype; { - krb5_boolean foundit; - int i; + krb5_boolean foundit; + int i; foundit = 0; if (ksaltlist) { - for (i=0; i - * or - * - */ - sp = (char *) NULL; - /* Attempt to find a separator */ - septmp = ksseplist; - for (sp = strchr(kp, (int) *septmp); - *(++septmp) && !sp; - sp = strchr(kp, (int) *septmp)); - - if (sp) { - /* Separate enctype from salttype */ - sepchar = *sp; - *sp = '\0'; - sp++; - } - else - stype = -1; - - /* - * Attempt to parse enctype and salttype. If we parse well - * then make sure that it specifies a unique key/salt combo - */ - if (!(kret = krb5_string_to_enctype(kp, &ktype)) && - (!sp || !(kret = krb5_string_to_salttype(sp, &stype))) && - (dups || - !krb5_keysalt_is_present(*ksaltp, *nksaltp, ktype, stype))) { - - /* Squirrel away old keysalt array */ - savep = *ksaltp; - len = (size_t) *nksaltp; - - /* Get new keysalt array */ - *ksaltp = (krb5_key_salt_tuple *) - malloc((len + 1) * sizeof(krb5_key_salt_tuple)); - if (*ksaltp) { - - /* Copy old keysalt if appropriate */ - if (savep) { - memcpy(*ksaltp, savep, - len * sizeof(krb5_key_salt_tuple)); - free(savep); - } - - /* Save our values */ - (*ksaltp)[(*nksaltp)].ks_enctype = ktype; - (*ksaltp)[(*nksaltp)].ks_salttype = stype; - (*nksaltp)++; - } - else { - *ksaltp = savep; - break; - } - } - if (kret) - return kret; - if (sp) - sp[-1] = sepchar; - if (ep) - ep[-1] = trailchar; - kp = ep; - - /* Skip over extra separators - like spaces */ - if (kp && *tseplist) { - septmp = tseplist; - while(*septmp && *kp) { - if(*septmp == *kp) { - /* Increment string - reset separator list */ - kp++; - septmp = tseplist; - } else { - septmp++; - } - } - if (!*kp) kp = NULL; - } + /* Attempt to find a separator */ + ep = (char *) NULL; + if (*tseplist) { + septmp = tseplist; + for (ep = strchr(kp, (int) *septmp); + *(++septmp) && !ep; + ep = strchr(kp, (int) *septmp)); + } + + if (ep) { + trailchar = *ep; + *ep = '\0'; + ep++; + } + /* + * kp points to something (hopefully) of the form: + * + * or + * + */ + sp = (char *) NULL; + /* Attempt to find a separator */ + septmp = ksseplist; + for (sp = strchr(kp, (int) *septmp); + *(++septmp) && !sp; + sp = strchr(kp, (int) *septmp)); + + if (sp) { + /* Separate enctype from salttype */ + sepchar = *sp; + *sp = '\0'; + sp++; + } + else + stype = -1; + + /* + * Attempt to parse enctype and salttype. If we parse well + * then make sure that it specifies a unique key/salt combo + */ + if (!(kret = krb5_string_to_enctype(kp, &ktype)) && + (!sp || !(kret = krb5_string_to_salttype(sp, &stype))) && + (dups || + !krb5_keysalt_is_present(*ksaltp, *nksaltp, ktype, stype))) { + + /* Squirrel away old keysalt array */ + savep = *ksaltp; + len = (size_t) *nksaltp; + + /* Get new keysalt array */ + *ksaltp = (krb5_key_salt_tuple *) + malloc((len + 1) * sizeof(krb5_key_salt_tuple)); + if (*ksaltp) { + + /* Copy old keysalt if appropriate */ + if (savep) { + memcpy(*ksaltp, savep, + len * sizeof(krb5_key_salt_tuple)); + free(savep); + } + + /* Save our values */ + (*ksaltp)[(*nksaltp)].ks_enctype = ktype; + (*ksaltp)[(*nksaltp)].ks_salttype = stype; + (*nksaltp)++; + } + else { + *ksaltp = savep; + break; + } + } + if (kret) + return kret; + if (sp) + sp[-1] = sepchar; + if (ep) + ep[-1] = trailchar; + kp = ep; + + /* Skip over extra separators - like spaces */ + if (kp && *tseplist) { + septmp = tseplist; + while(*septmp && *kp) { + if(*septmp == *kp) { + /* Increment string - reset separator list */ + kp++; + septmp = tseplist; + } else { + septmp++; + } + } + if (!*kp) kp = NULL; + } } /* while kp */ return(kret); } /* - * krb5_keysalt_iterate() - Do something for each unique key/salt - * combination. + * krb5_keysalt_iterate() - Do something for each unique key/salt + * combination. * * If ignoresalt set, then salttype is ignored. */ krb5_error_code krb5_keysalt_iterate(ksaltlist, nksalt, ignoresalt, iterator, arg) - krb5_key_salt_tuple *ksaltlist; - krb5_int32 nksalt; - krb5_boolean ignoresalt; - krb5_error_code (*iterator) (krb5_key_salt_tuple *, krb5_pointer); - krb5_pointer arg; + krb5_key_salt_tuple *ksaltlist; + krb5_int32 nksalt; + krb5_boolean ignoresalt; + krb5_error_code (*iterator) (krb5_key_salt_tuple *, krb5_pointer); + krb5_pointer arg; { - int i; - krb5_error_code kret; - krb5_key_salt_tuple scratch; + int i; + krb5_error_code kret; + krb5_key_salt_tuple scratch; kret = 0; for (i=0; i #include #include @@ -9,39 +10,38 @@ #include #include -#define TEST_NUM 25 +#define TEST_NUM 25 int main() { - kadm5_ret_t ret; - char *cp; - int x; - void *server_handle; - kadm5_server_handle_t handle; - krb5_context context; + kadm5_ret_t ret; + char *cp; + int x; + void *server_handle; + kadm5_server_handle_t handle; + krb5_context context; - ret = kadm5_init_krb5_context(&context); - if (ret != 0) { - com_err("test", ret, "context init"); - exit(2); - } - for(x = 0; x < TEST_NUM; x++) { - ret = kadm5_init(context, "admin", "admin", KADM5_ADMIN_SERVICE, 0, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, - &server_handle); - if(ret != KADM5_OK) { - com_err("test", ret, "init"); - exit(2); - } - handle = (kadm5_server_handle_t) server_handle; - cp = strdup(strchr(handle->cache_name, ':') + 1); - kadm5_destroy(server_handle); - if(access(cp, F_OK) == 0) { - puts("ticket cache not destroyed"); - exit(2); - } - free(cp); - } - exit(0); + ret = kadm5_init_krb5_context(&context); + if (ret != 0) { + com_err("test", ret, "context init"); + exit(2); + } + for(x = 0; x < TEST_NUM; x++) { + ret = kadm5_init(context, "admin", "admin", KADM5_ADMIN_SERVICE, 0, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, + &server_handle); + if(ret != KADM5_OK) { + com_err("test", ret, "init"); + exit(2); + } + handle = (kadm5_server_handle_t) server_handle; + cp = strdup(strchr(handle->cache_name, ':') + 1); + kadm5_destroy(server_handle); + if(access(cp, F_OK) == 0) { + puts("ticket cache not destroyed"); + exit(2); + } + free(cp); + } + exit(0); } - diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/unit-test/handle-test.c index 6c26e5f0d..56eac844a 100644 --- a/src/lib/kadm5/unit-test/handle-test.c +++ b/src/lib/kadm5/unit-test/handle-test.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -11,120 +12,120 @@ int main(int argc, char *argv[]) { - kadm5_ret_t ret; - void *server_handle; - kadm5_server_handle_t handle; - kadm5_server_handle_rec orig_handle; - kadm5_policy_ent_rec pol; - kadm5_principal_ent_t princ; - krb5_keyblock *key; - krb5_principal tprinc; - krb5_context context; + kadm5_ret_t ret; + void *server_handle; + kadm5_server_handle_t handle; + kadm5_server_handle_rec orig_handle; + kadm5_policy_ent_rec pol; + kadm5_principal_ent_t princ; + krb5_keyblock *key; + krb5_principal tprinc; + krb5_context context; kadm5_init_krb5_context(&context); - + ret = kadm5_init(context, "admin/none", "admin", KADM5_ADMIN_SERVICE, NULL, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, - &server_handle); + KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, + &server_handle); if(ret != KADM5_OK) { - com_err("test", ret, "init"); - exit(2); + com_err("test", ret, "init"); + exit(2); } handle = (kadm5_server_handle_t) server_handle; orig_handle = *handle; handle->magic_number = KADM5_STRUCT_VERSION; krb5_parse_name(context, "testuser", &tprinc); ret = kadm5_get_principal(server_handle, tprinc, &princ, - KADM5_PRINCIPAL_NORMAL_MASK); + KADM5_PRINCIPAL_NORMAL_MASK); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "get-principal", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "get-principal", + error_message(ret)); + exit(1); } - + ret = kadm5_get_policy(server_handle, "pol1", &pol); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "get-policy", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "get-policy", + error_message(ret)); + exit(1); } - + ret = kadm5_create_principal(server_handle, princ, KADM5_PRINCIPAL, "pass"); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "create-principal", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "create-principal", + error_message(ret)); + exit(1); } - + ret = kadm5_create_policy(server_handle, &pol, KADM5_POLICY); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "create-policy", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "create-policy", + error_message(ret)); + exit(1); } - + ret = kadm5_modify_principal(server_handle, princ, KADM5_PW_EXPIRATION); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "modify-principal", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "modify-principal", + error_message(ret)); + exit(1); } - + ret = kadm5_modify_policy(server_handle, &pol, KADM5_PW_MAX_LIFE); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "modify-policy", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "modify-policy", + error_message(ret)); + exit(1); } - + ret = kadm5_delete_principal(server_handle, tprinc); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "delete-principal", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "delete-principal", + error_message(ret)); + exit(1); } - + ret = kadm5_delete_policy(server_handle, "pol1"); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "delete-policy", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "delete-policy", + error_message(ret)); + exit(1); } - + ret = kadm5_chpass_principal(server_handle, tprinc, "FooBar"); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "chpass", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "chpass", + error_message(ret)); + exit(1); } ret = kadm5_randkey_principal(server_handle, tprinc, &key, NULL); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "randkey", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "randkey", + error_message(ret)); + exit(1); } - + ret = kadm5_rename_principal(server_handle, tprinc, tprinc); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "rename", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "rename", + error_message(ret)); + exit(1); } - + ret = kadm5_destroy(server_handle); if(ret != KADM5_BAD_SERVER_HANDLE) { - fprintf(stderr, "%s -- returned -- %s\n", "destroy", - error_message(ret)); - exit(1); + fprintf(stderr, "%s -- returned -- %s\n", "destroy", + error_message(ret)); + exit(1); } *handle = orig_handle; ret = kadm5_destroy(server_handle); if (ret != KADM5_OK) { - fprintf(stderr, "valid %s -- returned -- %s\n", "destroy", - error_message(ret)); - exit(1); + fprintf(stderr, "valid %s -- returned -- %s\n", "destroy", + error_message(ret)); + exit(1); } exit(0); diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/unit-test/init-test.c index cfa79374b..a7f065db5 100644 --- a/src/lib/kadm5/unit-test/init-test.c +++ b/src/lib/kadm5/unit-test/init-test.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -7,29 +8,29 @@ int main() { - kadm5_ret_t ret; - void *server_handle; - kadm5_config_params params; - krb5_context context; + kadm5_ret_t ret; + void *server_handle; + kadm5_config_params params; + krb5_context context; - memset(¶ms, 0, sizeof(params)); - params.mask |= KADM5_CONFIG_NO_AUTH; - ret = kadm5_init_krb5_context(&context); - if (ret != 0) { - com_err("init-test", ret, "while initializing krb5 context"); - exit(1); - } - ret = kadm5_init(context, "admin", "admin", NULL, ¶ms, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, - &server_handle); - if (ret == KADM5_RPC_ERROR) - exit(0); - else if (ret != 0) { - com_err("init-test", ret, "while initializing without auth"); - exit(1); - } else { - fprintf(stderr, "Unexpected success while initializing without auth!\n"); - (void) kadm5_destroy(server_handle); - exit(1); - } + memset(¶ms, 0, sizeof(params)); + params.mask |= KADM5_CONFIG_NO_AUTH; + ret = kadm5_init_krb5_context(&context); + if (ret != 0) { + com_err("init-test", ret, "while initializing krb5 context"); + exit(1); + } + ret = kadm5_init(context, "admin", "admin", NULL, ¶ms, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, + &server_handle); + if (ret == KADM5_RPC_ERROR) + exit(0); + else if (ret != 0) { + com_err("init-test", ret, "while initializing without auth"); + exit(1); + } else { + fprintf(stderr, "Unexpected success while initializing without auth!\n"); + (void) kadm5_destroy(server_handle); + exit(1); + } } diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/unit-test/iter-test.c index be1540735..bc7cfdcfa 100644 --- a/src/lib/kadm5/unit-test/iter-test.c +++ b/src/lib/kadm5/unit-test/iter-test.c @@ -1,51 +1,51 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include int main(int argc, char **argv) { - kadm5_ret_t ret; - void *server_handle; - char **names; - int count, princ, i; - krb5_context context; - - if (argc != 3) { - fprintf(stderr, "Usage: %s [-princ|-pol] exp\n", argv[0]); - exit(1); - } - princ = (strcmp(argv[1], "-princ") == 0); - - ret = kadm5_init_krb5_context(&context); - if (ret != KADM5_OK) { - com_err("iter-test", ret, "while initializing context"); - exit(1); - } - ret = kadm5_init("admin", "admin", KADM5_ADMIN_SERVICE, 0, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, - &server_handle); - if (ret != KADM5_OK) { - com_err("iter-test", ret, "while initializing"); - exit(1); - } - - if (princ) - ret = kadm5_get_principals(server_handle, argv[2], &names, &count); - else - ret = kadm5_get_policies(server_handle, argv[2], &names, &count); - - if (ret != KADM5_OK) { - com_err("iter-test", ret, "while retrieving list"); - exit(1); - } - - for (i = 0; i < count; i++) - printf("%d: %s\n", i, names[i]); - - kadm5_free_name_list(server_handle, names, count); - - (void) kadm5_destroy(server_handle); - - return 0; + kadm5_ret_t ret; + void *server_handle; + char **names; + int count, princ, i; + krb5_context context; + + if (argc != 3) { + fprintf(stderr, "Usage: %s [-princ|-pol] exp\n", argv[0]); + exit(1); + } + princ = (strcmp(argv[1], "-princ") == 0); + + ret = kadm5_init_krb5_context(&context); + if (ret != KADM5_OK) { + com_err("iter-test", ret, "while initializing context"); + exit(1); + } + ret = kadm5_init("admin", "admin", KADM5_ADMIN_SERVICE, 0, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, + &server_handle); + if (ret != KADM5_OK) { + com_err("iter-test", ret, "while initializing"); + exit(1); + } + + if (princ) + ret = kadm5_get_principals(server_handle, argv[2], &names, &count); + else + ret = kadm5_get_policies(server_handle, argv[2], &names, &count); + + if (ret != KADM5_OK) { + com_err("iter-test", ret, "while retrieving list"); + exit(1); + } + + for (i = 0; i < count; i++) + printf("%d: %s\n", i, names[i]); + + kadm5_free_name_list(server_handle, names, count); + + (void) kadm5_destroy(server_handle); + + return 0; } - diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/unit-test/lock-test.c index 85049a7e7..5a0501b27 100644 --- a/src/lib/kadm5/unit-test/lock-test.c +++ b/src/lib/kadm5/unit-test/lock-test.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -8,99 +9,99 @@ char *whoami; static void usage() { - fprintf(stderr, - "Usage: %s {shared|exclusive|permanent|release|" - "get name|wait} ...\n", whoami); - exit(1); + fprintf(stderr, + "Usage: %s {shared|exclusive|permanent|release|" + "get name|wait} ...\n", whoami); + exit(1); } int main(int argc, char **argv) { - krb5_error_code ret; - osa_policy_ent_t entry; - krb5_context context; - kadm5_config_params params; - krb5_error_code kret; + krb5_error_code ret; + osa_policy_ent_t entry; + krb5_context context; + kadm5_config_params params; + krb5_error_code kret; - whoami = argv[0]; + whoami = argv[0]; - kret = kadm5_init_krb5_context(&context); - if (kret) { - com_err(whoami, kret, "while initializing krb5"); - exit(1); - } + kret = kadm5_init_krb5_context(&context); + if (kret) { + com_err(whoami, kret, "while initializing krb5"); + exit(1); + } - params.mask = 0; - ret = kadm5_get_config_params(context, 1, ¶ms, ¶ms); - if (ret) { - com_err(whoami, ret, "while retrieving configuration parameters"); - exit(1); - } - if (! (params.mask & KADM5_CONFIG_ADBNAME)) { - com_err(whoami, KADM5_BAD_SERVER_PARAMS, - "while retrieving configuration parameters"); - exit(1); - } + params.mask = 0; + ret = kadm5_get_config_params(context, 1, ¶ms, ¶ms); + if (ret) { + com_err(whoami, ret, "while retrieving configuration parameters"); + exit(1); + } + if (! (params.mask & KADM5_CONFIG_ADBNAME)) { + com_err(whoami, KADM5_BAD_SERVER_PARAMS, + "while retrieving configuration parameters"); + exit(1); + } - ret = krb5_db_open( context, NULL, KRB5_KDB_OPEN_RW); - if (ret) { - com_err(whoami, ret, "while opening database"); - exit(1); - } + ret = krb5_db_open( context, NULL, KRB5_KDB_OPEN_RW); + if (ret) { + com_err(whoami, ret, "while opening database"); + exit(1); + } - argc--; argv++; - while (argc) { - if (strcmp(*argv, "shared") == 0) { - ret = krb5_db_lock(context, KRB5_DB_LOCKMODE_SHARED); - if (ret) - com_err(whoami, ret, "while getting shared lock"); - else - printf("shared\n"); - } else if (strcmp(*argv, "exclusive") == 0) { - ret = krb5_db_lock(context, KRB5_DB_LOCKMODE_EXCLUSIVE ); - if (ret) - com_err(whoami, ret, "while getting exclusive lock"); - else - printf("exclusive\n"); - } else if (strcmp(*argv, "permanent") == 0) { - ret = krb5_db_lock(context, KRB5_DB_LOCKMODE_EXCLUSIVE ); - if (ret) - com_err(whoami, ret, "while getting permanent lock"); - else - printf("permanent\n"); - } else if (strcmp(*argv, "release") == 0) { - ret = krb5_db_unlock(context); - if (ret) - com_err(whoami, ret, "while releasing lock"); - else - printf("released\n"); - } else if (strcmp(*argv, "get") == 0) { - int cnt = 1; - argc--; argv++; - if (!argc) usage(); - if ((ret = krb5_db_get_policy(context, *argv, - &entry, &cnt)) ) { - com_err(whoami, ret, "while getting policy"); - } else { - printf("retrieved\n"); - krb5_db_free_policy(context, entry); - } - } else if (strcmp(*argv, "wait") == 0) { - getchar(); - } else { - fprintf(stderr, "%s: Invalid argument \"%s\"\n", - whoami, *argv); - usage(); - } + argc--; argv++; + while (argc) { + if (strcmp(*argv, "shared") == 0) { + ret = krb5_db_lock(context, KRB5_DB_LOCKMODE_SHARED); + if (ret) + com_err(whoami, ret, "while getting shared lock"); + else + printf("shared\n"); + } else if (strcmp(*argv, "exclusive") == 0) { + ret = krb5_db_lock(context, KRB5_DB_LOCKMODE_EXCLUSIVE ); + if (ret) + com_err(whoami, ret, "while getting exclusive lock"); + else + printf("exclusive\n"); + } else if (strcmp(*argv, "permanent") == 0) { + ret = krb5_db_lock(context, KRB5_DB_LOCKMODE_EXCLUSIVE ); + if (ret) + com_err(whoami, ret, "while getting permanent lock"); + else + printf("permanent\n"); + } else if (strcmp(*argv, "release") == 0) { + ret = krb5_db_unlock(context); + if (ret) + com_err(whoami, ret, "while releasing lock"); + else + printf("released\n"); + } else if (strcmp(*argv, "get") == 0) { + int cnt = 1; + argc--; argv++; + if (!argc) usage(); + if ((ret = krb5_db_get_policy(context, *argv, + &entry, &cnt)) ) { + com_err(whoami, ret, "while getting policy"); + } else { + printf("retrieved\n"); + krb5_db_free_policy(context, entry); + } + } else if (strcmp(*argv, "wait") == 0) { + getchar(); + } else { + fprintf(stderr, "%s: Invalid argument \"%s\"\n", + whoami, *argv); + usage(); + } - argc--; argv++; - } + argc--; argv++; + } - ret = krb5_db_fini(context); - if (ret) { - com_err(whoami, ret, "while closing database"); - exit(1); - } + ret = krb5_db_fini(context); + if (ret) { + com_err(whoami, ret, "while closing database"); + exit(1); + } - return 0; + return 0; } diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/unit-test/randkey-test.c index 4e6787a1b..7cf4ee8ac 100644 --- a/src/lib/kadm5/unit-test/randkey-test.c +++ b/src/lib/kadm5/unit-test/randkey-test.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -6,37 +7,36 @@ #include #include -#define TEST_NUM 1000 +#define TEST_NUM 1000 int main() { - kadm5_ret_t ret; - krb5_keyblock *keys[TEST_NUM]; - krb5_principal tprinc; - krb5_keyblock *newkey; - krb5_context context; - void *server_handle; + kadm5_ret_t ret; + krb5_keyblock *keys[TEST_NUM]; + krb5_principal tprinc; + krb5_keyblock *newkey; + krb5_context context; + void *server_handle; - int x, i; + int x, i; - kadm5_init_krb5_context(&context); + kadm5_init_krb5_context(&context); - krb5_parse_name(context, "testuser", &tprinc); - ret = kadm5_init(context, "admin", "admin", KADM5_ADMIN_SERVICE, NULL, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, - &server_handle); - if(ret != KADM5_OK) { - com_err("test", ret, "init"); - exit(2); - } - for(x = 0; x < TEST_NUM; x++) { - kadm5_randkey_principal(server_handle, tprinc, &keys[x], NULL); - for(i = 0; i < x; i++) { - if (!memcmp(newkey->contents, keys[i]->contents, newkey->length)) - puts("match found"); - } - } - kadm5_destroy(server_handle); - exit(0); + krb5_parse_name(context, "testuser", &tprinc); + ret = kadm5_init(context, "admin", "admin", KADM5_ADMIN_SERVICE, NULL, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, + &server_handle); + if(ret != KADM5_OK) { + com_err("test", ret, "init"); + exit(2); + } + for(x = 0; x < TEST_NUM; x++) { + kadm5_randkey_principal(server_handle, tprinc, &keys[x], NULL); + for(i = 0; i < x; i++) { + if (!memcmp(newkey->contents, keys[i]->contents, newkey->length)) + puts("match found"); + } + } + kadm5_destroy(server_handle); + exit(0); } - diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c index 1dadfc72a..53056e434 100644 --- a/src/lib/kadm5/unit-test/setkey-test.c +++ b/src/lib/kadm5/unit-test/setkey-test.c @@ -1,46 +1,47 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include -#if HAVE_SRAND48 -#define RAND() lrand48() -#define SRAND(a) srand48(a) -#define RAND_TYPE long -#elif HAVE_SRAND -#define RAND() rand() -#define SRAND(a) srand(a) -#define RAND_TYPE int -#elif HAVE_SRANDOM -#define RAND() random() -#define SRAND(a) srandom(a) -#define RAND_TYPE long -#else /* no random */ +#if HAVE_SRAND48 +#define RAND() lrand48() +#define SRAND(a) srand48(a) +#define RAND_TYPE long +#elif HAVE_SRAND +#define RAND() rand() +#define SRAND(a) srand(a) +#define RAND_TYPE int +#elif HAVE_SRANDOM +#define RAND() random() +#define SRAND(a) srandom(a) +#define RAND_TYPE long +#else /* no random */ need a random number generator -#endif /* no random */ +#endif /* no random */ krb5_keyblock test1[] = { {0, ENCTYPE_DES_CBC_CRC, 0, 0}, {-1}, }; krb5_keyblock test2[] = { - {0, ENCTYPE_DES_CBC_RAW, 0, 0}, - {-1}, + {0, ENCTYPE_DES_CBC_RAW, 0, 0}, + {-1}, }; krb5_keyblock test3[] = { - {0, ENCTYPE_DES_CBC_MD5, 0, 0}, - {-1}, + {0, ENCTYPE_DES_CBC_MD5, 0, 0}, + {-1}, }; -krb5_keyblock *tests[] = { - test1, test2, test3, NULL +krb5_keyblock *tests[] = { + test1, test2, test3, NULL }; #if 0 int keyblocks_equal(krb5_keyblock *kb1, krb5_keyblock *kb2) { - return (kb1->enctype == kb2->enctype && - kb1->length == kb2->length && - memcmp(kb1->contents, kb2->contents, kb1->length) == 0); + return (kb1->enctype == kb2->enctype && + kb1->length == kb2->length && + memcmp(kb1->contents, kb2->contents, kb1->length) == 0); } #endif @@ -57,177 +58,171 @@ extern krb5_kt_ops krb5_ktf_writable_ops; int main(int argc, char **argv) { - krb5_context context; - krb5_keytab kt; - krb5_keytab_entry ktent; - krb5_encrypt_block eblock; - krb5_creds my_creds; - kadm5_principal_ent_rec princ_ent; - krb5_principal princ, server; - char pw[16]; - char *whoami, *principal, *authprinc; - krb5_data pwdata; - void *handle; - int ret, i, test, encnum; - - whoami = argv[0]; - - if (argc != 2 && argc != 3) { - fprintf(stderr, "Usage: %s principal [authuser]\n", whoami); - exit(1); - } - principal = argv[1]; - authprinc = argv[2] ? argv[2] : argv[0]; - - /* - * Setup. Initialize data structures, open keytab, open connection - * to kadm5 server. - */ - - memset(&context, 0, sizeof(context)); - kadm5_init_krb5_context(&context); - - ret = krb5_parse_name(context, principal, &princ); - if (ret) { - com_err(whoami, ret, "while parsing principal name %s", principal); - exit(1); - } - - if((ret = krb5_build_principal_ext(context, &server, - krb5_princ_realm(kcontext, princ)->length, - krb5_princ_realm(kcontext, princ)->data, - tgtname.length, tgtname.data, - krb5_princ_realm(kcontext, princ)->length, - krb5_princ_realm(kcontext, princ)->data, - 0))) { - com_err(whoami, ret, "while building server name"); - exit(1); - } - - /* register the WRFILE keytab type */ - ret = krb5_kt_register(context, &krb5_ktf_writable_ops); - if (ret) { - com_err(whoami, ret, - "while registering writable key table functions"); - exit(1); - } - - ret = krb5_kt_default(context, &kt); - if (ret) { - com_err(whoami, ret, "while opening keytab"); - exit(1); - } - - ret = kadm5_init(context, authprinc, NULL, KADM5_ADMIN_SERVICE, NULL, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, - &handle); - if (ret) { - com_err(whoami, ret, "while initializing connection"); - exit(1); - } - - /* these pw's don't need to be secure, just different every time */ - SRAND((RAND_TYPE)time((void *) NULL)); - pwdata.data = pw; - pwdata.length = sizeof(pw); - - /* - * For each test: - * - * For each enctype in the test, construct a random password/key. - * Assign all keys to principal with kadm5_setkey_principal. Add - * each key to the keytab, and acquire an initial ticket with the - * keytab (XXX can I specify the enctype & kvno explicitly?). If - * krb5_get_in_tkt_with_keytab succeeds, then the keys were set - * successfully. - */ - for (test = 0; tests[test] != NULL; test++) { - krb5_keyblock *testp = tests[test]; - printf("+ Test %d:\n", test); - - for (encnum = 0; testp[encnum].magic != -1; encnum++) { - for (i = 0; i < sizeof(pw); i++) - pw[i] = (RAND() % 26) + '0'; /* XXX */ - - krb5_use_enctype(context, &eblock, testp[encnum].enctype); - ret = krb5_string_to_key(context, &eblock, &testp[encnum], - &pwdata, NULL); - if (ret) { - com_err(whoami, ret, "while converting string to key"); - exit(1); - } - } - - /* now, encnum == # of keyblocks in testp */ - ret = kadm5_setkey_principal(handle, princ, testp, encnum); - if (ret) { - com_err(whoami, ret, "while setting keys"); - exit(1); - } - - ret = kadm5_get_principal(handle, princ, &princ_ent, KADM5_KVNO); - if (ret) { - com_err(whoami, ret, "while retrieving principal"); - exit(1); - } - - for (encnum = 0; testp[encnum].magic != -1; encnum++) { - printf("+ enctype %d\n", testp[encnum].enctype); - - memset(&ktent, 0, sizeof(ktent)); - ktent.principal = princ; - ktent.key = testp[encnum]; - ktent.vno = princ_ent.kvno; - - ret = krb5_kt_add_entry(context, kt, &ktent); - if (ret) { - com_err(whoami, ret, "while adding keytab entry"); - exit(1); - } - - memset(&my_creds, 0, sizeof(my_creds)); - my_creds.client = princ; - my_creds.server = server; - - ktypes[0] = testp[encnum].enctype; - ret = krb5_get_in_tkt_with_keytab(context, - 0 /* options */, - NULL /* addrs */, - ktypes, - NULL /* preauth */, - kt, 0, - &my_creds, 0); - if (ret) { - com_err(whoami, ret, "while acquiring initial ticket"); - exit(1); - } - - /* since I can't specify enctype explicitly ... */ - ret = krb5_kt_remove_entry(context, kt, &ktent); - if (ret) { - com_err(whoami, ret, "while removing keytab entry"); - exit(1); - } - } - } - - ret = krb5_kt_close(context, kt); - if (ret) { - com_err(whoami, ret, "while closing keytab"); - exit(1); - } - - ret = kadm5_destroy(handle); - if (ret) { - com_err(whoami, ret, "while closing kadmin connection"); - exit(1); - } - - return 0; + krb5_context context; + krb5_keytab kt; + krb5_keytab_entry ktent; + krb5_encrypt_block eblock; + krb5_creds my_creds; + kadm5_principal_ent_rec princ_ent; + krb5_principal princ, server; + char pw[16]; + char *whoami, *principal, *authprinc; + krb5_data pwdata; + void *handle; + int ret, i, test, encnum; + + whoami = argv[0]; + + if (argc != 2 && argc != 3) { + fprintf(stderr, "Usage: %s principal [authuser]\n", whoami); + exit(1); + } + principal = argv[1]; + authprinc = argv[2] ? argv[2] : argv[0]; + + /* + * Setup. Initialize data structures, open keytab, open connection + * to kadm5 server. + */ + + memset(&context, 0, sizeof(context)); + kadm5_init_krb5_context(&context); + + ret = krb5_parse_name(context, principal, &princ); + if (ret) { + com_err(whoami, ret, "while parsing principal name %s", principal); + exit(1); + } + + if((ret = krb5_build_principal_ext(context, &server, + krb5_princ_realm(kcontext, princ)->length, + krb5_princ_realm(kcontext, princ)->data, + tgtname.length, tgtname.data, + krb5_princ_realm(kcontext, princ)->length, + krb5_princ_realm(kcontext, princ)->data, + 0))) { + com_err(whoami, ret, "while building server name"); + exit(1); + } + + /* register the WRFILE keytab type */ + ret = krb5_kt_register(context, &krb5_ktf_writable_ops); + if (ret) { + com_err(whoami, ret, + "while registering writable key table functions"); + exit(1); + } + + ret = krb5_kt_default(context, &kt); + if (ret) { + com_err(whoami, ret, "while opening keytab"); + exit(1); + } + + ret = kadm5_init(context, authprinc, NULL, KADM5_ADMIN_SERVICE, NULL, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL, + &handle); + if (ret) { + com_err(whoami, ret, "while initializing connection"); + exit(1); + } + + /* these pw's don't need to be secure, just different every time */ + SRAND((RAND_TYPE)time((void *) NULL)); + pwdata.data = pw; + pwdata.length = sizeof(pw); + + /* + * For each test: + * + * For each enctype in the test, construct a random password/key. + * Assign all keys to principal with kadm5_setkey_principal. Add + * each key to the keytab, and acquire an initial ticket with the + * keytab (XXX can I specify the enctype & kvno explicitly?). If + * krb5_get_in_tkt_with_keytab succeeds, then the keys were set + * successfully. + */ + for (test = 0; tests[test] != NULL; test++) { + krb5_keyblock *testp = tests[test]; + printf("+ Test %d:\n", test); + + for (encnum = 0; testp[encnum].magic != -1; encnum++) { + for (i = 0; i < sizeof(pw); i++) + pw[i] = (RAND() % 26) + '0'; /* XXX */ + + krb5_use_enctype(context, &eblock, testp[encnum].enctype); + ret = krb5_string_to_key(context, &eblock, &testp[encnum], + &pwdata, NULL); + if (ret) { + com_err(whoami, ret, "while converting string to key"); + exit(1); + } + } + + /* now, encnum == # of keyblocks in testp */ + ret = kadm5_setkey_principal(handle, princ, testp, encnum); + if (ret) { + com_err(whoami, ret, "while setting keys"); + exit(1); + } + + ret = kadm5_get_principal(handle, princ, &princ_ent, KADM5_KVNO); + if (ret) { + com_err(whoami, ret, "while retrieving principal"); + exit(1); + } + + for (encnum = 0; testp[encnum].magic != -1; encnum++) { + printf("+ enctype %d\n", testp[encnum].enctype); + + memset(&ktent, 0, sizeof(ktent)); + ktent.principal = princ; + ktent.key = testp[encnum]; + ktent.vno = princ_ent.kvno; + + ret = krb5_kt_add_entry(context, kt, &ktent); + if (ret) { + com_err(whoami, ret, "while adding keytab entry"); + exit(1); + } + + memset(&my_creds, 0, sizeof(my_creds)); + my_creds.client = princ; + my_creds.server = server; + + ktypes[0] = testp[encnum].enctype; + ret = krb5_get_in_tkt_with_keytab(context, + 0 /* options */, + NULL /* addrs */, + ktypes, + NULL /* preauth */, + kt, 0, + &my_creds, 0); + if (ret) { + com_err(whoami, ret, "while acquiring initial ticket"); + exit(1); + } + + /* since I can't specify enctype explicitly ... */ + ret = krb5_kt_remove_entry(context, kt, &ktent); + if (ret) { + com_err(whoami, ret, "while removing keytab entry"); + exit(1); + } + } + } + + ret = krb5_kt_close(context, kt); + if (ret) { + com_err(whoami, ret, "while closing keytab"); + exit(1); + } + + ret = kadm5_destroy(handle); + if (ret) { + com_err(whoami, ret, "while closing kadmin connection"); + exit(1); + } + + return 0; } - - - - - - diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c index a564c37b0..8006cf3fa 100644 --- a/src/lib/kdb/decrypt_key.c +++ b/src/lib/kdb/decrypt_key.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/decrypt_key.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +23,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +48,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -63,76 +64,76 @@ */ krb5_error_code -krb5_dbekd_def_decrypt_key_data( krb5_context context, - const krb5_keyblock * mkey, - const krb5_key_data * key_data, - krb5_keyblock * dbkey, - krb5_keysalt * keysalt) +krb5_dbekd_def_decrypt_key_data( krb5_context context, + const krb5_keyblock * mkey, + const krb5_key_data * key_data, + krb5_keyblock * dbkey, + krb5_keysalt * keysalt) { - krb5_error_code retval = 0; - krb5_int16 tmplen; - krb5_octet * ptr; - krb5_enc_data cipher; - krb5_data plain; + krb5_error_code retval = 0; + krb5_int16 tmplen; + krb5_octet * ptr; + krb5_enc_data cipher; + krb5_data plain; ptr = key_data->key_data_contents[0]; if (ptr) { - krb5_kdb_decode_int16(ptr, tmplen); - ptr += 2; + krb5_kdb_decode_int16(ptr, tmplen); + ptr += 2; - cipher.enctype = ENCTYPE_UNKNOWN; - cipher.ciphertext.length = key_data->key_data_length[0]-2; - cipher.ciphertext.data = ptr; - plain.length = key_data->key_data_length[0]-2; - if ((plain.data = (krb5_octet *) malloc(plain.length)) == NULL) - return(ENOMEM); + cipher.enctype = ENCTYPE_UNKNOWN; + cipher.ciphertext.length = key_data->key_data_length[0]-2; + cipher.ciphertext.data = ptr; + plain.length = key_data->key_data_length[0]-2; + if ((plain.data = (krb5_octet *) malloc(plain.length)) == NULL) + return(ENOMEM); - if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0, - &cipher, &plain))) { - free(plain.data); - return retval; - } + if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0, + &cipher, &plain))) { + free(plain.data); + return retval; + } - /* tmplen is the true length of the key. plain.data is the - plaintext data length, but it may be padded, since the - old-style etypes didn't store the real length. I can check - to make sure that there are enough bytes, but I can't do - any better than that. */ + /* tmplen is the true length of the key. plain.data is the + plaintext data length, but it may be padded, since the + old-style etypes didn't store the real length. I can check + to make sure that there are enough bytes, but I can't do + any better than that. */ - if (tmplen > plain.length) { - free(plain.data); - return(KRB5_CRYPTO_INTERNAL); - } + if (tmplen > plain.length) { + free(plain.data); + return(KRB5_CRYPTO_INTERNAL); + } - dbkey->magic = KV5M_KEYBLOCK; - dbkey->enctype = key_data->key_data_type[0]; - dbkey->length = tmplen; - dbkey->contents = plain.data; + dbkey->magic = KV5M_KEYBLOCK; + dbkey->enctype = key_data->key_data_type[0]; + dbkey->length = tmplen; + dbkey->contents = plain.data; } /* Decode salt data */ if (keysalt) { - if (key_data->key_data_ver == 2) { - keysalt->type = key_data->key_data_type[1]; - if ((keysalt->data.length = key_data->key_data_length[1])) { - if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){ - if (key_data->key_data_contents[0]) { - free(dbkey->contents); - dbkey->contents = 0; - dbkey->length = 0; - } - return ENOMEM; - } - memcpy(keysalt->data.data, key_data->key_data_contents[1], - (size_t) keysalt->data.length); - } else - keysalt->data.data = (char *) NULL; - } else { - keysalt->type = KRB5_KDB_SALTTYPE_NORMAL; - keysalt->data.data = (char *) NULL; - keysalt->data.length = 0; - } + if (key_data->key_data_ver == 2) { + keysalt->type = key_data->key_data_type[1]; + if ((keysalt->data.length = key_data->key_data_length[1])) { + if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){ + if (key_data->key_data_contents[0]) { + free(dbkey->contents); + dbkey->contents = 0; + dbkey->length = 0; + } + return ENOMEM; + } + memcpy(keysalt->data.data, key_data->key_data_contents[1], + (size_t) keysalt->data.length); + } else + keysalt->data.data = (char *) NULL; + } else { + keysalt->type = KRB5_KDB_SALTTYPE_NORMAL; + keysalt->data.data = (char *) NULL; + keysalt->data.length = 0; + } } return retval; diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c index 0db1a029a..bbf520bf8 100644 --- a/src/lib/kdb/encrypt_key.c +++ b/src/lib/kdb/encrypt_key.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/encrypt_key.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,21 +23,21 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -47,7 +48,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -63,37 +64,37 @@ */ krb5_error_code -krb5_dbekd_def_encrypt_key_data( krb5_context context, - const krb5_keyblock * mkey, - const krb5_keyblock * dbkey, - const krb5_keysalt * keysalt, - int keyver, - krb5_key_data * key_data) +krb5_dbekd_def_encrypt_key_data( krb5_context context, + const krb5_keyblock * mkey, + const krb5_keyblock * dbkey, + const krb5_keysalt * keysalt, + int keyver, + krb5_key_data * key_data) { - krb5_error_code retval; - krb5_octet * ptr; - size_t len; - int i; - krb5_data plain; - krb5_enc_data cipher; + krb5_error_code retval; + krb5_octet * ptr; + size_t len; + int i; + krb5_data plain; + krb5_enc_data cipher; for (i = 0; i < key_data->key_data_ver; i++) - if (key_data->key_data_contents[i]) - free(key_data->key_data_contents[i]); + if (key_data->key_data_contents[i]) + free(key_data->key_data_contents[i]); key_data->key_data_ver = 1; key_data->key_data_kvno = keyver; - /* - * The First element of the type/length/contents + /* + * The First element of the type/length/contents * fields is the key type/length/contents */ if ((retval = krb5_c_encrypt_length(context, mkey->enctype, dbkey->length, - &len))) - return(retval); + &len))) + return(retval); if ((ptr = (krb5_octet *) malloc(2 + len)) == NULL) - return(ENOMEM); + return(ENOMEM); key_data->key_data_type[0] = dbkey->enctype; key_data->key_data_length[0] = 2 + len; @@ -109,27 +110,27 @@ krb5_dbekd_def_encrypt_key_data( krb5_context context, cipher.ciphertext.data = ptr; if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0, - &plain, &cipher))) { - free(key_data->key_data_contents[0]); - return retval; + &plain, &cipher))) { + free(key_data->key_data_contents[0]); + return retval; } /* After key comes the salt in necessary */ if (keysalt) { - if (keysalt->type > 0) { - key_data->key_data_ver++; - key_data->key_data_type[1] = keysalt->type; - if ((key_data->key_data_length[1] = keysalt->data.length) != 0) { - key_data->key_data_contents[1] = - (krb5_octet *)malloc(keysalt->data.length); - if (key_data->key_data_contents[1] == NULL) { - free(key_data->key_data_contents[0]); - return ENOMEM; - } - memcpy(key_data->key_data_contents[1], keysalt->data.data, - (size_t) keysalt->data.length); - } - } + if (keysalt->type > 0) { + key_data->key_data_ver++; + key_data->key_data_type[1] = keysalt->type; + if ((key_data->key_data_length[1] = keysalt->data.length) != 0) { + key_data->key_data_contents[1] = + (krb5_octet *)malloc(keysalt->data.length); + if (key_data->key_data_contents[1] == NULL) { + free(key_data->key_data_contents[0]); + return ENOMEM; + } + memcpy(key_data->key_data_contents[1], keysalt->data.data, + (size_t) keysalt->data.length); + } + } } return retval; diff --git a/src/lib/kdb/iprop_xdr.c b/src/lib/kdb/iprop_xdr.c index a8b7685ff..093c05676 100644 --- a/src/lib/kdb/iprop_xdr.c +++ b/src/lib/kdb/iprop_xdr.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Please do not edit this file. * It was generated using rpcgen. @@ -9,343 +10,343 @@ bool_t xdr_int16_t (XDR *xdrs, int16_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_short (xdrs, objp)) - return FALSE; - return TRUE; + if (!xdr_short (xdrs, objp)) + return FALSE; + return TRUE; } bool_t xdr_uint16_t (XDR *xdrs, uint16_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_u_short (xdrs, objp)) - return FALSE; - return TRUE; + if (!xdr_u_short (xdrs, objp)) + return FALSE; + return TRUE; } bool_t xdr_int32_t (XDR *xdrs, int32_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_int (xdrs, objp)) - return FALSE; - return TRUE; + if (!xdr_int (xdrs, objp)) + return FALSE; + return TRUE; } bool_t xdr_uint32_t (XDR *xdrs, uint32_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_u_int (xdrs, objp)) - return FALSE; - return TRUE; + if (!xdr_u_int (xdrs, objp)) + return FALSE; + return TRUE; } bool_t xdr_utf8str_t (XDR *xdrs, utf8str_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_bytes (xdrs, (char **)&objp->utf8str_t_val, (u_int *) &objp->utf8str_t_len, ~0)) - return FALSE; - return TRUE; + if (!xdr_bytes (xdrs, (char **)&objp->utf8str_t_val, (u_int *) &objp->utf8str_t_len, ~0)) + return FALSE; + return TRUE; } bool_t xdr_kdb_sno_t (XDR *xdrs, kdb_sno_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_uint32_t (xdrs, objp)) - return FALSE; - return TRUE; + if (!xdr_uint32_t (xdrs, objp)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_time_t (XDR *xdrs, kdbe_time_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_uint32_t (xdrs, &objp->seconds)) - return FALSE; - if (!xdr_uint32_t (xdrs, &objp->useconds)) - return FALSE; - return TRUE; + if (!xdr_uint32_t (xdrs, &objp->seconds)) + return FALSE; + if (!xdr_uint32_t (xdrs, &objp->useconds)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_key_t (XDR *xdrs, kdbe_key_t *objp) { - register int32_t *buf; - - if (!xdr_int32_t (xdrs, &objp->k_ver)) - return FALSE; - if (!xdr_int32_t (xdrs, &objp->k_kvno)) - return FALSE; - if (!xdr_array (xdrs, (char **)&objp->k_enctype.k_enctype_val, (u_int *) &objp->k_enctype.k_enctype_len, ~0, - sizeof (int32_t), (xdrproc_t) xdr_int32_t)) - return FALSE; - if (!xdr_array (xdrs, (char **)&objp->k_contents.k_contents_val, (u_int *) &objp->k_contents.k_contents_len, ~0, - sizeof (utf8str_t), (xdrproc_t) xdr_utf8str_t)) - return FALSE; - return TRUE; + register int32_t *buf; + + if (!xdr_int32_t (xdrs, &objp->k_ver)) + return FALSE; + if (!xdr_int32_t (xdrs, &objp->k_kvno)) + return FALSE; + if (!xdr_array (xdrs, (char **)&objp->k_enctype.k_enctype_val, (u_int *) &objp->k_enctype.k_enctype_len, ~0, + sizeof (int32_t), (xdrproc_t) xdr_int32_t)) + return FALSE; + if (!xdr_array (xdrs, (char **)&objp->k_contents.k_contents_val, (u_int *) &objp->k_contents.k_contents_len, ~0, + sizeof (utf8str_t), (xdrproc_t) xdr_utf8str_t)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_data_t (XDR *xdrs, kdbe_data_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_int32_t (xdrs, &objp->k_magic)) - return FALSE; - if (!xdr_utf8str_t (xdrs, &objp->k_data)) - return FALSE; - return TRUE; + if (!xdr_int32_t (xdrs, &objp->k_magic)) + return FALSE; + if (!xdr_utf8str_t (xdrs, &objp->k_data)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_princ_t (XDR *xdrs, kdbe_princ_t *objp) { - register int32_t *buf; - - if (!xdr_utf8str_t (xdrs, &objp->k_realm)) - return FALSE; - if (!xdr_array (xdrs, (char **)&objp->k_components.k_components_val, (u_int *) &objp->k_components.k_components_len, ~0, - sizeof (kdbe_data_t), (xdrproc_t) xdr_kdbe_data_t)) - return FALSE; - if (!xdr_int32_t (xdrs, &objp->k_nametype)) - return FALSE; - return TRUE; + register int32_t *buf; + + if (!xdr_utf8str_t (xdrs, &objp->k_realm)) + return FALSE; + if (!xdr_array (xdrs, (char **)&objp->k_components.k_components_val, (u_int *) &objp->k_components.k_components_len, ~0, + sizeof (kdbe_data_t), (xdrproc_t) xdr_kdbe_data_t)) + return FALSE; + if (!xdr_int32_t (xdrs, &objp->k_nametype)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_tl_t (XDR *xdrs, kdbe_tl_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_int16_t (xdrs, &objp->tl_type)) - return FALSE; - if (!xdr_bytes (xdrs, (char **)&objp->tl_data.tl_data_val, (u_int *) &objp->tl_data.tl_data_len, ~0)) - return FALSE; - return TRUE; + if (!xdr_int16_t (xdrs, &objp->tl_type)) + return FALSE; + if (!xdr_bytes (xdrs, (char **)&objp->tl_data.tl_data_val, (u_int *) &objp->tl_data.tl_data_len, ~0)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_pw_hist_t (XDR *xdrs, kdbe_pw_hist_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_array (xdrs, (char **)&objp->kdbe_pw_hist_t_val, (u_int *) &objp->kdbe_pw_hist_t_len, ~0, - sizeof (kdbe_key_t), (xdrproc_t) xdr_kdbe_key_t)) - return FALSE; - return TRUE; + if (!xdr_array (xdrs, (char **)&objp->kdbe_pw_hist_t_val, (u_int *) &objp->kdbe_pw_hist_t_len, ~0, + sizeof (kdbe_key_t), (xdrproc_t) xdr_kdbe_key_t)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_attr_type_t (XDR *xdrs, kdbe_attr_type_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_enum (xdrs, (enum_t *) objp)) - return FALSE; - return TRUE; + if (!xdr_enum (xdrs, (enum_t *) objp)) + return FALSE; + return TRUE; } bool_t xdr_kdbe_val_t (XDR *xdrs, kdbe_val_t *objp) { - register int32_t *buf; - - if (!xdr_kdbe_attr_type_t (xdrs, &objp->av_type)) - return FALSE; - switch (objp->av_type) { - case AT_ATTRFLAGS: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_attrflags)) - return FALSE; - break; - case AT_MAX_LIFE: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_max_life)) - return FALSE; - break; - case AT_MAX_RENEW_LIFE: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_max_renew_life)) - return FALSE; - break; - case AT_EXP: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_exp)) - return FALSE; - break; - case AT_PW_EXP: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_pw_exp)) - return FALSE; - break; - case AT_LAST_SUCCESS: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_last_success)) - return FALSE; - break; - case AT_LAST_FAILED: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_last_failed)) - return FALSE; - break; - case AT_FAIL_AUTH_COUNT: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_fail_auth_count)) - return FALSE; - break; - case AT_PRINC: - if (!xdr_kdbe_princ_t (xdrs, &objp->kdbe_val_t_u.av_princ)) - return FALSE; - break; - case AT_KEYDATA: - if (!xdr_array (xdrs, (char **)&objp->kdbe_val_t_u.av_keydata.av_keydata_val, (u_int *) &objp->kdbe_val_t_u.av_keydata.av_keydata_len, ~0, - sizeof (kdbe_key_t), (xdrproc_t) xdr_kdbe_key_t)) - return FALSE; - break; - case AT_TL_DATA: - if (!xdr_array (xdrs, (char **)&objp->kdbe_val_t_u.av_tldata.av_tldata_val, (u_int *) &objp->kdbe_val_t_u.av_tldata.av_tldata_len, ~0, - sizeof (kdbe_tl_t), (xdrproc_t) xdr_kdbe_tl_t)) - return FALSE; - break; - case AT_LEN: - if (!xdr_int16_t (xdrs, &objp->kdbe_val_t_u.av_len)) - return FALSE; - break; - case AT_PW_LAST_CHANGE: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_pw_last_change)) - return FALSE; - break; - case AT_MOD_PRINC: - if (!xdr_kdbe_princ_t (xdrs, &objp->kdbe_val_t_u.av_mod_princ)) - return FALSE; - break; - case AT_MOD_TIME: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_mod_time)) - return FALSE; - break; - case AT_MOD_WHERE: - if (!xdr_utf8str_t (xdrs, &objp->kdbe_val_t_u.av_mod_where)) - return FALSE; - break; - case AT_PW_POLICY: - if (!xdr_utf8str_t (xdrs, &objp->kdbe_val_t_u.av_pw_policy)) - return FALSE; - break; - case AT_PW_POLICY_SWITCH: - if (!xdr_bool (xdrs, &objp->kdbe_val_t_u.av_pw_policy_switch)) - return FALSE; - break; - case AT_PW_HIST_KVNO: - if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_pw_hist_kvno)) - return FALSE; - break; - case AT_PW_HIST: - if (!xdr_array (xdrs, (char **)&objp->kdbe_val_t_u.av_pw_hist.av_pw_hist_val, (u_int *) &objp->kdbe_val_t_u.av_pw_hist.av_pw_hist_len, ~0, - sizeof (kdbe_pw_hist_t), (xdrproc_t) xdr_kdbe_pw_hist_t)) - return FALSE; - break; - default: - if (!xdr_bytes (xdrs, (char **)&objp->kdbe_val_t_u.av_extension.av_extension_val, (u_int *) &objp->kdbe_val_t_u.av_extension.av_extension_len, ~0)) - return FALSE; - break; - } - return TRUE; + register int32_t *buf; + + if (!xdr_kdbe_attr_type_t (xdrs, &objp->av_type)) + return FALSE; + switch (objp->av_type) { + case AT_ATTRFLAGS: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_attrflags)) + return FALSE; + break; + case AT_MAX_LIFE: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_max_life)) + return FALSE; + break; + case AT_MAX_RENEW_LIFE: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_max_renew_life)) + return FALSE; + break; + case AT_EXP: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_exp)) + return FALSE; + break; + case AT_PW_EXP: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_pw_exp)) + return FALSE; + break; + case AT_LAST_SUCCESS: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_last_success)) + return FALSE; + break; + case AT_LAST_FAILED: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_last_failed)) + return FALSE; + break; + case AT_FAIL_AUTH_COUNT: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_fail_auth_count)) + return FALSE; + break; + case AT_PRINC: + if (!xdr_kdbe_princ_t (xdrs, &objp->kdbe_val_t_u.av_princ)) + return FALSE; + break; + case AT_KEYDATA: + if (!xdr_array (xdrs, (char **)&objp->kdbe_val_t_u.av_keydata.av_keydata_val, (u_int *) &objp->kdbe_val_t_u.av_keydata.av_keydata_len, ~0, + sizeof (kdbe_key_t), (xdrproc_t) xdr_kdbe_key_t)) + return FALSE; + break; + case AT_TL_DATA: + if (!xdr_array (xdrs, (char **)&objp->kdbe_val_t_u.av_tldata.av_tldata_val, (u_int *) &objp->kdbe_val_t_u.av_tldata.av_tldata_len, ~0, + sizeof (kdbe_tl_t), (xdrproc_t) xdr_kdbe_tl_t)) + return FALSE; + break; + case AT_LEN: + if (!xdr_int16_t (xdrs, &objp->kdbe_val_t_u.av_len)) + return FALSE; + break; + case AT_PW_LAST_CHANGE: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_pw_last_change)) + return FALSE; + break; + case AT_MOD_PRINC: + if (!xdr_kdbe_princ_t (xdrs, &objp->kdbe_val_t_u.av_mod_princ)) + return FALSE; + break; + case AT_MOD_TIME: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_mod_time)) + return FALSE; + break; + case AT_MOD_WHERE: + if (!xdr_utf8str_t (xdrs, &objp->kdbe_val_t_u.av_mod_where)) + return FALSE; + break; + case AT_PW_POLICY: + if (!xdr_utf8str_t (xdrs, &objp->kdbe_val_t_u.av_pw_policy)) + return FALSE; + break; + case AT_PW_POLICY_SWITCH: + if (!xdr_bool (xdrs, &objp->kdbe_val_t_u.av_pw_policy_switch)) + return FALSE; + break; + case AT_PW_HIST_KVNO: + if (!xdr_uint32_t (xdrs, &objp->kdbe_val_t_u.av_pw_hist_kvno)) + return FALSE; + break; + case AT_PW_HIST: + if (!xdr_array (xdrs, (char **)&objp->kdbe_val_t_u.av_pw_hist.av_pw_hist_val, (u_int *) &objp->kdbe_val_t_u.av_pw_hist.av_pw_hist_len, ~0, + sizeof (kdbe_pw_hist_t), (xdrproc_t) xdr_kdbe_pw_hist_t)) + return FALSE; + break; + default: + if (!xdr_bytes (xdrs, (char **)&objp->kdbe_val_t_u.av_extension.av_extension_val, (u_int *) &objp->kdbe_val_t_u.av_extension.av_extension_len, ~0)) + return FALSE; + break; + } + return TRUE; } bool_t xdr_kdbe_t (XDR *xdrs, kdbe_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_array (xdrs, (char **)&objp->kdbe_t_val, (u_int *) &objp->kdbe_t_len, ~0, - sizeof (kdbe_val_t), (xdrproc_t) xdr_kdbe_val_t)) - return FALSE; - return TRUE; + if (!xdr_array (xdrs, (char **)&objp->kdbe_t_val, (u_int *) &objp->kdbe_t_len, ~0, + sizeof (kdbe_val_t), (xdrproc_t) xdr_kdbe_val_t)) + return FALSE; + return TRUE; } bool_t xdr_kdb_incr_update_t (XDR *xdrs, kdb_incr_update_t *objp) { - register int32_t *buf; - - if (!xdr_utf8str_t (xdrs, &objp->kdb_princ_name)) - return FALSE; - if (!xdr_kdb_sno_t (xdrs, &objp->kdb_entry_sno)) - return FALSE; - if (!xdr_kdbe_time_t (xdrs, &objp->kdb_time)) - return FALSE; - if (!xdr_kdbe_t (xdrs, &objp->kdb_update)) - return FALSE; - if (!xdr_bool (xdrs, &objp->kdb_deleted)) - return FALSE; - if (!xdr_bool (xdrs, &objp->kdb_commit)) - return FALSE; - if (!xdr_array (xdrs, (char **)&objp->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val, (u_int *) &objp->kdb_kdcs_seen_by.kdb_kdcs_seen_by_len, ~0, - sizeof (utf8str_t), (xdrproc_t) xdr_utf8str_t)) - return FALSE; - if (!xdr_bytes (xdrs, (char **)&objp->kdb_futures.kdb_futures_val, (u_int *) &objp->kdb_futures.kdb_futures_len, ~0)) - return FALSE; - return TRUE; + register int32_t *buf; + + if (!xdr_utf8str_t (xdrs, &objp->kdb_princ_name)) + return FALSE; + if (!xdr_kdb_sno_t (xdrs, &objp->kdb_entry_sno)) + return FALSE; + if (!xdr_kdbe_time_t (xdrs, &objp->kdb_time)) + return FALSE; + if (!xdr_kdbe_t (xdrs, &objp->kdb_update)) + return FALSE; + if (!xdr_bool (xdrs, &objp->kdb_deleted)) + return FALSE; + if (!xdr_bool (xdrs, &objp->kdb_commit)) + return FALSE; + if (!xdr_array (xdrs, (char **)&objp->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val, (u_int *) &objp->kdb_kdcs_seen_by.kdb_kdcs_seen_by_len, ~0, + sizeof (utf8str_t), (xdrproc_t) xdr_utf8str_t)) + return FALSE; + if (!xdr_bytes (xdrs, (char **)&objp->kdb_futures.kdb_futures_val, (u_int *) &objp->kdb_futures.kdb_futures_len, ~0)) + return FALSE; + return TRUE; } bool_t xdr_kdb_ulog_t (XDR *xdrs, kdb_ulog_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_array (xdrs, (char **)&objp->kdb_ulog_t_val, (u_int *) &objp->kdb_ulog_t_len, ~0, - sizeof (kdb_incr_update_t), (xdrproc_t) xdr_kdb_incr_update_t)) - return FALSE; - return TRUE; + if (!xdr_array (xdrs, (char **)&objp->kdb_ulog_t_val, (u_int *) &objp->kdb_ulog_t_len, ~0, + sizeof (kdb_incr_update_t), (xdrproc_t) xdr_kdb_incr_update_t)) + return FALSE; + return TRUE; } bool_t xdr_update_status_t (XDR *xdrs, update_status_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_enum (xdrs, (enum_t *) objp)) - return FALSE; - return TRUE; + if (!xdr_enum (xdrs, (enum_t *) objp)) + return FALSE; + return TRUE; } bool_t xdr_kdb_last_t (XDR *xdrs, kdb_last_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_kdb_sno_t (xdrs, &objp->last_sno)) - return FALSE; - if (!xdr_kdbe_time_t (xdrs, &objp->last_time)) - return FALSE; - return TRUE; + if (!xdr_kdb_sno_t (xdrs, &objp->last_sno)) + return FALSE; + if (!xdr_kdbe_time_t (xdrs, &objp->last_time)) + return FALSE; + return TRUE; } bool_t xdr_kdb_incr_result_t (XDR *xdrs, kdb_incr_result_t *objp) { - register int32_t *buf; - - if (!xdr_kdb_last_t (xdrs, &objp->lastentry)) - return FALSE; - if (!xdr_kdb_ulog_t (xdrs, &objp->updates)) - return FALSE; - if (!xdr_update_status_t (xdrs, &objp->ret)) - return FALSE; - return TRUE; + register int32_t *buf; + + if (!xdr_kdb_last_t (xdrs, &objp->lastentry)) + return FALSE; + if (!xdr_kdb_ulog_t (xdrs, &objp->updates)) + return FALSE; + if (!xdr_update_status_t (xdrs, &objp->ret)) + return FALSE; + return TRUE; } bool_t xdr_kdb_fullresync_result_t (XDR *xdrs, kdb_fullresync_result_t *objp) { - register int32_t *buf; + register int32_t *buf; - if (!xdr_kdb_last_t (xdrs, &objp->lastentry)) - return FALSE; - if (!xdr_update_status_t (xdrs, &objp->ret)) - return FALSE; - return TRUE; + if (!xdr_kdb_last_t (xdrs, &objp->lastentry)) + return FALSE; + if (!xdr_update_status_t (xdrs, &objp->ret)) + return FALSE; + return TRUE; } diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 8aef88aaf..cd9f71697 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 2006, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -32,7 +33,7 @@ * distribution under the MIT license. */ -/* +/* * Include files */ @@ -81,7 +82,7 @@ kdb_lock_list() int err; err = CALL_INIT_FUNCTION (kdb_init_lock_list); if (err) - return err; + return err; return k5_mutex_lock(&db_lock); } @@ -89,7 +90,7 @@ void kdb_fini_lock_list(void) { if (INITIALIZER_RAN(kdb_init_lock_list)) - k5_mutex_destroy(&db_lock); + k5_mutex_destroy(&db_lock); } static int @@ -177,27 +178,27 @@ kdb_get_conf_section(krb5_context kcontext) char *value = NULL; if (kcontext->default_realm == NULL) - return NULL; + return NULL; /* The profile has to have been initialized. If the profile was not initialized, expect nothing less than a crash. */ status = profile_get_string(kcontext->profile, - /* realms */ - KDB_REALM_SECTION, - kcontext->default_realm, - /* under the realm name, database_module */ - KDB_MODULE_POINTER, - /* default value is the realm name itself */ - kcontext->default_realm, - &value); + /* realms */ + KDB_REALM_SECTION, + kcontext->default_realm, + /* under the realm name, database_module */ + KDB_MODULE_POINTER, + /* default value is the realm name itself */ + kcontext->default_realm, + &value); if (status) { - /* some problem */ - result = strdup(kcontext->default_realm); - /* let NULL be handled by the caller */ + /* some problem */ + result = strdup(kcontext->default_realm); + /* let NULL be handled by the caller */ } else { - result = strdup(value); - /* free profile string */ - profile_release_string(value); + result = strdup(value); + /* free profile string */ + profile_release_string(value); } return result; @@ -212,27 +213,27 @@ kdb_get_library_name(krb5_context kcontext) char *lib = NULL; status = profile_get_string(kcontext->profile, - /* realms */ - KDB_REALM_SECTION, - kcontext->default_realm, - /* under the realm name, database_module */ - KDB_MODULE_POINTER, - /* default value is the realm name itself */ - kcontext->default_realm, - &value); + /* realms */ + KDB_REALM_SECTION, + kcontext->default_realm, + /* under the realm name, database_module */ + KDB_MODULE_POINTER, + /* default value is the realm name itself */ + kcontext->default_realm, + &value); if (status) - goto clean_n_exit; + goto clean_n_exit; #define DB2_NAME "db2" /* we got the module section. Get the library name from the module */ status = profile_get_string(kcontext->profile, KDB_MODULE_SECTION, value, - KDB_LIB_POINTER, - /* default to db2 */ - DB2_NAME, - &lib); + KDB_LIB_POINTER, + /* default to db2 */ + DB2_NAME, + &lib); if (status) { - goto clean_n_exit; + goto clean_n_exit; } result = strdup(lib); @@ -246,33 +247,33 @@ static void kdb_setup_opt_functions(db_library lib) { if (lib->vftabl.set_master_key == NULL) - lib->vftabl.set_master_key = kdb_def_set_mkey; + lib->vftabl.set_master_key = kdb_def_set_mkey; if (lib->vftabl.set_master_key_list == NULL) - lib->vftabl.set_master_key_list = kdb_def_set_mkey_list; + lib->vftabl.set_master_key_list = kdb_def_set_mkey_list; if (lib->vftabl.get_master_key == NULL) - lib->vftabl.get_master_key = kdb_def_get_mkey; + lib->vftabl.get_master_key = kdb_def_get_mkey; if (lib->vftabl.get_master_key_list == NULL) - lib->vftabl.get_master_key_list = kdb_def_get_mkey_list; + lib->vftabl.get_master_key_list = kdb_def_get_mkey_list; if (lib->vftabl.fetch_master_key == NULL) - lib->vftabl.fetch_master_key = krb5_db_def_fetch_mkey; + lib->vftabl.fetch_master_key = krb5_db_def_fetch_mkey; if (lib->vftabl.verify_master_key == NULL) - lib->vftabl.verify_master_key = krb5_def_verify_master_key; + lib->vftabl.verify_master_key = krb5_def_verify_master_key; if (lib->vftabl.fetch_master_key_list == NULL) - lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list; + lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list; if (lib->vftabl.store_master_key_list == NULL) - lib->vftabl.store_master_key_list = krb5_def_store_mkey_list; + lib->vftabl.store_master_key_list = krb5_def_store_mkey_list; if (lib->vftabl.dbe_search_enctype == NULL) - lib->vftabl.dbe_search_enctype = krb5_dbe_def_search_enctype; + lib->vftabl.dbe_search_enctype = krb5_dbe_def_search_enctype; if (lib->vftabl.db_change_pwd == NULL) - lib->vftabl.db_change_pwd = krb5_dbe_def_cpw; + lib->vftabl.db_change_pwd = krb5_dbe_def_cpw; if (lib->vftabl.store_master_key == NULL) - lib->vftabl.store_master_key = krb5_def_store_mkey; + lib->vftabl.store_master_key = krb5_def_store_mkey; if (lib->vftabl.promote_db == NULL) - lib->vftabl.promote_db = krb5_def_promote_db; + lib->vftabl.promote_db = krb5_def_promote_db; if (lib->vftabl.dbekd_decrypt_key_data == NULL) - lib->vftabl.dbekd_decrypt_key_data = krb5_dbekd_def_decrypt_key_data; + lib->vftabl.dbekd_decrypt_key_data = krb5_dbekd_def_decrypt_key_data; if (lib->vftabl.dbekd_encrypt_key_data == NULL) - lib->vftabl.dbekd_encrypt_key_data = krb5_dbekd_def_encrypt_key_data; + lib->vftabl.dbekd_encrypt_key_data = krb5_dbekd_def_encrypt_key_data; } #ifdef STATIC_PLUGINS @@ -290,21 +291,21 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library *libptr) kdb_vftabl *vftabl_addr = NULL; if (strcmp(lib_name, "db2") == 0) - vftabl_addr = &krb5_db2_kdb_function_table; + vftabl_addr = &krb5_db2_kdb_function_table; #ifdef ENABLE_LDAP if (strcmp(lib_name, "ldap") == 0) - vftabl_addr = &krb5_ldap_kdb_function_table; + vftabl_addr = &krb5_ldap_kdb_function_table; #endif if (!vftabl_addr) { - krb5_set_error_message(kcontext, KRB5_KDB_DBTYPE_NOTFOUND, - "Unable to find requested database type: %s", - lib_name); - return KRB5_KDB_DBTYPE_NOSUP; + krb5_set_error_message(kcontext, KRB5_KDB_DBTYPE_NOTFOUND, + "Unable to find requested database type: %s", + lib_name); + return KRB5_KDB_DBTYPE_NOSUP; } lib = calloc(1, sizeof(*lib)); if (lib == NULL) - return ENOMEM; + return ENOMEM; strlcpy(lib->name, lib_name, sizeof(lib->name)); memcpy(&lib->vftabl, vftabl_addr, sizeof(kdb_vftabl)); @@ -312,7 +313,7 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library *libptr) status = lib->vftabl.init_library(); if (status) - goto cleanup; + goto cleanup; *libptr = lib; return 0; @@ -339,7 +340,7 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library * lib) When it's static, it goes into ".picdata", which is read-write. */ static const char *const dbpath_names[] = { - KDB_MODULE_SECTION, KRB5_CONF_DB_MODULE_DIR, NULL, + KDB_MODULE_SECTION, KRB5_CONF_DB_MODULE_DIR, NULL, }; const char *filebases[2]; char **profpath = NULL; @@ -350,7 +351,7 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library * lib) *lib = calloc((size_t) 1, sizeof(**lib)); if (*lib == NULL) - return ENOMEM; + return ENOMEM; strlcpy((*lib)->name, lib_name, sizeof((*lib)->name)); @@ -358,31 +359,31 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library * lib) file(s) first. */ status = profile_get_values(kcontext->profile, dbpath_names, &profpath); if (status != 0 && status != PROF_NO_RELATION) - goto clean_n_exit; + goto clean_n_exit; ndx = 0; if (profpath) - while (profpath[ndx] != NULL) - ndx++; + while (profpath[ndx] != NULL) + ndx++; path = calloc(ndx + db_dl_n_locations, sizeof (char *)); if (path == NULL) { - status = ENOMEM; - goto clean_n_exit; + status = ENOMEM; + goto clean_n_exit; } if (ndx) - memcpy(path, profpath, ndx * sizeof(profpath[0])); + memcpy(path, profpath, ndx * sizeof(profpath[0])); memcpy(path + ndx, db_dl_location, db_dl_n_locations * sizeof(char *)); status = 0; - - if ((status = krb5int_open_plugin_dirs ((const char **) path, - filebases, + + if ((status = krb5int_open_plugin_dirs ((const char **) path, + filebases, &(*lib)->dl_dir_handle, &kcontext->err))) { - const char *err_str = krb5_get_error_message(kcontext, status); - status = KRB5_KDB_DBTYPE_NOTFOUND; - krb5_set_error_message (kcontext, status, - "Unable to find requested database type: %s", err_str); - krb5_free_error_message (kcontext, err_str); - goto clean_n_exit; + const char *err_str = krb5_get_error_message(kcontext, status); + status = KRB5_KDB_DBTYPE_NOTFOUND; + krb5_set_error_message (kcontext, status, + "Unable to find requested database type: %s", err_str); + krb5_free_error_message (kcontext, err_str); + goto clean_n_exit; } if ((status = krb5int_get_plugin_dir_data (&(*lib)->dl_dir_handle, "kdb_function_table", @@ -392,34 +393,34 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library * lib) krb5_set_error_message (kcontext, status, "plugin symbol 'kdb_function_table' lookup failed: %s", err_str); krb5_free_error_message (kcontext, err_str); - goto clean_n_exit; + goto clean_n_exit; } if (vftabl_addrs[0] == NULL) { - /* No plugins! */ - status = KRB5_KDB_DBTYPE_NOTFOUND; - krb5_set_error_message (kcontext, status, - _("Unable to load requested database module '%s': plugin symbol 'kdb_function_table' not found"), - lib_name); - goto clean_n_exit; + /* No plugins! */ + status = KRB5_KDB_DBTYPE_NOTFOUND; + krb5_set_error_message (kcontext, status, + _("Unable to load requested database module '%s': plugin symbol 'kdb_function_table' not found"), + lib_name); + goto clean_n_exit; } memcpy(&(*lib)->vftabl, vftabl_addrs[0], sizeof(kdb_vftabl)); kdb_setup_opt_functions(*lib); - + if ((status = (*lib)->vftabl.init_library())) goto clean_n_exit; - + clean_n_exit: krb5int_free_plugin_dir_data(vftabl_addrs); /* Both of these DTRT with NULL. */ profile_free_list(profpath); free(path); if (status && *lib) { - if (PLUGIN_DIR_OPEN((&(*lib)->dl_dir_handle))) - krb5int_close_plugin_dirs (&(*lib)->dl_dir_handle); - free(*lib); - *lib = NULL; + if (PLUGIN_DIR_OPEN((&(*lib)->dl_dir_handle))) + krb5int_close_plugin_dirs (&(*lib)->dl_dir_handle); + free(*lib); + *lib = NULL; } return status; } @@ -436,43 +437,43 @@ kdb_find_library(krb5_context kcontext, char *lib_name, db_library * lib) static int kdb_db2_pol_err_loaded = 0; if (!strcmp(DB2_NAME, lib_name) && (kdb_db2_pol_err_loaded == 0)) { - initialize_adb_error_table(); - kdb_db2_pol_err_loaded = 1; + initialize_adb_error_table(); + kdb_db2_pol_err_loaded = 1; } if ((status = kdb_lock_list()) != 0) - goto clean_n_exit; + goto clean_n_exit; locked = 1; curr_elt = lib_list; while (curr_elt != NULL) { - if (strcmp(lib_name, curr_elt->name) == 0) { - *lib = curr_elt; - goto clean_n_exit; - } - prev_elt = curr_elt; - curr_elt = curr_elt->next; + if (strcmp(lib_name, curr_elt->name) == 0) { + *lib = curr_elt; + goto clean_n_exit; + } + prev_elt = curr_elt; + curr_elt = curr_elt->next; } /* module not found. create and add to list */ status = kdb_load_library(kcontext, lib_name, lib); if (status) - goto clean_n_exit; + goto clean_n_exit; if (prev_elt) { - /* prev_elt points to the last element in the list */ - prev_elt->next = *lib; - (*lib)->prev = prev_elt; + /* prev_elt points to the last element in the list */ + prev_elt->next = *lib; + (*lib)->prev = prev_elt; } else { - lib_list = *lib; + lib_list = *lib; } clean_n_exit: if (*lib) - (*lib)->reference_cnt++; + (*lib)->reference_cnt++; if (locked) - kdb_unlock_list(); + kdb_unlock_list(); return status; } @@ -484,33 +485,33 @@ kdb_free_library(db_library lib) int locked = 0; if ((status = kdb_lock_list()) != 0) - goto clean_n_exit; + goto clean_n_exit; locked = 1; lib->reference_cnt--; if (lib->reference_cnt == 0) { - status = lib->vftabl.fini_library(); - if (status) - goto clean_n_exit; + status = lib->vftabl.fini_library(); + if (status) + goto clean_n_exit; - /* close the library */ + /* close the library */ if (PLUGIN_DIR_OPEN((&lib->dl_dir_handle))) krb5int_close_plugin_dirs (&lib->dl_dir_handle); - - if (lib->prev == NULL) - lib_list = lib->next; /* first element in the list */ - else - lib->prev->next = lib->next; - - if (lib->next) - lib->next->prev = lib->prev; - free(lib); + + if (lib->prev == NULL) + lib_list = lib->next; /* first element in the list */ + else + lib->prev->next = lib->next; + + if (lib->next) + lib->next->prev = lib->prev; + free(lib); } clean_n_exit: if (locked) - kdb_unlock_list(); + kdb_unlock_list(); return status; } @@ -525,19 +526,19 @@ krb5_db_setup_lib_handle(krb5_context kcontext) dal_handle = calloc((size_t) 1, sizeof(kdb5_dal_handle)); if (dal_handle == NULL) { - status = ENOMEM; - goto clean_n_exit; + status = ENOMEM; + goto clean_n_exit; } library = kdb_get_library_name(kcontext); if (library == NULL) { - status = KRB5_KDB_DBTYPE_NOTFOUND; - goto clean_n_exit; + status = KRB5_KDB_DBTYPE_NOTFOUND; + goto clean_n_exit; } status = kdb_find_library(kcontext, library, &lib); if (status) - goto clean_n_exit; + goto clean_n_exit; dal_handle->lib_handle = lib; kcontext->dal_handle = dal_handle; @@ -546,9 +547,9 @@ clean_n_exit: free(library); if (status) { - free(dal_handle); - if (lib) - kdb_free_library(lib); + free(dal_handle); + if (lib) + kdb_free_library(lib); } return status; @@ -561,7 +562,7 @@ kdb_free_lib_handle(krb5_context kcontext) status = kdb_free_library(kcontext->dal_handle->lib_handle); if (status) - return status; + return status; free(kcontext->dal_handle); kcontext->dal_handle = NULL; @@ -575,16 +576,16 @@ get_errmsg(krb5_context kcontext, krb5_error_code err_code) const char *e; if (err_code == 0) - return; + return; assert(kcontext != NULL && kcontext->dal_handle != NULL); v = &kcontext->dal_handle->lib_handle->vftabl; if (v->errcode_2_string == NULL) - return; + return; e = v->errcode_2_string(kcontext, err_code); assert (e != NULL); krb5_set_error_message(kcontext, err_code, "%s", e); if (v->release_errcode_string) - v->release_errcode_string(kcontext, e); + v->release_errcode_string(kcontext, e); } static krb5_error_code @@ -594,9 +595,9 @@ get_vftabl(krb5_context kcontext, kdb_vftabl **vftabl_ptr) *vftabl_ptr = NULL; if (kcontext->dal_handle == NULL) { - status = krb5_db_setup_lib_handle(kcontext); - if (status) - return status; + status = krb5_db_setup_lib_handle(kcontext); + if (status) + return status; } *vftabl_ptr = &kcontext->dal_handle->lib_handle->vftabl; return 0; @@ -614,23 +615,23 @@ krb5_db_open(krb5_context kcontext, char **db_args, int mode) section = kdb_get_conf_section(kcontext); if (section == NULL) { - status = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message (kcontext, status, - "unable to determine configuration section for realm %s\n", - kcontext->default_realm ? kcontext->default_realm : "[UNSET]"); - goto clean_n_exit; + status = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message (kcontext, status, + "unable to determine configuration section for realm %s\n", + kcontext->default_realm ? kcontext->default_realm : "[UNSET]"); + goto clean_n_exit; } status = get_vftabl(kcontext, &v); if (status) - goto clean_n_exit; + goto clean_n_exit; assert(v->init_module != NULL); status = v->init_module(kcontext, section, db_args, mode); get_errmsg(kcontext, status); clean_n_exit: if (section) - free(section); + free(section); return status; } @@ -638,7 +639,7 @@ krb5_error_code krb5_db_inited(krb5_context kcontext) { return !(kcontext && kcontext->dal_handle && - kcontext->dal_handle->db_context); + kcontext->dal_handle->db_context); } krb5_error_code @@ -650,26 +651,26 @@ krb5_db_create(krb5_context kcontext, char **db_args) section = kdb_get_conf_section(kcontext); if (section == NULL) { - status = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message (kcontext, status, - "unable to determine configuration section for realm %s\n", - kcontext->default_realm); - goto clean_n_exit; + status = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message (kcontext, status, + "unable to determine configuration section for realm %s\n", + kcontext->default_realm); + goto clean_n_exit; } status = get_vftabl(kcontext, &v); if (status) - goto clean_n_exit; + goto clean_n_exit; if (v->db_create == NULL) { - status = KRB5_KDB_DBTYPE_NOSUP; - goto clean_n_exit; + status = KRB5_KDB_DBTYPE_NOSUP; + goto clean_n_exit; } status = v->db_create(kcontext, section, db_args); get_errmsg(kcontext, status); clean_n_exit: if (section) - free(section); + free(section); return status; } @@ -681,7 +682,7 @@ krb5_db_fini(krb5_context kcontext) /* Do nothing if module was never loaded. */ if (kcontext->dal_handle == NULL) - return 0; + return 0; v = &kcontext->dal_handle->lib_handle->vftabl; assert(v->fini_module != NULL); @@ -689,7 +690,7 @@ krb5_db_fini(krb5_context kcontext) get_errmsg(kcontext, status); if (status) - return status; + return status; return kdb_free_lib_handle(kcontext); } @@ -703,26 +704,26 @@ krb5_db_destroy(krb5_context kcontext, char **db_args) section = kdb_get_conf_section(kcontext); if (section == NULL) { - status = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message (kcontext, status, - "unable to determine configuration section for realm %s\n", - kcontext->default_realm); - goto clean_n_exit; + status = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message (kcontext, status, + "unable to determine configuration section for realm %s\n", + kcontext->default_realm); + goto clean_n_exit; } status = get_vftabl(kcontext, &v); if (status) - goto clean_n_exit; + goto clean_n_exit; if (v->db_destroy == NULL) { - status = KRB5_KDB_DBTYPE_NOSUP; - goto clean_n_exit; + status = KRB5_KDB_DBTYPE_NOSUP; + goto clean_n_exit; } status = v->db_destroy(kcontext, section, db_args); get_errmsg(kcontext, status); clean_n_exit: if (section) - free(section); + free(section); return status; } @@ -734,9 +735,9 @@ krb5_db_get_age(krb5_context kcontext, char *db_name, time_t * t) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_get_age == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_get_age(kcontext, db_name, t); get_errmsg(kcontext, status); return status; @@ -750,9 +751,9 @@ krb5_db_set_option(krb5_context kcontext, int option, void *value) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_set_option == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_set_option(kcontext, option, value); get_errmsg(kcontext, status); return status; @@ -766,9 +767,9 @@ krb5_db_lock(krb5_context kcontext, int lock_mode) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_lock == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_lock(kcontext, lock_mode); get_errmsg(kcontext, status); return status; @@ -782,9 +783,9 @@ krb5_db_unlock(krb5_context kcontext) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_unlock == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_unlock(kcontext); get_errmsg(kcontext, status); return status; @@ -792,41 +793,41 @@ krb5_db_unlock(krb5_context kcontext) krb5_error_code krb5_db_get_principal(krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry * entries, - int *nentries, krb5_boolean * more) + krb5_const_principal search_for, + krb5_db_entry * entries, + int *nentries, krb5_boolean * more) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_get_principal == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_get_principal(kcontext, search_for, 0, entries, nentries, - more); + more); get_errmsg(kcontext, status); return status; } krb5_error_code krb5_db_get_principal_ext(krb5_context kcontext, - krb5_const_principal search_for, - unsigned int flags, - krb5_db_entry * entries, - int *nentries, krb5_boolean * more) + krb5_const_principal search_for, + unsigned int flags, + krb5_db_entry * entries, + int *nentries, krb5_boolean * more) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_get_principal == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_get_principal(kcontext, search_for, - flags, entries, nentries, more); + flags, entries, nentries, more); get_errmsg(kcontext, status); return status; } @@ -839,9 +840,9 @@ krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_free_principal == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_free_principal(kcontext, entry, count); get_errmsg(kcontext, status); return status; @@ -852,18 +853,18 @@ free_db_args(krb5_context kcontext, char **db_args) { int i; if (db_args) { - /* XXX Is this right? Or are we borrowing storage from - the caller? */ - for (i = 0; db_args[i]; i++) - krb5_db_free(kcontext, db_args[i]); - free(db_args); + /* XXX Is this right? Or are we borrowing storage from + the caller? */ + for (i = 0; db_args[i]; i++) + krb5_db_free(kcontext, db_args[i]); + free(db_args); } } static krb5_error_code extract_db_args_from_tl_data(krb5_context kcontext, - krb5_tl_data **start, krb5_int16 *count, - char ***db_argsp) + krb5_tl_data **start, krb5_int16 *count, + char ***db_argsp) { char **db_args = NULL; int db_args_size = 0; @@ -877,51 +878,51 @@ extract_db_args_from_tl_data(krb5_context kcontext, difficult for kadmin remote to pass arguments to server. */ prev = NULL, curr = *start; while (curr) { - if (curr->tl_data_type == KRB5_TL_DB_ARGS) { - char **t; - /* Since this is expected to be NULL terminated string and - this could come from any client, do a check before - passing it to db. */ - if (((char *) curr->tl_data_contents)[curr->tl_data_length - 1] != - '\0') { - /* Not null terminated. Dangerous input. */ - status = EINVAL; - goto clean_n_exit; - } - - db_args_size++; - t = realloc(db_args, sizeof(char *) * (db_args_size + 1)); /* 1 for NULL */ - if (t == NULL) { - status = ENOMEM; - goto clean_n_exit; - } - - db_args = t; - db_args[db_args_size - 1] = (char *) curr->tl_data_contents; - db_args[db_args_size] = NULL; - - next = curr->tl_data_next; - if (prev == NULL) { - /* current node is the first in the linked list. remove it */ - *start = curr->tl_data_next; - } else { - prev->tl_data_next = curr->tl_data_next; - } - (*count)--; - krb5_db_free(kcontext, curr); - - /* previous does not change */ - curr = next; - } else { - prev = curr; - curr = curr->tl_data_next; - } + if (curr->tl_data_type == KRB5_TL_DB_ARGS) { + char **t; + /* Since this is expected to be NULL terminated string and + this could come from any client, do a check before + passing it to db. */ + if (((char *) curr->tl_data_contents)[curr->tl_data_length - 1] != + '\0') { + /* Not null terminated. Dangerous input. */ + status = EINVAL; + goto clean_n_exit; + } + + db_args_size++; + t = realloc(db_args, sizeof(char *) * (db_args_size + 1)); /* 1 for NULL */ + if (t == NULL) { + status = ENOMEM; + goto clean_n_exit; + } + + db_args = t; + db_args[db_args_size - 1] = (char *) curr->tl_data_contents; + db_args[db_args_size] = NULL; + + next = curr->tl_data_next; + if (prev == NULL) { + /* current node is the first in the linked list. remove it */ + *start = curr->tl_data_next; + } else { + prev->tl_data_next = curr->tl_data_next; + } + (*count)--; + krb5_db_free(kcontext, curr); + + /* previous does not change */ + curr = next; + } else { + prev = curr; + curr = curr->tl_data_next; + } } status = 0; clean_n_exit: if (status != 0) { - free_db_args(kcontext, db_args); - db_args = NULL; + free_db_args(kcontext, db_args); + db_args = NULL; } *db_argsp = db_args; return status; @@ -929,7 +930,7 @@ clean_n_exit: krb5_error_code krb5int_put_principal_no_log(krb5_context kcontext, - krb5_db_entry *entries, int *nentries) + krb5_db_entry *entries, int *nentries) { kdb_vftabl *v; krb5_error_code status; @@ -937,14 +938,14 @@ krb5int_put_principal_no_log(krb5_context kcontext, status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_put_principal == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = extract_db_args_from_tl_data(kcontext, &entries->tl_data, - &entries->n_tl_data, - &db_args); + &entries->n_tl_data, + &db_args); if (status) - return status; + return status; status = v->db_put_principal(kcontext, entries, nentries, db_args); get_errmsg(kcontext, status); free_db_args(kcontext, db_args); @@ -953,7 +954,7 @@ krb5int_put_principal_no_log(krb5_context kcontext, krb5_error_code krb5_db_put_principal(krb5_context kcontext, - krb5_db_entry * entries, int *nentries) + krb5_db_entry * entries, int *nentries) { krb5_error_code status = 0; kdb_vftabl *v; @@ -968,88 +969,88 @@ krb5_db_put_principal(krb5_context kcontext, status = get_vftabl(kcontext, &v); if (status) - goto clean_n_exit; + goto clean_n_exit; status = extract_db_args_from_tl_data(kcontext, &entries->tl_data, - &entries->n_tl_data, - &db_args); + &entries->n_tl_data, + &db_args); if (status) - goto clean_n_exit; + goto clean_n_exit; if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) { - if (!(upd = (kdb_incr_update_t *) - malloc(sizeof (kdb_incr_update_t)* *nentries))) { - status = errno; - goto err_lock; - } - fupd = upd; + if (!(upd = (kdb_incr_update_t *) + malloc(sizeof (kdb_incr_update_t)* *nentries))) { + status = errno; + goto err_lock; + } + fupd = upd; - (void) memset(upd, 0, sizeof(kdb_incr_update_t)* *nentries); + (void) memset(upd, 0, sizeof(kdb_incr_update_t)* *nentries); if ((status = ulog_conv_2logentry(kcontext, entries, upd, *nentries))) - goto err_lock; + goto err_lock; } status = ulog_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE); if (status != 0) - goto err_lock; + goto err_lock; ulog_locked = 1; for (i = 0; i < *nentries; i++) { if (fupd) { - if ((status = krb5_unparse_name(kcontext, entries->princ, - &princ_name))) - goto err_lock; + if ((status = krb5_unparse_name(kcontext, entries->princ, + &princ_name))) + goto err_lock; - upd->kdb_princ_name.utf8str_t_val = princ_name; - upd->kdb_princ_name.utf8str_t_len = strlen(princ_name); + upd->kdb_princ_name.utf8str_t_val = princ_name; + upd->kdb_princ_name.utf8str_t_len = strlen(princ_name); - if ((status = ulog_add_update(kcontext, upd)) != 0) - goto err_lock; - upd++; + if ((status = ulog_add_update(kcontext, upd)) != 0) + goto err_lock; + upd++; } } if (v->db_put_principal == NULL) { - status = KRB5_KDB_DBTYPE_NOSUP; - goto err_lock; + status = KRB5_KDB_DBTYPE_NOSUP; + goto err_lock; } status = v->db_put_principal(kcontext, entries, nentries, db_args); get_errmsg(kcontext, status); if (status == 0 && fupd) { - upd = fupd; - for (i = 0; i < *nentries; i++) { - (void) ulog_finish_update(kcontext, upd); - upd++; - } + upd = fupd; + for (i = 0; i < *nentries; i++) { + (void) ulog_finish_update(kcontext, upd); + upd++; + } } err_lock: if (ulog_locked) - ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); + ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); clean_n_exit: free_db_args(kcontext, db_args); if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) - ulog_free_entries(fupd, *nentries); + ulog_free_entries(fupd, *nentries); return status; } krb5_error_code krb5int_delete_principal_no_log(krb5_context kcontext, - krb5_principal search_for, - int *nentries) + krb5_principal search_for, + int *nentries) { kdb_vftabl *v; krb5_error_code status; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_delete_principal == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_delete_principal(kcontext, search_for, nentries); get_errmsg(kcontext, status); return status; @@ -1057,7 +1058,7 @@ krb5int_delete_principal_no_log(krb5_context kcontext, krb5_error_code krb5_db_delete_principal(krb5_context kcontext, - krb5_principal search_for, int *nentries) + krb5_principal search_for, int *nentries) { krb5_error_code status = 0; kdb_vftabl *v; @@ -1069,36 +1070,36 @@ krb5_db_delete_principal(krb5_context kcontext, status = get_vftabl(kcontext, &v); if (status) - return status; + return status; status = ulog_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE); if (status) - return status; + return status; /* * We'll be sharing the same locks as db for logging */ if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) { - if ((status = krb5_unparse_name(kcontext, search_for, &princ_name))) { - ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); - return status; - } + if ((status = krb5_unparse_name(kcontext, search_for, &princ_name))) { + ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); + return status; + } - (void) memset(&upd, 0, sizeof (kdb_incr_update_t)); + (void) memset(&upd, 0, sizeof (kdb_incr_update_t)); - upd.kdb_princ_name.utf8str_t_val = princ_name; - upd.kdb_princ_name.utf8str_t_len = strlen(princ_name); + upd.kdb_princ_name.utf8str_t_val = princ_name; + upd.kdb_princ_name.utf8str_t_len = strlen(princ_name); - if ((status = ulog_delete_update(kcontext, &upd)) != 0) { - ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); - free(princ_name); - return status; - } + if ((status = ulog_delete_update(kcontext, &upd)) != 0) { + ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); + free(princ_name); + return status; + } - free(princ_name); + free(princ_name); } if (v->db_delete_principal == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_delete_principal(kcontext, search_for, nentries); get_errmsg(kcontext, status); @@ -1107,8 +1108,8 @@ krb5_db_delete_principal(krb5_context kcontext, * We need to commit our update upon success */ if (!status) - if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) - (void) ulog_finish_update(kcontext, &upd); + if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) + (void) ulog_finish_update(kcontext, &upd); ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); @@ -1117,18 +1118,18 @@ krb5_db_delete_principal(krb5_context kcontext, krb5_error_code krb5_db_iterate(krb5_context kcontext, - char *match_entry, - int (*func) (krb5_pointer, krb5_db_entry *), - krb5_pointer func_arg) + char *match_entry, + int (*func) (krb5_pointer, krb5_db_entry *), + krb5_pointer func_arg) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_iterate == NULL) - return 0; + return 0; status = v->db_iterate(kcontext, match_entry, func, func_arg); get_errmsg(kcontext, status); return status; @@ -1142,9 +1143,9 @@ krb5_supported_realms(krb5_context kcontext, char **realms) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_supported_realms == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_supported_realms(kcontext, realms); get_errmsg(kcontext, status); return status; @@ -1158,9 +1159,9 @@ krb5_free_supported_realms(krb5_context kcontext, char **realms) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_free_supported_realms == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_free_supported_realms(kcontext, realms); get_errmsg(kcontext, status); return status; @@ -1168,14 +1169,14 @@ krb5_free_supported_realms(krb5_context kcontext, char **realms) krb5_error_code krb5_db_set_master_key_ext(krb5_context kcontext, - char *pwd, krb5_keyblock * key) + char *pwd, krb5_keyblock * key) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; status = v->set_master_key(kcontext, pwd, key); get_errmsg(kcontext, status); return status; @@ -1196,7 +1197,7 @@ krb5_db_set_mkey_list(krb5_context kcontext, status = get_vftabl(kcontext, &v); if (status) - return status; + return status; status = v->set_master_key_list(kcontext, keylist); get_errmsg(kcontext, status); return status; @@ -1210,7 +1211,7 @@ krb5_db_get_mkey(krb5_context kcontext, krb5_keyblock ** key) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; status = v->get_master_key(kcontext, key); get_errmsg(kcontext, status); return status; @@ -1224,9 +1225,9 @@ krb5_db_get_mkey_list(krb5_context kcontext, krb5_keylist_node ** keylist) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->get_master_key_list == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->get_master_key_list(kcontext, keylist); get_errmsg(kcontext, status); return status; @@ -1234,17 +1235,17 @@ krb5_db_get_mkey_list(krb5_context kcontext, krb5_keylist_node ** keylist) krb5_error_code krb5_db_fetch_mkey_list(krb5_context context, - krb5_principal mname, - const krb5_keyblock * mkey, - krb5_kvno mkvno, - krb5_keylist_node **mkey_list) + krb5_principal mname, + const krb5_keyblock * mkey, + krb5_kvno mkvno, + krb5_keylist_node **mkey_list) { kdb_vftabl *v; krb5_error_code status = 0; status = get_vftabl(context, &v); if (status) - return status; + return status; status = v->fetch_master_key_list(context, mname, mkey, mkvno, mkey_list); get_errmsg(context, status); return status; @@ -1268,42 +1269,42 @@ krb5_db_free_mkey_list(krb5_context context, krb5_error_code krb5_db_store_master_key(krb5_context kcontext, - char *keyfile, - krb5_principal mname, - krb5_kvno kvno, - krb5_keyblock * key, char *master_pwd) + char *keyfile, + krb5_principal mname, + krb5_kvno kvno, + krb5_keyblock * key, char *master_pwd) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->store_master_key == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->store_master_key(kcontext, keyfile, mname, kvno, key, - master_pwd); + master_pwd); get_errmsg(kcontext, status); return status; } krb5_error_code krb5_db_store_master_key_list(krb5_context kcontext, - char *keyfile, - krb5_principal mname, - krb5_keylist_node *keylist, - char *master_pwd) + char *keyfile, + krb5_principal mname, + krb5_keylist_node *keylist, + char *master_pwd) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->store_master_key_list == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->store_master_key_list(kcontext, keyfile, mname, keylist, - master_pwd); + master_pwd); get_errmsg(kcontext, status); return status; } @@ -1331,24 +1332,24 @@ krb5_db_fetch_mkey(krb5_context context, memset(&tmp_key, 0, sizeof(tmp_key)); if (fromkeyboard) { - krb5_data scratch; - - if ((retval = krb5_read_password(context, krb5_mkey_pwd_prompt1, - twice ? krb5_mkey_pwd_prompt2 : 0, - password, &size))) { - goto clean_n_exit; - } - - pwd.data = password; - pwd.length = size; - if (!salt) { - retval = krb5_principal2salt(context, mname, &scratch); - if (retval) - goto clean_n_exit; - } - retval = - krb5_c_string_to_key(context, etype, &pwd, salt ? salt : &scratch, - key); + krb5_data scratch; + + if ((retval = krb5_read_password(context, krb5_mkey_pwd_prompt1, + twice ? krb5_mkey_pwd_prompt2 : 0, + password, &size))) { + goto clean_n_exit; + } + + pwd.data = password; + pwd.length = size; + if (!salt) { + retval = krb5_principal2salt(context, mname, &scratch); + if (retval) + goto clean_n_exit; + } + retval = + krb5_c_string_to_key(context, etype, &pwd, salt ? salt : &scratch, + key); /* * If a kvno pointer was passed in and it dereferences the IGNORE_VNO * value then it should be assigned the value of the kvno associated @@ -1363,9 +1364,9 @@ krb5_db_fetch_mkey(krb5_context context, krb5_db_entry master_entry; rc = krb5_db_get_principal(context, mname, - &master_entry, &nentries, &more); + &master_entry, &nentries, &more); - if (rc == 0 && nentries == 1 && more == FALSE) + if (rc == 0 && nentries == 1 && more == FALSE) *kvno = (krb5_kvno) master_entry.key_data->key_data_kvno; else *kvno = 1; @@ -1374,45 +1375,45 @@ krb5_db_fetch_mkey(krb5_context context, krb5_db_free_principal(context, &master_entry, nentries); } - if (!salt) - free(scratch.data); - zap(password, sizeof(password)); /* erase it */ + if (!salt) + free(scratch.data); + zap(password, sizeof(password)); /* erase it */ } else { - kdb_vftabl *v; + kdb_vftabl *v; - if (context->dal_handle == NULL) { - retval = krb5_db_setup_lib_handle(context); - if (retval) - goto clean_n_exit; - } + if (context->dal_handle == NULL) { + retval = krb5_db_setup_lib_handle(context); + if (retval) + goto clean_n_exit; + } /* get the enctype from the stash */ - tmp_key.enctype = ENCTYPE_UNKNOWN; + tmp_key.enctype = ENCTYPE_UNKNOWN; - v = &context->dal_handle->lib_handle->vftabl; - retval = v->fetch_master_key(context, mname, &tmp_key, kvno, db_args); - get_errmsg(context, retval); + v = &context->dal_handle->lib_handle->vftabl; + retval = v->fetch_master_key(context, mname, &tmp_key, kvno, db_args); + get_errmsg(context, retval); - if (retval) - goto clean_n_exit; + if (retval) + goto clean_n_exit; - key->contents = malloc(tmp_key.length); - if (key->contents == NULL) { - retval = ENOMEM; - goto clean_n_exit; - } + key->contents = malloc(tmp_key.length); + if (key->contents == NULL) { + retval = ENOMEM; + goto clean_n_exit; + } - key->magic = tmp_key.magic; - key->enctype = tmp_key.enctype; - key->length = tmp_key.length; - memcpy(key->contents, tmp_key.contents, tmp_key.length); + key->magic = tmp_key.magic; + key->enctype = tmp_key.enctype; + key->length = tmp_key.length; + memcpy(key->contents, tmp_key.contents, tmp_key.length); } clean_n_exit: if (tmp_key.contents) { - zap(tmp_key.contents, tmp_key.length); - krb5_db_free(context, tmp_key.contents); + zap(tmp_key.contents, tmp_key.length); + krb5_db_free(context, tmp_key.contents); } return retval; } @@ -1428,9 +1429,9 @@ krb5_db_verify_master_key(krb5_context kcontext, status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->verify_master_key == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->verify_master_key(kcontext, mprinc, kvno, mkey); get_errmsg(kcontext, status); return status; @@ -1506,13 +1507,13 @@ krb5_dbe_find_act_mkey(krb5_context context, krb5_error_code retval; krb5_keylist_node *cur_keyblock = mkey_list; krb5_actkvno_node *prev_actkvno, *cur_actkvno; - krb5_timestamp now; - krb5_boolean found = FALSE; + krb5_timestamp now; + krb5_boolean found = FALSE; if (act_mkey_list == NULL) { - *act_kvno = 0; - *act_mkey = NULL; - return 0; + *act_kvno = 0; + *act_mkey = NULL; + return 0; } if ((retval = krb5_timeofday(context, &now))) @@ -1613,7 +1614,7 @@ krb5_db_alloc(krb5_context kcontext, void *ptr, size_t size) status = get_vftabl(kcontext, &v); if (status) - return NULL; + return NULL; return v->db_alloc(kcontext, ptr, size); } @@ -1625,7 +1626,7 @@ krb5_db_free(krb5_context kcontext, void *ptr) status = get_vftabl(kcontext, &v); if (status) - return; + return; v->db_free(kcontext, ptr); } @@ -1633,59 +1634,59 @@ krb5_db_free(krb5_context kcontext, void *ptr) krb5_error_code krb5_dbe_find_enctype(krb5_context kcontext, - krb5_db_entry * dbentp, - krb5_int32 ktype, - krb5_int32 stype, - krb5_int32 kvno, krb5_key_data ** kdatap) + krb5_db_entry * dbentp, + krb5_int32 ktype, + krb5_int32 stype, + krb5_int32 kvno, krb5_key_data ** kdatap) { krb5_int32 start = 0; return krb5_dbe_search_enctype(kcontext, dbentp, &start, ktype, stype, - kvno, kdatap); + kvno, kdatap); } krb5_error_code krb5_dbe_search_enctype(krb5_context kcontext, - krb5_db_entry * dbentp, - krb5_int32 * start, - krb5_int32 ktype, - krb5_int32 stype, - krb5_int32 kvno, krb5_key_data ** kdatap) + krb5_db_entry * dbentp, + krb5_int32 * start, + krb5_int32 ktype, + krb5_int32 stype, + krb5_int32 kvno, krb5_key_data ** kdatap) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; status = v->dbe_search_enctype(kcontext, dbentp, start, ktype, stype, - kvno, kdatap); + kvno, kdatap); get_errmsg(kcontext, status); return status; } -#define REALM_SEP_STRING "@" +#define REALM_SEP_STRING "@" krb5_error_code krb5_db_setup_mkey_name(krb5_context context, - const char *keyname, - const char *realm, - char **fullname, krb5_principal * principal) + const char *keyname, + const char *realm, + char **fullname, krb5_principal * principal) { krb5_error_code retval; char *fname; if (!keyname) - keyname = KRB5_KDB_M_NAME; /* XXX external? */ + keyname = KRB5_KDB_M_NAME; /* XXX external? */ if (asprintf(&fname, "%s%s%s", keyname, REALM_SEP_STRING, realm) < 0) - return ENOMEM; + return ENOMEM; if ((retval = krb5_parse_name(context, fname, principal))) - return retval; + return retval; if (fullname) - *fullname = fname; + *fullname = fname; else - free(fname); + free(fname); return 0; } @@ -1702,11 +1703,11 @@ krb5_dbe_lookup_last_pwd_change(context, entry, stamp) tl_data.tl_data_type = KRB5_TL_LAST_PWD_CHANGE; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return (code); + return (code); if (tl_data.tl_data_length != 4) { - *stamp = 0; - return (0); + *stamp = 0; + return (0); } krb5_kdb_decode_int32(tl_data.tl_data_contents, tmp); @@ -1725,10 +1726,10 @@ krb5_dbe_lookup_tl_data(context, entry, ret_tl_data) krb5_tl_data *tl_data; for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) { - if (tl_data->tl_data_type == ret_tl_data->tl_data_type) { - *ret_tl_data = *tl_data; - return (0); - } + if (tl_data->tl_data_type == ret_tl_data->tl_data_type) { + *ret_tl_data = *tl_data; + return (0); + } } /* @@ -1748,10 +1749,10 @@ krb5_dbe_create_key_data(context, entry) krb5_db_entry *entry; { if ((entry->key_data = - (krb5_key_data *) krb5_db_alloc(context, entry->key_data, - (sizeof(krb5_key_data) * - (entry->n_key_data + 1)))) == NULL) - return (ENOMEM); + (krb5_key_data *) krb5_db_alloc(context, entry->key_data, + (sizeof(krb5_key_data) * + (entry->n_key_data + 1)))) == NULL) + return (ENOMEM); memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data)); entry->n_key_data++; @@ -1774,14 +1775,14 @@ krb5_dbe_update_mod_princ_data(context, entry, mod_date, mod_princ) unsigned int unparse_mod_princ_size; if ((retval = krb5_unparse_name(context, mod_princ, &unparse_mod_princ))) - return (retval); + return (retval); unparse_mod_princ_size = strlen(unparse_mod_princ) + 1; if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4)) - == NULL) { - free(unparse_mod_princ); - return (ENOMEM); + == NULL) { + free(unparse_mod_princ); + return (ENOMEM); } tl_data.tl_data_type = KRB5_TL_MOD_PRINC; @@ -1818,28 +1819,28 @@ krb5_dbe_lookup_mod_princ_data(context, entry, mod_time, mod_princ) tl_data.tl_data_type = KRB5_TL_MOD_PRINC; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return (code); + return (code); if ((tl_data.tl_data_length < 5) || - (tl_data.tl_data_contents[tl_data.tl_data_length - 1] != '\0')) - return (KRB5_KDB_TRUNCATED_RECORD); + (tl_data.tl_data_contents[tl_data.tl_data_length - 1] != '\0')) + return (KRB5_KDB_TRUNCATED_RECORD); /* Mod Date */ krb5_kdb_decode_int32(tl_data.tl_data_contents, *mod_time); /* Mod Princ */ if ((code = krb5_parse_name(context, - (const char *) (tl_data.tl_data_contents + 4), - mod_princ))) - return (code); + (const char *) (tl_data.tl_data_contents + 4), + mod_princ))) + return (code); return (0); } krb5_error_code -krb5_dbe_lookup_mkvno(krb5_context context, - krb5_db_entry *entry, - krb5_kvno *mkvno) +krb5_dbe_lookup_mkvno(krb5_context context, + krb5_db_entry *entry, + krb5_kvno *mkvno) { krb5_tl_data tl_data; krb5_error_code code; @@ -1848,13 +1849,13 @@ krb5_dbe_lookup_mkvno(krb5_context context, tl_data.tl_data_type = KRB5_TL_MKVNO; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return (code); + return (code); if (tl_data.tl_data_length == 0) { - *mkvno = 1; /* default for princs that lack the KRB5_TL_MKVNO data */ - return (0); + *mkvno = 1; /* default for princs that lack the KRB5_TL_MKVNO data */ + return (0); } else if (tl_data.tl_data_length != 2) { - return (KRB5_KDB_TRUNCATED_RECORD); + return (KRB5_KDB_TRUNCATED_RECORD); } krb5_kdb_decode_int16(tl_data.tl_data_contents, tmp); @@ -1887,7 +1888,7 @@ krb5_dbe_lookup_mkey_aux(krb5_context context, krb5_tl_data tl_data; krb5_int16 version; krb5_mkey_aux_node *head_data = NULL, *new_data = NULL, - *prev_data = NULL; + *prev_data = NULL; krb5_octet *curloc; /* current location pointer */ krb5_error_code code; @@ -2079,7 +2080,7 @@ krb5_dbe_lookup_actkvno(krb5_context context, * field. */ num_actkvno = (tl_data.tl_data_length - sizeof(version)) / - ACTKVNO_TUPLE_SIZE; + ACTKVNO_TUPLE_SIZE; prev_data = NULL; /* next_tuple points to first tuple entry in the tl_data_contents */ next_tuple = tl_data.tl_data_contents + sizeof(version); @@ -2105,8 +2106,8 @@ krb5_dbe_lookup_actkvno(krb5_context context, } } else { krb5_set_error_message (context, KRB5_KDB_BAD_VERSION, - "Illegal version number for KRB5_TL_ACTKVNO %d\n", - version); + "Illegal version number for KRB5_TL_ACTKVNO %d\n", + version); return (KRB5_KDB_BAD_VERSION); } } @@ -2183,7 +2184,7 @@ krb5_dbe_update_last_pwd_change(context, entry, stamp) krb5_timestamp stamp; { krb5_tl_data tl_data; - krb5_octet buf[4]; /* this is the encoded size of an int32 */ + krb5_octet buf[4]; /* this is the encoded size of an int32 */ tl_data.tl_data_type = KRB5_TL_LAST_PWD_CHANGE; tl_data.tl_data_length = sizeof(buf); @@ -2196,7 +2197,7 @@ krb5_dbe_update_last_pwd_change(context, entry, stamp) krb5_error_code krb5_dbe_delete_tl_data(krb5_context context, krb5_db_entry *entry, - krb5_int16 tl_data_type) + krb5_int16 tl_data_type) { krb5_tl_data *tl_data, *prev_tl_data, *free_tl_data; @@ -2245,40 +2246,40 @@ krb5_dbe_update_tl_data(context, entry, new_tl_data) * fails. */ if ((tmp = - (krb5_octet *) krb5_db_alloc(context, NULL, - new_tl_data->tl_data_length)) == NULL) - return (ENOMEM); + (krb5_octet *) krb5_db_alloc(context, NULL, + new_tl_data->tl_data_length)) == NULL) + return (ENOMEM); /* * Find an existing entry of the specified type and point at * it, or NULL if not found. */ - if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */ - for (tl_data = entry->tl_data; tl_data; - tl_data = tl_data->tl_data_next) - if (tl_data->tl_data_type == new_tl_data->tl_data_type) - break; + if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */ + for (tl_data = entry->tl_data; tl_data; + tl_data = tl_data->tl_data_next) + if (tl_data->tl_data_type == new_tl_data->tl_data_type) + break; } /* If necessary, chain a new record in the beginning and point at it. */ if (!tl_data) { - tl_data = krb5_db_alloc(context, NULL, sizeof(krb5_tl_data)); - if (tl_data == NULL) { - free(tmp); - return (ENOMEM); - } - memset(tl_data, 0, sizeof(krb5_tl_data)); - tl_data->tl_data_next = entry->tl_data; - entry->tl_data = tl_data; - entry->n_tl_data++; + tl_data = krb5_db_alloc(context, NULL, sizeof(krb5_tl_data)); + if (tl_data == NULL) { + free(tmp); + return (ENOMEM); + } + memset(tl_data, 0, sizeof(krb5_tl_data)); + tl_data->tl_data_next = entry->tl_data; + entry->tl_data = tl_data; + entry->n_tl_data++; } /* fill in the record */ if (tl_data->tl_data_contents) - krb5_db_free(context, tl_data->tl_data_contents); + krb5_db_free(context, tl_data->tl_data_contents); tl_data->tl_data_type = new_tl_data->tl_data_type; tl_data->tl_data_length = new_tl_data->tl_data_length; @@ -2291,20 +2292,20 @@ krb5_dbe_update_tl_data(context, entry, new_tl_data) /* change password functions */ krb5_error_code krb5_dbe_cpw(krb5_context kcontext, - krb5_keyblock * master_key, - krb5_key_salt_tuple * ks_tuple, - int ks_tuple_count, - char *passwd, - int new_kvno, krb5_boolean keepold, krb5_db_entry * db_entry) + krb5_keyblock * master_key, + krb5_key_salt_tuple * ks_tuple, + int ks_tuple_count, + char *passwd, + int new_kvno, krb5_boolean keepold, krb5_db_entry * db_entry) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; status = v->db_change_pwd(kcontext, master_key, ks_tuple, ks_tuple_count, - passwd, new_kvno, keepold, db_entry); + passwd, new_kvno, keepold, db_entry); get_errmsg(kcontext, status); return status; } @@ -2318,9 +2319,9 @@ krb5_db_create_policy(krb5_context kcontext, osa_policy_ent_t policy) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_create_policy == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_create_policy(kcontext, policy); get_errmsg(kcontext, status); return status; @@ -2328,16 +2329,16 @@ krb5_db_create_policy(krb5_context kcontext, osa_policy_ent_t policy) krb5_error_code krb5_db_get_policy(krb5_context kcontext, char *name, - osa_policy_ent_t * policy, int *cnt) + osa_policy_ent_t * policy, int *cnt) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_get_policy == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_get_policy(kcontext, name, policy, cnt); get_errmsg(kcontext, status); return status; @@ -2351,9 +2352,9 @@ krb5_db_put_policy(krb5_context kcontext, osa_policy_ent_t policy) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_put_policy == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_put_policy(kcontext, policy); get_errmsg(kcontext, status); return status; @@ -2361,16 +2362,16 @@ krb5_db_put_policy(krb5_context kcontext, osa_policy_ent_t policy) krb5_error_code krb5_db_iter_policy(krb5_context kcontext, char *match_entry, - osa_adb_iter_policy_func func, void *data) + osa_adb_iter_policy_func func, void *data) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_iter_policy == NULL) - return 0; + return 0; status = v->db_iter_policy(kcontext, match_entry, func, data); get_errmsg(kcontext, status); return status; @@ -2384,9 +2385,9 @@ krb5_db_delete_policy(krb5_context kcontext, char *policy) status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_delete_policy == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; status = v->db_delete_policy(kcontext, policy); get_errmsg(kcontext, status); return status; @@ -2400,7 +2401,7 @@ krb5_db_free_policy(krb5_context kcontext, osa_policy_ent_t policy) status = get_vftabl(kcontext, &v); if (status || v->db_free_policy == NULL) - return; + return; v->db_free_policy(kcontext, policy); get_errmsg(kcontext, status); } @@ -2414,16 +2415,16 @@ krb5_db_promote(krb5_context kcontext, char **db_args) section = kdb_get_conf_section(kcontext); if (section == NULL) { - status = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message (kcontext, status, - "unable to determine configuration section for realm %s\n", - kcontext->default_realm); - goto clean_n_exit; + status = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message (kcontext, status, + "unable to determine configuration section for realm %s\n", + kcontext->default_realm); + goto clean_n_exit; } status = get_vftabl(kcontext, &v); if (status) - goto clean_n_exit; + goto clean_n_exit; status = v->promote_db(kcontext, section, db_args); get_errmsg(kcontext, status); @@ -2433,37 +2434,37 @@ clean_n_exit: } krb5_error_code -krb5_dbekd_decrypt_key_data( krb5_context kcontext, - const krb5_keyblock * mkey, - const krb5_key_data * key_data, - krb5_keyblock * dbkey, - krb5_keysalt * keysalt) +krb5_dbekd_decrypt_key_data( krb5_context kcontext, + const krb5_keyblock * mkey, + const krb5_key_data * key_data, + krb5_keyblock * dbkey, + krb5_keysalt * keysalt) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; return v->dbekd_decrypt_key_data(kcontext, mkey, key_data, dbkey, keysalt); } krb5_error_code -krb5_dbekd_encrypt_key_data( krb5_context kcontext, - const krb5_keyblock * mkey, - const krb5_keyblock * dbkey, - const krb5_keysalt * keysalt, - int keyver, - krb5_key_data * key_data) +krb5_dbekd_encrypt_key_data( krb5_context kcontext, + const krb5_keyblock * mkey, + const krb5_keyblock * dbkey, + const krb5_keysalt * keysalt, + int keyver, + krb5_key_data * key_data) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; return v->dbekd_encrypt_key_data(kcontext, mkey, dbkey, keysalt, keyver, - key_data); + key_data); } krb5_error_code @@ -2471,7 +2472,7 @@ krb5_db_get_context(krb5_context context, void **db_context) { *db_context = KRB5_DB_GET_DB_CONTEXT(context); if (*db_context == NULL) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; return 0; } @@ -2485,17 +2486,17 @@ krb5_db_set_context(krb5_context context, void *db_context) krb5_error_code krb5_db_invoke(krb5_context kcontext, - unsigned int method, - const krb5_data *req, - krb5_data *rep) + unsigned int method, + const krb5_data *req, + krb5_data *rep) { krb5_error_code status = 0; kdb_vftabl *v; status = get_vftabl(kcontext, &v); if (status) - return status; + return status; if (v->db_invoke == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_KDB_DBTYPE_NOSUP; return v->db_invoke(kcontext, method, req, rep); } diff --git a/src/lib/kdb/kdb5.h b/src/lib/kdb/kdb5.h index e3a1f2633..eb9e15ce2 100644 --- a/src/lib/kdb/kdb5.h +++ b/src/lib/kdb/kdb5.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #ifndef _KRB5_KDB5_H_ #define _KRB5_KDB5_H_ diff --git a/src/lib/kdb/kdb5int.h b/src/lib/kdb/kdb5int.h index 40f38ad21..994f1f931 100644 --- a/src/lib/kdb/kdb5int.h +++ b/src/lib/kdb/kdb5int.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb5/kdb5int.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Private header file for the kdb5 library for internal functions */ @@ -34,11 +35,11 @@ krb5_error_code krb5int_put_principal_no_log(krb5_context kcontext, - krb5_db_entry *entries, int *nentries); + krb5_db_entry *entries, int *nentries); krb5_error_code krb5int_delete_principal_no_log(krb5_context kcontext, - krb5_principal search_for, - int *nentries); + krb5_principal search_for, + int *nentries); #endif /* __KDB5INT_H__ */ diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c index 9eacac3ea..df3019d6d 100644 --- a/src/lib/kdb/kdb_convert.c +++ b/src/lib/kdb/kdb_convert.c @@ -1,9 +1,10 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -/* #pragma ident "@(#)kdb_convert.c 1.3 05/01/05 SMI" */ +/* #pragma ident "@(#)kdb_convert.c 1.3 05/01/05 SMI" */ /* * This file contains api's for conversion of the kdb_incr_update_t @@ -20,15 +21,15 @@ #include /* BEGIN CSTYLED */ -#define ULOG_ENTRY_TYPE(upd, i) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i] +#define ULOG_ENTRY_TYPE(upd, i) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i] -#define ULOG_ENTRY(upd, i) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u +#define ULOG_ENTRY(upd, i) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u -#define ULOG_ENTRY_KEYVAL(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_keydata.av_keydata_val[j] +#define ULOG_ENTRY_KEYVAL(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_keydata.av_keydata_val[j] -#define ULOG_ENTRY_PRINC(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_princ.k_components.k_components_val[j] +#define ULOG_ENTRY_PRINC(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_princ.k_components.k_components_val[j] -#define ULOG_ENTRY_MOD_PRINC(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_mod_princ.k_components.k_components_val[j] +#define ULOG_ENTRY_MOD_PRINC(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_mod_princ.k_components.k_components_val[j] /* END CSTYLED */ typedef enum { @@ -44,99 +45,99 @@ typedef enum { */ static void find_changed_attrs(krb5_db_entry *current, krb5_db_entry *new, - krb5_boolean exclude_nra, - kdbe_attr_type_t *attrs, int *nattrs) + krb5_boolean exclude_nra, + kdbe_attr_type_t *attrs, int *nattrs) { int i = 0, j = 0; krb5_tl_data *first, *second; if (current->attributes != new->attributes) - attrs[i++] = AT_ATTRFLAGS; + attrs[i++] = AT_ATTRFLAGS; if (current->max_life != new->max_life) - attrs[i++] = AT_MAX_LIFE; + attrs[i++] = AT_MAX_LIFE; if (current->max_renewable_life != new->max_renewable_life) - attrs[i++] = AT_MAX_RENEW_LIFE; + attrs[i++] = AT_MAX_RENEW_LIFE; if (current->expiration != new->expiration) - attrs[i++] = AT_EXP; + attrs[i++] = AT_EXP; if (current->pw_expiration != new->pw_expiration) - attrs[i++] = AT_PW_EXP; + attrs[i++] = AT_PW_EXP; if (!exclude_nra) { - if (current->last_success != new->last_success) - attrs[i++] = AT_LAST_SUCCESS; + if (current->last_success != new->last_success) + attrs[i++] = AT_LAST_SUCCESS; - if (current->last_failed != new->last_failed) - attrs[i++] = AT_LAST_FAILED; + if (current->last_failed != new->last_failed) + attrs[i++] = AT_LAST_FAILED; - if (current->fail_auth_count != new->fail_auth_count) - attrs[i++] = AT_FAIL_AUTH_COUNT; + if (current->fail_auth_count != new->fail_auth_count) + attrs[i++] = AT_FAIL_AUTH_COUNT; } if ((current->princ->type == new->princ->type) && - (current->princ->length == new->princ->length)) { - if ((current->princ->realm.length == - new->princ->realm.length) && - strncmp(current->princ->realm.data, - new->princ->realm.data, - current->princ->realm.length)) { - for (j = 0; j < current->princ->length; j++) { - if ((current->princ->data[j].data != NULL) && - (strncmp(current->princ->data[j].data, - new->princ->data[j].data, - current->princ->data[j].length))) { - attrs[i++] = AT_PRINC; - break; - } - } - } else { - attrs[i++] = AT_PRINC; - } + (current->princ->length == new->princ->length)) { + if ((current->princ->realm.length == + new->princ->realm.length) && + strncmp(current->princ->realm.data, + new->princ->realm.data, + current->princ->realm.length)) { + for (j = 0; j < current->princ->length; j++) { + if ((current->princ->data[j].data != NULL) && + (strncmp(current->princ->data[j].data, + new->princ->data[j].data, + current->princ->data[j].length))) { + attrs[i++] = AT_PRINC; + break; + } + } + } else { + attrs[i++] = AT_PRINC; + } } else { - attrs[i++] = AT_PRINC; + attrs[i++] = AT_PRINC; } if (current->n_key_data == new->n_key_data) { - /* Assuming key ordering is the same in new & current */ - for (j = 0; j < new->n_key_data; j++) { - if (current->key_data[j].key_data_kvno != - new->key_data[j].key_data_kvno) { - attrs[i++] = AT_KEYDATA; - break; - } - } + /* Assuming key ordering is the same in new & current */ + for (j = 0; j < new->n_key_data; j++) { + if (current->key_data[j].key_data_kvno != + new->key_data[j].key_data_kvno) { + attrs[i++] = AT_KEYDATA; + break; + } + } } else { - attrs[i++] = AT_KEYDATA; + attrs[i++] = AT_KEYDATA; } if (current->n_tl_data == new->n_tl_data) { - /* Assuming we preserve the TL_DATA ordering between updates */ - for (first = current->tl_data, second = new->tl_data; - first; first = first->tl_data_next, - second = second->tl_data_next) { - if ((first->tl_data_length == second->tl_data_length) && - (first->tl_data_type == second->tl_data_type)) { - if ((memcmp((char *)first->tl_data_contents, - (char *)second->tl_data_contents, - first->tl_data_length)) != 0) { - attrs[i++] = AT_TL_DATA; - break; - } - } else { - attrs[i++] = AT_TL_DATA; - break; - } - } + /* Assuming we preserve the TL_DATA ordering between updates */ + for (first = current->tl_data, second = new->tl_data; + first; first = first->tl_data_next, + second = second->tl_data_next) { + if ((first->tl_data_length == second->tl_data_length) && + (first->tl_data_type == second->tl_data_type)) { + if ((memcmp((char *)first->tl_data_contents, + (char *)second->tl_data_contents, + first->tl_data_length)) != 0) { + attrs[i++] = AT_TL_DATA; + break; + } + } else { + attrs[i++] = AT_TL_DATA; + break; + } + } } else { - attrs[i++] = AT_TL_DATA; + attrs[i++] = AT_TL_DATA; } if (current->len != new->len) - attrs[i++] = AT_LEN; + attrs[i++] = AT_LEN; /* * Store the no. of (possibly :)) changed attributes */ @@ -151,12 +152,12 @@ data_to_utf8str(utf8str_t *u, krb5_data d) { u->utf8str_t_len = d.length; if (d.data) { - u->utf8str_t_val = malloc(d.length); - if (u->utf8str_t_val == NULL) - return -1; - memcpy(u->utf8str_t_val, d.data, d.length); + u->utf8str_t_val = malloc(d.length); + if (u->utf8str_t_val == NULL) + return -1; + memcpy(u->utf8str_t_val, d.data, d.length); } else - u->utf8str_t_val = NULL; + u->utf8str_t_val = NULL; return 0; } @@ -165,57 +166,57 @@ data_to_utf8str(utf8str_t *u, krb5_data d) */ static krb5_error_code conv_princ_2ulog(krb5_principal princ, kdb_incr_update_t *upd, - int cnt, princ_type tp) + int cnt, princ_type tp) { int i = 0; kdbe_princ_t *p; kdbe_data_t *components; if ((upd == NULL) || !princ) - return (KRB5KRB_ERR_GENERIC); + return (KRB5KRB_ERR_GENERIC); switch (tp) { case REG_PRINC: case MOD_PRINC: - p = &ULOG_ENTRY(upd, cnt).av_princ; /* or av_mod_princ */ - p->k_nametype = (int32_t)princ->type; - - if (data_to_utf8str(&p->k_realm, princ->realm) < 0) { - return ENOMEM; - } - - p->k_components.k_components_len = princ->length; - - p->k_components.k_components_val = components - = malloc(princ->length * sizeof (kdbe_data_t)); - if (p->k_components.k_components_val == NULL) { - free(p->k_realm.utf8str_t_val); - p->k_realm.utf8str_t_val = NULL; - return (ENOMEM); - } - - memset(components, 0, princ->length * sizeof(kdbe_data_t)); - for (i = 0; i < princ->length; i++) - components[i].k_data.utf8str_t_val = NULL; - for (i = 0; i < princ->length; i++) { - components[i].k_magic = princ->data[i].magic; - if (data_to_utf8str(&components[i].k_data, princ->data[i]) < 0) { - int j; - for (j = 0; j < i; j++) { - free(components[j].k_data.utf8str_t_val); - components[j].k_data.utf8str_t_val = NULL; - } - free(components); - p->k_components.k_components_val = NULL; - free(p->k_realm.utf8str_t_val); - p->k_realm.utf8str_t_val = NULL; - return ENOMEM; - } - } - break; + p = &ULOG_ENTRY(upd, cnt).av_princ; /* or av_mod_princ */ + p->k_nametype = (int32_t)princ->type; + + if (data_to_utf8str(&p->k_realm, princ->realm) < 0) { + return ENOMEM; + } + + p->k_components.k_components_len = princ->length; + + p->k_components.k_components_val = components + = malloc(princ->length * sizeof (kdbe_data_t)); + if (p->k_components.k_components_val == NULL) { + free(p->k_realm.utf8str_t_val); + p->k_realm.utf8str_t_val = NULL; + return (ENOMEM); + } + + memset(components, 0, princ->length * sizeof(kdbe_data_t)); + for (i = 0; i < princ->length; i++) + components[i].k_data.utf8str_t_val = NULL; + for (i = 0; i < princ->length; i++) { + components[i].k_magic = princ->data[i].magic; + if (data_to_utf8str(&components[i].k_data, princ->data[i]) < 0) { + int j; + for (j = 0; j < i; j++) { + free(components[j].k_data.utf8str_t_val); + components[j].k_data.utf8str_t_val = NULL; + } + free(components); + p->k_components.k_components_val = NULL; + free(p->k_realm.utf8str_t_val); + p->k_realm.utf8str_t_val = NULL; + return ENOMEM; + } + } + break; default: - break; + break; } return (0); } @@ -230,15 +231,15 @@ static void set_from_utf8str(krb5_data *d, utf8str_t u) { if (u.utf8str_t_len > INT_MAX-1 || u.utf8str_t_len >= SIZE_MAX-1) { - d->data = NULL; - return; + d->data = NULL; + return; } d->length = u.utf8str_t_len; d->data = malloc(d->length + 1); if (d->data == NULL) - return; - if (d->length) /* Pointer may be null if length = 0. */ - strncpy(d->data, u.utf8str_t_val, d->length); + return; + if (d->length) /* Pointer may be null if length = 0. */ + strncpy(d->data, u.utf8str_t_val, d->length); d->data[d->length] = 0; } @@ -254,7 +255,7 @@ conv_princ_2db(krb5_context context, kdbe_princ_t *kdbe_princ) princ = calloc(1, sizeof (krb5_principal_data)); if (princ == NULL) { - return NULL; + return NULL; } princ->length = 0; princ->data = NULL; @@ -265,21 +266,21 @@ conv_princ_2db(krb5_context context, kdbe_princ_t *kdbe_princ) princ->realm.data = NULL; set_from_utf8str(&princ->realm, kdbe_princ->k_realm); if (princ->realm.data == NULL) - goto error; + goto error; princ->data = calloc(kdbe_princ->k_components.k_components_len, - sizeof (krb5_data)); + sizeof (krb5_data)); if (princ->data == NULL) - goto error; + goto error; for (i = 0; i < kdbe_princ->k_components.k_components_len; i++) - princ->data[i].data = NULL; + princ->data[i].data = NULL; princ->length = (krb5_int32)kdbe_princ->k_components.k_components_len; for (i = 0; i < princ->length; i++) { - princ->data[i].magic = components[i].k_magic; - set_from_utf8str(&princ->data[i], components[i].k_data); - if (princ->data[i].data == NULL) - goto error; + princ->data[i].magic = components[i].k_magic; + set_from_utf8str(&princ->data[i], components[i].k_data); + if (princ->data[i].data == NULL) + goto error; } return princ; @@ -296,8 +297,8 @@ error: */ krb5_error_code ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries, - kdb_incr_update_t *updates, - int nentries) + kdb_incr_update_t *updates, + int nentries) { int i, j, k, cnt, final, nattrs, tmpint, nprincs; unsigned int more; @@ -313,294 +314,294 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries, krb5_boolean exclude_nra = TRUE; if ((updates == NULL) || (entries == NULL)) - return (KRB5KRB_ERR_GENERIC); + return (KRB5KRB_ERR_GENERIC); upd = updates; ent = entries; for (k = 0; k < nentries; k++) { - nprincs = nattrs = tmpint = 0; - final = -1; - kadm_data_yes = 0; - attr_types = NULL; - - /* - * XXX we rely on the good behaviour of the database not to - * exceed this limit. - */ - if ((upd->kdb_update.kdbe_t_val = (kdbe_val_t *) - malloc(MAXENTRY_SIZE)) == NULL) { - return (ENOMEM); - } - - /* - * Find out which attrs have been modified - */ - if ((attr_types = (kdbe_attr_type_t *)malloc( - sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE)) - == NULL) { - return (ENOMEM); - } - - if ((ret = krb5_db_get_principal(context, ent->princ, &curr, - &nprincs, &more))) { - free(attr_types); - return (ret); - } - - if (nprincs == 0) { - /* - * This is a new entry to the database, hence will - * include all the attribute-value pairs - * - * We leave out the TL_DATA types which we model as - * attrs in kdbe_attr_type_t, since listing AT_TL_DATA - * encompasses these other types-turned-attributes - * - * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME, - * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY, - * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST, - * totalling 8 attrs. - */ - while (nattrs < MAXATTRS_SIZE - 8) { - attr_types[nattrs] = nattrs; - nattrs++; - } - } else { - find_changed_attrs(&curr, ent, exclude_nra, attr_types, &nattrs); - - krb5_db_free_principal(context, &curr, nprincs); - } - - for (i = 0; i < nattrs; i++) { - switch (attr_types[i]) { - case AT_ATTRFLAGS: - if (ent->attributes >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_ATTRFLAGS; - ULOG_ENTRY(upd, final).av_attrflags = - (uint32_t)ent->attributes; - } - break; - - case AT_MAX_LIFE: - if (ent->max_life >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MAX_LIFE; - ULOG_ENTRY(upd, final).av_max_life = - (uint32_t)ent->max_life; - } - break; - - case AT_MAX_RENEW_LIFE: - if (ent->max_renewable_life >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MAX_RENEW_LIFE; - ULOG_ENTRY(upd, - final).av_max_renew_life = - (uint32_t)ent->max_renewable_life; - } - break; - - case AT_EXP: - if (ent->expiration >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_EXP; - ULOG_ENTRY(upd, final).av_exp = - (uint32_t)ent->expiration; - } - break; - - case AT_PW_EXP: - if (ent->pw_expiration >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_PW_EXP; - ULOG_ENTRY(upd, final).av_pw_exp = - (uint32_t)ent->pw_expiration; - } - break; - - case AT_LAST_SUCCESS: - if (!exclude_nra && ent->last_success >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_LAST_SUCCESS; - ULOG_ENTRY(upd, - final).av_last_success = - (uint32_t)ent->last_success; - } - break; - - case AT_LAST_FAILED: - if (!exclude_nra && ent->last_failed >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_LAST_FAILED; - ULOG_ENTRY(upd, - final).av_last_failed = - (uint32_t)ent->last_failed; - } - break; - - case AT_FAIL_AUTH_COUNT: - if (!exclude_nra && ent->fail_auth_count >= (krb5_kvno)0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_FAIL_AUTH_COUNT; - ULOG_ENTRY(upd, - final).av_fail_auth_count = - (uint32_t)ent->fail_auth_count; - } - break; - - case AT_PRINC: - if (ent->princ->length > 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_PRINC; - if ((ret = conv_princ_2ulog(ent->princ, - upd, final, REG_PRINC))) { - free(attr_types); - return (ret); - } - } - break; - - case AT_KEYDATA: + nprincs = nattrs = tmpint = 0; + final = -1; + kadm_data_yes = 0; + attr_types = NULL; + + /* + * XXX we rely on the good behaviour of the database not to + * exceed this limit. + */ + if ((upd->kdb_update.kdbe_t_val = (kdbe_val_t *) + malloc(MAXENTRY_SIZE)) == NULL) { + return (ENOMEM); + } + + /* + * Find out which attrs have been modified + */ + if ((attr_types = (kdbe_attr_type_t *)malloc( + sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE)) + == NULL) { + return (ENOMEM); + } + + if ((ret = krb5_db_get_principal(context, ent->princ, &curr, + &nprincs, &more))) { + free(attr_types); + return (ret); + } + + if (nprincs == 0) { + /* + * This is a new entry to the database, hence will + * include all the attribute-value pairs + * + * We leave out the TL_DATA types which we model as + * attrs in kdbe_attr_type_t, since listing AT_TL_DATA + * encompasses these other types-turned-attributes + * + * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME, + * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY, + * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST, + * totalling 8 attrs. + */ + while (nattrs < MAXATTRS_SIZE - 8) { + attr_types[nattrs] = nattrs; + nattrs++; + } + } else { + find_changed_attrs(&curr, ent, exclude_nra, attr_types, &nattrs); + + krb5_db_free_principal(context, &curr, nprincs); + } + + for (i = 0; i < nattrs; i++) { + switch (attr_types[i]) { + case AT_ATTRFLAGS: + if (ent->attributes >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_ATTRFLAGS; + ULOG_ENTRY(upd, final).av_attrflags = + (uint32_t)ent->attributes; + } + break; + + case AT_MAX_LIFE: + if (ent->max_life >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_MAX_LIFE; + ULOG_ENTRY(upd, final).av_max_life = + (uint32_t)ent->max_life; + } + break; + + case AT_MAX_RENEW_LIFE: + if (ent->max_renewable_life >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_MAX_RENEW_LIFE; + ULOG_ENTRY(upd, + final).av_max_renew_life = + (uint32_t)ent->max_renewable_life; + } + break; + + case AT_EXP: + if (ent->expiration >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_EXP; + ULOG_ENTRY(upd, final).av_exp = + (uint32_t)ent->expiration; + } + break; + + case AT_PW_EXP: + if (ent->pw_expiration >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_PW_EXP; + ULOG_ENTRY(upd, final).av_pw_exp = + (uint32_t)ent->pw_expiration; + } + break; + + case AT_LAST_SUCCESS: + if (!exclude_nra && ent->last_success >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_LAST_SUCCESS; + ULOG_ENTRY(upd, + final).av_last_success = + (uint32_t)ent->last_success; + } + break; + + case AT_LAST_FAILED: + if (!exclude_nra && ent->last_failed >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_LAST_FAILED; + ULOG_ENTRY(upd, + final).av_last_failed = + (uint32_t)ent->last_failed; + } + break; + + case AT_FAIL_AUTH_COUNT: + if (!exclude_nra && ent->fail_auth_count >= (krb5_kvno)0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_FAIL_AUTH_COUNT; + ULOG_ENTRY(upd, + final).av_fail_auth_count = + (uint32_t)ent->fail_auth_count; + } + break; + + case AT_PRINC: + if (ent->princ->length > 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_PRINC; + if ((ret = conv_princ_2ulog(ent->princ, + upd, final, REG_PRINC))) { + free(attr_types); + return (ret); + } + } + break; + + case AT_KEYDATA: /* BEGIN CSTYLED */ - if (ent->n_key_data >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_KEYDATA; - ULOG_ENTRY(upd, final).av_keydata.av_keydata_len = ent->n_key_data; - - ULOG_ENTRY(upd, final).av_keydata.av_keydata_val = malloc(ent->n_key_data * sizeof (kdbe_key_t)); - if (ULOG_ENTRY(upd, final).av_keydata.av_keydata_val == NULL) { - free(attr_types); - return (ENOMEM); - } - - for (j = 0; j < ent->n_key_data; j++) { - ULOG_ENTRY_KEYVAL(upd, final, j).k_ver = ent->key_data[j].key_data_ver; - ULOG_ENTRY_KEYVAL(upd, final, j).k_kvno = ent->key_data[j].key_data_kvno; - ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_len = ent->key_data[j].key_data_ver; - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_len = ent->key_data[j].key_data_ver; - - ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val = malloc(ent->key_data[j].key_data_ver * sizeof(int32_t)); - if (ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val == NULL) { - free(attr_types); - return (ENOMEM); - } - - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val = malloc(ent->key_data[j].key_data_ver * sizeof(utf8str_t)); - if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val == NULL) { - free(attr_types); - return (ENOMEM); - } - - for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) { - ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val[cnt] = ent->key_data[j].key_data_type[cnt]; - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = ent->key_data[j].key_data_length[cnt]; - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(ent->key_data[j].key_data_length[cnt] * sizeof (char)); - if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) { - free(attr_types); - return (ENOMEM); - } - (void) memcpy(ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]); - } - } - } - break; - - case AT_TL_DATA: - ret = krb5_dbe_lookup_last_pwd_change(context, - ent, &tmpint); - if (ret == 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_PW_LAST_CHANGE; - ULOG_ENTRY(upd, final).av_pw_last_change = tmpint; - } - tmpint = 0; - - if(!(ret = krb5_dbe_lookup_mod_princ_data( - context, ent, &tmpint, &tmpprinc))) { - - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MOD_PRINC; - - ret = conv_princ_2ulog(tmpprinc, - upd, final, MOD_PRINC); - krb5_free_principal(context, tmpprinc); - if (ret) { - free(attr_types); - return (ret); - } - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MOD_TIME; - ULOG_ENTRY(upd, final).av_mod_time = - tmpint; - } - - newtl = ent->tl_data; - while (newtl) { - switch (newtl->tl_data_type) { - case KRB5_TL_LAST_PWD_CHANGE: - case KRB5_TL_MOD_PRINC: - break; - - case KRB5_TL_KADM_DATA: - default: - if (kadm_data_yes == 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = AT_TL_DATA; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_len = 0; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val = malloc(ent->n_tl_data * sizeof(kdbe_tl_t)); - - if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val == NULL) { - free(attr_types); - return (ENOMEM); - } - kadm_data_yes = 1; - } - - tmpint = ULOG_ENTRY(upd, final).av_tldata.av_tldata_len; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_len++; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char)); - if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) { - free(attr_types); - return (ENOMEM); - } - (void) memcpy(ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length); - break; - } - newtl = newtl->tl_data_next; - } - break; + if (ent->n_key_data >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_KEYDATA; + ULOG_ENTRY(upd, final).av_keydata.av_keydata_len = ent->n_key_data; + + ULOG_ENTRY(upd, final).av_keydata.av_keydata_val = malloc(ent->n_key_data * sizeof (kdbe_key_t)); + if (ULOG_ENTRY(upd, final).av_keydata.av_keydata_val == NULL) { + free(attr_types); + return (ENOMEM); + } + + for (j = 0; j < ent->n_key_data; j++) { + ULOG_ENTRY_KEYVAL(upd, final, j).k_ver = ent->key_data[j].key_data_ver; + ULOG_ENTRY_KEYVAL(upd, final, j).k_kvno = ent->key_data[j].key_data_kvno; + ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_len = ent->key_data[j].key_data_ver; + ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_len = ent->key_data[j].key_data_ver; + + ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val = malloc(ent->key_data[j].key_data_ver * sizeof(int32_t)); + if (ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val == NULL) { + free(attr_types); + return (ENOMEM); + } + + ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val = malloc(ent->key_data[j].key_data_ver * sizeof(utf8str_t)); + if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val == NULL) { + free(attr_types); + return (ENOMEM); + } + + for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) { + ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val[cnt] = ent->key_data[j].key_data_type[cnt]; + ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = ent->key_data[j].key_data_length[cnt]; + ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(ent->key_data[j].key_data_length[cnt] * sizeof (char)); + if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) { + free(attr_types); + return (ENOMEM); + } + (void) memcpy(ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]); + } + } + } + break; + + case AT_TL_DATA: + ret = krb5_dbe_lookup_last_pwd_change(context, + ent, &tmpint); + if (ret == 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_PW_LAST_CHANGE; + ULOG_ENTRY(upd, final).av_pw_last_change = tmpint; + } + tmpint = 0; + + if(!(ret = krb5_dbe_lookup_mod_princ_data( + context, ent, &tmpint, &tmpprinc))) { + + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_MOD_PRINC; + + ret = conv_princ_2ulog(tmpprinc, + upd, final, MOD_PRINC); + krb5_free_principal(context, tmpprinc); + if (ret) { + free(attr_types); + return (ret); + } + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_MOD_TIME; + ULOG_ENTRY(upd, final).av_mod_time = + tmpint; + } + + newtl = ent->tl_data; + while (newtl) { + switch (newtl->tl_data_type) { + case KRB5_TL_LAST_PWD_CHANGE: + case KRB5_TL_MOD_PRINC: + break; + + case KRB5_TL_KADM_DATA: + default: + if (kadm_data_yes == 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = AT_TL_DATA; + ULOG_ENTRY(upd, final).av_tldata.av_tldata_len = 0; + ULOG_ENTRY(upd, final).av_tldata.av_tldata_val = malloc(ent->n_tl_data * sizeof(kdbe_tl_t)); + + if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val == NULL) { + free(attr_types); + return (ENOMEM); + } + kadm_data_yes = 1; + } + + tmpint = ULOG_ENTRY(upd, final).av_tldata.av_tldata_len; + ULOG_ENTRY(upd, final).av_tldata.av_tldata_len++; + ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type; + ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length; + ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char)); + if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) { + free(attr_types); + return (ENOMEM); + } + (void) memcpy(ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length); + break; + } + newtl = newtl->tl_data_next; + } + break; /* END CSTYLED */ - case AT_LEN: - if (ent->len >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_LEN; - ULOG_ENTRY(upd, final).av_len = - (int16_t)ent->len; - } - break; - - default: - break; - } - - } - - free(attr_types); - - /* - * Update len field in kdb_update - */ - upd->kdb_update.kdbe_t_len = ++final; - - /* - * Bump up to next struct - */ - upd++; - ent++; + case AT_LEN: + if (ent->len >= 0) { + ULOG_ENTRY_TYPE(upd, ++final).av_type = + AT_LEN; + ULOG_ENTRY(upd, final).av_len = + (int16_t)ent->len; + } + break; + + default: + break; + } + + } + + free(attr_types); + + /* + * Update len field in kdb_update + */ + upd->kdb_update.kdbe_t_len = ++final; + + /* + * Bump up to next struct + */ + upd++; + ent++; } return (0); } @@ -613,8 +614,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries, */ krb5_error_code ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries, - kdb_incr_update_t *updates, - int nentries) + kdb_incr_update_t *updates, + int nentries) { int k; krb5_db_entry *ent; @@ -622,248 +623,248 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries, int slave; if ((updates == NULL) || (entries == NULL)) - return (KRB5KRB_ERR_GENERIC); + return (KRB5KRB_ERR_GENERIC); ent = entries; upd = updates; slave = (context->kdblog_context != NULL) && - (context->kdblog_context->iproprole == IPROP_SLAVE); + (context->kdblog_context->iproprole == IPROP_SLAVE); for (k = 0; k < nentries; k++) { - krb5_principal mod_princ = NULL; - int i, j, cnt = 0, mod_time = 0, nattrs, nprincs = 0; - krb5_principal dbprinc; - char *dbprincstr = NULL; - - krb5_tl_data *newtl = NULL; - krb5_error_code ret; - unsigned int more; - unsigned int prev_n_keys = 0; - - /* - * If the ulog entry represents a DELETE update, - * just skip to the next entry. - */ - if (upd->kdb_deleted == TRUE) - goto next; - - /* - * Store the no. of changed attributes in nattrs - */ - nattrs = upd->kdb_update.kdbe_t_len; - - dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len + 1) - * sizeof (char)); - if (dbprincstr == NULL) - return (ENOMEM); - strncpy(dbprincstr, (char *)upd->kdb_princ_name.utf8str_t_val, - upd->kdb_princ_name.utf8str_t_len); - dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0; - - ret = krb5_parse_name(context, dbprincstr, &dbprinc); - free(dbprincstr); - if (ret) - return (ret); - - ret = krb5_db_get_principal(context, dbprinc, ent, &nprincs, - &more); - krb5_free_principal(context, dbprinc); - if (ret) - return (ret); - - /* - * Set ent->n_tl_data = 0 initially, if this is an ADD update - */ - if (nprincs == 0) - ent->n_tl_data = 0; - - for (i = 0; i < nattrs; i++) { - krb5_principal tmpprinc = NULL; + krb5_principal mod_princ = NULL; + int i, j, cnt = 0, mod_time = 0, nattrs, nprincs = 0; + krb5_principal dbprinc; + char *dbprincstr = NULL; + + krb5_tl_data *newtl = NULL; + krb5_error_code ret; + unsigned int more; + unsigned int prev_n_keys = 0; + + /* + * If the ulog entry represents a DELETE update, + * just skip to the next entry. + */ + if (upd->kdb_deleted == TRUE) + goto next; + + /* + * Store the no. of changed attributes in nattrs + */ + nattrs = upd->kdb_update.kdbe_t_len; + + dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len + 1) + * sizeof (char)); + if (dbprincstr == NULL) + return (ENOMEM); + strncpy(dbprincstr, (char *)upd->kdb_princ_name.utf8str_t_val, + upd->kdb_princ_name.utf8str_t_len); + dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0; + + ret = krb5_parse_name(context, dbprincstr, &dbprinc); + free(dbprincstr); + if (ret) + return (ret); + + ret = krb5_db_get_principal(context, dbprinc, ent, &nprincs, + &more); + krb5_free_principal(context, dbprinc); + if (ret) + return (ret); + + /* + * Set ent->n_tl_data = 0 initially, if this is an ADD update + */ + if (nprincs == 0) + ent->n_tl_data = 0; + + for (i = 0; i < nattrs; i++) { + krb5_principal tmpprinc = NULL; #define u (ULOG_ENTRY(upd, i)) - switch (ULOG_ENTRY_TYPE(upd, i).av_type) { - case AT_ATTRFLAGS: - ent->attributes = (krb5_flags) u.av_attrflags; - break; - - case AT_MAX_LIFE: - ent->max_life = (krb5_deltat) u.av_max_life; - break; - - case AT_MAX_RENEW_LIFE: - ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life; - break; - - case AT_EXP: - ent->expiration = (krb5_timestamp) u.av_exp; - break; - - case AT_PW_EXP: - ent->pw_expiration = (krb5_timestamp) u.av_pw_exp; - break; - - case AT_LAST_SUCCESS: - if (!slave) - ent->last_success = (krb5_timestamp) u.av_last_success; - break; - - case AT_LAST_FAILED: - if (!slave) - ent->last_failed = (krb5_timestamp) u.av_last_failed; - break; - - case AT_FAIL_AUTH_COUNT: - if (!slave) - ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count; - break; - - case AT_PRINC: - tmpprinc = conv_princ_2db(context, &u.av_princ); - if (tmpprinc == NULL) - return ENOMEM; - if (nprincs) - krb5_free_principal(context, ent->princ); - ent->princ = tmpprinc; - break; - - case AT_KEYDATA: - if (nprincs != 0) - prev_n_keys = ent->n_key_data; - else - prev_n_keys = 0; - ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len; - if (nprincs == 0) - ent->key_data = NULL; - - ent->key_data = (krb5_key_data *)realloc(ent->key_data, - (ent->n_key_data * - sizeof (krb5_key_data))); - /* XXX Memory leak: Old key data in - records eliminated by resizing to - smaller size. */ - if (ent->key_data == NULL) - /* XXX Memory leak: old storage. */ - return (ENOMEM); + switch (ULOG_ENTRY_TYPE(upd, i).av_type) { + case AT_ATTRFLAGS: + ent->attributes = (krb5_flags) u.av_attrflags; + break; + + case AT_MAX_LIFE: + ent->max_life = (krb5_deltat) u.av_max_life; + break; + + case AT_MAX_RENEW_LIFE: + ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life; + break; + + case AT_EXP: + ent->expiration = (krb5_timestamp) u.av_exp; + break; + + case AT_PW_EXP: + ent->pw_expiration = (krb5_timestamp) u.av_pw_exp; + break; + + case AT_LAST_SUCCESS: + if (!slave) + ent->last_success = (krb5_timestamp) u.av_last_success; + break; + + case AT_LAST_FAILED: + if (!slave) + ent->last_failed = (krb5_timestamp) u.av_last_failed; + break; + + case AT_FAIL_AUTH_COUNT: + if (!slave) + ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count; + break; + + case AT_PRINC: + tmpprinc = conv_princ_2db(context, &u.av_princ); + if (tmpprinc == NULL) + return ENOMEM; + if (nprincs) + krb5_free_principal(context, ent->princ); + ent->princ = tmpprinc; + break; + + case AT_KEYDATA: + if (nprincs != 0) + prev_n_keys = ent->n_key_data; + else + prev_n_keys = 0; + ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len; + if (nprincs == 0) + ent->key_data = NULL; + + ent->key_data = (krb5_key_data *)realloc(ent->key_data, + (ent->n_key_data * + sizeof (krb5_key_data))); + /* XXX Memory leak: Old key data in + records eliminated by resizing to + smaller size. */ + if (ent->key_data == NULL) + /* XXX Memory leak: old storage. */ + return (ENOMEM); /* BEGIN CSTYLED */ - for (j = prev_n_keys; j < ent->n_key_data; j++) { - for (cnt = 0; cnt < 2; cnt++) { - ent->key_data[j].key_data_contents[cnt] = NULL; - } - } - for (j = 0; j < ent->n_key_data; j++) { - krb5_key_data *kp = &ent->key_data[j]; - kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(upd, i, j); - kp->key_data_ver = (krb5_int16)kv->k_ver; - kp->key_data_kvno = (krb5_int16)kv->k_kvno; - if (kp->key_data_ver > 2) { - return EINVAL; /* XXX ? */ - } - - for (cnt = 0; cnt < kp->key_data_ver; cnt++) { - void *newptr; - kp->key_data_type[cnt] = (krb5_int16)kv->k_enctype.k_enctype_val[cnt]; - kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len; - newptr = realloc(kp->key_data_contents[cnt], - kp->key_data_length[cnt]); - if (newptr == NULL) - return ENOMEM; - kp->key_data_contents[cnt] = newptr; - - (void) memset(kp->key_data_contents[cnt], 0, - kp->key_data_length[cnt]); - (void) memcpy(kp->key_data_contents[cnt], - kv->k_contents.k_contents_val[cnt].utf8str_t_val, - kp->key_data_length[cnt]); - } - } - break; - - case AT_TL_DATA: { - int t; - - cnt = u.av_tldata.av_tldata_len; - newtl = calloc(cnt, sizeof (krb5_tl_data)); - if (newtl == NULL) - return (ENOMEM); - - for (j = 0, t = 0; j < cnt; j++) { - newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type; - newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len; - newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet)); - if (newtl[t].tl_data_contents == NULL) - /* XXX Memory leak: newtl - and previously - allocated elements. */ - return (ENOMEM); - - (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length); - newtl[t].tl_data_next = NULL; - if (t > 0) - newtl[t - 1].tl_data_next = &newtl[t]; - t++; - } - - if ((ret = krb5_dbe_update_tl_data(context, ent, newtl))) - return (ret); - for (j = 0; j < t; j++) - if (newtl[j].tl_data_contents) { - free(newtl[j].tl_data_contents); - newtl[j].tl_data_contents = NULL; - } - if (newtl) { - free(newtl); - newtl = NULL; - } - break; + for (j = prev_n_keys; j < ent->n_key_data; j++) { + for (cnt = 0; cnt < 2; cnt++) { + ent->key_data[j].key_data_contents[cnt] = NULL; + } + } + for (j = 0; j < ent->n_key_data; j++) { + krb5_key_data *kp = &ent->key_data[j]; + kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(upd, i, j); + kp->key_data_ver = (krb5_int16)kv->k_ver; + kp->key_data_kvno = (krb5_int16)kv->k_kvno; + if (kp->key_data_ver > 2) { + return EINVAL; /* XXX ? */ + } + + for (cnt = 0; cnt < kp->key_data_ver; cnt++) { + void *newptr; + kp->key_data_type[cnt] = (krb5_int16)kv->k_enctype.k_enctype_val[cnt]; + kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len; + newptr = realloc(kp->key_data_contents[cnt], + kp->key_data_length[cnt]); + if (newptr == NULL) + return ENOMEM; + kp->key_data_contents[cnt] = newptr; + + (void) memset(kp->key_data_contents[cnt], 0, + kp->key_data_length[cnt]); + (void) memcpy(kp->key_data_contents[cnt], + kv->k_contents.k_contents_val[cnt].utf8str_t_val, + kp->key_data_length[cnt]); + } + } + break; + + case AT_TL_DATA: { + int t; + + cnt = u.av_tldata.av_tldata_len; + newtl = calloc(cnt, sizeof (krb5_tl_data)); + if (newtl == NULL) + return (ENOMEM); + + for (j = 0, t = 0; j < cnt; j++) { + newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type; + newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len; + newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet)); + if (newtl[t].tl_data_contents == NULL) + /* XXX Memory leak: newtl + and previously + allocated elements. */ + return (ENOMEM); + + (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length); + newtl[t].tl_data_next = NULL; + if (t > 0) + newtl[t - 1].tl_data_next = &newtl[t]; + t++; + } + + if ((ret = krb5_dbe_update_tl_data(context, ent, newtl))) + return (ret); + for (j = 0; j < t; j++) + if (newtl[j].tl_data_contents) { + free(newtl[j].tl_data_contents); + newtl[j].tl_data_contents = NULL; + } + if (newtl) { + free(newtl); + newtl = NULL; + } + break; /* END CSTYLED */ - } - case AT_PW_LAST_CHANGE: - if ((ret = krb5_dbe_update_last_pwd_change(context, ent, - u.av_pw_last_change))) - return (ret); - break; - - case AT_MOD_PRINC: - tmpprinc = conv_princ_2db(context, &u.av_mod_princ); - if (tmpprinc == NULL) - return ENOMEM; - mod_princ = tmpprinc; - break; - - case AT_MOD_TIME: - mod_time = u.av_mod_time; - break; - - case AT_LEN: - ent->len = (krb5_int16) u.av_len; - break; - - default: - break; - } + } + case AT_PW_LAST_CHANGE: + if ((ret = krb5_dbe_update_last_pwd_change(context, ent, + u.av_pw_last_change))) + return (ret); + break; + + case AT_MOD_PRINC: + tmpprinc = conv_princ_2db(context, &u.av_mod_princ); + if (tmpprinc == NULL) + return ENOMEM; + mod_princ = tmpprinc; + break; + + case AT_MOD_TIME: + mod_time = u.av_mod_time; + break; + + case AT_LEN: + ent->len = (krb5_int16) u.av_len; + break; + + default: + break; + } #undef u - } - - /* - * process mod_princ_data request - */ - if (mod_time && mod_princ) { - ret = krb5_dbe_update_mod_princ_data(context, ent, - mod_time, mod_princ); - krb5_free_principal(context, mod_princ); - mod_princ = NULL; - if (ret) - return (ret); - } + } + + /* + * process mod_princ_data request + */ + if (mod_time && mod_princ) { + ret = krb5_dbe_update_mod_princ_data(context, ent, + mod_time, mod_princ); + krb5_free_principal(context, mod_princ); + mod_princ = NULL; + if (ret) + return (ret); + } next: - /* - * Bump up to next struct - */ - upd++; - ent++; + /* + * Bump up to next struct + */ + upd++; + ent++; } return (0); } @@ -881,7 +882,7 @@ ulog_free_entries(kdb_incr_update_t *updates, int no_of_updates) int i, j, k, cnt; if (updates == NULL) - return; + return; upd = updates; @@ -890,127 +891,127 @@ ulog_free_entries(kdb_incr_update_t *updates, int no_of_updates) */ for (cnt = 0; cnt < no_of_updates; cnt++) { - /* - * ulog entry - kdb_princ_name - */ - free(upd->kdb_princ_name.utf8str_t_val); + /* + * ulog entry - kdb_princ_name + */ + free(upd->kdb_princ_name.utf8str_t_val); /* BEGIN CSTYLED */ - /* - * ulog entry - kdb_kdcs_seen_by - */ - if (upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val) { - for (i = 0; i < upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_len; i++) - free(upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val[i].utf8str_t_val); - free(upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val); - } - - /* - * ulog entry - kdb_futures - */ - free(upd->kdb_futures.kdb_futures_val); - - /* - * ulog entry - kdb_update - */ - if (upd->kdb_update.kdbe_t_val) { - /* - * Loop thru all the attributes and free up stuff - */ - for (i = 0; i < upd->kdb_update.kdbe_t_len; i++) { - - /* - * Free av_key_data - */ - if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_KEYDATA) && ULOG_ENTRY(upd, i).av_keydata.av_keydata_val) { - - for (j = 0; j < ULOG_ENTRY(upd, i).av_keydata.av_keydata_len; j++) { - free(ULOG_ENTRY_KEYVAL(upd, i, j).k_enctype.k_enctype_val); - if (ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val) { - for (k = 0; k < ULOG_ENTRY_KEYVAL(upd, i, j).k_ver; k++) { - free(ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[k].utf8str_t_val); - } - free(ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val); - } - } - free(ULOG_ENTRY(upd, i).av_keydata.av_keydata_val); - } - - - /* - * Free av_tl_data - */ - if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_TL_DATA) && ULOG_ENTRY(upd, i).av_tldata.av_tldata_val) { - for (j = 0; j < ULOG_ENTRY(upd, i).av_tldata.av_tldata_len; j++) { - free(ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_val); - } - free(ULOG_ENTRY(upd, i).av_tldata.av_tldata_val); - } - - /* - * Free av_princ - */ - if (ULOG_ENTRY_TYPE(upd, i).av_type == AT_PRINC) { - free(ULOG_ENTRY(upd, i).av_princ.k_realm.utf8str_t_val); - if (ULOG_ENTRY(upd, i).av_princ.k_components.k_components_val) { - for (j = 0; j < ULOG_ENTRY(upd, i).av_princ.k_components.k_components_len; j++) { - free(ULOG_ENTRY_PRINC(upd, i, j).k_data.utf8str_t_val); - } - free(ULOG_ENTRY(upd, i).av_princ.k_components.k_components_val); - } - } - - /* - * Free av_mod_princ - */ - if (ULOG_ENTRY_TYPE(upd, i).av_type == AT_MOD_PRINC) { - free(ULOG_ENTRY(upd, i).av_mod_princ.k_realm.utf8str_t_val); - if (ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_val) { - for (j = 0; j < ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_len; j++) { - free(ULOG_ENTRY_MOD_PRINC(upd, i, j).k_data.utf8str_t_val); - } - free(ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_val); - } - } - - /* - * Free av_mod_where - */ - if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_MOD_WHERE) && ULOG_ENTRY(upd, i).av_mod_where.utf8str_t_val) - free(ULOG_ENTRY(upd, i).av_mod_where.utf8str_t_val); - - /* - * Free av_pw_policy - */ - if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_PW_POLICY) && ULOG_ENTRY(upd, i).av_pw_policy.utf8str_t_val) - free(ULOG_ENTRY(upd, i).av_pw_policy.utf8str_t_val); - - /* - * XXX: Free av_pw_hist - * - * For now, we just free the pointer - * to av_pw_hist_val, since we aren't - * populating this union member in - * the conv api function(s) anyways. - */ - if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_PW_HIST) && ULOG_ENTRY(upd, i).av_pw_hist.av_pw_hist_val) - free(ULOG_ENTRY(upd, i).av_pw_hist.av_pw_hist_val); - - } - - /* - * Free up the pointer to kdbe_t_val - */ - free(upd->kdb_update.kdbe_t_val); - } + /* + * ulog entry - kdb_kdcs_seen_by + */ + if (upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val) { + for (i = 0; i < upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_len; i++) + free(upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val[i].utf8str_t_val); + free(upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val); + } + + /* + * ulog entry - kdb_futures + */ + free(upd->kdb_futures.kdb_futures_val); + + /* + * ulog entry - kdb_update + */ + if (upd->kdb_update.kdbe_t_val) { + /* + * Loop thru all the attributes and free up stuff + */ + for (i = 0; i < upd->kdb_update.kdbe_t_len; i++) { + + /* + * Free av_key_data + */ + if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_KEYDATA) && ULOG_ENTRY(upd, i).av_keydata.av_keydata_val) { + + for (j = 0; j < ULOG_ENTRY(upd, i).av_keydata.av_keydata_len; j++) { + free(ULOG_ENTRY_KEYVAL(upd, i, j).k_enctype.k_enctype_val); + if (ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val) { + for (k = 0; k < ULOG_ENTRY_KEYVAL(upd, i, j).k_ver; k++) { + free(ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[k].utf8str_t_val); + } + free(ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val); + } + } + free(ULOG_ENTRY(upd, i).av_keydata.av_keydata_val); + } + + + /* + * Free av_tl_data + */ + if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_TL_DATA) && ULOG_ENTRY(upd, i).av_tldata.av_tldata_val) { + for (j = 0; j < ULOG_ENTRY(upd, i).av_tldata.av_tldata_len; j++) { + free(ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_val); + } + free(ULOG_ENTRY(upd, i).av_tldata.av_tldata_val); + } + + /* + * Free av_princ + */ + if (ULOG_ENTRY_TYPE(upd, i).av_type == AT_PRINC) { + free(ULOG_ENTRY(upd, i).av_princ.k_realm.utf8str_t_val); + if (ULOG_ENTRY(upd, i).av_princ.k_components.k_components_val) { + for (j = 0; j < ULOG_ENTRY(upd, i).av_princ.k_components.k_components_len; j++) { + free(ULOG_ENTRY_PRINC(upd, i, j).k_data.utf8str_t_val); + } + free(ULOG_ENTRY(upd, i).av_princ.k_components.k_components_val); + } + } + + /* + * Free av_mod_princ + */ + if (ULOG_ENTRY_TYPE(upd, i).av_type == AT_MOD_PRINC) { + free(ULOG_ENTRY(upd, i).av_mod_princ.k_realm.utf8str_t_val); + if (ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_val) { + for (j = 0; j < ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_len; j++) { + free(ULOG_ENTRY_MOD_PRINC(upd, i, j).k_data.utf8str_t_val); + } + free(ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_val); + } + } + + /* + * Free av_mod_where + */ + if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_MOD_WHERE) && ULOG_ENTRY(upd, i).av_mod_where.utf8str_t_val) + free(ULOG_ENTRY(upd, i).av_mod_where.utf8str_t_val); + + /* + * Free av_pw_policy + */ + if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_PW_POLICY) && ULOG_ENTRY(upd, i).av_pw_policy.utf8str_t_val) + free(ULOG_ENTRY(upd, i).av_pw_policy.utf8str_t_val); + + /* + * XXX: Free av_pw_hist + * + * For now, we just free the pointer + * to av_pw_hist_val, since we aren't + * populating this union member in + * the conv api function(s) anyways. + */ + if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_PW_HIST) && ULOG_ENTRY(upd, i).av_pw_hist.av_pw_hist_val) + free(ULOG_ENTRY(upd, i).av_pw_hist.av_pw_hist_val); + + } + + /* + * Free up the pointer to kdbe_t_val + */ + free(upd->kdb_update.kdbe_t_val); + } /* END CSTYLED */ - /* - * Bump up to next struct - */ - upd++; + /* + * Bump up to next struct + */ + upd++; } diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c index 55e8199d2..723d98eaf 100644 --- a/src/lib/kdb/kdb_cpw.c +++ b/src/lib/kdb/kdb_cpw.c @@ -1,14 +1,15 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_cpw.c * - * Copyright 1995, 2009 by the Massachusetts Institute of Technology. + * Copyright 1995, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,19 +23,19 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -45,7 +46,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -58,25 +59,25 @@ int krb5_db_get_key_data_kvno(context, count, data) - krb5_context context; - int count; - krb5_key_data * data; + krb5_context context; + int count; + krb5_key_data * data; { int i, kvno; /* Find last key version number */ for (kvno = i = 0; i < count; i++) { - if (kvno < data[i].key_data_kvno) { - kvno = data[i].key_data_kvno; - } + if (kvno < data[i].key_data_kvno) { + kvno = data[i].key_data_kvno; + } } return(kvno); } static void cleanup_key_data(context, count, data) - krb5_context context; - int count; - krb5_key_data * data; + krb5_context context; + int count; + krb5_key_data * data; { int i, j; @@ -84,30 +85,30 @@ cleanup_key_data(context, count, data) if (data == NULL) return; for (i = 0; i < count; i++) { - for (j = 0; j < data[i].key_data_ver; j++) { - if (data[i].key_data_length[j]) { - krb5_db_free(context, data[i].key_data_contents[j]); - } - } + for (j = 0; j < data[i].key_data_ver; j++) { + if (data[i].key_data_length[j]) { + krb5_db_free(context, data[i].key_data_contents[j]); + } + } } krb5_db_free(context, data); } static krb5_error_code add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno) - krb5_context context; + krb5_context context; krb5_keyblock * master_key; - krb5_key_salt_tuple * ks_tuple; - int ks_tuple_count; - krb5_db_entry * db_entry; - int kvno; + krb5_key_salt_tuple * ks_tuple; + int ks_tuple_count; + krb5_db_entry * db_entry; + int kvno; { - krb5_principal krbtgt_princ; - krb5_keyblock key; - krb5_db_entry krbtgt_entry; - krb5_boolean more; - int max_kvno, one, i, j, k; - krb5_error_code retval; + krb5_principal krbtgt_princ; + krb5_keyblock key; + krb5_db_entry krbtgt_entry; + krb5_boolean more; + int max_kvno, one, i, j, k; + krb5_error_code retval; krb5_key_data tmp_key_data; krb5_key_data *tptr; @@ -115,111 +116,111 @@ add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno) retval = krb5_build_principal_ext(context, &krbtgt_princ, - db_entry->princ->realm.length, - db_entry->princ->realm.data, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME, - db_entry->princ->realm.length, - db_entry->princ->realm.data, - 0); + db_entry->princ->realm.length, + db_entry->princ->realm.data, + KRB5_TGS_NAME_SIZE, + KRB5_TGS_NAME, + db_entry->princ->realm.length, + db_entry->princ->realm.data, + 0); if (retval) - return retval; + return retval; /* Get tgt from database */ retval = krb5_db_get_principal(context, krbtgt_princ, &krbtgt_entry, - &one, &more); + &one, &more); krb5_free_principal(context, krbtgt_princ); /* don't need it anymore */ if (retval) - return(retval); + return(retval); if ((one > 1) || (more)) { - krb5_db_free_principal(context, &krbtgt_entry, one); - return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; + krb5_db_free_principal(context, &krbtgt_entry, one); + return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; } - if (!one) - return KRB5_KDB_NOENTRY; + if (!one) + return KRB5_KDB_NOENTRY; /* Get max kvno */ for (max_kvno = j = 0; j < krbtgt_entry.n_key_data; j++) { - if (max_kvno < krbtgt_entry.key_data[j].key_data_kvno) { - max_kvno = krbtgt_entry.key_data[j].key_data_kvno; - } + if (max_kvno < krbtgt_entry.key_data[j].key_data_kvno) { + max_kvno = krbtgt_entry.key_data[j].key_data_kvno; + } } for (i = 0; i < ks_tuple_count; i++) { - krb5_boolean similar; - - similar = 0; - - /* - * We could use krb5_keysalt_iterate to replace this loop, or use - * krb5_keysalt_is_present for the loop below, but we want to avoid - * circular library dependencies. - */ - for (j = 0; j < i; j++) { - if ((retval = krb5_c_enctype_compare(context, - ks_tuple[i].ks_enctype, - ks_tuple[j].ks_enctype, - &similar))) - return(retval); - - if (similar) - break; - } - - if (similar) - continue; - - if ((retval = krb5_dbe_create_key_data(context, db_entry))) - goto add_key_rnd_err; - - /* there used to be code here to extract the old key, and derive - a new key from it. Now that there's a unified prng, that isn't - necessary. */ - - /* make new key */ - if ((retval = krb5_c_make_random_key(context, ks_tuple[i].ks_enctype, - &key))) - goto add_key_rnd_err; - - - /* db library will free this. Since, its a so, it could actually be using different memory management - function. So, its better if the memory is allocated by the db's malloc. So, a temporary memory is used - here which will later be copied to the db_entry */ - retval = krb5_dbekd_encrypt_key_data(context, master_key, - &key, NULL, kvno, - &tmp_key_data); - - krb5_free_keyblock_contents(context, &key); - if( retval ) - goto add_key_rnd_err; - - tptr = &db_entry->key_data[db_entry->n_key_data-1]; - - tptr->key_data_ver = tmp_key_data.key_data_ver; - tptr->key_data_kvno = tmp_key_data.key_data_kvno; - - for( k = 0; k < tmp_key_data.key_data_ver; k++ ) - { - tptr->key_data_type[k] = tmp_key_data.key_data_type[k]; - tptr->key_data_length[k] = tmp_key_data.key_data_length[k]; - if( tmp_key_data.key_data_contents[k] ) - { - tptr->key_data_contents[k] = krb5_db_alloc(context, NULL, tmp_key_data.key_data_length[k]); - if( tptr->key_data_contents[k] == NULL ) - { - cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); - db_entry->key_data = NULL; - db_entry->n_key_data = 0; - retval = ENOMEM; - goto add_key_rnd_err; - } - memcpy( tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); - - memset( tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); - free( tmp_key_data.key_data_contents[k] ); - tmp_key_data.key_data_contents[k] = NULL; - } - } + krb5_boolean similar; + + similar = 0; + + /* + * We could use krb5_keysalt_iterate to replace this loop, or use + * krb5_keysalt_is_present for the loop below, but we want to avoid + * circular library dependencies. + */ + for (j = 0; j < i; j++) { + if ((retval = krb5_c_enctype_compare(context, + ks_tuple[i].ks_enctype, + ks_tuple[j].ks_enctype, + &similar))) + return(retval); + + if (similar) + break; + } + + if (similar) + continue; + + if ((retval = krb5_dbe_create_key_data(context, db_entry))) + goto add_key_rnd_err; + + /* there used to be code here to extract the old key, and derive + a new key from it. Now that there's a unified prng, that isn't + necessary. */ + + /* make new key */ + if ((retval = krb5_c_make_random_key(context, ks_tuple[i].ks_enctype, + &key))) + goto add_key_rnd_err; + + + /* db library will free this. Since, its a so, it could actually be using different memory management + function. So, its better if the memory is allocated by the db's malloc. So, a temporary memory is used + here which will later be copied to the db_entry */ + retval = krb5_dbekd_encrypt_key_data(context, master_key, + &key, NULL, kvno, + &tmp_key_data); + + krb5_free_keyblock_contents(context, &key); + if( retval ) + goto add_key_rnd_err; + + tptr = &db_entry->key_data[db_entry->n_key_data-1]; + + tptr->key_data_ver = tmp_key_data.key_data_ver; + tptr->key_data_kvno = tmp_key_data.key_data_kvno; + + for( k = 0; k < tmp_key_data.key_data_ver; k++ ) + { + tptr->key_data_type[k] = tmp_key_data.key_data_type[k]; + tptr->key_data_length[k] = tmp_key_data.key_data_length[k]; + if( tmp_key_data.key_data_contents[k] ) + { + tptr->key_data_contents[k] = krb5_db_alloc(context, NULL, tmp_key_data.key_data_length[k]); + if( tptr->key_data_contents[k] == NULL ) + { + cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); + db_entry->key_data = NULL; + db_entry->n_key_data = 0; + retval = ENOMEM; + goto add_key_rnd_err; + } + memcpy( tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); + + memset( tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); + free( tmp_key_data.key_data_contents[k] ); + tmp_key_data.key_data_contents[k] = NULL; + } + } } @@ -228,40 +229,40 @@ add_key_rnd_err: for( i = 0; i < tmp_key_data.key_data_ver; i++ ) { - if( tmp_key_data.key_data_contents[i] ) - { - memset( tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); - free( tmp_key_data.key_data_contents[i] ); - } + if( tmp_key_data.key_data_contents[i] ) + { + memset( tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); + free( tmp_key_data.key_data_contents[i] ); + } } return(retval); } /* - * Change random key for a krb5_db_entry + * Change random key for a krb5_db_entry * Assumes the max kvno * * As a side effect all old keys are nuked if keepold is false. */ krb5_error_code krb5_dbe_crk(context, master_key, ks_tuple, ks_tuple_count, keepold, db_entry) - krb5_context context; + krb5_context context; krb5_keyblock * master_key; - krb5_key_salt_tuple * ks_tuple; - int ks_tuple_count; - krb5_boolean keepold; - krb5_db_entry * db_entry; + krb5_key_salt_tuple * ks_tuple; + int ks_tuple_count; + krb5_boolean keepold; + krb5_db_entry * db_entry; { - int key_data_count; - int n_new_key_data; - krb5_key_data * key_data; - krb5_error_code retval; - int kvno; - int i; + int key_data_count; + int n_new_key_data; + krb5_key_data * key_data; + krb5_error_code retval; + int kvno; + int i; /* First save the old keydata */ kvno = krb5_db_get_key_data_kvno(context, db_entry->n_key_data, - db_entry->key_data); + db_entry->key_data); key_data_count = db_entry->n_key_data; key_data = db_entry->key_data; db_entry->key_data = NULL; @@ -271,53 +272,53 @@ krb5_dbe_crk(context, master_key, ks_tuple, ks_tuple_count, keepold, db_entry) kvno++; retval = add_key_rnd(context, master_key, ks_tuple, - ks_tuple_count, db_entry, kvno); + ks_tuple_count, db_entry, kvno); if (retval) { - cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); - db_entry->n_key_data = key_data_count; - db_entry->key_data = key_data; + cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); + db_entry->n_key_data = key_data_count; + db_entry->key_data = key_data; } else if (keepold) { - n_new_key_data = db_entry->n_key_data; - for (i = 0; i < key_data_count; i++) { - retval = krb5_dbe_create_key_data(context, db_entry); - if (retval) { - cleanup_key_data(context, db_entry->n_key_data, - db_entry->key_data); - break; - } - db_entry->key_data[i+n_new_key_data] = key_data[i]; - memset(&key_data[i], 0, sizeof(krb5_key_data)); - } - krb5_db_free(context, key_data); /* we moved the cotents to new memory. But, the original block which contained the data */ + n_new_key_data = db_entry->n_key_data; + for (i = 0; i < key_data_count; i++) { + retval = krb5_dbe_create_key_data(context, db_entry); + if (retval) { + cleanup_key_data(context, db_entry->n_key_data, + db_entry->key_data); + break; + } + db_entry->key_data[i+n_new_key_data] = key_data[i]; + memset(&key_data[i], 0, sizeof(krb5_key_data)); + } + krb5_db_free(context, key_data); /* we moved the cotents to new memory. But, the original block which contained the data */ } else { - cleanup_key_data(context, key_data_count, key_data); + cleanup_key_data(context, key_data_count, key_data); } return(retval); } /* - * Add random key for a krb5_db_entry + * Add random key for a krb5_db_entry * Assumes the max kvno * * As a side effect all old keys older than the max kvno are nuked. */ krb5_error_code krb5_dbe_ark(context, master_key, ks_tuple, ks_tuple_count, db_entry) - krb5_context context; + krb5_context context; krb5_keyblock * master_key; - krb5_key_salt_tuple * ks_tuple; - int ks_tuple_count; - krb5_db_entry * db_entry; + krb5_key_salt_tuple * ks_tuple; + int ks_tuple_count; + krb5_db_entry * db_entry; { - int key_data_count; - krb5_key_data * key_data; - krb5_error_code retval; - int kvno; - int i; + int key_data_count; + krb5_key_data * key_data; + krb5_error_code retval; + int kvno; + int i; /* First save the old keydata */ kvno = krb5_db_get_key_data_kvno(context, db_entry->n_key_data, - db_entry->key_data); + db_entry->key_data); key_data_count = db_entry->n_key_data; key_data = db_entry->key_data; db_entry->key_data = NULL; @@ -326,50 +327,50 @@ krb5_dbe_ark(context, master_key, ks_tuple, ks_tuple_count, db_entry) /* increment the kvno */ kvno++; - if ((retval = add_key_rnd(context, master_key, ks_tuple, - ks_tuple_count, db_entry, kvno))) { - cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); - db_entry->n_key_data = key_data_count; - db_entry->key_data = key_data; + if ((retval = add_key_rnd(context, master_key, ks_tuple, + ks_tuple_count, db_entry, kvno))) { + cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); + db_entry->n_key_data = key_data_count; + db_entry->key_data = key_data; } else { - /* Copy keys with key_data_kvno == kvno - 1 ( = old kvno ) */ - for (i = 0; i < key_data_count; i++) { - if (key_data[i].key_data_kvno == (kvno - 1)) { - if ((retval = krb5_dbe_create_key_data(context, db_entry))) { - cleanup_key_data(context, db_entry->n_key_data, - db_entry->key_data); - break; - } - /* We should decrypt/re-encrypt the data to use the same mkvno*/ - db_entry->key_data[db_entry->n_key_data - 1] = key_data[i]; - memset(&key_data[i], 0, sizeof(krb5_key_data)); - } - } - cleanup_key_data(context, key_data_count, key_data); + /* Copy keys with key_data_kvno == kvno - 1 ( = old kvno ) */ + for (i = 0; i < key_data_count; i++) { + if (key_data[i].key_data_kvno == (kvno - 1)) { + if ((retval = krb5_dbe_create_key_data(context, db_entry))) { + cleanup_key_data(context, db_entry->n_key_data, + db_entry->key_data); + break; + } + /* We should decrypt/re-encrypt the data to use the same mkvno*/ + db_entry->key_data[db_entry->n_key_data - 1] = key_data[i]; + memset(&key_data[i], 0, sizeof(krb5_key_data)); + } + } + cleanup_key_data(context, key_data_count, key_data); } return(retval); } /* - * Add key_data for a krb5_db_entry + * Add key_data for a krb5_db_entry * If passwd is NULL the assumes that the caller wants a random password. */ static krb5_error_code -add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, - db_entry, kvno) - krb5_context context; +add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, + db_entry, kvno) + krb5_context context; krb5_keyblock * master_key; - krb5_key_salt_tuple * ks_tuple; - int ks_tuple_count; - char * passwd; - krb5_db_entry * db_entry; - int kvno; + krb5_key_salt_tuple * ks_tuple; + int ks_tuple_count; + char * passwd; + krb5_db_entry * db_entry; + int kvno; { - krb5_error_code retval; - krb5_keysalt key_salt; - krb5_keyblock key; - krb5_data pwd; - int i, j, k; + krb5_error_code retval; + krb5_keysalt key_salt; + krb5_keyblock key; + krb5_data pwd; + int i, j, k; krb5_key_data tmp_key_data; krb5_key_data *tptr; @@ -378,229 +379,229 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, retval = 0; for (i = 0; i < ks_tuple_count; i++) { - krb5_boolean similar; - - similar = 0; - - /* - * We could use krb5_keysalt_iterate to replace this loop, or use - * krb5_keysalt_is_present for the loop below, but we want to avoid - * circular library dependencies. - */ - for (j = 0; j < i; j++) { - if ((retval = krb5_c_enctype_compare(context, - ks_tuple[i].ks_enctype, - ks_tuple[j].ks_enctype, - &similar))) - return(retval); - - if (similar && - (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype)) - break; - } - - if (j < i) - continue; - - if ((retval = krb5_dbe_create_key_data(context, db_entry))) - return(retval); - - /* Convert password string to key using appropriate salt */ - switch (key_salt.type = ks_tuple[i].ks_salttype) { - case KRB5_KDB_SALTTYPE_ONLYREALM: { + krb5_boolean similar; + + similar = 0; + + /* + * We could use krb5_keysalt_iterate to replace this loop, or use + * krb5_keysalt_is_present for the loop below, but we want to avoid + * circular library dependencies. + */ + for (j = 0; j < i; j++) { + if ((retval = krb5_c_enctype_compare(context, + ks_tuple[i].ks_enctype, + ks_tuple[j].ks_enctype, + &similar))) + return(retval); + + if (similar && + (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype)) + break; + } + + if (j < i) + continue; + + if ((retval = krb5_dbe_create_key_data(context, db_entry))) + return(retval); + + /* Convert password string to key using appropriate salt */ + switch (key_salt.type = ks_tuple[i].ks_salttype) { + case KRB5_KDB_SALTTYPE_ONLYREALM: { krb5_data * saltdata; if ((retval = krb5_copy_data(context, krb5_princ_realm(context, - db_entry->princ), &saltdata))) - return(retval); - - key_salt.data = *saltdata; - free(saltdata); - } - break; - case KRB5_KDB_SALTTYPE_NOREALM: + db_entry->princ), &saltdata))) + return(retval); + + key_salt.data = *saltdata; + free(saltdata); + } + break; + case KRB5_KDB_SALTTYPE_NOREALM: if ((retval=krb5_principal2salt_norealm(context, db_entry->princ, - &key_salt.data))) - return(retval); + &key_salt.data))) + return(retval); break; - case KRB5_KDB_SALTTYPE_NORMAL: + case KRB5_KDB_SALTTYPE_NORMAL: if ((retval = krb5_principal2salt(context, db_entry->princ, - &key_salt.data))) - return(retval); + &key_salt.data))) + return(retval); break; - case KRB5_KDB_SALTTYPE_V4: + case KRB5_KDB_SALTTYPE_V4: key_salt.data.length = 0; key_salt.data.data = 0; break; - case KRB5_KDB_SALTTYPE_AFS3: - /* The afs_mit_string_to_key needs to use strlen, and the - realm field is not (necessarily) NULL terminated. */ - retval = krb5int_copy_data_contents_add0(context, - krb5_princ_realm(context, - db_entry->princ), - &key_salt.data); - if (retval) - return retval; - key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/ - break; - default: - return(KRB5_KDB_BAD_SALTTYPE); - } - - pwd.data = passwd; - pwd.length = strlen(passwd); - - /* AFS string to key will happen here */ - if ((retval = krb5_c_string_to_key(context, ks_tuple[i].ks_enctype, - &pwd, &key_salt.data, &key))) { - if (key_salt.data.data) - free(key_salt.data.data); - return(retval); - } - - if (key_salt.data.length == SALT_TYPE_AFS_LENGTH) - key_salt.data.length = - krb5_princ_realm(context, db_entry->princ)->length; - - /* memory allocation to be done by db. So, use temporary block and later copy - it to the memory allocated by db */ - retval = krb5_dbekd_encrypt_key_data(context, master_key, &key, - (const krb5_keysalt *)&key_salt, - kvno, &tmp_key_data); - if (key_salt.data.data) - free(key_salt.data.data); - free(key.contents); - - if( retval ) - return retval; - - tptr = &db_entry->key_data[db_entry->n_key_data-1]; - - tptr->key_data_ver = tmp_key_data.key_data_ver; - tptr->key_data_kvno = tmp_key_data.key_data_kvno; - - for( k = 0; k < tmp_key_data.key_data_ver; k++ ) - { - tptr->key_data_type[k] = tmp_key_data.key_data_type[k]; - tptr->key_data_length[k] = tmp_key_data.key_data_length[k]; - if( tmp_key_data.key_data_contents[k] ) - { - tptr->key_data_contents[k] = krb5_db_alloc(context, NULL, tmp_key_data.key_data_length[k]); - if( tptr->key_data_contents[k] == NULL ) - { - cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); - db_entry->key_data = NULL; - db_entry->n_key_data = 0; - retval = ENOMEM; - goto add_key_pwd_err; - } - memcpy( tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); - - memset( tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); - free( tmp_key_data.key_data_contents[k] ); - tmp_key_data.key_data_contents[k] = NULL; - } - } + case KRB5_KDB_SALTTYPE_AFS3: + /* The afs_mit_string_to_key needs to use strlen, and the + realm field is not (necessarily) NULL terminated. */ + retval = krb5int_copy_data_contents_add0(context, + krb5_princ_realm(context, + db_entry->princ), + &key_salt.data); + if (retval) + return retval; + key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/ + break; + default: + return(KRB5_KDB_BAD_SALTTYPE); + } + + pwd.data = passwd; + pwd.length = strlen(passwd); + + /* AFS string to key will happen here */ + if ((retval = krb5_c_string_to_key(context, ks_tuple[i].ks_enctype, + &pwd, &key_salt.data, &key))) { + if (key_salt.data.data) + free(key_salt.data.data); + return(retval); + } + + if (key_salt.data.length == SALT_TYPE_AFS_LENGTH) + key_salt.data.length = + krb5_princ_realm(context, db_entry->princ)->length; + + /* memory allocation to be done by db. So, use temporary block and later copy + it to the memory allocated by db */ + retval = krb5_dbekd_encrypt_key_data(context, master_key, &key, + (const krb5_keysalt *)&key_salt, + kvno, &tmp_key_data); + if (key_salt.data.data) + free(key_salt.data.data); + free(key.contents); + + if( retval ) + return retval; + + tptr = &db_entry->key_data[db_entry->n_key_data-1]; + + tptr->key_data_ver = tmp_key_data.key_data_ver; + tptr->key_data_kvno = tmp_key_data.key_data_kvno; + + for( k = 0; k < tmp_key_data.key_data_ver; k++ ) + { + tptr->key_data_type[k] = tmp_key_data.key_data_type[k]; + tptr->key_data_length[k] = tmp_key_data.key_data_length[k]; + if( tmp_key_data.key_data_contents[k] ) + { + tptr->key_data_contents[k] = krb5_db_alloc(context, NULL, tmp_key_data.key_data_length[k]); + if( tptr->key_data_contents[k] == NULL ) + { + cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); + db_entry->key_data = NULL; + db_entry->n_key_data = 0; + retval = ENOMEM; + goto add_key_pwd_err; + } + memcpy( tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); + + memset( tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); + free( tmp_key_data.key_data_contents[k] ); + tmp_key_data.key_data_contents[k] = NULL; + } + } } - add_key_pwd_err: +add_key_pwd_err: for( i = 0; i < tmp_key_data.key_data_ver; i++ ) { - if( tmp_key_data.key_data_contents[i] ) - { - memset( tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); - free( tmp_key_data.key_data_contents[i] ); - } + if( tmp_key_data.key_data_contents[i] ) + { + memset( tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); + free( tmp_key_data.key_data_contents[i] ); + } } return(retval); } /* - * Change password for a krb5_db_entry + * Change password for a krb5_db_entry * Assumes the max kvno * * As a side effect all old keys are nuked if keepold is false. */ krb5_error_code krb5_dbe_def_cpw(context, master_key, ks_tuple, ks_tuple_count, passwd, - new_kvno, keepold, db_entry) - krb5_context context; + new_kvno, keepold, db_entry) + krb5_context context; krb5_keyblock * master_key; - krb5_key_salt_tuple * ks_tuple; - int ks_tuple_count; - char * passwd; - int new_kvno; - krb5_boolean keepold; - krb5_db_entry * db_entry; + krb5_key_salt_tuple * ks_tuple; + int ks_tuple_count; + char * passwd; + int new_kvno; + krb5_boolean keepold; + krb5_db_entry * db_entry; { - int key_data_count; - int n_new_key_data; - krb5_key_data * key_data; - krb5_error_code retval; - int old_kvno; - int i; + int key_data_count; + int n_new_key_data; + krb5_key_data * key_data; + krb5_error_code retval; + int old_kvno; + int i; /* First save the old keydata */ old_kvno = krb5_db_get_key_data_kvno(context, db_entry->n_key_data, - db_entry->key_data); + db_entry->key_data); key_data_count = db_entry->n_key_data; key_data = db_entry->key_data; db_entry->key_data = NULL; db_entry->n_key_data = 0; - /* increment the kvno. if the requested kvno is too small, + /* increment the kvno. if the requested kvno is too small, increment the old kvno */ if (new_kvno < old_kvno+1) - new_kvno = old_kvno+1; + new_kvno = old_kvno+1; retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, - passwd, db_entry, new_kvno); + passwd, db_entry, new_kvno); if (retval) { - cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); - db_entry->n_key_data = key_data_count; - db_entry->key_data = key_data; + cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); + db_entry->n_key_data = key_data_count; + db_entry->key_data = key_data; } else if (keepold) { - n_new_key_data = db_entry->n_key_data; - for (i = 0; i < key_data_count; i++) { - retval = krb5_dbe_create_key_data(context, db_entry); - if (retval) { - cleanup_key_data(context, db_entry->n_key_data, - db_entry->key_data); - break; - } - db_entry->key_data[i+n_new_key_data] = key_data[i]; - memset(&key_data[i], 0, sizeof(krb5_key_data)); - } - krb5_db_free( context, key_data ); + n_new_key_data = db_entry->n_key_data; + for (i = 0; i < key_data_count; i++) { + retval = krb5_dbe_create_key_data(context, db_entry); + if (retval) { + cleanup_key_data(context, db_entry->n_key_data, + db_entry->key_data); + break; + } + db_entry->key_data[i+n_new_key_data] = key_data[i]; + memset(&key_data[i], 0, sizeof(krb5_key_data)); + } + krb5_db_free( context, key_data ); } else { - cleanup_key_data(context, key_data_count, key_data); + cleanup_key_data(context, key_data_count, key_data); } return(retval); } /* - * Add password for a krb5_db_entry + * Add password for a krb5_db_entry * Assumes the max kvno * * As a side effect all old keys older than the max kvno are nuked. */ krb5_error_code krb5_dbe_apw(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry) - krb5_context context; + krb5_context context; krb5_keyblock * master_key; - krb5_key_salt_tuple * ks_tuple; - int ks_tuple_count; - char * passwd; - krb5_db_entry * db_entry; + krb5_key_salt_tuple * ks_tuple; + int ks_tuple_count; + char * passwd; + krb5_db_entry * db_entry; { - int key_data_count; - krb5_key_data * key_data; - krb5_error_code retval; - int old_kvno, new_kvno; - int i; + int key_data_count; + krb5_key_data * key_data; + krb5_error_code retval; + int old_kvno, new_kvno; + int i; /* First save the old keydata */ old_kvno = krb5_db_get_key_data_kvno(context, db_entry->n_key_data, - db_entry->key_data); + db_entry->key_data); key_data_count = db_entry->n_key_data; key_data = db_entry->key_data; db_entry->key_data = NULL; @@ -610,27 +611,25 @@ krb5_dbe_apw(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry) new_kvno = old_kvno+1; if ((retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, - passwd, db_entry, new_kvno))) { - cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); - db_entry->n_key_data = key_data_count; - db_entry->key_data = key_data; + passwd, db_entry, new_kvno))) { + cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); + db_entry->n_key_data = key_data_count; + db_entry->key_data = key_data; } else { - /* Copy keys with key_data_kvno == old_kvno */ - for (i = 0; i < key_data_count; i++) { - if (key_data[i].key_data_kvno == old_kvno) { - if ((retval = krb5_dbe_create_key_data(context, db_entry))) { - cleanup_key_data(context, db_entry->n_key_data, - db_entry->key_data); - break; - } - /* We should decrypt/re-encrypt the data to use the same mkvno*/ - db_entry->key_data[db_entry->n_key_data - 1] = key_data[i]; - memset(&key_data[i], 0, sizeof(krb5_key_data)); - } - } - cleanup_key_data(context, key_data_count, key_data); + /* Copy keys with key_data_kvno == old_kvno */ + for (i = 0; i < key_data_count; i++) { + if (key_data[i].key_data_kvno == old_kvno) { + if ((retval = krb5_dbe_create_key_data(context, db_entry))) { + cleanup_key_data(context, db_entry->n_key_data, + db_entry->key_data); + break; + } + /* We should decrypt/re-encrypt the data to use the same mkvno*/ + db_entry->key_data[db_entry->n_key_data - 1] = key_data[i]; + memset(&key_data[i], 0, sizeof(krb5_key_data)); + } + } + cleanup_key_data(context, key_data_count, key_data); } return(retval); } - - diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 69cc52b8e..81c70f36c 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -1,14 +1,15 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_helper.c * - * Copyright 1995, 2009 by the Massachusetts Institute of Technology. + * Copyright 1995, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* @@ -48,30 +49,30 @@ */ krb5_error_code krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) - krb5_context kcontext; - krb5_db_entry *dbentp; - krb5_int32 *start; - krb5_int32 ktype; - krb5_int32 stype; - krb5_int32 kvno; - krb5_key_data **kdatap; + krb5_context kcontext; + krb5_db_entry *dbentp; + krb5_int32 *start; + krb5_int32 ktype; + krb5_int32 stype; + krb5_int32 kvno; + krb5_key_data **kdatap; { - int i, idx; - int maxkvno; - krb5_key_data *datap; - krb5_error_code ret; + int i, idx; + int maxkvno; + krb5_key_data *datap; + krb5_error_code ret; ret = 0; if (kvno == -1 && stype == -1 && ktype == -1) - kvno = 0; - - if (kvno == 0) { - /* Get the max key version */ - for (i = 0; i < dbentp->n_key_data; i++) { - if (kvno < dbentp->key_data[i].key_data_kvno) { - kvno = dbentp->key_data[i].key_data_kvno; - } - } + kvno = 0; + + if (kvno == 0) { + /* Get the max key version */ + for (i = 0; i < dbentp->n_key_data; i++) { + if (kvno < dbentp->key_data[i].key_data_kvno) { + kvno = dbentp->key_data[i].key_data_kvno; + } + } } maxkvno = -1; @@ -80,56 +81,56 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) krb5_boolean similar; krb5_int32 db_stype; - ret = 0; - if (dbentp->key_data[i].key_data_ver > 1) { - db_stype = dbentp->key_data[i].key_data_type[1]; - } else { - db_stype = KRB5_KDB_SALTTYPE_NORMAL; - } - - /* - * Filter out non-permitted enctypes. - */ - if (!krb5_is_permitted_enctype(kcontext, - dbentp->key_data[i].key_data_type[0])) { - ret = KRB5_KDB_NO_PERMITTED_KEY; - continue; - } - - - if (ktype > 0) { - if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, - dbentp->key_data[i].key_data_type[0], - &similar))) - - return(ret); - } - - if (((ktype <= 0) || similar) && - ((db_stype == stype) || (stype < 0))) { - if (kvno >= 0) { - if (kvno == dbentp->key_data[i].key_data_kvno) { - datap = &dbentp->key_data[i]; - idx = i; - maxkvno = kvno; - break; - } - } else { - if (dbentp->key_data[i].key_data_kvno > maxkvno) { - maxkvno = dbentp->key_data[i].key_data_kvno; - datap = &dbentp->key_data[i]; - idx = i; - } - } - } + ret = 0; + if (dbentp->key_data[i].key_data_ver > 1) { + db_stype = dbentp->key_data[i].key_data_type[1]; + } else { + db_stype = KRB5_KDB_SALTTYPE_NORMAL; + } + + /* + * Filter out non-permitted enctypes. + */ + if (!krb5_is_permitted_enctype(kcontext, + dbentp->key_data[i].key_data_type[0])) { + ret = KRB5_KDB_NO_PERMITTED_KEY; + continue; + } + + + if (ktype > 0) { + if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, + dbentp->key_data[i].key_data_type[0], + &similar))) + + return(ret); + } + + if (((ktype <= 0) || similar) && + ((db_stype == stype) || (stype < 0))) { + if (kvno >= 0) { + if (kvno == dbentp->key_data[i].key_data_kvno) { + datap = &dbentp->key_data[i]; + idx = i; + maxkvno = kvno; + break; + } + } else { + if (dbentp->key_data[i].key_data_kvno > maxkvno) { + maxkvno = dbentp->key_data[i].key_data_kvno; + datap = &dbentp->key_data[i]; + idx = i; + } + } + } } if (maxkvno < 0) - return ret ? ret : KRB5_KDB_NO_MATCHING_KEY; + return ret ? ret : KRB5_KDB_NO_MATCHING_KEY; *kdatap = datap; *start = idx+1; return 0; } - + /* * kdb default functions. Ideally, some other file should have this functions. For now, TBD. */ @@ -139,10 +140,10 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) krb5_error_code krb5_def_store_mkey_list(krb5_context context, - char *keyfile, - krb5_principal mname, - krb5_keylist_node *keylist, - char *master_pwd) + char *keyfile, + krb5_principal mname, + krb5_keylist_node *keylist, + char *master_pwd) { krb5_error_code retval = 0; char defkeyfile[MAXPATHLEN+1]; @@ -168,8 +169,8 @@ krb5_def_store_mkey_list(krb5_context context, if (!S_ISREG(stb.st_mode)) { retval = EINVAL; krb5_set_error_message (context, retval, - "keyfile (%s) is not a regular file: %s", - keyfile, error_message(retval)); + "keyfile (%s) is not a regular file: %s", + keyfile, error_message(retval)); goto out; } } @@ -179,7 +180,7 @@ krb5_def_store_mkey_list(krb5_context context, /* create temp file template for use by mktemp() */ if ((retval = asprintf(&tmp_ktname, "WRFILE:%s_XXXXXX", keyfile)) < 0) { krb5_set_error_message (context, retval, - "Could not create temp keytab file name."); + "Could not create temp keytab file name."); goto out; } @@ -193,8 +194,8 @@ krb5_def_store_mkey_list(krb5_context context, if (mktemp(tmp_ktpath) == NULL) { retval = errno; krb5_set_error_message (context, retval, - "Could not create temp stash file: %s", - error_message(errno)); + "Could not create temp stash file: %s", + error_message(errno)); goto out; } @@ -223,8 +224,8 @@ krb5_def_store_mkey_list(krb5_context context, if (rename(tmp_ktpath, keyfile) < 0) { retval = errno; krb5_set_error_message (context, retval, - "rename of temporary keyfile (%s) to (%s) failed: %s", - tmp_ktpath, keyfile, error_message(errno)); + "rename of temporary keyfile (%s) to (%s) failed: %s", + tmp_ktpath, keyfile, error_message(errno)); } } @@ -249,14 +250,14 @@ krb5_def_store_mkey(krb5_context context, list.keyblock = *key; list.next = NULL; return krb5_def_store_mkey_list(context, keyfile, mname, &list, - master_pwd); + master_pwd); } static krb5_error_code krb5_db_def_fetch_mkey_stash(krb5_context context, - const char *keyfile, - krb5_keyblock *key, - krb5_kvno *kvno) + const char *keyfile, + krb5_keyblock *key, + krb5_kvno *kvno) { krb5_error_code retval = 0; krb5_ui_2 enctype; @@ -266,14 +267,14 @@ krb5_db_def_fetch_mkey_stash(krb5_context context, #ifdef ANSI_STDIO if (!(kf = fopen(keyfile, "rb"))) #else - if (!(kf = fopen(keyfile, "r"))) + if (!(kf = fopen(keyfile, "r"))) #endif - return KRB5_KDB_CANTREAD_STORED; + return KRB5_KDB_CANTREAD_STORED; set_cloexec_file(kf); if (fread((krb5_pointer) &enctype, 2, 1, kf) != 1) { - retval = KRB5_KDB_CANTREAD_STORED; - goto errout; + retval = KRB5_KDB_CANTREAD_STORED; + goto errout; } #if BIG_ENDIAN_MASTER_KEY @@ -281,16 +282,16 @@ krb5_db_def_fetch_mkey_stash(krb5_context context, #endif if (key->enctype == ENCTYPE_UNKNOWN) - key->enctype = enctype; + key->enctype = enctype; else if (enctype != key->enctype) { - retval = KRB5_KDB_BADSTORED_MKEY; - goto errout; + retval = KRB5_KDB_BADSTORED_MKEY; + goto errout; } if (fread((krb5_pointer) &keylength, - sizeof(keylength), 1, kf) != 1) { - retval = KRB5_KDB_CANTREAD_STORED; - goto errout; + sizeof(keylength), 1, kf) != 1) { + retval = KRB5_KDB_CANTREAD_STORED; + goto errout; } #if BIG_ENDIAN_MASTER_KEY @@ -300,23 +301,23 @@ krb5_db_def_fetch_mkey_stash(krb5_context context, #endif if (!key->length || ((int) key->length) < 0) { - retval = KRB5_KDB_BADSTORED_MKEY; - goto errout; + retval = KRB5_KDB_BADSTORED_MKEY; + goto errout; } - + if (!(key->contents = (krb5_octet *)malloc(key->length))) { - retval = ENOMEM; - goto errout; + retval = ENOMEM; + goto errout; } if (fread((krb5_pointer) key->contents, sizeof(key->contents[0]), - key->length, kf) != key->length) { - retval = KRB5_KDB_CANTREAD_STORED; - zap(key->contents, key->length); - free(key->contents); - key->contents = 0; + key->length, kf) != key->length) { + retval = KRB5_KDB_CANTREAD_STORED; + zap(key->contents, key->length); + free(key->contents); + key->contents = 0; } else - retval = 0; + retval = 0; /* * Note, the old stash format did not store the kvno and at this point it @@ -325,9 +326,9 @@ krb5_db_def_fetch_mkey_stash(krb5_context context, * verifcation trouble if the mkey princ is using a kvno other than 1. */ if (kvno && *kvno == IGNORE_VNO) - *kvno = 1; + *kvno = 1; - errout: +errout: (void) fclose(kf); return retval; } @@ -391,7 +392,7 @@ krb5_db_def_fetch_mkey_keytab(krb5_context context, errout: if (kt) - krb5_kt_close(context, kt); + krb5_kt_close(context, kt); return retval; } @@ -428,12 +429,12 @@ krb5_db_def_fetch_mkey(krb5_context context, * key, but set a message indicating the actual error. */ if (retval != 0) { - krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED, - "Can not fetch master key (error: %s).", - error_message(retval)); - return KRB5_KDB_CANTREAD_STORED; + krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED, + "Can not fetch master key (error: %s).", + error_message(retval)); + return KRB5_KDB_CANTREAD_STORED; } else - return 0; + return 0; } /* @@ -453,52 +454,52 @@ krb5_def_verify_master_key(krb5_context context, nprinc = 1; if ((retval = krb5_db_get_principal(context, mprinc, - &master_entry, &nprinc, &more))) - return(retval); - + &master_entry, &nprinc, &more))) + return(retval); + if (nprinc != 1) { - if (nprinc) - krb5_db_free_principal(context, &master_entry, nprinc); - return(KRB5_KDB_NOMASTERKEY); + if (nprinc) + krb5_db_free_principal(context, &master_entry, nprinc); + return(KRB5_KDB_NOMASTERKEY); } else if (more) { - krb5_db_free_principal(context, &master_entry, nprinc); - return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } - - if ((retval = krb5_dbekd_decrypt_key_data(context, mkey, - &master_entry.key_data[0], - &tempkey, NULL))) { - krb5_db_free_principal(context, &master_entry, nprinc); - return retval; + krb5_db_free_principal(context, &master_entry, nprinc); + return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); + } + + if ((retval = krb5_dbekd_decrypt_key_data(context, mkey, + &master_entry.key_data[0], + &tempkey, NULL))) { + krb5_db_free_principal(context, &master_entry, nprinc); + return retval; } if (mkey->length != tempkey.length || - memcmp((char *)mkey->contents, - (char *)tempkey.contents,mkey->length)) { - retval = KRB5_KDB_BADMASTERKEY; + memcmp((char *)mkey->contents, + (char *)tempkey.contents,mkey->length)) { + retval = KRB5_KDB_BADMASTERKEY; } if (kvno != IGNORE_VNO && kvno != (krb5_kvno) master_entry.key_data->key_data_kvno) { retval = KRB5_KDB_BADMASTERKEY; krb5_set_error_message (context, retval, - "User specified mkeyVNO (%u) does not match master key princ's KVNO (%u)", - kvno, master_entry.key_data->key_data_kvno); + "User specified mkeyVNO (%u) does not match master key princ's KVNO (%u)", + kvno, master_entry.key_data->key_data_kvno); } zap((char *)tempkey.contents, tempkey.length); free(tempkey.contents); krb5_db_free_principal(context, &master_entry, nprinc); - + return retval; } krb5_error_code krb5_def_fetch_mkey_list(krb5_context context, - krb5_principal mprinc, - const krb5_keyblock *mkey, - krb5_kvno mkvno, - krb5_keylist_node **mkeys_list) + krb5_principal mprinc, + const krb5_keyblock *mkey, + krb5_kvno mkvno, + krb5_keylist_node **mkeys_list) { krb5_error_code retval; krb5_db_entry master_entry; @@ -507,7 +508,7 @@ krb5_def_fetch_mkey_list(krb5_context context, krb5_keyblock cur_mkey; krb5_keylist_node *mkey_list_head = NULL, **mkey_list_node; krb5_key_data *key_data; - krb5_mkey_aux_node *mkey_aux_data_list = NULL, *aux_data_entry; + krb5_mkey_aux_node *mkey_aux_data_list = NULL, *aux_data_entry; int i; if (mkeys_list == NULL) @@ -583,7 +584,7 @@ krb5_def_fetch_mkey_list(krb5_context context, } if (found_key != TRUE) { krb5_set_error_message (context, KRB5_KDB_BADMASTERKEY, - "Unable to decrypt latest master key with the provided master key\n"); + "Unable to decrypt latest master key with the provided master key\n"); retval = KRB5_KDB_BADMASTERKEY; goto clean_n_exit; } @@ -592,7 +593,7 @@ krb5_def_fetch_mkey_list(krb5_context context, /* * Extract all the mkeys from master_entry using the most current mkey and - * create a mkey list for the mkeys field in kdc_realm_t. + * create a mkey list for the mkeys field in kdc_realm_t. */ mkey_list_head = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node)); @@ -644,36 +645,36 @@ clean_n_exit: } krb5_error_code kdb_def_set_mkey ( krb5_context kcontext, - char *pwd, - krb5_keyblock *key ) + char *pwd, + krb5_keyblock *key ) { /* printf("default set master key\n"); */ return 0; } krb5_error_code kdb_def_get_mkey ( krb5_context kcontext, - krb5_keyblock **key ) + krb5_keyblock **key ) { /* printf("default get master key\n"); */ return 0; } krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext, - krb5_keylist_node *keylist ) + krb5_keylist_node *keylist ) { /* printf("default set master key\n"); */ return 0; } krb5_error_code kdb_def_get_mkey_list ( krb5_context kcontext, - krb5_keylist_node **keylist ) + krb5_keylist_node **keylist ) { /* printf("default get master key\n"); */ return 0; } krb5_error_code krb5_def_promote_db (krb5_context kcontext, - char *s, char **args) + char *s, char **args) { /* printf("default promote_db\n"); */ return KRB5_PLUGIN_OP_NOTSUPP; diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c index 3652935a1..fe128535c 100644 --- a/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c @@ -1,9 +1,10 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 2004 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -/* #pragma ident "@(#)kdb_log.c 1.3 04/02/23 SMI" */ +/* #pragma ident "@(#)kdb_log.c 1.3 04/02/23 SMI" */ #include #include @@ -23,15 +24,15 @@ * modify the Kerberos principal update and header logs. */ -#define getpagesize() sysconf(_SC_PAGESIZE) +#define getpagesize() sysconf(_SC_PAGESIZE) -static int pagesize = 0; +static int pagesize = 0; -#define INIT_ULOG(ctx) \ - log_ctx = ctx->kdblog_context; \ - assert(log_ctx != NULL); \ - ulog = log_ctx->ulog; \ - assert(ulog != NULL) +#define INIT_ULOG(ctx) \ + log_ctx = ctx->kdblog_context; \ + assert(log_ctx != NULL); \ + ulog = log_ctx->ulog; \ + assert(ulog != NULL) /* XXX */ typedef unsigned long ulong_t; @@ -46,9 +47,9 @@ ulog_lock(krb5_context ctx, int mode) kdb_hlog_t *ulog = NULL; if (ctx == NULL) - return KRB5_LOG_ERROR; + return KRB5_LOG_ERROR; if (ctx->kdblog_context == NULL || ctx->kdblog_context->iproprole == IPROP_NULL) - return 0; + return 0; INIT_ULOG(ctx); return krb5_lock_file(ctx, log_ctx->ulogfd, mode); } @@ -59,23 +60,23 @@ ulog_lock(krb5_context ctx, int mode) static krb5_error_code ulog_sync_update(kdb_hlog_t *ulog, kdb_ent_header_t *upd) { - ulong_t start, end, size; - krb5_error_code retval; + ulong_t start, end, size; + krb5_error_code retval; if (ulog == NULL) - return (KRB5_LOG_ERROR); + return (KRB5_LOG_ERROR); if (!pagesize) - pagesize = getpagesize(); + pagesize = getpagesize(); start = ((ulong_t)upd) & (~(pagesize-1)); end = (((ulong_t)upd) + ulog->kdb_block + - (pagesize-1)) & (~(pagesize-1)); + (pagesize-1)) & (~(pagesize-1)); size = end - start; if ((retval = msync((caddr_t)start, size, MS_SYNC))) { - return (retval); + return (retval); } return (0); @@ -89,14 +90,14 @@ ulog_sync_header(kdb_hlog_t *ulog) { if (!pagesize) - pagesize = getpagesize(); + pagesize = getpagesize(); if (msync((caddr_t)ulog, pagesize, MS_SYNC)) { - /* - * Couldn't sync to disk, let's panic - */ - syslog(LOG_ERR, "ulog_sync_header: could not sync to disk"); - abort(); + /* + * Couldn't sync to disk, let's panic + */ + syslog(LOG_ERR, "ulog_sync_header: could not sync to disk"); + abort(); } } @@ -109,10 +110,10 @@ ulog_sync_header(kdb_hlog_t *ulog) static krb5_error_code ulog_resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, uint_t recsize) { - uint_t new_block, new_size; + uint_t new_block, new_size; if (ulog == NULL) - return (KRB5_LOG_ERROR); + return (KRB5_LOG_ERROR); new_size = sizeof (kdb_hlog_t); @@ -122,28 +123,28 @@ ulog_resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, uint_t recsize) new_size += ulogentries * new_block; if (new_size <= MAXLOGLEN) { - /* - * Reinit log with new block size - */ - (void) memset(ulog, 0, sizeof (kdb_hlog_t)); - - ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; - ulog->db_version_num = KDB_VERSION; - ulog->kdb_state = KDB_STABLE; - ulog->kdb_block = new_block; - - ulog_sync_header(ulog); - - /* - * Time to expand log considering new block size - */ - if (extend_file_to(ulogfd, new_size) < 0) - return errno; + /* + * Reinit log with new block size + */ + (void) memset(ulog, 0, sizeof (kdb_hlog_t)); + + ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; + ulog->db_version_num = KDB_VERSION; + ulog->kdb_state = KDB_STABLE; + ulog->kdb_block = new_block; + + ulog_sync_header(ulog); + + /* + * Time to expand log considering new block size + */ + if (extend_file_to(ulogfd, new_size) < 0) + return errno; } else { - /* - * Can't map into file larger than MAXLOGLEN - */ - return (KRB5_LOG_ERROR); + /* + * Can't map into file larger than MAXLOGLEN + */ + return (KRB5_LOG_ERROR); } return (0); @@ -158,25 +159,25 @@ ulog_resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, uint_t recsize) krb5_error_code ulog_add_update(krb5_context context, kdb_incr_update_t *upd) { - XDR xdrs; - kdbe_time_t ktime; - struct timeval timestamp; + XDR xdrs; + kdbe_time_t ktime; + struct timeval timestamp; kdb_ent_header_t *indx_log; - uint_t i, recsize; - ulong_t upd_size; - krb5_error_code retval; - kdb_sno_t cur_sno; - kdb_log_context *log_ctx; - kdb_hlog_t *ulog = NULL; - uint32_t ulogentries; - int ulogfd; + uint_t i, recsize; + ulong_t upd_size; + krb5_error_code retval; + kdb_sno_t cur_sno; + kdb_log_context *log_ctx; + kdb_hlog_t *ulog = NULL; + uint32_t ulogentries; + int ulogfd; INIT_ULOG(context); ulogentries = log_ctx->ulogentries; ulogfd = log_ctx->ulogfd; if (upd == NULL) - return (KRB5_LOG_ERROR); + return (KRB5_LOG_ERROR); (void) gettimeofday(×tamp, NULL); ktime.seconds = timestamp.tv_sec; @@ -187,10 +188,10 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd) recsize = sizeof (kdb_ent_header_t) + upd_size; if (recsize > ulog->kdb_block) { - if ((retval = ulog_resize(ulog, ulogentries, ulogfd, recsize))) { - /* Resize element array failed */ - return (retval); - } + if ((retval = ulog_resize(ulog, ulogentries, ulogfd, recsize))) { + /* Resize element array failed */ + return (retval); + } } cur_sno = ulog->kdb_last_sno; @@ -200,9 +201,9 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd) * resyncs once they see their sno > than the masters. */ if (cur_sno == ULONG_MAX) - cur_sno = 1; + cur_sno = 1; else - cur_sno++; + cur_sno++; /* * We squirrel this away for finish_update() to index @@ -224,15 +225,15 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd) ulog->kdb_state = KDB_UNSTABLE; xdrmem_create(&xdrs, (char *)indx_log->entry_data, - indx_log->kdb_entry_size, XDR_ENCODE); + indx_log->kdb_entry_size, XDR_ENCODE); if (!xdr_kdb_incr_update_t(&xdrs, upd)) - return (KRB5_LOG_CONV); + return (KRB5_LOG_CONV); if ((retval = ulog_sync_update(ulog, indx_log))) - return (retval); + return (retval); if (ulog->kdb_num < ulogentries) - ulog->kdb_num++; + ulog->kdb_num++; ulog->kdb_last_sno = cur_sno; ulog->kdb_last_time = ktime; @@ -242,13 +243,13 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd) * always kdb_entry_sno + 1. */ if (cur_sno > ulogentries) { - i = upd->kdb_entry_sno % ulogentries; - indx_log = (kdb_ent_header_t *)INDEX(ulog, i); - ulog->kdb_first_sno = indx_log->kdb_entry_sno; - ulog->kdb_first_time = indx_log->kdb_time; + i = upd->kdb_entry_sno % ulogentries; + indx_log = (kdb_ent_header_t *)INDEX(ulog, i); + ulog->kdb_first_sno = indx_log->kdb_entry_sno; + ulog->kdb_first_time = indx_log->kdb_time; } else if (cur_sno == 1) { - ulog->kdb_first_sno = 1; - ulog->kdb_first_time = indx_log->kdb_time; + ulog->kdb_first_sno = 1; + ulog->kdb_first_time = indx_log->kdb_time; } ulog_sync_header(ulog); @@ -263,12 +264,12 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd) krb5_error_code ulog_finish_update(krb5_context context, kdb_incr_update_t *upd) { - krb5_error_code retval; - kdb_ent_header_t *indx_log; - uint_t i; - kdb_log_context *log_ctx; - kdb_hlog_t *ulog = NULL; - uint32_t ulogentries; + krb5_error_code retval; + kdb_ent_header_t *indx_log; + uint_t i; + kdb_log_context *log_ctx; + kdb_hlog_t *ulog = NULL; + uint32_t ulogentries; INIT_ULOG(context); ulogentries = log_ctx->ulogentries; @@ -282,7 +283,7 @@ ulog_finish_update(krb5_context context, kdb_incr_update_t *upd) ulog->kdb_state = KDB_STABLE; if ((retval = ulog_sync_update(ulog, indx_log))) - return (retval); + return (retval); ulog_sync_header(ulog); @@ -323,15 +324,15 @@ ulog_delete_update(krb5_context context, kdb_incr_update_t *upd) krb5_error_code ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) { - krb5_db_entry *entry = NULL; - kdb_incr_update_t *upd = NULL, *fupd; - int i, no_of_updates; - krb5_error_code retval; - krb5_principal dbprinc = NULL; - kdb_last_t errlast; - char *dbprincstr = NULL; - kdb_log_context *log_ctx; - kdb_hlog_t *ulog = NULL; + krb5_db_entry *entry = NULL; + kdb_incr_update_t *upd = NULL, *fupd; + int i, no_of_updates; + krb5_error_code retval; + krb5_principal dbprinc = NULL; + kdb_last_t errlast; + char *dbprincstr = NULL; + kdb_log_context *log_ctx; + kdb_hlog_t *ulog = NULL; INIT_ULOG(context); @@ -348,84 +349,84 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) errlast.last_time.useconds = (unsigned int)0; if ((retval = krb5_db_open(context, db_args, - KRB5_KDB_OPEN_RW|KRB5_KDB_SRV_TYPE_ADMIN))) - goto cleanup; + KRB5_KDB_OPEN_RW|KRB5_KDB_SRV_TYPE_ADMIN))) + goto cleanup; for (i = 0; i < no_of_updates; i++) { - int nentry = 1; + int nentry = 1; - if (!upd->kdb_commit) - continue; + if (!upd->kdb_commit) + continue; - if (upd->kdb_deleted) { - dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len - + 1) * sizeof (char)); + if (upd->kdb_deleted) { + dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len + + 1) * sizeof (char)); - if (dbprincstr == NULL) { - retval = ENOMEM; - goto cleanup; - } + if (dbprincstr == NULL) { + retval = ENOMEM; + goto cleanup; + } - (void) strncpy(dbprincstr, - (char *)upd->kdb_princ_name.utf8str_t_val, - (upd->kdb_princ_name.utf8str_t_len + 1)); - dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0; + (void) strncpy(dbprincstr, + (char *)upd->kdb_princ_name.utf8str_t_val, + (upd->kdb_princ_name.utf8str_t_len + 1)); + dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0; - if ((retval = krb5_parse_name(context, dbprincstr, - &dbprinc))) { - goto cleanup; - } + if ((retval = krb5_parse_name(context, dbprincstr, + &dbprinc))) { + goto cleanup; + } - free(dbprincstr); + free(dbprincstr); - retval = krb5int_delete_principal_no_log(context, - dbprinc, - &nentry); + retval = krb5int_delete_principal_no_log(context, + dbprinc, + &nentry); - if (dbprinc) { - krb5_free_principal(context, dbprinc); - dbprinc = NULL; - } + if (dbprinc) { + krb5_free_principal(context, dbprinc); + dbprinc = NULL; + } - if (retval) - goto cleanup; - } else { - entry = (krb5_db_entry *)malloc(sizeof (krb5_db_entry)); + if (retval) + goto cleanup; + } else { + entry = (krb5_db_entry *)malloc(sizeof (krb5_db_entry)); - if (!entry) { - retval = errno; - goto cleanup; - } + if (!entry) { + retval = errno; + goto cleanup; + } - (void) memset(entry, 0, sizeof (krb5_db_entry)); + (void) memset(entry, 0, sizeof (krb5_db_entry)); - if ((retval = ulog_conv_2dbentry(context, entry, upd, 1))) - goto cleanup; + if ((retval = ulog_conv_2dbentry(context, entry, upd, 1))) + goto cleanup; - retval = krb5int_put_principal_no_log(context, entry, - &nentry); + retval = krb5int_put_principal_no_log(context, entry, + &nentry); - if (entry) { - krb5_db_free_principal(context, entry, nentry); - free(entry); - entry = NULL; - } - if (retval) - goto cleanup; - } + if (entry) { + krb5_db_free_principal(context, entry, nentry); + free(entry); + entry = NULL; + } + if (retval) + goto cleanup; + } - upd++; + upd++; } cleanup: if (fupd) - ulog_free_entries(fupd, no_of_updates); + ulog_free_entries(fupd, no_of_updates); if (log_ctx && (log_ctx->iproprole == IPROP_SLAVE)) { - if (retval) - ulog_finish_update_slave(ulog, errlast); - else - ulog_finish_update_slave(ulog, incr_ret->lastentry); + if (retval) + ulog_finish_update_slave(ulog, errlast); + else + ulog_finish_update_slave(ulog, incr_ret->lastentry); } return (retval); @@ -440,95 +441,95 @@ cleanup: static krb5_error_code ulog_check(krb5_context context, kdb_hlog_t *ulog, char **db_args) { - XDR xdrs; - krb5_error_code retval = 0; - unsigned int i; - kdb_ent_header_t *indx_log; - kdb_incr_update_t *upd = NULL; - kdb_incr_result_t *incr_ret = NULL; + XDR xdrs; + krb5_error_code retval = 0; + unsigned int i; + kdb_ent_header_t *indx_log; + kdb_incr_update_t *upd = NULL; + kdb_incr_result_t *incr_ret = NULL; ulog->kdb_state = KDB_STABLE; for (i = 0; i < ulog->kdb_num; i++) { - indx_log = (kdb_ent_header_t *)INDEX(ulog, i); - - if (indx_log->kdb_umagic != KDB_ULOG_MAGIC) { - /* - * Update entry corrupted we should scream and die - */ - ulog->kdb_state = KDB_CORRUPT; - retval = KRB5_LOG_CORRUPT; - break; - } - - if (indx_log->kdb_commit == FALSE) { - ulog->kdb_state = KDB_UNSTABLE; - - incr_ret = (kdb_incr_result_t *) - malloc(sizeof (kdb_incr_result_t)); - if (incr_ret == NULL) { - retval = errno; - goto error; - } - - upd = (kdb_incr_update_t *) - malloc(sizeof (kdb_incr_update_t)); - if (upd == NULL) { - retval = errno; - goto error; - } - - (void) memset(upd, 0, sizeof (kdb_incr_update_t)); - xdrmem_create(&xdrs, (char *)indx_log->entry_data, - indx_log->kdb_entry_size, XDR_DECODE); - if (!xdr_kdb_incr_update_t(&xdrs, upd)) { - retval = KRB5_LOG_CONV; - goto error; - } - - incr_ret->updates.kdb_ulog_t_len = 1; - incr_ret->updates.kdb_ulog_t_val = upd; - - upd->kdb_commit = TRUE; - - /* - * We don't want to readd this update and just use the - * existing update to be propagated later on - */ - ulog_set_role(context, IPROP_NULL); - retval = ulog_replay(context, incr_ret, db_args); - - /* - * upd was freed by ulog_replay, we NULL - * the pointer in case we subsequently break from loop. - */ - upd = NULL; - if (incr_ret) { - free(incr_ret); - incr_ret = NULL; - } - ulog_set_role(context, IPROP_MASTER); - - if (retval) - goto error; - - /* - * We flag this as committed since this was - * the last entry before kadmind crashed, ergo - * the slaves have not seen this update before - */ - indx_log->kdb_commit = TRUE; - retval = ulog_sync_update(ulog, indx_log); - if (retval) - goto error; - - ulog->kdb_state = KDB_STABLE; - } + indx_log = (kdb_ent_header_t *)INDEX(ulog, i); + + if (indx_log->kdb_umagic != KDB_ULOG_MAGIC) { + /* + * Update entry corrupted we should scream and die + */ + ulog->kdb_state = KDB_CORRUPT; + retval = KRB5_LOG_CORRUPT; + break; + } + + if (indx_log->kdb_commit == FALSE) { + ulog->kdb_state = KDB_UNSTABLE; + + incr_ret = (kdb_incr_result_t *) + malloc(sizeof (kdb_incr_result_t)); + if (incr_ret == NULL) { + retval = errno; + goto error; + } + + upd = (kdb_incr_update_t *) + malloc(sizeof (kdb_incr_update_t)); + if (upd == NULL) { + retval = errno; + goto error; + } + + (void) memset(upd, 0, sizeof (kdb_incr_update_t)); + xdrmem_create(&xdrs, (char *)indx_log->entry_data, + indx_log->kdb_entry_size, XDR_DECODE); + if (!xdr_kdb_incr_update_t(&xdrs, upd)) { + retval = KRB5_LOG_CONV; + goto error; + } + + incr_ret->updates.kdb_ulog_t_len = 1; + incr_ret->updates.kdb_ulog_t_val = upd; + + upd->kdb_commit = TRUE; + + /* + * We don't want to readd this update and just use the + * existing update to be propagated later on + */ + ulog_set_role(context, IPROP_NULL); + retval = ulog_replay(context, incr_ret, db_args); + + /* + * upd was freed by ulog_replay, we NULL + * the pointer in case we subsequently break from loop. + */ + upd = NULL; + if (incr_ret) { + free(incr_ret); + incr_ret = NULL; + } + ulog_set_role(context, IPROP_MASTER); + + if (retval) + goto error; + + /* + * We flag this as committed since this was + * the last entry before kadmind crashed, ergo + * the slaves have not seen this update before + */ + indx_log->kdb_commit = TRUE; + retval = ulog_sync_update(ulog, indx_log); + if (retval) + goto error; + + ulog->kdb_state = KDB_STABLE; + } } error: if (upd) - ulog_free_entries(upd, 1); + ulog_free_entries(upd, 1); free(incr_ret); @@ -547,134 +548,134 @@ error: */ krb5_error_code ulog_map(krb5_context context, const char *logname, uint32_t ulogentries, - int caller, char **db_args) + int caller, char **db_args) { - struct stat st; - krb5_error_code retval; - uint32_t ulog_filesize; - kdb_log_context *log_ctx; - kdb_hlog_t *ulog = NULL; - int ulogfd = -1; + struct stat st; + krb5_error_code retval; + uint32_t ulog_filesize; + kdb_log_context *log_ctx; + kdb_hlog_t *ulog = NULL; + int ulogfd = -1; ulog_filesize = sizeof (kdb_hlog_t); if (stat(logname, &st) == -1) { - if (caller == FKPROPLOG) { - /* - * File doesn't exist so we exit with kproplog - */ - return (errno); - } + if (caller == FKPROPLOG) { + /* + * File doesn't exist so we exit with kproplog + */ + return (errno); + } - if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) { - return (errno); - } + if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) { + return (errno); + } - if (lseek(ulogfd, 0L, SEEK_CUR) == -1) { - return (errno); - } + if (lseek(ulogfd, 0L, SEEK_CUR) == -1) { + return (errno); + } - if ((caller == FKADMIND) || (caller == FKCOMMAND)) - ulog_filesize += ulogentries * ULOG_BLOCK; + if ((caller == FKADMIND) || (caller == FKCOMMAND)) + ulog_filesize += ulogentries * ULOG_BLOCK; - if (extend_file_to(ulogfd, ulog_filesize) < 0) - return errno; + if (extend_file_to(ulogfd, ulog_filesize) < 0) + return errno; } else { - ulogfd = open(logname, O_RDWR, 0600); - if (ulogfd == -1) - /* - * Can't open existing log file - */ - return errno; + ulogfd = open(logname, O_RDWR, 0600); + if (ulogfd == -1) + /* + * Can't open existing log file + */ + return errno; } if (caller == FKPROPLOG) { - if (fstat(ulogfd, &st) < 0) { - close(ulogfd); - return errno; - } - ulog_filesize = st.st_size; - - ulog = (kdb_hlog_t *)mmap(0, ulog_filesize, - PROT_READ+PROT_WRITE, MAP_PRIVATE, ulogfd, 0); + if (fstat(ulogfd, &st) < 0) { + close(ulogfd); + return errno; + } + ulog_filesize = st.st_size; + + ulog = (kdb_hlog_t *)mmap(0, ulog_filesize, + PROT_READ+PROT_WRITE, MAP_PRIVATE, ulogfd, 0); } else { - /* - * else kadmind, kpropd, & kcommands should udpate stores - */ - ulog = (kdb_hlog_t *)mmap(0, MAXLOGLEN, - PROT_READ+PROT_WRITE, MAP_SHARED, ulogfd, 0); + /* + * else kadmind, kpropd, & kcommands should udpate stores + */ + ulog = (kdb_hlog_t *)mmap(0, MAXLOGLEN, + PROT_READ+PROT_WRITE, MAP_SHARED, ulogfd, 0); } if ((int)(ulog) == -1) { - /* - * Can't map update log file to memory - */ - close(ulogfd); - return (errno); + /* + * Can't map update log file to memory + */ + close(ulogfd); + return (errno); } if (!context->kdblog_context) { - if (!(log_ctx = malloc(sizeof (kdb_log_context)))) - return (errno); - memset(log_ctx, 0, sizeof(*log_ctx)); - context->kdblog_context = log_ctx; + if (!(log_ctx = malloc(sizeof (kdb_log_context)))) + return (errno); + memset(log_ctx, 0, sizeof(*log_ctx)); + context->kdblog_context = log_ctx; } else - log_ctx = context->kdblog_context; + log_ctx = context->kdblog_context; log_ctx->ulog = ulog; log_ctx->ulogentries = ulogentries; log_ctx->ulogfd = ulogfd; if (ulog->kdb_hmagic != KDB_ULOG_HDR_MAGIC) { - if (ulog->kdb_hmagic == 0) { - /* - * New update log - */ - (void) memset(ulog, 0, sizeof (kdb_hlog_t)); - - ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; - ulog->db_version_num = KDB_VERSION; - ulog->kdb_state = KDB_STABLE; - ulog->kdb_block = ULOG_BLOCK; - if (!(caller == FKPROPLOG)) - ulog_sync_header(ulog); - } else { - return (KRB5_LOG_CORRUPT); - } + if (ulog->kdb_hmagic == 0) { + /* + * New update log + */ + (void) memset(ulog, 0, sizeof (kdb_hlog_t)); + + ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; + ulog->db_version_num = KDB_VERSION; + ulog->kdb_state = KDB_STABLE; + ulog->kdb_block = ULOG_BLOCK; + if (!(caller == FKPROPLOG)) + ulog_sync_header(ulog); + } else { + return (KRB5_LOG_CORRUPT); + } } if (caller == FKADMIND) { - retval = ulog_lock(context, KRB5_LOCKMODE_EXCLUSIVE); - if (retval) - return retval; - switch (ulog->kdb_state) { - case KDB_STABLE: - case KDB_UNSTABLE: - /* - * Log is currently un/stable, check anyway - */ - retval = ulog_check(context, ulog, db_args); - ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - if (retval == KRB5_LOG_CORRUPT) { - return (retval); - } - break; - case KDB_CORRUPT: - ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - return (KRB5_LOG_CORRUPT); - default: - /* - * Invalid db state - */ - ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - return (KRB5_LOG_ERROR); - } + retval = ulog_lock(context, KRB5_LOCKMODE_EXCLUSIVE); + if (retval) + return retval; + switch (ulog->kdb_state) { + case KDB_STABLE: + case KDB_UNSTABLE: + /* + * Log is currently un/stable, check anyway + */ + retval = ulog_check(context, ulog, db_args); + ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + if (retval == KRB5_LOG_CORRUPT) { + return (retval); + } + break; + case KDB_CORRUPT: + ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + return (KRB5_LOG_CORRUPT); + default: + /* + * Invalid db state + */ + ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + return (KRB5_LOG_ERROR); + } } else if ((caller == FKPROPLOG) || (caller == FKPROPD)) { - /* - * kproplog and kpropd don't need to do anything else - */ - return (0); + /* + * kproplog and kpropd don't need to do anything else + */ + return (0); } /* @@ -683,33 +684,33 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries, */ retval = ulog_lock(context, KRB5_LOCKMODE_EXCLUSIVE); if (retval) - return retval; + return retval; if (ulog->kdb_num != ulogentries) { - if ((ulog->kdb_num != 0) && - ((ulog->kdb_last_sno > ulog->kdb_num) || - (ulog->kdb_num > ulogentries))) { - - (void) memset(ulog, 0, sizeof (kdb_hlog_t)); - - ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; - ulog->db_version_num = KDB_VERSION; - ulog->kdb_state = KDB_STABLE; - ulog->kdb_block = ULOG_BLOCK; - - ulog_sync_header(ulog); - } - - /* - * Expand ulog if we have specified a greater size - */ - if (ulog->kdb_num < ulogentries) { - ulog_filesize += ulogentries * ulog->kdb_block; - - if (extend_file_to(ulogfd, ulog_filesize) < 0) { - ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - return errno; - } - } + if ((ulog->kdb_num != 0) && + ((ulog->kdb_last_sno > ulog->kdb_num) || + (ulog->kdb_num > ulogentries))) { + + (void) memset(ulog, 0, sizeof (kdb_hlog_t)); + + ulog->kdb_hmagic = KDB_ULOG_HDR_MAGIC; + ulog->db_version_num = KDB_VERSION; + ulog->kdb_state = KDB_STABLE; + ulog->kdb_block = ULOG_BLOCK; + + ulog_sync_header(ulog); + } + + /* + * Expand ulog if we have specified a greater size + */ + if (ulog->kdb_num < ulogentries) { + ulog_filesize += ulogentries * ulog->kdb_block; + + if (extend_file_to(ulogfd, ulog_filesize) < 0) { + ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + return errno; + } + } } ulog_lock(context, KRB5_LOCKMODE_UNLOCK); @@ -720,44 +721,44 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries, * Get the last set of updates seen, (last+1) to n is returned. */ krb5_error_code -ulog_get_entries(krb5_context context, /* input - krb5 lib config */ - kdb_last_t last, /* input - slave's last sno */ - kdb_incr_result_t *ulog_handle) /* output - incr result for slave */ +ulog_get_entries(krb5_context context, /* input - krb5 lib config */ + kdb_last_t last, /* input - slave's last sno */ + kdb_incr_result_t *ulog_handle) /* output - incr result for slave */ { - XDR xdrs; - kdb_ent_header_t *indx_log; - kdb_incr_update_t *upd; - uint_t indx, count, tdiff; - uint32_t sno; - krb5_error_code retval; - struct timeval timestamp; - kdb_log_context *log_ctx; - kdb_hlog_t *ulog = NULL; - uint32_t ulogentries; + XDR xdrs; + kdb_ent_header_t *indx_log; + kdb_incr_update_t *upd; + uint_t indx, count, tdiff; + uint32_t sno; + krb5_error_code retval; + struct timeval timestamp; + kdb_log_context *log_ctx; + kdb_hlog_t *ulog = NULL; + uint32_t ulogentries; INIT_ULOG(context); ulogentries = log_ctx->ulogentries; retval = ulog_lock(context, KRB5_LOCKMODE_SHARED); if (retval) - return retval; + return retval; /* * Check to make sure we don't have a corrupt ulog first. */ if (ulog->kdb_state == KDB_CORRUPT) { - ulog_handle->ret = UPDATE_ERROR; - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - return (KRB5_LOG_CORRUPT); + ulog_handle->ret = UPDATE_ERROR; + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + return (KRB5_LOG_CORRUPT); } gettimeofday(×tamp, NULL); tdiff = timestamp.tv_sec - ulog->kdb_last_time.seconds; if (tdiff <= ULOG_IDLE_TIME) { - ulog_handle->ret = UPDATE_BUSY; - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - return (0); + ulog_handle->ret = UPDATE_BUSY; + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + return (0); } /* @@ -767,8 +768,8 @@ ulog_get_entries(krb5_context context, /* input - krb5 lib config */ */ retval = krb5_db_lock(context, KRB5_LOCKMODE_SHARED); if (retval) { - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - return (retval); + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + return (retval); } /* @@ -776,103 +777,103 @@ ulog_get_entries(krb5_context context, /* input - krb5 lib config */ * the client's ulog has just been created. */ if ((last.last_sno > ulog->kdb_last_sno) || - (last.last_sno < ulog->kdb_first_sno) || - (last.last_sno == 0)) { - ulog_handle->lastentry.last_sno = ulog->kdb_last_sno; - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - (void) krb5_db_unlock(context); - ulog_handle->ret = UPDATE_FULL_RESYNC_NEEDED; - return (0); + (last.last_sno < ulog->kdb_first_sno) || + (last.last_sno == 0)) { + ulog_handle->lastentry.last_sno = ulog->kdb_last_sno; + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + (void) krb5_db_unlock(context); + ulog_handle->ret = UPDATE_FULL_RESYNC_NEEDED; + return (0); } else if (last.last_sno <= ulog->kdb_last_sno) { - sno = last.last_sno; - - indx = (sno - 1) % ulogentries; - - indx_log = (kdb_ent_header_t *)INDEX(ulog, indx); - - /* - * Validate the time stamp just to make sure it was the same sno - */ - if ((indx_log->kdb_time.seconds == last.last_time.seconds) && - (indx_log->kdb_time.useconds == last.last_time.useconds)) { - - /* - * If we have the same sno we return success - */ - if (last.last_sno == ulog->kdb_last_sno) { - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - (void) krb5_db_unlock(context); - ulog_handle->ret = UPDATE_NIL; - return (0); - } - - count = ulog->kdb_last_sno - sno; - - ulog_handle->updates.kdb_ulog_t_val = - (kdb_incr_update_t *)malloc( - sizeof (kdb_incr_update_t) * count); - - upd = ulog_handle->updates.kdb_ulog_t_val; - - if (upd == NULL) { - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - (void) krb5_db_unlock(context); - ulog_handle->ret = UPDATE_ERROR; - return (errno); - } - - while (sno < ulog->kdb_last_sno) { - indx = sno % ulogentries; - - indx_log = (kdb_ent_header_t *) - INDEX(ulog, indx); - - (void) memset(upd, 0, - sizeof (kdb_incr_update_t)); - xdrmem_create(&xdrs, - (char *)indx_log->entry_data, - indx_log->kdb_entry_size, XDR_DECODE); - if (!xdr_kdb_incr_update_t(&xdrs, upd)) { - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - (void) krb5_db_unlock(context); - ulog_handle->ret = UPDATE_ERROR; - return (KRB5_LOG_CONV); - } - /* - * Mark commitment since we didn't - * want to decode and encode the - * incr update record the first time. - */ - upd->kdb_commit = indx_log->kdb_commit; - - upd++; - sno++; - } /* while */ - - ulog_handle->updates.kdb_ulog_t_len = count; - - ulog_handle->lastentry.last_sno = ulog->kdb_last_sno; - ulog_handle->lastentry.last_time.seconds = - ulog->kdb_last_time.seconds; - ulog_handle->lastentry.last_time.useconds = - ulog->kdb_last_time.useconds; - ulog_handle->ret = UPDATE_OK; - - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - (void) krb5_db_unlock(context); - - return (0); - } else { - /* - * We have time stamp mismatch or we no longer have - * the slave's last sno, so we brute force it - */ - (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); - (void) krb5_db_unlock(context); - ulog_handle->ret = UPDATE_FULL_RESYNC_NEEDED; - - return (0); - } + sno = last.last_sno; + + indx = (sno - 1) % ulogentries; + + indx_log = (kdb_ent_header_t *)INDEX(ulog, indx); + + /* + * Validate the time stamp just to make sure it was the same sno + */ + if ((indx_log->kdb_time.seconds == last.last_time.seconds) && + (indx_log->kdb_time.useconds == last.last_time.useconds)) { + + /* + * If we have the same sno we return success + */ + if (last.last_sno == ulog->kdb_last_sno) { + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + (void) krb5_db_unlock(context); + ulog_handle->ret = UPDATE_NIL; + return (0); + } + + count = ulog->kdb_last_sno - sno; + + ulog_handle->updates.kdb_ulog_t_val = + (kdb_incr_update_t *)malloc( + sizeof (kdb_incr_update_t) * count); + + upd = ulog_handle->updates.kdb_ulog_t_val; + + if (upd == NULL) { + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + (void) krb5_db_unlock(context); + ulog_handle->ret = UPDATE_ERROR; + return (errno); + } + + while (sno < ulog->kdb_last_sno) { + indx = sno % ulogentries; + + indx_log = (kdb_ent_header_t *) + INDEX(ulog, indx); + + (void) memset(upd, 0, + sizeof (kdb_incr_update_t)); + xdrmem_create(&xdrs, + (char *)indx_log->entry_data, + indx_log->kdb_entry_size, XDR_DECODE); + if (!xdr_kdb_incr_update_t(&xdrs, upd)) { + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + (void) krb5_db_unlock(context); + ulog_handle->ret = UPDATE_ERROR; + return (KRB5_LOG_CONV); + } + /* + * Mark commitment since we didn't + * want to decode and encode the + * incr update record the first time. + */ + upd->kdb_commit = indx_log->kdb_commit; + + upd++; + sno++; + } /* while */ + + ulog_handle->updates.kdb_ulog_t_len = count; + + ulog_handle->lastentry.last_sno = ulog->kdb_last_sno; + ulog_handle->lastentry.last_time.seconds = + ulog->kdb_last_time.seconds; + ulog_handle->lastentry.last_time.useconds = + ulog->kdb_last_time.useconds; + ulog_handle->ret = UPDATE_OK; + + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + (void) krb5_db_unlock(context); + + return (0); + } else { + /* + * We have time stamp mismatch or we no longer have + * the slave's last sno, so we brute force it + */ + (void) ulog_lock(context, KRB5_LOCKMODE_UNLOCK); + (void) krb5_db_unlock(context); + ulog_handle->ret = UPDATE_FULL_RESYNC_NEEDED; + + return (0); + } } /* @@ -886,15 +887,15 @@ ulog_get_entries(krb5_context context, /* input - krb5 lib config */ krb5_error_code ulog_set_role(krb5_context ctx, iprop_role role) { - kdb_log_context *log_ctx; + kdb_log_context *log_ctx; if (!ctx->kdblog_context) { - if (!(log_ctx = malloc(sizeof (kdb_log_context)))) - return (errno); - memset(log_ctx, 0, sizeof(*log_ctx)); - ctx->kdblog_context = log_ctx; + if (!(log_ctx = malloc(sizeof (kdb_log_context)))) + return (errno); + memset(log_ctx, 0, sizeof(*log_ctx)); + ctx->kdblog_context = log_ctx; } else - log_ctx = ctx->kdblog_context; + log_ctx = ctx->kdblog_context; log_ctx->iproprole = role; @@ -911,25 +912,25 @@ static int extend_file_to(int fd, uint_t new_size) current_offset = lseek(fd, 0, SEEK_END); if (current_offset < 0) - return -1; + return -1; if (new_size > INT_MAX) { - errno = EINVAL; - return -1; + errno = EINVAL; + return -1; } while (current_offset < new_size) { - int write_size, wrote_size; - write_size = new_size - current_offset; - if (write_size > 512) - write_size = 512; - wrote_size = write(fd, zero, write_size); - if (wrote_size < 0) - return -1; - if (wrote_size == 0) { - errno = EINVAL; /* XXX ?? */ - return -1; - } - current_offset += wrote_size; - write_size = new_size - current_offset; + int write_size, wrote_size; + write_size = new_size - current_offset; + if (write_size > 512) + write_size = 512; + wrote_size = write(fd, zero, write_size); + if (wrote_size < 0) + return -1; + if (wrote_size == 0) { + errno = EINVAL; /* XXX ?? */ + return -1; + } + current_offset += wrote_size; + write_size = new_size - current_offset; } return 0; } diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index 47626f152..03cc897c3 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/v5server/keytab.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ #include @@ -35,30 +36,30 @@ is_xrealm_tgt(krb5_context, krb5_const_principal); krb5_error_code krb5_ktkdb_close (krb5_context, krb5_keytab); krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal, - krb5_kvno, krb5_enctype, krb5_keytab_entry *); + krb5_kvno, krb5_enctype, krb5_keytab_entry *); static krb5_error_code krb5_ktkdb_get_name(krb5_context context, krb5_keytab keytab, - char *name, unsigned int namelen) + char *name, unsigned int namelen) { if (strlcpy(name, "KDB:", namelen) >= namelen); - return KRB5_KT_NAME_TOOLONG; + return KRB5_KT_NAME_TOOLONG; return 0; } krb5_kt_ops krb5_kt_kdb_ops = { 0, - "KDB", /* Prefix -- this string should not appear anywhere else! */ - krb5_ktkdb_resolve, /* resolve */ - krb5_ktkdb_get_name, /* get_name */ - krb5_ktkdb_close, /* close */ - krb5_ktkdb_get_entry, /* get */ - NULL, /* start_seq_get */ - NULL, /* get_next */ - NULL, /* end_get */ - NULL, /* add (extended) */ - NULL, /* remove (extended) */ - NULL, /* (void *) &krb5_ktfile_ser_entry */ + "KDB", /* Prefix -- this string should not appear anywhere else! */ + krb5_ktkdb_resolve, /* resolve */ + krb5_ktkdb_get_name, /* get_name */ + krb5_ktkdb_close, /* close */ + krb5_ktkdb_get_entry, /* get */ + NULL, /* start_seq_get */ + NULL, /* get_next */ + NULL, /* end_get */ + NULL, /* add (extended) */ + NULL, /* remove (extended) */ + NULL, /* (void *) &krb5_ktfile_ser_entry */ }; typedef struct krb5_ktkdb_data { @@ -67,9 +68,9 @@ typedef struct krb5_ktkdb_data { krb5_error_code krb5_ktkdb_resolve(context, name, id) - krb5_context context; - const char * name; - krb5_keytab * id; + krb5_context context; + const char * name; + krb5_keytab * id; { if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) return(ENOMEM); @@ -80,21 +81,21 @@ krb5_ktkdb_resolve(context, name, id) krb5_error_code krb5_ktkdb_close(context, kt) - krb5_context context; - krb5_keytab kt; + krb5_context context; + krb5_keytab kt; { - /* - * This routine is responsible for freeing all memory allocated - * for this keytab. There are no system resources that need - * to be freed nor are there any open files. - * - * This routine should undo anything done by krb5_ktkdb_resolve(). - */ - - kt->ops = NULL; - free(kt); - - return 0; + /* + * This routine is responsible for freeing all memory allocated + * for this keytab. There are no system resources that need + * to be freed nor are there any open files. + * + * This routine should undo anything done by krb5_ktkdb_resolve(). + */ + + kt->ops = NULL; + free(kt); + + return 0; } static krb5_context ktkdb_ctx = NULL; @@ -115,28 +116,28 @@ krb5_ktkdb_set_context(krb5_context ctx) krb5_error_code krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) - krb5_context in_context; - krb5_keytab id; + krb5_context in_context; + krb5_keytab id; krb5_const_principal principal; - krb5_kvno kvno; - krb5_enctype enctype; - krb5_keytab_entry * entry; + krb5_kvno kvno; + krb5_enctype enctype; + krb5_keytab_entry * entry; { - krb5_context context; + krb5_context context; krb5_keylist_node * master_keylist; krb5_keyblock * master_key; - krb5_error_code kerror = 0; - krb5_key_data * key_data; - krb5_db_entry db_entry; - krb5_boolean more = 0; - int n = 0; + krb5_error_code kerror = 0; + krb5_key_data * key_data; + krb5_db_entry db_entry; + krb5_boolean more = 0; + int n = 0; int xrealm_tgt; krb5_boolean similar; if (ktkdb_ctx) - context = ktkdb_ctx; + context = ktkdb_ctx; else - context = in_context; + context = in_context; xrealm_tgt = is_xrealm_tgt(context, principal); @@ -146,59 +147,59 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) /* get_principal */ kerror = krb5_db_get_principal(context, principal, & - db_entry, &n, &more); + db_entry, &n, &more); if (kerror) { - /* krb5_db_close_database(context); */ + /* krb5_db_close_database(context); */ return(kerror); } if (n != 1) { - /* krb5_db_close_database(context); */ - return KRB5_KT_NOTFOUND; + /* krb5_db_close_database(context); */ + return KRB5_KT_NOTFOUND; } if (db_entry.attributes & KRB5_KDB_DISALLOW_SVR - || db_entry.attributes & KRB5_KDB_DISALLOW_ALL_TIX) { - kerror = KRB5_KT_NOTFOUND; - goto error; + || db_entry.attributes & KRB5_KDB_DISALLOW_ALL_TIX) { + kerror = KRB5_KT_NOTFOUND; + goto error; } /* match key */ kerror = krb5_db_get_mkey_list(context, &master_keylist); if (kerror) - goto error; + goto error; kerror = krb5_dbe_find_mkey(context, master_keylist, &db_entry, &master_key); if (kerror) - goto error; + goto error; /* For cross realm tgts, we match whatever enctype is provided; * for other principals, we only match the first enctype that is * found. Since the TGS and AS code do the same thing, then we * will only successfully decrypt tickets we have issued.*/ kerror = krb5_dbe_find_enctype(context, &db_entry, - xrealm_tgt?enctype:-1, - -1, kvno, &key_data); + xrealm_tgt?enctype:-1, + -1, kvno, &key_data); if (kerror == KRB5_KDB_NO_MATCHING_KEY) - kerror = KRB5_KT_KVNONOTFOUND; + kerror = KRB5_KT_KVNONOTFOUND; if (kerror) - goto error; + goto error; kerror = krb5_dbekd_decrypt_key_data(context, master_key, - key_data, &entry->key, NULL); + key_data, &entry->key, NULL); if (kerror) - goto error; - - if (enctype > 0) { - kerror = krb5_c_enctype_compare(context, enctype, - entry->key.enctype, &similar); - if (kerror) - goto error; - - if (!similar) { - kerror = KRB5_KDB_NO_PERMITTED_KEY; - goto error; - } + goto error; + + if (enctype > 0) { + kerror = krb5_c_enctype_compare(context, enctype, + entry->key.enctype, &similar); + if (kerror) + goto error; + + if (!similar) { + kerror = KRB5_KDB_NO_PERMITTED_KEY; + goto error; + } } /* * Coerce the enctype of the output keyblock in case we got an @@ -208,10 +209,10 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) kerror = krb5_copy_principal(context, principal, &entry->principal); if (kerror) - goto error; + goto error; /* Close database */ - error: +error: krb5_db_free_principal(context, &db_entry, 1); /* krb5_db_close_database(context); */ return(kerror); @@ -227,16 +228,15 @@ is_xrealm_tgt(krb5_context context, krb5_const_principal princ) { krb5_data *dat; if (krb5_princ_size(context, princ) != 2) - return 0; + return 0; dat = krb5_princ_component(context, princ, 0); if (strncmp("krbtgt", dat->data, dat->length) != 0) - return 0; + return 0; dat = krb5_princ_component(context, princ, 1); if (dat->length != princ->realm.length) - return 1; + return 1; if (strncmp(dat->data, princ->realm.data, dat->length) == 0) - return 0; + return 0; return 1; } - diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index 1a4689448..e6682b541 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c @@ -1774,7 +1774,7 @@ error_out: asn1_error_code asn1_decode_external_principal_identifier_ptr - (asn1buf *buf, + (asn1buf *buf, krb5_external_principal_identifier **valptr) { decode_ptr(krb5_external_principal_identifier *, diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h index f0d99dcc0..4cf7e080f 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.h +++ b/src/lib/krb5/asn.1/asn1_k_decode.h @@ -109,7 +109,7 @@ asn1_error_code asn1_decode_checksum_ptr asn1_error_code asn1_decode_encryption_key (asn1buf *buf, krb5_keyblock *val); asn1_error_code asn1_decode_encryption_key_ptr - (asn1buf *buf, krb5_keyblock **valptr); + (asn1buf *buf, krb5_keyblock **valptr); asn1_error_code asn1_decode_encrypted_data (asn1buf *buf, krb5_enc_data *val); asn1_error_code asn1_decode_ticket_flags @@ -127,7 +127,7 @@ asn1_error_code asn1_decode_kdc_options asn1_error_code asn1_decode_ticket (asn1buf *buf, krb5_ticket *val); asn1_error_code asn1_decode_ticket_ptr - (asn1buf *buf, krb5_ticket **valptr); + (asn1buf *buf, krb5_ticket **valptr); asn1_error_code asn1_decode_kdc_req (asn1buf *buf, krb5_kdc_req *val); asn1_error_code asn1_decode_kdc_req_body @@ -137,7 +137,7 @@ asn1_error_code asn1_decode_krb_safe_body asn1_error_code asn1_decode_host_address (asn1buf *buf, krb5_address *val); asn1_error_code asn1_decode_host_address_ptr - (asn1buf *buf, krb5_address **valptr); + (asn1buf *buf, krb5_address **valptr); asn1_error_code asn1_decode_kdc_rep (asn1buf *buf, krb5_kdc_rep *val); asn1_error_code asn1_decode_last_req_entry @@ -155,7 +155,7 @@ asn1_error_code asn1_decode_krb_cred_info_ptr asn1_error_code asn1_decode_pa_data (asn1buf *buf, krb5_pa_data *val); asn1_error_code asn1_decode_pa_data_ptr - (asn1buf *buf, krb5_pa_data **valptr); + (asn1buf *buf, krb5_pa_data **valptr); asn1_error_code asn1_decode_passwdsequence (asn1buf *buf, passwd_phrase_element *val); asn1_error_code asn1_decode_passwdsequence_ptr diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c index 215608d33..fa835feba 100644 --- a/src/lib/krb5/asn.1/krb5_decode.c +++ b/src/lib/krb5/asn.1/krb5_decode.c @@ -1191,7 +1191,7 @@ krb5_error_code decode_krb5_ad_kdcissued cleanup(free); } - + #ifndef DISABLE_PKINIT krb5_error_code decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **repptr) diff --git a/src/lib/krb5/asn.1/krb5_encode.c b/src/lib/krb5/asn.1/krb5_encode.c index 5834e8ae8..144b726b6 100644 --- a/src/lib/krb5/asn.1/krb5_encode.c +++ b/src/lib/krb5/asn.1/krb5_encode.c @@ -171,4 +171,3 @@ krb5_error_code encode_krb5_typed_data(const krb5_typed_data **rep, krb5_data ** sum += length; krb5_cleanup(); } - diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h index 84b100286..685426546 100644 --- a/src/lib/krb5/ccache/cc-int.h +++ b/src/lib/krb5/ccache/cc-int.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/file/cc-int.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * This file contains constant and function declarations used in the * file-based credential cache routines. @@ -71,8 +72,8 @@ typedef struct _k5_cc_mutex { krb5_int32 refcount; } k5_cc_mutex; -#define K5_CC_MUTEX_PARTIAL_INITIALIZER \ - { K5_MUTEX_PARTIAL_INITIALIZER, NULL, 0 } +#define K5_CC_MUTEX_PARTIAL_INITIALIZER \ + { K5_MUTEX_PARTIAL_INITIALIZER, NULL, 0 } krb5_error_code k5_cc_mutex_init(k5_cc_mutex *m); @@ -80,8 +81,8 @@ k5_cc_mutex_init(k5_cc_mutex *m); krb5_error_code k5_cc_mutex_finish_init(k5_cc_mutex *m); -#define k5_cc_mutex_destroy(M) \ -k5_mutex_destroy(&(M)->lock); +#define k5_cc_mutex_destroy(M) \ + k5_mutex_destroy(&(M)->lock); void k5_cc_mutex_assert_locked(krb5_context context, k5_cc_mutex *m); @@ -101,7 +102,7 @@ extern k5_cc_mutex krb5int_cc_file_mutex; #ifdef USE_CCAPI_V3 extern krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock -(krb5_context context); +(krb5_context context); extern krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock (krb5_context context); diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c index 32564a04e..d1499bc75 100644 --- a/src/lib/krb5/ccache/cc_file.c +++ b/src/lib/krb5/ccache/cc_file.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/cc_file.c * @@ -10,7 +11,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -24,46 +25,46 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * implementation of file-based credentials cache */ /* -If OPENCLOSE is defined, each of the functions opens and closes the -file whenever it needs to access it. Otherwise, the file is opened -once in initialize and closed once is close. - -This library depends on UNIX-like file descriptors, and UNIX-like -behavior from the functions: open, close, read, write, lseek. - -The quasi-BNF grammar for a credentials cache: - -file ::= - principal list-of-credentials - -credential ::= - client (principal) - server (principal) - keyblock (keyblock) - times (ticket_times) - is_skey (boolean) - ticket_flags (flags) - ticket (data) - second_ticket (data) - -principal ::= - number of components (int32) - component 1 (data) - component 2 (data) - ... - -data ::= - length (int32) - string of length bytes - -etc. - */ + If OPENCLOSE is defined, each of the functions opens and closes the + file whenever it needs to access it. Otherwise, the file is opened + once in initialize and closed once is close. + + This library depends on UNIX-like file descriptors, and UNIX-like + behavior from the functions: open, close, read, write, lseek. + + The quasi-BNF grammar for a credentials cache: + + file ::= + principal list-of-credentials + + credential ::= + client (principal) + server (principal) + keyblock (keyblock) + times (ticket_times) + is_skey (boolean) + ticket_flags (flags) + ticket (data) + second_ticket (data) + + principal ::= + number of components (int32) + component 1 (data) + component 2 (data) + ... + + data ::= + length (int32) + string of length bytes + + etc. +*/ /* todo: Make sure that each time a function returns KRB5_NOMEM, everything allocated earlier in the function and stack tree is freed. @@ -74,7 +75,7 @@ etc. simultaneously. (That may require reader/writer locks.) fcc_nseq.c and fcc_read don't check return values a lot. - */ +*/ #include "k5-int.h" #include "cc-int.h" @@ -96,93 +97,93 @@ etc. #endif static krb5_error_code KRB5_CALLCONV krb5_fcc_close - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_fcc_destroy - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_fcc_end_seq_get - (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); +(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); static krb5_error_code KRB5_CALLCONV krb5_fcc_generate_new - (krb5_context, krb5_ccache *id); +(krb5_context, krb5_ccache *id); static const char * KRB5_CALLCONV krb5_fcc_get_name - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_fcc_get_principal - (krb5_context, krb5_ccache id, krb5_principal *princ); +(krb5_context, krb5_ccache id, krb5_principal *princ); static krb5_error_code KRB5_CALLCONV krb5_fcc_initialize - (krb5_context, krb5_ccache id, krb5_principal princ); +(krb5_context, krb5_ccache id, krb5_principal princ); static krb5_error_code KRB5_CALLCONV krb5_fcc_next_cred - (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor, - krb5_creds *creds); +(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor, + krb5_creds *creds); static krb5_error_code krb5_fcc_read - (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len); +(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len); static krb5_error_code krb5_fcc_read_principal - (krb5_context, krb5_ccache id, krb5_principal *princ); +(krb5_context, krb5_ccache id, krb5_principal *princ); static krb5_error_code krb5_fcc_read_keyblock - (krb5_context, krb5_ccache id, krb5_keyblock *keyblock); +(krb5_context, krb5_ccache id, krb5_keyblock *keyblock); static krb5_error_code krb5_fcc_read_data - (krb5_context, krb5_ccache id, krb5_data *data); +(krb5_context, krb5_ccache id, krb5_data *data); static krb5_error_code krb5_fcc_read_int32 - (krb5_context, krb5_ccache id, krb5_int32 *i); +(krb5_context, krb5_ccache id, krb5_int32 *i); static krb5_error_code krb5_fcc_read_ui_2 - (krb5_context, krb5_ccache id, krb5_ui_2 *i); +(krb5_context, krb5_ccache id, krb5_ui_2 *i); static krb5_error_code krb5_fcc_read_octet - (krb5_context, krb5_ccache id, krb5_octet *i); +(krb5_context, krb5_ccache id, krb5_octet *i); static krb5_error_code krb5_fcc_read_times - (krb5_context, krb5_ccache id, krb5_ticket_times *t); +(krb5_context, krb5_ccache id, krb5_ticket_times *t); static krb5_error_code krb5_fcc_read_addrs - (krb5_context, krb5_ccache, krb5_address ***); +(krb5_context, krb5_ccache, krb5_address ***); static krb5_error_code krb5_fcc_read_addr - (krb5_context, krb5_ccache, krb5_address *); +(krb5_context, krb5_ccache, krb5_address *); static krb5_error_code krb5_fcc_read_authdata - (krb5_context, krb5_ccache, krb5_authdata ***); +(krb5_context, krb5_ccache, krb5_authdata ***); static krb5_error_code krb5_fcc_read_authdatum - (krb5_context, krb5_ccache, krb5_authdata *); +(krb5_context, krb5_ccache, krb5_authdata *); static krb5_error_code KRB5_CALLCONV krb5_fcc_resolve - (krb5_context, krb5_ccache *id, const char *residual); +(krb5_context, krb5_ccache *id, const char *residual); static krb5_error_code KRB5_CALLCONV krb5_fcc_retrieve - (krb5_context, krb5_ccache id, krb5_flags whichfields, - krb5_creds *mcreds, krb5_creds *creds); +(krb5_context, krb5_ccache id, krb5_flags whichfields, + krb5_creds *mcreds, krb5_creds *creds); static krb5_error_code KRB5_CALLCONV krb5_fcc_start_seq_get - (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); +(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); static krb5_error_code KRB5_CALLCONV krb5_fcc_store - (krb5_context, krb5_ccache id, krb5_creds *creds); +(krb5_context, krb5_ccache id, krb5_creds *creds); static krb5_error_code krb5_fcc_skip_header - (krb5_context, krb5_ccache); +(krb5_context, krb5_ccache); static krb5_error_code krb5_fcc_skip_principal - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_fcc_set_flags - (krb5_context, krb5_ccache id, krb5_flags flags); +(krb5_context, krb5_ccache id, krb5_flags flags); static krb5_error_code KRB5_CALLCONV krb5_fcc_ptcursor_new - (krb5_context context, krb5_cc_ptcursor *cursor); +(krb5_context context, krb5_cc_ptcursor *cursor); static krb5_error_code KRB5_CALLCONV krb5_fcc_ptcursor_next - (krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache); +(krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache); static krb5_error_code KRB5_CALLCONV krb5_fcc_ptcursor_free - (krb5_context context, krb5_cc_ptcursor *cursor); +(krb5_context context, krb5_cc_ptcursor *cursor); static krb5_error_code KRB5_CALLCONV krb5_fcc_last_change_time - (krb5_context context, krb5_ccache id, krb5_timestamp *change_time); +(krb5_context context, krb5_ccache id, krb5_timestamp *change_time); static krb5_error_code KRB5_CALLCONV krb5_fcc_lock - (krb5_context context, krb5_ccache id); +(krb5_context context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_fcc_unlock - (krb5_context context, krb5_ccache id); +(krb5_context context, krb5_ccache id); extern const krb5_cc_ops krb5_cc_file_ops; @@ -190,43 +191,43 @@ extern const krb5_cc_ops krb5_cc_file_ops; krb5_error_code krb5_change_cache (void); static krb5_error_code krb5_fcc_write - (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len); +(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len); static krb5_error_code krb5_fcc_store_principal - (krb5_context, krb5_ccache id, krb5_principal princ); +(krb5_context, krb5_ccache id, krb5_principal princ); static krb5_error_code krb5_fcc_store_keyblock - (krb5_context, krb5_ccache id, krb5_keyblock *keyblock); +(krb5_context, krb5_ccache id, krb5_keyblock *keyblock); static krb5_error_code krb5_fcc_store_data - (krb5_context, krb5_ccache id, krb5_data *data); +(krb5_context, krb5_ccache id, krb5_data *data); static krb5_error_code krb5_fcc_store_int32 - (krb5_context, krb5_ccache id, krb5_int32 i); +(krb5_context, krb5_ccache id, krb5_int32 i); static krb5_error_code krb5_fcc_store_ui_4 - (krb5_context, krb5_ccache id, krb5_ui_4 i); +(krb5_context, krb5_ccache id, krb5_ui_4 i); static krb5_error_code krb5_fcc_store_ui_2 - (krb5_context, krb5_ccache id, krb5_int32 i); +(krb5_context, krb5_ccache id, krb5_int32 i); static krb5_error_code krb5_fcc_store_octet - (krb5_context, krb5_ccache id, krb5_int32 i); +(krb5_context, krb5_ccache id, krb5_int32 i); static krb5_error_code krb5_fcc_store_times - (krb5_context, krb5_ccache id, krb5_ticket_times *t); +(krb5_context, krb5_ccache id, krb5_ticket_times *t); static krb5_error_code krb5_fcc_store_addrs - (krb5_context, krb5_ccache, krb5_address **); +(krb5_context, krb5_ccache, krb5_address **); static krb5_error_code krb5_fcc_store_addr - (krb5_context, krb5_ccache, krb5_address *); +(krb5_context, krb5_ccache, krb5_address *); static krb5_error_code krb5_fcc_store_authdata - (krb5_context, krb5_ccache, krb5_authdata **); +(krb5_context, krb5_ccache, krb5_authdata **); static krb5_error_code krb5_fcc_store_authdatum - (krb5_context, krb5_ccache, krb5_authdata *); +(krb5_context, krb5_ccache, krb5_authdata *); static krb5_error_code krb5_fcc_interpret - (krb5_context, int); +(krb5_context, int); struct _krb5_fcc_data; static krb5_error_code krb5_fcc_close_file - (krb5_context, struct _krb5_fcc_data *data); +(krb5_context, struct _krb5_fcc_data *data); static krb5_error_code krb5_fcc_open_file - (krb5_context, krb5_ccache, int); +(krb5_context, krb5_ccache, int); static krb5_error_code krb5_fcc_data_last_change_time - (krb5_context context, struct _krb5_fcc_data *data, - krb5_timestamp *change_time); +(krb5_context context, struct _krb5_fcc_data *data, + krb5_timestamp *change_time); #define KRB5_OK 0 @@ -236,11 +237,11 @@ static krb5_error_code krb5_fcc_data_last_change_time /* * FCC version 2 contains type information for principals. FCC * version 1 does not. - * + * * FCC version 3 contains keyblock encryption type information, and is * architecture independent. Previous versions are not. * - * The code will accept version 1, 2, and 3 ccaches, and depending + * The code will accept version 1, 2, and 3 ccaches, and depending * what KRB5_FCC_DEFAULT_FVNO is set to, it will create version 1, 2, * or 3 FCC caches. * @@ -248,24 +249,24 @@ static krb5_error_code krb5_fcc_data_last_change_time * init_ctx.c). */ -#define KRB5_FCC_FVNO_1 0x0501 /* krb v5, fcc v1 */ -#define KRB5_FCC_FVNO_2 0x0502 /* krb v5, fcc v2 */ -#define KRB5_FCC_FVNO_3 0x0503 /* krb v5, fcc v3 */ -#define KRB5_FCC_FVNO_4 0x0504 /* krb v5, fcc v4 */ +#define KRB5_FCC_FVNO_1 0x0501 /* krb v5, fcc v1 */ +#define KRB5_FCC_FVNO_2 0x0502 /* krb v5, fcc v2 */ +#define KRB5_FCC_FVNO_3 0x0503 /* krb v5, fcc v3 */ +#define KRB5_FCC_FVNO_4 0x0504 /* krb v5, fcc v4 */ -#define FCC_OPEN_AND_ERASE 1 -#define FCC_OPEN_RDWR 2 -#define FCC_OPEN_RDONLY 3 +#define FCC_OPEN_AND_ERASE 1 +#define FCC_OPEN_RDWR 2 +#define FCC_OPEN_RDONLY 3 /* Credential file header tags. * The header tags are constructed as: - * krb5_ui_2 tag - * krb5_ui_2 len - * krb5_octet data[len] + * krb5_ui_2 tag + * krb5_ui_2 len + * krb5_octet data[len] * This format allows for older versions of the fcc processing code to skip * past unrecognized tag formats. */ -#define FCC_TAG_DELTATIME 1 +#define FCC_TAG_DELTATIME 1 #ifndef TKT_ROOT #ifdef MSDOS_FILESYSTEM @@ -286,8 +287,8 @@ typedef struct _krb5_fcc_data { k5_cc_mutex lock; int file; krb5_flags flags; - int mode; /* needed for locking code */ - int version; /* version number of the file */ + int mode; /* needed for locking code */ + int version; /* version number of the file */ /* Buffer data on reading, for performance. We used to have a stdio option, but we get more precise control @@ -308,10 +309,10 @@ static off_t fcc_lseek(krb5_fcc_data *data, off_t offset, int whence) /* If we read some extra data in advance, and then want to know or use our "current" position, we need to back up a little. */ if (whence == SEEK_CUR && data->valid_bytes) { - assert(data->valid_bytes > 0); - assert(data->cur_offset > 0); - assert(data->cur_offset <= data->valid_bytes); - offset -= (data->valid_bytes - data->cur_offset); + assert(data->valid_bytes > 0); + assert(data->cur_offset > 0); + assert(data->cur_offset <= data->valid_bytes); + offset -= (data->valid_bytes - data->cur_offset); } invalidate_cache(data); return lseek(data->file, offset, whence); @@ -336,31 +337,31 @@ typedef struct _krb5_fcc_cursor { off_t pos; } krb5_fcc_cursor; -#define MAYBE_OPEN(CONTEXT, ID, MODE) \ -{ \ - k5_cc_mutex_assert_locked(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \ - if (OPENCLOSE (ID)) { \ - krb5_error_code maybe_open_ret; \ - maybe_open_ret = krb5_fcc_open_file (CONTEXT,ID,MODE); \ - if (maybe_open_ret) { \ - k5_cc_mutex_unlock(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \ - return maybe_open_ret; \ - } \ - } \ -} +#define MAYBE_OPEN(CONTEXT, ID, MODE) \ + { \ + k5_cc_mutex_assert_locked(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \ + if (OPENCLOSE (ID)) { \ + krb5_error_code maybe_open_ret; \ + maybe_open_ret = krb5_fcc_open_file (CONTEXT,ID,MODE); \ + if (maybe_open_ret) { \ + k5_cc_mutex_unlock(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \ + return maybe_open_ret; \ + } \ + } \ + } -#define MAYBE_CLOSE(CONTEXT, ID, RET) \ -{ \ - if (OPENCLOSE (ID)) { \ - krb5_error_code maybe_close_ret; \ - maybe_close_ret = krb5_fcc_close_file (CONTEXT, \ - (krb5_fcc_data *)(ID)->data); \ - if (!(RET)) RET = maybe_close_ret; } } +#define MAYBE_CLOSE(CONTEXT, ID, RET) \ + { \ + if (OPENCLOSE (ID)) { \ + krb5_error_code maybe_close_ret; \ + maybe_close_ret = krb5_fcc_close_file (CONTEXT, \ + (krb5_fcc_data *)(ID)->data); \ + if (!(RET)) RET = maybe_close_ret; } } -#define MAYBE_CLOSE_IGNORE(CONTEXT, ID) \ -{ \ - if (OPENCLOSE (ID)) { \ - (void) krb5_fcc_close_file (CONTEXT,(krb5_fcc_data *)(ID)->data); } } +#define MAYBE_CLOSE_IGNORE(CONTEXT, ID) \ + { \ + if (OPENCLOSE (ID)) { \ + (void) krb5_fcc_close_file (CONTEXT,(krb5_fcc_data *)(ID)->data); } } #define CHECK(ret) if (ret != KRB5_OK) goto errout; @@ -381,56 +382,56 @@ static krb5_error_code krb5_fcc_read(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned int len) { #if 0 - int ret; + int ret; - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - ret = read(((krb5_fcc_data *) id->data)->file, (char *) buf, len); - if (ret == -1) - return krb5_fcc_interpret(context, errno); - if (ret != len) - return KRB5_CC_END; - else - return KRB5_OK; + ret = read(((krb5_fcc_data *) id->data)->file, (char *) buf, len); + if (ret == -1) + return krb5_fcc_interpret(context, errno); + if (ret != len) + return KRB5_CC_END; + else + return KRB5_OK; #else - krb5_fcc_data *data = (krb5_fcc_data *) id->data; - - k5_cc_mutex_assert_locked(context, &data->lock); - - while (len > 0) { - int nread, e; - size_t ncopied; - - assert (data->valid_bytes >= 0); - if (data->valid_bytes > 0) - assert(data->cur_offset <= data->valid_bytes); - if (data->valid_bytes == 0 - || data->cur_offset == data->valid_bytes) { - /* Fill buffer from current file position. */ - nread = read(data->file, data->buf, sizeof(data->buf)); - e = errno; - if (nread < 0) - return krb5_fcc_interpret(context, e); - if (nread == 0) - /* EOF */ - return KRB5_CC_END; - data->valid_bytes = nread; - data->cur_offset = 0; - } - assert(data->cur_offset < data->valid_bytes); - ncopied = len; - assert(ncopied == len); - if (data->valid_bytes - data->cur_offset < ncopied) - ncopied = data->valid_bytes - data->cur_offset; - memcpy(buf, data->buf + data->cur_offset, ncopied); - data->cur_offset += ncopied; - assert(data->cur_offset > 0); - assert(data->cur_offset <= data->valid_bytes); - len -= ncopied; - /* Don't do arithmetic on void pointers. */ - buf = (char*)buf + ncopied; - } - return 0; + krb5_fcc_data *data = (krb5_fcc_data *) id->data; + + k5_cc_mutex_assert_locked(context, &data->lock); + + while (len > 0) { + int nread, e; + size_t ncopied; + + assert (data->valid_bytes >= 0); + if (data->valid_bytes > 0) + assert(data->cur_offset <= data->valid_bytes); + if (data->valid_bytes == 0 + || data->cur_offset == data->valid_bytes) { + /* Fill buffer from current file position. */ + nread = read(data->file, data->buf, sizeof(data->buf)); + e = errno; + if (nread < 0) + return krb5_fcc_interpret(context, e); + if (nread == 0) + /* EOF */ + return KRB5_CC_END; + data->valid_bytes = nread; + data->cur_offset = 0; + } + assert(data->cur_offset < data->valid_bytes); + ncopied = len; + assert(ncopied == len); + if (data->valid_bytes - data->cur_offset < ncopied) + ncopied = data->valid_bytes - data->cur_offset; + memcpy(buf, data->buf + data->cur_offset, ncopied); + data->cur_offset += ncopied; + assert(data->cur_offset > 0); + assert(data->cur_offset <= data->valid_bytes); + len -= ncopied; + /* Don't do arithmetic on void pointers. */ + buf = (char*)buf + ncopied; + } + return 0; #endif } @@ -453,9 +454,9 @@ krb5_fcc_read(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned i * KRB5_CC_NOMEM */ -#define ALLOC(NUM,TYPE) \ - (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \ - ? (TYPE *) calloc((NUM), sizeof(TYPE)) \ +#define ALLOC(NUM,TYPE) \ + (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \ + ? (TYPE *) calloc((NUM), sizeof(TYPE)) \ : (errno = ENOMEM,(TYPE *) 0)) static krb5_error_code @@ -472,44 +473,44 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr *princ = NULL; if (data->version == KRB5_FCC_FVNO_1) { - type = KRB5_NT_UNKNOWN; + type = KRB5_NT_UNKNOWN; } else { /* Read principal type */ kret = krb5_fcc_read_int32(context, id, &type); if (kret != KRB5_OK) - return kret; + return kret; } /* Read the number of components */ kret = krb5_fcc_read_int32(context, id, &length); if (kret != KRB5_OK) - return kret; + return kret; /* * DCE includes the principal's realm in the count; the new format * does not. */ if (data->version == KRB5_FCC_FVNO_1) - length--; + length--; if (length < 0) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; tmpprinc = (krb5_principal) malloc(sizeof(krb5_principal_data)); if (tmpprinc == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; if (length) { - size_t msize = length; - if (msize != length) { - free(tmpprinc); - return KRB5_CC_NOMEM; - } - tmpprinc->data = ALLOC (msize, krb5_data); - if (tmpprinc->data == 0) { - free(tmpprinc); - return KRB5_CC_NOMEM; - } + size_t msize = length; + if (msize != length) { + free(tmpprinc); + return KRB5_CC_NOMEM; + } + tmpprinc->data = ALLOC (msize, krb5_data); + if (tmpprinc->data == 0) { + free(tmpprinc); + return KRB5_CC_NOMEM; + } } else - tmpprinc->data = 0; + tmpprinc->data = 0; tmpprinc->magic = KV5M_PRINCIPAL; tmpprinc->length = length; tmpprinc->type = type; @@ -520,15 +521,15 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr CHECK(kret); for (i=0; i < length; i++) { - kret = krb5_fcc_read_data(context, id, krb5_princ_component(context, tmpprinc, i)); - CHECK(kret); + kret = krb5_fcc_read_data(context, id, krb5_princ_component(context, tmpprinc, i)); + CHECK(kret); } *princ = tmpprinc; return KRB5_OK; - errout: +errout: while(--i >= 0) - free(krb5_princ_component(context, tmpprinc, i)->data); + free(krb5_princ_component(context, tmpprinc, i)->data); free(krb5_princ_realm(context, tmpprinc)->data); free(tmpprinc->data); free(tmpprinc); @@ -538,185 +539,185 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr static krb5_error_code krb5_fcc_read_addrs(krb5_context context, krb5_ccache id, krb5_address ***addrs) { - krb5_error_code kret; - krb5_int32 length; - size_t msize; - int i; - - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - - *addrs = 0; - - /* Read the number of components */ - kret = krb5_fcc_read_int32(context, id, &length); - CHECK(kret); - - /* Make *addrs able to hold length pointers to krb5_address structs - * Add one extra for a null-terminated list - */ - msize = length; - msize += 1; - if (msize == 0 || msize - 1 != length || length < 0) - return KRB5_CC_NOMEM; - *addrs = ALLOC (msize, krb5_address *); - if (*addrs == NULL) - return KRB5_CC_NOMEM; - - for (i=0; i < length; i++) { - (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address)); - if ((*addrs)[i] == NULL) { - krb5_free_addresses(context, *addrs); - *addrs = 0; - return KRB5_CC_NOMEM; - } - (*addrs)[i]->contents = NULL; - kret = krb5_fcc_read_addr(context, id, (*addrs)[i]); - CHECK(kret); - } - - return KRB5_OK; - errout: - if (*addrs) { - krb5_free_addresses(context, *addrs); - *addrs = NULL; - } - return kret; + krb5_error_code kret; + krb5_int32 length; + size_t msize; + int i; + + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + + *addrs = 0; + + /* Read the number of components */ + kret = krb5_fcc_read_int32(context, id, &length); + CHECK(kret); + + /* Make *addrs able to hold length pointers to krb5_address structs + * Add one extra for a null-terminated list + */ + msize = length; + msize += 1; + if (msize == 0 || msize - 1 != length || length < 0) + return KRB5_CC_NOMEM; + *addrs = ALLOC (msize, krb5_address *); + if (*addrs == NULL) + return KRB5_CC_NOMEM; + + for (i=0; i < length; i++) { + (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address)); + if ((*addrs)[i] == NULL) { + krb5_free_addresses(context, *addrs); + *addrs = 0; + return KRB5_CC_NOMEM; + } + (*addrs)[i]->contents = NULL; + kret = krb5_fcc_read_addr(context, id, (*addrs)[i]); + CHECK(kret); + } + + return KRB5_OK; +errout: + if (*addrs) { + krb5_free_addresses(context, *addrs); + *addrs = NULL; + } + return kret; } static krb5_error_code krb5_fcc_read_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyblock) { - krb5_fcc_data *data = (krb5_fcc_data *)id->data; - krb5_error_code kret; - krb5_ui_2 ui2; - krb5_int32 int32; - - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - - keyblock->magic = KV5M_KEYBLOCK; - keyblock->contents = 0; - - kret = krb5_fcc_read_ui_2(context, id, &ui2); - keyblock->enctype = ui2; - CHECK(kret); - if (data->version == KRB5_FCC_FVNO_3) { - /* This works because the old etype is the same as the new enctype. */ - kret = krb5_fcc_read_ui_2(context, id, &ui2); - /* keyblock->enctype = ui2; */ - CHECK(kret); - } - - kret = krb5_fcc_read_int32(context, id, &int32); - CHECK(kret); - if (int32 < 0) - return KRB5_CC_NOMEM; - keyblock->length = int32; - /* Overflow check. */ - if (keyblock->length != int32) - return KRB5_CC_NOMEM; - if ( keyblock->length == 0 ) - return KRB5_OK; - keyblock->contents = ALLOC (keyblock->length, krb5_octet); - if (keyblock->contents == NULL) - return KRB5_CC_NOMEM; - - kret = krb5_fcc_read(context, id, keyblock->contents, keyblock->length); - if (kret) - goto errout; - - return KRB5_OK; - errout: - if (keyblock->contents) { - free(keyblock->contents); - keyblock->contents = NULL; - } - return kret; + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code kret; + krb5_ui_2 ui2; + krb5_int32 int32; + + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + + keyblock->magic = KV5M_KEYBLOCK; + keyblock->contents = 0; + + kret = krb5_fcc_read_ui_2(context, id, &ui2); + keyblock->enctype = ui2; + CHECK(kret); + if (data->version == KRB5_FCC_FVNO_3) { + /* This works because the old etype is the same as the new enctype. */ + kret = krb5_fcc_read_ui_2(context, id, &ui2); + /* keyblock->enctype = ui2; */ + CHECK(kret); + } + + kret = krb5_fcc_read_int32(context, id, &int32); + CHECK(kret); + if (int32 < 0) + return KRB5_CC_NOMEM; + keyblock->length = int32; + /* Overflow check. */ + if (keyblock->length != int32) + return KRB5_CC_NOMEM; + if ( keyblock->length == 0 ) + return KRB5_OK; + keyblock->contents = ALLOC (keyblock->length, krb5_octet); + if (keyblock->contents == NULL) + return KRB5_CC_NOMEM; + + kret = krb5_fcc_read(context, id, keyblock->contents, keyblock->length); + if (kret) + goto errout; + + return KRB5_OK; +errout: + if (keyblock->contents) { + free(keyblock->contents); + keyblock->contents = NULL; + } + return kret; } static krb5_error_code krb5_fcc_read_data(krb5_context context, krb5_ccache id, krb5_data *data) { - krb5_error_code kret; - krb5_int32 len; + krb5_error_code kret; + krb5_int32 len; - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - data->magic = KV5M_DATA; - data->data = 0; + data->magic = KV5M_DATA; + data->data = 0; - kret = krb5_fcc_read_int32(context, id, &len); - CHECK(kret); - if (len < 0) + kret = krb5_fcc_read_int32(context, id, &len); + CHECK(kret); + if (len < 0) return KRB5_CC_NOMEM; - data->length = len; - if (data->length != len || data->length + 1 == 0) - return KRB5_CC_NOMEM; - - if (data->length == 0) { - data->data = 0; - return KRB5_OK; - } - - data->data = (char *) malloc(data->length+1); - if (data->data == NULL) - return KRB5_CC_NOMEM; - - kret = krb5_fcc_read(context, id, data->data, (unsigned) data->length); - CHECK(kret); - - data->data[data->length] = 0; /* Null terminate, just in case.... */ - return KRB5_OK; - errout: - if (data->data) { - free(data->data); - data->data = NULL; - } - return kret; + data->length = len; + if (data->length != len || data->length + 1 == 0) + return KRB5_CC_NOMEM; + + if (data->length == 0) { + data->data = 0; + return KRB5_OK; + } + + data->data = (char *) malloc(data->length+1); + if (data->data == NULL) + return KRB5_CC_NOMEM; + + kret = krb5_fcc_read(context, id, data->data, (unsigned) data->length); + CHECK(kret); + + data->data[data->length] = 0; /* Null terminate, just in case.... */ + return KRB5_OK; +errout: + if (data->data) { + free(data->data); + data->data = NULL; + } + return kret; } static krb5_error_code krb5_fcc_read_addr(krb5_context context, krb5_ccache id, krb5_address *addr) { - krb5_error_code kret; - krb5_ui_2 ui2; - krb5_int32 int32; - - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - - addr->magic = KV5M_ADDRESS; - addr->contents = 0; - - kret = krb5_fcc_read_ui_2(context, id, &ui2); - CHECK(kret); - addr->addrtype = ui2; - - kret = krb5_fcc_read_int32(context, id, &int32); - CHECK(kret); - if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ - return KRB5_CC_NOMEM; - addr->length = int32; - /* Length field is "unsigned int", which may be smaller than 32 - bits. */ - if (addr->length != int32) - return KRB5_CC_NOMEM; /* XXX */ - - if (addr->length == 0) - return KRB5_OK; - - addr->contents = (krb5_octet *) malloc(addr->length); - if (addr->contents == NULL) - return KRB5_CC_NOMEM; - - kret = krb5_fcc_read(context, id, addr->contents, addr->length); - CHECK(kret); - - return KRB5_OK; - errout: - if (addr->contents) { - free(addr->contents); - addr->contents = NULL; - } - return kret; + krb5_error_code kret; + krb5_ui_2 ui2; + krb5_int32 int32; + + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + + addr->magic = KV5M_ADDRESS; + addr->contents = 0; + + kret = krb5_fcc_read_ui_2(context, id, &ui2); + CHECK(kret); + addr->addrtype = ui2; + + kret = krb5_fcc_read_int32(context, id, &int32); + CHECK(kret); + if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ + return KRB5_CC_NOMEM; + addr->length = int32; + /* Length field is "unsigned int", which may be smaller than 32 + bits. */ + if (addr->length != int32) + return KRB5_CC_NOMEM; /* XXX */ + + if (addr->length == 0) + return KRB5_OK; + + addr->contents = (krb5_octet *) malloc(addr->length); + if (addr->contents == NULL) + return KRB5_CC_NOMEM; + + kret = krb5_fcc_read(context, id, addr->contents, addr->length); + CHECK(kret); + + return KRB5_OK; +errout: + if (addr->contents) { + free(addr->contents); + addr->contents = NULL; + } + return kret; } static krb5_error_code @@ -729,14 +730,14 @@ krb5_fcc_read_int32(krb5_context context, krb5_ccache id, krb5_int32 *i) k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); if ((data->version == KRB5_FCC_FVNO_1) || - (data->version == KRB5_FCC_FVNO_2)) - return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_int32)); + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_int32)); else { - retval = krb5_fcc_read(context, id, buf, 4); - if (retval) - return retval; + retval = krb5_fcc_read(context, id, buf, 4); + if (retval) + return retval; *i = load_32_be (buf); - return 0; + return 0; } } @@ -746,27 +747,27 @@ krb5_fcc_read_ui_2(krb5_context context, krb5_ccache id, krb5_ui_2 *i) krb5_fcc_data *data = (krb5_fcc_data *)id->data; krb5_error_code retval; unsigned char buf[2]; - + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); if ((data->version == KRB5_FCC_FVNO_1) || - (data->version == KRB5_FCC_FVNO_2)) - return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_ui_2)); + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_ui_2)); else { - retval = krb5_fcc_read(context, id, buf, 2); - if (retval) - return retval; - *i = load_16_be (buf); - return 0; + retval = krb5_fcc_read(context, id, buf, 2); + if (retval) + return retval; + *i = load_16_be (buf); + return 0; } -} +} static krb5_error_code krb5_fcc_read_octet(krb5_context context, krb5_ccache id, krb5_octet *i) { k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); return krb5_fcc_read(context, id, (krb5_pointer) i, 1); -} +} static krb5_error_code @@ -775,28 +776,28 @@ krb5_fcc_read_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t) krb5_fcc_data *data = (krb5_fcc_data *)id->data; krb5_error_code retval; krb5_int32 i; - + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); if ((data->version == KRB5_FCC_FVNO_1) || - (data->version == KRB5_FCC_FVNO_2)) - return krb5_fcc_read(context, id, (krb5_pointer) t, sizeof(krb5_ticket_times)); + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_read(context, id, (krb5_pointer) t, sizeof(krb5_ticket_times)); else { - retval = krb5_fcc_read_int32(context, id, &i); - CHECK(retval); - t->authtime = i; - - retval = krb5_fcc_read_int32(context, id, &i); - CHECK(retval); - t->starttime = i; - - retval = krb5_fcc_read_int32(context, id, &i); - CHECK(retval); - t->endtime = i; - - retval = krb5_fcc_read_int32(context, id, &i); - CHECK(retval); - t->renew_till = i; + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->authtime = i; + + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->starttime = i; + + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->endtime = i; + + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->renew_till = i; } return 0; errout: @@ -806,52 +807,52 @@ errout: static krb5_error_code krb5_fcc_read_authdata(krb5_context context, krb5_ccache id, krb5_authdata ***a) { - krb5_error_code kret; - krb5_int32 length; - size_t msize; - int i; - - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - - *a = 0; - - /* Read the number of components */ - kret = krb5_fcc_read_int32(context, id, &length); - CHECK(kret); - - if (length == 0) - return KRB5_OK; - - /* Make *a able to hold length pointers to krb5_authdata structs - * Add one extra for a null-terminated list - */ - msize = length; - msize += 1; - if (msize == 0 || msize - 1 != length || length < 0) - return KRB5_CC_NOMEM; - *a = ALLOC (msize, krb5_authdata *); - if (*a == NULL) - return KRB5_CC_NOMEM; - - for (i=0; i < length; i++) { - (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata)); - if ((*a)[i] == NULL) { - krb5_free_authdata(context, *a); - *a = NULL; - return KRB5_CC_NOMEM; - } - (*a)[i]->contents = NULL; - kret = krb5_fcc_read_authdatum(context, id, (*a)[i]); - CHECK(kret); - } - - return KRB5_OK; - errout: - if (*a) { - krb5_free_authdata(context, *a); - *a = NULL; - } - return kret; + krb5_error_code kret; + krb5_int32 length; + size_t msize; + int i; + + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + + *a = 0; + + /* Read the number of components */ + kret = krb5_fcc_read_int32(context, id, &length); + CHECK(kret); + + if (length == 0) + return KRB5_OK; + + /* Make *a able to hold length pointers to krb5_authdata structs + * Add one extra for a null-terminated list + */ + msize = length; + msize += 1; + if (msize == 0 || msize - 1 != length || length < 0) + return KRB5_CC_NOMEM; + *a = ALLOC (msize, krb5_authdata *); + if (*a == NULL) + return KRB5_CC_NOMEM; + + for (i=0; i < length; i++) { + (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata)); + if ((*a)[i] == NULL) { + krb5_free_authdata(context, *a); + *a = NULL; + return KRB5_CC_NOMEM; + } + (*a)[i]->contents = NULL; + kret = krb5_fcc_read_authdatum(context, id, (*a)[i]); + CHECK(kret); + } + + return KRB5_OK; +errout: + if (*a) { + krb5_free_authdata(context, *a); + *a = NULL; + } + return kret; } static krb5_error_code @@ -860,7 +861,7 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a) krb5_error_code kret; krb5_int32 int32; krb5_int16 ui2; /* negative authorization data types are allowed */ - + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); a->magic = KV5M_AUTHDATA; @@ -872,31 +873,31 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a) kret = krb5_fcc_read_int32(context, id, &int32); CHECK(kret); if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; a->length = int32; /* Value could have gotten truncated if int is smaller than 32 bits. */ if (a->length != int32) - return KRB5_CC_NOMEM; /* XXX */ - + return KRB5_CC_NOMEM; /* XXX */ + if (a->length == 0 ) - return KRB5_OK; + return KRB5_OK; a->contents = (krb5_octet *) malloc(a->length); if (a->contents == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; kret = krb5_fcc_read(context, id, a->contents, a->length); CHECK(kret); - - return KRB5_OK; - errout: - if (a->contents) { - free(a->contents); - a->contents = NULL; - } - return kret; - + + return KRB5_OK; +errout: + if (a->contents) { + free(a->contents); + a->contents = NULL; + } + return kret; + } #undef CHECK @@ -915,27 +916,27 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a) static krb5_error_code krb5_fcc_write(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned int len) { - int ret; + int ret; - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - invalidate_cache((krb5_fcc_data *) id->data); + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + invalidate_cache((krb5_fcc_data *) id->data); - ret = write(((krb5_fcc_data *)id->data)->file, (char *) buf, len); - if (ret < 0) - return krb5_fcc_interpret(context, errno); - if (ret != len) - return KRB5_CC_WRITE; - return KRB5_OK; + ret = write(((krb5_fcc_data *)id->data)->file, (char *) buf, len); + if (ret < 0) + return krb5_fcc_interpret(context, errno); + if (ret != len) + return KRB5_CC_WRITE; + return KRB5_OK; } /* * FOR ALL OF THE FOLLOWING FUNCTIONS: - * + * * Requires: * ((krb5_fcc_data *) id->data)->file is open and at the right position. * * mutex is locked - * + * * Effects: * Stores an encoded version of the second argument in the * cache file. @@ -957,17 +958,17 @@ krb5_fcc_store_principal(krb5_context context, krb5_ccache id, krb5_principal pr tmp = length = krb5_princ_size(context, princ); if (data->version == KRB5_FCC_FVNO_1) { - /* - * DCE-compatible format means that the length count - * includes the realm. (It also doesn't include the - * principal type information.) - */ - tmp++; + /* + * DCE-compatible format means that the length count + * includes the realm. (It also doesn't include the + * principal type information.) + */ + tmp++; } else { - ret = krb5_fcc_store_int32(context, id, type); - CHECK(ret); + ret = krb5_fcc_store_int32(context, id, type); + CHECK(ret); } - + ret = krb5_fcc_store_int32(context, id, tmp); CHECK(ret); @@ -975,8 +976,8 @@ krb5_fcc_store_principal(krb5_context context, krb5_ccache id, krb5_principal pr CHECK(ret); for (i=0; i < length; i++) { - ret = krb5_fcc_store_data(context, id, krb5_princ_component(context, princ, i)); - CHECK(ret); + ret = krb5_fcc_store_data(context, id, krb5_princ_component(context, princ, i)); + CHECK(ret); } return KRB5_OK; @@ -985,73 +986,73 @@ krb5_fcc_store_principal(krb5_context context, krb5_ccache id, krb5_principal pr static krb5_error_code krb5_fcc_store_addrs(krb5_context context, krb5_ccache id, krb5_address **addrs) { - krb5_error_code ret; - krb5_address **temp; - krb5_int32 i, length = 0; - - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - - /* Count the number of components */ - if (addrs) { - temp = addrs; - while (*temp++) - length += 1; - } - - ret = krb5_fcc_store_int32(context, id, length); - CHECK(ret); - for (i=0; i < length; i++) { - ret = krb5_fcc_store_addr(context, id, addrs[i]); - CHECK(ret); - } - - return KRB5_OK; + krb5_error_code ret; + krb5_address **temp; + krb5_int32 i, length = 0; + + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + + /* Count the number of components */ + if (addrs) { + temp = addrs; + while (*temp++) + length += 1; + } + + ret = krb5_fcc_store_int32(context, id, length); + CHECK(ret); + for (i=0; i < length; i++) { + ret = krb5_fcc_store_addr(context, id, addrs[i]); + CHECK(ret); + } + + return KRB5_OK; } static krb5_error_code krb5_fcc_store_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyblock) { - krb5_fcc_data *data = (krb5_fcc_data *)id->data; - krb5_error_code ret; - - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - - ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype); - CHECK(ret); - if (data->version == KRB5_FCC_FVNO_3) { - ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype); - CHECK(ret); - } - ret = krb5_fcc_store_ui_4(context, id, keyblock->length); - CHECK(ret); - return krb5_fcc_write(context, id, (char *) keyblock->contents, keyblock->length); + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code ret; + + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + + ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype); + CHECK(ret); + if (data->version == KRB5_FCC_FVNO_3) { + ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype); + CHECK(ret); + } + ret = krb5_fcc_store_ui_4(context, id, keyblock->length); + CHECK(ret); + return krb5_fcc_write(context, id, (char *) keyblock->contents, keyblock->length); } static krb5_error_code krb5_fcc_store_addr(krb5_context context, krb5_ccache id, krb5_address *addr) { - krb5_error_code ret; + krb5_error_code ret; - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - ret = krb5_fcc_store_ui_2(context, id, addr->addrtype); - CHECK(ret); - ret = krb5_fcc_store_ui_4(context, id, addr->length); - CHECK(ret); - return krb5_fcc_write(context, id, (char *) addr->contents, addr->length); + ret = krb5_fcc_store_ui_2(context, id, addr->addrtype); + CHECK(ret); + ret = krb5_fcc_store_ui_4(context, id, addr->length); + CHECK(ret); + return krb5_fcc_write(context, id, (char *) addr->contents, addr->length); } static krb5_error_code krb5_fcc_store_data(krb5_context context, krb5_ccache id, krb5_data *data) { - krb5_error_code ret; + krb5_error_code ret; - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - ret = krb5_fcc_store_ui_4(context, id, data->length); - CHECK(ret); - return krb5_fcc_write(context, id, data->data, data->length); + ret = krb5_fcc_store_ui_4(context, id, data->length); + CHECK(ret); + return krb5_fcc_write(context, id, data->data, data->length); } static krb5_error_code @@ -1069,11 +1070,11 @@ krb5_fcc_store_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i) k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); if ((data->version == KRB5_FCC_FVNO_1) || - (data->version == KRB5_FCC_FVNO_2)) - return krb5_fcc_write(context, id, (char *) &i, sizeof(krb5_int32)); + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_write(context, id, (char *) &i, sizeof(krb5_int32)); else { - store_32_be (i, buf); - return krb5_fcc_write(context, id, buf, 4); + store_32_be (i, buf); + return krb5_fcc_write(context, id, buf, 4); } } @@ -1083,19 +1084,19 @@ krb5_fcc_store_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i) krb5_fcc_data *data = (krb5_fcc_data *)id->data; krb5_ui_2 ibuf; unsigned char buf[2]; - + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); if ((data->version == KRB5_FCC_FVNO_1) || - (data->version == KRB5_FCC_FVNO_2)) { + (data->version == KRB5_FCC_FVNO_2)) { ibuf = (krb5_ui_2) i; - return krb5_fcc_write(context, id, (char *) &ibuf, sizeof(krb5_ui_2)); + return krb5_fcc_write(context, id, (char *) &ibuf, sizeof(krb5_ui_2)); } else { - store_16_be (i, buf); - return krb5_fcc_write(context, id, buf, 2); + store_16_be (i, buf); + return krb5_fcc_write(context, id, buf, 2); } } - + static krb5_error_code krb5_fcc_store_octet(krb5_context context, krb5_ccache id, krb5_int32 i) { @@ -1106,7 +1107,7 @@ krb5_fcc_store_octet(krb5_context context, krb5_ccache id, krb5_int32 i) ibuf = (krb5_octet) i; return krb5_fcc_write(context, id, (char *) &ibuf, 1); } - + static krb5_error_code krb5_fcc_store_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t) { @@ -1116,21 +1117,21 @@ krb5_fcc_store_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t) k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); if ((data->version == KRB5_FCC_FVNO_1) || - (data->version == KRB5_FCC_FVNO_2)) - return krb5_fcc_write(context, id, (char *) t, sizeof(krb5_ticket_times)); + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_write(context, id, (char *) t, sizeof(krb5_ticket_times)); else { - retval = krb5_fcc_store_int32(context, id, t->authtime); - CHECK(retval); - retval = krb5_fcc_store_int32(context, id, t->starttime); - CHECK(retval); - retval = krb5_fcc_store_int32(context, id, t->endtime); - CHECK(retval); - retval = krb5_fcc_store_int32(context, id, t->renew_till); - CHECK(retval); - return 0; + retval = krb5_fcc_store_int32(context, id, t->authtime); + CHECK(retval); + retval = krb5_fcc_store_int32(context, id, t->starttime); + CHECK(retval); + retval = krb5_fcc_store_int32(context, id, t->endtime); + CHECK(retval); + retval = krb5_fcc_store_int32(context, id, t->renew_till); + CHECK(retval); + return 0; } } - + static krb5_error_code krb5_fcc_store_authdata(krb5_context context, krb5_ccache id, krb5_authdata **a) { @@ -1141,15 +1142,15 @@ krb5_fcc_store_authdata(krb5_context context, krb5_ccache id, krb5_authdata **a) k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); if (a != NULL) { - for (temp=a; *temp; temp++) - length++; + for (temp=a; *temp; temp++) + length++; } ret = krb5_fcc_store_int32(context, id, length); CHECK(ret); for (i=0; ilock); + k5_cc_mutex_assert_locked(context, &data->lock); - if (data->file == NO_FILE) - return KRB5_FCC_INTERNAL; + if (data->file == NO_FILE) + return KRB5_FCC_INTERNAL; - retval = krb5_unlock_file(context, data->file); - ret = close (data->file); - data->file = NO_FILE; - if (retval) - return retval; + retval = krb5_unlock_file(context, data->file); + ret = close (data->file); + data->file = NO_FILE; + if (retval) + return retval; - return ret ? krb5_fcc_interpret (context, errno) : 0; + return ret ? krb5_fcc_interpret (context, errno) : 0; } #if defined(ANSI_STDIO) || defined(_WIN32) @@ -1197,8 +1198,8 @@ krb5_fcc_close_file (krb5_context context, krb5_fcc_data *data) #ifndef HAVE_SETVBUF #undef setvbuf -#define setvbuf(FILE,BUF,MODE,SIZE) \ - ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF)) +#define setvbuf(FILE,BUF,MODE,SIZE) \ + ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF)) #endif static krb5_error_code @@ -1218,211 +1219,211 @@ krb5_fcc_open_file (krb5_context context, krb5_ccache id, int mode) invalidate_cache(data); if (data->file != NO_FILE) { - /* Don't know what state it's in; shut down and start anew. */ - (void) krb5_unlock_file(context, data->file); - (void) close (data->file); - data->file = NO_FILE; + /* Don't know what state it's in; shut down and start anew. */ + (void) krb5_unlock_file(context, data->file); + (void) close (data->file); + data->file = NO_FILE; } switch(mode) { case FCC_OPEN_AND_ERASE: - unlink(data->filename); - open_flag = O_CREAT|O_EXCL|O_TRUNC|O_RDWR; - break; + unlink(data->filename); + open_flag = O_CREAT|O_EXCL|O_TRUNC|O_RDWR; + break; case FCC_OPEN_RDWR: - open_flag = O_RDWR; - break; + open_flag = O_RDWR; + break; case FCC_OPEN_RDONLY: default: - open_flag = O_RDONLY; - break; + open_flag = O_RDONLY; + break; } f = THREEPARAMOPEN (data->filename, open_flag | O_BINARY, 0600); if (f == NO_FILE) { - switch (errno) { - case ENOENT: - retval = KRB5_FCC_NOFILE; - krb5_set_error_message(context, retval, - "Credentials cache file '%s' not found", - data->filename); - return retval; - default: - return krb5_fcc_interpret (context, errno); - } + switch (errno) { + case ENOENT: + retval = KRB5_FCC_NOFILE; + krb5_set_error_message(context, retval, + "Credentials cache file '%s' not found", + data->filename); + return retval; + default: + return krb5_fcc_interpret (context, errno); + } } set_cloexec_fd(f); data->mode = mode; if (data->mode == FCC_OPEN_RDONLY) - lock_flag = KRB5_LOCKMODE_SHARED; - else - lock_flag = KRB5_LOCKMODE_EXCLUSIVE; + lock_flag = KRB5_LOCKMODE_SHARED; + else + lock_flag = KRB5_LOCKMODE_EXCLUSIVE; if ((retval = krb5_lock_file(context, f, lock_flag))) { - (void) close(f); - return retval; + (void) close(f); + return retval; } if (mode == FCC_OPEN_AND_ERASE) { - /* write the version number */ - int cnt; - - fcc_fvno = htons(context->fcc_default_format); - data->version = context->fcc_default_format; - if ((cnt = write(f, (char *)&fcc_fvno, sizeof(fcc_fvno))) != - sizeof(fcc_fvno)) { - retval = ((cnt == -1) ? krb5_fcc_interpret(context, errno) : - KRB5_CC_IO); - goto done; - } - data->file = f; - - if (data->version == KRB5_FCC_FVNO_4) { - /* V4 of the credentials cache format allows for header tags */ - fcc_flen = 0; - - if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) - fcc_flen += (2*sizeof(krb5_ui_2) + 2*sizeof(krb5_int32)); - - /* Write header length */ - retval = krb5_fcc_store_ui_2(context, id, (krb5_int32)fcc_flen); - if (retval) goto done; - - if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) { - /* Write time offset tag */ - fcc_tag = FCC_TAG_DELTATIME; - fcc_taglen = 2*sizeof(krb5_int32); - - retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_tag); - if (retval) goto done; - retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_taglen); - if (retval) goto done; - retval = krb5_fcc_store_int32(context,id,os_ctx->time_offset); - if (retval) goto done; - retval = krb5_fcc_store_int32(context,id,os_ctx->usec_offset); - if (retval) goto done; - } - } - invalidate_cache(data); - goto done; - } - - /* verify a valid version number is there */ + /* write the version number */ + int cnt; + + fcc_fvno = htons(context->fcc_default_format); + data->version = context->fcc_default_format; + if ((cnt = write(f, (char *)&fcc_fvno, sizeof(fcc_fvno))) != + sizeof(fcc_fvno)) { + retval = ((cnt == -1) ? krb5_fcc_interpret(context, errno) : + KRB5_CC_IO); + goto done; + } + data->file = f; + + if (data->version == KRB5_FCC_FVNO_4) { + /* V4 of the credentials cache format allows for header tags */ + fcc_flen = 0; + + if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) + fcc_flen += (2*sizeof(krb5_ui_2) + 2*sizeof(krb5_int32)); + + /* Write header length */ + retval = krb5_fcc_store_ui_2(context, id, (krb5_int32)fcc_flen); + if (retval) goto done; + + if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) { + /* Write time offset tag */ + fcc_tag = FCC_TAG_DELTATIME; + fcc_taglen = 2*sizeof(krb5_int32); + + retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_tag); + if (retval) goto done; + retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_taglen); + if (retval) goto done; + retval = krb5_fcc_store_int32(context,id,os_ctx->time_offset); + if (retval) goto done; + retval = krb5_fcc_store_int32(context,id,os_ctx->usec_offset); + if (retval) goto done; + } + } + invalidate_cache(data); + goto done; + } + + /* verify a valid version number is there */ invalidate_cache(data); - if (read(f, (char *)&fcc_fvno, sizeof(fcc_fvno)) != sizeof(fcc_fvno)) { - retval = KRB5_CC_FORMAT; - goto done; - } - data->version = ntohs(fcc_fvno); + if (read(f, (char *)&fcc_fvno, sizeof(fcc_fvno)) != sizeof(fcc_fvno)) { + retval = KRB5_CC_FORMAT; + goto done; + } + data->version = ntohs(fcc_fvno); if ((data->version != KRB5_FCC_FVNO_4) && - (data->version != KRB5_FCC_FVNO_3) && - (data->version != KRB5_FCC_FVNO_2) && - (data->version != KRB5_FCC_FVNO_1)) { - retval = KRB5_CCACHE_BADVNO; - goto done; + (data->version != KRB5_FCC_FVNO_3) && + (data->version != KRB5_FCC_FVNO_2) && + (data->version != KRB5_FCC_FVNO_1)) { + retval = KRB5_CCACHE_BADVNO; + goto done; } data->file = f; - if (data->version == KRB5_FCC_FVNO_4) { - char buf[1024]; - - if (krb5_fcc_read_ui_2(context, id, &fcc_flen) || - (fcc_flen > sizeof(buf))) - { - retval = KRB5_CC_FORMAT; - goto done; - } - - while (fcc_flen) { - if ((fcc_flen < (2 * sizeof(krb5_ui_2))) || - krb5_fcc_read_ui_2(context, id, &fcc_tag) || - krb5_fcc_read_ui_2(context, id, &fcc_taglen) || - (fcc_taglen > (fcc_flen - 2*sizeof(krb5_ui_2)))) - { - retval = KRB5_CC_FORMAT; - goto done; - } - - switch (fcc_tag) { - case FCC_TAG_DELTATIME: - if (fcc_taglen != 2*sizeof(krb5_int32)) { - retval = KRB5_CC_FORMAT; - goto done; - } - if (!(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) || - (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) - { - if (krb5_fcc_read(context, id, buf, fcc_taglen)) { - retval = KRB5_CC_FORMAT; - goto done; - } - break; - } - if (krb5_fcc_read_int32(context, id, &os_ctx->time_offset) || - krb5_fcc_read_int32(context, id, &os_ctx->usec_offset)) - { - retval = KRB5_CC_FORMAT; - goto done; - } - os_ctx->os_flags = - ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | - KRB5_OS_TOFFSET_VALID); - break; - default: - if (fcc_taglen && krb5_fcc_read(context,id,buf,fcc_taglen)) { - retval = KRB5_CC_FORMAT; - goto done; - } - break; - } - fcc_flen -= (2*sizeof(krb5_ui_2) + fcc_taglen); - } - } + if (data->version == KRB5_FCC_FVNO_4) { + char buf[1024]; + + if (krb5_fcc_read_ui_2(context, id, &fcc_flen) || + (fcc_flen > sizeof(buf))) + { + retval = KRB5_CC_FORMAT; + goto done; + } + + while (fcc_flen) { + if ((fcc_flen < (2 * sizeof(krb5_ui_2))) || + krb5_fcc_read_ui_2(context, id, &fcc_tag) || + krb5_fcc_read_ui_2(context, id, &fcc_taglen) || + (fcc_taglen > (fcc_flen - 2*sizeof(krb5_ui_2)))) + { + retval = KRB5_CC_FORMAT; + goto done; + } + + switch (fcc_tag) { + case FCC_TAG_DELTATIME: + if (fcc_taglen != 2*sizeof(krb5_int32)) { + retval = KRB5_CC_FORMAT; + goto done; + } + if (!(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) || + (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) + { + if (krb5_fcc_read(context, id, buf, fcc_taglen)) { + retval = KRB5_CC_FORMAT; + goto done; + } + break; + } + if (krb5_fcc_read_int32(context, id, &os_ctx->time_offset) || + krb5_fcc_read_int32(context, id, &os_ctx->usec_offset)) + { + retval = KRB5_CC_FORMAT; + goto done; + } + os_ctx->os_flags = + ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | + KRB5_OS_TOFFSET_VALID); + break; + default: + if (fcc_taglen && krb5_fcc_read(context,id,buf,fcc_taglen)) { + retval = KRB5_CC_FORMAT; + goto done; + } + break; + } + fcc_flen -= (2*sizeof(krb5_ui_2) + fcc_taglen); + } + } done: - if (retval) { - data->file = -1; - (void) krb5_unlock_file(context, f); - (void) close(f); - } - return retval; + if (retval) { + data->file = -1; + (void) krb5_unlock_file(context, f); + (void) close(f); + } + return retval; } static krb5_error_code krb5_fcc_skip_header(krb5_context context, krb5_ccache id) { - krb5_fcc_data *data = (krb5_fcc_data *)id->data; - krb5_error_code kret; - krb5_ui_2 fcc_flen; - - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - - fcc_lseek(data, (off_t) sizeof(krb5_ui_2), SEEK_SET); - if (data->version == KRB5_FCC_FVNO_4) { - kret = krb5_fcc_read_ui_2(context, id, &fcc_flen); - if (kret) return kret; - if(fcc_lseek(data, (off_t) fcc_flen, SEEK_CUR) < 0) - return errno; - } - return KRB5_OK; + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code kret; + krb5_ui_2 fcc_flen; + + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + + fcc_lseek(data, (off_t) sizeof(krb5_ui_2), SEEK_SET); + if (data->version == KRB5_FCC_FVNO_4) { + kret = krb5_fcc_read_ui_2(context, id, &fcc_flen); + if (kret) return kret; + if(fcc_lseek(data, (off_t) fcc_flen, SEEK_CUR) < 0) + return errno; + } + return KRB5_OK; } static krb5_error_code krb5_fcc_skip_principal(krb5_context context, krb5_ccache id) { - krb5_error_code kret; - krb5_principal princ; + krb5_error_code kret; + krb5_principal princ; - k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); + k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock); - kret = krb5_fcc_read_principal(context, id, &princ); - if (kret != KRB5_OK) - return kret; + kret = krb5_fcc_read_principal(context, id, &princ); + if (kret != KRB5_OK) + return kret; - krb5_free_principal(context, princ); - return KRB5_OK; + krb5_free_principal(context, princ); + return KRB5_OK; } @@ -1441,36 +1442,36 @@ krb5_fcc_skip_principal(krb5_context context, krb5_ccache id) static krb5_error_code KRB5_CALLCONV krb5_fcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) { - krb5_error_code kret = 0; - int reti = 0; + krb5_error_code kret = 0; + int reti = 0; - kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); - if (kret) - return kret; + kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); + if (kret) + return kret; - MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE); + MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE); #if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD) - { + { #ifdef HAVE_FCHMOD - reti = fchmod(((krb5_fcc_data *) id->data)->file, S_IREAD | S_IWRITE); + reti = fchmod(((krb5_fcc_data *) id->data)->file, S_IREAD | S_IWRITE); #else - reti = chmod(((krb5_fcc_data *) id->data)->filename, S_IREAD | S_IWRITE); + reti = chmod(((krb5_fcc_data *) id->data)->filename, S_IREAD | S_IWRITE); #endif - if (reti == -1) { - kret = krb5_fcc_interpret(context, errno); - MAYBE_CLOSE(context, id, kret); - k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); - return kret; - } - } + if (reti == -1) { + kret = krb5_fcc_interpret(context, errno); + MAYBE_CLOSE(context, id, kret); + k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); + return kret; + } + } #endif - kret = krb5_fcc_store_principal(context, id, princ); + kret = krb5_fcc_store_principal(context, id, princ); - MAYBE_CLOSE(context, id, kret); - k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); - krb5_change_cache (); - return kret; + MAYBE_CLOSE(context, id, kret); + k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); + krb5_change_cache (); + return kret; } /* @@ -1484,34 +1485,34 @@ static krb5_error_code dereference(krb5_context context, krb5_fcc_data *data) kerr = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex); if (kerr) - return kerr; + return kerr; for (fccsp = &fccs; *fccsp != NULL; fccsp = &(*fccsp)->next) - if ((*fccsp)->data == data) - break; + if ((*fccsp)->data == data) + break; assert(*fccsp != NULL); assert((*fccsp)->data == data); (*fccsp)->refcount--; if ((*fccsp)->refcount == 0) { struct fcc_set *temp; - data = (*fccsp)->data; - temp = *fccsp; - *fccsp = (*fccsp)->next; - free(temp); - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_cc_mutex_assert_unlocked(context, &data->lock); - free(data->filename); - zap(data->buf, sizeof(data->buf)); - if (data->file >= 0) { - kerr = k5_cc_mutex_lock(context, &data->lock); - if (kerr) - return kerr; - krb5_fcc_close_file(context, data); - k5_cc_mutex_unlock(context, &data->lock); - } - k5_cc_mutex_destroy(&data->lock); - free(data); + data = (*fccsp)->data; + temp = *fccsp; + *fccsp = (*fccsp)->next; + free(temp); + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_assert_unlocked(context, &data->lock); + free(data->filename); + zap(data->buf, sizeof(data->buf)); + if (data->file >= 0) { + kerr = k5_cc_mutex_lock(context, &data->lock); + if (kerr) + return kerr; + krb5_fcc_close_file(context, data); + k5_cc_mutex_unlock(context, &data->lock); + } + k5_cc_mutex_destroy(&data->lock); + free(data); } else - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); return 0; } @@ -1526,9 +1527,9 @@ static krb5_error_code dereference(krb5_context context, krb5_fcc_data *data) static krb5_error_code KRB5_CALLCONV krb5_fcc_close(krb5_context context, krb5_ccache id) { - dereference(context, (krb5_fcc_data *) id->data); - free(id); - return KRB5_OK; + dereference(context, (krb5_fcc_data *) id->data); + free(id); + return KRB5_OK; } /* @@ -1541,32 +1542,32 @@ krb5_fcc_close(krb5_context context, krb5_ccache id) static krb5_error_code KRB5_CALLCONV krb5_fcc_destroy(krb5_context context, krb5_ccache id) { - krb5_error_code kret = 0; - krb5_fcc_data *data = (krb5_fcc_data *) id->data; - register int ret; - - struct stat buf; - unsigned long i, size; - unsigned int wlen; - char zeros[BUFSIZ]; - - kret = k5_cc_mutex_lock(context, &data->lock); - if (kret) - return kret; - - if (OPENCLOSE(id)) { - invalidate_cache(data); - ret = THREEPARAMOPEN(data->filename, - O_RDWR | O_BINARY, 0); - if (ret < 0) { - kret = krb5_fcc_interpret(context, errno); - goto cleanup; - } - set_cloexec_fd(ret); - data->file = ret; - } - else - fcc_lseek(data, (off_t) 0, SEEK_SET); + krb5_error_code kret = 0; + krb5_fcc_data *data = (krb5_fcc_data *) id->data; + register int ret; + + struct stat buf; + unsigned long i, size; + unsigned int wlen; + char zeros[BUFSIZ]; + + kret = k5_cc_mutex_lock(context, &data->lock); + if (kret) + return kret; + + if (OPENCLOSE(id)) { + invalidate_cache(data); + ret = THREEPARAMOPEN(data->filename, + O_RDWR | O_BINARY, 0); + if (ret < 0) { + kret = krb5_fcc_interpret(context, errno); + goto cleanup; + } + set_cloexec_fd(ret); + data->file = ret; + } + else + fcc_lseek(data, (off_t) 0, SEEK_SET); #ifdef MSDOS_FILESYSTEM /* "disgusting bit of UNIX trivia" - that's how the writers of NFS describe @@ -1607,65 +1608,65 @@ krb5_fcc_destroy(krb5_context context, krb5_ccache id) #else /* MSDOS_FILESYSTEM */ - ret = unlink(data->filename); - if (ret < 0) { - kret = krb5_fcc_interpret(context, errno); - if (OPENCLOSE(id)) { - (void) close(((krb5_fcc_data *)id->data)->file); - data->file = -1; - kret = ret; - } - goto cleanup; - } - - ret = fstat(data->file, &buf); - if (ret < 0) { - kret = krb5_fcc_interpret(context, errno); - if (OPENCLOSE(id)) { - (void) close(((krb5_fcc_data *)id->data)->file); - data->file = -1; - } - goto cleanup; - } - - /* XXX This may not be legal XXX */ - size = (unsigned long) buf.st_size; - memset(zeros, 0, BUFSIZ); - for (i=0; i < size / BUFSIZ; i++) - if (write(data->file, zeros, BUFSIZ) < 0) { - kret = krb5_fcc_interpret(context, errno); - if (OPENCLOSE(id)) { - (void) close(((krb5_fcc_data *)id->data)->file); - data->file = -1; - } - goto cleanup; - } - - wlen = (unsigned int) (size % BUFSIZ); - if (write(data->file, zeros, wlen) < 0) { - kret = krb5_fcc_interpret(context, errno); - if (OPENCLOSE(id)) { - (void) close(((krb5_fcc_data *)id->data)->file); - data->file = -1; - } - goto cleanup; - } - - ret = close(data->file); - data->file = -1; - - if (ret) - kret = krb5_fcc_interpret(context, errno); + ret = unlink(data->filename); + if (ret < 0) { + kret = krb5_fcc_interpret(context, errno); + if (OPENCLOSE(id)) { + (void) close(((krb5_fcc_data *)id->data)->file); + data->file = -1; + kret = ret; + } + goto cleanup; + } + + ret = fstat(data->file, &buf); + if (ret < 0) { + kret = krb5_fcc_interpret(context, errno); + if (OPENCLOSE(id)) { + (void) close(((krb5_fcc_data *)id->data)->file); + data->file = -1; + } + goto cleanup; + } + + /* XXX This may not be legal XXX */ + size = (unsigned long) buf.st_size; + memset(zeros, 0, BUFSIZ); + for (i=0; i < size / BUFSIZ; i++) + if (write(data->file, zeros, BUFSIZ) < 0) { + kret = krb5_fcc_interpret(context, errno); + if (OPENCLOSE(id)) { + (void) close(((krb5_fcc_data *)id->data)->file); + data->file = -1; + } + goto cleanup; + } + + wlen = (unsigned int) (size % BUFSIZ); + if (write(data->file, zeros, wlen) < 0) { + kret = krb5_fcc_interpret(context, errno); + if (OPENCLOSE(id)) { + (void) close(((krb5_fcc_data *)id->data)->file); + data->file = -1; + } + goto cleanup; + } + + ret = close(data->file); + data->file = -1; + + if (ret) + kret = krb5_fcc_interpret(context, errno); #endif /* MSDOS_FILESYSTEM */ - cleanup: - k5_cc_mutex_unlock(context, &data->lock); - dereference(context, data); - free(id); +cleanup: + k5_cc_mutex_unlock(context, &data->lock); + dereference(context, data); + free(id); - krb5_change_cache (); - return kret; + krb5_change_cache (); + return kret; } extern const krb5_cc_ops krb5_fcc_ops; @@ -1676,109 +1677,109 @@ extern const krb5_cc_ops krb5_fcc_ops; * * Modifies: * id - * + * * Effects: * creates a file-based cred cache that will reside in the file * residual. The cache is not opened, but the filename is reserved. - * + * * Returns: * A filled in krb5_ccache structure "id". * * Errors: * KRB5_CC_NOMEM - there was insufficient memory to allocate the - * krb5_ccache. id is undefined. + * krb5_ccache. id is undefined. * permission errors */ static krb5_error_code KRB5_CALLCONV krb5_fcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) { - krb5_ccache lid; - krb5_error_code kret; - krb5_fcc_data *data; - struct fcc_set *setptr; - - kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex); - if (kret) - return kret; - for (setptr = fccs; setptr; setptr = setptr->next) { - if (!strcmp(setptr->data->filename, residual)) - break; - } - if (setptr) { - data = setptr->data; - assert(setptr->refcount != 0); - setptr->refcount++; - assert(setptr->refcount != 0); - kret = k5_cc_mutex_lock(context, &data->lock); - if (kret) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - return kret; - } - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - } else { - data = malloc(sizeof(krb5_fcc_data)); - if (data == NULL) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - return KRB5_CC_NOMEM; - } - data->filename = strdup(residual); - if (data->filename == NULL) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - free(data); - return KRB5_CC_NOMEM; - } - kret = k5_cc_mutex_init(&data->lock); - if (kret) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - free(data->filename); - free(data); - return kret; - } - kret = k5_cc_mutex_lock(context, &data->lock); - if (kret) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_cc_mutex_destroy(&data->lock); - free(data->filename); - free(data); - return kret; - } - /* data->version,mode filled in for real later */ - data->version = data->mode = 0; - data->flags = KRB5_TC_OPENCLOSE; - data->file = -1; - data->valid_bytes = 0; - setptr = malloc(sizeof(struct fcc_set)); - if (setptr == NULL) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_cc_mutex_unlock(context, &data->lock); - k5_cc_mutex_destroy(&data->lock); - free(data->filename); - free(data); - return KRB5_CC_NOMEM; - } - setptr->refcount = 1; - setptr->data = data; - setptr->next = fccs; - fccs = setptr; - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - } - - k5_cc_mutex_assert_locked(context, &data->lock); - k5_cc_mutex_unlock(context, &data->lock); - lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); - if (lid == NULL) { - dereference(context, data); - return KRB5_CC_NOMEM; - } - - lid->ops = &krb5_fcc_ops; - lid->data = data; - lid->magic = KV5M_CCACHE; - - /* other routines will get errors on open, and callers must expect them, - if cache is non-existent/unusable */ - *id = lid; - return KRB5_OK; + krb5_ccache lid; + krb5_error_code kret; + krb5_fcc_data *data; + struct fcc_set *setptr; + + kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex); + if (kret) + return kret; + for (setptr = fccs; setptr; setptr = setptr->next) { + if (!strcmp(setptr->data->filename, residual)) + break; + } + if (setptr) { + data = setptr->data; + assert(setptr->refcount != 0); + setptr->refcount++; + assert(setptr->refcount != 0); + kret = k5_cc_mutex_lock(context, &data->lock); + if (kret) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + return kret; + } + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + } else { + data = malloc(sizeof(krb5_fcc_data)); + if (data == NULL) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + return KRB5_CC_NOMEM; + } + data->filename = strdup(residual); + if (data->filename == NULL) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + free(data); + return KRB5_CC_NOMEM; + } + kret = k5_cc_mutex_init(&data->lock); + if (kret) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + free(data->filename); + free(data); + return kret; + } + kret = k5_cc_mutex_lock(context, &data->lock); + if (kret) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_destroy(&data->lock); + free(data->filename); + free(data); + return kret; + } + /* data->version,mode filled in for real later */ + data->version = data->mode = 0; + data->flags = KRB5_TC_OPENCLOSE; + data->file = -1; + data->valid_bytes = 0; + setptr = malloc(sizeof(struct fcc_set)); + if (setptr == NULL) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_unlock(context, &data->lock); + k5_cc_mutex_destroy(&data->lock); + free(data->filename); + free(data); + return KRB5_CC_NOMEM; + } + setptr->refcount = 1; + setptr->data = data; + setptr->next = fccs; + fccs = setptr; + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + } + + k5_cc_mutex_assert_locked(context, &data->lock); + k5_cc_mutex_unlock(context, &data->lock); + lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); + if (lid == NULL) { + dereference(context, data); + return KRB5_CC_NOMEM; + } + + lid->ops = &krb5_fcc_ops; + lid->data = data; + lid->magic = KV5M_CCACHE; + + /* other routines will get errors on open, and callers must expect them, + if cache is non-existent/unusable */ + *id = lid; + return KRB5_OK; } /* @@ -1796,49 +1797,49 @@ krb5_fcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) */ static krb5_error_code KRB5_CALLCONV krb5_fcc_start_seq_get(krb5_context context, krb5_ccache id, - krb5_cc_cursor *cursor) + krb5_cc_cursor *cursor) { - krb5_fcc_cursor *fcursor; - krb5_error_code kret = KRB5_OK; - krb5_fcc_data *data = (krb5_fcc_data *)id->data; - - kret = k5_cc_mutex_lock(context, &data->lock); - if (kret) - return kret; - - fcursor = (krb5_fcc_cursor *) malloc(sizeof(krb5_fcc_cursor)); - if (fcursor == NULL) { - k5_cc_mutex_unlock(context, &data->lock); - return KRB5_CC_NOMEM; - } - if (OPENCLOSE(id)) { - kret = krb5_fcc_open_file(context, id, FCC_OPEN_RDONLY); - if (kret) { - free(fcursor); - k5_cc_mutex_unlock(context, &data->lock); - return kret; - } - } - - /* Make sure we start reading right after the primary principal */ - kret = krb5_fcc_skip_header(context, id); - if (kret) { - free(fcursor); - goto done; - } - kret = krb5_fcc_skip_principal(context, id); - if (kret) { - free(fcursor); - goto done; - } - - fcursor->pos = fcc_lseek(data, (off_t) 0, SEEK_CUR); - *cursor = (krb5_cc_cursor) fcursor; + krb5_fcc_cursor *fcursor; + krb5_error_code kret = KRB5_OK; + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + + kret = k5_cc_mutex_lock(context, &data->lock); + if (kret) + return kret; + + fcursor = (krb5_fcc_cursor *) malloc(sizeof(krb5_fcc_cursor)); + if (fcursor == NULL) { + k5_cc_mutex_unlock(context, &data->lock); + return KRB5_CC_NOMEM; + } + if (OPENCLOSE(id)) { + kret = krb5_fcc_open_file(context, id, FCC_OPEN_RDONLY); + if (kret) { + free(fcursor); + k5_cc_mutex_unlock(context, &data->lock); + return kret; + } + } + + /* Make sure we start reading right after the primary principal */ + kret = krb5_fcc_skip_header(context, id); + if (kret) { + free(fcursor); + goto done; + } + kret = krb5_fcc_skip_principal(context, id); + if (kret) { + free(fcursor); + goto done; + } + + fcursor->pos = fcc_lseek(data, (off_t) 0, SEEK_CUR); + *cursor = (krb5_cc_cursor) fcursor; done: - MAYBE_CLOSE(context, id, kret); - k5_cc_mutex_unlock(context, &data->lock); - return kret; + MAYBE_CLOSE(context, id, kret); + k5_cc_mutex_unlock(context, &data->lock); + return kret; } @@ -1849,7 +1850,7 @@ done: * * Modifes: * cursor, creds - * + * * Effects: * Fills in creds with the "next" credentals structure from the cache * id. The actual order the creds are returned in is arbitrary. @@ -1864,62 +1865,62 @@ done: */ static krb5_error_code KRB5_CALLCONV krb5_fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, - krb5_creds *creds) + krb5_creds *creds) { #define TCHECK(ret) if (ret != KRB5_OK) goto lose; - krb5_error_code kret; - krb5_fcc_cursor *fcursor; - krb5_int32 int32; - krb5_octet octet; - krb5_fcc_data *d = (krb5_fcc_data *) id->data; - - kret = k5_cc_mutex_lock(context, &d->lock); - if (kret) - return kret; - - memset(creds, 0, sizeof(*creds)); - MAYBE_OPEN(context, id, FCC_OPEN_RDONLY); - fcursor = (krb5_fcc_cursor *) *cursor; - - kret = (fcc_lseek(d, fcursor->pos, SEEK_SET) == (off_t) -1); - if (kret) { - kret = krb5_fcc_interpret(context, errno); - MAYBE_CLOSE(context, id, kret); - k5_cc_mutex_unlock(context, &d->lock); - return kret; - } - - kret = krb5_fcc_read_principal(context, id, &creds->client); - TCHECK(kret); - kret = krb5_fcc_read_principal(context, id, &creds->server); - TCHECK(kret); - kret = krb5_fcc_read_keyblock(context, id, &creds->keyblock); - TCHECK(kret); - kret = krb5_fcc_read_times(context, id, &creds->times); - TCHECK(kret); - kret = krb5_fcc_read_octet(context, id, &octet); - TCHECK(kret); - creds->is_skey = octet; - kret = krb5_fcc_read_int32(context, id, &int32); - TCHECK(kret); - creds->ticket_flags = int32; - kret = krb5_fcc_read_addrs(context, id, &creds->addresses); - TCHECK(kret); - kret = krb5_fcc_read_authdata(context, id, &creds->authdata); - TCHECK(kret); - kret = krb5_fcc_read_data(context, id, &creds->ticket); - TCHECK(kret); - kret = krb5_fcc_read_data(context, id, &creds->second_ticket); - TCHECK(kret); - - fcursor->pos = fcc_lseek(d, (off_t) 0, SEEK_CUR); + krb5_error_code kret; + krb5_fcc_cursor *fcursor; + krb5_int32 int32; + krb5_octet octet; + krb5_fcc_data *d = (krb5_fcc_data *) id->data; + + kret = k5_cc_mutex_lock(context, &d->lock); + if (kret) + return kret; + + memset(creds, 0, sizeof(*creds)); + MAYBE_OPEN(context, id, FCC_OPEN_RDONLY); + fcursor = (krb5_fcc_cursor *) *cursor; + + kret = (fcc_lseek(d, fcursor->pos, SEEK_SET) == (off_t) -1); + if (kret) { + kret = krb5_fcc_interpret(context, errno); + MAYBE_CLOSE(context, id, kret); + k5_cc_mutex_unlock(context, &d->lock); + return kret; + } + + kret = krb5_fcc_read_principal(context, id, &creds->client); + TCHECK(kret); + kret = krb5_fcc_read_principal(context, id, &creds->server); + TCHECK(kret); + kret = krb5_fcc_read_keyblock(context, id, &creds->keyblock); + TCHECK(kret); + kret = krb5_fcc_read_times(context, id, &creds->times); + TCHECK(kret); + kret = krb5_fcc_read_octet(context, id, &octet); + TCHECK(kret); + creds->is_skey = octet; + kret = krb5_fcc_read_int32(context, id, &int32); + TCHECK(kret); + creds->ticket_flags = int32; + kret = krb5_fcc_read_addrs(context, id, &creds->addresses); + TCHECK(kret); + kret = krb5_fcc_read_authdata(context, id, &creds->authdata); + TCHECK(kret); + kret = krb5_fcc_read_data(context, id, &creds->ticket); + TCHECK(kret); + kret = krb5_fcc_read_data(context, id, &creds->second_ticket); + TCHECK(kret); + + fcursor->pos = fcc_lseek(d, (off_t) 0, SEEK_CUR); lose: - MAYBE_CLOSE (context, id, kret); - k5_cc_mutex_unlock(context, &d->lock); - if (kret != KRB5_OK) - krb5_free_cred_contents(context, creds); - return kret; + MAYBE_CLOSE (context, id, kret); + k5_cc_mutex_unlock(context, &d->lock); + if (kret != KRB5_OK) + krb5_free_cred_contents(context, creds); + return kret; } /* @@ -1938,15 +1939,15 @@ lose: static krb5_error_code KRB5_CALLCONV krb5_fcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { - /* We don't do anything with the file cache itself, so - no need to lock anything. */ - - /* don't close; it may be left open by the caller, - and if not, fcc_start_seq_get and/or fcc_next_cred will do the - MAYBE_CLOSE. - MAYBE_CLOSE(context, id, kret); */ - free((krb5_fcc_cursor *) *cursor); - return 0; + /* We don't do anything with the file cache itself, so + no need to lock anything. */ + + /* don't close; it may be left open by the caller, + and if not, fcc_start_seq_get and/or fcc_next_cred will do the + MAYBE_CLOSE. + MAYBE_CLOSE(context, id, kret); */ + free((krb5_fcc_cursor *) *cursor); + return 0; } @@ -1955,184 +1956,184 @@ krb5_fcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *curso * Creates a new file cred cache whose name is guaranteed to be * unique. The name begins with the string TKT_ROOT (from fcc.h). * The cache is not opened, but the new filename is reserved. - * + * * Returns: * The filled in krb5_ccache id. * * Errors: * KRB5_CC_NOMEM - there was insufficient memory to allocate the - * krb5_ccache. id is undefined. + * krb5_ccache. id is undefined. * system errors (from open) */ static krb5_error_code KRB5_CALLCONV krb5_fcc_generate_new (krb5_context context, krb5_ccache *id) { - krb5_ccache lid; - int ret; - krb5_error_code kret = 0; - char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for - NUL */ - krb5_fcc_data *data; - krb5_int16 fcc_fvno = htons(context->fcc_default_format); - krb5_int16 fcc_flen = 0; - int errsave, cnt; - struct fcc_set *setptr; - - /* Set master lock */ - kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex); - if (kret) - return kret; - - (void) snprintf(scratch, sizeof(scratch), "%sXXXXXX", TKT_ROOT); - ret = mkstemp(scratch); - if (ret == -1) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - return krb5_fcc_interpret(context, errno); - } - set_cloexec_fd(ret); - - /* Allocate memory */ - data = (krb5_pointer) malloc(sizeof(krb5_fcc_data)); - if (data == NULL) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - close(ret); - unlink(scratch); - return KRB5_CC_NOMEM; - } - - data->filename = strdup(scratch); - if (data->filename == NULL) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - free(data); - close(ret); - unlink(scratch); - return KRB5_CC_NOMEM; - } - - kret = k5_cc_mutex_init(&data->lock); - if (kret) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - free(data->filename); - free(data); - close(ret); - unlink(scratch); - return kret; - } - kret = k5_cc_mutex_lock(context, &data->lock); - if (kret) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_cc_mutex_destroy(&data->lock); - free(data->filename); - free(data); - close(ret); - unlink(scratch); - return kret; - } - - /* - * The file is initially closed at the end of this call... - */ - data->flags = 0; - data->file = -1; - data->valid_bytes = 0; - /* data->version,mode filled in for real later */ - data->version = data->mode = 0; - - - /* Ignore user's umask, set mode = 0600 */ + krb5_ccache lid; + int ret; + krb5_error_code kret = 0; + char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for + NUL */ + krb5_fcc_data *data; + krb5_int16 fcc_fvno = htons(context->fcc_default_format); + krb5_int16 fcc_flen = 0; + int errsave, cnt; + struct fcc_set *setptr; + + /* Set master lock */ + kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex); + if (kret) + return kret; + + (void) snprintf(scratch, sizeof(scratch), "%sXXXXXX", TKT_ROOT); + ret = mkstemp(scratch); + if (ret == -1) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + return krb5_fcc_interpret(context, errno); + } + set_cloexec_fd(ret); + + /* Allocate memory */ + data = (krb5_pointer) malloc(sizeof(krb5_fcc_data)); + if (data == NULL) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + close(ret); + unlink(scratch); + return KRB5_CC_NOMEM; + } + + data->filename = strdup(scratch); + if (data->filename == NULL) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + free(data); + close(ret); + unlink(scratch); + return KRB5_CC_NOMEM; + } + + kret = k5_cc_mutex_init(&data->lock); + if (kret) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + free(data->filename); + free(data); + close(ret); + unlink(scratch); + return kret; + } + kret = k5_cc_mutex_lock(context, &data->lock); + if (kret) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_destroy(&data->lock); + free(data->filename); + free(data); + close(ret); + unlink(scratch); + return kret; + } + + /* + * The file is initially closed at the end of this call... + */ + data->flags = 0; + data->file = -1; + data->valid_bytes = 0; + /* data->version,mode filled in for real later */ + data->version = data->mode = 0; + + + /* Ignore user's umask, set mode = 0600 */ #ifndef HAVE_FCHMOD #ifdef HAVE_CHMOD - chmod(data->filename, S_IRUSR | S_IWUSR); + chmod(data->filename, S_IRUSR | S_IWUSR); #endif #else - fchmod(ret, S_IRUSR | S_IWUSR); + fchmod(ret, S_IRUSR | S_IWUSR); #endif - if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) - != sizeof(fcc_fvno)) { - errsave = errno; - (void) close(ret); - (void) unlink(data->filename); - kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; - goto err_out; - } - /* For version 4 we save a length for the rest of the header */ - if (context->fcc_default_format == KRB5_FCC_FVNO_4) { - if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) - != sizeof(fcc_flen)) { - errsave = errno; - (void) close(ret); - (void) unlink(data->filename); - kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; - goto err_out; - } - } - if (close(ret) == -1) { - errsave = errno; - (void) unlink(data->filename); - kret = krb5_fcc_interpret(context, errsave); - goto err_out; - } - - - setptr = malloc(sizeof(struct fcc_set)); - if (setptr == NULL) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_cc_mutex_unlock(context, &data->lock); - k5_cc_mutex_destroy(&data->lock); - free(data->filename); - free(data); - (void) close(ret); - (void) unlink(scratch); - return KRB5_CC_NOMEM; - } - setptr->refcount = 1; - setptr->data = data; - setptr->next = fccs; - fccs = setptr; - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - - k5_cc_mutex_assert_locked(context, &data->lock); - k5_cc_mutex_unlock(context, &data->lock); - lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); - if (lid == NULL) { - dereference(context, data); - return KRB5_CC_NOMEM; - } - - lid->ops = &krb5_fcc_ops; - lid->data = data; - lid->magic = KV5M_CCACHE; - - /* default to open/close on every trn - otherwise destroy - will get as to state confused */ - ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; - - *id = lid; - - - krb5_change_cache (); - return KRB5_OK; + if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) + != sizeof(fcc_fvno)) { + errsave = errno; + (void) close(ret); + (void) unlink(data->filename); + kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; + goto err_out; + } + /* For version 4 we save a length for the rest of the header */ + if (context->fcc_default_format == KRB5_FCC_FVNO_4) { + if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) + != sizeof(fcc_flen)) { + errsave = errno; + (void) close(ret); + (void) unlink(data->filename); + kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; + goto err_out; + } + } + if (close(ret) == -1) { + errsave = errno; + (void) unlink(data->filename); + kret = krb5_fcc_interpret(context, errsave); + goto err_out; + } + + + setptr = malloc(sizeof(struct fcc_set)); + if (setptr == NULL) { + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_unlock(context, &data->lock); + k5_cc_mutex_destroy(&data->lock); + free(data->filename); + free(data); + (void) close(ret); + (void) unlink(scratch); + return KRB5_CC_NOMEM; + } + setptr->refcount = 1; + setptr->data = data; + setptr->next = fccs; + fccs = setptr; + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + + k5_cc_mutex_assert_locked(context, &data->lock); + k5_cc_mutex_unlock(context, &data->lock); + lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); + if (lid == NULL) { + dereference(context, data); + return KRB5_CC_NOMEM; + } + + lid->ops = &krb5_fcc_ops; + lid->data = data; + lid->magic = KV5M_CCACHE; + + /* default to open/close on every trn - otherwise destroy + will get as to state confused */ + ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; + + *id = lid; + + + krb5_change_cache (); + return KRB5_OK; err_out: - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_cc_mutex_unlock(context, &data->lock); - k5_cc_mutex_destroy(&data->lock); - free(data->filename); - free(data); - return kret; + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_cc_mutex_unlock(context, &data->lock); + k5_cc_mutex_destroy(&data->lock); + free(data->filename); + free(data); + return kret; } /* * Requires: * id is a file credential cache - * + * * Returns: * The name of the file cred cache id. */ static const char * KRB5_CALLCONV krb5_fcc_get_name (krb5_context context, krb5_ccache id) { - return (char *) ((krb5_fcc_data *) id->data)->filename; + return (char *) ((krb5_fcc_data *) id->data)->filename; } /* @@ -2151,31 +2152,31 @@ krb5_fcc_get_name (krb5_context context, krb5_ccache id) static krb5_error_code KRB5_CALLCONV krb5_fcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ) { - krb5_error_code kret = KRB5_OK; + krb5_error_code kret = KRB5_OK; + + kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); + if (kret) + return kret; - kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); - if (kret) - return kret; + MAYBE_OPEN(context, id, FCC_OPEN_RDONLY); - MAYBE_OPEN(context, id, FCC_OPEN_RDONLY); - - /* make sure we're beyond the header */ - kret = krb5_fcc_skip_header(context, id); - if (kret) goto done; - kret = krb5_fcc_read_principal(context, id, princ); + /* make sure we're beyond the header */ + kret = krb5_fcc_skip_header(context, id); + if (kret) goto done; + kret = krb5_fcc_read_principal(context, id, princ); done: - MAYBE_CLOSE(context, id, kret); - k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); - return kret; + MAYBE_CLOSE(context, id, kret); + k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); + return kret; } - + static krb5_error_code KRB5_CALLCONV krb5_fcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds) { return krb5_cc_retrieve_cred_default (context, id, whichfields, - mcreds, creds); + mcreds, creds); } @@ -2194,55 +2195,55 @@ static krb5_error_code KRB5_CALLCONV krb5_fcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) { #define TCHECK(ret) if (ret != KRB5_OK) goto lose; - krb5_error_code ret; - - ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); - if (ret) - return ret; - - /* Make sure we are writing to the end of the file */ - MAYBE_OPEN(context, id, FCC_OPEN_RDWR); - - /* Make sure we are writing to the end of the file */ - ret = fcc_lseek((krb5_fcc_data *) id->data, (off_t) 0, SEEK_END); - if (ret < 0) { - MAYBE_CLOSE_IGNORE(context, id); - k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); - return krb5_fcc_interpret(context, errno); - } - - ret = krb5_fcc_store_principal(context, id, creds->client); - TCHECK(ret); - ret = krb5_fcc_store_principal(context, id, creds->server); - TCHECK(ret); - ret = krb5_fcc_store_keyblock(context, id, &creds->keyblock); - TCHECK(ret); - ret = krb5_fcc_store_times(context, id, &creds->times); - TCHECK(ret); - ret = krb5_fcc_store_octet(context, id, (krb5_int32) creds->is_skey); - TCHECK(ret); - ret = krb5_fcc_store_int32(context, id, creds->ticket_flags); - TCHECK(ret); - ret = krb5_fcc_store_addrs(context, id, creds->addresses); - TCHECK(ret); - ret = krb5_fcc_store_authdata(context, id, creds->authdata); - TCHECK(ret); - ret = krb5_fcc_store_data(context, id, &creds->ticket); - TCHECK(ret); - ret = krb5_fcc_store_data(context, id, &creds->second_ticket); - TCHECK(ret); + krb5_error_code ret; + + ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); + if (ret) + return ret; + + /* Make sure we are writing to the end of the file */ + MAYBE_OPEN(context, id, FCC_OPEN_RDWR); + + /* Make sure we are writing to the end of the file */ + ret = fcc_lseek((krb5_fcc_data *) id->data, (off_t) 0, SEEK_END); + if (ret < 0) { + MAYBE_CLOSE_IGNORE(context, id); + k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); + return krb5_fcc_interpret(context, errno); + } + + ret = krb5_fcc_store_principal(context, id, creds->client); + TCHECK(ret); + ret = krb5_fcc_store_principal(context, id, creds->server); + TCHECK(ret); + ret = krb5_fcc_store_keyblock(context, id, &creds->keyblock); + TCHECK(ret); + ret = krb5_fcc_store_times(context, id, &creds->times); + TCHECK(ret); + ret = krb5_fcc_store_octet(context, id, (krb5_int32) creds->is_skey); + TCHECK(ret); + ret = krb5_fcc_store_int32(context, id, creds->ticket_flags); + TCHECK(ret); + ret = krb5_fcc_store_addrs(context, id, creds->addresses); + TCHECK(ret); + ret = krb5_fcc_store_authdata(context, id, creds->authdata); + TCHECK(ret); + ret = krb5_fcc_store_data(context, id, &creds->ticket); + TCHECK(ret); + ret = krb5_fcc_store_data(context, id, &creds->second_ticket); + TCHECK(ret); lose: - MAYBE_CLOSE(context, id, ret); - k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); - krb5_change_cache (); - return ret; + MAYBE_CLOSE(context, id, ret); + k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); + krb5_change_cache (); + return ret; #undef TCHECK } -/* +/* * Non-functional stub implementation for krb5_fcc_remove - * + * * Errors: * KRB5_CC_NOSUPP - not implemented */ @@ -2260,7 +2261,7 @@ krb5_fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, * * Modifies: * id - * + * * Effects: * Sets the operational flags of id to flags. */ @@ -2271,18 +2272,18 @@ krb5_fcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); if (ret) - return ret; + return ret; /* XXX This should check for illegal combinations, if any.. */ if (flags & KRB5_TC_OPENCLOSE) { - /* asking to turn on OPENCLOSE mode */ - if (!OPENCLOSE(id) - /* XXX Is this test necessary? */ - && ((krb5_fcc_data *) id->data)->file != NO_FILE) + /* asking to turn on OPENCLOSE mode */ + if (!OPENCLOSE(id) + /* XXX Is this test necessary? */ + && ((krb5_fcc_data *) id->data)->file != NO_FILE) (void) krb5_fcc_close_file (context, ((krb5_fcc_data *) id->data)); } else { - /* asking to turn off OPENCLOSE mode, meaning it must be - left open. We open if it's not yet open */ + /* asking to turn off OPENCLOSE mode, meaning it must be + left open. We open if it's not yet open */ MAYBE_OPEN(context, id, FCC_OPEN_RDONLY); } @@ -2298,7 +2299,7 @@ krb5_fcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) * * Modifies: * id (mutex only; temporary) - * + * * Effects: * Returns the operational flags of id. */ @@ -2309,7 +2310,7 @@ krb5_fcc_get_flags(krb5_context context, krb5_ccache id, krb5_flags *flags) ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock); if (ret) - return ret; + return ret; *flags = ((krb5_fcc_data *) id->data)->flags; k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock); return ret; @@ -2321,9 +2322,9 @@ krb5_fcc_ptcursor_new(krb5_context context, krb5_cc_ptcursor *cursor) krb5_error_code ret = 0; krb5_cc_ptcursor n = NULL; struct krb5_fcc_ptcursor_data *cdata = NULL; - + *cursor = NULL; - + n = malloc(sizeof(*n)); if (n == NULL) return ENOMEM; @@ -2341,11 +2342,11 @@ krb5_fcc_ptcursor_new(krb5_context context, krb5_cc_ptcursor *cursor) ret = k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); if (ret) goto errout; - + errout: - if (ret) { - krb5_fcc_ptcursor_free(context, &n); - } + if (ret) { + krb5_fcc_ptcursor_free(context, &n); + } *cursor = n; return ret; } @@ -2358,39 +2359,39 @@ krb5_fcc_ptcursor_next(krb5_context context, krb5_error_code ret = 0; struct krb5_fcc_ptcursor_data *cdata = NULL; krb5_ccache n; - + *ccache = NULL; n = malloc(sizeof(*n)); if (n == NULL) return ENOMEM; - + cdata = cursor->data; ret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex); if (ret) goto errout; - + if (cdata->cur == NULL) { k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); free(n); n = NULL; goto errout; } - + n->ops = &krb5_fcc_ops; n->data = cdata->cur->data; cdata->cur->refcount++; - + cdata->cur = cdata->cur->next; - + ret = k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); if (ret) goto errout; errout: - if (ret && n != NULL) { - free(n); - n = NULL; - } + if (ret && n != NULL) { + free(n); + n = NULL; + } *ccache = n; return ret; } @@ -2411,14 +2412,14 @@ krb5_fcc_ptcursor_free(krb5_context context, /* * Modifies: * change_time - * + * * Effects: * Returns the timestamp of id's file modification date. * If an error occurs, change_time is set to 0. */ static krb5_error_code KRB5_CALLCONV krb5_fcc_last_change_time(krb5_context context, krb5_ccache id, - krb5_timestamp *change_time) + krb5_timestamp *change_time) { krb5_error_code kret = KRB5_OK; krb5_fcc_data *data = (krb5_fcc_data *) id->data; @@ -2429,7 +2430,7 @@ krb5_fcc_last_change_time(krb5_context context, krb5_ccache id, } static krb5_error_code KRB5_CALLCONV krb5_fcc_lock(krb5_context context, - krb5_ccache id) + krb5_ccache id) { krb5_error_code ret = 0; krb5_fcc_data *data = (krb5_fcc_data *) id->data; @@ -2438,7 +2439,7 @@ static krb5_error_code KRB5_CALLCONV krb5_fcc_lock(krb5_context context, } static krb5_error_code KRB5_CALLCONV krb5_fcc_unlock(krb5_context context, - krb5_ccache id) + krb5_ccache id) { krb5_error_code ret = 0; krb5_fcc_data *data = (krb5_fcc_data *) id->data; @@ -2448,7 +2449,7 @@ static krb5_error_code KRB5_CALLCONV krb5_fcc_unlock(krb5_context context, static krb5_error_code krb5_fcc_data_last_change_time(krb5_context context, krb5_fcc_data *data, - krb5_timestamp *change_time) + krb5_timestamp *change_time) { krb5_error_code kret = KRB5_OK; register int ret; @@ -2480,8 +2481,8 @@ krb5_fcc_interpret(krb5_context context, int errnum) register krb5_error_code retval; switch (errnum) { case ENOENT: - retval = KRB5_FCC_NOFILE; - break; + retval = KRB5_FCC_NOFILE; + break; case EPERM: case EACCES: #ifdef EISDIR @@ -2496,10 +2497,10 @@ krb5_fcc_interpret(krb5_context context, int errnum) #endif case EBUSY: case EROFS: - retval = KRB5_FCC_PERM; - break; + retval = KRB5_FCC_PERM; + break; case EINVAL: - case EEXIST: /* XXX */ + case EEXIST: /* XXX */ case EFAULT: case EBADF: #ifdef ENAMETOOLONG @@ -2508,8 +2509,8 @@ krb5_fcc_interpret(krb5_context context, int errnum) #ifdef EWOULDBLOCK case EWOULDBLOCK: #endif - retval = KRB5_FCC_INTERNAL; - break; + retval = KRB5_FCC_INTERNAL; + break; #ifdef EDQUOT case EDQUOT: #endif @@ -2519,40 +2520,40 @@ krb5_fcc_interpret(krb5_context context, int errnum) case EMFILE: case ENXIO: default: - retval = KRB5_CC_IO; /* XXX */ - krb5_set_error_message(context, retval, - "Credentials cache I/O operation failed (%s)", - strerror(errnum)); + retval = KRB5_CC_IO; /* XXX */ + krb5_set_error_message(context, retval, + "Credentials cache I/O operation failed (%s)", + strerror(errnum)); } return retval; } const krb5_cc_ops krb5_fcc_ops = { - 0, - "FILE", - krb5_fcc_get_name, - krb5_fcc_resolve, - krb5_fcc_generate_new, - krb5_fcc_initialize, - krb5_fcc_destroy, - krb5_fcc_close, - krb5_fcc_store, - krb5_fcc_retrieve, - krb5_fcc_get_principal, - krb5_fcc_start_seq_get, - krb5_fcc_next_cred, - krb5_fcc_end_seq_get, - krb5_fcc_remove_cred, - krb5_fcc_set_flags, - krb5_fcc_get_flags, - krb5_fcc_ptcursor_new, - krb5_fcc_ptcursor_next, - krb5_fcc_ptcursor_free, - NULL, /* move */ - krb5_fcc_last_change_time, - NULL, /* wasdefault */ - krb5_fcc_lock, - krb5_fcc_unlock, + 0, + "FILE", + krb5_fcc_get_name, + krb5_fcc_resolve, + krb5_fcc_generate_new, + krb5_fcc_initialize, + krb5_fcc_destroy, + krb5_fcc_close, + krb5_fcc_store, + krb5_fcc_retrieve, + krb5_fcc_get_principal, + krb5_fcc_start_seq_get, + krb5_fcc_next_cred, + krb5_fcc_end_seq_get, + krb5_fcc_remove_cred, + krb5_fcc_set_flags, + krb5_fcc_get_flags, + krb5_fcc_ptcursor_new, + krb5_fcc_ptcursor_next, + krb5_fcc_ptcursor_free, + NULL, /* move */ + krb5_fcc_last_change_time, + NULL, /* wasdefault */ + krb5_fcc_lock, + krb5_fcc_unlock, }; #if defined(_WIN32) @@ -2561,10 +2562,10 @@ const krb5_cc_ops krb5_fcc_ops = { * A notification message is is posted out to all top level * windows so that they may recheck the cache based on the * changes made. We register a unique message type with which - * we'll communicate to all other processes. + * we'll communicate to all other processes. */ -krb5_error_code +krb5_error_code krb5_change_cache (void) { PostMessage(HWND_BROADCAST, krb5_get_notification_message(), 0, 0); @@ -2597,29 +2598,29 @@ krb5_get_notification_message (void) #endif /* _WIN32 */ const krb5_cc_ops krb5_cc_file_ops = { - 0, - "FILE", - krb5_fcc_get_name, - krb5_fcc_resolve, - krb5_fcc_generate_new, - krb5_fcc_initialize, - krb5_fcc_destroy, - krb5_fcc_close, - krb5_fcc_store, - krb5_fcc_retrieve, - krb5_fcc_get_principal, - krb5_fcc_start_seq_get, - krb5_fcc_next_cred, - krb5_fcc_end_seq_get, - krb5_fcc_remove_cred, - krb5_fcc_set_flags, - krb5_fcc_get_flags, - krb5_fcc_ptcursor_new, - krb5_fcc_ptcursor_next, - krb5_fcc_ptcursor_free, - NULL, /* move */ - krb5_fcc_last_change_time, - NULL, /* wasdefault */ - krb5_fcc_lock, - krb5_fcc_unlock, + 0, + "FILE", + krb5_fcc_get_name, + krb5_fcc_resolve, + krb5_fcc_generate_new, + krb5_fcc_initialize, + krb5_fcc_destroy, + krb5_fcc_close, + krb5_fcc_store, + krb5_fcc_retrieve, + krb5_fcc_get_principal, + krb5_fcc_start_seq_get, + krb5_fcc_next_cred, + krb5_fcc_end_seq_get, + krb5_fcc_remove_cred, + krb5_fcc_set_flags, + krb5_fcc_get_flags, + krb5_fcc_ptcursor_new, + krb5_fcc_ptcursor_next, + krb5_fcc_ptcursor_free, + NULL, /* move */ + krb5_fcc_last_change_time, + NULL, /* wasdefault */ + krb5_fcc_lock, + krb5_fcc_unlock, }; diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c index 9353fd497..9841ed5fc 100644 --- a/src/lib/krb5/ccache/cc_keyring.c +++ b/src/lib/krb5/ccache/cc_keyring.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/cc_keyring.c * @@ -40,7 +41,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -61,13 +62,13 @@ * * Some assumptions: * - * - A credentials cache "file" == a keyring with separate keys - * for the information in the ccache (see below) - * - A credentials cache keyring will contain only keys, - * not other keyrings - * - Each Kerberos ticket will have its own key within the ccache keyring - * - The principal information for the ccache is stored in a - * special key, which is not counted in the 'numkeys' count + * - A credentials cache "file" == a keyring with separate keys + * for the information in the ccache (see below) + * - A credentials cache keyring will contain only keys, + * not other keyrings + * - Each Kerberos ticket will have its own key within the ccache keyring + * - The principal information for the ccache is stored in a + * special key, which is not counted in the 'numkeys' count */ #include "cc-int.h" @@ -78,24 +79,24 @@ #include #ifdef DEBUG -#define KRCC_DEBUG 1 +#define KRCC_DEBUG 1 #endif #if KRCC_DEBUG -void debug_print(char *fmt, ...); /* prototype to silence warning */ +void debug_print(char *fmt, ...); /* prototype to silence warning */ #include #define DEBUG_PRINT(x) debug_print x void debug_print(char *fmt, ...) { - va_list ap; - va_start(ap, fmt); + va_list ap; + va_start(ap, fmt); #ifdef DEBUG_STDERR - vfprintf(stderr, fmt, ap); + vfprintf(stderr, fmt, ap); #else - vsyslog(LOG_ERR, fmt, ap); + vsyslog(LOG_ERR, fmt, ap); #endif - va_end(ap); + va_end(ap); } #else #define DEBUG_PRINT(x) @@ -145,9 +146,9 @@ debug_print(char *fmt, ...) /* Hopefully big enough to hold a serialized credential */ #define GUESS_CRED_SIZE 4096 -#define ALLOC(NUM,TYPE) \ - (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \ - ? (TYPE *) calloc((NUM), sizeof(TYPE)) \ +#define ALLOC(NUM,TYPE) \ + (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \ + ? (TYPE *) calloc((NUM), sizeof(TYPE)) \ : (errno = ENOMEM,(TYPE *) 0)) #define CHECK_N_GO(ret, errdest) if (ret != KRB5_OK) goto errdest @@ -155,9 +156,9 @@ debug_print(char *fmt, ...) #define CHECK_OUT(ret) if (ret != KRB5_OK) return ret typedef struct krb5_krcc_ring_ids { - key_serial_t session; - key_serial_t process; - key_serial_t thread; + key_serial_t session; + key_serial_t process; + key_serial_t thread; } krb5_krcc_ring_ids_t; typedef struct _krb5_krcc_cursor @@ -176,13 +177,13 @@ typedef struct _krb5_krcc_cursor */ typedef struct _krb5_krcc_data { - char *name; /* Name for this credentials cache */ - k5_cc_mutex lock; /* synchronization */ - key_serial_t parent_id; /* parent keyring of this ccache keyring */ - key_serial_t ring_id; /* keyring representing ccache */ - key_serial_t princ_id; /* key holding principal info */ - int numkeys; /* # of keys in this ring - * (does NOT include principal info) */ + char *name; /* Name for this credentials cache */ + k5_cc_mutex lock; /* synchronization */ + key_serial_t parent_id; /* parent keyring of this ccache keyring */ + key_serial_t ring_id; /* keyring representing ccache */ + key_serial_t princ_id; /* key holding principal info */ + int numkeys; /* # of keys in this ring + * (does NOT include principal info) */ krb5_timestamp changetime; } krb5_krcc_data; @@ -203,154 +204,154 @@ k5_cc_mutex krb5int_krcc_mutex = K5_CC_MUTEX_PARTIAL_INITIALIZER; extern const krb5_cc_ops krb5_krcc_ops; static const char *KRB5_CALLCONV krb5_krcc_get_name - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_krcc_resolve - (krb5_context, krb5_ccache * id, const char *residual); +(krb5_context, krb5_ccache * id, const char *residual); static krb5_error_code KRB5_CALLCONV krb5_krcc_generate_new - (krb5_context, krb5_ccache * id); +(krb5_context, krb5_ccache * id); static krb5_error_code KRB5_CALLCONV krb5_krcc_initialize - (krb5_context, krb5_ccache id, krb5_principal princ); +(krb5_context, krb5_ccache id, krb5_principal princ); static krb5_error_code KRB5_CALLCONV krb5_krcc_destroy - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_krcc_close - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_krcc_store - (krb5_context, krb5_ccache id, krb5_creds * creds); +(krb5_context, krb5_ccache id, krb5_creds * creds); static krb5_error_code KRB5_CALLCONV krb5_krcc_retrieve - (krb5_context, krb5_ccache id, krb5_flags whichfields, - krb5_creds * mcreds, krb5_creds * creds); +(krb5_context, krb5_ccache id, krb5_flags whichfields, + krb5_creds * mcreds, krb5_creds * creds); static krb5_error_code KRB5_CALLCONV krb5_krcc_get_principal - (krb5_context, krb5_ccache id, krb5_principal * princ); +(krb5_context, krb5_ccache id, krb5_principal * princ); static krb5_error_code KRB5_CALLCONV krb5_krcc_start_seq_get - (krb5_context, krb5_ccache id, krb5_cc_cursor * cursor); +(krb5_context, krb5_ccache id, krb5_cc_cursor * cursor); static krb5_error_code KRB5_CALLCONV krb5_krcc_next_cred - (krb5_context, krb5_ccache id, krb5_cc_cursor * cursor, - krb5_creds * creds); +(krb5_context, krb5_ccache id, krb5_cc_cursor * cursor, + krb5_creds * creds); static krb5_error_code KRB5_CALLCONV krb5_krcc_end_seq_get - (krb5_context, krb5_ccache id, krb5_cc_cursor * cursor); +(krb5_context, krb5_ccache id, krb5_cc_cursor * cursor); static krb5_error_code KRB5_CALLCONV krb5_krcc_remove_cred - (krb5_context context, krb5_ccache cache, krb5_flags flags, - krb5_creds * creds); +(krb5_context context, krb5_ccache cache, krb5_flags flags, + krb5_creds * creds); static krb5_error_code KRB5_CALLCONV krb5_krcc_set_flags - (krb5_context, krb5_ccache id, krb5_flags flags); +(krb5_context, krb5_ccache id, krb5_flags flags); static krb5_error_code KRB5_CALLCONV krb5_krcc_get_flags - (krb5_context context, krb5_ccache id, krb5_flags * flags); +(krb5_context context, krb5_ccache id, krb5_flags * flags); static krb5_error_code KRB5_CALLCONV krb5_krcc_last_change_time - (krb5_context, krb5_ccache, krb5_timestamp *); +(krb5_context, krb5_ccache, krb5_timestamp *); static krb5_error_code KRB5_CALLCONV krb5_krcc_lock - (krb5_context context, krb5_ccache id); +(krb5_context context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_krcc_unlock - (krb5_context context, krb5_ccache id); +(krb5_context context, krb5_ccache id); /* * Internal utility functions */ static krb5_error_code krb5_krcc_clearcache - (krb5_context context, krb5_ccache id); +(krb5_context context, krb5_ccache id); static krb5_error_code krb5_krcc_new_data - (const char *, key_serial_t ring, key_serial_t parent_ring, - krb5_krcc_data **); +(const char *, key_serial_t ring, key_serial_t parent_ring, + krb5_krcc_data **); static krb5_error_code krb5_krcc_save_principal - (krb5_context context, krb5_ccache id, krb5_principal princ); +(krb5_context context, krb5_ccache id, krb5_principal princ); static krb5_error_code krb5_krcc_retrieve_principal - (krb5_context context, krb5_ccache id, krb5_principal * princ); +(krb5_context context, krb5_ccache id, krb5_principal * princ); static int krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p); /* Routines to parse a key from a keyring into a cred structure */ static krb5_error_code krb5_krcc_parse - (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len, - krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_cred - (krb5_context context, krb5_ccache id, krb5_creds * creds, - char *payload, int psize); +(krb5_context context, krb5_ccache id, krb5_creds * creds, + char *payload, int psize); static krb5_error_code krb5_krcc_parse_principal - (krb5_context context, krb5_ccache id, krb5_principal * princ, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_principal * princ, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_keyblock - (krb5_context context, krb5_ccache id, krb5_keyblock * keyblock, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_keyblock * keyblock, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_times - (krb5_context context, krb5_ccache id, krb5_ticket_times * t, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_ticket_times * t, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_krb5data - (krb5_context context, krb5_ccache id, krb5_data * data, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_data * data, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_int32 - (krb5_context context, krb5_ccache id, krb5_int32 * i, krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_int32 * i, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_octet - (krb5_context context, krb5_ccache id, krb5_octet * octet, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_octet * octet, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_addrs - (krb5_context context, krb5_ccache id, krb5_address *** a, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_address *** a, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_addr - (krb5_context context, krb5_ccache id, krb5_address * a, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_address * a, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_authdata - (krb5_context context, krb5_ccache id, krb5_authdata *** ad, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_authdata *** ad, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_authdatum - (krb5_context context, krb5_ccache id, krb5_authdata * ad, - krb5_krcc_bc * bc); +(krb5_context context, krb5_ccache id, krb5_authdata * ad, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_parse_ui_2 - (krb5_context, krb5_ccache id, krb5_ui_2 * i, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_ui_2 * i, krb5_krcc_bc * bc); /* Routines to unparse a cred structure into keyring key */ static krb5_error_code krb5_krcc_unparse - (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len, - krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_cred - (krb5_context context, krb5_ccache id, krb5_creds * creds, - char **datapp, unsigned int *lenptr); +(krb5_context context, krb5_ccache id, krb5_creds * creds, + char **datapp, unsigned int *lenptr); static krb5_error_code krb5_krcc_unparse_principal - (krb5_context, krb5_ccache id, krb5_principal princ, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_principal princ, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_keyblock - (krb5_context, krb5_ccache id, krb5_keyblock * keyblock, - krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_keyblock * keyblock, + krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_times - (krb5_context, krb5_ccache id, krb5_ticket_times * t, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_ticket_times * t, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_krb5data - (krb5_context, krb5_ccache id, krb5_data * data, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_data * data, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_int32 - (krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_octet - (krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_addrs - (krb5_context, krb5_ccache, krb5_address ** a, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache, krb5_address ** a, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_addr - (krb5_context, krb5_ccache, krb5_address * a, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache, krb5_address * a, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_authdata - (krb5_context, krb5_ccache, krb5_authdata ** ad, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache, krb5_authdata ** ad, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_authdatum - (krb5_context, krb5_ccache, krb5_authdata * ad, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache, krb5_authdata * ad, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_ui_4 - (krb5_context, krb5_ccache id, krb5_ui_4 i, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_ui_4 i, krb5_krcc_bc * bc); static krb5_error_code krb5_krcc_unparse_ui_2 - (krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc); +(krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc); static void krb5_krcc_update_change_time - (krb5_krcc_data *); +(krb5_krcc_data *); /* Note the following is a stub function for Linux */ extern krb5_error_code krb5_change_cache(void); @@ -363,12 +364,12 @@ static int KRB5_CALLCONV krb5_krcc_getkeycount(key_serial_t cred_ring) { int res, nkeys; - + res = keyctl_read(cred_ring, NULL, 0); if (res > 0) - nkeys = (res / sizeof(key_serial_t)) - 1; + nkeys = (res / sizeof(key_serial_t)) - 1; else - nkeys = 0; + nkeys = 0; return(nkeys); } @@ -387,7 +388,7 @@ krb5_krcc_getkeycount(key_serial_t cred_ring) static krb5_error_code KRB5_CALLCONV krb5_krcc_initialize(krb5_context context, krb5_ccache id, - krb5_principal princ) + krb5_principal princ) { krb5_error_code kret; @@ -395,15 +396,15 @@ krb5_krcc_initialize(krb5_context context, krb5_ccache id, kret = k5_cc_mutex_lock(context, &((krb5_krcc_data *) id->data)->lock); if (kret) - return kret; + return kret; kret = krb5_krcc_clearcache(context, id); if (kret != KRB5_OK) - goto out; + goto out; kret = krb5_krcc_save_principal(context, id, princ); if (kret == KRB5_OK) - krb5_change_cache(); + krb5_change_cache(); out: k5_cc_mutex_unlock(context, &((krb5_krcc_data *) id->data)->lock); @@ -462,11 +463,11 @@ krb5_krcc_clearcache(krb5_context context, krb5_ccache id) d = (krb5_krcc_data *) id->data; DEBUG_PRINT(("krb5_krcc_clearcache: ring_id %d, princ_id %d, " - "numkeys is %d\n", d->ring_id, d->princ_id, d->numkeys)); + "numkeys is %d\n", d->ring_id, d->princ_id, d->numkeys)); res = keyctl_clear(d->ring_id); if (res != 0) { - return errno; + return errno; } d->numkeys = 0; d->princ_id = 0; @@ -495,16 +496,16 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id) kret = k5_cc_mutex_lock(context, &d->lock); if (kret) - return kret; + return kret; krb5_krcc_clearcache(context, id); free(d->name); res = keyctl_unlink(d->ring_id, d->parent_id); if (res < 0) { - kret = errno; - DEBUG_PRINT(("krb5_krcc_destroy: unlinking key %d from ring %d: %s", - d->ring_id, d->parent_id, error_message(errno))); - goto cleanup; + kret = errno; + DEBUG_PRINT(("krb5_krcc_destroy: unlinking key %d from ring %d: %s", + d->ring_id, d->parent_id, error_message(errno))); + goto cleanup; } cleanup: k5_cc_mutex_unlock(context, &d->lock); @@ -553,28 +554,28 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache * id, const char *full_resid const char *residual; DEBUG_PRINT(("krb5_krcc_resolve: entered with name '%s'\n", - full_residual)); + full_residual)); res = krb5_krcc_get_ring_ids(&ids); if (res) { - kret = EINVAL; - DEBUG_PRINT(("krb5_krcc_resolve: Error getting ring id values!\n")); - return kret; + kret = EINVAL; + DEBUG_PRINT(("krb5_krcc_resolve: Error getting ring id values!\n")); + return kret; } if (strncmp(full_residual, "thread:", 7) == 0) { - residual = full_residual + 7; - ring_id = ids.thread; + residual = full_residual + 7; + ring_id = ids.thread; } else if (strncmp(full_residual, "process:", 8) == 0) { - residual = full_residual + 8; - ring_id = ids.process; + residual = full_residual + 8; + ring_id = ids.process; } else { - residual = full_residual; - ring_id = ids.session; + residual = full_residual; + ring_id = ids.session; } DEBUG_PRINT(("krb5_krcc_resolve: searching ring %d for residual '%s'\n", - ring_id, residual)); + ring_id, residual)); /* * Use keyctl_search instead of request_key. If we're supposed @@ -587,46 +588,46 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache * id, const char *full_resid */ key = keyctl_search(ring_id, KRCC_KEY_TYPE_KEYRING, residual, 0); if (key < 0) { - key = add_key(KRCC_KEY_TYPE_KEYRING, residual, NULL, 0, ring_id); - if (key < 0) { - kret = errno; - DEBUG_PRINT(("krb5_krcc_resolve: Error adding new " - "keyring '%s': %s\n", residual, strerror(errno))); - return kret; - } - DEBUG_PRINT(("krb5_krcc_resolve: new keyring '%s', " - "key %d, added to keyring %d\n", - residual, key, ring_id)); + key = add_key(KRCC_KEY_TYPE_KEYRING, residual, NULL, 0, ring_id); + if (key < 0) { + kret = errno; + DEBUG_PRINT(("krb5_krcc_resolve: Error adding new " + "keyring '%s': %s\n", residual, strerror(errno))); + return kret; + } + DEBUG_PRINT(("krb5_krcc_resolve: new keyring '%s', " + "key %d, added to keyring %d\n", + residual, key, ring_id)); } else { - DEBUG_PRINT(("krb5_krcc_resolve: found existing " - "key %d, with name '%s' in keyring %d\n", - key, residual, ring_id)); - /* Determine key containing principal information */ - pkey = keyctl_search(key, KRCC_KEY_TYPE_USER, - KRCC_SPEC_PRINC_KEYNAME, 0); - if (pkey < 0) { - DEBUG_PRINT(("krb5_krcc_resolve: Error locating principal " - "info for existing ccache in ring %d: %s\n", - key, strerror(errno))); - pkey = 0; - } - /* Determine how many keys exist */ - nkeys = krb5_krcc_getkeycount(key); + DEBUG_PRINT(("krb5_krcc_resolve: found existing " + "key %d, with name '%s' in keyring %d\n", + key, residual, ring_id)); + /* Determine key containing principal information */ + pkey = keyctl_search(key, KRCC_KEY_TYPE_USER, + KRCC_SPEC_PRINC_KEYNAME, 0); + if (pkey < 0) { + DEBUG_PRINT(("krb5_krcc_resolve: Error locating principal " + "info for existing ccache in ring %d: %s\n", + key, strerror(errno))); + pkey = 0; + } + /* Determine how many keys exist */ + nkeys = krb5_krcc_getkeycount(key); } lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); if (lid == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; kret = krb5_krcc_new_data(residual, key, ring_id, &d); if (kret) { - free(lid); - return kret; + free(lid); + return kret; } DEBUG_PRINT(("krb5_krcc_resolve: ring_id %d, princ_id %d, " - "nkeys %d\n", key, pkey, nkeys)); + "nkeys %d\n", key, pkey, nkeys)); d->princ_id = pkey; d->numkeys = nkeys; lid->ops = &krb5_krcc_ops; @@ -651,7 +652,7 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache * id, const char *full_resid */ static krb5_error_code KRB5_CALLCONV krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id, - krb5_cc_cursor * cursor) + krb5_cc_cursor * cursor) { krb5_krcc_cursor krcursor; krb5_error_code kret; @@ -664,7 +665,7 @@ krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id, d = id->data; kret = k5_cc_mutex_lock(context, &d->lock); if (kret) - return kret; + return kret; /* * Determine how many keys currently exist and update numkeys. @@ -677,19 +678,19 @@ krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id, krcursor = (krb5_krcc_cursor) malloc(size); if (krcursor == NULL) { - k5_cc_mutex_unlock(context, &d->lock); - return KRB5_CC_NOMEM; + k5_cc_mutex_unlock(context, &d->lock); + return KRB5_CC_NOMEM; } krcursor->keys = (key_serial_t *) ((char *) krcursor + sizeof(*krcursor)); res = keyctl_read(d->ring_id, (char *) krcursor->keys, - ((d->numkeys + 1) * sizeof(key_serial_t))); + ((d->numkeys + 1) * sizeof(key_serial_t))); if (res < 0 || res > ((d->numkeys + 1) * sizeof(key_serial_t))) { - DEBUG_PRINT(("Read %d bytes from keyring, numkeys %d: %s\n", - res, d->numkeys, strerror(errno))); - free(krcursor); - k5_cc_mutex_unlock(context, &d->lock); - return KRB5_CC_IO; + DEBUG_PRINT(("Read %d bytes from keyring, numkeys %d: %s\n", + res, d->numkeys, strerror(errno))); + free(krcursor); + k5_cc_mutex_unlock(context, &d->lock); + return KRB5_CC_IO; } krcursor->numkeys = d->numkeys; @@ -723,7 +724,7 @@ krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id, */ static krb5_error_code KRB5_CALLCONV krb5_krcc_next_cred(krb5_context context, krb5_ccache id, - krb5_cc_cursor * cursor, krb5_creds * creds) + krb5_cc_cursor * cursor, krb5_creds * creds) { krb5_krcc_cursor krcursor; krb5_error_code kret; @@ -738,35 +739,35 @@ krb5_krcc_next_cred(krb5_context context, krb5_ccache id, */ krcursor = (krb5_krcc_cursor) * cursor; if (krcursor == NULL) - return KRB5_CC_END; + return KRB5_CC_END; memset(creds, 0, sizeof(krb5_creds)); /* If we're pointing past the end of the keys array, there are no more */ if (krcursor->currkey > krcursor->numkeys) - return KRB5_CC_END; + return KRB5_CC_END; /* If we're pointing at the entry with the principal, skip it */ if (krcursor->keys[krcursor->currkey] == krcursor->princ_id) { - krcursor->currkey++; - /* Check if we have now reached the end */ - if (krcursor->currkey > krcursor->numkeys) - return KRB5_CC_END; + krcursor->currkey++; + /* Check if we have now reached the end */ + if (krcursor->currkey > krcursor->numkeys) + return KRB5_CC_END; } /* Read the key, the right size buffer will ba allocated and returned */ psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], &payload); if (psize == -1) { - DEBUG_PRINT(("Error reading key %d: %s\n", - krcursor->keys[krcursor->currkey], - strerror(errno))); - kret = KRB5_FCC_NOFILE; - goto freepayload; + DEBUG_PRINT(("Error reading key %d: %s\n", + krcursor->keys[krcursor->currkey], + strerror(errno))); + kret = KRB5_FCC_NOFILE; + goto freepayload; } krcursor->currkey++; kret = krb5_krcc_parse_cred(context, id, creds, payload, psize); - freepayload: +freepayload: if (payload) free(payload); return kret; } @@ -786,7 +787,7 @@ krb5_krcc_next_cred(krb5_context context, krb5_ccache id, /* ARGSUSED */ static krb5_error_code KRB5_CALLCONV krb5_krcc_end_seq_get(krb5_context context, krb5_ccache id, - krb5_cc_cursor * cursor) + krb5_cc_cursor * cursor) { DEBUG_PRINT(("krb5_krcc_end_seq_get: entered\n")); @@ -800,26 +801,26 @@ krb5_krcc_end_seq_get(krb5_context context, krb5_ccache id, Call with the global list lock held. */ static krb5_error_code krb5_krcc_new_data(const char *name, key_serial_t ring, - key_serial_t parent_ring, krb5_krcc_data ** datapp) + key_serial_t parent_ring, krb5_krcc_data ** datapp) { krb5_error_code kret; krb5_krcc_data *d; d = malloc(sizeof(krb5_krcc_data)); if (d == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; kret = k5_cc_mutex_init(&d->lock); if (kret) { - free(d); - return kret; + free(d); + return kret; } d->name = strdup(name); if (d->name == NULL) { - k5_cc_mutex_destroy(&d->lock); - free(d); - return KRB5_CC_NOMEM; + k5_cc_mutex_destroy(&d->lock); + free(d); + return KRB5_CC_NOMEM; } d->princ_id = 0; d->ring_id = ring; @@ -859,14 +860,14 @@ krb5_krcc_generate_new(krb5_context context, krb5_ccache * id) /* Allocate memory */ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); if (lid == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; lid->ops = &krb5_krcc_ops; kret = k5_cc_mutex_lock(context, &krb5int_krcc_mutex); if (kret) { - free(lid); - return kret; + free(lid); + return kret; } /* XXX These values are platform-specific and should not be here! */ @@ -889,36 +890,36 @@ krb5_krcc_generate_new(krb5_context context, krb5_ccache * id) * a unique name, or we get an error. */ while (1) { - kret = krb5int_random_string(context, uniquename, sizeof(uniquename)); + kret = krb5int_random_string(context, uniquename, sizeof(uniquename)); if (kret) { k5_cc_mutex_unlock(context, &krb5int_krcc_mutex); free(lid); return kret; - } - - DEBUG_PRINT(("krb5_krcc_generate_new: searching for name '%s'\n", - uniquename)); - key = keyctl_search(ring_id, KRCC_KEY_TYPE_KEYRING, uniquename, 0); -/*XXX*/ DEBUG_PRINT(("krb5_krcc_generate_new: after searching for '%s', key = %d, errno = %d\n", uniquename, key, errno)); - if (key < 0 && errno == ENOKEY) { - /* name does not already exist, create it to reserve the name */ - key = add_key(KRCC_KEY_TYPE_KEYRING, uniquename, NULL, 0, ring_id); - if (key < 0) { - kret = errno; - DEBUG_PRINT(("krb5_krcc_generate_new: '%s' trying to " - "create '%s'\n", strerror(errno), uniquename)); - k5_cc_mutex_unlock(context, &krb5int_krcc_mutex); - return kret; - } - break; - } + } + + DEBUG_PRINT(("krb5_krcc_generate_new: searching for name '%s'\n", + uniquename)); + key = keyctl_search(ring_id, KRCC_KEY_TYPE_KEYRING, uniquename, 0); + /*XXX*/ DEBUG_PRINT(("krb5_krcc_generate_new: after searching for '%s', key = %d, errno = %d\n", uniquename, key, errno)); + if (key < 0 && errno == ENOKEY) { + /* name does not already exist, create it to reserve the name */ + key = add_key(KRCC_KEY_TYPE_KEYRING, uniquename, NULL, 0, ring_id); + if (key < 0) { + kret = errno; + DEBUG_PRINT(("krb5_krcc_generate_new: '%s' trying to " + "create '%s'\n", strerror(errno), uniquename)); + k5_cc_mutex_unlock(context, &krb5int_krcc_mutex); + return kret; + } + break; + } } - + kret = krb5_krcc_new_data(uniquename, key, ring_id, &d); k5_cc_mutex_unlock(context, &krb5int_krcc_mutex); if (kret) { - free(lid); - return kret; + free(lid); + return kret; } lid->data = d; *id = lid; @@ -955,7 +956,7 @@ krb5_krcc_get_name(krb5_context context, krb5_ccache id) */ static krb5_error_code KRB5_CALLCONV krb5_krcc_get_principal(krb5_context context, krb5_ccache id, - krb5_principal * princ) + krb5_principal * princ) { DEBUG_PRINT(("krb5_krcc_get_principal: entered\n")); @@ -964,13 +965,13 @@ krb5_krcc_get_principal(krb5_context context, krb5_ccache id, static krb5_error_code KRB5_CALLCONV krb5_krcc_retrieve(krb5_context context, krb5_ccache id, - krb5_flags whichfields, krb5_creds * mcreds, - krb5_creds * creds) + krb5_flags whichfields, krb5_creds * mcreds, + krb5_creds * creds) { DEBUG_PRINT(("krb5_krcc_retrieve: entered\n")); return krb5_cc_retrieve_cred_default(context, id, whichfields, - mcreds, creds); + mcreds, creds); } /* @@ -981,7 +982,7 @@ krb5_krcc_retrieve(krb5_context context, krb5_ccache id, */ static krb5_error_code KRB5_CALLCONV krb5_krcc_remove_cred(krb5_context context, krb5_ccache cache, - krb5_flags flags, krb5_creds * creds) + krb5_flags flags, krb5_creds * creds) { DEBUG_PRINT(("krb5_krcc_remove_cred: entered (returning KRB5_CC_NOSUPP)\n")); @@ -1031,54 +1032,54 @@ krb5_krcc_store(krb5_context context, krb5_ccache id, krb5_creds * creds) kret = k5_cc_mutex_lock(context, &d->lock); if (kret) - return kret; + return kret; /* Get the service principal name and use it as the key name */ kret = krb5_unparse_name(context, creds->server, &keyname); if (kret) { - DEBUG_PRINT(("Error unparsing service principal name!\n")); - goto errout; + DEBUG_PRINT(("Error unparsing service principal name!\n")); + goto errout; } /* Serialize credential into memory */ kret = krb5_krcc_unparse_cred(context, id, creds, &payload, &payloadlen); if (kret != KRB5_OK) - goto errout; + goto errout; /* Add new key (credentials) into keyring */ DEBUG_PRINT(("krb5_krcc_store: adding new key '%s' to keyring %d\n", - keyname, d->ring_id)); + keyname, d->ring_id)); newkey = add_key(KRCC_KEY_TYPE_USER, keyname, payload, - payloadlen, d->ring_id); + payloadlen, d->ring_id); if (newkey < 0) { - kret = errno; - DEBUG_PRINT(("Error adding user key '%s': %s\n", - keyname, strerror(kret))); + kret = errno; + DEBUG_PRINT(("Error adding user key '%s': %s\n", + keyname, strerror(kret))); } else { - d->numkeys++; - kret = KRB5_OK; - krb5_krcc_update_change_time(d); + d->numkeys++; + kret = KRB5_OK; + krb5_krcc_update_change_time(d); } - errout: +errout: if (keyname) - krb5_free_unparsed_name(context, keyname); + krb5_free_unparsed_name(context, keyname); if (payload) - free(payload); + free(payload); k5_cc_mutex_unlock(context, &d->lock); return kret; } -static krb5_error_code KRB5_CALLCONV -krb5_krcc_last_change_time(krb5_context context, krb5_ccache id, - krb5_timestamp *change_time) +static krb5_error_code KRB5_CALLCONV +krb5_krcc_last_change_time(krb5_context context, krb5_ccache id, + krb5_timestamp *change_time) { krb5_error_code ret = 0; krb5_krcc_data *data = (krb5_krcc_data *) id->data; - + *change_time = 0; - + ret = k5_cc_mutex_lock(context, &data->lock); if (!ret) { *change_time = data->changetime; @@ -1088,7 +1089,7 @@ krb5_krcc_last_change_time(krb5_context context, krb5_ccache id, return ret; } -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_krcc_lock(krb5_context context, krb5_ccache id) { krb5_error_code ret = 0; @@ -1097,7 +1098,7 @@ krb5_krcc_lock(krb5_context context, krb5_ccache id) return ret; } -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_krcc_unlock(krb5_context context, krb5_ccache id) { krb5_error_code ret = 0; @@ -1109,7 +1110,7 @@ krb5_krcc_unlock(krb5_context context, krb5_ccache id) static krb5_error_code krb5_krcc_save_principal(krb5_context context, krb5_ccache id, - krb5_principal princ) + krb5_principal princ) { krb5_krcc_data *d; krb5_error_code kret; @@ -1124,7 +1125,7 @@ krb5_krcc_save_principal(krb5_context context, krb5_ccache id, payload = malloc(GUESS_CRED_SIZE); if (payload == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; bc.bpp = payload; bc.endp = payload + GUESS_CRED_SIZE; @@ -1136,36 +1137,36 @@ krb5_krcc_save_principal(krb5_context context, krb5_ccache id, payloadsize = bc.bpp - payload; #ifdef KRCC_DEBUG { - krb5_error_code rc; - char *princname = NULL; - rc = krb5_unparse_name(context, princ, &princname); - DEBUG_PRINT(("krb5_krcc_save_principal: adding new key '%s' " - "to keyring %d for principal '%s'\n", - KRCC_SPEC_PRINC_KEYNAME, d->ring_id, - rc ? "" : princname)); - if (rc == 0) - krb5_free_unparsed_name(context, princname); + krb5_error_code rc; + char *princname = NULL; + rc = krb5_unparse_name(context, princ, &princname); + DEBUG_PRINT(("krb5_krcc_save_principal: adding new key '%s' " + "to keyring %d for principal '%s'\n", + KRCC_SPEC_PRINC_KEYNAME, d->ring_id, + rc ? "" : princname)); + if (rc == 0) + krb5_free_unparsed_name(context, princname); } #endif newkey = add_key(KRCC_KEY_TYPE_USER, KRCC_SPEC_PRINC_KEYNAME, payload, - payloadsize, d->ring_id); + payloadsize, d->ring_id); if (newkey < 0) { - kret = errno; - DEBUG_PRINT(("Error adding principal key: %s\n", strerror(kret))); + kret = errno; + DEBUG_PRINT(("Error adding principal key: %s\n", strerror(kret))); } else { - d->princ_id = newkey; - kret = KRB5_OK; - krb5_krcc_update_change_time(d); + d->princ_id = newkey; + kret = KRB5_OK; + krb5_krcc_update_change_time(d); } - errout: +errout: free(payload); return kret; } static krb5_error_code krb5_krcc_retrieve_principal(krb5_context context, krb5_ccache id, - krb5_principal * princ) + krb5_principal * princ) { krb5_krcc_data *d = (krb5_krcc_data *) id->data; krb5_error_code kret; @@ -1175,28 +1176,28 @@ krb5_krcc_retrieve_principal(krb5_context context, krb5_ccache id, kret = k5_cc_mutex_lock(context, &d->lock); if (kret) - return kret; + return kret; if (!d->princ_id) { - princ = 0L; - kret = KRB5_FCC_NOFILE; - goto errout; + princ = 0L; + kret = KRB5_FCC_NOFILE; + goto errout; } psize = keyctl_read_alloc(d->princ_id, &payload); if (psize == -1) { - DEBUG_PRINT(("Reading principal key %d: %s\n", - d->princ_id, strerror(errno))); - kret = KRB5_CC_IO; - goto errout; + DEBUG_PRINT(("Reading principal key %d: %s\n", + d->princ_id, strerror(errno))); + kret = KRB5_CC_IO; + goto errout; } bc.bpp = payload; bc.endp = (char *)payload + psize; kret = krb5_krcc_parse_principal(context, id, princ, &bc); - errout: +errout: if (payload) - free(payload); + free(payload); k5_cc_mutex_unlock(context, &d->lock); return kret; } @@ -1212,7 +1213,7 @@ krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p) DEBUG_PRINT(("krb5_krcc_get_ring_ids: entered\n")); if (!p) - return EINVAL; + return EINVAL; /* Use the defaults in case we find no ids key */ p->session = KEY_SPEC_SESSION_KEYRING; @@ -1226,29 +1227,29 @@ krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p) */ ids_key = request_key(KRCC_KEY_TYPE_USER, KRCC_SPEC_IDS_KEYNAME, NULL, 0); if (ids_key < 0) - goto out; + goto out; DEBUG_PRINT(("krb5_krcc_get_ring_ids: processing '%s' key %d\n", - KRCC_SPEC_IDS_KEYNAME, ids_key)); + KRCC_SPEC_IDS_KEYNAME, ids_key)); /* * Read and parse the ids file */ memset(ids_buf, '\0', sizeof(ids_buf)); val = keyctl_read(ids_key, ids_buf, sizeof(ids_buf)); if (val > sizeof(ids_buf)) - goto out; + goto out; val = sscanf(ids_buf, "%d:%d:%d", &session, &process, &thread); if (val != 3) - goto out; + goto out; p->session = session; p->process = process; p->thread = thread; - out: +out: DEBUG_PRINT(("krb5_krcc_get_ring_ids: returning %d:%d:%d\n", - p->session, p->process, p->thread)); + p->session, p->process, p->thread)); return 0; } @@ -1273,12 +1274,12 @@ krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p) */ static krb5_error_code krb5_krcc_parse(krb5_context context, krb5_ccache id, krb5_pointer buf, - unsigned int len, krb5_krcc_bc * bc) + unsigned int len, krb5_krcc_bc * bc) { DEBUG_PRINT(("krb5_krcc_parse: entered\n")); if ((bc->endp == bc->bpp) || (bc->endp - bc->bpp) < len) - return KRB5_CC_END; + return KRB5_CC_END; memcpy(buf, bc->bpp, len); bc->bpp += len; @@ -1292,7 +1293,7 @@ krb5_krcc_parse(krb5_context context, krb5_ccache id, krb5_pointer buf, */ static krb5_error_code krb5_krcc_parse_cred(krb5_context context, krb5_ccache id, krb5_creds * creds, - char *payload, int psize) + char *payload, int psize) { krb5_error_code kret; krb5_octet octet; @@ -1337,27 +1338,27 @@ krb5_krcc_parse_cred(krb5_context context, krb5_ccache id, krb5_creds * creds, kret = KRB5_OK; goto out; - cleanticket: +cleanticket: memset(creds->ticket.data, 0, (unsigned) creds->ticket.length); free(creds->ticket.data); - cleanauthdata: +cleanauthdata: krb5_free_authdata(context, creds->authdata); - cleanaddrs: +cleanaddrs: krb5_free_addresses(context, creds->addresses); - cleanblock: +cleanblock: free(creds->keyblock.contents); - cleanserver: +cleanserver: krb5_free_principal(context, creds->server); - cleanclient: +cleanclient: krb5_free_principal(context, creds->client); - out: +out: return kret; } static krb5_error_code krb5_krcc_parse_principal(krb5_context context, krb5_ccache id, - krb5_principal * princ, krb5_krcc_bc * bc) + krb5_principal * princ, krb5_krcc_bc * bc) { krb5_error_code kret; register krb5_principal tmpprinc; @@ -1367,53 +1368,53 @@ krb5_krcc_parse_principal(krb5_context context, krb5_ccache id, /* Read principal type */ kret = krb5_krcc_parse_int32(context, id, &type, bc); if (kret != KRB5_OK) - return kret; + return kret; /* Read the number of components */ kret = krb5_krcc_parse_int32(context, id, &length, bc); if (kret != KRB5_OK) - return kret; + return kret; if (length < 0) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; tmpprinc = (krb5_principal) malloc(sizeof(krb5_principal_data)); if (tmpprinc == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; if (length) { - size_t msize = length; - if (msize != length) { - free(tmpprinc); - return KRB5_CC_NOMEM; - } - tmpprinc->data = ALLOC(msize, krb5_data); - if (tmpprinc->data == 0) { - free(tmpprinc); - return KRB5_CC_NOMEM; - } + size_t msize = length; + if (msize != length) { + free(tmpprinc); + return KRB5_CC_NOMEM; + } + tmpprinc->data = ALLOC(msize, krb5_data); + if (tmpprinc->data == 0) { + free(tmpprinc); + return KRB5_CC_NOMEM; + } } else - tmpprinc->data = 0; + tmpprinc->data = 0; tmpprinc->magic = KV5M_PRINCIPAL; tmpprinc->length = length; tmpprinc->type = type; kret = krb5_krcc_parse_krb5data(context, id, - krb5_princ_realm(context, tmpprinc), bc); + krb5_princ_realm(context, tmpprinc), bc); i = 0; CHECK(kret); for (i = 0; i < length; i++) { - kret = krb5_krcc_parse_krb5data(context, id, - krb5_princ_component(context, tmpprinc, - i), bc); - CHECK(kret); + kret = krb5_krcc_parse_krb5data(context, id, + krb5_princ_component(context, tmpprinc, + i), bc); + CHECK(kret); } *princ = tmpprinc; return KRB5_OK; - errout: +errout: while (--i >= 0) - free(krb5_princ_component(context, tmpprinc, i)->data); + free(krb5_princ_component(context, tmpprinc, i)->data); free(krb5_princ_realm(context, tmpprinc)->data); free(tmpprinc->data); free(tmpprinc); @@ -1422,7 +1423,7 @@ krb5_krcc_parse_principal(krb5_context context, krb5_ccache id, static krb5_error_code krb5_krcc_parse_keyblock(krb5_context context, krb5_ccache id, - krb5_keyblock * keyblock, krb5_krcc_bc * bc) + krb5_keyblock * keyblock, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_ui_2 ui2; @@ -1438,31 +1439,31 @@ krb5_krcc_parse_keyblock(krb5_context context, krb5_ccache id, kret = krb5_krcc_parse_int32(context, id, &int32, bc); CHECK(kret); if (int32 < 0) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; keyblock->length = int32; /* Overflow check. */ if (keyblock->length != int32) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; if (keyblock->length == 0) - return KRB5_OK; + return KRB5_OK; keyblock->contents = ALLOC(keyblock->length, krb5_octet); if (keyblock->contents == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; kret = krb5_krcc_parse(context, id, keyblock->contents, - keyblock->length, bc); + keyblock->length, bc); CHECK(kret); return KRB5_OK; - errout: +errout: if (keyblock->contents) - free(keyblock->contents); + free(keyblock->contents); return kret; } static krb5_error_code krb5_krcc_parse_times(krb5_context context, krb5_ccache id, - krb5_ticket_times * t, krb5_krcc_bc * bc) + krb5_ticket_times * t, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_int32 i; @@ -1484,13 +1485,13 @@ krb5_krcc_parse_times(krb5_context context, krb5_ccache id, t->renew_till = i; return 0; - errout: +errout: return kret; } static krb5_error_code krb5_krcc_parse_krb5data(krb5_context context, krb5_ccache id, - krb5_data * data, krb5_krcc_bc * bc) + krb5_data * data, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_int32 len; @@ -1501,56 +1502,56 @@ krb5_krcc_parse_krb5data(krb5_context context, krb5_ccache id, kret = krb5_krcc_parse_int32(context, id, &len, bc); CHECK(kret); if (len < 0) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; data->length = len; if (data->length != len || data->length + 1 == 0) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; if (data->length == 0) { - data->data = 0; - return KRB5_OK; + data->data = 0; + return KRB5_OK; } data->data = (char *) malloc(data->length + 1); if (data->data == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; kret = krb5_krcc_parse(context, id, data->data, (unsigned) data->length, - bc); + bc); CHECK(kret); - data->data[data->length] = 0; /* Null terminate, just in case.... */ + data->data[data->length] = 0; /* Null terminate, just in case.... */ return KRB5_OK; - errout: +errout: if (data->data) - free(data->data); + free(data->data); return kret; } static krb5_error_code krb5_krcc_parse_int32(krb5_context context, krb5_ccache id, krb5_int32 * i, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { krb5_error_code kret; unsigned char buf[4]; kret = krb5_krcc_parse(context, id, buf, 4, bc); if (kret) - return kret; + return kret; *i = load_32_be(buf); return 0; } static krb5_error_code krb5_krcc_parse_octet(krb5_context context, krb5_ccache id, krb5_octet * i, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { return krb5_krcc_parse(context, id, (krb5_pointer) i, 1, bc); } static krb5_error_code krb5_krcc_parse_addrs(krb5_context context, krb5_ccache id, - krb5_address *** addrs, krb5_krcc_bc * bc) + krb5_address *** addrs, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_int32 length; @@ -1570,31 +1571,31 @@ krb5_krcc_parse_addrs(krb5_context context, krb5_ccache id, msize = length; msize += 1; if (msize == 0 || msize - 1 != length || length < 0) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; *addrs = ALLOC(msize, krb5_address *); if (*addrs == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; for (i = 0; i < length; i++) { - (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address)); - if ((*addrs)[i] == NULL) { - krb5_free_addresses(context, *addrs); - return KRB5_CC_NOMEM; - } - kret = krb5_krcc_parse_addr(context, id, (*addrs)[i], bc); - CHECK(kret); + (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address)); + if ((*addrs)[i] == NULL) { + krb5_free_addresses(context, *addrs); + return KRB5_CC_NOMEM; + } + kret = krb5_krcc_parse_addr(context, id, (*addrs)[i], bc); + CHECK(kret); } return KRB5_OK; - errout: +errout: if (*addrs) - krb5_free_addresses(context, *addrs); + krb5_free_addresses(context, *addrs); return kret; } static krb5_error_code krb5_krcc_parse_addr(krb5_context context, krb5_ccache id, krb5_address * addr, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { krb5_error_code kret; krb5_ui_2 ui2; @@ -1609,36 +1610,36 @@ krb5_krcc_parse_addr(krb5_context context, krb5_ccache id, krb5_address * addr, kret = krb5_krcc_parse_int32(context, id, &int32, bc); CHECK(kret); - if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ - return KRB5_CC_NOMEM; + if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ + return KRB5_CC_NOMEM; addr->length = int32; /* * Length field is "unsigned int", which may be smaller * than 32 bits. */ if (addr->length != int32) - return KRB5_CC_NOMEM; /* XXX */ + return KRB5_CC_NOMEM; /* XXX */ if (addr->length == 0) - return KRB5_OK; + return KRB5_OK; addr->contents = (krb5_octet *) malloc(addr->length); if (addr->contents == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; kret = krb5_krcc_parse(context, id, addr->contents, addr->length, bc); CHECK(kret); return KRB5_OK; - errout: +errout: if (addr->contents) - free(addr->contents); + free(addr->contents); return kret; } static krb5_error_code krb5_krcc_parse_authdata(krb5_context context, krb5_ccache id, - krb5_authdata *** a, krb5_krcc_bc * bc) + krb5_authdata *** a, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_int32 length; @@ -1652,7 +1653,7 @@ krb5_krcc_parse_authdata(krb5_context context, krb5_ccache id, CHECK(kret); if (length == 0) - return KRB5_OK; + return KRB5_OK; /* * Make *a able to hold length pointers to krb5_authdata structs @@ -1661,34 +1662,34 @@ krb5_krcc_parse_authdata(krb5_context context, krb5_ccache id, msize = length; msize += 1; if (msize == 0 || msize - 1 != length || length < 0) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; *a = ALLOC(msize, krb5_authdata *); if (*a == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; for (i = 0; i < length; i++) { - (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata)); - if ((*a)[i] == NULL) { - krb5_free_authdata(context, *a); - *a = NULL; - return KRB5_CC_NOMEM; - } - kret = krb5_krcc_parse_authdatum(context, id, (*a)[i], bc); - CHECK(kret); + (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata)); + if ((*a)[i] == NULL) { + krb5_free_authdata(context, *a); + *a = NULL; + return KRB5_CC_NOMEM; + } + kret = krb5_krcc_parse_authdatum(context, id, (*a)[i], bc); + CHECK(kret); } return KRB5_OK; - errout: +errout: if (*a) { - krb5_free_authdata(context, *a); - *a = NULL; + krb5_free_authdata(context, *a); + *a = NULL; } return kret; } static krb5_error_code krb5_krcc_parse_authdatum(krb5_context context, krb5_ccache id, - krb5_authdata * a, krb5_krcc_bc * bc) + krb5_authdata * a, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_int32 int32; @@ -1702,44 +1703,44 @@ krb5_krcc_parse_authdatum(krb5_context context, krb5_ccache id, a->ad_type = (krb5_authdatatype) ui2; kret = krb5_krcc_parse_int32(context, id, &int32, bc); CHECK(kret); - if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ - return KRB5_CC_NOMEM; + if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ + return KRB5_CC_NOMEM; a->length = int32; /* * Value could have gotten truncated if int is * smaller than 32 bits. */ if (a->length != int32) - return KRB5_CC_NOMEM; /* XXX */ + return KRB5_CC_NOMEM; /* XXX */ if (a->length == 0) - return KRB5_OK; + return KRB5_OK; a->contents = (krb5_octet *) malloc(a->length); if (a->contents == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; kret = krb5_krcc_parse(context, id, a->contents, a->length, bc); CHECK(kret); return KRB5_OK; - errout: +errout: if (a->contents) - free(a->contents); + free(a->contents); return kret; } static krb5_error_code krb5_krcc_parse_ui_2(krb5_context context, krb5_ccache id, krb5_ui_2 * i, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { krb5_error_code kret; unsigned char buf[2]; kret = krb5_krcc_parse(context, id, buf, 2, bc); if (kret) - return kret; + return kret; *i = load_16_be(buf); return 0; } @@ -1758,10 +1759,10 @@ krb5_krcc_parse_ui_2(krb5_context context, krb5_ccache id, krb5_ui_2 * i, */ static krb5_error_code krb5_krcc_unparse(krb5_context context, krb5_ccache id, krb5_pointer buf, - unsigned int len, krb5_krcc_bc * bc) + unsigned int len, krb5_krcc_bc * bc) { if (bc->bpp + len > bc->endp) - return KRB5_CC_WRITE; + return KRB5_CC_WRITE; memcpy(bc->bpp, buf, len); bc->bpp += len; @@ -1771,7 +1772,7 @@ krb5_krcc_unparse(krb5_context context, krb5_ccache id, krb5_pointer buf, static krb5_error_code krb5_krcc_unparse_principal(krb5_context context, krb5_ccache id, - krb5_principal princ, krb5_krcc_bc * bc) + krb5_principal princ, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_int32 i, length, tmp, type; @@ -1786,14 +1787,14 @@ krb5_krcc_unparse_principal(krb5_context context, krb5_ccache id, CHECK_OUT(kret); kret = krb5_krcc_unparse_krb5data(context, id, - krb5_princ_realm(context, princ), bc); + krb5_princ_realm(context, princ), bc); CHECK_OUT(kret); for (i = 0; i < length; i++) { - kret = krb5_krcc_unparse_krb5data(context, id, - krb5_princ_component(context, princ, - i), bc); - CHECK_OUT(kret); + kret = krb5_krcc_unparse_krb5data(context, id, + krb5_princ_component(context, princ, + i), bc); + CHECK_OUT(kret); } return KRB5_OK; @@ -1801,7 +1802,7 @@ krb5_krcc_unparse_principal(krb5_context context, krb5_ccache id, static krb5_error_code krb5_krcc_unparse_keyblock(krb5_context context, krb5_ccache id, - krb5_keyblock * keyblock, krb5_krcc_bc * bc) + krb5_keyblock * keyblock, krb5_krcc_bc * bc) { krb5_error_code kret; @@ -1810,12 +1811,12 @@ krb5_krcc_unparse_keyblock(krb5_context context, krb5_ccache id, kret = krb5_krcc_unparse_ui_4(context, id, keyblock->length, bc); CHECK_OUT(kret); return krb5_krcc_unparse(context, id, (char *) keyblock->contents, - keyblock->length, bc); + keyblock->length, bc); } static krb5_error_code krb5_krcc_unparse_times(krb5_context context, krb5_ccache id, - krb5_ticket_times * t, krb5_krcc_bc * bc) + krb5_ticket_times * t, krb5_krcc_bc * bc) { krb5_error_code kret; @@ -1832,7 +1833,7 @@ krb5_krcc_unparse_times(krb5_context context, krb5_ccache id, static krb5_error_code krb5_krcc_unparse_krb5data(krb5_context context, krb5_ccache id, - krb5_data * data, krb5_krcc_bc * bc) + krb5_data * data, krb5_krcc_bc * bc) { krb5_error_code kret; @@ -1843,14 +1844,14 @@ krb5_krcc_unparse_krb5data(krb5_context context, krb5_ccache id, static krb5_error_code krb5_krcc_unparse_int32(krb5_context context, krb5_ccache id, krb5_int32 i, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { return krb5_krcc_unparse_ui_4(context, id, (krb5_ui_4) i, bc); } static krb5_error_code krb5_krcc_unparse_octet(krb5_context context, krb5_ccache id, krb5_int32 i, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { krb5_octet ibuf; @@ -1860,7 +1861,7 @@ krb5_krcc_unparse_octet(krb5_context context, krb5_ccache id, krb5_int32 i, static krb5_error_code krb5_krcc_unparse_addrs(krb5_context context, krb5_ccache id, - krb5_address ** addrs, krb5_krcc_bc * bc) + krb5_address ** addrs, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_address **temp; @@ -1868,16 +1869,16 @@ krb5_krcc_unparse_addrs(krb5_context context, krb5_ccache id, /* Count the number of components */ if (addrs) { - temp = addrs; - while (*temp++) - length += 1; + temp = addrs; + while (*temp++) + length += 1; } kret = krb5_krcc_unparse_int32(context, id, length, bc); CHECK_OUT(kret); for (i = 0; i < length; i++) { - kret = krb5_krcc_unparse_addr(context, id, addrs[i], bc); - CHECK_OUT(kret); + kret = krb5_krcc_unparse_addr(context, id, addrs[i], bc); + CHECK_OUT(kret); } return KRB5_OK; @@ -1885,7 +1886,7 @@ krb5_krcc_unparse_addrs(krb5_context context, krb5_ccache id, static krb5_error_code krb5_krcc_unparse_addr(krb5_context context, krb5_ccache id, - krb5_address * addr, krb5_krcc_bc * bc) + krb5_address * addr, krb5_krcc_bc * bc) { krb5_error_code kret; @@ -1894,34 +1895,34 @@ krb5_krcc_unparse_addr(krb5_context context, krb5_ccache id, kret = krb5_krcc_unparse_ui_4(context, id, addr->length, bc); CHECK_OUT(kret); return krb5_krcc_unparse(context, id, (char *) addr->contents, - addr->length, bc); + addr->length, bc); } static krb5_error_code krb5_krcc_unparse_authdata(krb5_context context, krb5_ccache id, - krb5_authdata ** a, krb5_krcc_bc * bc) + krb5_authdata ** a, krb5_krcc_bc * bc) { krb5_error_code kret; krb5_authdata **temp; krb5_int32 i, length = 0; if (a != NULL) { - for (temp = a; *temp; temp++) - length++; + for (temp = a; *temp; temp++) + length++; } kret = krb5_krcc_unparse_int32(context, id, length, bc); CHECK_OUT(kret); for (i = 0; i < length; i++) { - kret = krb5_krcc_unparse_authdatum(context, id, a[i], bc); - CHECK_OUT(kret); + kret = krb5_krcc_unparse_authdatum(context, id, a[i], bc); + CHECK_OUT(kret); } return KRB5_OK; } static krb5_error_code krb5_krcc_unparse_authdatum(krb5_context context, krb5_ccache id, - krb5_authdata * a, krb5_krcc_bc * bc) + krb5_authdata * a, krb5_krcc_bc * bc) { krb5_error_code kret; @@ -1930,12 +1931,12 @@ krb5_krcc_unparse_authdatum(krb5_context context, krb5_ccache id, kret = krb5_krcc_unparse_ui_4(context, id, a->length, bc); CHECK_OUT(kret); return krb5_krcc_unparse(context, id, (krb5_pointer) a->contents, - a->length, bc); + a->length, bc); } static krb5_error_code krb5_krcc_unparse_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { unsigned char buf[4]; @@ -1945,7 +1946,7 @@ krb5_krcc_unparse_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i, static krb5_error_code krb5_krcc_unparse_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i, - krb5_krcc_bc * bc) + krb5_krcc_bc * bc) { unsigned char buf[2]; @@ -1967,21 +1968,21 @@ krb5_krcc_unparse_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i, */ static krb5_error_code krb5_krcc_unparse_cred(krb5_context context, krb5_ccache id, - krb5_creds * creds, char **datapp, unsigned int *lenptr) + krb5_creds * creds, char **datapp, unsigned int *lenptr) { krb5_error_code kret; char *buf; krb5_krcc_bc bc; if (!creds || !datapp || !lenptr) - return EINVAL; + return EINVAL; *datapp = NULL; *lenptr = 0; buf = malloc(GUESS_CRED_SIZE); if (buf == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; bc.bpp = buf; bc.endp = buf + GUESS_CRED_SIZE; @@ -1999,7 +2000,7 @@ krb5_krcc_unparse_cred(krb5_context context, krb5_ccache id, CHECK_N_GO(kret, errout); kret = krb5_krcc_unparse_octet(context, id, (krb5_int32) creds->is_skey, - &bc); + &bc); CHECK_N_GO(kret, errout); kret = krb5_krcc_unparse_int32(context, id, creds->ticket_flags, &bc); @@ -2022,23 +2023,23 @@ krb5_krcc_unparse_cred(krb5_context context, krb5_ccache id, *lenptr = bc.bpp - buf; kret = KRB5_OK; - errout: +errout: return kret; } /* - * Utility routine: called by krb5_krcc_* functions to keep + * Utility routine: called by krb5_krcc_* functions to keep * result of krb5_krcc_last_change_time up to date. - * Value monotonically increases -- based on but not guaranteed to be actual + * Value monotonically increases -- based on but not guaranteed to be actual * system time. */ static void krb5_krcc_update_change_time(krb5_krcc_data *d) { - krb5_timestamp now_time = time(NULL); - d->changetime = (d->changetime >= now_time) ? - d->changetime + 1 : now_time; + krb5_timestamp now_time = time(NULL); + d->changetime = (d->changetime >= now_time) ? + d->changetime + 1 : now_time; } @@ -2065,7 +2066,7 @@ const krb5_cc_ops krb5_krcc_ops = { krb5_krcc_end_seq_get, krb5_krcc_remove_cred, krb5_krcc_set_flags, - krb5_krcc_get_flags, /* added after 1.4 release */ + krb5_krcc_get_flags, /* added after 1.4 release */ NULL, NULL, NULL, @@ -2098,7 +2099,7 @@ const krb5_cc_ops krb5_krcc_ops = { NULL, NULL, NULL, - NULL, /* added after 1.4 release */ + NULL, /* added after 1.4 release */ NULL, NULL, NULL, @@ -2108,4 +2109,4 @@ const krb5_cc_ops krb5_krcc_ops = { NULL, NULL, }; -#endif /* USE_KEYRING_CCACHE */ +#endif /* USE_KEYRING_CCACHE */ diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c index 076f7ebd0..578b5ddc5 100644 --- a/src/lib/krb5/ccache/cc_memory.c +++ b/src/lib/krb5/ccache/cc_memory.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/cc_memory.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * implementation of memory-based credentials cache */ @@ -30,68 +31,68 @@ #include static krb5_error_code KRB5_CALLCONV krb5_mcc_close - (krb5_context, krb5_ccache id ); +(krb5_context, krb5_ccache id ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_destroy - (krb5_context, krb5_ccache id ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_destroy +(krb5_context, krb5_ccache id ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_end_seq_get - (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_end_seq_get +(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_generate_new - (krb5_context, krb5_ccache *id ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_generate_new +(krb5_context, krb5_ccache *id ); -static const char * KRB5_CALLCONV krb5_mcc_get_name - (krb5_context, krb5_ccache id ); +static const char * KRB5_CALLCONV krb5_mcc_get_name +(krb5_context, krb5_ccache id ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_get_principal - (krb5_context, krb5_ccache id , krb5_principal *princ ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_get_principal +(krb5_context, krb5_ccache id , krb5_principal *princ ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_initialize - (krb5_context, krb5_ccache id , krb5_principal princ ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_initialize +(krb5_context, krb5_ccache id , krb5_principal princ ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_next_cred - (krb5_context, - krb5_ccache id , - krb5_cc_cursor *cursor , - krb5_creds *creds ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_next_cred +(krb5_context, + krb5_ccache id , + krb5_cc_cursor *cursor , + krb5_creds *creds ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_resolve - (krb5_context, krb5_ccache *id , const char *residual ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_resolve +(krb5_context, krb5_ccache *id , const char *residual ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_retrieve - (krb5_context, - krb5_ccache id , - krb5_flags whichfields , - krb5_creds *mcreds , - krb5_creds *creds ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_retrieve +(krb5_context, + krb5_ccache id , + krb5_flags whichfields , + krb5_creds *mcreds , + krb5_creds *creds ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_start_seq_get - (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_start_seq_get +(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_store - (krb5_context, krb5_ccache id , krb5_creds *creds ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_store +(krb5_context, krb5_ccache id , krb5_creds *creds ); -static krb5_error_code KRB5_CALLCONV krb5_mcc_set_flags - (krb5_context, krb5_ccache id , krb5_flags flags ); +static krb5_error_code KRB5_CALLCONV krb5_mcc_set_flags +(krb5_context, krb5_ccache id , krb5_flags flags ); static krb5_error_code KRB5_CALLCONV krb5_mcc_ptcursor_new - (krb5_context, krb5_cc_ptcursor *); +(krb5_context, krb5_cc_ptcursor *); static krb5_error_code KRB5_CALLCONV krb5_mcc_ptcursor_next - (krb5_context, krb5_cc_ptcursor, krb5_ccache *); +(krb5_context, krb5_cc_ptcursor, krb5_ccache *); static krb5_error_code KRB5_CALLCONV krb5_mcc_ptcursor_free - (krb5_context, krb5_cc_ptcursor *); +(krb5_context, krb5_cc_ptcursor *); static krb5_error_code KRB5_CALLCONV krb5_mcc_last_change_time - (krb5_context, krb5_ccache, krb5_timestamp *); +(krb5_context, krb5_ccache, krb5_timestamp *); static krb5_error_code KRB5_CALLCONV krb5_mcc_lock - (krb5_context context, krb5_ccache id); +(krb5_context context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_mcc_unlock - (krb5_context context, krb5_ccache id); +(krb5_context context, krb5_ccache id); extern const krb5_cc_ops krb5_mcc_ops; @@ -146,7 +147,7 @@ static void krb5_mcc_free (krb5_context context, krb5_ccache id); krb5_error_code KRB5_CALLCONV krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) { - krb5_error_code ret; + krb5_error_code ret; krb5_mcc_data *d; d = (krb5_mcc_data *)id->data; @@ -155,10 +156,10 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) return ret; krb5_mcc_free(context, id); - + d = (krb5_mcc_data *)id->data; ret = krb5_copy_principal(context, princ, - &d->prin); + &d->prin); update_mcc_change_time(d); k5_cc_mutex_unlock(context, &d->lock); @@ -178,8 +179,8 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) krb5_error_code KRB5_CALLCONV krb5_mcc_close(krb5_context context, krb5_ccache id) { - free(id); - return KRB5_OK; + free(id); + return KRB5_OK; } static void @@ -190,10 +191,10 @@ krb5_mcc_free(krb5_context context, krb5_ccache id) d = (krb5_mcc_data *) id->data; for (curr = d->link; curr;) { - krb5_free_creds(context, curr->creds); - next = curr->next; - free(curr); - curr = next; + krb5_free_creds(context, curr->creds); + next = curr->next; + free(curr); + curr = next; } d->link = NULL; krb5_free_principal(context, d->prin); @@ -215,16 +216,16 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id) err = k5_cc_mutex_lock(context, &krb5int_mcc_mutex); if (err) - return err; + return err; d = (krb5_mcc_data *)id->data; for (curr = &mcc_head; *curr; curr = &(*curr)->next) { - if ((*curr)->cache == d) { - node = *curr; - *curr = node->next; - free(node); - break; - } + if ((*curr)->cache == d) { + node = *curr; + *curr = node->next; + free(node); + break; + } } k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); @@ -236,7 +237,7 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id) free(d->name); k5_cc_mutex_unlock(context, &d->lock); k5_cc_mutex_destroy(&d->lock); - free(d); + free(d); free(id); krb5_change_cache (); @@ -249,11 +250,11 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id) * * Modifies: * id - * + * * Effects: - * creates or accesses a memory-based cred cache that is referenced by - * residual. - * + * creates or accesses a memory-based cred cache that is referenced by + * residual. + * * Returns: * A filled in krb5_ccache structure "id". * @@ -274,28 +275,28 @@ krb5_mcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) err = k5_cc_mutex_lock(context, &krb5int_mcc_mutex); if (err) - return err; + return err; for (ptr = mcc_head; ptr; ptr=ptr->next) - if (!strcmp(ptr->cache->name, residual)) - break; + if (!strcmp(ptr->cache->name, residual)) + break; if (ptr) - d = ptr->cache; + d = ptr->cache; else { - err = new_mcc_data(residual, &d); - if (err) { - k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); - return err; - } + err = new_mcc_data(residual, &d); + if (err) { + k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); + return err; + } } k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); if (lid == NULL) - return KRB5_CC_NOMEM; - + return KRB5_CC_NOMEM; + lid->ops = &krb5_mcc_ops; lid->data = d; - *id = lid; + *id = lid; return KRB5_OK; } @@ -314,20 +315,20 @@ krb5_mcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) */ krb5_error_code KRB5_CALLCONV krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id, - krb5_cc_cursor *cursor) + krb5_cc_cursor *cursor) { - krb5_mcc_cursor mcursor; - krb5_error_code err; - krb5_mcc_data *d; - - d = id->data; - err = k5_cc_mutex_lock(context, &d->lock); - if (err) - return err; - mcursor = d->link; - k5_cc_mutex_unlock(context, &d->lock); - *cursor = (krb5_cc_cursor) mcursor; - return KRB5_OK; + krb5_mcc_cursor mcursor; + krb5_error_code err; + krb5_mcc_data *d; + + d = id->data; + err = k5_cc_mutex_lock(context, &d->lock); + if (err) + return err; + mcursor = d->link; + k5_cc_mutex_unlock(context, &d->lock); + *cursor = (krb5_cc_cursor) mcursor; + return KRB5_OK; } /* @@ -337,7 +338,7 @@ krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id, * * Modifes: * cursor, creds - * + * * Effects: * Fills in creds with the "next" credentals structure from the cache * id. The actual order the creds are returned in is arbitrary. @@ -352,25 +353,25 @@ krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id, */ krb5_error_code KRB5_CALLCONV krb5_mcc_next_cred(krb5_context context, krb5_ccache id, - krb5_cc_cursor *cursor, krb5_creds *creds) + krb5_cc_cursor *cursor, krb5_creds *creds) { - krb5_mcc_cursor mcursor; - krb5_error_code retval; - - /* Once the node in the linked list is created, it's never - modified, so we don't need to worry about locking here. (Note - that we don't support _remove_cred.) */ - mcursor = (krb5_mcc_cursor) *cursor; - if (mcursor == NULL) - return KRB5_CC_END; - memset(creds, 0, sizeof(krb5_creds)); - if (mcursor->creds) { - retval = krb5int_copy_creds_contents(context, mcursor->creds, creds); - if (retval) - return retval; - } - *cursor = (krb5_cc_cursor)mcursor->next; - return KRB5_OK; + krb5_mcc_cursor mcursor; + krb5_error_code retval; + + /* Once the node in the linked list is created, it's never + modified, so we don't need to worry about locking here. (Note + that we don't support _remove_cred.) */ + mcursor = (krb5_mcc_cursor) *cursor; + if (mcursor == NULL) + return KRB5_CC_END; + memset(creds, 0, sizeof(krb5_creds)); + if (mcursor->creds) { + retval = krb5int_copy_creds_contents(context, mcursor->creds, creds); + if (retval) + return retval; + } + *cursor = (krb5_cc_cursor)mcursor->next; + return KRB5_OK; } /* @@ -389,8 +390,8 @@ krb5_mcc_next_cred(krb5_context context, krb5_ccache id, krb5_error_code KRB5_CALLCONV krb5_mcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { - *cursor = 0L; - return KRB5_OK; + *cursor = 0L; + return KRB5_OK; } /* Utility routine: Creates the back-end data for a memory cache, and @@ -406,19 +407,19 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr) d = malloc(sizeof(krb5_mcc_data)); if (d == NULL) - return KRB5_CC_NOMEM; - + return KRB5_CC_NOMEM; + err = k5_cc_mutex_init(&d->lock); if (err) { - free(d); - return err; + free(d); + return err; } d->name = strdup(name); if (d->name == NULL) { - k5_cc_mutex_destroy(&d->lock); - free(d); - return KRB5_CC_NOMEM; + k5_cc_mutex_destroy(&d->lock); + free(d); + return KRB5_CC_NOMEM; } d->link = NULL; d->prin = NULL; @@ -427,10 +428,10 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr) n = malloc(sizeof(krb5_mcc_list_node)); if (n == NULL) { - free(d->name); - k5_cc_mutex_destroy(&d->lock); - free(d); - return KRB5_CC_NOMEM; + free(d->name); + k5_cc_mutex_destroy(&d->lock); + free(d); + return KRB5_CC_NOMEM; } n->cache = d; @@ -445,7 +446,7 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr) * Effects: * Creates a new memory cred cache whose name is guaranteed to be * unique. The name begins with the string TKT_ROOT (from mcc.h). - * + * * Returns: * The filled in krb5_ccache id. * @@ -466,41 +467,41 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id) /* Allocate memory */ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); if (lid == NULL) - return KRB5_CC_NOMEM; + return KRB5_CC_NOMEM; lid->ops = &krb5_mcc_ops; - + err = k5_cc_mutex_lock(context, &krb5int_mcc_mutex); if (err) { - free(lid); - return err; + free(lid); + return err; } - + /* Check for uniqueness with mutex locked to avoid race conditions */ while (1) { krb5_mcc_list_node *ptr; err = krb5int_random_string (context, uniquename, sizeof (uniquename)); if (err) { - k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); - free(lid); - return err; + k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); + free(lid); + return err; } - - for (ptr = mcc_head; ptr; ptr=ptr->next) { + + for (ptr = mcc_head; ptr; ptr=ptr->next) { if (!strcmp(ptr->cache->name, uniquename)) { - break; /* got a match, loop again */ + break; /* got a match, loop again */ } - } + } if (!ptr) break; /* got to the end without finding a match */ } - + err = new_mcc_data(uniquename, &d); k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); if (err) { - free(lid); - return err; + free(lid); + return err; } lid->data = d; *id = lid; @@ -508,8 +509,8 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id) return KRB5_OK; } -/* Utility routine: Creates a random memory ccache name. - * This algorithm was selected because it creates readable +/* Utility routine: Creates a random memory ccache name. + * This algorithm was selected because it creates readable * random ccache names in a fixed size buffer. */ krb5_error_code @@ -520,19 +521,19 @@ krb5int_random_string (krb5_context context, char *string, unsigned int length) krb5_error_code err = 0; unsigned char *bytes = NULL; unsigned int bytecount = length - 1; - + if (!err) { bytes = malloc (bytecount); if (bytes == NULL) { err = ENOMEM; } } - + if (!err) { krb5_data data; data.length = bytecount; data.data = (char *) bytes; err = krb5_c_random_make_octets (context, &data); } - + if (!err) { unsigned int i; for (i = 0; i < bytecount; i++) { @@ -540,23 +541,23 @@ krb5int_random_string (krb5_context context, char *string, unsigned int length) } string[length - 1] = '\0'; } - + if (bytes != NULL) { free (bytes); } - + return err; } /* * Requires: * id is a file credential cache - * + * * Returns: * A pointer to the name of the file cred cache id. */ const char * KRB5_CALLCONV krb5_mcc_get_name (krb5_context context, krb5_ccache id) { - return (char *) ((krb5_mcc_data *) id->data)->name; + return (char *) ((krb5_mcc_data *) id->data)->name; } /* @@ -575,25 +576,25 @@ krb5_mcc_get_name (krb5_context context, krb5_ccache id) krb5_error_code KRB5_CALLCONV krb5_mcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ) { - krb5_mcc_data *ptr = (krb5_mcc_data *)id->data; - if (!ptr->prin) { + krb5_mcc_data *ptr = (krb5_mcc_data *)id->data; + if (!ptr->prin) { *princ = 0L; return KRB5_FCC_NOFILE; - } - return krb5_copy_principal(context, ptr->prin, princ); + } + return krb5_copy_principal(context, ptr->prin, princ); } krb5_error_code KRB5_CALLCONV krb5_mcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, - krb5_creds *mcreds, krb5_creds *creds) + krb5_creds *mcreds, krb5_creds *creds) { return krb5_cc_retrieve_cred_default (context, id, whichfields, - mcreds, creds); + mcreds, creds); } -/* +/* * Non-functional stub implementation for krb5_mcc_remove - * + * * Errors: * KRB5_CC_NOSUPP - not implemented */ @@ -612,7 +613,7 @@ krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, * * Modifies: * id - * + * * Effects: * Sets the operational flags of id to flags. */ @@ -649,13 +650,13 @@ krb5_mcc_store(krb5_context ctx, krb5_ccache id, krb5_creds *creds) new_node = malloc(sizeof(krb5_mcc_link)); if (new_node == NULL) - return ENOMEM; + return ENOMEM; err = krb5_copy_creds(ctx, creds, &new_node->creds); if (err) - goto cleanup; + goto cleanup; err = k5_cc_mutex_lock(ctx, &mptr->lock); if (err) - goto cleanup; + goto cleanup; new_node->next = mptr->link; mptr->link = new_node; update_mcc_change_time(mptr); @@ -679,25 +680,25 @@ krb5_mcc_ptcursor_new( n = malloc(sizeof(*n)); if (n == NULL) - return ENOMEM; + return ENOMEM; n->ops = &krb5_mcc_ops; cdata = malloc(sizeof(struct krb5_mcc_ptcursor_data)); if (cdata == NULL) { - ret = ENOMEM; - goto errout; + ret = ENOMEM; + goto errout; } n->data = cdata; ret = k5_cc_mutex_lock(context, &krb5int_mcc_mutex); if (ret) - goto errout; + goto errout; cdata->cur = mcc_head; ret = k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); if (ret) - goto errout; + goto errout; errout: if (ret) { - krb5_mcc_ptcursor_free(context, &n); + krb5_mcc_ptcursor_free(context, &n); } *cursor = n; return ret; @@ -715,25 +716,25 @@ krb5_mcc_ptcursor_next( *ccache = NULL; cdata = cursor->data; if (cdata->cur == NULL) - return 0; + return 0; *ccache = malloc(sizeof(**ccache)); if (*ccache == NULL) - return ENOMEM; + return ENOMEM; (*ccache)->ops = &krb5_mcc_ops; (*ccache)->data = cdata->cur->cache; ret = k5_cc_mutex_lock(context, &krb5int_mcc_mutex); if (ret) - goto errout; + goto errout; cdata->cur = cdata->cur->next; ret = k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); if (ret) - goto errout; + goto errout; errout: if (ret && *ccache != NULL) { - free(*ccache); - *ccache = NULL; + free(*ccache); + *ccache = NULL; } return ret; } @@ -744,25 +745,25 @@ krb5_mcc_ptcursor_free( krb5_cc_ptcursor *cursor) { if (*cursor == NULL) - return 0; + return 0; if ((*cursor)->data != NULL) - free((*cursor)->data); + free((*cursor)->data); free(*cursor); *cursor = NULL; return 0; } -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_mcc_last_change_time( krb5_context context, - krb5_ccache id, + krb5_ccache id, krb5_timestamp *change_time) { krb5_error_code ret = 0; krb5_mcc_data *data = (krb5_mcc_data *) id->data; - + *change_time = 0; - + ret = k5_cc_mutex_lock(context, &data->lock); if (!ret) { *change_time = data->changetime; @@ -773,19 +774,19 @@ krb5_mcc_last_change_time( } /* - Utility routine: called by krb5_mcc_* functions to keep - result of krb5_mcc_last_change_time up to date - */ + Utility routine: called by krb5_mcc_* functions to keep + result of krb5_mcc_last_change_time up to date +*/ static void update_mcc_change_time(krb5_mcc_data *d) { krb5_timestamp now_time = time(NULL); - d->changetime = (d->changetime >= now_time) ? - d->changetime + 1 : now_time; + d->changetime = (d->changetime >= now_time) ? + d->changetime + 1 : now_time; } -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_mcc_lock(krb5_context context, krb5_ccache id) { krb5_error_code ret = 0; @@ -794,7 +795,7 @@ krb5_mcc_lock(krb5_context context, krb5_ccache id) return ret; } -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_mcc_unlock(krb5_context context, krb5_ccache id) { krb5_error_code ret = 0; @@ -804,29 +805,29 @@ krb5_mcc_unlock(krb5_context context, krb5_ccache id) } const krb5_cc_ops krb5_mcc_ops = { - 0, - "MEMORY", - krb5_mcc_get_name, - krb5_mcc_resolve, - krb5_mcc_generate_new, - krb5_mcc_initialize, - krb5_mcc_destroy, - krb5_mcc_close, - krb5_mcc_store, - krb5_mcc_retrieve, - krb5_mcc_get_principal, - krb5_mcc_start_seq_get, - krb5_mcc_next_cred, - krb5_mcc_end_seq_get, - krb5_mcc_remove_cred, - krb5_mcc_set_flags, - krb5_mcc_get_flags, - krb5_mcc_ptcursor_new, - krb5_mcc_ptcursor_next, - krb5_mcc_ptcursor_free, - NULL, /* move */ - krb5_mcc_last_change_time, - NULL, /* wasdefault */ - krb5_mcc_lock, - krb5_mcc_unlock, + 0, + "MEMORY", + krb5_mcc_get_name, + krb5_mcc_resolve, + krb5_mcc_generate_new, + krb5_mcc_initialize, + krb5_mcc_destroy, + krb5_mcc_close, + krb5_mcc_store, + krb5_mcc_retrieve, + krb5_mcc_get_principal, + krb5_mcc_start_seq_get, + krb5_mcc_next_cred, + krb5_mcc_end_seq_get, + krb5_mcc_remove_cred, + krb5_mcc_set_flags, + krb5_mcc_get_flags, + krb5_mcc_ptcursor_new, + krb5_mcc_ptcursor_next, + krb5_mcc_ptcursor_free, + NULL, /* move */ + krb5_mcc_last_change_time, + NULL, /* wasdefault */ + krb5_mcc_lock, + krb5_mcc_unlock, }; diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c index db74828f3..826794f89 100644 --- a/src/lib/krb5/ccache/cc_mslsa.c +++ b/src/lib/krb5/ccache/cc_mslsa.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/cc_mslsa.c * @@ -10,7 +11,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -24,11 +25,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * Copyright 2000 by Carnegie Mellon University * * All Rights Reserved - * + * * Permission to use, copy, modify, and distribute this software and its * documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and that @@ -37,7 +38,7 @@ * University not be used in advertising or publicity pertaining to * distribution of the software without specific, written prior * permission. - * + * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR @@ -88,63 +89,63 @@ #define MAX_MSG_SIZE 256 #define MAX_MSPRINC_SIZE 1024 -/* THREAD SAFETY - * The functions is_windows_2000(), is_windows_xp(), - * does_retrieve_ticket_cache_ticket() and does_query_ticket_cache_ex2() - * contain static variables to cache the responses of the tests being - * performed. There is no harm in the test being performed more than +/* THREAD SAFETY + * The functions is_windows_2000(), is_windows_xp(), + * does_retrieve_ticket_cache_ticket() and does_query_ticket_cache_ex2() + * contain static variables to cache the responses of the tests being + * performed. There is no harm in the test being performed more than * once since the result will always be the same. */ -static BOOL +static BOOL is_windows_2000 (void) { - static BOOL fChecked = FALSE; - static BOOL fIsWin2K = FALSE; + static BOOL fChecked = FALSE; + static BOOL fIsWin2K = FALSE; - if (!fChecked) - { - OSVERSIONINFO Version; + if (!fChecked) + { + OSVERSIONINFO Version; - memset (&Version, 0x00, sizeof(Version)); - Version.dwOSVersionInfoSize = sizeof(Version); + memset (&Version, 0x00, sizeof(Version)); + Version.dwOSVersionInfoSize = sizeof(Version); - if (GetVersionEx (&Version)) - { - if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && + if (GetVersionEx (&Version)) + { + if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && Version.dwMajorVersion >= 5) - fIsWin2K = TRUE; - } - fChecked = TRUE; - } + fIsWin2K = TRUE; + } + fChecked = TRUE; + } - return fIsWin2K; + return fIsWin2K; } -static BOOL +static BOOL is_windows_xp (void) { - static BOOL fChecked = FALSE; - static BOOL fIsWinXP = FALSE; + static BOOL fChecked = FALSE; + static BOOL fIsWinXP = FALSE; - if (!fChecked) - { - OSVERSIONINFO Version; + if (!fChecked) + { + OSVERSIONINFO Version; - memset (&Version, 0x00, sizeof(Version)); - Version.dwOSVersionInfoSize = sizeof(Version); + memset (&Version, 0x00, sizeof(Version)); + Version.dwOSVersionInfoSize = sizeof(Version); - if (GetVersionEx (&Version)) - { - if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && + if (GetVersionEx (&Version)) + { + if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && (Version.dwMajorVersion > 5 || Version.dwMajorVersion == 5 && Version.dwMinorVersion >= 1) ) - fIsWinXP = TRUE; - } - fChecked = TRUE; - } + fIsWinXP = TRUE; + } + fChecked = TRUE; + } - return fIsWinXP; + return fIsWinXP; } static BOOL @@ -155,17 +156,17 @@ is_windows_vista (void) if (!fChecked) { - OSVERSIONINFO Version; + OSVERSIONINFO Version; - memset (&Version, 0x00, sizeof(Version)); - Version.dwOSVersionInfoSize = sizeof(Version); + memset (&Version, 0x00, sizeof(Version)); + Version.dwOSVersionInfoSize = sizeof(Version); - if (GetVersionEx (&Version)) - { - if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && Version.dwMajorVersion >= 6) - fIsVista = TRUE; - } - fChecked = TRUE; + if (GetVersionEx (&Version)) + { + if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && Version.dwMajorVersion >= 6) + fIsVista = TRUE; + } + fChecked = TRUE; } return fIsVista; @@ -179,24 +180,24 @@ is_process_uac_limited (void) if (!fChecked) { - NTSTATUS Status = 0; - HANDLE TokenHandle; - DWORD ElevationLevel; - DWORD ReqLen; - BOOL Success; - - if (is_windows_vista()) { - Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle ); - if ( Success ) { - Success = GetTokenInformation( TokenHandle, - TokenOrigin+1 /* ElevationLevel */, - &ElevationLevel, sizeof(DWORD), &ReqLen ); - CloseHandle( TokenHandle ); - if ( Success && ElevationLevel == 3 /* Limited */ ) - fIsUAC = TRUE; - } - } - fChecked = TRUE; + NTSTATUS Status = 0; + HANDLE TokenHandle; + DWORD ElevationLevel; + DWORD ReqLen; + BOOL Success; + + if (is_windows_vista()) { + Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle ); + if ( Success ) { + Success = GetTokenInformation( TokenHandle, + TokenOrigin+1 /* ElevationLevel */, + &ElevationLevel, sizeof(DWORD), &ReqLen ); + CloseHandle( TokenHandle ); + if ( Success && ElevationLevel == 3 /* Limited */ ) + fIsUAC = TRUE; + } + } + fChecked = TRUE; } return fIsUAC; @@ -212,31 +213,31 @@ is_broken_wow64(void) if (!fChecked) { - BOOL isWow64 = FALSE; - OSVERSIONINFO Version; - HANDLE h1 = NULL; - LPFN_ISWOW64PROCESS fnIsWow64Process = NULL; - - h1 = GetModuleHandle(L"kernel32.dll"); - fnIsWow64Process = - (LPFN_ISWOW64PROCESS)GetProcAddress(h1, "IsWow64Process"); - - /* If we don't find the fnIsWow64Process function then we - * are not running in a broken Wow64 - */ - if (fnIsWow64Process) { - memset (&Version, 0x00, sizeof(Version)); - Version.dwOSVersionInfoSize = sizeof(Version); - - if (fnIsWow64Process(GetCurrentProcess(), &isWow64) && - GetVersionEx (&Version)) { - if (isWow64 && - Version.dwPlatformId == VER_PLATFORM_WIN32_NT && - Version.dwMajorVersion < 6) - fIsBrokenWow64 = TRUE; - } - } - fChecked = TRUE; + BOOL isWow64 = FALSE; + OSVERSIONINFO Version; + HANDLE h1 = NULL; + LPFN_ISWOW64PROCESS fnIsWow64Process = NULL; + + h1 = GetModuleHandle(L"kernel32.dll"); + fnIsWow64Process = + (LPFN_ISWOW64PROCESS)GetProcAddress(h1, "IsWow64Process"); + + /* If we don't find the fnIsWow64Process function then we + * are not running in a broken Wow64 + */ + if (fnIsWow64Process) { + memset (&Version, 0x00, sizeof(Version)); + Version.dwOSVersionInfoSize = sizeof(Version); + + if (fnIsWow64Process(GetCurrentProcess(), &isWow64) && + GetVersionEx (&Version)) { + if (isWow64 && + Version.dwPlatformId == VER_PLATFORM_WIN32_NT && + Version.dwMajorVersion < 6) + fIsBrokenWow64 = TRUE; + } + } + fChecked = TRUE; } return fIsBrokenWow64; @@ -244,7 +245,7 @@ is_broken_wow64(void) /* This flag is only supported by versions of Windows which have obtained * a code change from Microsoft. When the code change is installed, - * setting this flag will cause all retrieved credentials to be stored + * setting this flag will cause all retrieved credentials to be stored * in the LSA cache. */ #ifndef KERB_RETRIEVE_TICKET_CACHE_TICKET @@ -308,27 +309,27 @@ UnicodeToANSI(LPTSTR lpInputString, LPSTR lpszOutputString, int nOutStringLen) // Only supporting non-Unicode strings int reqLen = WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1, NULL, 0, NULL, NULL); - if ( reqLen > nOutStringLen) + if ( reqLen > nOutStringLen) { return FALSE; } else { - if (WideCharToMultiByte(CP_ACP, - /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK, - (LPCWSTR) lpInputString, -1, - lpszOutputString, - nOutStringLen, NULL, NULL) == 0) - return FALSE; + if (WideCharToMultiByte(CP_ACP, + /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK, + (LPCWSTR) lpInputString, -1, + lpszOutputString, + nOutStringLen, NULL, NULL) == 0) + return FALSE; } - } + } else { // Looks like unicode, better translate it - if (WideCharToMultiByte(CP_ACP, - /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK, - (LPCWSTR) lpInputString, -1, - lpszOutputString, - nOutStringLen, NULL, NULL) == 0) - return FALSE; + if (WideCharToMultiByte(CP_ACP, + /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK, + (LPCWSTR) lpInputString, -1, + lpszOutputString, + nOutStringLen, NULL, NULL) == 0) + return FALSE; } return TRUE; @@ -365,14 +366,14 @@ MITPrincToMSPrinc(krb5_context context, krb5_principal principal, UNICODE_STRING msprinc->Length = strlen(aname) * sizeof(WCHAR); if ( msprinc->Length <= msprinc->MaximumLength ) ANSIToUnicode(aname, msprinc->Buffer, msprinc->MaximumLength); - else + else msprinc->Length = 0; krb5_free_unparsed_name(context,aname); } } static BOOL -UnicodeStringToMITPrinc(UNICODE_STRING *service, WCHAR *realm, krb5_context context, +UnicodeStringToMITPrinc(UNICODE_STRING *service, WCHAR *realm, krb5_context context, krb5_principal *principal) { WCHAR princbuf[512]; @@ -385,14 +386,14 @@ UnicodeStringToMITPrinc(UNICODE_STRING *service, WCHAR *realm, krb5_context cont wcscat(princbuf, realm); if (UnicodeToANSI(princbuf, aname, sizeof(aname))) { if (krb5_parse_name(context, aname, principal) == 0) - return TRUE; + return TRUE; } return FALSE; } static BOOL -KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context, +KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context, krb5_principal *principal) { WCHAR princbuf[512],tmpbuf[128]; @@ -411,7 +412,7 @@ KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_conte wcscat(princbuf, realm); if (UnicodeToANSI(princbuf, aname, sizeof(aname))) { if (krb5_parse_name(context, aname, principal) == 0) - return TRUE; + return TRUE; } return FALSE; } @@ -451,16 +452,16 @@ static BOOL IsMSSessionKeyNull(KERB_CRYPTO_KEY *mskey) { DWORD i; - + if (is_process_uac_limited()) - return TRUE; + return TRUE; if (mskey->KeyType == KERB_ETYPE_NULL) - return TRUE; + return TRUE; for ( i=0; iLength; i++ ) { - if (mskey->Value[i]) - return FALSE; + if (mskey->Value[i]) + return FALSE; } return TRUE; @@ -482,12 +483,12 @@ MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_d tmpdata.length=msticket->EncodedTicketSize; tmpdata.data=msticket->EncodedTicket; - // this is ugly and will break krb5_free_data() + // this is ugly and will break krb5_free_data() // now that this is being done within the library it won't break krb5_free_data() rc = krb5_copy_data(context, &tmpdata, &newdata); if (rc) return FALSE; - + memcpy(ticket, newdata, sizeof(krb5_data)); free(newdata); return TRUE; @@ -496,7 +497,7 @@ MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_d /* * PreserveInitialTicketIdentity() * - * This will find the "PreserveInitialTicketIdentity" key in the registry. + * This will find the "PreserveInitialTicketIdentity" key in the registry. * Returns 1 to preserve and 0 to not. */ @@ -520,7 +521,7 @@ PreserveInitialTicketIdentity(void) RegCloseKey(hKey); goto done; - syskey: +syskey: if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS) goto done; if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS) @@ -530,13 +531,13 @@ PreserveInitialTicketIdentity(void) } RegCloseKey(hKey); - done: +done: return retval; } static BOOL -MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm, +MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm, krb5_context context, krb5_creds *creds) { WCHAR wrealm[128]; @@ -555,7 +556,7 @@ MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm, wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0; if (!KerbExternalNameToMITPrinc(msticket->ServiceName, wrealm, context, &creds->server)) return FALSE; - MSSessionKeyToMITKeyblock(&msticket->SessionKey, context, + MSSessionKeyToMITKeyblock(&msticket->SessionKey, context, &creds->keyblock); MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags); creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime); @@ -581,14 +582,14 @@ CacheInfoEx2ToMITCred(KERB_TICKET_CACHE_INFO_EX2 *info, wcsncpy(wrealm, info->ClientRealm.Buffer, info->ClientRealm.Length/sizeof(WCHAR)); wrealm[info->ClientRealm.Length/sizeof(WCHAR)]=0; if (!UnicodeStringToMITPrinc(&info->ClientName, wrealm, context, &creds->client)) - return FALSE; + return FALSE; // construct Service Principal wcsncpy(wrealm, info->ServerRealm.Buffer, info->ServerRealm.Length/sizeof(WCHAR)); wrealm[info->ServerRealm.Length/sizeof(WCHAR)]=0; if (!UnicodeStringToMITPrinc(&info->ServerName, wrealm, context, &creds->server)) - return FALSE; + return FALSE; creds->keyblock.magic = KV5M_KEYBLOCK; creds->keyblock.enctype = info->SessionKeyType; @@ -616,7 +617,7 @@ PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId) Status = LsaConnectUntrusted( pLogonHandle - ); + ); if (FAILED(Status)) { @@ -632,7 +633,7 @@ PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId) *pLogonHandle, &Name, pPackageId - ); + ); if (FAILED(Status)) { @@ -644,123 +645,123 @@ PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId) } -static BOOL +static BOOL does_retrieve_ticket_cache_ticket (void) { - static BOOL fChecked = FALSE; - static BOOL fCachesTicket = FALSE; - - if (!fChecked) - { - NTSTATUS Status = 0; - NTSTATUS SubStatus = 0; - HANDLE LogonHandle; - ULONG PackageId; - ULONG RequestSize; - PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL; - PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL; - ULONG ResponseSize; - - RequestSize = sizeof(*pTicketRequest) + 1; - - if (!PackageConnectLookup(&LogonHandle, &PackageId)) - return FALSE; - - pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize); - if (!pTicketRequest) { - CloseHandle(LogonHandle); - return FALSE; - } - - pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage; - pTicketRequest->LogonId.LowPart = 0; - pTicketRequest->LogonId.HighPart = 0; - pTicketRequest->TargetName.Length = 0; - pTicketRequest->TargetName.MaximumLength = 0; - pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1); - pTicketRequest->CacheOptions = - KERB_RETRIEVE_TICKET_DONT_USE_CACHE | KERB_RETRIEVE_TICKET_CACHE_TICKET; - pTicketRequest->EncryptionType = 0; - pTicketRequest->TicketFlags = 0; - - Status = LsaCallAuthenticationPackage( LogonHandle, - PackageId, - pTicketRequest, - RequestSize, - &pTicketResponse, - &ResponseSize, - &SubStatus - ); - - LocalFree(pTicketRequest); - CloseHandle(LogonHandle); - - if (FAILED(Status) || FAILED(SubStatus)) { - if ( SubStatus == STATUS_NOT_SUPPORTED ) - /* The combination of the two CacheOption flags - * is not supported; therefore, the new flag is supported - */ - fCachesTicket = TRUE; - } - fChecked = TRUE; - } - - return fCachesTicket; + static BOOL fChecked = FALSE; + static BOOL fCachesTicket = FALSE; + + if (!fChecked) + { + NTSTATUS Status = 0; + NTSTATUS SubStatus = 0; + HANDLE LogonHandle; + ULONG PackageId; + ULONG RequestSize; + PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL; + PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL; + ULONG ResponseSize; + + RequestSize = sizeof(*pTicketRequest) + 1; + + if (!PackageConnectLookup(&LogonHandle, &PackageId)) + return FALSE; + + pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize); + if (!pTicketRequest) { + CloseHandle(LogonHandle); + return FALSE; + } + + pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage; + pTicketRequest->LogonId.LowPart = 0; + pTicketRequest->LogonId.HighPart = 0; + pTicketRequest->TargetName.Length = 0; + pTicketRequest->TargetName.MaximumLength = 0; + pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1); + pTicketRequest->CacheOptions = + KERB_RETRIEVE_TICKET_DONT_USE_CACHE | KERB_RETRIEVE_TICKET_CACHE_TICKET; + pTicketRequest->EncryptionType = 0; + pTicketRequest->TicketFlags = 0; + + Status = LsaCallAuthenticationPackage( LogonHandle, + PackageId, + pTicketRequest, + RequestSize, + &pTicketResponse, + &ResponseSize, + &SubStatus + ); + + LocalFree(pTicketRequest); + CloseHandle(LogonHandle); + + if (FAILED(Status) || FAILED(SubStatus)) { + if ( SubStatus == STATUS_NOT_SUPPORTED ) + /* The combination of the two CacheOption flags + * is not supported; therefore, the new flag is supported + */ + fCachesTicket = TRUE; + } + fChecked = TRUE; + } + + return fCachesTicket; } #ifdef HAVE_CACHE_INFO_EX2 -static BOOL +static BOOL does_query_ticket_cache_ex2 (void) { - static BOOL fChecked = FALSE; - static BOOL fEx2Response = FALSE; - - if (!fChecked) - { - NTSTATUS Status = 0; - NTSTATUS SubStatus = 0; - HANDLE LogonHandle; - ULONG PackageId; - ULONG RequestSize; - PKERB_QUERY_TKT_CACHE_REQUEST pCacheRequest = NULL; - PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pCacheResponse = NULL; - ULONG ResponseSize; - - RequestSize = sizeof(*pCacheRequest) + 1; - - if (!PackageConnectLookup(&LogonHandle, &PackageId)) - return FALSE; - - pCacheRequest = (PKERB_QUERY_TKT_CACHE_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize); - if (!pCacheRequest) { - CloseHandle(LogonHandle); - return FALSE; - } - - pCacheRequest->MessageType = KerbQueryTicketCacheEx2Message; - pCacheRequest->LogonId.LowPart = 0; - pCacheRequest->LogonId.HighPart = 0; - - Status = LsaCallAuthenticationPackage( LogonHandle, - PackageId, - pCacheRequest, - RequestSize, - &pCacheResponse, - &ResponseSize, - &SubStatus - ); - - LocalFree(pCacheRequest); - CloseHandle(LogonHandle); - - if (!(FAILED(Status) || FAILED(SubStatus))) { - LsaFreeReturnBuffer(pCacheResponse); - fEx2Response = TRUE; - } - fChecked = TRUE; - } - - return fEx2Response; + static BOOL fChecked = FALSE; + static BOOL fEx2Response = FALSE; + + if (!fChecked) + { + NTSTATUS Status = 0; + NTSTATUS SubStatus = 0; + HANDLE LogonHandle; + ULONG PackageId; + ULONG RequestSize; + PKERB_QUERY_TKT_CACHE_REQUEST pCacheRequest = NULL; + PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pCacheResponse = NULL; + ULONG ResponseSize; + + RequestSize = sizeof(*pCacheRequest) + 1; + + if (!PackageConnectLookup(&LogonHandle, &PackageId)) + return FALSE; + + pCacheRequest = (PKERB_QUERY_TKT_CACHE_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize); + if (!pCacheRequest) { + CloseHandle(LogonHandle); + return FALSE; + } + + pCacheRequest->MessageType = KerbQueryTicketCacheEx2Message; + pCacheRequest->LogonId.LowPart = 0; + pCacheRequest->LogonId.HighPart = 0; + + Status = LsaCallAuthenticationPackage( LogonHandle, + PackageId, + pCacheRequest, + RequestSize, + &pCacheResponse, + &ResponseSize, + &SubStatus + ); + + LocalFree(pCacheRequest); + CloseHandle(LogonHandle); + + if (!(FAILED(Status) || FAILED(SubStatus))) { + LsaFreeReturnBuffer(pCacheResponse); + fEx2Response = TRUE; + } + fChecked = TRUE; + } + + return fEx2Response; } #endif /* HAVE_CACHE_INFO_EX2 */ @@ -794,8 +795,8 @@ get_STRING_from_registry(HKEY hBaseKey, char * key, char * value, char * outbuf, DWORD dwCount; LONG rc; - if (!outbuf || outlen == 0) - return FALSE; + if (!outbuf || outlen == 0) + return FALSE; rc = RegOpenKeyExA(hBaseKey, key, 0, KEY_QUERY_VALUE, &hKey); if (rc) @@ -838,11 +839,11 @@ GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData) } // -// IsKerberosLogon() does not validate whether or not there are valid tickets in the -// cache. It validates whether or not it is reasonable to assume that if we -// attempted to retrieve valid tickets we could do so. Microsoft does not +// IsKerberosLogon() does not validate whether or not there are valid tickets in the +// cache. It validates whether or not it is reasonable to assume that if we +// attempted to retrieve valid tickets we could do so. Microsoft does not // automatically renew expired tickets. Therefore, the cache could contain -// expired or invalid tickets. Microsoft also caches the user's password +// expired or invalid tickets. Microsoft also caches the user's password // and will use it to retrieve new TGTs if the cache is empty and tickets // are requested. @@ -896,7 +897,7 @@ ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * o TargetPrefix.MaximumLength = TargetPrefix.Length; // - // We will need to concatenate the "krbtgt/" prefix and the + // We will need to concatenate the "krbtgt/" prefix and the // Logon Session's DnsDomainName into our request's target name. // // Therefore, first compute the necessary buffer size for that. @@ -930,8 +931,8 @@ ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * o pTicketRequest->TargetName.MaximumLength = TargetSize; pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1); Error = ConcatenateUnicodeStrings(&(pTicketRequest->TargetName), - TargetPrefix, - DomainName); + TargetPrefix, + DomainName); *outRequest = pTicketRequest; *outSize = RequestSize; return Error; @@ -954,20 +955,20 @@ PurgeAllTickets(HANDLE LogonHandle, ULONG PackageId) PurgeRequest.RealmName.Length = 0; PurgeRequest.RealmName.MaximumLength = 0; Status = LsaCallAuthenticationPackage(LogonHandle, - PackageId, - &PurgeRequest, - sizeof(PurgeRequest), - NULL, - NULL, - &SubStatus - ); + PackageId, + &PurgeRequest, + sizeof(PurgeRequest), + NULL, + NULL, + &SubStatus + ); if (FAILED(Status) || FAILED(SubStatus)) return FALSE; return TRUE; } static BOOL -PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId, +PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId, krb5_context context, krb5_creds *cred ) { NTSTATUS Status = 0; @@ -1009,7 +1010,7 @@ PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId, NULL, NULL, &SubStatus - ); + ); free(pPurgeRequest); krb5_free_unparsed_name(context, sname); @@ -1021,7 +1022,7 @@ PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId, static BOOL -PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId, +PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId, krb5_context context, krb5_flags flags, krb5_creds *cred) { NTSTATUS Status = 0; @@ -1033,7 +1034,7 @@ PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId, if (krb5_unparse_name(context, cred->client, &cname)) return FALSE; - + if (krb5_unparse_name(context, cred->server, &sname)) { krb5_free_unparsed_name(context, cname); return FALSE; @@ -1093,7 +1094,7 @@ PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId, NULL, NULL, &SubStatus - ); + ); free(pPurgeRequest); krb5_free_unparsed_name(context,cname); krb5_free_unparsed_name(context,sname); @@ -1105,7 +1106,7 @@ PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId, #ifdef KERB_SUBMIT_TICKET static BOOL -KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, +KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, krb5_context context, krb5_creds *cred) { NTSTATUS Status = 0; @@ -1126,14 +1127,14 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, KRB5_AUTH_CONTEXT_RET_TIME)) { return FALSE; } - + krb5_auth_con_getsendsubkey(context, auth_context, &keyblock); if (keyblock == NULL) krb5_auth_con_getkey(context, auth_context, &keyblock); - /* make up a key, any key, that can be used to generate the - * encrypted KRB_CRED pdu. The Vista release LSA requires - * that an enctype other than NULL be used. */ + /* make up a key, any key, that can be used to generate the + * encrypted KRB_CRED pdu. The Vista release LSA requires + * that an enctype other than NULL be used. */ if (keyblock == NULL) { keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock)); keyblock->enctype = ENCTYPE_ARCFOUR_HMAC; @@ -1176,7 +1177,7 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, pSubmitRequest->LogonId.LowPart = 0; pSubmitRequest->LogonId.HighPart = 0; pSubmitRequest->Flags = 0; - + if (keyblock) { pSubmitRequest->Key.KeyType = keyblock->enctype; pSubmitRequest->Key.Length = keyblock->length; @@ -1192,7 +1193,7 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, krb_cred->data, krb_cred->length); if (keyblock) memcpy(((CHAR *)pSubmitRequest)+sizeof(KERB_SUBMIT_TKT_REQUEST)+krb_cred->length, - keyblock->contents, keyblock->length); + keyblock->contents, keyblock->length); krb5_free_data(context, krb_cred); Status = LsaCallAuthenticationPackage( LogonHandle, @@ -1202,20 +1203,20 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, NULL, NULL, &SubStatus - ); + ); free(pSubmitRequest); if (keyblock) krb5_free_keyblock(context, keyblock); krb5_auth_con_free(context, auth_context); if (FAILED(Status) || FAILED(SubStatus)) { - return FALSE; + return FALSE; } return TRUE; } #endif /* KERB_SUBMIT_TICKET */ -/* +/* * A simple function to determine if there is an exact match between two tickets * We rely on the fact that the external tickets contain the raw Kerberos ticket. * If the EncodedTicket fields match, the KERB_EXTERNAL_TICKETs must be the same. @@ -1227,7 +1228,7 @@ KerbExternalTicketMatch( PKERB_EXTERNAL_TICKET one, PKERB_EXTERNAL_TICKET two ) return FALSE; if ( memcmp(one->EncodedTicket, two->EncodedTicket, one->EncodedTicketSize) ) - return FALSE; + return FALSE; return TRUE; } @@ -1240,12 +1241,12 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ, if (krb5_get_tgs_ktypes(context, princ, &list)) return(0); - + ret = 0; for (ptr = list; *ptr; ptr++) - if (*ptr == etype) - ret = 1; + if (*ptr == etype) + ret = 1; krb5_free_ktypes (context, list); @@ -1256,7 +1257,7 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ, // to allow the purging of expired tickets from LSA cache. This is necessary // to force the retrieval of new TGTs. Microsoft does not appear to retrieve // new tickets when they expire. Instead they continue to accept the expired -// tickets. This is safe to do because the LSA purges its cache when it +// tickets. This is safe to do because the LSA purges its cache when it // retrieves a new TGT (ms calls this renew) but not when it renews the TGT // (ms calls this refresh). @@ -1287,7 +1288,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA krb5_enctype *etype_list = NULL, *ptr = NULL, etype = 0; if (is_process_uac_limited()) { - Status = STATUS_ACCESS_DENIED; + Status = STATUS_ACCESS_DENIED; goto cleanup; } @@ -1304,12 +1305,12 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA &pTicketResponse, &ResponseSize, &SubStatus - ); + ); if (FAILED(Status)) { // if the call to LsaCallAuthenticationPackage failed we cannot - // perform any queries most likely because the Kerberos package + // perform any queries most likely because the Kerberos package // is not available or we do not have access bIsLsaError = TRUE; goto cleanup; @@ -1330,7 +1331,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); GetVersionEx((OSVERSIONINFO *)&verinfo); - supported = (verinfo.dwMajorVersion > 5) || + supported = (verinfo.dwMajorVersion > 5) || (verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion >= 1); // If we could not get a TGT from the cache we won't know what the @@ -1340,7 +1341,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA if ( supported && GetSecurityLogonSessionData(&pSessionData) ) { if ( pSessionData->DnsDomainName.Buffer ) { Error = ConstructTicketRequest(pSessionData->DnsDomainName, - &pTicketRequest, &RequestSize); + &pTicketRequest, &RequestSize); LsaFreeReturnBuffer(pSessionData); if ( Error ) goto cleanup; @@ -1354,11 +1355,11 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA WCHAR UnicodeUserDnsDomain[256]; UNICODE_STRING wrapper; if ( !get_STRING_from_registry(HKEY_CURRENT_USER, - "Volatile Environment", - "USERDNSDOMAIN", + "Volatile Environment", + "USERDNSDOMAIN", UserDnsDomain, sizeof(UserDnsDomain) - ) ) + ) ) { goto cleanup; } @@ -1369,16 +1370,16 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA wrapper.MaximumLength = 256; Error = ConstructTicketRequest(wrapper, - &pTicketRequest, &RequestSize); + &pTicketRequest, &RequestSize); if ( Error ) goto cleanup; } } else { - /* We have succeeded in obtaining a credential from the cache. + /* We have succeeded in obtaining a credential from the cache. * Assuming the enctype is one that we support and the ticket * has not expired and is not marked invalid we will use it. * Otherwise, we must create a new ticket request and obtain - * a credential we can use. + * a credential we can use. */ #ifdef PURGE_ALL @@ -1386,7 +1387,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA #else /* Check Supported Enctypes */ if ( !enforce_tgs_enctypes || - IsMSSessionKeyNull(&pTicketResponse->Ticket.SessionKey) || + IsMSSessionKeyNull(&pTicketResponse->Ticket.SessionKey) || krb5_is_permitted_tgs_enctype(context, NULL, pTicketResponse->Ticket.SessionKey.KeyType) ) { FILETIME Now, MinLife, EndTime, LocalEndTime; __int64 temp; @@ -1421,7 +1422,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA #endif /* PURGE_ALL */ Error = ConstructTicketRequest(pTicketResponse->Ticket.TargetDomainName, - &pTicketRequest, &RequestSize); + &pTicketRequest, &RequestSize); if ( Error ) { goto cleanup; } @@ -1439,7 +1440,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA #ifdef ENABLE_PURGING if ( purge_cache ) { // - // Purge the existing tickets which we cannot use so new ones can + // Purge the existing tickets which we cannot use so new ones can // be requested. It is not possible to purge just the TGT. All // service tickets must be purged. // @@ -1447,7 +1448,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA } #endif /* ENABLE_PURGING */ } - + // // Intialize the request of the request. // @@ -1457,8 +1458,8 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA pTicketRequest->LogonId.HighPart = 0; // Note: pTicketRequest->TargetName set up above #ifdef ENABLE_PURGING - pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ? - KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L); + pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ? + KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L); #else pTicketRequest->CacheOptions = (ignore_cache ? KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L); #endif /* ENABLE_PURGING */ @@ -1472,7 +1473,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA &pTicketResponse, &ResponseSize, &SubStatus - ); + ); if (FAILED(Status) || FAILED(SubStatus)) { @@ -1520,7 +1521,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA &pTicketResponse, &ResponseSize, &SubStatus - ); + ); if (FAILED(Status) || FAILED(SubStatus)) { @@ -1528,9 +1529,9 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA goto cleanup; } - if ( pTicketResponse->Ticket.SessionKey.KeyType == etype && + if ( pTicketResponse->Ticket.SessionKey.KeyType == etype && (!enforce_tgs_enctypes || - krb5_is_permitted_tgs_enctype(context, NULL, pTicketResponse->Ticket.SessionKey.KeyType)) ) { + krb5_is_permitted_tgs_enctype(context, NULL, pTicketResponse->Ticket.SessionKey.KeyType)) ) { goto cleanup; // we have a valid ticket, all done } @@ -1541,7 +1542,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA } } - cleanup: +cleanup: if ( etype_list ) krb5_free_ktypes(context, etype_list); @@ -1585,7 +1586,7 @@ GetQueryTktCacheResponseW2K( HANDLE LogonHandle, ULONG PackageId, KERB_QUERY_TKT_CACHE_REQUEST CacheRequest; PKERB_QUERY_TKT_CACHE_RESPONSE pQueryResponse = NULL; ULONG ResponseSize; - + CacheRequest.MessageType = KerbQueryTicketCacheMessage; CacheRequest.LogonId.LowPart = 0; CacheRequest.LogonId.HighPart = 0; @@ -1598,7 +1599,7 @@ GetQueryTktCacheResponseW2K( HANDLE LogonHandle, ULONG PackageId, &pQueryResponse, &ResponseSize, &SubStatus - ); + ); if ( !(FAILED(Status) || FAILED(SubStatus)) ) { *ppResponse = pQueryResponse; @@ -1618,7 +1619,7 @@ GetQueryTktCacheResponseXP( HANDLE LogonHandle, ULONG PackageId, KERB_QUERY_TKT_CACHE_REQUEST CacheRequest; PKERB_QUERY_TKT_CACHE_EX_RESPONSE pQueryResponse = NULL; ULONG ResponseSize; - + CacheRequest.MessageType = KerbQueryTicketCacheExMessage; CacheRequest.LogonId.LowPart = 0; CacheRequest.LogonId.HighPart = 0; @@ -1631,7 +1632,7 @@ GetQueryTktCacheResponseXP( HANDLE LogonHandle, ULONG PackageId, &pQueryResponse, &ResponseSize, &SubStatus - ); + ); if ( !(FAILED(Status) || FAILED(SubStatus)) ) { *ppResponse = pQueryResponse; @@ -1652,7 +1653,7 @@ GetQueryTktCacheResponseEX2( HANDLE LogonHandle, ULONG PackageId, KERB_QUERY_TKT_CACHE_REQUEST CacheRequest; PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pQueryResponse = NULL; ULONG ResponseSize; - + CacheRequest.MessageType = KerbQueryTicketCacheEx2Message; CacheRequest.LogonId.LowPart = 0; CacheRequest.LogonId.HighPart = 0; @@ -1665,7 +1666,7 @@ GetQueryTktCacheResponseEX2( HANDLE LogonHandle, ULONG PackageId, &pQueryResponse, &ResponseSize, &SubStatus - ); + ); if ( !(FAILED(Status) || FAILED(SubStatus)) ) { *ppResponse = pQueryResponse; @@ -1678,7 +1679,7 @@ GetQueryTktCacheResponseEX2( HANDLE LogonHandle, ULONG PackageId, static BOOL GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId, - krb5_context context, krb5_creds *creds, + krb5_context context, krb5_creds *creds, PKERB_EXTERNAL_TICKET *ticket) { NTSTATUS Status = 0; @@ -1715,7 +1716,7 @@ GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId, &pTicketResponse, &ResponseSize, &SubStatus - ); + ); LocalFree(pTicketRequest); @@ -1729,7 +1730,7 @@ GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId, static BOOL GetMSCacheTicketFromCacheInfoW2K( HANDLE LogonHandle, ULONG PackageId, - PKERB_TICKET_CACHE_INFO tktinfo, PKERB_EXTERNAL_TICKET *ticket) + PKERB_TICKET_CACHE_INFO tktinfo, PKERB_EXTERNAL_TICKET *ticket) { NTSTATUS Status = 0; NTSTATUS SubStatus = 0; @@ -1773,13 +1774,13 @@ GetMSCacheTicketFromCacheInfoW2K( HANDLE LogonHandle, ULONG PackageId, &pTicketResponse, &ResponseSize, &SubStatus - ); + ); LocalFree(pTicketRequest); if (FAILED(Status) || FAILED(SubStatus)) return(FALSE); - + /* otherwise return ticket */ *ticket = &(pTicketResponse->Ticket); @@ -1795,7 +1796,7 @@ GetMSCacheTicketFromCacheInfoW2K( HANDLE LogonHandle, ULONG PackageId, static BOOL GetMSCacheTicketFromCacheInfoXP( HANDLE LogonHandle, ULONG PackageId, - PKERB_TICKET_CACHE_INFO_EX tktinfo, PKERB_EXTERNAL_TICKET *ticket) + PKERB_TICKET_CACHE_INFO_EX tktinfo, PKERB_EXTERNAL_TICKET *ticket) { NTSTATUS Status = 0; NTSTATUS SubStatus = 0; @@ -1837,16 +1838,16 @@ GetMSCacheTicketFromCacheInfoXP( HANDLE LogonHandle, ULONG PackageId, &pTicketResponse, &ResponseSize, &SubStatus - ); + ); LocalFree(pTicketRequest); if (FAILED(Status) || FAILED(SubStatus)) return(FALSE); - + /* otherwise return ticket */ *ticket = &(pTicketResponse->Ticket); - + /* set the initial flag if we were attempting to retrieve one * because Windows won't necessarily return the initial ticket * to us. @@ -1860,7 +1861,7 @@ GetMSCacheTicketFromCacheInfoXP( HANDLE LogonHandle, ULONG PackageId, #ifdef HAVE_CACHE_INFO_EX2 static BOOL GetMSCacheTicketFromCacheInfoEX2( HANDLE LogonHandle, ULONG PackageId, - PKERB_TICKET_CACHE_INFO_EX2 tktinfo, PKERB_EXTERNAL_TICKET *ticket) + PKERB_TICKET_CACHE_INFO_EX2 tktinfo, PKERB_EXTERNAL_TICKET *ticket) { NTSTATUS Status = 0; NTSTATUS SubStatus = 0; @@ -1902,71 +1903,71 @@ GetMSCacheTicketFromCacheInfoEX2( HANDLE LogonHandle, ULONG PackageId, &pTicketResponse, &ResponseSize, &SubStatus - ); + ); LocalFree(pTicketRequest); if (FAILED(Status) || FAILED(SubStatus)) return(FALSE); - + /* otherwise return ticket */ *ticket = &(pTicketResponse->Ticket); - + /* set the initial flag if we were attempting to retrieve one - * because Windows won't necessarily return the initial ticket - * to us. - */ - if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_initial ) - (*ticket)->TicketFlags |= KERB_TICKET_FLAGS_initial; + * because Windows won't necessarily return the initial ticket + * to us. + */ + if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_initial ) + (*ticket)->TicketFlags |= KERB_TICKET_FLAGS_initial; return(TRUE); } #endif /* HAVE_CACHE_INFO_EX2 */ static krb5_error_code KRB5_CALLCONV krb5_lcc_close - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_lcc_destroy - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_lcc_end_seq_get - (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); +(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); static krb5_error_code KRB5_CALLCONV krb5_lcc_generate_new - (krb5_context, krb5_ccache *id); +(krb5_context, krb5_ccache *id); static const char * KRB5_CALLCONV krb5_lcc_get_name - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); static krb5_error_code KRB5_CALLCONV krb5_lcc_get_principal - (krb5_context, krb5_ccache id, krb5_principal *princ); +(krb5_context, krb5_ccache id, krb5_principal *princ); static krb5_error_code KRB5_CALLCONV krb5_lcc_initialize - (krb5_context, krb5_ccache id, krb5_principal princ); +(krb5_context, krb5_ccache id, krb5_principal princ); static krb5_error_code KRB5_CALLCONV krb5_lcc_next_cred - (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor, - krb5_creds *creds); +(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor, + krb5_creds *creds); static krb5_error_code KRB5_CALLCONV krb5_lcc_resolve - (krb5_context, krb5_ccache *id, const char *residual); +(krb5_context, krb5_ccache *id, const char *residual); static krb5_error_code KRB5_CALLCONV krb5_lcc_retrieve - (krb5_context, krb5_ccache id, krb5_flags whichfields, - krb5_creds *mcreds, krb5_creds *creds); +(krb5_context, krb5_ccache id, krb5_flags whichfields, + krb5_creds *mcreds, krb5_creds *creds); static krb5_error_code KRB5_CALLCONV krb5_lcc_start_seq_get - (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); +(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); static krb5_error_code KRB5_CALLCONV krb5_lcc_store - (krb5_context, krb5_ccache id, krb5_creds *creds); +(krb5_context, krb5_ccache id, krb5_creds *creds); static krb5_error_code KRB5_CALLCONV krb5_lcc_set_flags - (krb5_context, krb5_ccache id, krb5_flags flags); +(krb5_context, krb5_ccache id, krb5_flags flags); static krb5_error_code KRB5_CALLCONV krb5_lcc_get_flags - (krb5_context, krb5_ccache id, krb5_flags *flags); +(krb5_context, krb5_ccache id, krb5_flags *flags); extern const krb5_cc_ops krb5_lcc_ops; @@ -2004,18 +2005,18 @@ typedef struct _krb5_lcc_cursor { * * Modifies: * id - * + * * Effects: * Acccess the MS Kerberos LSA cache in the current logon session * Ignore the residual. - * + * * Returns: * A filled in krb5_ccache structure "id". * * Errors: * KRB5_CC_NOMEM - there was insufficient memory to allocate the - * - * krb5_ccache. id is undefined. + * + * krb5_ccache. id is undefined. * permission errors */ static krb5_error_code KRB5_CALLCONV @@ -2032,7 +2033,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) return KRB5_FCC_NOFILE; #ifdef COMMENT - /* In at least one case on Win2003 it appears that it is possible + /* In at least one case on Win2003 it appears that it is possible * for the logon session to be authenticated via NTLM and yet for * there to be Kerberos credentials obtained by the LSA on behalf * of the logged in user. Therefore, we are removing this test @@ -2062,7 +2063,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) } lid->magic = KV5M_CCACHE; - data = (krb5_lcc_data *)lid->data; + data = (krb5_lcc_data *)lid->data; data->LogonHandle = LogonHandle; data->PackageId = PackageId; data->princ = 0; @@ -2099,16 +2100,16 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) /* * other routines will get errors on open, and callers must expect them, - * if cache is non-existent/unusable + * if cache is non-existent/unusable */ *id = lid; return retval; } /* -* return success although we do not do anything -* We should delete all tickets belonging to the specified principal -*/ + * return success although we do not do anything + * We should delete all tickets belonging to the specified principal + */ static krb5_error_code KRB5_CALLCONV krb5_lcc_remove_cred(krb5_context context, krb5_ccache id, krb5_flags flags, @@ -2160,7 +2161,7 @@ krb5_lcc_close(krb5_context context, krb5_ccache id) { register int closeval = KRB5_OK; register krb5_lcc_data *data; - + if (!is_windows_2000()) return KRB5_FCC_NOFILE; @@ -2187,15 +2188,15 @@ static krb5_error_code KRB5_CALLCONV krb5_lcc_destroy(krb5_context context, krb5_ccache id) { register krb5_lcc_data *data; - + if (!is_windows_2000()) return KRB5_FCC_NOFILE; - if (id) { + if (id) { data = (krb5_lcc_data *) id->data; return PurgeAllTickets(data->LogonHandle, data->PackageId) ? KRB5_OK : KRB5_FCC_INTERNAL; - } + } return KRB5_FCC_INTERNAL; } @@ -2244,23 +2245,23 @@ krb5_lcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cur *cursor = 0; return KRB5_FCC_INTERNAL; } - } else + } else #endif /* HAVE_CACHE_INFO_EX2 */ - if ( is_windows_xp() ) { - if ( !GetQueryTktCacheResponseXP(data->LogonHandle, data->PackageId, &lcursor->response.xp) ) { - LsaFreeReturnBuffer(lcursor->mstgt); - free(lcursor); - *cursor = 0; - return KRB5_FCC_INTERNAL; - } - } else { - if ( !GetQueryTktCacheResponseW2K(data->LogonHandle, data->PackageId, &lcursor->response.w2k) ) { - LsaFreeReturnBuffer(lcursor->mstgt); - free(lcursor); - *cursor = 0; - return KRB5_FCC_INTERNAL; + if ( is_windows_xp() ) { + if ( !GetQueryTktCacheResponseXP(data->LogonHandle, data->PackageId, &lcursor->response.xp) ) { + LsaFreeReturnBuffer(lcursor->mstgt); + free(lcursor); + *cursor = 0; + return KRB5_FCC_INTERNAL; + } + } else { + if ( !GetQueryTktCacheResponseW2K(data->LogonHandle, data->PackageId, &lcursor->response.w2k) ) { + LsaFreeReturnBuffer(lcursor->mstgt); + free(lcursor); + *cursor = 0; + return KRB5_FCC_INTERNAL; + } } - } lcursor->index = 0; *cursor = (krb5_cc_cursor) lcursor; return KRB5_OK; @@ -2274,7 +2275,7 @@ krb5_lcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cur * * Modifes: * cursor - * + * * Effects: * Fills in creds with the TGT obtained from the MS LSA * @@ -2297,7 +2298,7 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, data = (krb5_lcc_data *)id->data; - next_cred: +next_cred: #ifdef HAVE_CACHE_INFO_EX2 if ( does_query_ticket_cache_ex2() ) { if ( lcursor->index >= lcursor->response.ex2->CountOfTickets ) { @@ -2313,58 +2314,58 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, } if ( data->flags & KRB5_TC_NOTICKET ) { - if (!CacheInfoEx2ToMITCred( &lcursor->response.ex2->Tickets[lcursor->index++], - context, creds)) { + if (!CacheInfoEx2ToMITCred( &lcursor->response.ex2->Tickets[lcursor->index++], + context, creds)) { retval = KRB5_FCC_INTERNAL; goto next_cred; - } + } return KRB5_OK; } else { if (!GetMSCacheTicketFromCacheInfoEX2(data->LogonHandle, data->PackageId, - &lcursor->response.ex2->Tickets[lcursor->index++],&msticket)) { + &lcursor->response.ex2->Tickets[lcursor->index++],&msticket)) { retval = KRB5_FCC_INTERNAL; goto next_cred; } } - } else + } else #endif /* HAVE_CACHE_INFO_EX2 */ - if ( is_windows_xp() ) { - if ( lcursor->index >= lcursor->response.xp->CountOfTickets ) { - if (retval == KRB5_OK) - return KRB5_CC_END; - else { - LsaFreeReturnBuffer(lcursor->mstgt); - LsaFreeReturnBuffer(lcursor->response.xp); - free(*cursor); - *cursor = 0; - return retval; + if ( is_windows_xp() ) { + if ( lcursor->index >= lcursor->response.xp->CountOfTickets ) { + if (retval == KRB5_OK) + return KRB5_CC_END; + else { + LsaFreeReturnBuffer(lcursor->mstgt); + LsaFreeReturnBuffer(lcursor->response.xp); + free(*cursor); + *cursor = 0; + return retval; + } } - } - if (!GetMSCacheTicketFromCacheInfoXP(data->LogonHandle, data->PackageId, - &lcursor->response.xp->Tickets[lcursor->index++],&msticket)) { - retval = KRB5_FCC_INTERNAL; - goto next_cred; - } - } else { - if ( lcursor->index >= lcursor->response.w2k->CountOfTickets ) { - if (retval == KRB5_OK) - return KRB5_CC_END; - else { - LsaFreeReturnBuffer(lcursor->mstgt); - LsaFreeReturnBuffer(lcursor->response.w2k); - free(*cursor); - *cursor = 0; - return retval; + if (!GetMSCacheTicketFromCacheInfoXP(data->LogonHandle, data->PackageId, + &lcursor->response.xp->Tickets[lcursor->index++],&msticket)) { + retval = KRB5_FCC_INTERNAL; + goto next_cred; + } + } else { + if ( lcursor->index >= lcursor->response.w2k->CountOfTickets ) { + if (retval == KRB5_OK) + return KRB5_CC_END; + else { + LsaFreeReturnBuffer(lcursor->mstgt); + LsaFreeReturnBuffer(lcursor->response.w2k); + free(*cursor); + *cursor = 0; + return retval; + } } - } - if (!GetMSCacheTicketFromCacheInfoW2K(data->LogonHandle, data->PackageId, - &lcursor->response.w2k->Tickets[lcursor->index++],&msticket)) { - retval = KRB5_FCC_INTERNAL; - goto next_cred; + if (!GetMSCacheTicketFromCacheInfoW2K(data->LogonHandle, data->PackageId, + &lcursor->response.w2k->Tickets[lcursor->index++],&msticket)) { + retval = KRB5_FCC_INTERNAL; + goto next_cred; + } } - } /* Don't return tickets with NULL Session Keys */ if ( IsMSSessionKeyNull(&msticket->SessionKey) ) { @@ -2377,15 +2378,15 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, if ( does_query_ticket_cache_ex2() ) { if (!MSCredToMITCred(msticket, lcursor->response.ex2->Tickets[lcursor->index-1].ClientRealm, context, creds)) retval = KRB5_FCC_INTERNAL; - } else + } else #endif /* HAVE_CACHE_INFO_EX2 */ - if ( is_windows_xp() ) { - if (!MSCredToMITCred(msticket, lcursor->response.xp->Tickets[lcursor->index-1].ClientRealm, context, creds)) - retval = KRB5_FCC_INTERNAL; - } else { - if (!MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds)) - retval = KRB5_FCC_INTERNAL; - } + if ( is_windows_xp() ) { + if (!MSCredToMITCred(msticket, lcursor->response.xp->Tickets[lcursor->index-1].ClientRealm, context, creds)) + retval = KRB5_FCC_INTERNAL; + } else { + if (!MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds)) + retval = KRB5_FCC_INTERNAL; + } LsaFreeReturnBuffer(msticket); return retval; } @@ -2416,12 +2417,12 @@ krb5_lcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *curso #ifdef HAVE_CACHE_INFO_EX2 if ( does_query_ticket_cache_ex2() ) LsaFreeReturnBuffer(lcursor->response.ex2); - else -#endif /* HAVE_CACHE_INFO_EX2 */ - if ( is_windows_xp() ) - LsaFreeReturnBuffer(lcursor->response.xp); else - LsaFreeReturnBuffer(lcursor->response.w2k); +#endif /* HAVE_CACHE_INFO_EX2 */ + if ( is_windows_xp() ) + LsaFreeReturnBuffer(lcursor->response.xp); + else + LsaFreeReturnBuffer(lcursor->response.w2k); free(*cursor); } *cursor = 0; @@ -2446,7 +2447,7 @@ krb5_lcc_generate_new (krb5_context context, krb5_ccache *id) /* * Requires: * id is a ms lsa credential cache - * + * * Returns: * The ccname specified during the krb5_lcc_resolve call */ @@ -2505,14 +2506,14 @@ krb5_lcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *pri krb5_copy_principal(context, creds.client, &data->princ); krb5_free_cred_contents(context,&creds); return krb5_copy_principal(context, data->princ, princ); - } + } } return KRB5_CC_NOTFOUND; } - + static krb5_error_code KRB5_CALLCONV -krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, +krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds) { krb5_error_code kret = KRB5_OK; @@ -2530,7 +2531,7 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds); if ( !kret ) return KRB5_OK; - + /* if not, we must try to get a ticket without specifying any flags or etypes */ kret = krb5_copy_creds(context, mcreds, &mcreds_noflags); if (kret) @@ -2585,7 +2586,7 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, for ( i=0; iCountOfTickets; i++ ) { if (!GetMSCacheTicketFromCacheInfoXP(data->LogonHandle, data->PackageId, - &pResponse->Tickets[i],&mstmp)) { + &pResponse->Tickets[i],&mstmp)) { continue; } @@ -2616,7 +2617,7 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, kret = KRB5_CC_NOTFOUND; } - cleanup: +cleanup: if ( mstmp ) LsaFreeReturnBuffer(mstmp); if ( mstgt ) @@ -2678,12 +2679,12 @@ krb5_lcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) return KRB5_CC_READONLY; } -/* +/* * Individual credentials can be implemented differently depending * on the operating system version. (undocumented.) - * + * * Errors: - * KRB5_CC_READONLY: + * KRB5_CC_READONLY: */ static krb5_error_code KRB5_CALLCONV krb5_lcc_remove_cred(krb5_context context, krb5_ccache id, krb5_flags flags, @@ -2735,28 +2736,28 @@ krb5_lcc_get_flags(krb5_context context, krb5_ccache id, krb5_flags *flags) } const krb5_cc_ops krb5_lcc_ops = { - 0, - "MSLSA", - krb5_lcc_get_name, - krb5_lcc_resolve, - krb5_lcc_generate_new, - krb5_lcc_initialize, - krb5_lcc_destroy, - krb5_lcc_close, - krb5_lcc_store, - krb5_lcc_retrieve, - krb5_lcc_get_principal, - krb5_lcc_start_seq_get, - krb5_lcc_next_cred, - krb5_lcc_end_seq_get, - krb5_lcc_remove_cred, - krb5_lcc_set_flags, - krb5_lcc_get_flags, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, + 0, + "MSLSA", + krb5_lcc_get_name, + krb5_lcc_resolve, + krb5_lcc_generate_new, + krb5_lcc_initialize, + krb5_lcc_destroy, + krb5_lcc_close, + krb5_lcc_store, + krb5_lcc_retrieve, + krb5_lcc_get_principal, + krb5_lcc_start_seq_get, + krb5_lcc_next_cred, + krb5_lcc_end_seq_get, + krb5_lcc_remove_cred, + krb5_lcc_set_flags, + krb5_lcc_get_flags, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, }; #endif /* _WIN32 */ diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c index 8d3398b18..1c4b575ba 100644 --- a/src/lib/krb5/ccache/cc_retr.c +++ b/src/lib/krb5/ccache/cc_retr.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/cc_retr.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * */ @@ -38,21 +39,21 @@ static int times_match_exact(const krb5_ticket_times *t1, const krb5_ticket_times *t2) { return (t1->authtime == t2->authtime && - t1->starttime == t2->starttime && - t1->endtime == t2->endtime && - t1->renew_till == t2->renew_till); + t1->starttime == t2->starttime && + t1->endtime == t2->endtime && + t1->renew_till == t2->renew_till); } static krb5_boolean times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2) { if (t1->renew_till) { - if (t1->renew_till > t2->renew_till) - return FALSE; /* this one expires too late */ + if (t1->renew_till > t2->renew_till) + return FALSE; /* this one expires too late */ } if (t1->endtime) { - if (t1->endtime > t2->endtime) - return FALSE; /* this one expires too late */ + if (t1->endtime > t2->endtime) + return FALSE; /* this one expires too late */ } /* only care about expiration on a times_match */ return TRUE; @@ -61,8 +62,8 @@ times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2) static krb5_boolean standard_fields_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds *creds) { - return (krb5_principal_compare(context, mcreds->client,creds->client) - && krb5_principal_compare(context, mcreds->server,creds->server)); + return (krb5_principal_compare(context, mcreds->client,creds->client) + && krb5_principal_compare(context, mcreds->server,creds->server)); } /* only match the server name portion, not the server realm portion */ @@ -72,10 +73,10 @@ srvname_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds * { krb5_boolean retval; krb5_principal_data p1, p2; - + retval = krb5_principal_compare(context, mcreds->client,creds->client); if (retval != TRUE) - return retval; + return retval; /* * Hack to ignore the server realm for the purposes of the compare. */ @@ -91,22 +92,22 @@ authdata_match(krb5_authdata *const *mdata, krb5_authdata *const *data) const krb5_authdata *mdatap, *datap; if (mdata == data) - return TRUE; + return TRUE; if (mdata == NULL) - return *data == NULL; - + return *data == NULL; + if (data == NULL) - return *mdata == NULL; - + return *mdata == NULL; + while ((mdatap = *mdata) && (datap = *data)) { - if ((mdatap->ad_type != datap->ad_type) || - (mdatap->length != datap->length) || - (memcmp ((char *)mdatap->contents, - (char *)datap->contents, (unsigned) mdatap->length) != 0)) - return FALSE; - mdata++; - data++; + if ((mdatap->ad_type != datap->ad_type) || + (mdatap->length != datap->length) || + (memcmp ((char *)mdatap->contents, + (char *)datap->contents, (unsigned) mdatap->length) != 0)) + return FALSE; + mdata++; + data++; } return (*mdata == NULL) && (*data == NULL); } @@ -115,10 +116,10 @@ static krb5_boolean data_match(const krb5_data *data1, const krb5_data *data2) { if (!data1) { - if (!data2) - return TRUE; - else - return FALSE; + if (!data2) + return TRUE; + else + return FALSE; } if (!data2) return FALSE; @@ -128,11 +129,11 @@ data_match(const krb5_data *data1, const krb5_data *data2) static int pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes) { - int i; - for (i = 0; i < nktypes; i++) - if (my_ktype == ktypes[i]) - return i; - return -1; + int i; + for (i = 0; i < nktypes; i++) + if (my_ktype == ktypes[i]) + return i; + return -1; } /* @@ -141,7 +142,7 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes) * with the fields specified by whichfields. If one if found, it is * returned in creds, which should be freed by the caller with * krb5_free_credentials(). - * + * * The fields are interpreted in the following way (all constants are * preceded by KRB5_TC_). MATCH_IS_SKEY requires the is_skey field to * match exactly. MATCH_TIMES requires the requested lifetime to be @@ -166,105 +167,105 @@ krb5_boolean krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds) { if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) && - srvname_match(context, mcreds, creds)) || - standard_fields_match(context, mcreds, creds)) - && - (! set(KRB5_TC_MATCH_IS_SKEY) || - mcreds->is_skey == creds->is_skey) - && - (! set(KRB5_TC_MATCH_FLAGS_EXACT) || - mcreds->ticket_flags == creds->ticket_flags) - && - (! set(KRB5_TC_MATCH_FLAGS) || - flags_match(mcreds->ticket_flags, creds->ticket_flags)) - && - (! set(KRB5_TC_MATCH_TIMES_EXACT) || - times_match_exact(&mcreds->times, &creds->times)) - && - (! set(KRB5_TC_MATCH_TIMES) || - times_match(&mcreds->times, &creds->times)) - && - ( ! set(KRB5_TC_MATCH_AUTHDATA) || - authdata_match(mcreds->authdata, creds->authdata)) - && - (! set(KRB5_TC_MATCH_2ND_TKT) || - data_match (&mcreds->second_ticket, &creds->second_ticket)) - && - ((! set(KRB5_TC_MATCH_KTYPE))|| - (mcreds->keyblock.enctype == creds->keyblock.enctype))) + srvname_match(context, mcreds, creds)) || + standard_fields_match(context, mcreds, creds)) + && + (! set(KRB5_TC_MATCH_IS_SKEY) || + mcreds->is_skey == creds->is_skey) + && + (! set(KRB5_TC_MATCH_FLAGS_EXACT) || + mcreds->ticket_flags == creds->ticket_flags) + && + (! set(KRB5_TC_MATCH_FLAGS) || + flags_match(mcreds->ticket_flags, creds->ticket_flags)) + && + (! set(KRB5_TC_MATCH_TIMES_EXACT) || + times_match_exact(&mcreds->times, &creds->times)) + && + (! set(KRB5_TC_MATCH_TIMES) || + times_match(&mcreds->times, &creds->times)) + && + ( ! set(KRB5_TC_MATCH_AUTHDATA) || + authdata_match(mcreds->authdata, creds->authdata)) + && + (! set(KRB5_TC_MATCH_2ND_TKT) || + data_match (&mcreds->second_ticket, &creds->second_ticket)) + && + ((! set(KRB5_TC_MATCH_KTYPE))|| + (mcreds->keyblock.enctype == creds->keyblock.enctype))) return TRUE; return FALSE; } static krb5_error_code krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, - krb5_flags whichfields, krb5_creds *mcreds, - krb5_creds *creds, int nktypes, krb5_enctype *ktypes) + krb5_flags whichfields, krb5_creds *mcreds, + krb5_creds *creds, int nktypes, krb5_enctype *ktypes) { - /* This function could be considerably faster if it kept indexing */ - /* information.. sounds like a "next version" idea to me. :-) */ - - krb5_cc_cursor cursor; - krb5_error_code kret; - krb5_error_code nomatch_err = KRB5_CC_NOTFOUND; - struct { - krb5_creds creds; - int pref; - } fetched, best; - int have_creds = 0; - krb5_flags oflags = 0; + /* This function could be considerably faster if it kept indexing */ + /* information.. sounds like a "next version" idea to me. :-) */ + + krb5_cc_cursor cursor; + krb5_error_code kret; + krb5_error_code nomatch_err = KRB5_CC_NOTFOUND; + struct { + krb5_creds creds; + int pref; + } fetched, best; + int have_creds = 0; + krb5_flags oflags = 0; #define fetchcreds (fetched.creds) - kret = krb5_cc_get_flags(context, id, &oflags); - if (kret != KRB5_OK) - return kret; - if (oflags & KRB5_TC_OPENCLOSE) - (void) krb5_cc_set_flags(context, id, oflags & ~KRB5_TC_OPENCLOSE); - kret = krb5_cc_start_seq_get(context, id, &cursor); - if (kret != KRB5_OK) { - if (oflags & KRB5_TC_OPENCLOSE) - krb5_cc_set_flags(context, id, oflags); - return kret; - } - - while (krb5_cc_next_cred(context, id, &cursor, &fetchcreds) == KRB5_OK) { - if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds)) - { - if (ktypes) { - fetched.pref = pref (fetchcreds.keyblock.enctype, - nktypes, ktypes); - if (fetched.pref < 0) - nomatch_err = KRB5_CC_NOT_KTYPE; - else if (!have_creds || fetched.pref < best.pref) { - if (have_creds) - krb5_free_cred_contents (context, &best.creds); - else - have_creds = 1; - best = fetched; - continue; - } - } else { - krb5_cc_end_seq_get(context, id, &cursor); - *creds = fetchcreds; - if (oflags & KRB5_TC_OPENCLOSE) - krb5_cc_set_flags(context, id, oflags); - return KRB5_OK; - } - } - - /* This one doesn't match */ - krb5_free_cred_contents(context, &fetchcreds); - } - - /* If we get here, a match wasn't found */ - krb5_cc_end_seq_get(context, id, &cursor); - if (oflags & KRB5_TC_OPENCLOSE) - krb5_cc_set_flags(context, id, oflags); - if (have_creds) { - *creds = best.creds; - return KRB5_OK; - } else - return nomatch_err; + kret = krb5_cc_get_flags(context, id, &oflags); + if (kret != KRB5_OK) + return kret; + if (oflags & KRB5_TC_OPENCLOSE) + (void) krb5_cc_set_flags(context, id, oflags & ~KRB5_TC_OPENCLOSE); + kret = krb5_cc_start_seq_get(context, id, &cursor); + if (kret != KRB5_OK) { + if (oflags & KRB5_TC_OPENCLOSE) + krb5_cc_set_flags(context, id, oflags); + return kret; + } + + while (krb5_cc_next_cred(context, id, &cursor, &fetchcreds) == KRB5_OK) { + if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds)) + { + if (ktypes) { + fetched.pref = pref (fetchcreds.keyblock.enctype, + nktypes, ktypes); + if (fetched.pref < 0) + nomatch_err = KRB5_CC_NOT_KTYPE; + else if (!have_creds || fetched.pref < best.pref) { + if (have_creds) + krb5_free_cred_contents (context, &best.creds); + else + have_creds = 1; + best = fetched; + continue; + } + } else { + krb5_cc_end_seq_get(context, id, &cursor); + *creds = fetchcreds; + if (oflags & KRB5_TC_OPENCLOSE) + krb5_cc_set_flags(context, id, oflags); + return KRB5_OK; + } + } + + /* This one doesn't match */ + krb5_free_cred_contents(context, &fetchcreds); + } + + /* If we get here, a match wasn't found */ + krb5_cc_end_seq_get(context, id, &cursor); + if (oflags & KRB5_TC_OPENCLOSE) + krb5_cc_set_flags(context, id, oflags); + if (have_creds) { + *creds = best.creds; + return KRB5_OK; + } else + return nomatch_err; } krb5_error_code KRB5_CALLCONV @@ -275,20 +276,20 @@ krb5_cc_retrieve_cred_default (krb5_context context, krb5_ccache id, krb5_flags krb5_error_code ret; if (flags & KRB5_TC_SUPPORTED_KTYPES) { - ret = krb5_get_tgs_ktypes (context, mcreds->server, &ktypes); - if (ret) - return ret; - nktypes = 0; - while (ktypes[nktypes]) - nktypes++; - - ret = krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds, - nktypes, ktypes); - free (ktypes); - return ret; + ret = krb5_get_tgs_ktypes (context, mcreds->server, &ktypes); + if (ret) + return ret; + nktypes = 0; + while (ktypes[nktypes]) + nktypes++; + + ret = krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds, + nktypes, ktypes); + free (ktypes); + return ret; } else { - return krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds, - 0, 0); + return krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds, + 0, 0); } } @@ -298,24 +299,24 @@ krb5_cc_retrieve_cred_default (krb5_context context, krb5_ccache id, krb5_flags /* returned by the CCAPI is the same creds as the caller passed in. */ /* Unlike the code above it requires that all structures be identical. */ -krb5_boolean KRB5_CALLCONV +krb5_boolean KRB5_CALLCONV krb5_creds_compare (krb5_context in_context, krb5_creds *in_creds, krb5_creds *in_compare_creds) { /* Set to 0 when we hit the first mismatch and then fall through */ int equal = 1; - + if (equal) { - equal = krb5_principal_compare (in_context, in_creds->client, + equal = krb5_principal_compare (in_context, in_creds->client, in_compare_creds->client); } - + if (equal) { - equal = krb5_principal_compare (in_context, in_creds->server, + equal = krb5_principal_compare (in_context, in_creds->server, in_compare_creds->server); } - + if (equal) { equal = (in_creds->keyblock.enctype == in_compare_creds->keyblock.enctype && in_creds->keyblock.length == in_compare_creds->keyblock.length && @@ -323,27 +324,27 @@ krb5_creds_compare (krb5_context in_context, !memcmp (in_creds->keyblock.contents, in_compare_creds->keyblock.contents, in_creds->keyblock.length))); } - - if (equal) { + + if (equal) { equal = (in_creds->times.authtime == in_compare_creds->times.authtime && in_creds->times.starttime == in_compare_creds->times.starttime && in_creds->times.endtime == in_compare_creds->times.endtime && in_creds->times.renew_till == in_compare_creds->times.renew_till); } - + if (equal) { equal = (in_creds->is_skey == in_compare_creds->is_skey); - } - + } + if (equal) { equal = (in_creds->ticket_flags == in_compare_creds->ticket_flags); } - + if (equal) { krb5_address **addresses = in_creds->addresses; krb5_address **compare_addresses = in_compare_creds->addresses; unsigned int i; - + if (addresses && compare_addresses) { for (i = 0; (equal && addresses[i] && compare_addresses[i]); i++) { equal = krb5_address_compare (in_context, addresses[i], @@ -354,29 +355,29 @@ krb5_creds_compare (krb5_context in_context, if (equal) { equal = (!addresses && !compare_addresses); } } } - + if (equal) { - equal = data_eq(in_creds->ticket, in_compare_creds->ticket); + equal = data_eq(in_creds->ticket, in_compare_creds->ticket); } - + if (equal) { - equal = data_eq(in_creds->second_ticket, in_compare_creds->second_ticket); + equal = data_eq(in_creds->second_ticket, in_compare_creds->second_ticket); } - + if (equal) { krb5_authdata **authdata = in_creds->authdata; krb5_authdata **compare_authdata = in_compare_creds->authdata; unsigned int i; - - if (authdata && compare_authdata) { + + if (authdata && compare_authdata) { for (i = 0; (equal && authdata[i] && compare_authdata[i]); i++) { - equal = authdata_eq(*authdata[i], *compare_authdata[i]); + equal = authdata_eq(*authdata[i], *compare_authdata[i]); } if (equal) { equal = (!authdata[i] && !compare_authdata[i]); } } else { if (equal) { equal = (!authdata && !compare_authdata); } } } - + return equal; } diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c index 14569fb59..33fb97c76 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc.c +++ b/src/lib/krb5/ccache/ccapi/stdcc.c @@ -1,7 +1,8 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * stdcc.c - additions to the Kerberos 5 library to support the memory - * credentical cache API - * + * credentical cache API + * * Written by Frank Dabek July 1998 * Updated by Jeffrey Altman June 2006 * @@ -12,7 +13,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -26,7 +27,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ #if defined(_WIN32) || defined(USE_CCAPI) @@ -38,7 +39,7 @@ #include #if defined(_WIN32) -#include "winccld.h" +#include "winccld.h" #endif #ifndef CC_API_VER2 @@ -50,8 +51,8 @@ #include #define SHOW_DEBUG(buf) MessageBox((HWND)NULL, (buf), "ccapi debug", MB_OK) #endif - /* XXX need macintosh debugging statement if we want to debug */ - /* on the mac */ +/* XXX need macintosh debugging statement if we want to debug */ +/* on the mac */ #else #define SHOW_DEBUG(buf) #endif @@ -69,54 +70,54 @@ apiCB *gCntrlBlock = NULL; */ krb5_cc_ops krb5_cc_stdcc_ops = { - 0, - "API", + 0, + "API", #ifdef USE_CCAPI_V3 - krb5_stdccv3_get_name, - krb5_stdccv3_resolve, - krb5_stdccv3_generate_new, - krb5_stdccv3_initialize, - krb5_stdccv3_destroy, - krb5_stdccv3_close, - krb5_stdccv3_store, - krb5_stdccv3_retrieve, - krb5_stdccv3_get_principal, - krb5_stdccv3_start_seq_get, - krb5_stdccv3_next_cred, - krb5_stdccv3_end_seq_get, - krb5_stdccv3_remove, - krb5_stdccv3_set_flags, - krb5_stdccv3_get_flags, - krb5_stdccv3_ptcursor_new, - krb5_stdccv3_ptcursor_next, - krb5_stdccv3_ptcursor_free, - NULL, /* move */ - krb5_stdccv3_last_change_time, /* lastchange */ - NULL, /* wasdefault */ - krb5_stdccv3_lock, - krb5_stdccv3_unlock, + krb5_stdccv3_get_name, + krb5_stdccv3_resolve, + krb5_stdccv3_generate_new, + krb5_stdccv3_initialize, + krb5_stdccv3_destroy, + krb5_stdccv3_close, + krb5_stdccv3_store, + krb5_stdccv3_retrieve, + krb5_stdccv3_get_principal, + krb5_stdccv3_start_seq_get, + krb5_stdccv3_next_cred, + krb5_stdccv3_end_seq_get, + krb5_stdccv3_remove, + krb5_stdccv3_set_flags, + krb5_stdccv3_get_flags, + krb5_stdccv3_ptcursor_new, + krb5_stdccv3_ptcursor_next, + krb5_stdccv3_ptcursor_free, + NULL, /* move */ + krb5_stdccv3_last_change_time, /* lastchange */ + NULL, /* wasdefault */ + krb5_stdccv3_lock, + krb5_stdccv3_unlock, #else - krb5_stdcc_get_name, - krb5_stdcc_resolve, - krb5_stdcc_generate_new, - krb5_stdcc_initialize, - krb5_stdcc_destroy, - krb5_stdcc_close, - krb5_stdcc_store, - krb5_stdcc_retrieve, - krb5_stdcc_get_principal, - krb5_stdcc_start_seq_get, - krb5_stdcc_next_cred, - krb5_stdcc_end_seq_get, - krb5_stdcc_remove, - krb5_stdcc_set_flags, - krb5_stdcc_get_flags, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, + krb5_stdcc_get_name, + krb5_stdcc_resolve, + krb5_stdcc_generate_new, + krb5_stdcc_initialize, + krb5_stdcc_destroy, + krb5_stdcc_close, + krb5_stdcc_store, + krb5_stdcc_retrieve, + krb5_stdcc_get_principal, + krb5_stdcc_start_seq_get, + krb5_stdcc_next_cred, + krb5_stdcc_end_seq_get, + krb5_stdcc_remove, + krb5_stdcc_set_flags, + krb5_stdcc_get_flags, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, #endif }; @@ -126,89 +127,89 @@ krb5_cc_ops krb5_cc_stdcc_ops = { * A notification message is is posted out to all top level * windows so that they may recheck the cache based on the * changes made. We register a unique message type with which - * we'll communicate to all other processes. + * we'll communicate to all other processes. */ static void cache_changed() { - static unsigned int message = 0; - - if (message == 0) - message = RegisterWindowMessage(WM_KERBEROS5_CHANGED); + static unsigned int message = 0; - PostMessage(HWND_BROADCAST, message, 0, 0); + if (message == 0) + message = RegisterWindowMessage(WM_KERBEROS5_CHANGED); + + PostMessage(HWND_BROADCAST, message, 0, 0); } #else /* _WIN32 */ static void cache_changed() { - return; + return; } #endif /* _WIN32 */ struct err_xlate { - int cc_err; - krb5_error_code krb5_err; + int cc_err; + krb5_error_code krb5_err; }; static const struct err_xlate err_xlate_table[] = { #ifdef USE_CCAPI_V3 - { ccIteratorEnd, KRB5_CC_END }, - { ccErrBadParam, KRB5_FCC_INTERNAL }, - { ccErrNoMem, KRB5_CC_NOMEM }, - { ccErrInvalidContext, KRB5_FCC_NOFILE }, - { ccErrInvalidCCache, KRB5_FCC_NOFILE }, - { ccErrInvalidString, KRB5_FCC_INTERNAL }, - { ccErrInvalidCredentials, KRB5_FCC_INTERNAL }, - { ccErrInvalidCCacheIterator, KRB5_FCC_INTERNAL }, - { ccErrInvalidCredentialsIterator, KRB5_FCC_INTERNAL }, - { ccErrInvalidLock, KRB5_FCC_INTERNAL }, - { ccErrBadName, KRB5_CC_BADNAME }, - { ccErrBadCredentialsVersion, KRB5_FCC_INTERNAL }, - { ccErrBadAPIVersion, KRB5_FCC_INTERNAL }, - { ccErrContextLocked, KRB5_FCC_INTERNAL }, - { ccErrContextUnlocked, KRB5_FCC_INTERNAL }, - { ccErrCCacheLocked, KRB5_FCC_INTERNAL }, - { ccErrCCacheUnlocked, KRB5_FCC_INTERNAL }, - { ccErrBadLockType, KRB5_FCC_INTERNAL }, - { ccErrNeverDefault, KRB5_FCC_INTERNAL }, - { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND }, - { ccErrCCacheNotFound, KRB5_FCC_NOFILE }, - { ccErrContextNotFound, KRB5_FCC_NOFILE }, - { ccErrServerUnavailable, KRB5_CC_IO }, - { ccErrServerInsecure, KRB5_CC_IO }, - { ccErrServerCantBecomeUID, KRB5_CC_IO }, - { ccErrTimeOffsetNotSet, KRB5_FCC_INTERNAL }, - { ccErrBadInternalMessage, KRB5_FCC_INTERNAL }, - { ccErrNotImplemented, KRB5_FCC_INTERNAL }, + { ccIteratorEnd, KRB5_CC_END }, + { ccErrBadParam, KRB5_FCC_INTERNAL }, + { ccErrNoMem, KRB5_CC_NOMEM }, + { ccErrInvalidContext, KRB5_FCC_NOFILE }, + { ccErrInvalidCCache, KRB5_FCC_NOFILE }, + { ccErrInvalidString, KRB5_FCC_INTERNAL }, + { ccErrInvalidCredentials, KRB5_FCC_INTERNAL }, + { ccErrInvalidCCacheIterator, KRB5_FCC_INTERNAL }, + { ccErrInvalidCredentialsIterator, KRB5_FCC_INTERNAL }, + { ccErrInvalidLock, KRB5_FCC_INTERNAL }, + { ccErrBadName, KRB5_CC_BADNAME }, + { ccErrBadCredentialsVersion, KRB5_FCC_INTERNAL }, + { ccErrBadAPIVersion, KRB5_FCC_INTERNAL }, + { ccErrContextLocked, KRB5_FCC_INTERNAL }, + { ccErrContextUnlocked, KRB5_FCC_INTERNAL }, + { ccErrCCacheLocked, KRB5_FCC_INTERNAL }, + { ccErrCCacheUnlocked, KRB5_FCC_INTERNAL }, + { ccErrBadLockType, KRB5_FCC_INTERNAL }, + { ccErrNeverDefault, KRB5_FCC_INTERNAL }, + { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND }, + { ccErrCCacheNotFound, KRB5_FCC_NOFILE }, + { ccErrContextNotFound, KRB5_FCC_NOFILE }, + { ccErrServerUnavailable, KRB5_CC_IO }, + { ccErrServerInsecure, KRB5_CC_IO }, + { ccErrServerCantBecomeUID, KRB5_CC_IO }, + { ccErrTimeOffsetNotSet, KRB5_FCC_INTERNAL }, + { ccErrBadInternalMessage, KRB5_FCC_INTERNAL }, + { ccErrNotImplemented, KRB5_FCC_INTERNAL }, #else - { CC_BADNAME, KRB5_CC_BADNAME }, - { CC_NOTFOUND, KRB5_CC_NOTFOUND }, - { CC_END, KRB5_CC_END }, - { CC_IO, KRB5_CC_IO }, - { CC_WRITE, KRB5_CC_WRITE }, - { CC_NOMEM, KRB5_CC_NOMEM }, - { CC_FORMAT, KRB5_CC_FORMAT }, - { CC_WRITE, KRB5_CC_WRITE }, - { CC_LOCKED, KRB5_FCC_INTERNAL /* XXX */ }, - { CC_BAD_API_VERSION, KRB5_FCC_INTERNAL /* XXX */ }, - { CC_NO_EXIST, KRB5_FCC_NOFILE }, - { CC_NOT_SUPP, KRB5_FCC_INTERNAL /* XXX */ }, - { CC_BAD_PARM, KRB5_FCC_INTERNAL /* XXX */ }, - { CC_ERR_CACHE_ATTACH, KRB5_FCC_INTERNAL /* XXX */ }, - { CC_ERR_CACHE_RELEASE, KRB5_FCC_INTERNAL /* XXX */ }, - { CC_ERR_CACHE_FULL, KRB5_FCC_INTERNAL /* XXX */ }, - { CC_ERR_CRED_VERSION, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_BADNAME, KRB5_CC_BADNAME }, + { CC_NOTFOUND, KRB5_CC_NOTFOUND }, + { CC_END, KRB5_CC_END }, + { CC_IO, KRB5_CC_IO }, + { CC_WRITE, KRB5_CC_WRITE }, + { CC_NOMEM, KRB5_CC_NOMEM }, + { CC_FORMAT, KRB5_CC_FORMAT }, + { CC_WRITE, KRB5_CC_WRITE }, + { CC_LOCKED, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_BAD_API_VERSION, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_NO_EXIST, KRB5_FCC_NOFILE }, + { CC_NOT_SUPP, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_BAD_PARM, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_ERR_CACHE_ATTACH, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_ERR_CACHE_RELEASE, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_ERR_CACHE_FULL, KRB5_FCC_INTERNAL /* XXX */ }, + { CC_ERR_CRED_VERSION, KRB5_FCC_INTERNAL /* XXX */ }, #endif - { 0, 0 } + { 0, 0 } }; /* Note: cc_err_xlate is NOT idempotent. Don't call it multiple times. */ static krb5_error_code cc_err_xlate(int err) { const struct err_xlate *p; - + #ifdef USE_CCAPI_V3 if (err == ccNoError) return 0; @@ -216,12 +217,12 @@ static krb5_error_code cc_err_xlate(int err) if (err == CC_NOERROR) return 0; #endif - + for (p = err_xlate_table; p->cc_err; p++) { if (err == p->cc_err) return p->krb5_err; } - + return KRB5_FCC_INTERNAL; } @@ -232,26 +233,26 @@ static krb5_error_code stdccv3_get_timeoffset (krb5_context in_context, cc_ccache_t in_ccache) { krb5_error_code err = 0; - + if (gCCVersion >= ccapi_version_5) { krb5_os_context os_ctx = (krb5_os_context) &in_context->os_context; cc_time_t time_offset = 0; - + err = cc_ccache_get_kdc_time_offset (in_ccache, cc_credentials_v5, &time_offset); - + if (!err) { os_ctx->time_offset = time_offset; os_ctx->usec_offset = 0; os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | KRB5_OS_TOFFSET_VALID); } - + if (err == ccErrTimeOffsetNotSet) { err = 0; /* okay if there is no time offset */ } } - + return err; /* Don't translate. Callers will translate for us */ } @@ -259,17 +260,17 @@ static krb5_error_code stdccv3_set_timeoffset (krb5_context in_context, cc_ccache_t in_ccache) { krb5_error_code err = 0; - + if (gCCVersion >= ccapi_version_5) { krb5_os_context os_ctx = (krb5_os_context) &in_context->os_context; - + if (!err && os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) { - err = cc_ccache_set_kdc_time_offset (in_ccache, + err = cc_ccache_set_kdc_time_offset (in_ccache, cc_credentials_v5, os_ctx->time_offset); } } - + return err; /* Don't translate. Callers will translate for us */ } @@ -277,21 +278,21 @@ static krb5_error_code stdccv3_setup (krb5_context context, stdccCacheDataPtr ccapi_data) { krb5_error_code err = 0; - + if (!err && !gCntrlBlock) { err = cc_initialize (&gCntrlBlock, ccapi_version_max, &gCCVersion, NULL); } - + if (!err && ccapi_data && !ccapi_data->NamedCache) { - /* ccache has not been opened yet. open it. */ + /* ccache has not been opened yet. open it. */ err = cc_context_open_ccache (gCntrlBlock, ccapi_data->cache_name, &ccapi_data->NamedCache); } - + if (!err && ccapi_data && ccapi_data->NamedCache) { err = stdccv3_get_timeoffset (context, ccapi_data->NamedCache); } - + return err; /* Don't translate. Callers will translate for us */ } @@ -305,12 +306,12 @@ void krb5_stdcc_shutdown() /* * -- generate_new -------------------------------- - * + * * create a new cache with a unique name, corresponds to creating a * named cache initialize the API here if we have to. */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_generate_new (krb5_context context, krb5_ccache *id ) +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_generate_new (krb5_context context, krb5_ccache *id ) { krb5_error_code err = 0; krb5_ccache newCache = NULL; @@ -318,98 +319,98 @@ krb5_stdccv3_generate_new (krb5_context context, krb5_ccache *id ) cc_ccache_t ccache = NULL; cc_string_t ccstring = NULL; char *name = NULL; - + if (!err) { err = stdccv3_setup(context, NULL); } - + if (!err) { newCache = (krb5_ccache) malloc (sizeof (*newCache)); if (!newCache) { err = KRB5_CC_NOMEM; } } - + if (!err) { ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data)); if (!ccapi_data) { err = KRB5_CC_NOMEM; } } - + if (!err) { err = cc_context_create_new_ccache (gCntrlBlock, cc_credentials_v5, "", &ccache); } - + if (!err) { err = stdccv3_set_timeoffset (context, ccache); } - + if (!err) { err = cc_ccache_get_name (ccache, &ccstring); } - + if (!err) { name = strdup (ccstring->data); if (!name) { err = KRB5_CC_NOMEM; } } - + if (!err) { ccapi_data->cache_name = name; name = NULL; /* take ownership */ - + ccapi_data->NamedCache = ccache; ccache = NULL; /* take ownership */ - + newCache->ops = &krb5_cc_stdcc_ops; newCache->data = ccapi_data; ccapi_data = NULL; /* take ownership */ - + /* return a pointer to the new cache */ *id = newCache; newCache = NULL; } - + if (ccstring) { cc_string_release (ccstring); } if (name) { free (name); } if (ccache) { cc_ccache_release (ccache); } if (ccapi_data) { free (ccapi_data); } if (newCache) { free (newCache); } - + return cc_err_xlate (err); } - + /* * resolve * * create a new cache with the name stored in residual */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residual ) +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residual ) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = NULL; krb5_ccache ccache = NULL; char *name = NULL; - + if (id == NULL) { err = KRB5_CC_NOMEM; } - + if (!err) { err = stdccv3_setup (context, NULL); } - + if (!err) { ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data)); if (!ccapi_data) { err = KRB5_CC_NOMEM; } } - + if (!err) { ccache = (krb5_ccache ) malloc (sizeof (*ccache)); if (!ccache) { err = KRB5_CC_NOMEM; } } - + if (!err) { name = strdup (residual); if (!name) { err = KRB5_CC_NOMEM; } } - + if (!err) { err = cc_context_open_ccache (gCntrlBlock, residual, &ccapi_data->NamedCache); @@ -420,24 +421,24 @@ krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residu } if (!err) { - ccapi_data->cache_name = name; + ccapi_data->cache_name = name; name = NULL; /* take ownership */ - ccache->ops = &krb5_cc_stdcc_ops; - ccache->data = ccapi_data; + ccache->ops = &krb5_cc_stdcc_ops; + ccache->data = ccapi_data; ccapi_data = NULL; /* take ownership */ - + *id = ccache; ccache = NULL; /* take ownership */ } - + if (ccache) { free (ccache); } if (ccapi_data) { free (ccapi_data); } if (name) { free (name); } - + return cc_err_xlate (err); } - + /* * initialize * @@ -445,36 +446,36 @@ krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residu * principal if not set our principal to this principal. This * searching enables ticket sharing */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_initialize (krb5_context context, - krb5_ccache id, - krb5_principal princ) +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_initialize (krb5_context context, + krb5_ccache id, + krb5_principal princ) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; char *name = NULL; cc_ccache_t ccache = NULL; - + if (id == NULL) { err = KRB5_CC_NOMEM; } - + if (!err) { err = stdccv3_setup (context, NULL); } - + if (!err) { err = krb5_unparse_name(context, princ, &name); } - + if (!err) { - err = cc_context_create_ccache (gCntrlBlock, ccapi_data->cache_name, + err = cc_context_create_ccache (gCntrlBlock, ccapi_data->cache_name, cc_credentials_v5, name, &ccache); } - + if (!err) { err = stdccv3_set_timeoffset (context, ccache); } - + if (!err) { if (ccapi_data->NamedCache) { err = cc_ccache_release (ccapi_data->NamedCache); @@ -483,10 +484,10 @@ krb5_stdccv3_initialize (krb5_context context, ccache = NULL; /* take ownership */ cache_changed (); } - + if (ccache) { cc_ccache_release (ccache); } if (name ) { krb5_free_unparsed_name(context, name); } - + return cc_err_xlate(err); } @@ -495,32 +496,32 @@ krb5_stdccv3_initialize (krb5_context context, * * store some credentials in our cache */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_stdccv3_store (krb5_context context, krb5_ccache id, krb5_creds *creds ) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; cc_credentials_union *cred_union = NULL; - + if (!err) { err = stdccv3_setup (context, ccapi_data); } - + if (!err) { /* copy the fields from the almost identical structures */ err = copy_krb5_creds_to_cc_cred_union (context, creds, &cred_union); } - + if (!err) { err = cc_ccache_store_credentials (ccapi_data->NamedCache, cred_union); } - + if (!err) { cache_changed(); } - + if (cred_union) { cred_union_release (cred_union); } - + return cc_err_xlate (err); } @@ -529,54 +530,54 @@ krb5_stdccv3_store (krb5_context context, krb5_ccache id, krb5_creds *creds ) * * begin an iterator call to get all of the credentials in the cache */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_start_seq_get (krb5_context context, - krb5_ccache id, +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_start_seq_get (krb5_context context, + krb5_ccache id, krb5_cc_cursor *cursor ) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; cc_credentials_iterator_t iterator = NULL; - + if (!err) { err = stdccv3_setup (context, ccapi_data); } - + if (!err) { err = cc_ccache_new_credentials_iterator(ccapi_data->NamedCache, &iterator); } - + if (!err) { *cursor = iterator; } - + return cc_err_xlate (err); } /* * next cred - * + * * - get the next credential in the cache as part of an iterator call * - this maps to call to cc_seq_fetch_creds */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_next_cred (krb5_context context, - krb5_ccache id, - krb5_cc_cursor *cursor, +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_next_cred (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor, krb5_creds *creds) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; cc_credentials_t credentials = NULL; cc_credentials_iterator_t iterator = *cursor; - + if (!iterator) { err = KRB5_CC_END; } - + if (!err) { err = stdccv3_setup (context, ccapi_data); } - + /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */ while (!err) { err = cc_credentials_iterator_next (iterator, &credentials); @@ -586,13 +587,13 @@ krb5_stdccv3_next_cred (krb5_context context, break; } } - + if (credentials) { cc_credentials_release (credentials); } if (err == ccIteratorEnd) { cc_credentials_iterator_release (iterator); *cursor = 0; - } - + } + return cc_err_xlate (err); } @@ -603,14 +604,14 @@ krb5_stdccv3_next_cred (krb5_context context, * - try to find a matching credential in the cache */ krb5_error_code KRB5_CALLCONV -krb5_stdccv3_retrieve (krb5_context context, - krb5_ccache id, - krb5_flags whichfields, - krb5_creds *mcreds, +krb5_stdccv3_retrieve (krb5_context context, + krb5_ccache id, + krb5_flags whichfields, + krb5_creds *mcreds, krb5_creds *creds) { return krb5_cc_retrieve_cred_default (context, id, whichfields, - mcreds, creds); + mcreds, creds); } /* @@ -618,58 +619,58 @@ krb5_stdccv3_retrieve (krb5_context context, * * just free up the storage assoicated with the cursor (if we can) */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_end_seq_get (krb5_context context, - krb5_ccache id, +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_end_seq_get (krb5_context context, + krb5_ccache id, krb5_cc_cursor *cursor) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; cc_credentials_iterator_t iterator = *cursor; - + if (!iterator) { return 0; } - + if (!err) { err = stdccv3_setup (context, ccapi_data); } - + if (!err) { err = cc_credentials_iterator_release(iterator); } - + return cc_err_xlate(err); } - + /* * close * * - free our pointers to the NC */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_close(krb5_context context, +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_close(krb5_context context, krb5_ccache id) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; - + if (!err) { err = stdccv3_setup (context, NULL); } - + if (!err) { - if (ccapi_data) { - if (ccapi_data->cache_name) { - free (ccapi_data->cache_name); + if (ccapi_data) { + if (ccapi_data->cache_name) { + free (ccapi_data->cache_name); } - if (ccapi_data->NamedCache) { - err = cc_ccache_release (ccapi_data->NamedCache); + if (ccapi_data->NamedCache) { + err = cc_ccache_release (ccapi_data->NamedCache); } free (ccapi_data); id->data = NULL; - } - free (id); + } + free (id); } - + return cc_err_xlate(err); } @@ -679,35 +680,35 @@ krb5_stdccv3_close(krb5_context context, * - free our storage and the cache */ krb5_error_code KRB5_CALLCONV -krb5_stdccv3_destroy (krb5_context context, +krb5_stdccv3_destroy (krb5_context context, krb5_ccache id) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; - + if (!err) { err = stdccv3_setup(context, ccapi_data); } - + if (!err) { - if (ccapi_data) { - if (ccapi_data->cache_name) { - free(ccapi_data->cache_name); + if (ccapi_data) { + if (ccapi_data->cache_name) { + free(ccapi_data->cache_name); } if (ccapi_data->NamedCache) { /* destroy the named cache */ err = cc_ccache_destroy(ccapi_data->NamedCache); - if (err == ccErrCCacheNotFound) { + if (err == ccErrCCacheNotFound) { err = 0; /* ccache maybe already destroyed */ } cache_changed(); } free(ccapi_data); id->data = NULL; - } - free(id); + } + free(id); } - + return cc_err_xlate(err); } @@ -716,12 +717,12 @@ krb5_stdccv3_destroy (krb5_context context, * * - return the name of the named cache */ -const char * KRB5_CALLCONV -krb5_stdccv3_get_name (krb5_context context, +const char * KRB5_CALLCONV +krb5_stdccv3_get_name (krb5_context context, krb5_ccache id ) { stdccCacheDataPtr ccapi_data = id->data; - + if (!ccapi_data) { return NULL; } else { @@ -734,29 +735,29 @@ krb5_stdccv3_get_name (krb5_context context, * * - return the principal associated with the named cache */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_get_principal (krb5_context context, - krb5_ccache id , - krb5_principal *princ) +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_get_principal (krb5_context context, + krb5_ccache id , + krb5_principal *princ) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; cc_string_t name = NULL; - + if (!err) { err = stdccv3_setup(context, ccapi_data); } - + if (!err) { err = cc_ccache_get_principal (ccapi_data->NamedCache, cc_credentials_v5, &name); } - + if (!err) { err = krb5_parse_name (context, name->data, princ); } - + if (name) { cc_string_release (name); } - + return cc_err_xlate (err); } @@ -765,16 +766,16 @@ krb5_stdccv3_get_principal (krb5_context context, * * - currently a NOP since we don't store any flags in the NC */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_set_flags (krb5_context context, - krb5_ccache id, +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_set_flags (krb5_context context, + krb5_ccache id, krb5_flags flags) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; - + err = stdccv3_setup (context, ccapi_data); - + return cc_err_xlate (err); } @@ -783,16 +784,16 @@ krb5_stdccv3_set_flags (krb5_context context, * * - currently a NOP since we don't store any flags in the NC */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_get_flags (krb5_context context, - krb5_ccache id, +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_get_flags (krb5_context context, + krb5_ccache id, krb5_flags *flags) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; - + err = stdccv3_setup (context, ccapi_data); - + return cc_err_xlate (err); } @@ -801,22 +802,22 @@ krb5_stdccv3_get_flags (krb5_context context, * * - remove the specified credentials from the NC */ -krb5_error_code KRB5_CALLCONV -krb5_stdccv3_remove (krb5_context context, +krb5_error_code KRB5_CALLCONV +krb5_stdccv3_remove (krb5_context context, krb5_ccache id, - krb5_flags flags, + krb5_flags flags, krb5_creds *in_creds) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; cc_credentials_iterator_t iterator = NULL; int found = 0; - + if (!err) { err = stdccv3_setup(context, ccapi_data); } - - + + if (!err) { err = cc_ccache_new_credentials_iterator(ccapi_data->NamedCache, &iterator); @@ -825,28 +826,28 @@ krb5_stdccv3_remove (krb5_context context, /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */ while (!err && !found) { cc_credentials_t credentials = NULL; - + err = cc_credentials_iterator_next (iterator, &credentials); - + if (!err && (credentials->data->version == cc_credentials_v5)) { krb5_creds creds; - - err = copy_cc_cred_union_to_krb5_creds(context, + + err = copy_cc_cred_union_to_krb5_creds(context, credentials->data, &creds); if (!err) { found = krb5_creds_compare (context, in_creds, &creds); krb5_free_cred_contents (context, &creds); } - + if (!err && found) { err = cc_ccache_remove_credentials (ccapi_data->NamedCache, credentials); } } - + if (credentials) { cc_credentials_release (credentials); } } - if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; } + if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; } if (iterator) { err = cc_credentials_iterator_release(iterator); @@ -855,7 +856,7 @@ krb5_stdccv3_remove (krb5_context context, if (!err) { cache_changed (); } - + return cc_err_xlate (err); } @@ -863,38 +864,38 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_ptcursor_new(krb5_context context, krb5_cc_ptcursor *cursor) { - krb5_error_code err = 0; - krb5_cc_ptcursor ptcursor = NULL; - cc_ccache_iterator_t iterator = NULL; - - ptcursor = malloc(sizeof(*ptcursor)); - if (ptcursor == NULL) { - err = ENOMEM; - } - else { - memset(ptcursor, 0, sizeof(*ptcursor)); - } - - if (!err) { - err = stdccv3_setup(context, NULL); - } - if (!err) { - ptcursor->ops = &krb5_cc_stdcc_ops; - err = cc_context_new_ccache_iterator(gCntrlBlock, &iterator); - } - - if (!err) { - ptcursor->data = iterator; - } - - if (err) { - if (ptcursor) { krb5_stdccv3_ptcursor_free(context, &ptcursor); } - // krb5_stdccv3_ptcursor_free sets ptcursor to NULL for us - } - - *cursor = ptcursor; - - return err; + krb5_error_code err = 0; + krb5_cc_ptcursor ptcursor = NULL; + cc_ccache_iterator_t iterator = NULL; + + ptcursor = malloc(sizeof(*ptcursor)); + if (ptcursor == NULL) { + err = ENOMEM; + } + else { + memset(ptcursor, 0, sizeof(*ptcursor)); + } + + if (!err) { + err = stdccv3_setup(context, NULL); + } + if (!err) { + ptcursor->ops = &krb5_cc_stdcc_ops; + err = cc_context_new_ccache_iterator(gCntrlBlock, &iterator); + } + + if (!err) { + ptcursor->data = iterator; + } + + if (err) { + if (ptcursor) { krb5_stdccv3_ptcursor_free(context, &ptcursor); } + // krb5_stdccv3_ptcursor_free sets ptcursor to NULL for us + } + + *cursor = ptcursor; + + return err; } krb5_error_code KRB5_CALLCONV @@ -903,72 +904,72 @@ krb5_stdccv3_ptcursor_next( krb5_cc_ptcursor cursor, krb5_ccache *ccache) { - krb5_error_code err = 0; - cc_ccache_iterator_t iterator = NULL; - - krb5_ccache newCache = NULL; - stdccCacheDataPtr ccapi_data = NULL; - cc_ccache_t ccCache = NULL; - cc_string_t ccstring = NULL; - char *name = NULL; - - if (!cursor || !cursor->data) { - err = ccErrInvalidContext; - } - - *ccache = NULL; - - if (!err) { - newCache = (krb5_ccache) malloc (sizeof (*newCache)); - if (!newCache) { err = KRB5_CC_NOMEM; } - } - - if (!err) { - ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data)); - if (!ccapi_data) { err = KRB5_CC_NOMEM; } - } - - if (!err) { - iterator = cursor->data; - err = cc_ccache_iterator_next(iterator, &ccCache); - } - - if (!err) { - err = cc_ccache_get_name (ccCache, &ccstring); - } - - if (!err) { - name = strdup (ccstring->data); - if (!name) { err = KRB5_CC_NOMEM; } - } - - if (!err) { - ccapi_data->cache_name = name; - name = NULL; /* take ownership */ - - ccapi_data->NamedCache = ccCache; - ccCache = NULL; /* take ownership */ - - newCache->ops = &krb5_cc_stdcc_ops; - newCache->data = ccapi_data; - ccapi_data = NULL; /* take ownership */ - - /* return a pointer to the new cache */ - *ccache = newCache; - newCache = NULL; - } - - if (name) { free (name); } - if (ccstring) { cc_string_release (ccstring); } - if (ccCache) { cc_ccache_release (ccCache); } - if (ccapi_data) { free (ccapi_data); } - if (newCache) { free (newCache); } - - if (err == ccIteratorEnd) { - err = ccNoError; - } - - return err; + krb5_error_code err = 0; + cc_ccache_iterator_t iterator = NULL; + + krb5_ccache newCache = NULL; + stdccCacheDataPtr ccapi_data = NULL; + cc_ccache_t ccCache = NULL; + cc_string_t ccstring = NULL; + char *name = NULL; + + if (!cursor || !cursor->data) { + err = ccErrInvalidContext; + } + + *ccache = NULL; + + if (!err) { + newCache = (krb5_ccache) malloc (sizeof (*newCache)); + if (!newCache) { err = KRB5_CC_NOMEM; } + } + + if (!err) { + ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data)); + if (!ccapi_data) { err = KRB5_CC_NOMEM; } + } + + if (!err) { + iterator = cursor->data; + err = cc_ccache_iterator_next(iterator, &ccCache); + } + + if (!err) { + err = cc_ccache_get_name (ccCache, &ccstring); + } + + if (!err) { + name = strdup (ccstring->data); + if (!name) { err = KRB5_CC_NOMEM; } + } + + if (!err) { + ccapi_data->cache_name = name; + name = NULL; /* take ownership */ + + ccapi_data->NamedCache = ccCache; + ccCache = NULL; /* take ownership */ + + newCache->ops = &krb5_cc_stdcc_ops; + newCache->data = ccapi_data; + ccapi_data = NULL; /* take ownership */ + + /* return a pointer to the new cache */ + *ccache = newCache; + newCache = NULL; + } + + if (name) { free (name); } + if (ccstring) { cc_string_release (ccstring); } + if (ccCache) { cc_ccache_release (ccCache); } + if (ccapi_data) { free (ccapi_data); } + if (newCache) { free (newCache); } + + if (err == ccIteratorEnd) { + err = ccNoError; + } + + return err; } krb5_error_code KRB5_CALLCONV @@ -977,25 +978,25 @@ krb5_stdccv3_ptcursor_free( krb5_cc_ptcursor *cursor) { if (*cursor != NULL) { - if ((*cursor)->data != NULL) { - cc_ccache_iterator_release((cc_ccache_iterator_t)((*cursor)->data)); - } - free(*cursor); - *cursor = NULL; - } + if ((*cursor)->data != NULL) { + cc_ccache_iterator_release((cc_ccache_iterator_t)((*cursor)->data)); + } + free(*cursor); + *cursor = NULL; + } return 0; } krb5_error_code KRB5_CALLCONV krb5_stdccv3_last_change_time - (krb5_context context, krb5_ccache id, - krb5_timestamp *change_time) +(krb5_context context, krb5_ccache id, + krb5_timestamp *change_time) { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; cc_time_t ccapi_change_time = 0; *change_time = 0; - + if (!err) { err = stdccv3_setup(context, ccapi_data); } @@ -1005,7 +1006,7 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_last_change_time if (!err) { *change_time = ccapi_change_time; } - + return cc_err_xlate (err); } @@ -1014,14 +1015,14 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_lock { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; - + if (!err) { err = stdccv3_setup(context, ccapi_data); } if (!err) { err = cc_ccache_lock(ccapi_data->NamedCache, cc_lock_write, cc_lock_block); } - return cc_err_xlate(err); + return cc_err_xlate(err); } krb5_error_code KRB5_CALLCONV krb5_stdccv3_unlock @@ -1029,14 +1030,14 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_unlock { krb5_error_code err = 0; stdccCacheDataPtr ccapi_data = id->data; - + if (!err) { err = stdccv3_setup(context, ccapi_data); } if (!err) { err = cc_ccache_unlock(ccapi_data->NamedCache); } - return cc_err_xlate(err); + return cc_err_xlate(err); } krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock @@ -1050,7 +1051,7 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock if (!err) { err = cc_context_lock(gCntrlBlock, cc_lock_write, cc_lock_block); } - return cc_err_xlate(err); + return cc_err_xlate(err); } krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock @@ -1064,173 +1065,173 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock if (!err) { err = cc_context_unlock(gCntrlBlock); } - return cc_err_xlate(err); + return cc_err_xlate(err); } #else /* !USE_CCAPI_V3 */ static krb5_error_code stdcc_setup(krb5_context context, - stdccCacheDataPtr ccapi_data) + stdccCacheDataPtr ccapi_data) { - int err; + int err; - /* make sure the API has been intialized */ - if (gCntrlBlock == NULL) { + /* make sure the API has been intialized */ + if (gCntrlBlock == NULL) { #ifdef CC_API_VER2 - err = cc_initialize(&gCntrlBlock, CC_API_VER_2, NULL, NULL); + err = cc_initialize(&gCntrlBlock, CC_API_VER_2, NULL, NULL); #else - err = cc_initialize(&gCntrlBlock, CC_API_VER_1, NULL, NULL); + err = cc_initialize(&gCntrlBlock, CC_API_VER_1, NULL, NULL); #endif - if (err != CC_NOERROR) - return cc_err_xlate(err); - } - - /* - * No ccapi_data structure, so we don't need to make sure the - * ccache exists. - */ - if (!ccapi_data) - return 0; - - /* - * The ccache already exists - */ - if (ccapi_data->NamedCache) - return 0; - - err = cc_open(gCntrlBlock, ccapi_data->cache_name, - CC_CRED_V5, 0L, &ccapi_data->NamedCache); - if (err == CC_NOTFOUND) - err = CC_NO_EXIST; - if (err == CC_NOERROR) - return 0; - - ccapi_data->NamedCache = NULL; - return cc_err_xlate(err); + if (err != CC_NOERROR) + return cc_err_xlate(err); + } + + /* + * No ccapi_data structure, so we don't need to make sure the + * ccache exists. + */ + if (!ccapi_data) + return 0; + + /* + * The ccache already exists + */ + if (ccapi_data->NamedCache) + return 0; + + err = cc_open(gCntrlBlock, ccapi_data->cache_name, + CC_CRED_V5, 0L, &ccapi_data->NamedCache); + if (err == CC_NOTFOUND) + err = CC_NO_EXIST; + if (err == CC_NOERROR) + return 0; + + ccapi_data->NamedCache = NULL; + return cc_err_xlate(err); } void krb5_stdcc_shutdown() { - if (gCntrlBlock) - cc_shutdown(&gCntrlBlock); - gCntrlBlock = NULL; + if (gCntrlBlock) + cc_shutdown(&gCntrlBlock); + gCntrlBlock = NULL; } /* * -- generate_new -------------------------------- - * + * * create a new cache with a unique name, corresponds to creating a * named cache iniitialize the API here if we have to. */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new - (krb5_context context, krb5_ccache *id ) +krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new +(krb5_context context, krb5_ccache *id ) { - krb5_ccache newCache = NULL; - krb5_error_code retval; - stdccCacheDataPtr ccapi_data = NULL; - char *name = NULL; - cc_time_t change_time; - int err; - - if ((retval = stdcc_setup(context, NULL))) - return retval; - - retval = KRB5_CC_NOMEM; - if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)))) - goto errout; - if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData)))) - goto errout; - if (!(name = malloc(256))) - goto errout; - - /* create a unique name */ - cc_get_change_time(gCntrlBlock, &change_time); - snprintf(name, 256, "gen_new_cache%d", change_time); - - /* create the new cache */ - err = cc_create(gCntrlBlock, name, name, CC_CRED_V5, 0L, - &ccapi_data->NamedCache); - if (err != CC_NOERROR) { - retval = cc_err_xlate(err); - goto errout; - } - - /* setup some fields */ - newCache->ops = &krb5_cc_stdcc_ops; - newCache->data = ccapi_data; - ccapi_data->cache_name = name; - - /* return a pointer to the new cache */ - *id = newCache; - - return 0; + krb5_ccache newCache = NULL; + krb5_error_code retval; + stdccCacheDataPtr ccapi_data = NULL; + char *name = NULL; + cc_time_t change_time; + int err; + + if ((retval = stdcc_setup(context, NULL))) + return retval; + + retval = KRB5_CC_NOMEM; + if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)))) + goto errout; + if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData)))) + goto errout; + if (!(name = malloc(256))) + goto errout; + + /* create a unique name */ + cc_get_change_time(gCntrlBlock, &change_time); + snprintf(name, 256, "gen_new_cache%d", change_time); + + /* create the new cache */ + err = cc_create(gCntrlBlock, name, name, CC_CRED_V5, 0L, + &ccapi_data->NamedCache); + if (err != CC_NOERROR) { + retval = cc_err_xlate(err); + goto errout; + } + + /* setup some fields */ + newCache->ops = &krb5_cc_stdcc_ops; + newCache->data = ccapi_data; + ccapi_data->cache_name = name; + + /* return a pointer to the new cache */ + *id = newCache; + + return 0; errout: - if (newCache) - free(newCache); - if (ccapi_data) - free(ccapi_data); - if (name) - free(name); - return retval; + if (newCache) + free(newCache); + if (ccapi_data) + free(ccapi_data); + if (name) + free(name); + return retval; } - + /* * resolve * * create a new cache with the name stored in residual */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve - (krb5_context context, krb5_ccache *id , const char *residual ) +krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve +(krb5_context context, krb5_ccache *id , const char *residual ) { - krb5_ccache newCache = NULL; - stdccCacheDataPtr ccapi_data = NULL; - int err; - krb5_error_code retval; - char *cName = NULL; - - if ((retval = stdcc_setup(context, NULL))) - return retval; - - retval = KRB5_CC_NOMEM; - if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)))) - goto errout; - - if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData)))) - goto errout; - - if (!(cName = strdup(residual))) - goto errout; - - newCache->ops = &krb5_cc_stdcc_ops; - newCache->data = ccapi_data; - ccapi_data->cache_name = cName; - - err = cc_open(gCntrlBlock, cName, CC_CRED_V5, 0L, - &ccapi_data->NamedCache); - if (err != CC_NOERROR) { - ccapi_data->NamedCache = NULL; - if (err != CC_NO_EXIST) { - retval = cc_err_xlate(err); - goto errout; - } + krb5_ccache newCache = NULL; + stdccCacheDataPtr ccapi_data = NULL; + int err; + krb5_error_code retval; + char *cName = NULL; + + if ((retval = stdcc_setup(context, NULL))) + return retval; + + retval = KRB5_CC_NOMEM; + if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)))) + goto errout; + + if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData)))) + goto errout; + + if (!(cName = strdup(residual))) + goto errout; + + newCache->ops = &krb5_cc_stdcc_ops; + newCache->data = ccapi_data; + ccapi_data->cache_name = cName; + + err = cc_open(gCntrlBlock, cName, CC_CRED_V5, 0L, + &ccapi_data->NamedCache); + if (err != CC_NOERROR) { + ccapi_data->NamedCache = NULL; + if (err != CC_NO_EXIST) { + retval = cc_err_xlate(err); + goto errout; } - - /* return new cache structure */ - *id = newCache; - - return 0; - + } + + /* return new cache structure */ + *id = newCache; + + return 0; + errout: - if (newCache) - free(newCache); - if (ccapi_data) - free(ccapi_data); - if (cName) - free(cName); - return retval; + if (newCache) + free(newCache); + if (ccapi_data) + free(ccapi_data); + if (cName) + free(cName); + return retval; } - + /* * initialize * @@ -1238,48 +1239,48 @@ errout: * principal if not set our principal to this principal. This * searching enables ticket sharing */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize - (krb5_context context, krb5_ccache id, krb5_principal princ) +krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize +(krb5_context context, krb5_ccache id, krb5_principal princ) { - stdccCacheDataPtr ccapi_data = NULL; - int err; - char *cName = NULL; - krb5_error_code retval; - - if ((retval = stdcc_setup(context, NULL))) - return retval; - - /* test id for null */ - if (id == NULL) return KRB5_CC_NOMEM; - - if ((retval = krb5_unparse_name(context, princ, &cName))) - return retval; - - ccapi_data = id->data; - - - if (ccapi_data->NamedCache) - cc_close(gCntrlBlock, &ccapi_data->NamedCache); - - err = cc_create(gCntrlBlock, ccapi_data->cache_name, cName, - CC_CRED_V5, 0L, &ccapi_data->NamedCache); - if (err != CC_NOERROR) { - krb5_free_unparsed_name(context, cName); - return cc_err_xlate(err); - } + stdccCacheDataPtr ccapi_data = NULL; + int err; + char *cName = NULL; + krb5_error_code retval; + + if ((retval = stdcc_setup(context, NULL))) + return retval; + + /* test id for null */ + if (id == NULL) return KRB5_CC_NOMEM; + + if ((retval = krb5_unparse_name(context, princ, &cName))) + return retval; + + ccapi_data = id->data; + + + if (ccapi_data->NamedCache) + cc_close(gCntrlBlock, &ccapi_data->NamedCache); + + err = cc_create(gCntrlBlock, ccapi_data->cache_name, cName, + CC_CRED_V5, 0L, &ccapi_data->NamedCache); + if (err != CC_NOERROR) { + krb5_free_unparsed_name(context, cName); + return cc_err_xlate(err); + } #if 0 - /* - * Some implementations don't set the principal name - * correctly, so we force set it to the correct value. - */ - err = cc_set_principal(gCntrlBlock, ccapi_data->NamedCache, - CC_CRED_V5, cName); + /* + * Some implementations don't set the principal name + * correctly, so we force set it to the correct value. + */ + err = cc_set_principal(gCntrlBlock, ccapi_data->NamedCache, + CC_CRED_V5, cName); #endif - krb5_free_unparsed_name(context, cName); - cache_changed(); - - return cc_err_xlate(err); + krb5_free_unparsed_name(context, cName); + cache_changed(); + + return cc_err_xlate(err); } /* @@ -1287,35 +1288,35 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize * * store some credentials in our cache */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_store - (krb5_context context, krb5_ccache id, krb5_creds *creds ) +krb5_error_code KRB5_CALLCONV krb5_stdcc_store +(krb5_context context, krb5_ccache id, krb5_creds *creds ) { - krb5_error_code retval; - stdccCacheDataPtr ccapi_data = id->data; - cred_union *cu = NULL; - int err; - - if ((retval = stdcc_setup(context, ccapi_data))) - return retval; - - /* copy the fields from the almost identical structures */ - dupK5toCC(context, creds, &cu); - - /* - * finally store the credential - * store will copy (that is duplicate) everything - */ - err = cc_store(gCntrlBlock, - ((stdccCacheDataPtr)(id->data))->NamedCache, *cu); - if (err != CC_NOERROR) - return cc_err_xlate(err); - - /* free the cred union using our local version of cc_free_creds() - since we allocated it locally */ - err = krb5int_free_cc_cred_union(&cu); - - cache_changed(); - return err; + krb5_error_code retval; + stdccCacheDataPtr ccapi_data = id->data; + cred_union *cu = NULL; + int err; + + if ((retval = stdcc_setup(context, ccapi_data))) + return retval; + + /* copy the fields from the almost identical structures */ + dupK5toCC(context, creds, &cu); + + /* + * finally store the credential + * store will copy (that is duplicate) everything + */ + err = cc_store(gCntrlBlock, + ((stdccCacheDataPtr)(id->data))->NamedCache, *cu); + if (err != CC_NOERROR) + return cc_err_xlate(err); + + /* free the cred union using our local version of cc_free_creds() + since we allocated it locally */ + err = krb5int_free_cc_cred_union(&cu); + + cache_changed(); + return err; } /* @@ -1323,75 +1324,75 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_store * * begin an iterator call to get all of the credentials in the cache */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get +krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get (krb5_context context, krb5_ccache id , krb5_cc_cursor *cursor ) { - stdccCacheDataPtr ccapi_data = id->data; - krb5_error_code retval; - int err; - ccache_cit *iterator; + stdccCacheDataPtr ccapi_data = id->data; + krb5_error_code retval; + int err; + ccache_cit *iterator; - if ((retval = stdcc_setup(context, ccapi_data))) - return retval; + if ((retval = stdcc_setup(context, ccapi_data))) + return retval; #ifdef CC_API_VER2 - err = cc_seq_fetch_creds_begin(gCntrlBlock, ccapi_data->NamedCache, - &iterator); - if (err != CC_NOERROR) - return cc_err_xlate(err); - *cursor = iterator; + err = cc_seq_fetch_creds_begin(gCntrlBlock, ccapi_data->NamedCache, + &iterator); + if (err != CC_NOERROR) + return cc_err_xlate(err); + *cursor = iterator; #else - /* all we have to do is initialize the cursor */ - *cursor = NULL; + /* all we have to do is initialize the cursor */ + *cursor = NULL; #endif - return 0; + return 0; } /* * next cred - * + * * - get the next credential in the cache as part of an iterator call * - this maps to call to cc_seq_fetch_creds */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred - (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, - krb5_creds *creds) +krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred +(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, + krb5_creds *creds) { - krb5_error_code retval; - stdccCacheDataPtr ccapi_data = id->data; - int err; - cred_union *credU = NULL; - ccache_cit *iterator; - - if ((retval = stdcc_setup(context, ccapi_data))) - return retval; - + krb5_error_code retval; + stdccCacheDataPtr ccapi_data = id->data; + int err; + cred_union *credU = NULL; + ccache_cit *iterator; + + if ((retval = stdcc_setup(context, ccapi_data))) + return retval; + #ifdef CC_API_VER2 - iterator = *cursor; - if (iterator == 0) - return KRB5_CC_END; - err = cc_seq_fetch_creds_next(gCntrlBlock, &credU, iterator); - - if (err == CC_END) { - cc_seq_fetch_creds_end(gCntrlBlock, &iterator); - *cursor = 0; - } + iterator = *cursor; + if (iterator == 0) + return KRB5_CC_END; + err = cc_seq_fetch_creds_next(gCntrlBlock, &credU, iterator); + + if (err == CC_END) { + cc_seq_fetch_creds_end(gCntrlBlock, &iterator); + *cursor = 0; + } #else - err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache, - &credU, (ccache_cit **)cursor); + err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache, + &credU, (ccache_cit **)cursor); #endif - if (err != CC_NOERROR) - return cc_err_xlate(err); - - /* copy data (with translation) */ - dupCCtoK5(context, credU->cred.pV5Cred, creds); - - /* free our version of the cred - okay to use cc_free_creds() here - because we got it from the CCache library */ - cc_free_creds(gCntrlBlock, &credU); - - return 0; + if (err != CC_NOERROR) + return cc_err_xlate(err); + + /* copy data (with translation) */ + dupCCtoK5(context, credU->cred.pV5Cred, creds); + + /* free our version of the cred - okay to use cc_free_creds() here + because we got it from the CCache library */ + cc_free_creds(gCntrlBlock, &credU); + + return 0; } @@ -1401,63 +1402,63 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred * - try to find a matching credential in the cache */ #if 0 -krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve - (krb5_context context, - krb5_ccache id, - krb5_flags whichfields, - krb5_creds *mcreds, - krb5_creds *creds ) +krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve +(krb5_context context, + krb5_ccache id, + krb5_flags whichfields, + krb5_creds *mcreds, + krb5_creds *creds ) { - krb5_error_code retval; - krb5_cc_cursor curs = NULL; - krb5_creds *fetchcreds; - - if ((retval = stdcc_setup(context, NULL))) - return retval; - - fetchcreds = (krb5_creds *)malloc(sizeof(krb5_creds)); - if (fetchcreds == NULL) return KRB5_CC_NOMEM; - - /* we're going to use the iterators */ - krb5_stdcc_start_seq_get(context, id, &curs); - - while (!krb5_stdcc_next_cred(context, id, &curs, fetchcreds)) { - /* - * look at each credential for a match - * use this match routine since it takes the - * whichfields and the API doesn't - */ - if (stdccCredsMatch(context, fetchcreds, - mcreds, whichfields)) { - /* we found it, copy and exit */ - *creds = *fetchcreds; - krb5_stdcc_end_seq_get(context, id, &curs); - return 0; - } - /* free copy allocated by next_cred */ - krb5_free_cred_contents(context, fetchcreds); - } - - /* no luck, end get and exit */ - krb5_stdcc_end_seq_get(context, id, &curs); - - /* we're not using this anymore so we should get rid of it! */ - free(fetchcreds); - - return KRB5_CC_NOTFOUND; + krb5_error_code retval; + krb5_cc_cursor curs = NULL; + krb5_creds *fetchcreds; + + if ((retval = stdcc_setup(context, NULL))) + return retval; + + fetchcreds = (krb5_creds *)malloc(sizeof(krb5_creds)); + if (fetchcreds == NULL) return KRB5_CC_NOMEM; + + /* we're going to use the iterators */ + krb5_stdcc_start_seq_get(context, id, &curs); + + while (!krb5_stdcc_next_cred(context, id, &curs, fetchcreds)) { + /* + * look at each credential for a match + * use this match routine since it takes the + * whichfields and the API doesn't + */ + if (stdccCredsMatch(context, fetchcreds, + mcreds, whichfields)) { + /* we found it, copy and exit */ + *creds = *fetchcreds; + krb5_stdcc_end_seq_get(context, id, &curs); + return 0; + } + /* free copy allocated by next_cred */ + krb5_free_cred_contents(context, fetchcreds); + } + + /* no luck, end get and exit */ + krb5_stdcc_end_seq_get(context, id, &curs); + + /* we're not using this anymore so we should get rid of it! */ + free(fetchcreds); + + return KRB5_CC_NOTFOUND; } #else krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve(context, id, whichfields, mcreds, creds) - krb5_context context; - krb5_ccache id; - krb5_flags whichfields; - krb5_creds *mcreds; - krb5_creds *creds; + krb5_context context; + krb5_ccache id; + krb5_flags whichfields; + krb5_creds *mcreds; + krb5_creds *creds; { return krb5_cc_retrieve_cred_default (context, id, whichfields, - mcreds, creds); + mcreds, creds); } #endif @@ -1467,73 +1468,73 @@ krb5_stdcc_retrieve(context, id, whichfields, mcreds, creds) * * just free up the storage assoicated with the cursor (if we could) */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get - (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) +krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get +(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { - krb5_error_code retval; - stdccCacheDataPtr ccapi_data = NULL; - int err; + krb5_error_code retval; + stdccCacheDataPtr ccapi_data = NULL; + int err; #ifndef CC_API_VER2 - cred_union *credU = NULL; + cred_union *credU = NULL; #endif - ccapi_data = id->data; - - if ((retval = stdcc_setup(context, ccapi_data))) - return retval; + ccapi_data = id->data; - if (*cursor == NULL) - return 0; + if ((retval = stdcc_setup(context, ccapi_data))) + return retval; + + if (*cursor == NULL) + return 0; #ifdef CC_API_VER2 - err = cc_seq_fetch_creds_end(gCntrlBlock, (ccache_cit **)cursor); - if (err != CC_NOERROR) - return cc_err_xlate(err); -#else - /* - * Finish calling cc_seq_fetch_creds to clear out the cursor - */ - while (*cursor) { - err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache, - &credU, (ccache_cit **)cursor); - if (err) - break; - - /* okay to call cc_free_creds() here because we got credU from CCache lib */ - cc_free_creds(gCntrlBlock, &credU); - } + err = cc_seq_fetch_creds_end(gCntrlBlock, (ccache_cit **)cursor); + if (err != CC_NOERROR) + return cc_err_xlate(err); +#else + /* + * Finish calling cc_seq_fetch_creds to clear out the cursor + */ + while (*cursor) { + err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache, + &credU, (ccache_cit **)cursor); + if (err) + break; + + /* okay to call cc_free_creds() here because we got credU from CCache lib */ + cc_free_creds(gCntrlBlock, &credU); + } #endif - - return(0); + + return(0); } - + /* * close * * - free our pointers to the NC */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_stdcc_close(krb5_context context, krb5_ccache id) { - krb5_error_code retval; - stdccCacheDataPtr ccapi_data = id->data; - - if ((retval = stdcc_setup(context, NULL))) - return retval; - - /* free it */ - - if (ccapi_data) { - if (ccapi_data->cache_name) - free(ccapi_data->cache_name); - if (ccapi_data->NamedCache) - cc_close(gCntrlBlock, &ccapi_data->NamedCache); - free(ccapi_data); - id->data = NULL; - } - free(id); - - return 0; + krb5_error_code retval; + stdccCacheDataPtr ccapi_data = id->data; + + if ((retval = stdcc_setup(context, NULL))) + return retval; + + /* free it */ + + if (ccapi_data) { + if (ccapi_data->cache_name) + free(ccapi_data->cache_name); + if (ccapi_data->NamedCache) + cc_close(gCntrlBlock, &ccapi_data->NamedCache); + free(ccapi_data); + id->data = NULL; + } + free(id); + + return 0; } /* @@ -1544,35 +1545,35 @@ krb5_stdcc_close(krb5_context context, krb5_ccache id) krb5_error_code KRB5_CALLCONV krb5_stdcc_destroy (krb5_context context, krb5_ccache id) { - int err; - krb5_error_code retval; - stdccCacheDataPtr ccapi_data = id->data; - - if ((retval = stdcc_setup(context, ccapi_data))) { - return retval; - } - - /* free memory associated with the krb5_ccache */ - if (ccapi_data) { - if (ccapi_data->cache_name) - free(ccapi_data->cache_name); - if (ccapi_data->NamedCache) { - /* destroy the named cache */ - err = cc_destroy(gCntrlBlock, &ccapi_data->NamedCache); - retval = cc_err_xlate(err); - cache_changed(); - } - free(ccapi_data); - id->data = NULL; - } - free(id); - - /* If the cache does not exist when we tried to destroy it, - that's fine. That means someone else destryoed it since - we resolved it. */ - if (retval == KRB5_FCC_NOFILE) - return 0; - return retval; + int err; + krb5_error_code retval; + stdccCacheDataPtr ccapi_data = id->data; + + if ((retval = stdcc_setup(context, ccapi_data))) { + return retval; + } + + /* free memory associated with the krb5_ccache */ + if (ccapi_data) { + if (ccapi_data->cache_name) + free(ccapi_data->cache_name); + if (ccapi_data->NamedCache) { + /* destroy the named cache */ + err = cc_destroy(gCntrlBlock, &ccapi_data->NamedCache); + retval = cc_err_xlate(err); + cache_changed(); + } + free(ccapi_data); + id->data = NULL; + } + free(id); + + /* If the cache does not exist when we tried to destroy it, + that's fine. That means someone else destryoed it since + we resolved it. */ + if (retval == KRB5_FCC_NOFILE) + return 0; + return retval; } /* @@ -1580,15 +1581,15 @@ krb5_stdcc_destroy (krb5_context context, krb5_ccache id) * * - return the name of the named cache */ -const char * KRB5_CALLCONV krb5_stdcc_get_name - (krb5_context context, krb5_ccache id ) +const char * KRB5_CALLCONV krb5_stdcc_get_name +(krb5_context context, krb5_ccache id ) { - stdccCacheDataPtr ccapi_data = id->data; + stdccCacheDataPtr ccapi_data = id->data; - if (!ccapi_data) - return 0; + if (!ccapi_data) + return 0; - return (ccapi_data->cache_name); + return (ccapi_data->cache_name); } @@ -1597,29 +1598,29 @@ const char * KRB5_CALLCONV krb5_stdcc_get_name * - return the principal associated with the named cache */ krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal - (krb5_context context, krb5_ccache id , krb5_principal *princ) +(krb5_context context, krb5_ccache id , krb5_principal *princ) { - int err; - char *name = NULL; - stdccCacheDataPtr ccapi_data = id->data; - krb5_error_code retval; - - if ((retval = stdcc_setup(context, ccapi_data))) - return retval; - - /* another wrapper */ - err = cc_get_principal(gCntrlBlock, ccapi_data->NamedCache, - &name); - - if (err != CC_NOERROR) - return cc_err_xlate(err); - - /* turn it into a krb principal */ - err = krb5_parse_name(context, name, princ); - - cc_free_principal(gCntrlBlock, &name); - - return err; + int err; + char *name = NULL; + stdccCacheDataPtr ccapi_data = id->data; + krb5_error_code retval; + + if ((retval = stdcc_setup(context, ccapi_data))) + return retval; + + /* another wrapper */ + err = cc_get_principal(gCntrlBlock, ccapi_data->NamedCache, + &name); + + if (err != CC_NOERROR) + return cc_err_xlate(err); + + /* turn it into a krb principal */ + err = krb5_parse_name(context, name, princ); + + cc_free_principal(gCntrlBlock, &name); + + return err; } /* @@ -1627,16 +1628,16 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal * * - currently a NOP since we don't store any flags in the NC */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags - (krb5_context context, krb5_ccache id , krb5_flags flags) +krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags +(krb5_context context, krb5_ccache id , krb5_flags flags) { - stdccCacheDataPtr ccapi_data = id->data; - krb5_error_code retval; - - if ((retval = stdcc_setup(context, ccapi_data))) - return retval; + stdccCacheDataPtr ccapi_data = id->data; + krb5_error_code retval; + + if ((retval = stdcc_setup(context, ccapi_data))) + return retval; - return 0; + return 0; } /* @@ -1644,16 +1645,16 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags * * - currently a NOP since we don't store any flags in the NC */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags - (krb5_context context, krb5_ccache id , krb5_flags *flags) +krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags +(krb5_context context, krb5_ccache id , krb5_flags *flags) { - stdccCacheDataPtr ccapi_data = id->data; - krb5_error_code retval; - - if ((retval = stdcc_setup(context, ccapi_data))) - return retval; + stdccCacheDataPtr ccapi_data = id->data; + krb5_error_code retval; + + if ((retval = stdcc_setup(context, ccapi_data))) + return retval; - return 0; + return 0; } /* @@ -1661,39 +1662,38 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags * * - remove the specified credentials from the NC */ -krb5_error_code KRB5_CALLCONV krb5_stdcc_remove - (krb5_context context, krb5_ccache id, - krb5_flags flags, krb5_creds *creds) +krb5_error_code KRB5_CALLCONV krb5_stdcc_remove +(krb5_context context, krb5_ccache id, + krb5_flags flags, krb5_creds *creds) { - cred_union *cu = NULL; - int err; - stdccCacheDataPtr ccapi_data = id->data; - krb5_error_code retval; - - if ((retval = stdcc_setup(context, ccapi_data))) { - if (retval == KRB5_FCC_NOFILE) - return 0; - return retval; - } - - /* convert to a cred union */ - dupK5toCC(context, creds, &cu); - - /* remove it */ - err = cc_remove_cred(gCntrlBlock, ccapi_data->NamedCache, *cu); - if (err != CC_NOERROR) - return cc_err_xlate(err); - - /* free the cred union using our local version of cc_free_creds() - since we allocated it locally */ - err = krb5int_free_cc_cred_union(&cu); - cache_changed(); - if (err != CC_NOERROR) - return cc_err_xlate(err); + cred_union *cu = NULL; + int err; + stdccCacheDataPtr ccapi_data = id->data; + krb5_error_code retval; + + if ((retval = stdcc_setup(context, ccapi_data))) { + if (retval == KRB5_FCC_NOFILE) + return 0; + return retval; + } - return 0; + /* convert to a cred union */ + dupK5toCC(context, creds, &cu); + + /* remove it */ + err = cc_remove_cred(gCntrlBlock, ccapi_data->NamedCache, *cu); + if (err != CC_NOERROR) + return cc_err_xlate(err); + + /* free the cred union using our local version of cc_free_creds() + since we allocated it locally */ + err = krb5int_free_cc_cred_union(&cu); + cache_changed(); + if (err != CC_NOERROR) + return cc_err_xlate(err); + + return 0; } #endif /* !USE_CCAPI_V3 */ #endif /* defined(_WIN32) || defined(USE_CCAPI) */ - diff --git a/src/lib/krb5/ccache/ccapi/stdcc.h b/src/lib/krb5/ccache/ccapi/stdcc.h index e9ec085eb..6550efcb4 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc.h +++ b/src/lib/krb5/ccache/ccapi/stdcc.h @@ -1,9 +1,10 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #ifndef __KRB5_STDCC_H__ #define __KRB5_STDCC_H__ #if defined(_WIN32) || defined(USE_CCAPI) -#include "k5-int.h" /* loads krb5.h */ +#include "k5-int.h" /* loads krb5.h */ #ifdef USE_CCAPI_V3 #include @@ -24,11 +25,11 @@ extern krb5_cc_ops krb5_cc_stdcc_ops; * structure to stash in the cache's data field */ typedef struct _stdccCacheData { - char *cache_name; + char *cache_name; #ifdef USE_CCAPI_V3 - cc_ccache_t NamedCache; + cc_ccache_t NamedCache; #else - ccache_p *NamedCache; + ccache_p *NamedCache; #endif } stdccCacheData, *stdccCacheDataPtr; @@ -40,135 +41,135 @@ void krb5_stdcc_shutdown(void); #ifdef USE_CCAPI_V3 krb5_error_code KRB5_CALLCONV krb5_stdccv3_close - (krb5_context, krb5_ccache id ); +(krb5_context, krb5_ccache id ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_destroy - (krb5_context, krb5_ccache id ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_destroy +(krb5_context, krb5_ccache id ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_end_seq_get - (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_end_seq_get +(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_generate_new - (krb5_context, krb5_ccache *id ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_generate_new +(krb5_context, krb5_ccache *id ); -const char * KRB5_CALLCONV krb5_stdccv3_get_name - (krb5_context, krb5_ccache id ); +const char * KRB5_CALLCONV krb5_stdccv3_get_name +(krb5_context, krb5_ccache id ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_principal - (krb5_context, krb5_ccache id , krb5_principal *princ ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_principal +(krb5_context, krb5_ccache id , krb5_principal *princ ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_initialize - (krb5_context, krb5_ccache id , krb5_principal princ ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_initialize +(krb5_context, krb5_ccache id , krb5_principal princ ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_next_cred - (krb5_context, - krb5_ccache id , - krb5_cc_cursor *cursor , - krb5_creds *creds ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_next_cred +(krb5_context, + krb5_ccache id , + krb5_cc_cursor *cursor , + krb5_creds *creds ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_resolve - (krb5_context, krb5_ccache *id , const char *residual ); - -krb5_error_code KRB5_CALLCONV krb5_stdccv3_retrieve - (krb5_context, - krb5_ccache id , - krb5_flags whichfields , - krb5_creds *mcreds , - krb5_creds *creds ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_resolve +(krb5_context, krb5_ccache *id , const char *residual ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_start_seq_get - (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_retrieve +(krb5_context, + krb5_ccache id , + krb5_flags whichfields , + krb5_creds *mcreds , + krb5_creds *creds ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_store - (krb5_context, krb5_ccache id , krb5_creds *creds ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_start_seq_get +(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_set_flags - (krb5_context, krb5_ccache id , krb5_flags flags ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_store +(krb5_context, krb5_ccache id , krb5_creds *creds ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_flags - (krb5_context, krb5_ccache id , krb5_flags *flags ); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_set_flags +(krb5_context, krb5_ccache id , krb5_flags flags ); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_remove - (krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_flags +(krb5_context, krb5_ccache id , krb5_flags *flags ); + +krb5_error_code KRB5_CALLCONV krb5_stdccv3_remove +(krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds); krb5_error_code KRB5_CALLCONV krb5_stdccv3_ptcursor_new - (krb5_context context, krb5_cc_ptcursor *cursor); +(krb5_context context, krb5_cc_ptcursor *cursor); krb5_error_code KRB5_CALLCONV krb5_stdccv3_ptcursor_next - (krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache); +(krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache); krb5_error_code KRB5_CALLCONV krb5_stdccv3_ptcursor_free - (krb5_context context, krb5_cc_ptcursor *cursor); +(krb5_context context, krb5_cc_ptcursor *cursor); krb5_error_code KRB5_CALLCONV krb5_stdccv3_last_change_time - (krb5_context context, krb5_ccache id, - krb5_timestamp *change_time); +(krb5_context context, krb5_ccache id, + krb5_timestamp *change_time); -krb5_error_code KRB5_CALLCONV krb5_stdccv3_lock - (krb5_context, krb5_ccache id); +krb5_error_code KRB5_CALLCONV krb5_stdccv3_lock +(krb5_context, krb5_ccache id); krb5_error_code KRB5_CALLCONV krb5_stdccv3_unlock - (krb5_context, krb5_ccache id); +(krb5_context, krb5_ccache id); krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock - (krb5_context context); +(krb5_context context); krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock - (krb5_context context); +(krb5_context context); #else krb5_error_code KRB5_CALLCONV krb5_stdcc_close - (krb5_context, krb5_ccache id ); +(krb5_context, krb5_ccache id ); + +krb5_error_code KRB5_CALLCONV krb5_stdcc_destroy +(krb5_context, krb5_ccache id ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_destroy - (krb5_context, krb5_ccache id ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get +(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get - (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new +(krb5_context, krb5_ccache *id ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new - (krb5_context, krb5_ccache *id ); +const char * KRB5_CALLCONV krb5_stdcc_get_name +(krb5_context, krb5_ccache id ); -const char * KRB5_CALLCONV krb5_stdcc_get_name - (krb5_context, krb5_ccache id ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal +(krb5_context, krb5_ccache id , krb5_principal *princ ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal - (krb5_context, krb5_ccache id , krb5_principal *princ ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize +(krb5_context, krb5_ccache id , krb5_principal princ ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize - (krb5_context, krb5_ccache id , krb5_principal princ ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred +(krb5_context, + krb5_ccache id , + krb5_cc_cursor *cursor , + krb5_creds *creds ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred - (krb5_context, - krb5_ccache id , - krb5_cc_cursor *cursor , - krb5_creds *creds ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve +(krb5_context, krb5_ccache *id , const char *residual ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve - (krb5_context, krb5_ccache *id , const char *residual ); - -krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve - (krb5_context, - krb5_ccache id , - krb5_flags whichfields , - krb5_creds *mcreds , - krb5_creds *creds ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve +(krb5_context, + krb5_ccache id , + krb5_flags whichfields , + krb5_creds *mcreds , + krb5_creds *creds ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get - (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get +(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_store - (krb5_context, krb5_ccache id , krb5_creds *creds ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_store +(krb5_context, krb5_ccache id , krb5_creds *creds ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags - (krb5_context, krb5_ccache id , krb5_flags flags ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags +(krb5_context, krb5_ccache id , krb5_flags flags ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags - (krb5_context, krb5_ccache id , krb5_flags *flags ); +krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags +(krb5_context, krb5_ccache id , krb5_flags *flags ); -krb5_error_code KRB5_CALLCONV krb5_stdcc_remove - (krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds); +krb5_error_code KRB5_CALLCONV krb5_stdcc_remove +(krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds); #endif #endif /* defined(_WIN32) || defined(USE_CCAPI) */ diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c index 114e79ed9..9f44af3d0 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc_util.c +++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * stdcc_util.c * utility functions used in implementing the ccache api for krb5 @@ -17,7 +18,7 @@ #include "stdcc_util.h" #include "krb5.h" -#ifdef _WIN32 /* it's part of krb5.h everywhere else */ +#ifdef _WIN32 /* it's part of krb5.h everywhere else */ #include "kv5m_err.h" #endif @@ -26,30 +27,30 @@ #ifdef USE_CCAPI_V3 -static void +static void free_cc_array (cc_data **io_cc_array) { if (io_cc_array) { unsigned int i; - + for (i = 0; io_cc_array[i]; i++) { if (io_cc_array[i]->data) { free (io_cc_array[i]->data); } free (io_cc_array[i]); } free (io_cc_array); - } + } } -static krb5_error_code -copy_cc_array_to_addresses (krb5_context in_context, - cc_data **in_cc_array, +static krb5_error_code +copy_cc_array_to_addresses (krb5_context in_context, + cc_data **in_cc_array, krb5_address ***out_addresses) { krb5_error_code err = 0; - + if (in_cc_array == NULL) { *out_addresses = NULL; - + } else { unsigned int count, i; krb5_address **addresses = NULL; @@ -58,26 +59,26 @@ copy_cc_array_to_addresses (krb5_context in_context, for (count = 0; in_cc_array[count]; count++); addresses = (krb5_address **) malloc (sizeof (*addresses) * (count + 1)); if (!addresses) { err = KRB5_CC_NOMEM; } - - for (i = 0; !err && i < count; i++) { + + for (i = 0; !err && i < count; i++) { addresses[i] = (krb5_address *) malloc (sizeof (krb5_address)); if (!addresses[i]) { err = KRB5_CC_NOMEM; } - + if (!err) { - addresses[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) * - in_cc_array[i]->length); + addresses[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) * + in_cc_array[i]->length); if (!addresses[i]->contents) { err = KRB5_CC_NOMEM; } } - + if (!err) { addresses[i]->magic = KV5M_ADDRESS; addresses[i]->addrtype = in_cc_array[i]->type; addresses[i]->length = in_cc_array[i]->length; - memcpy (addresses[i]->contents, + memcpy (addresses[i]->contents, in_cc_array[i]->data, in_cc_array[i]->length); } } - + if (!err) { addresses[i] = NULL; /* terminator */ *out_addresses = addresses; @@ -86,70 +87,70 @@ copy_cc_array_to_addresses (krb5_context in_context, if (addresses) { krb5_free_addresses (in_context, addresses); } } - + return err; } -static krb5_error_code -copy_cc_array_to_authdata (krb5_context in_context, - cc_data **in_cc_array, +static krb5_error_code +copy_cc_array_to_authdata (krb5_context in_context, + cc_data **in_cc_array, krb5_authdata ***out_authdata) { krb5_error_code err = 0; - + if (in_cc_array == NULL) { *out_authdata = NULL; - + } else { unsigned int count, i; krb5_authdata **authdata = NULL; - + /* get length of array */ for (count = 0; in_cc_array[count]; count++); authdata = (krb5_authdata **) malloc (sizeof (*authdata) * (count + 1)); if (!authdata) { err = KRB5_CC_NOMEM; } - - for (i = 0; !err && i < count; i++) { + + for (i = 0; !err && i < count; i++) { authdata[i] = (krb5_authdata *) malloc (sizeof (krb5_authdata)); if (!authdata[i]) { err = KRB5_CC_NOMEM; } - + if (!err) { - authdata[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) * - in_cc_array[i]->length); + authdata[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) * + in_cc_array[i]->length); if (!authdata[i]->contents) { err = KRB5_CC_NOMEM; } } - + if (!err) { authdata[i]->magic = KV5M_AUTHDATA; authdata[i]->ad_type = in_cc_array[i]->type; authdata[i]->length = in_cc_array[i]->length; - memcpy (authdata[i]->contents, + memcpy (authdata[i]->contents, in_cc_array[i]->data, in_cc_array[i]->length); } } - + if (!err) { authdata[i] = NULL; /* terminator */ *out_authdata = authdata; authdata = NULL; } - + if (authdata) { krb5_free_authdata (in_context, authdata); } } - + return err; } -static krb5_error_code -copy_addresses_to_cc_array (krb5_context in_context, - krb5_address **in_addresses, +static krb5_error_code +copy_addresses_to_cc_array (krb5_context in_context, + krb5_address **in_addresses, cc_data ***out_cc_array) { krb5_error_code err = 0; - + if (in_addresses == NULL) { *out_cc_array = NULL; - + } else { unsigned int count, i; cc_data **cc_array = NULL; @@ -158,23 +159,23 @@ copy_addresses_to_cc_array (krb5_context in_context, for (count = 0; in_addresses[count]; count++); cc_array = (cc_data **) malloc (sizeof (*cc_array) * (count + 1)); if (!cc_array) { err = KRB5_CC_NOMEM; } - - for (i = 0; !err && i < count; i++) { + + for (i = 0; !err && i < count; i++) { cc_array[i] = (cc_data *) malloc (sizeof (cc_data)); if (!cc_array[i]) { err = KRB5_CC_NOMEM; } - + if (!err) { cc_array[i]->data = malloc (in_addresses[i]->length); if (!cc_array[i]->data) { err = KRB5_CC_NOMEM; } } - + if (!err) { cc_array[i]->type = in_addresses[i]->addrtype; cc_array[i]->length = in_addresses[i]->length; memcpy (cc_array[i]->data, in_addresses[i]->contents, in_addresses[i]->length); } } - + if (!err) { cc_array[i] = NULL; /* terminator */ *out_cc_array = cc_array; @@ -183,18 +184,18 @@ copy_addresses_to_cc_array (krb5_context in_context, if (cc_array) { free_cc_array (cc_array); } } - - + + return err; } -static krb5_error_code -copy_authdata_to_cc_array (krb5_context in_context, - krb5_authdata **in_authdata, +static krb5_error_code +copy_authdata_to_cc_array (krb5_context in_context, + krb5_authdata **in_authdata, cc_data ***out_cc_array) { krb5_error_code err = 0; - + if (in_authdata == NULL) { *out_cc_array = NULL; @@ -206,23 +207,23 @@ copy_authdata_to_cc_array (krb5_context in_context, for (count = 0; in_authdata[count]; count++); cc_array = (cc_data **) malloc (sizeof (*cc_array) * (count + 1)); if (!cc_array) { err = KRB5_CC_NOMEM; } - - for (i = 0; !err && i < count; i++) { + + for (i = 0; !err && i < count; i++) { cc_array[i] = (cc_data *) malloc (sizeof (cc_data)); if (!cc_array[i]) { err = KRB5_CC_NOMEM; } - + if (!err) { cc_array[i]->data = malloc (in_authdata[i]->length); if (!cc_array[i]->data) { err = KRB5_CC_NOMEM; } } - + if (!err) { cc_array[i]->type = in_authdata[i]->ad_type; cc_array[i]->length = in_authdata[i]->length; memcpy (cc_array[i]->data, in_authdata[i]->contents, in_authdata[i]->length); } } - + if (!err) { cc_array[i] = NULL; /* terminator */ *out_cc_array = cc_array; @@ -231,8 +232,8 @@ copy_authdata_to_cc_array (krb5_context in_context, if (cc_array) { free_cc_array (cc_array); } } - - + + return err; } @@ -242,9 +243,9 @@ copy_authdata_to_cc_array (krb5_context in_context, * - allocate an empty k5 style ticket and copy info from the cc_creds ticket */ -krb5_error_code -copy_cc_cred_union_to_krb5_creds (krb5_context in_context, - const cc_credentials_union *in_cred_union, +krb5_error_code +copy_cc_cred_union_to_krb5_creds (krb5_context in_context, + const cc_credentials_union *in_cred_union, krb5_creds *out_creds) { krb5_error_code err = 0; @@ -257,59 +258,59 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context, unsigned char *keyblock_contents = NULL; krb5_address **addresses = NULL; krb5_authdata **authdata = NULL; - - if (in_cred_union->version != cc_credentials_v5) { - err = KRB5_CC_NOT_KTYPE; + + if (in_cred_union->version != cc_credentials_v5) { + err = KRB5_CC_NOT_KTYPE; } else { cv5 = in_cred_union->credentials.credentials_v5; } - + #if TARGET_OS_MAC if (!err) { err = krb5_get_time_offsets (in_context, &offset_seconds, &offset_microseconds); } #endif - + if (!err) { err = krb5_parse_name (in_context, cv5->client, &client); } - + if (!err) { err = krb5_parse_name (in_context, cv5->server, &server); } - + if (!err && cv5->keyblock.data) { keyblock_contents = (unsigned char *) malloc (cv5->keyblock.length); if (!keyblock_contents) { err = KRB5_CC_NOMEM; } } - + if (!err && cv5->ticket.data) { ticket_data = (char *) malloc (cv5->ticket.length); if (!ticket_data) { err = KRB5_CC_NOMEM; } } - + if (!err && cv5->second_ticket.data) { second_ticket_data = (char *) malloc (cv5->second_ticket.length); if (!second_ticket_data) { err = KRB5_CC_NOMEM; } } - + if (!err) { /* addresses */ err = copy_cc_array_to_addresses (in_context, cv5->addresses, &addresses); } - + if (!err) { /* authdata */ err = copy_cc_array_to_authdata (in_context, cv5->authdata, &authdata); } - + if (!err) { /* principals */ out_creds->client = client; client = NULL; out_creds->server = server; server = NULL; - + /* copy keyblock */ if (cv5->keyblock.data) { memcpy (keyblock_contents, cv5->keyblock.data, cv5->keyblock.length); @@ -334,7 +335,7 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context, out_creds->ticket.length = cv5->ticket.length; out_creds->ticket.data = ticket_data; ticket_data = NULL; - + /* second ticket */ if (cv5->second_ticket.data) { memcpy(second_ticket_data, cv5->second_ticket.data, cv5->second_ticket.length); @@ -342,17 +343,17 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context, out_creds->second_ticket.length = cv5->second_ticket.length; out_creds->second_ticket.data = second_ticket_data; second_ticket_data = NULL; - + out_creds->addresses = addresses; addresses = NULL; out_creds->authdata = authdata; authdata = NULL; - + /* zero out magic number */ out_creds->magic = 0; } - + if (addresses) { krb5_free_addresses (in_context, addresses); } if (authdata) { krb5_free_authdata (in_context, authdata); } if (keyblock_contents) { free (keyblock_contents); } @@ -360,7 +361,7 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context, if (second_ticket_data) { free (second_ticket_data); } if (client) { krb5_free_principal (in_context, client); } if (server) { krb5_free_principal (in_context, server); } - + return err; } @@ -369,8 +370,8 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context, * - analagous to above but in the reverse direction */ krb5_error_code -copy_krb5_creds_to_cc_cred_union (krb5_context in_context, - krb5_creds *in_creds, +copy_krb5_creds_to_cc_cred_union (krb5_context in_context, + krb5_creds *in_creds, cc_credentials_union **out_cred_union) { krb5_error_code err = 0; @@ -384,56 +385,56 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context, krb5_int32 offset_seconds = 0, offset_microseconds = 0; cc_data **cc_address_array = NULL; cc_data **cc_authdata_array = NULL; - + if (out_cred_union == NULL) { err = KRB5_CC_NOMEM; } - + #if TARGET_OS_MAC if (!err) { err = krb5_get_time_offsets (in_context, &offset_seconds, &offset_microseconds); } #endif - + if (!err) { cred_union = (cc_credentials_union *) malloc (sizeof (*cred_union)); if (!cred_union) { err = KRB5_CC_NOMEM; } } - + if (!err) { cv5 = (cc_credentials_v5_t *) malloc (sizeof (*cv5)); if (!cv5) { err = KRB5_CC_NOMEM; } } - + if (!err) { err = krb5_unparse_name (in_context, in_creds->client, &client); } - + if (!err) { err = krb5_unparse_name (in_context, in_creds->server, &server); } - + if (!err && in_creds->keyblock.contents) { keyblock_data = (unsigned char *) malloc (in_creds->keyblock.length); if (!keyblock_data) { err = KRB5_CC_NOMEM; } } - + if (!err && in_creds->ticket.data) { ticket_data = (unsigned char *) malloc (in_creds->ticket.length); if (!ticket_data) { err = KRB5_CC_NOMEM; } } - + if (!err && in_creds->second_ticket.data) { second_ticket_data = (unsigned char *) malloc (in_creds->second_ticket.length); if (!second_ticket_data) { err = KRB5_CC_NOMEM; } } - + if (!err) { err = copy_addresses_to_cc_array (in_context, in_creds->addresses, &cc_address_array); } - + if (!err) { err = copy_authdata_to_cc_array (in_context, in_creds->authdata, &cc_authdata_array); } - + if (!err) { /* principals */ cv5->client = client; @@ -449,7 +450,7 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context, cv5->keyblock.length = in_creds->keyblock.length; cv5->keyblock.data = keyblock_data; keyblock_data = NULL; - + cv5->authtime = in_creds->times.authtime - offset_seconds; cv5->starttime = in_creds->times.starttime - offset_seconds; cv5->endtime = in_creds->times.endtime - offset_seconds; @@ -463,29 +464,29 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context, cv5->ticket.length = in_creds->ticket.length; cv5->ticket.data = ticket_data; ticket_data = NULL; - + if (in_creds->second_ticket.data) { memcpy (second_ticket_data, in_creds->second_ticket.data, in_creds->second_ticket.length); } cv5->second_ticket.length = in_creds->second_ticket.length; cv5->second_ticket.data = second_ticket_data; second_ticket_data = NULL; - + cv5->addresses = cc_address_array; cc_address_array = NULL; - + cv5->authdata = cc_authdata_array; - cc_authdata_array = NULL; - + cc_authdata_array = NULL; + /* Set up the structures to return to the caller */ cred_union->version = cc_credentials_v5; cred_union->credentials.credentials_v5 = cv5; cv5 = NULL; - + *out_cred_union = cred_union; cred_union = NULL; } - + if (cc_address_array) { free_cc_array (cc_address_array); } if (cc_authdata_array) { free_cc_array (cc_authdata_array); } if (keyblock_data) { free (keyblock_data); } @@ -495,38 +496,38 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context, if (server) { krb5_free_unparsed_name (in_context, server); } if (cv5) { free (cv5); } if (cred_union) { free (cred_union); } - + return err; } -krb5_error_code -cred_union_release (cc_credentials_union *in_cred_union) +krb5_error_code +cred_union_release (cc_credentials_union *in_cred_union) { if (in_cred_union) { if (in_cred_union->version == cc_credentials_v5 && in_cred_union->credentials.credentials_v5) { cc_credentials_v5_t *cv5 = in_cred_union->credentials.credentials_v5; - + /* should use krb5_free_unparsed_name but we have no context */ if (cv5->client) { free (cv5->client); } if (cv5->server) { free (cv5->server); } - + if (cv5->keyblock.data) { free (cv5->keyblock.data); } if (cv5->ticket.data) { free (cv5->ticket.data); } if (cv5->second_ticket.data) { free (cv5->second_ticket.data); } - + free_cc_array (cv5->addresses); free_cc_array (cv5->authdata); - + free (cv5); - + } else if (in_cred_union->version == cc_credentials_v4 && in_cred_union->credentials.credentials_v4) { free (in_cred_union->credentials.credentials_v4); } free ((cc_credentials_union *) in_cred_union); } - + return 0; } @@ -534,85 +535,85 @@ cred_union_release (cc_credentials_union *in_cred_union) /* * CopyCCDataArrayToK5 * - copy and translate the null terminated arrays of data records - * used in k5 tickets + * used in k5 tickets */ int copyCCDataArrayToK5(cc_creds *ccCreds, krb5_creds *v5Creds, char whichArray) { if (whichArray == kAddressArray) { - if (ccCreds->addresses == NULL) { - v5Creds->addresses = NULL; - } else { - - krb5_address **addrPtr, *addr; - cc_data **dataPtr, *data; - unsigned int numRecords = 0; - - /* Allocate the array of pointers: */ - for (dataPtr = ccCreds->addresses; *dataPtr != NULL; numRecords++, dataPtr++) {} - - v5Creds->addresses = (krb5_address **) malloc (sizeof(krb5_address *) * (numRecords + 1)); - if (v5Creds->addresses == NULL) - return ENOMEM; - - /* Fill in the array, allocating the address structures: */ - for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *dataPtr != NULL; addrPtr++, dataPtr++) { - - *addrPtr = (krb5_address *) malloc (sizeof(krb5_address)); - if (*addrPtr == NULL) - return ENOMEM; - data = *dataPtr; - addr = *addrPtr; - - addr->addrtype = data->type; - addr->magic = KV5M_ADDRESS; - addr->length = data->length; - addr->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * addr->length); - if (addr->contents == NULL) - return ENOMEM; - memmove(addr->contents, data->data, addr->length); /* copy contents */ - } - - /* Write terminator: */ - *addrPtr = NULL; - } + if (ccCreds->addresses == NULL) { + v5Creds->addresses = NULL; + } else { + + krb5_address **addrPtr, *addr; + cc_data **dataPtr, *data; + unsigned int numRecords = 0; + + /* Allocate the array of pointers: */ + for (dataPtr = ccCreds->addresses; *dataPtr != NULL; numRecords++, dataPtr++) {} + + v5Creds->addresses = (krb5_address **) malloc (sizeof(krb5_address *) * (numRecords + 1)); + if (v5Creds->addresses == NULL) + return ENOMEM; + + /* Fill in the array, allocating the address structures: */ + for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *dataPtr != NULL; addrPtr++, dataPtr++) { + + *addrPtr = (krb5_address *) malloc (sizeof(krb5_address)); + if (*addrPtr == NULL) + return ENOMEM; + data = *dataPtr; + addr = *addrPtr; + + addr->addrtype = data->type; + addr->magic = KV5M_ADDRESS; + addr->length = data->length; + addr->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * addr->length); + if (addr->contents == NULL) + return ENOMEM; + memmove(addr->contents, data->data, addr->length); /* copy contents */ + } + + /* Write terminator: */ + *addrPtr = NULL; + } } if (whichArray == kAuthDataArray) { - if (ccCreds->authdata == NULL) { - v5Creds->authdata = NULL; - } else { - krb5_authdata **authPtr, *auth; - cc_data **dataPtr, *data; - unsigned int numRecords = 0; - - /* Allocate the array of pointers: */ - for (dataPtr = ccCreds->authdata; *dataPtr != NULL; numRecords++, dataPtr++) {} - - v5Creds->authdata = (krb5_authdata **) malloc (sizeof(krb5_authdata *) * (numRecords + 1)); - if (v5Creds->authdata == NULL) - return ENOMEM; - - /* Fill in the array, allocating the address structures: */ - for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *dataPtr != NULL; authPtr++, dataPtr++) { - - *authPtr = (krb5_authdata *) malloc (sizeof(krb5_authdata)); - if (*authPtr == NULL) - return ENOMEM; - data = *dataPtr; - auth = *authPtr; - - auth->ad_type = data->type; - auth->magic = KV5M_AUTHDATA; - auth->length = data->length; - auth->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * auth->length); - if (auth->contents == NULL) - return ENOMEM; - memmove(auth->contents, data->data, auth->length); /* copy contents */ - } - - /* Write terminator: */ - *authPtr = NULL; - } + if (ccCreds->authdata == NULL) { + v5Creds->authdata = NULL; + } else { + krb5_authdata **authPtr, *auth; + cc_data **dataPtr, *data; + unsigned int numRecords = 0; + + /* Allocate the array of pointers: */ + for (dataPtr = ccCreds->authdata; *dataPtr != NULL; numRecords++, dataPtr++) {} + + v5Creds->authdata = (krb5_authdata **) malloc (sizeof(krb5_authdata *) * (numRecords + 1)); + if (v5Creds->authdata == NULL) + return ENOMEM; + + /* Fill in the array, allocating the address structures: */ + for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *dataPtr != NULL; authPtr++, dataPtr++) { + + *authPtr = (krb5_authdata *) malloc (sizeof(krb5_authdata)); + if (*authPtr == NULL) + return ENOMEM; + data = *dataPtr; + auth = *authPtr; + + auth->ad_type = data->type; + auth->magic = KV5M_AUTHDATA; + auth->length = data->length; + auth->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * auth->length); + if (auth->contents == NULL) + return ENOMEM; + memmove(auth->contents, data->data, auth->length); /* copy contents */ + } + + /* Write terminator: */ + *authPtr = NULL; + } } return 0; @@ -625,78 +626,78 @@ int copyCCDataArrayToK5(cc_creds *ccCreds, krb5_creds *v5Creds, char whichArray) int copyK5DataArrayToCC(krb5_creds *v5Creds, cc_creds *ccCreds, char whichArray) { if (whichArray == kAddressArray) { - if (v5Creds->addresses == NULL) { - ccCreds->addresses = NULL; - } else { - - krb5_address **addrPtr, *addr; - cc_data **dataPtr, *data; - unsigned int numRecords = 0; - - /* Allocate the array of pointers: */ - for (addrPtr = v5Creds->addresses; *addrPtr != NULL; numRecords++, addrPtr++) {} - - ccCreds->addresses = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1)); - if (ccCreds->addresses == NULL) - return ENOMEM; - - /* Fill in the array, allocating the address structures: */ - for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *addrPtr != NULL; addrPtr++, dataPtr++) { - - *dataPtr = (cc_data *) malloc (sizeof(cc_data)); - if (*dataPtr == NULL) - return ENOMEM; - data = *dataPtr; - addr = *addrPtr; - - data->type = addr->addrtype; - data->length = addr->length; - data->data = malloc (sizeof(char) * data->length); - if (data->data == NULL) - return ENOMEM; - memmove(data->data, addr->contents, data->length); /* copy contents */ - } - - /* Write terminator: */ - *dataPtr = NULL; - } + if (v5Creds->addresses == NULL) { + ccCreds->addresses = NULL; + } else { + + krb5_address **addrPtr, *addr; + cc_data **dataPtr, *data; + unsigned int numRecords = 0; + + /* Allocate the array of pointers: */ + for (addrPtr = v5Creds->addresses; *addrPtr != NULL; numRecords++, addrPtr++) {} + + ccCreds->addresses = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1)); + if (ccCreds->addresses == NULL) + return ENOMEM; + + /* Fill in the array, allocating the address structures: */ + for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *addrPtr != NULL; addrPtr++, dataPtr++) { + + *dataPtr = (cc_data *) malloc (sizeof(cc_data)); + if (*dataPtr == NULL) + return ENOMEM; + data = *dataPtr; + addr = *addrPtr; + + data->type = addr->addrtype; + data->length = addr->length; + data->data = malloc (sizeof(char) * data->length); + if (data->data == NULL) + return ENOMEM; + memmove(data->data, addr->contents, data->length); /* copy contents */ + } + + /* Write terminator: */ + *dataPtr = NULL; + } } if (whichArray == kAuthDataArray) { - if (v5Creds->authdata == NULL) { - ccCreds->authdata = NULL; - } else { - krb5_authdata **authPtr, *auth; - cc_data **dataPtr, *data; - unsigned int numRecords = 0; - - /* Allocate the array of pointers: */ - for (authPtr = v5Creds->authdata; *authPtr != NULL; numRecords++, authPtr++) {} - - ccCreds->authdata = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1)); - if (ccCreds->authdata == NULL) - return ENOMEM; - - /* Fill in the array, allocating the address structures: */ - for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *authPtr != NULL; authPtr++, dataPtr++) { - - *dataPtr = (cc_data *) malloc (sizeof(cc_data)); - if (*dataPtr == NULL) - return ENOMEM; - data = *dataPtr; - auth = *authPtr; - - data->type = auth->ad_type; - data->length = auth->length; - data->data = malloc (sizeof(char) * data->length); - if (data->data == NULL) - return ENOMEM; - memmove(data->data, auth->contents, data->length); /* copy contents */ - } - - /* Write terminator: */ - *dataPtr = NULL; - } + if (v5Creds->authdata == NULL) { + ccCreds->authdata = NULL; + } else { + krb5_authdata **authPtr, *auth; + cc_data **dataPtr, *data; + unsigned int numRecords = 0; + + /* Allocate the array of pointers: */ + for (authPtr = v5Creds->authdata; *authPtr != NULL; numRecords++, authPtr++) {} + + ccCreds->authdata = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1)); + if (ccCreds->authdata == NULL) + return ENOMEM; + + /* Fill in the array, allocating the address structures: */ + for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *authPtr != NULL; authPtr++, dataPtr++) { + + *dataPtr = (cc_data *) malloc (sizeof(cc_data)); + if (*dataPtr == NULL) + return ENOMEM; + data = *dataPtr; + auth = *authPtr; + + data->type = auth->ad_type; + data->length = auth->length; + data->data = malloc (sizeof(char) * data->length); + if (data->data == NULL) + return ENOMEM; + memmove(data->data, auth->contents, data->length); /* copy contents */ + } + + /* Write terminator: */ + *dataPtr = NULL; + } } return 0; @@ -774,7 +775,7 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu) /* allocate the cred_union */ *cu = (cred_union *)malloc(sizeof(cred_union)); if ((*cu) == NULL) - return; + return; (*cu)->cred_type = CC_CRED_V5; @@ -793,10 +794,10 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu) c->keyblock.length = creds->keyblock.length; if (creds->keyblock.contents != NULL) { - c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length); - memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length); + c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length); + memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length); } else { - c->keyblock.data = NULL; + c->keyblock.data = NULL; } #if TARGET_OS_MAC @@ -815,18 +816,18 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu) c->ticket.length = creds->ticket.length; if (creds->ticket.data != NULL) { - c->ticket.data = (unsigned char *)malloc(creds->ticket.length); - memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length); + c->ticket.data = (unsigned char *)malloc(creds->ticket.length); + memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length); } else { - c->ticket.data = NULL; + c->ticket.data = NULL; } c->second_ticket.length = creds->second_ticket.length; if (creds->second_ticket.data != NULL) { - c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length); - memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length); + c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length); + memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length); } else { - c->second_ticket.data = NULL; + c->second_ticket.data = NULL; } err = copyK5DataArrayToCC(creds, c, kAuthDataArray); @@ -851,7 +852,7 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu) static void deep_free_cc_data (cc_data data) { if (data.data != NULL) - free (data.data); + free (data.data); } static void deep_free_cc_data_array (cc_data** data) { @@ -859,11 +860,11 @@ static void deep_free_cc_data_array (cc_data** data) { unsigned int i; if (data == NULL) - return; + return; for (i = 0; data [i] != NULL; i++) { - deep_free_cc_data (*(data [i])); - free (data [i]); + deep_free_cc_data (*(data [i])); + free (data [i]); } free (data); @@ -872,12 +873,12 @@ static void deep_free_cc_data_array (cc_data** data) { static void deep_free_cc_v5_creds (cc_creds* creds) { if (creds == NULL) - return; + return; if (creds -> client != NULL) - free (creds -> client); + free (creds -> client); if (creds -> server != NULL) - free (creds -> server); + free (creds -> server); deep_free_cc_data (creds -> keyblock); deep_free_cc_data (creds -> ticket); @@ -892,10 +893,10 @@ static void deep_free_cc_v5_creds (cc_creds* creds) static void deep_free_cc_creds (cred_union creds) { if (creds.cred_type == CC_CRED_V4) { - /* we shouldn't get this, of course */ - free (creds.cred.pV4Cred); + /* we shouldn't get this, of course */ + free (creds.cred.pV4Cred); } else if (creds.cred_type == CC_CRED_V5) { - deep_free_cc_v5_creds (creds.cred.pV5Cred); + deep_free_cc_v5_creds (creds.cred.pV5Cred); } } @@ -903,12 +904,12 @@ static void deep_free_cc_creds (cred_union creds) cc_int32 krb5int_free_cc_cred_union (cred_union** creds) { if (creds == NULL) - return CC_BAD_PARM; + return CC_BAD_PARM; if (*creds != NULL) { - deep_free_cc_creds (**creds); - free (*creds); - *creds = NULL; + deep_free_cc_creds (**creds); + free (*creds); + *creds = NULL; } return CC_NOERROR; @@ -921,15 +922,15 @@ cc_int32 krb5int_free_cc_cred_union (cred_union** creds) static krb5_boolean times_match(t1, t2) register const krb5_ticket_times *t1; -register const krb5_ticket_times *t2; + register const krb5_ticket_times *t2; { if (t1->renew_till) { - if (t1->renew_till > t2->renew_till) - return FALSE; /* this one expires too late */ + if (t1->renew_till > t2->renew_till) + return FALSE; /* this one expires too late */ } if (t1->endtime) { - if (t1->endtime > t2->endtime) - return FALSE; /* this one expires too late */ + if (t1->endtime > t2->endtime) + return FALSE; /* this one expires too late */ } /* only care about expiration on a times_match */ return TRUE; @@ -940,18 +941,18 @@ times_match_exact (t1, t2) register const krb5_ticket_times *t1, *t2; { return (t1->authtime == t2->authtime - && t1->starttime == t2->starttime - && t1->endtime == t2->endtime - && t1->renew_till == t2->renew_till); + && t1->starttime == t2->starttime + && t1->endtime == t2->endtime + && t1->renew_till == t2->renew_till); } static krb5_boolean standard_fields_match(context, mcreds, creds) krb5_context context; -register const krb5_creds *mcreds, *creds; + register const krb5_creds *mcreds, *creds; { return (krb5_principal_compare(context, mcreds->client,creds->client) && - krb5_principal_compare(context, mcreds->server,creds->server)); + krb5_principal_compare(context, mcreds->server,creds->server)); } /* only match the server name portion, not the server realm portion */ @@ -959,14 +960,14 @@ register const krb5_creds *mcreds, *creds; static krb5_boolean srvname_match(context, mcreds, creds) krb5_context context; -register const krb5_creds *mcreds, *creds; + register const krb5_creds *mcreds, *creds; { krb5_boolean retval; krb5_principal_data p1, p2; retval = krb5_principal_compare(context, mcreds->client,creds->client); if (retval != TRUE) - return retval; + return retval; /* * Hack to ignore the server realm for the purposes of the compare. */ @@ -984,22 +985,22 @@ authdata_match(mdata, data) const krb5_authdata *mdatap, *datap; if (mdata == data) - return TRUE; + return TRUE; if (mdata == NULL) - return *data == NULL; + return *data == NULL; if (data == NULL) - return *mdata == NULL; + return *mdata == NULL; while ((mdatap = *mdata) - && (datap = *data) - && mdatap->ad_type == datap->ad_type - && mdatap->length == datap->length - && !memcmp ((char *) mdatap->contents, (char *) datap->contents, - datap->length)) { - mdata++; - data++; + && (datap = *data) + && mdatap->ad_type == datap->ad_type + && mdatap->length == datap->length + && !memcmp ((char *) mdatap->contents, (char *) datap->contents, + datap->length)) { + mdata++; + data++; } return !*mdata && !*data; @@ -1010,17 +1011,17 @@ data_match(data1, data2) register const krb5_data *data1, *data2; { if (!data1) { - if (!data2) - return TRUE; - else - return FALSE; + if (!data2) + return TRUE; + else + return FALSE; } if (!data2) return FALSE; if (data1->length != data2->length) - return FALSE; + return FALSE; else - return memcmp(data1->data, data2->data, data1->length) ? FALSE : TRUE; + return memcmp(data1->data, data2->data, data1->length) ? FALSE : TRUE; } #define MATCH_SET(bits) (whichfields & bits) @@ -1029,41 +1030,41 @@ data_match(data1, data2) /* stdccCredsMatch * - check to see if the creds match based on the whichFields variable * NOTE: if whichfields is zero we are now comparing 'standard fields.' - * This is the bug that was killing fetch for a - * week. The behaviour is what krb5 expects, however. + * This is the bug that was killing fetch for a + * week. The behaviour is what krb5 expects, however. */ int stdccCredsMatch(krb5_context context, krb5_creds *base, - krb5_creds *match, int whichfields) + krb5_creds *match, int whichfields) { if (((MATCH_SET(KRB5_TC_MATCH_SRV_NAMEONLY) && - srvname_match(context, match, base)) || - standard_fields_match(context, match, base)) + srvname_match(context, match, base)) || + standard_fields_match(context, match, base)) + && + (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) || + match->is_skey == base->is_skey) + && + (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) || + match->ticket_flags == base->ticket_flags) + && + (! MATCH_SET(KRB5_TC_MATCH_FLAGS) || + flags_match(match->ticket_flags, base->ticket_flags)) + && + (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) || + times_match_exact(&match->times, &base->times)) + && + (! MATCH_SET(KRB5_TC_MATCH_TIMES) || + times_match(&match->times, &base->times)) + && + (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) || + authdata_match (match->authdata, base->authdata)) + && + (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) || + data_match (&match->second_ticket, &base->second_ticket)) && - (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) || - match->is_skey == base->is_skey) - && - (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) || - match->ticket_flags == base->ticket_flags) - && - (! MATCH_SET(KRB5_TC_MATCH_FLAGS) || - flags_match(match->ticket_flags, base->ticket_flags)) - && - (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) || - times_match_exact(&match->times, &base->times)) - && - (! MATCH_SET(KRB5_TC_MATCH_TIMES) || - times_match(&match->times, &base->times)) - && - (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) || - authdata_match (match->authdata, base->authdata)) - && - (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) || - data_match (&match->second_ticket, &base->second_ticket)) - && - ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))|| - (match->keyblock.enctype == base->keyblock.enctype)) - ) - return TRUE; + ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))|| + (match->keyblock.enctype == base->keyblock.enctype)) + ) + return TRUE; return FALSE; } diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.h b/src/lib/krb5/ccache/ccapi/stdcc_util.h index 2b724eb78..2e5eecc2b 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc_util.h +++ b/src/lib/krb5/ccache/ccapi/stdcc_util.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* stdcc_util.h * * Frank Dabek, July 1998 @@ -21,16 +22,16 @@ /* protoypes for private functions declared in stdcc_util.c */ #ifdef USE_CCAPI_V3 -krb5_error_code -copy_cc_cred_union_to_krb5_creds (krb5_context in_context, - const cc_credentials_union *in_cred_union, +krb5_error_code +copy_cc_cred_union_to_krb5_creds (krb5_context in_context, + const cc_credentials_union *in_cred_union, krb5_creds *out_creds); krb5_error_code -copy_krb5_creds_to_cc_cred_union (krb5_context in_context, - krb5_creds *in_creds, +copy_krb5_creds_to_cc_cred_union (krb5_context in_context, + krb5_creds *in_creds, cc_credentials_union **out_cred_union); -krb5_error_code +krb5_error_code cred_union_release (cc_credentials_union *in_cred_union); #else int copyCCDataArrayToK5(cc_creds *cc, krb5_creds *kc, char whichArray); @@ -42,7 +43,7 @@ cc_int32 krb5int_free_cc_cred_union (cred_union** creds); int stdccCredsMatch(krb5_context context, krb5_creds *base, krb5_creds *match, int whichfields); int bitTst(int var, int mask); -#define kAddressArray 4 +#define kAddressArray 4 #define kAuthDataArray 5 #endif /* defined(_WIN32) || defined(USE_CCAPI) */ diff --git a/src/lib/krb5/ccache/ccapi/winccld.c b/src/lib/krb5/ccache/ccapi/winccld.c index 22646e1ee..8b2e90c42 100644 --- a/src/lib/krb5/ccache/ccapi/winccld.c +++ b/src/lib/krb5/ccache/ccapi/winccld.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #if defined(_WIN32) /* * winccld.c --- routine for dynamically loading the ccache DLL if @@ -23,9 +24,9 @@ extern int krb5_is_ccdll_loaded(); /* * return codes */ -#define LF_OK 0 -#define LF_NODLL 1 -#define LF_NOFUNC 2 +#define LF_OK 0 +#define LF_NODLL 1 +#define LF_NOFUNC 2 #ifdef _WIN64 #define KRBCC_DLL "krbcc64.dll" @@ -34,10 +35,10 @@ extern int krb5_is_ccdll_loaded(); #endif static int LoadFuncs(const char* dll_name, FUNC_INFO fi[], - HINSTANCE* ph, int debug); + HINSTANCE* ph, int debug); static int LoadFuncs(const char* dll_name, FUNC_INFO fi[], - HINSTANCE* ph, int debug) + HINSTANCE* ph, int debug) { HINSTANCE h; int i, n; @@ -46,55 +47,55 @@ static int LoadFuncs(const char* dll_name, FUNC_INFO fi[], if (ph) *ph = 0; for (n = 0; fi[n].func_ptr_var; n++) { - *(fi[n].func_ptr_var) = 0; + *(fi[n].func_ptr_var) = 0; } if (!(h = LoadLibrary(dll_name))) { - /* Get error for source debugging purposes. */ - error = (int)GetLastError(); - return LF_NODLL; + /* Get error for source debugging purposes. */ + error = (int)GetLastError(); + return LF_NODLL; } if (debug) - printf("Loaded %s\n", dll_name); + printf("Loaded %s\n", dll_name); for (i = 0; !error && (i < n); i++) { - void* p = (void*)GetProcAddress(h, fi[i].func_name); - if (!p) { - if (debug) - printf("Could not get function: %s\n", fi[i].func_name); - error = 1; - } else { - *(fi[i].func_ptr_var) = p; - if (debug) - printf("Loaded function %s at 0x%08X\n", fi[i].func_name, p); - } + void* p = (void*)GetProcAddress(h, fi[i].func_name); + if (!p) { + if (debug) + printf("Could not get function: %s\n", fi[i].func_name); + error = 1; + } else { + *(fi[i].func_ptr_var) = p; + if (debug) + printf("Loaded function %s at 0x%08X\n", fi[i].func_name, p); + } } if (error) { - for (i = 0; i < n; i++) { - *(fi[i].func_ptr_var) = 0; - } - FreeLibrary(h); - return LF_NOFUNC; + for (i = 0; i < n; i++) { + *(fi[i].func_ptr_var) = 0; + } + FreeLibrary(h); + return LF_NOFUNC; } if (ph) *ph = h; return LF_OK; } void krb5_win_ccdll_load(context) - krb5_context context; + krb5_context context; { - krb5_cc_register(context, &krb5_fcc_ops, 0); - if (krb5_win_ccdll_loaded) - return; - if (LoadFuncs(KRBCC_DLL, krbcc_fi, 0, 0)) - return; /* Error, give up */ - krb5_win_ccdll_loaded = 1; - krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; /* Use stdcc! */ + krb5_cc_register(context, &krb5_fcc_ops, 0); + if (krb5_win_ccdll_loaded) + return; + if (LoadFuncs(KRBCC_DLL, krbcc_fi, 0, 0)) + return; /* Error, give up */ + krb5_win_ccdll_loaded = 1; + krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; /* Use stdcc! */ } int krb5_is_ccdll_loaded() { - return krb5_win_ccdll_loaded; + return krb5_win_ccdll_loaded; } -#endif /* Windows */ +#endif /* Windows */ diff --git a/src/lib/krb5/ccache/ccapi/winccld.h b/src/lib/krb5/ccache/ccapi/winccld.h index 245ae245e..85017abbd 100644 --- a/src/lib/krb5/ccache/ccapi/winccld.h +++ b/src/lib/krb5/ccache/ccapi/winccld.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * winccld.h -- the dynamic loaded version of the ccache DLL */ @@ -19,19 +20,19 @@ #ifdef USE_CCAPI_V3 typedef CCACHE_API cc_int32 (*FP_cc_initialize) ( - cc_context_t* outContext, - cc_int32 inVersion, - cc_int32* outSupportedVersion, - char const** outVendor); + cc_context_t* outContext, + cc_int32 inVersion, + cc_int32* outSupportedVersion, + char const** outVendor); #else -typedef cc_int32 (*FP_cc_initialize)(apiCB**, const cc_int32, - cc_int32*, const char**); -typedef cc_int32 (*FP_cc_shutdown)(apiCB**); -typedef cc_int32 (*FP_cc_get_change_time)(apiCB*, cc_time_t*); +typedef cc_int32 (*FP_cc_initialize)(apiCB**, const cc_int32, + cc_int32*, const char**); +typedef cc_int32 (*FP_cc_shutdown)(apiCB**); +typedef cc_int32 (*FP_cc_get_change_time)(apiCB*, cc_time_t*); typedef cc_int32 (*FP_cc_create)(apiCB*, const char*, const char*, - const enum cc_cred_vers, const cc_int32, ccache_p**); + const enum cc_cred_vers, const cc_int32, ccache_p**); typedef cc_int32 (*FP_cc_open)(apiCB*, const char*, const enum cc_cred_vers, - const cc_int32, ccache_p**); + const cc_int32, ccache_p**); typedef cc_int32 (*FP_cc_close)(apiCB*, ccache_p**); typedef cc_int32 (*FP_cc_destroy)(apiCB*, ccache_p**); typedef cc_int32 (*FP_cc_seq_fetch_NCs)(apiCB*, ccache_p**, ccache_cit**); @@ -42,21 +43,21 @@ typedef cc_int32 (*FP_cc_get_NC_info)(apiCB*, struct _infoNC***); typedef cc_int32 (*FP_cc_free_NC_info)(apiCB*, struct _infoNC***); typedef cc_int32 (*FP_cc_get_name)(apiCB*, const ccache_p*, char**); typedef cc_int32 (*FP_cc_set_principal)(apiCB*, const ccache_p*, - const enum cc_cred_vers, const char*); + const enum cc_cred_vers, const char*); typedef cc_int32 (*FP_cc_get_principal)(apiCB*, ccache_p*, char**); typedef cc_int32 (*FP_cc_get_cred_version)(apiCB*, const ccache_p*, - enum cc_cred_vers*); + enum cc_cred_vers*); typedef cc_int32 (*FP_cc_lock_request)(apiCB*, const ccache_p*, - const cc_int32); + const cc_int32); typedef cc_int32 (*FP_cc_store)(apiCB*, const ccache_p*, const cred_union); typedef cc_int32 (*FP_cc_remove_cred)(apiCB*, const ccache_p*, - const cred_union); -typedef cc_int32 (*FP_cc_seq_fetch_creds)(apiCB*, const ccache_p*, - cred_union**, ccache_cit**); -typedef cc_int32 (*FP_cc_seq_fetch_creds_begin)(apiCB*, const ccache_p*, - ccache_cit**); -typedef cc_int32 (*FP_cc_seq_fetch_creds_next)(apiCB*, cred_union**, - ccache_cit*); + const cred_union); +typedef cc_int32 (*FP_cc_seq_fetch_creds)(apiCB*, const ccache_p*, + cred_union**, ccache_cit**); +typedef cc_int32 (*FP_cc_seq_fetch_creds_begin)(apiCB*, const ccache_p*, + ccache_cit**); +typedef cc_int32 (*FP_cc_seq_fetch_creds_next)(apiCB*, cred_union**, + ccache_cit*); typedef cc_int32 (*FP_cc_seq_fetch_creds_end)(apiCB*, ccache_cit**); typedef cc_int32 (*FP_cc_free_principal)(apiCB*, char**); typedef cc_int32 (*FP_cc_free_name)(apiCB*, char** name); diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c index f54486f7d..fb3d7ec9d 100644 --- a/src/lib/krb5/ccache/ccbase.c +++ b/src/lib/krb5/ccache/ccbase.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/ccbase.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Registration functions for ccache. */ @@ -96,22 +97,22 @@ krb5int_cc_initialize(void) err = k5_cc_mutex_finish_init(&cccol_lock); if (err) - return err; + return err; err = k5_cc_mutex_finish_init(&krb5int_mcc_mutex); if (err) - return err; + return err; err = k5_mutex_finish_init(&cc_typelist_lock); if (err) - return err; + return err; #ifndef NO_FILE_CCACHE err = k5_cc_mutex_finish_init(&krb5int_cc_file_mutex); if (err) - return err; + return err; #endif #ifdef USE_KEYRING_CCACHE err = k5_cc_mutex_finish_init(&krb5int_krcc_mutex); if (err) - return err; + return err; #endif return 0; } @@ -131,8 +132,8 @@ krb5int_cc_finalize(void) k5_cc_mutex_destroy(&krb5int_krcc_mutex); #endif for (t = cc_typehead; t != INITIAL_TYPEHEAD; t = t_next) { - t_next = t->next; - free(t); + t_next = t->next; + free(t); } } @@ -143,30 +144,30 @@ krb5int_cc_finalize(void) */ krb5_error_code KRB5_CALLCONV -krb5_cc_register(krb5_context context, const krb5_cc_ops *ops, - krb5_boolean override) +krb5_cc_register(krb5_context context, const krb5_cc_ops *ops, + krb5_boolean override) { struct krb5_cc_typelist *t; krb5_error_code err; err = k5_mutex_lock(&cc_typelist_lock); if (err) - return err; + return err; for (t = cc_typehead;t && strcmp(t->ops->prefix,ops->prefix);t = t->next) - ; + ; if (t) { - if (override) { - t->ops = ops; - k5_mutex_unlock(&cc_typelist_lock); - return 0; - } else { - k5_mutex_unlock(&cc_typelist_lock); - return KRB5_CC_TYPE_EXISTS; - } + if (override) { + t->ops = ops; + k5_mutex_unlock(&cc_typelist_lock); + return 0; + } else { + k5_mutex_unlock(&cc_typelist_lock); + return KRB5_CC_TYPE_EXISTS; + } } if (!(t = (struct krb5_cc_typelist *) malloc(sizeof(*t)))) { - k5_mutex_unlock(&cc_typelist_lock); - return ENOMEM; + k5_mutex_unlock(&cc_typelist_lock); + return ENOMEM; } t->next = cc_typehead; t->ops = ops; @@ -196,14 +197,14 @@ krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache) const krb5_cc_ops *ops; if (name == NULL) - return KRB5_CC_BADNAME; + return KRB5_CC_BADNAME; pfx = NULL; cp = strchr (name, ':'); if (!cp) { - if (krb5_cc_dfl_ops) - return (*krb5_cc_dfl_ops->resolve)(context, cache, name); - else - return KRB5_CC_BADNAME; + if (krb5_cc_dfl_ops) + return (*krb5_cc_dfl_ops->resolve)(context, cache, name); + else + return KRB5_CC_BADNAME; } pfxlen = cp - name; @@ -230,9 +231,9 @@ krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache) err = krb5int_cc_getops(context, pfx, &ops); if (pfx != NULL) - free(pfx); + free(pfx); if (err) - return err; + return err; return ops->resolve(context, cache, resid); } @@ -254,19 +255,19 @@ krb5int_cc_getops( err = k5_mutex_lock(&cc_typelist_lock); if (err) - return err; + return err; for (tlist = cc_typehead; tlist; tlist = tlist->next) { - if (strcmp (tlist->ops->prefix, pfx) == 0) { - *ops = tlist->ops; - k5_mutex_unlock(&cc_typelist_lock); - return 0; - } + if (strcmp (tlist->ops->prefix, pfx) == 0) { + *ops = tlist->ops; + k5_mutex_unlock(&cc_typelist_lock); + return 0; + } } k5_mutex_unlock(&cc_typelist_lock); if (krb5_cc_dfl_ops && !strcmp (pfx, krb5_cc_dfl_ops->prefix)) { - *ops = krb5_cc_dfl_ops; - return 0; + *ops = krb5_cc_dfl_ops; + return 0; } return KRB5_CC_UNKNOWN_TYPE; } @@ -291,7 +292,7 @@ krb5_cc_new_unique( err = krb5int_cc_getops(context, type, &ops); if (err) - return err; + return err; return ops->gen_new(context, id); } @@ -312,20 +313,20 @@ krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *t) *t = NULL; n = malloc(sizeof(*n)); if (n == NULL) - return ENOMEM; + return ENOMEM; err = k5_mutex_lock(&cc_typelist_lock); if (err) - goto errout; + goto errout; n->tptr = cc_typehead; err = k5_mutex_unlock(&cc_typelist_lock); if (err) - goto errout; + goto errout; *t = n; errout: if (err) - free(n); + free(n); return err; } @@ -339,16 +340,16 @@ krb5int_cc_typecursor_next( *ops = NULL; if (t->tptr == NULL) - return 0; + return 0; err = k5_mutex_lock(&cc_typelist_lock); if (err) - goto errout; + goto errout; *ops = t->tptr->ops; t->tptr = t->tptr->next; err = k5_mutex_unlock(&cc_typelist_lock); if (err) - goto errout; + goto errout; errout: return err; @@ -367,40 +368,40 @@ krb5_cc_move (krb5_context context, krb5_ccache src, krb5_ccache dst) { krb5_error_code ret = 0; krb5_principal princ = NULL; - + ret = krb5_cccol_lock(context); if (ret) { - return ret; + return ret; } - + ret = krb5_cc_lock(context, src); if (ret) { - krb5_cccol_unlock(context); - return ret; + krb5_cccol_unlock(context); + return ret; } - + ret = krb5_cc_get_principal(context, src, &princ); if (!ret) { - ret = krb5_cc_initialize(context, dst, princ); + ret = krb5_cc_initialize(context, dst, princ); } if (!ret) { - ret = krb5_cc_lock(context, dst); + ret = krb5_cc_lock(context, dst); } if (!ret) { - ret = krb5_cc_copy_creds(context, src, dst); - krb5_cc_unlock(context, dst); + ret = krb5_cc_copy_creds(context, src, dst); + krb5_cc_unlock(context, dst); } - + krb5_cc_unlock(context, src); if (!ret) { - ret = krb5_cc_destroy(context, src); + ret = krb5_cc_destroy(context, src); } krb5_cccol_unlock(context); if (princ) { - krb5_free_principal(context, princ); - princ = NULL; - } - + krb5_free_principal(context, princ); + princ = NULL; + } + return ret; } @@ -408,12 +409,12 @@ krb5_error_code k5_cc_mutex_init(k5_cc_mutex *m) { krb5_error_code ret = 0; - + ret = k5_mutex_init(&m->lock); if (ret) return ret; m->owner = NULL; m->refcount = 0; - + return ret; } @@ -421,12 +422,12 @@ krb5_error_code k5_cc_mutex_finish_init(k5_cc_mutex *m) { krb5_error_code ret = 0; - + ret = k5_mutex_finish_init(&m->lock); if (ret) return ret; m->owner = NULL; m->refcount = 0; - + return ret; } @@ -447,42 +448,42 @@ k5_cc_mutex_assert_unlocked(krb5_context context, k5_cc_mutex *m) assert(m->refcount == 0); assert(m->owner == NULL); #endif - k5_assert_unlocked(&m->lock); + k5_assert_unlocked(&m->lock); } krb5_error_code k5_cc_mutex_lock(krb5_context context, k5_cc_mutex *m) { krb5_error_code ret = 0; - + // not locked or already locked by another context if (m->owner != context) { - // acquire lock, blocking until available - ret = k5_mutex_lock(&m->lock); - m->owner = context; - m->refcount = 1; + // acquire lock, blocking until available + ret = k5_mutex_lock(&m->lock); + m->owner = context; + m->refcount = 1; } // already locked by this context, just increase refcount else { - m->refcount++; + m->refcount++; } - return ret; + return ret; } krb5_error_code k5_cc_mutex_unlock(krb5_context context, k5_cc_mutex *m) { krb5_error_code ret = 0; - + /* verify owner and sanity check refcount */ if ((m->owner != context) || (m->refcount < 1)) { - return ret; + return ret; } /* decrement & unlock when count reaches zero */ m->refcount--; if (m->refcount == 0) { - m->owner = NULL; - k5_mutex_unlock(&m->lock); + m->owner = NULL; + k5_mutex_unlock(&m->lock); } return ret; } @@ -492,13 +493,13 @@ krb5_error_code k5_cc_mutex_force_unlock(k5_cc_mutex *m) { krb5_error_code ret = 0; - + m->refcount = 0; m->owner = NULL; if (m->refcount > 0) { - k5_mutex_unlock(&m->lock); + k5_mutex_unlock(&m->lock); } - return ret; + return ret; } /* @@ -509,28 +510,28 @@ krb5_error_code KRB5_CALLCONV krb5_cccol_lock(krb5_context context) { krb5_error_code ret = 0; - + ret = k5_cc_mutex_lock(context, &cccol_lock); if (ret) { - return ret; - } + return ret; + } ret = k5_mutex_lock(&cc_typelist_lock); if (ret) { - k5_cc_mutex_unlock(context, &cccol_lock); - return ret; + k5_cc_mutex_unlock(context, &cccol_lock); + return ret; } ret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex); if (ret) { - k5_mutex_unlock(&cc_typelist_lock); - k5_cc_mutex_unlock(context, &cccol_lock); - return ret; + k5_mutex_unlock(&cc_typelist_lock); + k5_cc_mutex_unlock(context, &cccol_lock); + return ret; } ret = k5_cc_mutex_lock(context, &krb5int_mcc_mutex); if (ret) { - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_mutex_unlock(&cc_typelist_lock); - k5_cc_mutex_unlock(context, &cccol_lock); - return ret; + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_mutex_unlock(&cc_typelist_lock); + k5_cc_mutex_unlock(context, &cccol_lock); + return ret; } #ifdef USE_CCAPI_V3 ret = krb5_stdccv3_context_lock(context); @@ -539,11 +540,11 @@ krb5_cccol_lock(krb5_context context) ret = k5_cc_mutex_lock(context, &krb5int_krcc_mutex); #endif if (ret) { - k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); - k5_mutex_unlock(&cc_typelist_lock); - k5_cc_mutex_unlock(context, &cccol_lock); - return ret; + k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); + k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); + k5_mutex_unlock(&cc_typelist_lock); + k5_cc_mutex_unlock(context, &cccol_lock); + return ret; } k5_mutex_unlock(&cc_typelist_lock); return ret; @@ -553,15 +554,15 @@ krb5_error_code KRB5_CALLCONV krb5_cccol_unlock(krb5_context context) { krb5_error_code ret = 0; - + /* sanity check */ k5_cc_mutex_assert_locked(context, &cccol_lock); - + ret = k5_mutex_lock(&cc_typelist_lock); if (ret) { - k5_cc_mutex_unlock(context, &cccol_lock); - return ret; - } + k5_cc_mutex_unlock(context, &cccol_lock); + return ret; + } // unlock each type in the opposite order #ifdef USE_KEYRING_CCACHE @@ -588,20 +589,20 @@ krb5_error_code k5_cccol_force_unlock() { krb5_error_code ret = 0; - + /* sanity check */ if ((&cccol_lock)->refcount == 0) { - return 0; + return 0; } - + ret = k5_mutex_lock(&cc_typelist_lock); if (ret) { - (&cccol_lock)->refcount = 0; - (&cccol_lock)->owner = NULL; - k5_mutex_unlock(&(&cccol_lock)->lock); - return ret; - } - + (&cccol_lock)->refcount = 0; + (&cccol_lock)->owner = NULL; + k5_mutex_unlock(&(&cccol_lock)->lock); + return ret; + } + // unlock each type in the opposite order #ifdef USE_KEYRING_CCACHE k5_cc_mutex_force_unlock(&krb5int_krcc_mutex); @@ -611,9 +612,9 @@ k5_cccol_force_unlock() #endif k5_cc_mutex_force_unlock(&krb5int_mcc_mutex); k5_cc_mutex_force_unlock(&krb5int_cc_file_mutex); - + k5_mutex_unlock(&cc_typelist_lock); k5_cc_mutex_force_unlock(&cccol_lock); - + return ret; } diff --git a/src/lib/krb5/ccache/cccopy.c b/src/lib/krb5/ccache/cccopy.c index a9a45b501..36b3f4270 100644 --- a/src/lib/krb5/ccache/cccopy.c +++ b/src/lib/krb5/ccache/cccopy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "k5-int.h" krb5_error_code KRB5_CALLCONV @@ -8,29 +9,29 @@ krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc) krb5_cc_cursor cur = 0; krb5_creds creds; - flags = 0; /* turns off OPENCLOSE mode */ + flags = 0; /* turns off OPENCLOSE mode */ if ((code = krb5_cc_set_flags(context, incc, flags))) - return(code); + return(code); /* the code for this will open the file for reading only, which is not what I had in mind. So I won't turn off OPENCLOSE for the output ccache */ #if 0 if ((code = krb5_cc_set_flags(context, outcc, flags))) - return(code); + return(code); #endif if ((code = krb5_cc_start_seq_get(context, incc, &cur))) - goto cleanup; + goto cleanup; while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) { - code = krb5_cc_store_cred(context, outcc, &creds); - krb5_free_cred_contents(context, &creds); - if (code) - goto cleanup; + code = krb5_cc_store_cred(context, outcc, &creds); + krb5_free_cred_contents(context, &creds); + if (code) + goto cleanup; } if (code != KRB5_CC_END) - goto cleanup; + goto cleanup; code = krb5_cc_end_seq_get(context, incc, &cur); cur = 0; @@ -43,19 +44,19 @@ cleanup: flags = KRB5_TC_OPENCLOSE; /* If set then we are in an error pathway */ - if (cur) - krb5_cc_end_seq_get(context, incc, &cur); + if (cur) + krb5_cc_end_seq_get(context, incc, &cur); if (code) - krb5_cc_set_flags(context, incc, flags); + krb5_cc_set_flags(context, incc, flags); else - code = krb5_cc_set_flags(context, incc, flags); + code = krb5_cc_set_flags(context, incc, flags); #if 0 if (code) - krb5_cc_set_flags(context, outcc, flags); + krb5_cc_set_flags(context, outcc, flags); else - code = krb5_cc_set_flags(context, outcc, flags); + code = krb5_cc_set_flags(context, outcc, flags); #endif return(code); diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c index 5a062d443..852eff847 100644 --- a/src/lib/krb5/ccache/cccursor.c +++ b/src/lib/krb5/ccache/cccursor.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/cccursor.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -75,7 +76,7 @@ krb5_cccol_cursor_new( *cursor = NULL; n = malloc(sizeof(*n)); if (n == NULL) - return ENOMEM; + return ENOMEM; n->pos = CCCURSOR_CONTEXT; n->typecursor = NULL; @@ -83,27 +84,27 @@ krb5_cccol_cursor_new( n->ops = NULL; for (i = 0; i < NFULLNAMES; i++) { - n->fullnames[i].pfx = n->fullnames[i].res = NULL; + n->fullnames[i].pfx = n->fullnames[i].res = NULL; } n->cur_fullname = 0; ret = krb5int_cc_typecursor_new(context, &n->typecursor); if (ret) - goto errout; + goto errout; do { - /* Find first backend with ptcursor functionality. */ - ret = krb5int_cc_typecursor_next(context, n->typecursor, &n->ops); - if (ret || n->ops == NULL) - goto errout; + /* Find first backend with ptcursor functionality. */ + ret = krb5int_cc_typecursor_next(context, n->typecursor, &n->ops); + if (ret || n->ops == NULL) + goto errout; } while (n->ops->ptcursor_new == NULL); ret = n->ops->ptcursor_new(context, &n->ptcursor); if (ret) - goto errout; + goto errout; errout: if (ret) { - krb5_cccol_cursor_free(context, &n); + krb5_cccol_cursor_free(context, &n); } *cursor = n; return ret; @@ -124,48 +125,48 @@ krb5_cccol_cursor_next( switch (cursor->pos) { case CCCURSOR_CONTEXT: - name = os_ctx->default_ccname; - if (name != NULL) { - cursor->pos = CCCURSOR_ENV; - ret = cccol_do_resolve(context, cursor, name, ccache); - if (ret) - goto errout; - if (*ccache != NULL) - break; - } - /* fall through */ + name = os_ctx->default_ccname; + if (name != NULL) { + cursor->pos = CCCURSOR_ENV; + ret = cccol_do_resolve(context, cursor, name, ccache); + if (ret) + goto errout; + if (*ccache != NULL) + break; + } + /* fall through */ case CCCURSOR_ENV: - name = getenv(KRB5_ENV_CCNAME); - if (name != NULL) { - cursor->pos = CCCURSOR_OS; - ret = cccol_do_resolve(context, cursor, name, ccache); - if (ret) - goto errout; - if (*ccache != NULL) - break; - } - /* fall through */ + name = getenv(KRB5_ENV_CCNAME); + if (name != NULL) { + cursor->pos = CCCURSOR_OS; + ret = cccol_do_resolve(context, cursor, name, ccache); + if (ret) + goto errout; + if (*ccache != NULL) + break; + } + /* fall through */ case CCCURSOR_OS: - ret = krb5int_cc_os_default_name(context, &name); - if (ret) goto errout; - if (name != NULL) { - cursor->pos = CCCURSOR_PERTYPE; - ret = cccol_do_resolve(context, cursor, name, ccache); - free(name); - if (ret) - goto errout; - if (*ccache != NULL) - break; - } - /* fall through */ + ret = krb5int_cc_os_default_name(context, &name); + if (ret) goto errout; + if (name != NULL) { + cursor->pos = CCCURSOR_PERTYPE; + ret = cccol_do_resolve(context, cursor, name, ccache); + free(name); + if (ret) + goto errout; + if (*ccache != NULL) + break; + } + /* fall through */ case CCCURSOR_PERTYPE: - cursor->pos = CCCURSOR_PERTYPE; - do { - ret = cccol_pertype_next(context, cursor, ccache); - if (ret) - goto errout; - } while (cccol_already(context, cursor, ccache)); - break; + cursor->pos = CCCURSOR_PERTYPE; + do { + ret = cccol_pertype_next(context, cursor, ccache); + if (ret) + goto errout; + } while (cccol_already(context, cursor, ccache)); + break; } errout: return ret; @@ -180,18 +181,18 @@ krb5_cccol_cursor_free( int i; if (c == NULL) - return 0; + return 0; for (i = 0; i < NFULLNAMES; i++) { - if (c->fullnames[i].pfx != NULL) - free(c->fullnames[i].pfx); - if (c->fullnames[i].res != NULL) - free(c->fullnames[i].res); + if (c->fullnames[i].pfx != NULL) + free(c->fullnames[i].pfx); + if (c->fullnames[i].res != NULL) + free(c->fullnames[i].res); } if (c->ptcursor != NULL) - c->ops->ptcursor_free(context, &c->ptcursor); + c->ops->ptcursor_free(context, &c->ptcursor); if (c->typecursor != NULL) - krb5int_cc_typecursor_free(context, &c->typecursor); + krb5int_cc_typecursor_free(context, &c->typecursor); free(c); *cursor = NULL; @@ -200,7 +201,7 @@ krb5_cccol_cursor_free( krb5_error_code KRB5_CALLCONV krb5_cccol_last_change_time( - krb5_context context, + krb5_context context, krb5_timestamp *change_time) { krb5_error_code ret = 0; @@ -208,11 +209,11 @@ krb5_cccol_last_change_time( krb5_ccache ccache = NULL; krb5_timestamp last_time = 0; krb5_timestamp max_change_time = 0; - + *change_time = 0; - + ret = krb5_cccol_cursor_new(context, &c); - + while (!ret) { ret = krb5_cccol_cursor_next(context, c, &ccache); if (ccache) { @@ -248,19 +249,19 @@ cccol_already( int i; if (*ccache == NULL) - return 0; + return 0; name = krb5_cc_get_name(context, *ccache); if (name == NULL) - return 0; + return 0; prefix = krb5_cc_get_type(context, *ccache); assert(c->cur_fullname < NFULLNAMES); for (i = 0; i < c->cur_fullname; i++) { - if (cccol_cmpname(prefix, name, &c->fullnames[i])) { - krb5_cc_close(context, *ccache); - *ccache = NULL; - return 1; - } + if (cccol_cmpname(prefix, name, &c->fullnames[i])) { + krb5_cc_close(context, *ccache); + *ccache = NULL; + return 1; + } } return 0; } @@ -275,11 +276,11 @@ cccol_cmpname( struct cc_fullname *fullname) { if (fullname->pfx == NULL || fullname->res == NULL) - return 0; + return 0; if (strcmp(prefix, fullname->pfx)) - return 0; + return 0; if (strcmp(name, fullname->res)) - return 0; + return 0; return 1; } @@ -303,10 +304,10 @@ cccol_do_resolve( assert(cursor->cur_fullname < NFULLNAMES); ret = krb5_cc_resolve(context, name, ccache); if (ret) - return ret; + return ret; if (cccol_already(context, cursor, ccache)) - return 0; + return 0; fullname = &cursor->fullnames[cursor->cur_fullname]; fullname->pfx = strdup(krb5_cc_get_type(context, *ccache)); @@ -331,35 +332,35 @@ cccol_pertype_next( /* Are we out of backends? */ if (cursor->ops == NULL) - return 0; + return 0; /* * Loop in case there are multiple backends with empty ccache * lists. */ while (*ccache == NULL) { - ret = cursor->ops->ptcursor_next(context, cursor->ptcursor, ccache); - if (ret) - goto errout; - if (*ccache != NULL) - return 0; - - ret = cursor->ops->ptcursor_free(context, &cursor->ptcursor); - if (ret) - goto errout; - - do { - /* Find first backend with ptcursor functionality. */ - ret = krb5int_cc_typecursor_next(context, cursor->typecursor, - &cursor->ops); - if (ret) - goto errout; - if (cursor->ops == NULL) - return 0; - } while (cursor->ops->ptcursor_new == NULL); - - ret = cursor->ops->ptcursor_new(context, &cursor->ptcursor); - if (ret) - goto errout; + ret = cursor->ops->ptcursor_next(context, cursor->ptcursor, ccache); + if (ret) + goto errout; + if (*ccache != NULL) + return 0; + + ret = cursor->ops->ptcursor_free(context, &cursor->ptcursor); + if (ret) + goto errout; + + do { + /* Find first backend with ptcursor functionality. */ + ret = krb5int_cc_typecursor_next(context, cursor->typecursor, + &cursor->ops); + if (ret) + goto errout; + if (cursor->ops == NULL) + return 0; + } while (cursor->ops->ptcursor_new == NULL); + + ret = cursor->ops->ptcursor_new(context, &cursor->ptcursor); + if (ret) + goto errout; } errout: return ret; diff --git a/src/lib/krb5/ccache/ccdefault.c b/src/lib/krb5/ccache/ccdefault.c index c4f9f292e..a4498d069 100644 --- a/src/lib/krb5/ccache/ccdefault.c +++ b/src/lib/krb5/ccache/ccdefault.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/ccdefault.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Find default credential cache */ @@ -46,20 +47,20 @@ static HANDLE hLeashDLL = INVALID_HANDLE_VALUE; krb5_error_code KRB5_CALLCONV krb5_cc_default(krb5_context context, krb5_ccache *ccache) { - const char *default_name; - - if (!context || context->magic != KV5M_CONTEXT) - return KV5M_CONTEXT; - - default_name = krb5_cc_default_name(context); - if (default_name == NULL) { - /* Could be a bogus context, or an allocation failure, or - other things. Unfortunately the API doesn't allow us - to find out any specifics. */ - return KRB5_FCC_INTERNAL; - } - - return krb5_cc_resolve(context, default_name, ccache); + const char *default_name; + + if (!context || context->magic != KV5M_CONTEXT) + return KV5M_CONTEXT; + + default_name = krb5_cc_default_name(context); + if (default_name == NULL) { + /* Could be a bogus context, or an allocation failure, or + other things. Unfortunately the API doesn't allow us + to find out any specifics. */ + return KRB5_FCC_INTERNAL; + } + + return krb5_cc_resolve(context, default_name, ccache); } /* This is the internal function which opens the default ccache. On @@ -85,35 +86,35 @@ krb5int_cc_default(krb5_context context, krb5_ccache *ccache) kim_identity identity = KIM_IDENTITY_ANY; kim_credential_state state; kim_string name = NULL; - - err = kim_ccache_create_from_display_name (&kimccache, + + err = kim_ccache_create_from_display_name (&kimccache, krb5_cc_default_name (context)); - + if (!err) { err = kim_ccache_get_client_identity (kimccache, &identity); } - + if (!err) { err = kim_ccache_get_state (kimccache, &state); } - + if (err || state != kim_credentials_state_valid) { /* Either the ccache is does not exist or is invalid. Get new * tickets. Use the identity in the ccache if there was one. */ kim_ccache_free (&kimccache); - err = kim_ccache_create_new (&kimccache, + err = kim_ccache_create_new (&kimccache, identity, KIM_OPTIONS_DEFAULT); } - + if (!err) { err = kim_ccache_get_display_name (kimccache, &name); } - + if (!err) { - krb5_cc_set_default_name (context, name); + krb5_cc_set_default_name (context, name); } - kim_identity_free (&identity); + kim_identity_free (&identity); kim_string_free (&name); kim_ccache_free (&kimccache); } @@ -123,19 +124,19 @@ krb5int_cc_default(krb5_context context, krb5_ccache *ccache) hLeashDLL = LoadLibrary(LEASH_DLL); if ( hLeashDLL != INVALID_HANDLE_VALUE ) { (FARPROC) pLeash_AcquireInitialTicketsIfNeeded = - GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded"); + GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded"); } } - + if ( pLeash_AcquireInitialTicketsIfNeeded ) { - char ccname[256]=""; + char ccname[256]=""; pLeash_AcquireInitialTicketsIfNeeded(context, NULL, ccname, sizeof(ccname)); - if (ccname[0]) { + if (ccname[0]) { char * ccdefname = krb5_cc_default_name (context); if (!ccdefname || strcmp (ccdefname, ccname) != 0) { krb5_cc_set_default_name (context, ccname); } - } + } } #endif #endif diff --git a/src/lib/krb5/ccache/ccdefops.c b/src/lib/krb5/ccache/ccdefops.c index 949758bdf..e517a2543 100644 --- a/src/lib/krb5/ccache/ccdefops.c +++ b/src/lib/krb5/ccache/ccdefops.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/ccdefops.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Default credentials cache determination. This is a separate file * so that the user can more easily override it. @@ -35,7 +36,7 @@ /* * Macs use the shared, memory based credentials cache * Windows may also use the ccapi cache, but only if the Krbcc32.dll - * can be found; otherwise it falls back to using the old + * can be found; otherwise it falls back to using the old * file-based ccache. */ #include "stdcc.h" /* from ccapi subdir */ diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c index abfc037be..e12dd563f 100644 --- a/src/lib/krb5/ccache/ccfns.c +++ b/src/lib/krb5/ccache/ccfns.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/ccfns.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -44,7 +45,7 @@ krb5_cc_gen_new (krb5_context context, krb5_ccache *cache) krb5_error_code KRB5_CALLCONV krb5_cc_initialize(krb5_context context, krb5_ccache cache, - krb5_principal principal) + krb5_principal principal) { return cache->ops->init(context, cache, principal); } @@ -63,7 +64,7 @@ krb5_cc_close (krb5_context context, krb5_ccache cache) krb5_error_code KRB5_CALLCONV krb5_cc_store_cred (krb5_context context, krb5_ccache cache, - krb5_creds *creds) + krb5_creds *creds) { krb5_error_code ret; krb5_ticket *tkt; @@ -97,17 +98,17 @@ krb5_cc_store_cred (krb5_context context, krb5_ccache cache, krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache, - krb5_flags flags, krb5_creds *mcreds, - krb5_creds *creds) + krb5_flags flags, krb5_creds *mcreds, + krb5_creds *creds) { krb5_error_code ret; krb5_data tmprealm; ret = cache->ops->retrieve(context, cache, flags, mcreds, creds); if (ret != KRB5_CC_NOTFOUND) - return ret; + return ret; if (!krb5_is_referral_realm(&mcreds->server->realm)) - return ret; + return ret; /* * Retry using client's realm if service has referral realm. @@ -121,35 +122,35 @@ krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache, krb5_error_code KRB5_CALLCONV krb5_cc_get_principal (krb5_context context, krb5_ccache cache, - krb5_principal *principal) + krb5_principal *principal) { return cache->ops->get_princ(context, cache, principal); } krb5_error_code KRB5_CALLCONV krb5_cc_start_seq_get (krb5_context context, krb5_ccache cache, - krb5_cc_cursor *cursor) + krb5_cc_cursor *cursor) { return cache->ops->get_first(context, cache, cursor); } krb5_error_code KRB5_CALLCONV krb5_cc_next_cred (krb5_context context, krb5_ccache cache, - krb5_cc_cursor *cursor, krb5_creds *creds) + krb5_cc_cursor *cursor, krb5_creds *creds) { return cache->ops->get_next(context, cache, cursor, creds); } krb5_error_code KRB5_CALLCONV krb5_cc_end_seq_get (krb5_context context, krb5_ccache cache, - krb5_cc_cursor *cursor) + krb5_cc_cursor *cursor) { return cache->ops->end_get(context, cache, cursor); } krb5_error_code KRB5_CALLCONV krb5_cc_remove_cred (krb5_context context, krb5_ccache cache, krb5_flags flags, - krb5_creds *creds) + krb5_creds *creds) { return cache->ops->remove_cred(context, cache, flags, creds); } @@ -173,8 +174,8 @@ krb5_cc_get_type (krb5_context context, krb5_ccache cache) } krb5_error_code KRB5_CALLCONV -krb5_cc_last_change_time (krb5_context context, krb5_ccache ccache, - krb5_timestamp *change_time) +krb5_cc_last_change_time (krb5_context context, krb5_ccache ccache, + krb5_timestamp *change_time) { return ccache->ops->lastchange(context, ccache, change_time); } @@ -190,4 +191,3 @@ krb5_cc_unlock (krb5_context context, krb5_ccache ccache) { return ccache->ops->unlock(context, ccache); } - diff --git a/src/lib/krb5/ccache/fcc.h b/src/lib/krb5/ccache/fcc.h index f349da998..7ca60da8b 100644 --- a/src/lib/krb5/ccache/fcc.h +++ b/src/lib/krb5/ccache/fcc.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/file/fcc.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * This file contains constant and function declarations used in the * file-based credential cache routines. diff --git a/src/lib/krb5/ccache/scc.h b/src/lib/krb5/ccache/scc.h index 98acbc25c..c6b5254ba 100644 --- a/src/lib/krb5/ccache/scc.h +++ b/src/lib/krb5/ccache/scc.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/stdio/scc.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * This file contains constant and function declarations used in the * file-based credential cache routines. @@ -46,14 +47,14 @@ * */ -#define KRB5_SCC_FVNO_1 0x0501 /* krb v5, scc v1 */ -#define KRB5_SCC_FVNO_2 0x0502 /* krb v5, scc v2 */ -#define KRB5_SCC_FVNO_3 0x0503 /* krb v5, scc v3 */ -#define KRB5_SCC_FVNO_4 0x0504 /* krb v5, scc v4 */ +#define KRB5_SCC_FVNO_1 0x0501 /* krb v5, scc v1 */ +#define KRB5_SCC_FVNO_2 0x0502 /* krb v5, scc v2 */ +#define KRB5_SCC_FVNO_3 0x0503 /* krb v5, scc v3 */ +#define KRB5_SCC_FVNO_4 0x0504 /* krb v5, scc v4 */ -#define SCC_OPEN_AND_ERASE 1 -#define SCC_OPEN_RDWR 2 -#define SCC_OPEN_RDONLY 3 +#define SCC_OPEN_AND_ERASE 1 +#define SCC_OPEN_RDWR 2 +#define SCC_OPEN_RDONLY 3 /* Credential file header tags. * The header tags are constructed as: @@ -63,7 +64,7 @@ * This format allows for older versions of the fcc processing code to skip * past unrecognized tag formats. */ -#define SCC_TAG_DELTATIME 1 +#define SCC_TAG_DELTATIME 1 #ifndef TKT_ROOT #define TKT_ROOT "/tmp/tkt" @@ -73,11 +74,11 @@ #define OPENCLOSE(id) (((krb5_scc_data *)id->data)->flags & KRB5_TC_OPENCLOSE) typedef struct _krb5_scc_data { - char *filename; - FILE *file; - krb5_flags flags; - char stdio_buffer[BUFSIZ]; - int version; + char *filename; + FILE *file; + krb5_flags flags; + char stdio_buffer[BUFSIZ]; + int version; } krb5_scc_data; /* An off_t can be arbitrarily complex */ @@ -85,17 +86,17 @@ typedef struct _krb5_scc_cursor { long pos; } krb5_scc_cursor; -#define MAYBE_OPEN(context, ID, MODE) \ -{ \ - if (OPENCLOSE (ID)) { \ - krb5_error_code maybe_open_ret = krb5_scc_open_file (context, ID,MODE); \ - if (maybe_open_ret) return maybe_open_ret; } } +#define MAYBE_OPEN(context, ID, MODE) \ + { \ + if (OPENCLOSE (ID)) { \ + krb5_error_code maybe_open_ret = krb5_scc_open_file (context, ID,MODE); \ + if (maybe_open_ret) return maybe_open_ret; } } -#define MAYBE_CLOSE(context, ID, RET) \ -{ \ - if (OPENCLOSE (ID)) { \ - krb5_error_code maybe_close_ret = krb5_scc_close_file (context, ID); \ - if (!(RET)) RET = maybe_close_ret; } } +#define MAYBE_CLOSE(context, ID, RET) \ + { \ + if (OPENCLOSE (ID)) { \ + krb5_error_code maybe_close_ret = krb5_scc_close_file (context, ID); \ + if (!(RET)) RET = maybe_close_ret; } } /* DO NOT ADD ANYTHING AFTER THIS #endif */ #endif /* __KRB5_FILE_CCACHE__ */ diff --git a/src/lib/krb5/ccache/ser_cc.c b/src/lib/krb5/ccache/ser_cc.c index 882dbf714..dfe5e6040 100644 --- a/src/lib/krb5/ccache/ser_cc.c +++ b/src/lib/krb5/ccache/ser_cc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/ser_rc.c * @@ -32,129 +33,129 @@ /* * Routines to deal with externalizing krb5_ccache. - * krb5_ccache_size(); - * krb5_ccache_externalize(); - * krb5_ccache_internalize(); + * krb5_ccache_size(); + * krb5_ccache_externalize(); + * krb5_ccache_internalize(); */ static krb5_error_code krb5_ccache_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_ccache_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_ccache_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Serialization entry for this type. */ static const krb5_ser_entry krb5_ccache_ser_entry = { - KV5M_CCACHE, /* Type */ - krb5_ccache_size, /* Sizer routine */ - krb5_ccache_externalize, /* Externalize routine */ - krb5_ccache_internalize /* Internalize routine */ + KV5M_CCACHE, /* Type */ + krb5_ccache_size, /* Sizer routine */ + krb5_ccache_externalize, /* Externalize routine */ + krb5_ccache_internalize /* Internalize routine */ }; /* - * krb5_ccache_size() - Determine the size required to externalize - * this krb5_ccache variant. + * krb5_ccache_size() - Determine the size required to externalize + * this krb5_ccache variant. */ static krb5_error_code krb5_ccache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_ccache ccache; - size_t required; + krb5_error_code kret; + krb5_ccache ccache; + size_t required; kret = EINVAL; if ((ccache = (krb5_ccache) arg)) { - /* - * Saving FILE: variants of krb5_ccache requires at minimum: - * krb5_int32 for KV5M_CCACHE - * krb5_int32 for length of ccache name. - * krb5_int32 for KV5M_CCACHE - */ - required = sizeof(krb5_int32) * 3; - if (ccache->ops->prefix) - required += (strlen(ccache->ops->prefix)+1); - - /* - * The ccache name is formed as follows: - * : - */ - required += strlen(krb5_cc_get_name(kcontext, ccache)); - - kret = 0; - *sizep += required; + /* + * Saving FILE: variants of krb5_ccache requires at minimum: + * krb5_int32 for KV5M_CCACHE + * krb5_int32 for length of ccache name. + * krb5_int32 for KV5M_CCACHE + */ + required = sizeof(krb5_int32) * 3; + if (ccache->ops->prefix) + required += (strlen(ccache->ops->prefix)+1); + + /* + * The ccache name is formed as follows: + * : + */ + required += strlen(krb5_cc_get_name(kcontext, ccache)); + + kret = 0; + *sizep += required; } return(kret); } /* - * krb5_ccache_externalize() - Externalize the krb5_ccache. + * krb5_ccache_externalize() - Externalize the krb5_ccache. */ static krb5_error_code krb5_ccache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_ccache ccache; - size_t required; - krb5_octet *bp; - size_t remain; - char *ccname; - const char *fnamep; + krb5_error_code kret; + krb5_ccache ccache; + size_t required; + krb5_octet *bp; + size_t remain; + char *ccname; + const char *fnamep; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((ccache = (krb5_ccache) arg)) { - kret = ENOMEM; - if (!krb5_ccache_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain); - - fnamep = krb5_cc_get_name(kcontext, ccache); - - if (ccache->ops->prefix) { - if (asprintf(&ccname, "%s:%s", ccache->ops->prefix, fnamep) < 0) - ccname = NULL; - } else - ccname = strdup(fnamep); - - if (ccname) { - /* Put the length of the file name */ - (void) krb5_ser_pack_int32((krb5_int32) strlen(ccname), - &bp, &remain); - - /* Put the name */ - (void) krb5_ser_pack_bytes((krb5_octet *) ccname, - strlen(ccname), - &bp, &remain); - - /* Put the trailer */ - (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain); - kret = 0; - *buffer = bp; - *lenremain = remain; - free(ccname); - } - } + kret = ENOMEM; + if (!krb5_ccache_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain); + + fnamep = krb5_cc_get_name(kcontext, ccache); + + if (ccache->ops->prefix) { + if (asprintf(&ccname, "%s:%s", ccache->ops->prefix, fnamep) < 0) + ccname = NULL; + } else + ccname = strdup(fnamep); + + if (ccname) { + /* Put the length of the file name */ + (void) krb5_ser_pack_int32((krb5_int32) strlen(ccname), + &bp, &remain); + + /* Put the name */ + (void) krb5_ser_pack_bytes((krb5_octet *) ccname, + strlen(ccname), + &bp, &remain); + + /* Put the trailer */ + (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain); + kret = 0; + *buffer = bp; + *lenremain = remain; + free(ccname); + } + } } return(kret); } /* - * krb5_ccache_internalize() - Internalize the krb5_ccache. + * krb5_ccache_internalize() - Internalize the krb5_ccache. */ static krb5_error_code krb5_ccache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_ccache ccache; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - char *ccname = NULL; + krb5_error_code kret; + krb5_ccache ccache; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + char *ccname = NULL; *argp = NULL; @@ -164,40 +165,40 @@ krb5_ccache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet ** /* Read our magic number. */ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (kret) - return kret; + return kret; if (ibuf != KV5M_CCACHE) - return EINVAL; + return EINVAL; /* Unpack and validate the length of the ccache name. */ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (kret) - return kret; + return kret; if (ibuf < 0 || ibuf > remain) - return EINVAL; + return EINVAL; /* Allocate and unpack the name. */ ccname = malloc(ibuf + 1); if (!ccname) - return ENOMEM; + return ENOMEM; kret = krb5_ser_unpack_bytes((krb5_octet *) ccname, (size_t) ibuf, - &bp, &remain); + &bp, &remain); if (kret) - goto cleanup; + goto cleanup; ccname[ibuf] = '\0'; /* Read the second magic number. */ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (kret) - goto cleanup; + goto cleanup; if (ibuf != KV5M_CCACHE) { - kret = EINVAL; - goto cleanup; + kret = EINVAL; + goto cleanup; } /* Resolve the named credential cache. */ kret = krb5_cc_resolve(kcontext, ccname, &ccache); if (kret) - goto cleanup; + goto cleanup; *buffer = bp; *lenremain = remain; diff --git a/src/lib/krb5/ccache/t_cc.c b/src/lib/krb5/ccache/t_cc.c index c243809a6..466fa232f 100644 --- a/src/lib/krb5/ccache/t_cc.c +++ b/src/lib/krb5/ccache/t_cc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/scc_test.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * */ @@ -44,273 +45,273 @@ int debug=0; static void init_structs(void) { - static int add=0x12345; - - static krb5_address addr; - - static krb5_address *addrs[] = { - &addr, - 0, - }; - - addr.magic = KV5M_ADDRESS; - addr.addrtype = ADDRTYPE_INET; - addr.length = 4; - addr.contents = (krb5_octet *) &add; - - test_creds.magic = KV5M_CREDS; - test_creds.client = NULL; - test_creds.server = NULL; - - test_creds.keyblock.magic = KV5M_KEYBLOCK; - test_creds.keyblock.contents = 0; - test_creds.keyblock.enctype = 1; - test_creds.keyblock.length = 1; - test_creds.keyblock.contents = (unsigned char *) "1"; - test_creds.times.authtime = 1111; - test_creds.times.starttime = 2222; - test_creds.times.endtime = 3333; - test_creds.times.renew_till = 4444; - test_creds.is_skey = 1; - test_creds.ticket_flags = 5555; - test_creds.addresses = addrs; - + static int add=0x12345; + + static krb5_address addr; + + static krb5_address *addrs[] = { + &addr, + 0, + }; + + addr.magic = KV5M_ADDRESS; + addr.addrtype = ADDRTYPE_INET; + addr.length = 4; + addr.contents = (krb5_octet *) &add; + + test_creds.magic = KV5M_CREDS; + test_creds.client = NULL; + test_creds.server = NULL; + + test_creds.keyblock.magic = KV5M_KEYBLOCK; + test_creds.keyblock.contents = 0; + test_creds.keyblock.enctype = 1; + test_creds.keyblock.length = 1; + test_creds.keyblock.contents = (unsigned char *) "1"; + test_creds.times.authtime = 1111; + test_creds.times.starttime = 2222; + test_creds.times.endtime = 3333; + test_creds.times.renew_till = 4444; + test_creds.is_skey = 1; + test_creds.ticket_flags = 5555; + test_creds.addresses = addrs; + #define SET_TICKET(ent, str) {ent.magic = KV5M_DATA; ent.length = sizeof(str); ent.data = str;} - SET_TICKET(test_creds.ticket, "This is ticket 1"); - SET_TICKET(test_creds.second_ticket, "This is ticket 2"); - test_creds.authdata = NULL; + SET_TICKET(test_creds.ticket, "This is ticket 1"); + SET_TICKET(test_creds.second_ticket, "This is ticket 2"); + test_creds.authdata = NULL; } static krb5_error_code init_test_cred(krb5_context context) { - krb5_error_code kret; - unsigned int i; - krb5_authdata *a; + krb5_error_code kret; + unsigned int i; + krb5_authdata *a; #define REALM "REALM" - kret = krb5_build_principal(context, &test_creds.client, sizeof(REALM), REALM, - "client-comp1", "client-comp2", NULL); - if(kret) - return kret; - - kret = krb5_build_principal(context, &test_creds.server, sizeof(REALM), REALM, - "server-comp1", "server-comp2", NULL); - if(kret) { - krb5_free_principal(context, test_creds.client); - test_creds.client = 0; - goto cleanup; - } - - test_creds.authdata = malloc (3 * sizeof(krb5_authdata *)); - if (!test_creds.authdata) { - kret = ENOMEM; - goto cleanup; - } - - for (i = 0 ; i <= 2 ; i++) { - test_creds.authdata[i] = 0; - } - a = (krb5_authdata *) malloc(sizeof(krb5_authdata)); - if(!a) { - kret = ENOMEM; - goto cleanup; - } - a->magic = KV5M_AUTHDATA; - a->ad_type = KRB5_AUTHDATA_IF_RELEVANT; - a->contents = (krb5_octet * ) malloc(1); - if(!a->contents) { - free(a); - kret = ENOMEM; - goto cleanup; - } - a->contents[0]=5; - a->length = 1; - test_creds.authdata[0] = a; - - a = (krb5_authdata *) malloc(sizeof(krb5_authdata)); - if(!a) { - kret = ENOMEM; - goto cleanup; - } - a->magic = KV5M_AUTHDATA; - a->ad_type = KRB5_AUTHDATA_KDC_ISSUED; - a->contents = (krb5_octet * ) malloc(2); - if(!a->contents) { - free(a); - kret = ENOMEM; - goto cleanup; - } - a->contents[0]=4; - a->contents[1]=6; - a->length = 2; - test_creds.authdata[1] = a; - + kret = krb5_build_principal(context, &test_creds.client, sizeof(REALM), REALM, + "client-comp1", "client-comp2", NULL); + if(kret) + return kret; + + kret = krb5_build_principal(context, &test_creds.server, sizeof(REALM), REALM, + "server-comp1", "server-comp2", NULL); + if(kret) { + krb5_free_principal(context, test_creds.client); + test_creds.client = 0; + goto cleanup; + } + + test_creds.authdata = malloc (3 * sizeof(krb5_authdata *)); + if (!test_creds.authdata) { + kret = ENOMEM; + goto cleanup; + } + + for (i = 0 ; i <= 2 ; i++) { + test_creds.authdata[i] = 0; + } + a = (krb5_authdata *) malloc(sizeof(krb5_authdata)); + if(!a) { + kret = ENOMEM; + goto cleanup; + } + a->magic = KV5M_AUTHDATA; + a->ad_type = KRB5_AUTHDATA_IF_RELEVANT; + a->contents = (krb5_octet * ) malloc(1); + if(!a->contents) { + free(a); + kret = ENOMEM; + goto cleanup; + } + a->contents[0]=5; + a->length = 1; + test_creds.authdata[0] = a; + + a = (krb5_authdata *) malloc(sizeof(krb5_authdata)); + if(!a) { + kret = ENOMEM; + goto cleanup; + } + a->magic = KV5M_AUTHDATA; + a->ad_type = KRB5_AUTHDATA_KDC_ISSUED; + a->contents = (krb5_octet * ) malloc(2); + if(!a->contents) { + free(a); + kret = ENOMEM; + goto cleanup; + } + a->contents[0]=4; + a->contents[1]=6; + a->length = 2; + test_creds.authdata[1] = a; + cleanup: - if(kret) { - if (test_creds.client) { - krb5_free_principal(context, test_creds.client); - test_creds.client = 0; - } - if (test_creds.server) { - krb5_free_principal(context, test_creds.server); - test_creds.server = 0; - - } - if (test_creds.authdata) { - krb5_free_authdata(context, test_creds.authdata); - test_creds.authdata = 0; - } - } - - return kret; + if(kret) { + if (test_creds.client) { + krb5_free_principal(context, test_creds.client); + test_creds.client = 0; + } + if (test_creds.server) { + krb5_free_principal(context, test_creds.server); + test_creds.server = 0; + + } + if (test_creds.authdata) { + krb5_free_authdata(context, test_creds.authdata); + test_creds.authdata = 0; + } + } + + return kret; } static void free_test_cred(krb5_context context) { - krb5_free_principal(context, test_creds.client); - - krb5_free_principal(context, test_creds.server); - - if(test_creds.authdata) { - krb5_free_authdata(context, test_creds.authdata); - test_creds.authdata = 0; - } + krb5_free_principal(context, test_creds.client); + + krb5_free_principal(context, test_creds.server); + + if(test_creds.authdata) { + krb5_free_authdata(context, test_creds.authdata); + test_creds.authdata = 0; + } } -#define CHECK(kret,msg) \ - if (kret != KRB5_OK) {\ - com_err(msg, kret, ""); \ - fflush(stderr);\ - exit(1);\ - } else if(debug) printf("%s went ok\n", msg); +#define CHECK(kret,msg) \ + if (kret != KRB5_OK) { \ + com_err(msg, kret, ""); \ + fflush(stderr); \ + exit(1); \ + } else if(debug) printf("%s went ok\n", msg); -#define CHECK_STR(str,msg) \ - if (str == 0) {\ - com_err(msg, kret, "");\ - exit(1);\ - } else if(debug) printf("%s went ok\n", msg); +#define CHECK_STR(str,msg) \ + if (str == 0) { \ + com_err(msg, kret, ""); \ + exit(1); \ + } else if(debug) printf("%s went ok\n", msg); -#define CHECK_BOOL(expr,errstr,msg) \ - if (expr) {\ - fprintf(stderr, "%s %s\n", msg, errstr); \ - exit(1); \ - } else if(debug) printf("%s went ok\n", msg); +#define CHECK_BOOL(expr,errstr,msg) \ + if (expr) { \ + fprintf(stderr, "%s %s\n", msg, errstr); \ + exit(1); \ + } else if(debug) printf("%s went ok\n", msg); -#define CHECK_FAIL(experr, kret, msg) \ - if (experr != kret) { CHECK(kret, msg);} +#define CHECK_FAIL(experr, kret, msg) \ + if (experr != kret) { CHECK(kret, msg);} static void cc_test(krb5_context context, const char *name, krb5_flags flags) { - krb5_ccache id, id2; - krb5_creds creds; - krb5_error_code kret; - krb5_cc_cursor cursor; - krb5_principal tmp; - - const char *c_name; - char newcache[300]; - char *save_type; - - kret = init_test_cred(context); - CHECK(kret, "init_creds"); - - kret = krb5_cc_resolve(context, name, &id); - CHECK(kret, "resolve"); - kret = krb5_cc_initialize(context, id, test_creds.client); - CHECK(kret, "initialize"); - - c_name = krb5_cc_get_name(context, id); - CHECK_STR(c_name, "get_name"); - - c_name = krb5_cc_get_type(context, id); - CHECK_STR(c_name, "get_type"); - save_type=strdup(c_name); - CHECK_STR(save_type, "copying type"); - - kret = krb5_cc_store_cred(context, id, &test_creds); - CHECK(kret, "store"); - - kret = krb5_cc_get_principal(context, id, &tmp); - CHECK(kret, "get_principal"); - - CHECK_BOOL(krb5_realm_compare(context, tmp, test_creds.client) != TRUE, - "realms do not match", "realm_compare"); - - - CHECK_BOOL(krb5_principal_compare(context, tmp, test_creds.client) != TRUE, - "principals do not match", "principal_compare"); - - krb5_free_principal(context, tmp); - - kret = krb5_cc_set_flags (context, id, flags); - CHECK(kret, "set_flags"); - - kret = krb5_cc_start_seq_get(context, id, &cursor); - CHECK(kret, "start_seq_get"); - kret = 0; - while (kret != KRB5_CC_END) { - if(debug) printf("Calling next_cred\n"); - kret = krb5_cc_next_cred(context, id, &cursor, &creds); - if(kret == KRB5_CC_END) { - if(debug) printf("next_cred: ok at end\n"); - } - else { - CHECK(kret, "next_cred"); - krb5_free_cred_contents(context, &creds); - } - - } - kret = krb5_cc_end_seq_get(context, id, &cursor); - CHECK(kret, "end_seq_get"); - - kret = krb5_cc_close(context, id); - CHECK(kret, "close"); - - - /* ------------------------------------------------- */ - kret = krb5_cc_resolve(context, name, &id); - CHECK(kret, "resolve2"); - - { - /* Copy the cache test*/ - snprintf(newcache, sizeof(newcache), "%s.new", name); - kret = krb5_cc_resolve(context, newcache, &id2); - CHECK(kret, "resolve of new cache"); - - /* This should fail as the new creds are not initialized */ - kret = krb5_cc_copy_creds(context, id, id2); - CHECK_FAIL(KRB5_FCC_NOFILE, kret, "copy_creds"); - - kret = krb5_cc_initialize(context, id2, test_creds.client); - CHECK(kret, "initialize of id2"); - - kret = krb5_cc_copy_creds(context, id, id2); - CHECK(kret, "copy_creds"); - - kret = krb5_cc_destroy(context, id2); - CHECK(kret, "destroy new cache"); - } - - /* Destroy the first cache */ - kret = krb5_cc_destroy(context, id); - CHECK(kret, "destroy"); - - /* ----------------------------------------------------- */ - /* Tests the generate new code */ - kret = krb5_cc_new_unique(context, save_type, - NULL, &id2); - CHECK(kret, "new_unique"); - - kret = krb5_cc_initialize(context, id2, test_creds.client); - CHECK(kret, "initialize"); - - kret = krb5_cc_store_cred(context, id2, &test_creds); - CHECK(kret, "store"); - - kret = krb5_cc_destroy(context, id2); - CHECK(kret, "destroy id2"); - - free(save_type); - free_test_cred(context); + krb5_ccache id, id2; + krb5_creds creds; + krb5_error_code kret; + krb5_cc_cursor cursor; + krb5_principal tmp; + + const char *c_name; + char newcache[300]; + char *save_type; + + kret = init_test_cred(context); + CHECK(kret, "init_creds"); + + kret = krb5_cc_resolve(context, name, &id); + CHECK(kret, "resolve"); + kret = krb5_cc_initialize(context, id, test_creds.client); + CHECK(kret, "initialize"); + + c_name = krb5_cc_get_name(context, id); + CHECK_STR(c_name, "get_name"); + + c_name = krb5_cc_get_type(context, id); + CHECK_STR(c_name, "get_type"); + save_type=strdup(c_name); + CHECK_STR(save_type, "copying type"); + + kret = krb5_cc_store_cred(context, id, &test_creds); + CHECK(kret, "store"); + + kret = krb5_cc_get_principal(context, id, &tmp); + CHECK(kret, "get_principal"); + + CHECK_BOOL(krb5_realm_compare(context, tmp, test_creds.client) != TRUE, + "realms do not match", "realm_compare"); + + + CHECK_BOOL(krb5_principal_compare(context, tmp, test_creds.client) != TRUE, + "principals do not match", "principal_compare"); + + krb5_free_principal(context, tmp); + + kret = krb5_cc_set_flags (context, id, flags); + CHECK(kret, "set_flags"); + + kret = krb5_cc_start_seq_get(context, id, &cursor); + CHECK(kret, "start_seq_get"); + kret = 0; + while (kret != KRB5_CC_END) { + if(debug) printf("Calling next_cred\n"); + kret = krb5_cc_next_cred(context, id, &cursor, &creds); + if(kret == KRB5_CC_END) { + if(debug) printf("next_cred: ok at end\n"); + } + else { + CHECK(kret, "next_cred"); + krb5_free_cred_contents(context, &creds); + } + + } + kret = krb5_cc_end_seq_get(context, id, &cursor); + CHECK(kret, "end_seq_get"); + + kret = krb5_cc_close(context, id); + CHECK(kret, "close"); + + + /* ------------------------------------------------- */ + kret = krb5_cc_resolve(context, name, &id); + CHECK(kret, "resolve2"); + + { + /* Copy the cache test*/ + snprintf(newcache, sizeof(newcache), "%s.new", name); + kret = krb5_cc_resolve(context, newcache, &id2); + CHECK(kret, "resolve of new cache"); + + /* This should fail as the new creds are not initialized */ + kret = krb5_cc_copy_creds(context, id, id2); + CHECK_FAIL(KRB5_FCC_NOFILE, kret, "copy_creds"); + + kret = krb5_cc_initialize(context, id2, test_creds.client); + CHECK(kret, "initialize of id2"); + + kret = krb5_cc_copy_creds(context, id, id2); + CHECK(kret, "copy_creds"); + + kret = krb5_cc_destroy(context, id2); + CHECK(kret, "destroy new cache"); + } + + /* Destroy the first cache */ + kret = krb5_cc_destroy(context, id); + CHECK(kret, "destroy"); + + /* ----------------------------------------------------- */ + /* Tests the generate new code */ + kret = krb5_cc_new_unique(context, save_type, + NULL, &id2); + CHECK(kret, "new_unique"); + + kret = krb5_cc_initialize(context, id2, test_creds.client); + CHECK(kret, "initialize"); + + kret = krb5_cc_store_cred(context, id2, &test_creds); + CHECK(kret, "store"); + + kret = krb5_cc_destroy(context, id2); + CHECK(kret, "destroy id2"); + + free(save_type); + free_test_cred(context); } @@ -319,66 +320,66 @@ static void cc_test(krb5_context context, const char *name, krb5_flags flags) */ static int check_registered(krb5_context context, const char *prefix) { - char name[300]; - krb5_error_code kret; - krb5_ccache id; - - snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid()); - - kret = krb5_cc_resolve(context, name, &id); - if(kret != KRB5_OK) { - if(kret == KRB5_CC_UNKNOWN_TYPE) - return 0; - com_err("Checking on credential type", kret,prefix); - fflush(stderr); - return 0; - } + char name[300]; + krb5_error_code kret; + krb5_ccache id; + + snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid()); + + kret = krb5_cc_resolve(context, name, &id); + if(kret != KRB5_OK) { + if(kret == KRB5_CC_UNKNOWN_TYPE) + return 0; + com_err("Checking on credential type", kret,prefix); + fflush(stderr); + return 0; + } - kret = krb5_cc_close(context, id); - if(kret != KRB5_OK) { - com_err("Checking on credential type - closing", kret,prefix); - fflush(stderr); - } + kret = krb5_cc_close(context, id); + if(kret != KRB5_OK) { + com_err("Checking on credential type - closing", kret,prefix); + fflush(stderr); + } - return 1; + return 1; } static void do_test(krb5_context context, const char *prefix) { - char name[300]; + char name[300]; - snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid()); - printf("Starting test on %s\n", name); - cc_test (context, name, 0); - cc_test (context, name, !0); - printf("Test on %s passed\n", name); + snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid()); + printf("Starting test on %s\n", name); + cc_test (context, name, 0); + cc_test (context, name, !0); + printf("Test on %s passed\n", name); } static void test_misc(krb5_context context) { - /* Tests for certain error returns */ - krb5_error_code kret; - krb5_ccache id; - const krb5_cc_ops *ops_save; + /* Tests for certain error returns */ + krb5_error_code kret; + krb5_ccache id; + const krb5_cc_ops *ops_save; - fprintf(stderr, "Testing miscellaneous error conditions\n"); + fprintf(stderr, "Testing miscellaneous error conditions\n"); - kret = krb5_cc_resolve(context, "unknown_method_ep:/tmp/name", &id); - if (kret != KRB5_CC_UNKNOWN_TYPE) { - CHECK(kret, "resolve unknown type"); - } + kret = krb5_cc_resolve(context, "unknown_method_ep:/tmp/name", &id); + if (kret != KRB5_CC_UNKNOWN_TYPE) { + CHECK(kret, "resolve unknown type"); + } - /* Test for not specifiying a cache type with no defaults */ - ops_save = krb5_cc_dfl_ops; - krb5_cc_dfl_ops = 0; + /* Test for not specifiying a cache type with no defaults */ + ops_save = krb5_cc_dfl_ops; + krb5_cc_dfl_ops = 0; - kret = krb5_cc_resolve(context, "/tmp/e", &id); - if (kret != KRB5_CC_BADNAME) { - CHECK(kret, "resolve no builtin type"); - } + kret = krb5_cc_resolve(context, "/tmp/e", &id); + if (kret != KRB5_CC_BADNAME) { + CHECK(kret, "resolve no builtin type"); + } - krb5_cc_dfl_ops = ops_save; + krb5_cc_dfl_ops = ops_save; } extern const krb5_cc_ops krb5_mcc_ops; @@ -387,28 +388,28 @@ extern const krb5_cc_ops krb5_fcc_ops; int main (void) { krb5_context context; - krb5_error_code kret; + krb5_error_code kret; if ((kret = krb5_init_context(&context))) { - printf("Couldn't initialize krb5 library: %s\n", - error_message(kret)); - exit(1); + printf("Couldn't initialize krb5 library: %s\n", + error_message(kret)); + exit(1); } kret = krb5_cc_register(context, &krb5_mcc_ops,0); if(kret && kret != KRB5_CC_TYPE_EXISTS) { - CHECK(kret, "register_mem"); + CHECK(kret, "register_mem"); } kret = krb5_cc_register(context, &krb5_fcc_ops,0); if(kret && kret != KRB5_CC_TYPE_EXISTS) { - CHECK(kret, "register_mem"); + CHECK(kret, "register_mem"); } /* Registering a second time tests for error return */ kret = krb5_cc_register(context, &krb5_fcc_ops,0); if(kret != KRB5_CC_TYPE_EXISTS) { - CHECK(kret, "register_mem"); + CHECK(kret, "register_mem"); } /* Registering with override should work */ @@ -421,9 +422,9 @@ int main (void) do_test(context, ""); if(check_registered(context, "KEYRING:")) - do_test(context, "KEYRING:"); - else - printf("Skiping KEYRING: test - unregistered type\n"); + do_test(context, "KEYRING:"); + else + printf("Skiping KEYRING: test - unregistered type\n"); do_test(context, "MEMORY:"); do_test(context, "FILE:"); diff --git a/src/lib/krb5/ccache/t_cccursor.c b/src/lib/krb5/ccache/t_cccursor.c index e65beadd0..1e4f4b9e5 100644 --- a/src/lib/krb5/ccache/t_cccursor.c +++ b/src/lib/krb5/ccache/t_cccursor.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/t_cccursor.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -101,22 +102,22 @@ cr_cache(krb5_context context, const char *ccname, const char *pname) ret = krb5_cc_resolve(context, ccname, &ccache); if (ret) - goto errout; + goto errout; if (pname != NULL) { - ret = krb5_parse_name(context, pname, &princ); - if (ret) - return ret; - ret = krb5_cc_initialize(context, ccache, princ); - if (ret) - goto errout; - printf("created cache %s with principal %s\n", ccname, pname); + ret = krb5_parse_name(context, pname, &princ); + if (ret) + return ret; + ret = krb5_cc_initialize(context, ccache, princ); + if (ret) + goto errout; + printf("created cache %s with principal %s\n", ccname, pname); } else - printf("created cache %s (uninitialized)\n", ccname); + printf("created cache %s (uninitialized)\n", ccname); errout: if (princ != NULL) - krb5_free_principal(context, princ); + krb5_free_principal(context, princ); if (ccache != NULL) - krb5_cc_close(context, ccache); + krb5_cc_close(context, ccache); return ret; } @@ -128,15 +129,15 @@ dest_cache(krb5_context context, const char *ccname, const char *pname) ret = krb5_cc_resolve(context, ccname, &ccache); if (ret) - goto errout; + goto errout; if (pname != NULL) { - ret = krb5_cc_destroy(context, ccache); - if (ret) - return ret; - printf("Destroyed cache %s\n", ccname); + ret = krb5_cc_destroy(context, ccache); + if (ret) + return ret; + printf("Destroyed cache %s\n", ccname); } else { - printf("Closed cache %s (uninitialized)\n", ccname); - ret = krb5_cc_close(context, ccache); + printf("Closed cache %s (uninitialized)\n", ccname); + ret = krb5_cc_close(context, ccache); } errout: return ret; @@ -147,11 +148,11 @@ do_chk_one(const char *prefix, const char *name, struct chklist *chk) { if (chk->pfx == NULL) - return 0; + return 0; if (strcmp(chk->pfx, prefix) || strcmp(chk->res, name)) { - fprintf(stderr, "MATCH FAILED: expected %s:%s\n", - chk->pfx, chk->res); - return 1; + fprintf(stderr, "MATCH FAILED: expected %s:%s\n", + chk->pfx, chk->res); + return 1; } return 0; } @@ -175,33 +176,33 @@ do_chk( i = 0; printf(">>>\n"); for (i = 0; ; i++) { - ret = krb5_cccol_cursor_next(context, cursor, &ccache); - if (ret) goto errout; - if (ccache == NULL) { - printf("<<< end of list\n"); - break; - } - prefix = krb5_cc_get_type(context, ccache); - name = krb5_cc_get_name(context, ccache); - printf("cursor: %s:%s\n", prefix, name); - - if (i < nmax) { - if (do_chk_one(prefix, name, &chklist[i])) { - *good = 0; - } - } - ret = krb5_cc_close(context, ccache); - if (ret) goto errout; + ret = krb5_cccol_cursor_next(context, cursor, &ccache); + if (ret) goto errout; + if (ccache == NULL) { + printf("<<< end of list\n"); + break; + } + prefix = krb5_cc_get_type(context, ccache); + name = krb5_cc_get_name(context, ccache); + printf("cursor: %s:%s\n", prefix, name); + + if (i < nmax) { + if (do_chk_one(prefix, name, &chklist[i])) { + *good = 0; + } + } + ret = krb5_cc_close(context, ccache); + if (ret) goto errout; } if (i != nmax) { - fprintf(stderr, "total ccaches %d != expected ccaches %d\n", i, nmax); - *good = 0; + fprintf(stderr, "total ccaches %d != expected ccaches %d\n", i, nmax); + *good = 0; } errout: if (cursor != NULL) - krb5_cccol_cursor_free(context, &cursor); + krb5_cccol_cursor_free(context, &cursor); return ret; } @@ -216,8 +217,8 @@ main(int argc, char *argv[]) if (ret) exit(1); for (i = 0; i < NCRLIST; i++) { - ret = cr_cache(context, crlist[i].ccname, crlist[i].pname); - if (ret) goto errout; + ret = cr_cache(context, crlist[i].ccname, crlist[i].pname); + if (ret) goto errout; } #ifdef HAVE_SETENV @@ -228,7 +229,7 @@ main(int argc, char *argv[]) printf("KRB5CCNAME=foo\n"); ret = do_chk(context, chklist0, NCHKLIST0, &good); if (ret) - goto errout; + goto errout; #ifdef HAVE_SETENV setenv("KRB5CCNAME", "MEMORY:env", 1); @@ -238,28 +239,28 @@ main(int argc, char *argv[]) printf("KRB5CCNAME=MEMORY:env\n"); ret = do_chk(context, chklist1, NCHKLIST1, &good); if (ret) - goto errout; + goto errout; ret = krb5_cc_set_default_name(context, "MEMORY:env"); if (ret) - goto errout; + goto errout; printf("KRB5CCNAME=MEMORY:env, ccdefname=MEMORY:env\n"); ret = do_chk(context, chklist2, NCHKLIST2, &good); if (ret) - goto errout; + goto errout; for (i = 0; i < NCRLIST; i++) { - ret = dest_cache(context, crlist[i].ccname, crlist[i].pname); - if (ret) goto errout; + ret = dest_cache(context, crlist[i].ccname, crlist[i].pname); + if (ret) goto errout; } errout: krb5_free_context(context); if (ret) { - com_err("main", ret, ""); - exit(1); + com_err("main", ret, ""); + exit(1); } else { - exit(!good); + exit(!good); } } diff --git a/src/lib/krb5/ccache/t_memory.c b/src/lib/krb5/ccache/t_memory.c index b117aed33..5650280eb 100644 --- a/src/lib/krb5/ccache/t_memory.c +++ b/src/lib/krb5/ccache/t_memory.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/file/mcc_test.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * */ @@ -31,110 +32,109 @@ krb5_data client1 = { #define DATA "client1-comp1" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; krb5_data client2 = { #define DATA "client1-comp2" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; krb5_data server1 = { #define DATA "server1-comp1" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; krb5_data server2 = { #define DATA "server1-comp2" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; krb5_creds test_creds = { - NULL, - NULL, - { - 1, - 1, - (unsigned char *) "1" - }, - { - 1111, - 2222, - 3333, - 4444 - }, - 1, - 5555, - { + NULL, + NULL, + { + 1, + 1, + (unsigned char *) "1" + }, + { + 1111, + 2222, + 3333, + 4444 + }, + 1, + 5555, + { #define TICKET "This is ticket 1" - sizeof(TICKET), - TICKET, + sizeof(TICKET), + TICKET, #undef TICKET - }, - { + }, + { #define TICKET "This is ticket 2" - sizeof(TICKET), - TICKET, + sizeof(TICKET), + TICKET, #undef TICKET - }, + }, }; void init_test_cred() { - test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3); - test_creds.client[0] = &client1; - test_creds.client[1] = &client2; - test_creds.client[2] = NULL; + test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3); + test_creds.client[0] = &client1; + test_creds.client[1] = &client2; + test_creds.client[2] = NULL; - test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3); - test_creds.server[0] = &server1; - test_creds.server[1] = &server2; - test_creds.server[2] = NULL; + test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3); + test_creds.server[0] = &server1; + test_creds.server[1] = &server2; + test_creds.server[2] = NULL; } -#define CHECK(kret,msg) \ - if (kret != KRB5_OK) {\ - printf("%s returned %d\n", msg, kret);\ - }; - +#define CHECK(kret,msg) \ + if (kret != KRB5_OK) { \ + printf("%s returned %d\n", msg, kret); \ + }; + void mcc_test() { - krb5_ccache id; - krb5_creds creds; - krb5_error_code kret; - krb5_cc_cursor cursor; + krb5_ccache id; + krb5_creds creds; + krb5_error_code kret; + krb5_cc_cursor cursor; - init_test_cred(); + init_test_cred(); - kret = krb5_mcc_resolve(context, &id, "/tmp/tkt_test"); - CHECK(kret, "resolve"); - kret = krb5_mcc_initialize(context, id, test_creds.client); - CHECK(kret, "initialize"); - kret = krb5_mcc_store(context, id, &test_creds); - CHECK(kret, "store"); + kret = krb5_mcc_resolve(context, &id, "/tmp/tkt_test"); + CHECK(kret, "resolve"); + kret = krb5_mcc_initialize(context, id, test_creds.client); + CHECK(kret, "initialize"); + kret = krb5_mcc_store(context, id, &test_creds); + CHECK(kret, "store"); - kret = krb5_mcc_start_seq_get(context, id, &cursor); - CHECK(kret, "start_seq_get"); - kret = 0; - while (kret != KRB5_CC_END) { - printf("Calling next_cred\n"); - kret = krb5_mcc_next_cred(context, id, &cursor, &creds); - CHECK(kret, "next_cred"); - } - kret = krb5_mcc_end_seq_get(context, id, &cursor); - CHECK(kret, "end_seq_get"); + kret = krb5_mcc_start_seq_get(context, id, &cursor); + CHECK(kret, "start_seq_get"); + kret = 0; + while (kret != KRB5_CC_END) { + printf("Calling next_cred\n"); + kret = krb5_mcc_next_cred(context, id, &cursor, &creds); + CHECK(kret, "next_cred"); + } + kret = krb5_mcc_end_seq_get(context, id, &cursor); + CHECK(kret, "end_seq_get"); - kret = krb5_mcc_destroy(context, id); - CHECK(kret, "destroy"); - kret = krb5_mcc_close(context, id); - CHECK(kret, "close"); + kret = krb5_mcc_destroy(context, id); + CHECK(kret, "destroy"); + kret = krb5_mcc_close(context, id); + CHECK(kret, "close"); } - diff --git a/src/lib/krb5/ccache/t_stdio.c b/src/lib/krb5/ccache/t_stdio.c index a76d1fcd7..f17d50647 100644 --- a/src/lib/krb5/ccache/t_stdio.c +++ b/src/lib/krb5/ccache/t_stdio.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/ccache/stdio/scc_test.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * */ @@ -31,29 +32,29 @@ krb5_data client1 = { #define DATA "client1-comp1" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; krb5_data client2 = { #define DATA "client1-comp2" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; krb5_data server1 = { #define DATA "server1-comp1" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; krb5_data server2 = { #define DATA "server1-comp2" - sizeof(DATA), - DATA, + sizeof(DATA), + DATA, #undef DATA }; @@ -70,92 +71,92 @@ krb5_address *addrs[] = { }; krb5_creds test_creds = { - NULL, - NULL, - { - 1, - 1, - (unsigned char *) "1" - }, - { - 1111, - 2222, - 3333, - 4444, - }, - 1, - 5555, - addrs, - { + NULL, + NULL, + { + 1, + 1, + (unsigned char *) "1" + }, + { + 1111, + 2222, + 3333, + 4444, + }, + 1, + 5555, + addrs, + { #define TICKET "This is ticket 1" - sizeof(TICKET), - TICKET, + sizeof(TICKET), + TICKET, #undef TICKET - }, - { + }, + { #define TICKET "This is ticket 2" - sizeof(TICKET), - TICKET, + sizeof(TICKET), + TICKET, #undef TICKET - }, + }, }; void init_test_cred() { - test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3); - test_creds.client[0] = &client1; - test_creds.client[1] = &client2; - test_creds.client[2] = NULL; - - test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3); - test_creds.server[0] = &server1; - test_creds.server[1] = &server2; - test_creds.server[2] = NULL; + test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3); + test_creds.client[0] = &client1; + test_creds.client[1] = &client2; + test_creds.client[2] = NULL; + + test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3); + test_creds.server[0] = &server1; + test_creds.server[1] = &server2; + test_creds.server[2] = NULL; } -#define CHECK(kret,msg) \ - if (kret != KRB5_OK) {\ - com_err(msg, kret, "");\ - } else printf("%s went ok\n", msg); - +#define CHECK(kret,msg) \ + if (kret != KRB5_OK) { \ + com_err(msg, kret, ""); \ + } else printf("%s went ok\n", msg); + int flags = 0; void scc_test() { - krb5_ccache id; - krb5_creds creds; - krb5_error_code kret; - krb5_cc_cursor cursor; - - init_test_cred(); - - kret = krb5_scc_resolve(context, &id, "/tmp/tkt_test"); - CHECK(kret, "resolve"); - kret = krb5_scc_initialize(context, id, test_creds.client); - CHECK(kret, "initialize"); - kret = krb5_scc_store(id, &test_creds); - CHECK(kret, "store"); - - kret = krb5_scc_set_flags (id, flags); - CHECK(kret, "set_flags"); - kret = krb5_scc_start_seq_get(id, &cursor); - CHECK(kret, "start_seq_get"); - kret = 0; - while (kret != KRB5_CC_END) { - printf("Calling next_cred\n"); - kret = krb5_scc_next_cred(id, &cursor, &creds); - CHECK(kret, "next_cred"); - } - kret = krb5_scc_end_seq_get(id, &cursor); - CHECK(kret, "end_seq_get"); - - kret = krb5_scc_close(id); - CHECK(kret, "close"); - - - kret = krb5_scc_resolve(&id, "/tmp/tkt_test"); - CHECK(kret, "resolve"); - kret = krb5_scc_destroy(id); - CHECK(kret, "destroy"); + krb5_ccache id; + krb5_creds creds; + krb5_error_code kret; + krb5_cc_cursor cursor; + + init_test_cred(); + + kret = krb5_scc_resolve(context, &id, "/tmp/tkt_test"); + CHECK(kret, "resolve"); + kret = krb5_scc_initialize(context, id, test_creds.client); + CHECK(kret, "initialize"); + kret = krb5_scc_store(id, &test_creds); + CHECK(kret, "store"); + + kret = krb5_scc_set_flags (id, flags); + CHECK(kret, "set_flags"); + kret = krb5_scc_start_seq_get(id, &cursor); + CHECK(kret, "start_seq_get"); + kret = 0; + while (kret != KRB5_CC_END) { + printf("Calling next_cred\n"); + kret = krb5_scc_next_cred(id, &cursor, &creds); + CHECK(kret, "next_cred"); + } + kret = krb5_scc_end_seq_get(id, &cursor); + CHECK(kret, "end_seq_get"); + + kret = krb5_scc_close(id); + CHECK(kret, "close"); + + + kret = krb5_scc_resolve(&id, "/tmp/tkt_test"); + CHECK(kret, "resolve"); + kret = krb5_scc_destroy(id); + CHECK(kret, "destroy"); } int remove (s) char*s; { return unlink(s); } diff --git a/src/lib/krb5/error_tables/init_ets.c b/src/lib/krb5/error_tables/init_ets.c index 56a750e75..f682c8512 100644 --- a/src/lib/krb5/error_tables/init_ets.c +++ b/src/lib/krb5/error_tables/init_ets.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/error_tables/init_ets.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Initialize Kerberos library error tables. */ @@ -35,12 +36,12 @@ krb5_init_ets (krb5_context context) static int inited = 0; if (inited == 0) { - initialize_krb5_error_table(); - initialize_kv5m_error_table(); - initialize_kdb5_error_table(); - initialize_asn1_error_table(); - initialize_k524_error_table(); - inited++; + initialize_krb5_error_table(); + initialize_kv5m_error_table(); + initialize_kdb5_error_table(); + initialize_asn1_error_table(); + initialize_k524_error_table(); + inited++; } } diff --git a/src/lib/krb5/keytab/kt-int.h b/src/lib/krb5/keytab/kt-int.h index e62b2d3f1..383d346f7 100644 --- a/src/lib/krb5/keytab/kt-int.h +++ b/src/lib/krb5/keytab/kt-int.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/kt-int.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * This file contains constant and function declarations used in the * file-based credential cache routines. diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c index 4c90b8b47..c27829ca0 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/kt_file.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ #ifndef LEAN_CLIENT @@ -40,22 +41,22 @@ * Constants */ -#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ -#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ +#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ +#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ #define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO -/* +/* * Types */ typedef struct _krb5_ktfile_data { - char *name; /* Name of the file */ - FILE *openf; /* open file, if any. */ - char iobuf[BUFSIZ]; /* so we can zap it later */ - int version; /* Version number of keytab */ - unsigned int iter_count; /* Number of active iterators */ - long start_offset; /* Starting offset after version */ - k5_mutex_t lock; /* Protect openf, version */ + char *name; /* Name of the file */ + FILE *openf; /* open file, if any. */ + char iobuf[BUFSIZ]; /* so we can zap it later */ + int version; /* Version number of keytab */ + unsigned int iter_count; /* Number of active iterators */ + long start_offset; /* Starting offset after version */ + k5_mutex_t lock; /* Protect openf, version */ } krb5_ktfile_data; /* @@ -93,114 +94,114 @@ typedef struct _krb5_ktfile_data { extern const struct _krb5_kt_ops krb5_ktf_ops; extern const struct _krb5_kt_ops krb5_ktf_writable_ops; -static krb5_error_code KRB5_CALLCONV krb5_ktfile_resolve - (krb5_context, - const char *, - krb5_keytab *); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_wresolve - (krb5_context, - const char *, - krb5_keytab *); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_name - (krb5_context, - krb5_keytab, - char *, - unsigned int); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_close - (krb5_context, - krb5_keytab); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_entry - (krb5_context, - krb5_keytab, - krb5_const_principal, - krb5_kvno, - krb5_enctype, - krb5_keytab_entry *); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_start_seq_get - (krb5_context, - krb5_keytab, - krb5_kt_cursor *); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_next - (krb5_context, - krb5_keytab, - krb5_keytab_entry *, - krb5_kt_cursor *); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_end_get - (krb5_context, - krb5_keytab, - krb5_kt_cursor *); +static krb5_error_code KRB5_CALLCONV krb5_ktfile_resolve +(krb5_context, + const char *, + krb5_keytab *); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_wresolve +(krb5_context, + const char *, + krb5_keytab *); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_name +(krb5_context, + krb5_keytab, + char *, + unsigned int); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_close +(krb5_context, + krb5_keytab); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_entry +(krb5_context, + krb5_keytab, + krb5_const_principal, + krb5_kvno, + krb5_enctype, + krb5_keytab_entry *); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_start_seq_get +(krb5_context, + krb5_keytab, + krb5_kt_cursor *); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_next +(krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_kt_cursor *); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_end_get +(krb5_context, + krb5_keytab, + krb5_kt_cursor *); /* routines to be included on extended version (write routines) */ -static krb5_error_code KRB5_CALLCONV krb5_ktfile_add - (krb5_context, - krb5_keytab, - krb5_keytab_entry *); - -static krb5_error_code KRB5_CALLCONV krb5_ktfile_remove - (krb5_context, - krb5_keytab, - krb5_keytab_entry *); - -static krb5_error_code krb5_ktfileint_openr - (krb5_context, - krb5_keytab); - -static krb5_error_code krb5_ktfileint_openw - (krb5_context, - krb5_keytab); - -static krb5_error_code krb5_ktfileint_close - (krb5_context, - krb5_keytab); - -static krb5_error_code krb5_ktfileint_read_entry - (krb5_context, - krb5_keytab, - krb5_keytab_entry *); - -static krb5_error_code krb5_ktfileint_write_entry - (krb5_context, - krb5_keytab, - krb5_keytab_entry *); - -static krb5_error_code krb5_ktfileint_delete_entry - (krb5_context, - krb5_keytab, - krb5_int32); - -static krb5_error_code krb5_ktfileint_internal_read_entry - (krb5_context, - krb5_keytab, - krb5_keytab_entry *, - krb5_int32 *); - -static krb5_error_code krb5_ktfileint_size_entry - (krb5_context, - krb5_keytab_entry *, - krb5_int32 *); - -static krb5_error_code krb5_ktfileint_find_slot - (krb5_context, - krb5_keytab, - krb5_int32 *, - krb5_int32 *); +static krb5_error_code KRB5_CALLCONV krb5_ktfile_add +(krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +static krb5_error_code KRB5_CALLCONV krb5_ktfile_remove +(krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +static krb5_error_code krb5_ktfileint_openr +(krb5_context, + krb5_keytab); + +static krb5_error_code krb5_ktfileint_openw +(krb5_context, + krb5_keytab); + +static krb5_error_code krb5_ktfileint_close +(krb5_context, + krb5_keytab); + +static krb5_error_code krb5_ktfileint_read_entry +(krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +static krb5_error_code krb5_ktfileint_write_entry +(krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +static krb5_error_code krb5_ktfileint_delete_entry +(krb5_context, + krb5_keytab, + krb5_int32); + +static krb5_error_code krb5_ktfileint_internal_read_entry +(krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_int32 *); + +static krb5_error_code krb5_ktfileint_size_entry +(krb5_context, + krb5_keytab_entry *, + krb5_int32 *); + +static krb5_error_code krb5_ktfileint_find_slot +(krb5_context, + krb5_keytab, + krb5_int32 *, + krb5_int32 *); /* - * This is an implementation specific resolver. It returns a keytab id + * This is an implementation specific resolver. It returns a keytab id * initialized with file keytab routines. */ static krb5_error_code ktfile_common_resolve(krb5_context context, const char *name, - krb5_keytab *idptr, const struct _krb5_kt_ops *ops) + krb5_keytab *idptr, const struct _krb5_kt_ops *ops) { krb5_ktfile_data *data = NULL; krb5_error_code err = ENOMEM; @@ -210,20 +211,20 @@ ktfile_common_resolve(krb5_context context, const char *name, id = calloc(1, sizeof(*id)); if (id == NULL) - return ENOMEM; - + return ENOMEM; + id->ops = ops; data = calloc(1, sizeof(krb5_ktfile_data)); if (data == NULL) - goto cleanup; + goto cleanup; data->name = strdup(name); if (data->name == NULL) - goto cleanup; + goto cleanup; err = k5_mutex_init(&data->lock); if (err) - goto cleanup; + goto cleanup; data->openf = 0; data->version = 0; @@ -235,13 +236,13 @@ ktfile_common_resolve(krb5_context context, const char *name, return 0; cleanup: if (data) - free(data->name); + free(data->name); free(data); free(id); return err; } -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_ktfile_resolve(krb5_context context, const char *name, krb5_keytab *id) { return ktfile_common_resolve(context, name, id, &krb5_ktf_writable_ops); @@ -253,15 +254,15 @@ krb5_ktfile_resolve(krb5_context context, const char *name, krb5_keytab *id) * free memory hidden in the structures. */ -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_ktfile_close(krb5_context context, krb5_keytab id) - /* - * This routine is responsible for freeing all memory allocated - * for this keytab. There are no system resources that need - * to be freed nor are there any open files. - * - * This routine should undo anything done by krb5_ktfile_resolve(). - */ +/* + * This routine is responsible for freeing all memory allocated + * for this keytab. There are no system resources that need + * to be freed nor are there any open files. + * + * This routine should undo anything done by krb5_ktfile_resolve(). + */ { free(KTFILENAME(id)); zap(KTFILEBUFP(id), BUFSIZ); @@ -280,8 +281,8 @@ krb5_ktfile_close(krb5_context context, krb5_keytab id) static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, - krb5_const_principal principal, krb5_kvno kvno, - krb5_enctype enctype, krb5_keytab_entry *entry) + krb5_const_principal principal, krb5_kvno kvno, + krb5_enctype enctype, krb5_keytab_entry *entry) { krb5_keytab_entry cur_entry, new_entry; krb5_error_code kerror = 0; @@ -292,27 +293,27 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, kerror = KTLOCK(id); if (kerror) - return kerror; + return kerror; if (KTFILEP(id) != NULL) { - was_open = 1; + was_open = 1; - if (fseek(KTFILEP(id), KTSTARTOFF(id), SEEK_SET) == -1) { - KTUNLOCK(id); - return errno; - } + if (fseek(KTFILEP(id), KTSTARTOFF(id), SEEK_SET) == -1) { + KTUNLOCK(id); + return errno; + } } else { - was_open = 0; + was_open = 0; - /* Open the keyfile for reading */ - if ((kerror = krb5_ktfileint_openr(context, id))) { - KTUNLOCK(id); - return(kerror); - } + /* Open the keyfile for reading */ + if ((kerror = krb5_ktfileint_openr(context, id))) { + KTUNLOCK(id); + return(kerror); + } } - - /* - * For efficiency and simplicity, we'll use a while true that + + /* + * For efficiency and simplicity, we'll use a while true that * is exited with a break statement. */ cur_entry.principal = 0; @@ -320,111 +321,111 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, cur_entry.key.contents = 0; while (TRUE) { - if ((kerror = krb5_ktfileint_read_entry(context, id, &new_entry))) - break; - - /* by the time this loop exits, it must either free cur_entry, - and copy new_entry there, or free new_entry. Otherwise, it - leaks. */ - - /* if the principal isn't the one requested, free new_entry - and continue to the next. */ - - if (!krb5_principal_compare(context, principal, new_entry.principal)) { - krb5_kt_free_entry(context, &new_entry); - continue; - } - - /* if the enctype is not ignored and doesn't match, free new_entry - and continue to the next */ - - if (enctype != IGNORE_ENCTYPE) { - if ((kerror = krb5_c_enctype_compare(context, enctype, - new_entry.key.enctype, - &similar))) { - krb5_kt_free_entry(context, &new_entry); - break; - } - - if (!similar) { - krb5_kt_free_entry(context, &new_entry); - continue; - } - /* - * Coerce the enctype of the output keyblock in case we - * got an inexact match on the enctype. - */ - new_entry.key.enctype = enctype; - - } - - if (kvno == IGNORE_VNO) { - /* if this is the first match, or if the new vno is - bigger, free the current and keep the new. Otherwise, - free the new. */ - /* A 1.2.x keytab contains only the low 8 bits of the key - version number. Since it can be much bigger, and thus - the 8-bit value can wrap, we need some heuristics to - figure out the "highest" numbered key if some numbers - close to 255 and some near 0 are used. - - The heuristic here: - - If we have any keys with versions over 240, then assume - that all version numbers 0-127 refer to 256+N instead. - Not perfect, but maybe good enough? */ + if ((kerror = krb5_ktfileint_read_entry(context, id, &new_entry))) + break; + + /* by the time this loop exits, it must either free cur_entry, + and copy new_entry there, or free new_entry. Otherwise, it + leaks. */ + + /* if the principal isn't the one requested, free new_entry + and continue to the next. */ + + if (!krb5_principal_compare(context, principal, new_entry.principal)) { + krb5_kt_free_entry(context, &new_entry); + continue; + } + + /* if the enctype is not ignored and doesn't match, free new_entry + and continue to the next */ + + if (enctype != IGNORE_ENCTYPE) { + if ((kerror = krb5_c_enctype_compare(context, enctype, + new_entry.key.enctype, + &similar))) { + krb5_kt_free_entry(context, &new_entry); + break; + } + + if (!similar) { + krb5_kt_free_entry(context, &new_entry); + continue; + } + /* + * Coerce the enctype of the output keyblock in case we + * got an inexact match on the enctype. + */ + new_entry.key.enctype = enctype; + + } + + if (kvno == IGNORE_VNO) { + /* if this is the first match, or if the new vno is + bigger, free the current and keep the new. Otherwise, + free the new. */ + /* A 1.2.x keytab contains only the low 8 bits of the key + version number. Since it can be much bigger, and thus + the 8-bit value can wrap, we need some heuristics to + figure out the "highest" numbered key if some numbers + close to 255 and some near 0 are used. + + The heuristic here: + + If we have any keys with versions over 240, then assume + that all version numbers 0-127 refer to 256+N instead. + Not perfect, but maybe good enough? */ #define M(VNO) (((VNO) - kvno_offset + 256) % 256) - if (new_entry.vno > 240) - kvno_offset = 128; - if (! cur_entry.principal || - M(new_entry.vno) > M(cur_entry.vno)) { - krb5_kt_free_entry(context, &cur_entry); - cur_entry = new_entry; - } else { - krb5_kt_free_entry(context, &new_entry); - } - } else { - /* if this kvno matches, free the current (will there ever - be one?), keep the new, and break out. Otherwise, remember - that we were here so we can return the right error, and - free the new */ - /* Yuck. The krb5-1.2.x keytab format only stores one byte - for the kvno, so we're toast if the kvno requested is - higher than that. Short-term workaround: only compare - the low 8 bits. */ - - if (new_entry.vno == (kvno & 0xff)) { - krb5_kt_free_entry(context, &cur_entry); - cur_entry = new_entry; - break; - } else { - found_wrong_kvno++; - krb5_kt_free_entry(context, &new_entry); - } - } + if (new_entry.vno > 240) + kvno_offset = 128; + if (! cur_entry.principal || + M(new_entry.vno) > M(cur_entry.vno)) { + krb5_kt_free_entry(context, &cur_entry); + cur_entry = new_entry; + } else { + krb5_kt_free_entry(context, &new_entry); + } + } else { + /* if this kvno matches, free the current (will there ever + be one?), keep the new, and break out. Otherwise, remember + that we were here so we can return the right error, and + free the new */ + /* Yuck. The krb5-1.2.x keytab format only stores one byte + for the kvno, so we're toast if the kvno requested is + higher than that. Short-term workaround: only compare + the low 8 bits. */ + + if (new_entry.vno == (kvno & 0xff)) { + krb5_kt_free_entry(context, &cur_entry); + cur_entry = new_entry; + break; + } else { + found_wrong_kvno++; + krb5_kt_free_entry(context, &new_entry); + } + } } if (kerror == KRB5_KT_END) { - if (cur_entry.principal) - kerror = 0; - else if (found_wrong_kvno) - kerror = KRB5_KT_KVNONOTFOUND; - else - kerror = KRB5_KT_NOTFOUND; + if (cur_entry.principal) + kerror = 0; + else if (found_wrong_kvno) + kerror = KRB5_KT_KVNONOTFOUND; + else + kerror = KRB5_KT_NOTFOUND; } if (kerror) { - if (was_open == 0) - (void) krb5_ktfileint_close(context, id); - KTUNLOCK(id); - krb5_kt_free_entry(context, &cur_entry); - return kerror; + if (was_open == 0) + (void) krb5_ktfileint_close(context, id); + KTUNLOCK(id); + krb5_kt_free_entry(context, &cur_entry); + return kerror; } if (was_open == 0 && (kerror = krb5_ktfileint_close(context, id)) != 0) { - KTUNLOCK(id); - krb5_kt_free_entry(context, &cur_entry); - return kerror; + KTUNLOCK(id); + krb5_kt_free_entry(context, &cur_entry); + return kerror; } KTUNLOCK(id); *entry = cur_entry; @@ -437,19 +438,19 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len) - /* - * This routine returns the name of the name of the file associated with - * this file-based keytab. name is zeroed and the filename is truncated - * to fit in name if necessary. The name is prefixed with PREFIX:, so that - * trt will happen if the name is passed back to resolve. - */ +/* + * This routine returns the name of the name of the file associated with + * this file-based keytab. name is zeroed and the filename is truncated + * to fit in name if necessary. The name is prefixed with PREFIX:, so that + * trt will happen if the name is passed back to resolve. + */ { int result; memset(name, 0, len); result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id)); if (SNPRINTF_OVERFLOW(result, len)) - return(KRB5_KT_NAME_TOOLONG); + return(KRB5_KT_NAME_TOOLONG); return(0); } @@ -465,31 +466,31 @@ krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor * retval = KTLOCK(id); if (retval) - return retval; + return retval; if (KTITERS(id) == 0) { - if ((retval = krb5_ktfileint_openr(context, id))) { - KTUNLOCK(id); - return retval; - } + if ((retval = krb5_ktfileint_openr(context, id))) { + KTUNLOCK(id); + return retval; + } } if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { - if (KTITERS(id) == 0) - krb5_ktfileint_close(context, id); - KTUNLOCK(id); - return ENOMEM; + if (KTITERS(id) == 0) + krb5_ktfileint_close(context, id); + KTUNLOCK(id); + return ENOMEM; } *fileoff = KTSTARTOFF(id); *cursorp = (krb5_kt_cursor)fileoff; KTITERS(id)++; if (KTITERS(id) == 0) { - /* Wrapped?! */ - KTITERS(id)--; - KTUNLOCK(id); - krb5_set_error_message(context, KRB5_KT_IOERR, - "Too many keytab iterators active"); - return KRB5_KT_IOERR; /* XXX */ + /* Wrapped?! */ + KTITERS(id)--; + KTUNLOCK(id); + krb5_set_error_message(context, KRB5_KT_IOERR, + "Too many keytab iterators active"); + return KRB5_KT_IOERR; /* XXX */ } KTUNLOCK(id); @@ -500,7 +501,7 @@ krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor * * krb5_ktfile_get_next() */ -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor) { long *fileoff = (long *)*cursor; @@ -509,18 +510,18 @@ krb5_ktfile_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *en kerror = KTLOCK(id); if (kerror) - return kerror; + return kerror; if (KTFILEP(id) == NULL) { - KTUNLOCK(id); - return KRB5_KT_IOERR; + KTUNLOCK(id); + return KRB5_KT_IOERR; } if (fseek(KTFILEP(id), *fileoff, 0) == -1) { - KTUNLOCK(id); - return KRB5_KT_END; + KTUNLOCK(id); + return KRB5_KT_END; } if ((kerror = krb5_ktfileint_read_entry(context, id, &cur_entry))) { - KTUNLOCK(id); - return kerror; + KTUNLOCK(id); + return kerror; } *fileoff = ftell(KTFILEP(id)); *entry = cur_entry; @@ -532,7 +533,7 @@ krb5_ktfile_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *en * krb5_ktfile_end_get() */ -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) { krb5_error_code kerror; @@ -540,12 +541,12 @@ krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor free(*cursor); kerror = KTLOCK(id); if (kerror) - return kerror; + return kerror; KTITERS(id)--; if (KTFILEP(id) != NULL && KTITERS(id) == 0) - kerror = krb5_ktfileint_close(context, id); + kerror = krb5_ktfileint_close(context, id); else - kerror = 0; + kerror = 0; KTUNLOCK(id); return kerror; } @@ -558,183 +559,183 @@ static const char ktfile_def_name[] = "."; /* * Routines to deal with externalizing krb5_keytab for [WR]FILE: variants. - * krb5_ktf_keytab_size(); - * krb5_ktf_keytab_externalize(); - * krb5_ktf_keytab_internalize(); + * krb5_ktf_keytab_size(); + * krb5_ktf_keytab_externalize(); + * krb5_ktf_keytab_internalize(); */ static krb5_error_code krb5_ktf_keytab_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_ktf_keytab_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_ktf_keytab_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Serialization entry for this type. */ const krb5_ser_entry krb5_ktfile_ser_entry = { - KV5M_KEYTAB, /* Type */ - krb5_ktf_keytab_size, /* Sizer routine */ - krb5_ktf_keytab_externalize, /* Externalize routine */ - krb5_ktf_keytab_internalize /* Internalize routine */ + KV5M_KEYTAB, /* Type */ + krb5_ktf_keytab_size, /* Sizer routine */ + krb5_ktf_keytab_externalize, /* Externalize routine */ + krb5_ktf_keytab_internalize /* Internalize routine */ }; /* - * krb5_ktf_keytab_size() - Determine the size required to externalize - * this krb5_keytab variant. + * krb5_ktf_keytab_size() - Determine the size required to externalize + * this krb5_keytab variant. */ static krb5_error_code krb5_ktf_keytab_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_keytab keytab; - size_t required; - krb5_ktfile_data *ktdata; + krb5_error_code kret; + krb5_keytab keytab; + size_t required; + krb5_ktfile_data *ktdata; kret = EINVAL; if ((keytab = (krb5_keytab) arg)) { - /* - * Saving FILE: variants of krb5_keytab requires at minimum: - * krb5_int32 for KV5M_KEYTAB - * krb5_int32 for length of keytab name. - * krb5_int32 for file status. - * krb5_int32 for file position. - * krb5_int32 for file position. - * krb5_int32 for version. - * krb5_int32 for KV5M_KEYTAB - */ - required = sizeof(krb5_int32) * 7; - if (keytab->ops && keytab->ops->prefix) - required += (strlen(keytab->ops->prefix)+1); - - /* - * The keytab name is formed as follows: - * : - * If there's no name, we use a default name so that we have something - * to call krb5_keytab_resolve with. - */ - ktdata = (krb5_ktfile_data *) keytab->data; - required += strlen((ktdata && ktdata->name) ? - ktdata->name : ktfile_def_name); - kret = 0; - - if (!kret) - *sizep += required; + /* + * Saving FILE: variants of krb5_keytab requires at minimum: + * krb5_int32 for KV5M_KEYTAB + * krb5_int32 for length of keytab name. + * krb5_int32 for file status. + * krb5_int32 for file position. + * krb5_int32 for file position. + * krb5_int32 for version. + * krb5_int32 for KV5M_KEYTAB + */ + required = sizeof(krb5_int32) * 7; + if (keytab->ops && keytab->ops->prefix) + required += (strlen(keytab->ops->prefix)+1); + + /* + * The keytab name is formed as follows: + * : + * If there's no name, we use a default name so that we have something + * to call krb5_keytab_resolve with. + */ + ktdata = (krb5_ktfile_data *) keytab->data; + required += strlen((ktdata && ktdata->name) ? + ktdata->name : ktfile_def_name); + kret = 0; + + if (!kret) + *sizep += required; } return(kret); } /* - * krb5_ktf_keytab_externalize() - Externalize the krb5_keytab. + * krb5_ktf_keytab_externalize() - Externalize the krb5_keytab. */ static krb5_error_code krb5_ktf_keytab_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_keytab keytab; - size_t required; - krb5_octet *bp; - size_t remain; - krb5_ktfile_data *ktdata; - krb5_int32 file_is_open; - krb5_int64 file_pos; - char *ktname; - const char *fnamep; + krb5_error_code kret; + krb5_keytab keytab; + size_t required; + krb5_octet *bp; + size_t remain; + krb5_ktfile_data *ktdata; + krb5_int32 file_is_open; + krb5_int64 file_pos; + char *ktname; + const char *fnamep; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((keytab = (krb5_keytab) arg)) { - kret = ENOMEM; - if (!krb5_ktf_keytab_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain); - - ktdata = (krb5_ktfile_data *) keytab->data; - file_is_open = 0; - file_pos = 0; - - /* Calculate the length of the name */ - if (ktdata && ktdata->name) - fnamep = ktdata->name; - else - fnamep = ktfile_def_name; - - if (keytab->ops && keytab->ops->prefix) { - if (asprintf(&ktname, "%s:%s", keytab->ops->prefix, fnamep) < 0) - ktname = NULL; - } else - ktname = strdup(fnamep); - - if (ktname) { - /* Fill in the file-specific keytab information. */ - if (ktdata) { - if (ktdata->openf) { - long fpos; - int fflags = 0; - - file_is_open = 1; + kret = ENOMEM; + if (!krb5_ktf_keytab_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain); + + ktdata = (krb5_ktfile_data *) keytab->data; + file_is_open = 0; + file_pos = 0; + + /* Calculate the length of the name */ + if (ktdata && ktdata->name) + fnamep = ktdata->name; + else + fnamep = ktfile_def_name; + + if (keytab->ops && keytab->ops->prefix) { + if (asprintf(&ktname, "%s:%s", keytab->ops->prefix, fnamep) < 0) + ktname = NULL; + } else + ktname = strdup(fnamep); + + if (ktname) { + /* Fill in the file-specific keytab information. */ + if (ktdata) { + if (ktdata->openf) { + long fpos; + int fflags = 0; + + file_is_open = 1; #if !defined(_WIN32) - fflags = fcntl(fileno(ktdata->openf), F_GETFL, 0); - if (fflags > 0) - file_is_open |= ((fflags & O_ACCMODE) << 1); + fflags = fcntl(fileno(ktdata->openf), F_GETFL, 0); + if (fflags > 0) + file_is_open |= ((fflags & O_ACCMODE) << 1); #else - file_is_open = 0; + file_is_open = 0; #endif - fpos = ftell(ktdata->openf); - file_pos = fpos; /* XX range check? */ - } - } - - /* Put the length of the file name */ - (void) krb5_ser_pack_int32((krb5_int32) strlen(ktname), - &bp, &remain); - - /* Put the name */ - (void) krb5_ser_pack_bytes((krb5_octet *) ktname, - strlen(ktname), - &bp, &remain); - - /* Put the file open flag */ - (void) krb5_ser_pack_int32(file_is_open, &bp, &remain); - - /* Put the file position */ - (void) krb5_ser_pack_int64(file_pos, &bp, &remain); - - /* Put the version */ - (void) krb5_ser_pack_int32((krb5_int32) ((ktdata) ? - ktdata->version : 0), - &bp, &remain); - - /* Put the trailer */ - (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain); - kret = 0; - *buffer = bp; - *lenremain = remain; - free(ktname); - } - } + fpos = ftell(ktdata->openf); + file_pos = fpos; /* XX range check? */ + } + } + + /* Put the length of the file name */ + (void) krb5_ser_pack_int32((krb5_int32) strlen(ktname), + &bp, &remain); + + /* Put the name */ + (void) krb5_ser_pack_bytes((krb5_octet *) ktname, + strlen(ktname), + &bp, &remain); + + /* Put the file open flag */ + (void) krb5_ser_pack_int32(file_is_open, &bp, &remain); + + /* Put the file position */ + (void) krb5_ser_pack_int64(file_pos, &bp, &remain); + + /* Put the version */ + (void) krb5_ser_pack_int32((krb5_int32) ((ktdata) ? + ktdata->version : 0), + &bp, &remain); + + /* Put the trailer */ + (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain); + kret = 0; + *buffer = bp; + *lenremain = remain; + free(ktname); + } + } } return(kret); } /* - * krb5_ktf_keytab_internalize() - Internalize the krb5_ktf_keytab. + * krb5_ktf_keytab_internalize() - Internalize the krb5_ktf_keytab. */ static krb5_error_code krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_keytab keytab = NULL; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - char *ktname = NULL; - krb5_ktfile_data *ktdata; - krb5_int32 file_is_open; - krb5_int64 foff; + krb5_error_code kret; + krb5_keytab keytab = NULL; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + char *ktname = NULL; + krb5_ktfile_data *ktdata; + krb5_int32 file_is_open; + krb5_int64 foff; *argp = NULL; bp = *buffer; @@ -742,36 +743,36 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_KEYTAB) - return EINVAL; + return EINVAL; /* Read the keytab name */ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (kret) - return kret; + return kret; ktname = malloc(ibuf + 1); if (!ktname) - return ENOMEM; + return ENOMEM; kret = krb5_ser_unpack_bytes((krb5_octet *) ktname, (size_t) ibuf, - &bp, &remain); + &bp, &remain); if (kret) - goto cleanup; + goto cleanup; ktname[ibuf] = '\0'; /* Resolve the keytab. */ kret = krb5_kt_resolve(kcontext, ktname, &keytab); if (kret) - goto cleanup; + goto cleanup; if (keytab->ops != &krb5_ktf_writable_ops - && keytab->ops != &krb5_ktf_ops) { - kret = EINVAL; - goto cleanup; + && keytab->ops != &krb5_ktf_ops) { + kret = EINVAL; + goto cleanup; } ktdata = (krb5_ktfile_data *) keytab->data; if (remain < (sizeof(krb5_int32)*5)) { - kret = EINVAL; - goto cleanup; + kret = EINVAL; + goto cleanup; } (void) krb5_ser_unpack_int32(&file_is_open, &bp, &remain); (void) krb5_ser_unpack_int64(&foff, &bp, &remain); @@ -779,30 +780,30 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe ktdata->version = (int) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (ibuf != KV5M_KEYTAB) { - kret = EINVAL; - goto cleanup; + kret = EINVAL; + goto cleanup; } if (file_is_open) { - int fmode; - long fpos; + int fmode; + long fpos; #if !defined(_WIN32) - fmode = (file_is_open >> 1) & O_ACCMODE; + fmode = (file_is_open >> 1) & O_ACCMODE; #else - fmode = 0; + fmode = 0; #endif - if (fmode) - kret = krb5_ktfileint_openw(kcontext, keytab); - else - kret = krb5_ktfileint_openr(kcontext, keytab); - if (kret) - goto cleanup; - fpos = foff; /* XX range check? */ - if (fseek(KTFILEP(keytab), fpos, SEEK_SET) == -1) { - kret = errno; - goto cleanup; - } + if (fmode) + kret = krb5_ktfileint_openw(kcontext, keytab); + else + kret = krb5_ktfileint_openr(kcontext, keytab); + if (kret) + goto cleanup; + fpos = foff; /* XX range check? */ + if (fseek(KTFILEP(keytab), fpos, SEEK_SET) == -1) { + kret = errno; + goto cleanup; + } } *buffer = bp; @@ -810,13 +811,13 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe *argp = (krb5_pointer) keytab; cleanup: if (kret != 0 && keytab) - krb5_kt_close(kcontext, keytab); + krb5_kt_close(kcontext, keytab); free(ktname); return kret; } /* - * This is an implementation specific resolver. It returns a keytab id + * This is an implementation specific resolver. It returns a keytab id * initialized with file keytab routines. */ @@ -831,28 +832,28 @@ krb5_ktfile_wresolve(krb5_context context, const char *name, krb5_keytab *id) * krb5_ktfile_add() */ -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_ktfile_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { krb5_error_code retval; retval = KTLOCK(id); if (retval) - return retval; + return retval; if (KTFILEP(id)) { - /* Iterator(s) active -- no changes. */ - KTUNLOCK(id); - krb5_set_error_message(context, KRB5_KT_IOERR, - "Cannot change keytab with keytab iterators active"); - return KRB5_KT_IOERR; /* XXX */ + /* Iterator(s) active -- no changes. */ + KTUNLOCK(id); + krb5_set_error_message(context, KRB5_KT_IOERR, + "Cannot change keytab with keytab iterators active"); + return KRB5_KT_IOERR; /* XXX */ } if ((retval = krb5_ktfileint_openw(context, id))) { - KTUNLOCK(id); - return retval; + KTUNLOCK(id); + return retval; } if (fseek(KTFILEP(id), 0, 2) == -1) { - KTUNLOCK(id); - return KRB5_KT_END; + KTUNLOCK(id); + return KRB5_KT_END; } retval = krb5_ktfileint_write_entry(context, id, entry); krb5_ktfileint_close(context, id); @@ -864,7 +865,7 @@ krb5_ktfile_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) * krb5_ktfile_remove() */ -static krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { krb5_keytab_entry cur_entry; @@ -873,53 +874,53 @@ krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entr kerror = KTLOCK(id); if (kerror) - return kerror; + return kerror; if (KTFILEP(id)) { - /* Iterator(s) active -- no changes. */ - KTUNLOCK(id); - krb5_set_error_message(context, KRB5_KT_IOERR, - "Cannot change keytab with keytab iterators active"); - return KRB5_KT_IOERR; /* XXX */ + /* Iterator(s) active -- no changes. */ + KTUNLOCK(id); + krb5_set_error_message(context, KRB5_KT_IOERR, + "Cannot change keytab with keytab iterators active"); + return KRB5_KT_IOERR; /* XXX */ } if ((kerror = krb5_ktfileint_openw(context, id))) { - KTUNLOCK(id); - return kerror; + KTUNLOCK(id); + return kerror; } - /* - * For efficiency and simplicity, we'll use a while true that + /* + * For efficiency and simplicity, we'll use a while true that * is exited with a break statement. */ while (TRUE) { - if ((kerror = krb5_ktfileint_internal_read_entry(context, id, - &cur_entry, - &delete_point))) - break; + if ((kerror = krb5_ktfileint_internal_read_entry(context, id, + &cur_entry, + &delete_point))) + break; - if ((entry->vno == cur_entry.vno) && + if ((entry->vno == cur_entry.vno) && (entry->key.enctype == cur_entry.key.enctype) && - krb5_principal_compare(context, entry->principal, cur_entry.principal)) { - /* found a match */ + krb5_principal_compare(context, entry->principal, cur_entry.principal)) { + /* found a match */ krb5_kt_free_entry(context, &cur_entry); - break; - } - krb5_kt_free_entry(context, &cur_entry); + break; + } + krb5_kt_free_entry(context, &cur_entry); } if (kerror == KRB5_KT_END) - kerror = KRB5_KT_NOTFOUND; + kerror = KRB5_KT_NOTFOUND; if (kerror) { - (void) krb5_ktfileint_close(context, id); - KTUNLOCK(id); - return kerror; + (void) krb5_ktfileint_close(context, id); + KTUNLOCK(id); + return kerror; } kerror = krb5_ktfileint_delete_entry(context, id, delete_point); if (kerror) { - (void) krb5_ktfileint_close(context, id); + (void) krb5_ktfileint_close(context, id); } else { kerror = krb5_ktfileint_close(context, id); } @@ -933,9 +934,9 @@ krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entr const struct _krb5_kt_ops krb5_ktf_ops = { 0, - "FILE", /* Prefix -- this string should not appear anywhere else! */ + "FILE", /* Prefix -- this string should not appear anywhere else! */ krb5_ktfile_resolve, - krb5_ktfile_get_name, + krb5_ktfile_get_name, krb5_ktfile_close, krb5_ktfile_get_entry, krb5_ktfile_start_seq_get, @@ -952,9 +953,9 @@ const struct _krb5_kt_ops krb5_ktf_ops = { const struct _krb5_kt_ops krb5_ktf_writable_ops = { 0, - "WRFILE", /* Prefix -- this string should not appear anywhere else! */ + "WRFILE", /* Prefix -- this string should not appear anywhere else! */ krb5_ktfile_wresolve, - krb5_ktfile_get_name, + krb5_ktfile_get_name, krb5_ktfile_close, krb5_ktfile_get_entry, krb5_ktfile_start_seq_get, @@ -971,9 +972,9 @@ const struct _krb5_kt_ops krb5_ktf_writable_ops = { const krb5_kt_ops krb5_kt_dfl_ops = { 0, - "FILE", /* Prefix -- this string should not appear anywhere else! */ + "FILE", /* Prefix -- this string should not appear anywhere else! */ krb5_ktfile_resolve, - krb5_ktfile_get_name, + krb5_ktfile_get_name, krb5_ktfile_close, krb5_ktfile_get_entry, krb5_ktfile_start_seq_get, @@ -998,7 +999,7 @@ const krb5_kt_ops krb5_kt_dfl_ops = { * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -1012,16 +1013,16 @@ const krb5_kt_ops krb5_kt_dfl_ops = { * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * * - * This function contains utilities for the file based implementation of + * + * This function contains utilities for the file based implementation of * the keytab. There are no public functions in this file. * * This file is the only one that has knowledge of the format of a * keytab file. * * The format is as follows: - * + * * * * principal timestamp vno key @@ -1031,21 +1032,21 @@ const krb5_kt_ops krb5_kt_dfl_ops = { * * A length field (sizeof(krb5_int32)) exists between entries. When this * length is positive it indicates an active entry, when negative a hole. - * The length indicates the size of the block in the file (this may be + * The length indicates the size of the block in the file (this may be * larger than the size of the next record, since we are using a first * fit algorithm for re-using holes and the first fit may be larger than * the entry we are writing). Another (compatible) implementation could - * break up holes when allocating them to smaller entries to minimize + * break up holes when allocating them to smaller entries to minimize * wasted space. (Such an implementation should also coalesce adjacent * holes to reduce fragmentation). This implementation does neither. * - * There are no separators between fields of an entry. + * There are no separators between fields of an entry. * A principal is a length-encoded array of length-encoded strings. The - * length is a krb5_int16 in each case. The specific format, then, is - * multiple entries concatinated with no separators. An entry has this + * length is a krb5_int16 in each case. The specific format, then, is + * multiple entries concatinated with no separators. An entry has this * exact format: * - * sizeof(krb5_int16) bytes for number of components in the principal; + * sizeof(krb5_int16) bytes for number of components in the principal; * then, each component listed in ordser. * For each component, sizeof(krb5_int16) bytes for the number of bytes * in the component, followed by the component. @@ -1083,73 +1084,73 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; KTFILEP(id) = fopen(KTFILENAME(id), - (mode == KRB5_LOCKMODE_EXCLUSIVE) ? - fopen_mode_rbplus : fopen_mode_rb); + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? + fopen_mode_rbplus : fopen_mode_rb); if (!KTFILEP(id)) { - if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) { - /* try making it first time around */ + if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) { + /* try making it first time around */ krb5_create_secure_file(context, KTFILENAME(id)); - errno = 0; - KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); - if (!KTFILEP(id)) - goto report_errno; - writevno = 1; - } else { - report_errno: - switch (errno) { - case 0: - /* XXX */ - return EMFILE; - case ENOENT: - krb5_set_error_message(context, ENOENT, - "Key table file '%s' not found", - KTFILENAME(id)); - return ENOENT; - default: - return errno; - } - } + errno = 0; + KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); + if (!KTFILEP(id)) + goto report_errno; + writevno = 1; + } else { + report_errno: + switch (errno) { + case 0: + /* XXX */ + return EMFILE; + case ENOENT: + krb5_set_error_message(context, ENOENT, + "Key table file '%s' not found", + KTFILENAME(id)); + return ENOENT; + default: + return errno; + } + } } set_cloexec_file(KTFILEP(id)); if ((kerror = krb5_lock_file(context, fileno(KTFILEP(id)), mode))) { - (void) fclose(KTFILEP(id)); - KTFILEP(id) = 0; - return kerror; + (void) fclose(KTFILEP(id)); + KTFILEP(id) = 0; + return kerror; } /* assume ANSI or BSD-style stdio */ setbuf(KTFILEP(id), KTFILEBUFP(id)); /* get the vno and verify it */ if (writevno) { - kt_vno = htons(krb5_kt_default_vno); - KTVERSION(id) = krb5_kt_default_vno; - if (!fwrite(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { - kerror = errno; - (void) krb5_unlock_file(context, fileno(KTFILEP(id))); - (void) fclose(KTFILEP(id)); - KTFILEP(id) = 0; - return kerror; - } + kt_vno = htons(krb5_kt_default_vno); + KTVERSION(id) = krb5_kt_default_vno; + if (!fwrite(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { + kerror = errno; + (void) krb5_unlock_file(context, fileno(KTFILEP(id))); + (void) fclose(KTFILEP(id)); + KTFILEP(id) = 0; + return kerror; + } } else { - /* gotta verify it instead... */ - if (!fread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { - if (feof(KTFILEP(id))) - kerror = KRB5_KEYTAB_BADVNO; - else - kerror = errno; - (void) krb5_unlock_file(context, fileno(KTFILEP(id))); - (void) fclose(KTFILEP(id)); - KTFILEP(id) = 0; - return kerror; - } - kt_vno = KTVERSION(id) = ntohs(kt_vno); - if ((kt_vno != KRB5_KT_VNO) && - (kt_vno != KRB5_KT_VNO_1)) { - (void) krb5_unlock_file(context, fileno(KTFILEP(id))); - (void) fclose(KTFILEP(id)); - KTFILEP(id) = 0; - return KRB5_KEYTAB_BADVNO; - } + /* gotta verify it instead... */ + if (!fread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { + if (feof(KTFILEP(id))) + kerror = KRB5_KEYTAB_BADVNO; + else + kerror = errno; + (void) krb5_unlock_file(context, fileno(KTFILEP(id))); + (void) fclose(KTFILEP(id)); + KTFILEP(id) = 0; + return kerror; + } + kt_vno = KTVERSION(id) = ntohs(kt_vno); + if ((kt_vno != KRB5_KT_VNO) && + (kt_vno != KRB5_KT_VNO_1)) { + (void) krb5_unlock_file(context, fileno(KTFILEP(id))); + (void) fclose(KTFILEP(id)); + KTFILEP(id) = 0; + return KRB5_KEYTAB_BADVNO; + } } KTSTARTOFF(id) = ftell(KTFILEP(id)); return 0; @@ -1174,7 +1175,7 @@ krb5_ktfileint_close(krb5_context context, krb5_keytab id) KTCHECKLOCK(id); if (!KTFILEP(id)) - return 0; + return 0; kerror = krb5_unlock_file(context, fileno(KTFILEP(id))); (void) fclose(KTFILEP(id)); KTFILEP(id) = 0; @@ -1196,12 +1197,12 @@ krb5_ktfileint_delete_entry(krb5_context context, krb5_keytab id, krb5_int32 del return KRB5_KT_END; } if (KTVERSION(id) != KRB5_KT_VNO_1) - size = ntohl(size); + size = ntohl(size); if (size > 0) { krb5_int32 minus_size = -size; - if (KTVERSION(id) != KRB5_KT_VNO_1) - minus_size = htonl(minus_size); + if (KTVERSION(id) != KRB5_KT_VNO_1) + minus_size = htonl(minus_size); if (fseek(KTFILEP(id), delete_point, SEEK_SET)) { return errno; @@ -1220,8 +1221,8 @@ krb5_ktfileint_delete_entry(krb5_context context, krb5_keytab id, krb5_int32 del memset(iobuf, 0, (size_t) len); while (size > 0) { if (!fwrite(iobuf, 1, (size_t) len, KTFILEP(id))) { - return KRB5_KT_IOERR; - } + return KRB5_KT_IOERR; + } size -= len; if (size < len) { len = size; @@ -1246,8 +1247,8 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke krb5_int32 size; krb5_int32 start_pos; krb5_error_code error; - char *tmpdata; - krb5_data *princ; + char *tmpdata; + krb5_data *princ; KTCHECKLOCK(id); memset(ret_entry, 0, sizeof(krb5_keytab_entry)); @@ -1265,8 +1266,8 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke if (!fread(&size, sizeof(size), 1, KTFILEP(id))) { return KRB5_KT_END; } - if (KTVERSION(id) != KRB5_KT_VNO_1) - size = ntohl(size); + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = ntohl(size); if (size < 0) { if (fseek(KTFILEP(id), -size, SEEK_CUR)) { @@ -1285,163 +1286,163 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke /* first, int16 with #princ components */ if (!fread(&count, sizeof(count), 1, KTFILEP(id))) - return KRB5_KT_END; + return KRB5_KT_END; if (KTVERSION(id) == KRB5_KT_VNO_1) { - count -= 1; /* V1 includes the realm in the count */ + count -= 1; /* V1 includes the realm in the count */ } else { - count = ntohs(count); + count = ntohs(count); } if (!count || (count < 0)) - return KRB5_KT_END; + return KRB5_KT_END; ret_entry->principal = (krb5_principal)malloc(sizeof(krb5_principal_data)); if (!ret_entry->principal) return ENOMEM; - + u_count = count; ret_entry->principal->magic = KV5M_PRINCIPAL; ret_entry->principal->length = u_count; - ret_entry->principal->data = (krb5_data *) - calloc(u_count, sizeof(krb5_data)); + ret_entry->principal->data = (krb5_data *) + calloc(u_count, sizeof(krb5_data)); if (!ret_entry->principal->data) { - free(ret_entry->principal); - ret_entry->principal = 0; - return ENOMEM; + free(ret_entry->principal); + ret_entry->principal = 0; + return ENOMEM; } /* Now, get the realm data */ if (!fread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + error = KRB5_KT_END; + goto fail; } if (KTVERSION(id) != KRB5_KT_VNO_1) - princ_size = ntohs(princ_size); + princ_size = ntohs(princ_size); if (!princ_size || (princ_size < 0)) { - error = KRB5_KT_END; - goto fail; + error = KRB5_KT_END; + goto fail; } u_princ_size = princ_size; krb5_princ_set_realm_length(context, ret_entry->principal, u_princ_size); tmpdata = malloc(u_princ_size+1); if (!tmpdata) { - error = ENOMEM; - goto fail; + error = ENOMEM; + goto fail; } if (fread(tmpdata, 1, u_princ_size, KTFILEP(id)) != (size_t) princ_size) { - free(tmpdata); - error = KRB5_KT_END; - goto fail; + free(tmpdata); + error = KRB5_KT_END; + goto fail; } - tmpdata[princ_size] = 0; /* Some things might be expecting null */ - /* termination... ``Be conservative in */ - /* what you send out'' */ + tmpdata[princ_size] = 0; /* Some things might be expecting null */ + /* termination... ``Be conservative in */ + /* what you send out'' */ krb5_princ_set_realm_data(context, ret_entry->principal, tmpdata); - + for (i = 0; i < count; i++) { - princ = krb5_princ_component(context, ret_entry->principal, i); - if (!fread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + princ = krb5_princ_component(context, ret_entry->principal, i); + if (!fread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; } - if (KTVERSION(id) != KRB5_KT_VNO_1) - princ_size = ntohs(princ_size); - if (!princ_size || (princ_size < 0)) { - error = KRB5_KT_END; - goto fail; + if (KTVERSION(id) != KRB5_KT_VNO_1) + princ_size = ntohs(princ_size); + if (!princ_size || (princ_size < 0)) { + error = KRB5_KT_END; + goto fail; } - u_princ_size = princ_size; - princ->length = u_princ_size; - princ->data = malloc(u_princ_size+1); - if (!princ->data) { - error = ENOMEM; - goto fail; + u_princ_size = princ_size; + princ->length = u_princ_size; + princ->data = malloc(u_princ_size+1); + if (!princ->data) { + error = ENOMEM; + goto fail; } - if (!fread(princ->data, sizeof(char), u_princ_size, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + if (!fread(princ->data, sizeof(char), u_princ_size, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; } - princ->data[princ_size] = 0; /* Null terminate */ + princ->data[princ_size] = 0; /* Null terminate */ } /* read in the principal type, if we can get it */ if (KTVERSION(id) != KRB5_KT_VNO_1) { - if (!fread(&ret_entry->principal->type, - sizeof(ret_entry->principal->type), 1, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; - } - ret_entry->principal->type = ntohl(ret_entry->principal->type); - } - + if (!fread(&ret_entry->principal->type, + sizeof(ret_entry->principal->type), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + ret_entry->principal->type = ntohl(ret_entry->principal->type); + } + /* read in the timestamp */ if (!fread(&ret_entry->timestamp, sizeof(ret_entry->timestamp), 1, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + error = KRB5_KT_END; + goto fail; } if (KTVERSION(id) != KRB5_KT_VNO_1) - ret_entry->timestamp = ntohl(ret_entry->timestamp); - + ret_entry->timestamp = ntohl(ret_entry->timestamp); + /* read in the version number */ if (!fread(&vno, sizeof(vno), 1, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + error = KRB5_KT_END; + goto fail; } ret_entry->vno = (krb5_kvno)vno; - + /* key type */ if (!fread(&enctype, sizeof(enctype), 1, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + error = KRB5_KT_END; + goto fail; } ret_entry->key.enctype = (krb5_enctype)enctype; if (KTVERSION(id) != KRB5_KT_VNO_1) - ret_entry->key.enctype = ntohs(ret_entry->key.enctype); - + ret_entry->key.enctype = ntohs(ret_entry->key.enctype); + /* key contents */ ret_entry->key.magic = KV5M_KEYBLOCK; - + if (!fread(&count, sizeof(count), 1, KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + error = KRB5_KT_END; + goto fail; } if (KTVERSION(id) != KRB5_KT_VNO_1) - count = ntohs(count); + count = ntohs(count); if (!count || (count < 0)) { - error = KRB5_KT_END; - goto fail; + error = KRB5_KT_END; + goto fail; } u_count = count; ret_entry->key.length = u_count; - + ret_entry->key.contents = (krb5_octet *)malloc(u_count); if (!ret_entry->key.contents) { - error = ENOMEM; - goto fail; - } + error = ENOMEM; + goto fail; + } if (!fread(ret_entry->key.contents, sizeof(krb5_octet), count, - KTFILEP(id))) { - error = KRB5_KT_END; - goto fail; + KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; } /* * Reposition file pointer to the next inter-record length field. */ if (fseek(KTFILEP(id), start_pos + size, SEEK_SET) == -1) { - error = errno; - goto fail; + error = errno; + goto fail; } return 0; fail: - + for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) { - princ = krb5_princ_component(context, ret_entry->principal, i); - if (princ->data) - free(princ->data); + princ = krb5_princ_component(context, ret_entry->principal, i); + if (princ->data) + free(princ->data); } free(ret_entry->principal->data); ret_entry->principal->data = 0; @@ -1466,10 +1467,10 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent krb5_int16 count, size, enctype; krb5_error_code retval = 0; krb5_timestamp timestamp; - krb5_int32 princ_type; + krb5_int32 princ_type; krb5_int32 size_needed; krb5_int32 commit_point = -1; - int i; + int i; KTCHECKLOCK(id); retval = krb5_ktfileint_size_entry(context, entry, &size_needed); @@ -1487,50 +1488,50 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent } if (KTVERSION(id) == KRB5_KT_VNO_1) { - count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1; + count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1; } else { - count = htons((u_short) krb5_princ_size(context, entry->principal)); + count = htons((u_short) krb5_princ_size(context, entry->principal)); } - + if (!fwrite(&count, sizeof(count), 1, KTFILEP(id))) { abend: - return KRB5_KT_IOERR; + return KRB5_KT_IOERR; } size = krb5_princ_realm(context, entry->principal)->length; if (KTVERSION(id) != KRB5_KT_VNO_1) - size = htons(size); + size = htons(size); if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) { - goto abend; + goto abend; } if (!fwrite(krb5_princ_realm(context, entry->principal)->data, sizeof(char), - krb5_princ_realm(context, entry->principal)->length, KTFILEP(id))) { - goto abend; + krb5_princ_realm(context, entry->principal)->length, KTFILEP(id))) { + goto abend; } count = (krb5_int16) krb5_princ_size(context, entry->principal); for (i = 0; i < count; i++) { - princ = krb5_princ_component(context, entry->principal, i); - size = princ->length; - if (KTVERSION(id) != KRB5_KT_VNO_1) - size = htons(size); - if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) { - goto abend; - } - if (!fwrite(princ->data, sizeof(char), princ->length, KTFILEP(id))) { - goto abend; - } + princ = krb5_princ_component(context, entry->principal, i); + size = princ->length; + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = htons(size); + if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) { + goto abend; + } + if (!fwrite(princ->data, sizeof(char), princ->length, KTFILEP(id))) { + goto abend; + } } /* * Write out the principal type */ if (KTVERSION(id) != KRB5_KT_VNO_1) { - princ_type = htonl(krb5_princ_type(context, entry->principal)); - if (!fwrite(&princ_type, sizeof(princ_type), 1, KTFILEP(id))) { - goto abend; - } + princ_type = htonl(krb5_princ_type(context, entry->principal)); + if (!fwrite(&princ_type, sizeof(princ_type), 1, KTFILEP(id))) { + goto abend; + } } - + /* * Fill in the time of day the entry was written to the keytab. */ @@ -1538,41 +1539,41 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent entry->timestamp = 0; } if (KTVERSION(id) == KRB5_KT_VNO_1) - timestamp = entry->timestamp; + timestamp = entry->timestamp; else - timestamp = htonl(entry->timestamp); + timestamp = htonl(entry->timestamp); if (!fwrite(×tamp, sizeof(timestamp), 1, KTFILEP(id))) { - goto abend; + goto abend; } - + /* key version number */ vno = (krb5_octet)entry->vno; if (!fwrite(&vno, sizeof(vno), 1, KTFILEP(id))) { - goto abend; + goto abend; } /* key type */ if (KTVERSION(id) == KRB5_KT_VNO_1) - enctype = entry->key.enctype; + enctype = entry->key.enctype; else - enctype = htons(entry->key.enctype); + enctype = htons(entry->key.enctype); if (!fwrite(&enctype, sizeof(enctype), 1, KTFILEP(id))) { - goto abend; + goto abend; } /* key length */ if (KTVERSION(id) == KRB5_KT_VNO_1) - size = entry->key.length; + size = entry->key.length; else - size = htons(entry->key.length); + size = htons(entry->key.length); if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) { - goto abend; + goto abend; } if (!fwrite(entry->key.contents, sizeof(krb5_octet), - entry->key.length, KTFILEP(id))) { - goto abend; - } + entry->key.length, KTFILEP(id))) { + goto abend; + } if (fflush(KTFILEP(id))) - goto abend; + goto abend; retval = krb5_sync_disk_file(context, KTFILEP(id)); @@ -1584,12 +1585,12 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent return errno; } if (KTVERSION(id) != KRB5_KT_VNO_1) - size_needed = htonl(size_needed); + size_needed = htonl(size_needed); if (!fwrite(&size_needed, sizeof(size_needed), 1, KTFILEP(id))) { goto abend; } if (fflush(KTFILEP(id))) - goto abend; + goto abend; retval = krb5_sync_disk_file(context, KTFILEP(id)); return retval; @@ -1607,13 +1608,13 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i krb5_error_code retval = 0; count = (krb5_int16) krb5_princ_size(context, entry->principal); - + total_size = sizeof(count); total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16)); - + for (i = 0; i < count; i++) { - total_size += krb5_princ_component(context, entry->principal,i)->length - + (sizeof(krb5_int16)); + total_size += krb5_princ_component(context, entry->principal,i)->length + + (sizeof(krb5_int16)); } total_size += sizeof(entry->principal->type); @@ -1636,7 +1637,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i * The size_needed argument may be adjusted if we find a hole that is * larger than the size needed. (Recall that size_needed will be used * to commit the write, but that this field must indicate the size of the - * block in the file rather than the size of the actual entry) + * block in the file rather than the size of the actual entry) */ static krb5_error_code krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_needed, krb5_int32 *commit_point_ptr) @@ -1655,56 +1656,55 @@ krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_ for (;;) { commit_point = ftell(fp); - if (commit_point == -1) - return errno; + if (commit_point == -1) + return errno; if (!fread(&size, sizeof(size), 1, fp)) { /* Hit the end of file, reserve this slot. */ /* Necessary to avoid a later fseek failing on Solaris 10. */ - if (fseek(fp, 0, SEEK_CUR)) - return errno; - /* htonl(0) is 0, so no need to worry about byte order */ + if (fseek(fp, 0, SEEK_CUR)) + return errno; + /* htonl(0) is 0, so no need to worry about byte order */ size = 0; if (!fwrite(&size, sizeof(size), 1, fp)) return errno; break; } - if (KTVERSION(id) != KRB5_KT_VNO_1) - size = ntohl(size); + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = ntohl(size); if (size > 0) { - /* Non-empty record; seek past it. */ + /* Non-empty record; seek past it. */ if (fseek(fp, size, SEEK_CUR)) return errno; - } else if (size < 0) { - /* Empty record; use if it's big enough, seek past otherwise. */ - size = -size; + } else if (size < 0) { + /* Empty record; use if it's big enough, seek past otherwise. */ + size = -size; if (size >= *size_needed) { *size_needed = size; - break; - } else { + break; + } else { if (fseek(fp, size, SEEK_CUR)) return errno; - } - } else { - /* Empty record at end of file; use it. */ - /* Ensure the new record will be followed by another 0. */ - zero_point = ftell(fp); - if (zero_point == -1) - return errno; - if (fseek(fp, *size_needed, SEEK_CUR)) - return errno; - /* htonl(0) is 0, so no need to worry about byte order */ + } + } else { + /* Empty record at end of file; use it. */ + /* Ensure the new record will be followed by another 0. */ + zero_point = ftell(fp); + if (zero_point == -1) + return errno; + if (fseek(fp, *size_needed, SEEK_CUR)) + return errno; + /* htonl(0) is 0, so no need to worry about byte order */ if (!fwrite(&size, sizeof(size), 1, fp)) return errno; - if (fseek(fp, zero_point, SEEK_SET)) - return errno; - break; - } + if (fseek(fp, zero_point, SEEK_SET)) + return errno; + break; + } } *commit_point_ptr = commit_point; return 0; } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c index b78e7064c..d58ffee5c 100644 --- a/src/lib/krb5/keytab/kt_memory.c +++ b/src/lib/krb5/keytab/kt_memory.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/kt_memory.c * @@ -42,15 +43,15 @@ * Constants */ -/* +/* * Types */ -/* From krb5.h: +/* From krb5.h: * typedef struct krb5_keytab_entry_st { * krb5_magic magic; * krb5_principal principal; principal of this key - * krb5_timestamp timestamp; time entry written to keytable - * krb5_kvno vno; key version number + * krb5_timestamp timestamp; time entry written to keytable + * krb5_kvno vno; key version number * krb5_keyblock key; the secret key *} krb5_keytab_entry; */ @@ -63,10 +64,10 @@ typedef struct _krb5_mkt_link { /* Per-keytab data header */ typedef struct _krb5_mkt_data { - char *name; /* Name of the keytab */ - k5_mutex_t lock; /* Thread-safety - all but link */ - krb5_int32 refcount; - krb5_mkt_cursor link; + char *name; /* Name of the keytab */ + k5_mutex_t lock; /* Thread-safety - all but link */ + krb5_int32 refcount; + krb5_mkt_cursor link; } krb5_mkt_data; /* List of memory key tables */ @@ -80,8 +81,8 @@ typedef struct _krb5_mkt_ptcursor_data { struct _krb5_mkt_list_node *cur; } krb5_mkt_ptcursor_data; -/* - * Globals +/* + * Globals */ static krb5_mkt_list_node * krb5int_mkt_list = NULL; static k5_mutex_t krb5int_mkt_mutex = K5_MUTEX_PARTIAL_INITIALIZER; @@ -103,55 +104,55 @@ static k5_mutex_t krb5int_mkt_mutex = K5_MUTEX_PARTIAL_INITIALIZER; extern const struct _krb5_kt_ops krb5_mkt_ops; -krb5_error_code KRB5_CALLCONV krb5_mkt_resolve - (krb5_context, - const char *, - krb5_keytab *); - -krb5_error_code KRB5_CALLCONV krb5_mkt_get_name - (krb5_context, - krb5_keytab, - char *, - unsigned int); - -krb5_error_code KRB5_CALLCONV krb5_mkt_close - (krb5_context, - krb5_keytab); - -krb5_error_code KRB5_CALLCONV krb5_mkt_get_entry - (krb5_context, - krb5_keytab, - krb5_const_principal, - krb5_kvno, - krb5_enctype, - krb5_keytab_entry *); - -krb5_error_code KRB5_CALLCONV krb5_mkt_start_seq_get - (krb5_context, - krb5_keytab, - krb5_kt_cursor *); - -krb5_error_code KRB5_CALLCONV krb5_mkt_get_next - (krb5_context, - krb5_keytab, - krb5_keytab_entry *, - krb5_kt_cursor *); - -krb5_error_code KRB5_CALLCONV krb5_mkt_end_get - (krb5_context, - krb5_keytab, - krb5_kt_cursor *); +krb5_error_code KRB5_CALLCONV krb5_mkt_resolve +(krb5_context, + const char *, + krb5_keytab *); + +krb5_error_code KRB5_CALLCONV krb5_mkt_get_name +(krb5_context, + krb5_keytab, + char *, + unsigned int); + +krb5_error_code KRB5_CALLCONV krb5_mkt_close +(krb5_context, + krb5_keytab); + +krb5_error_code KRB5_CALLCONV krb5_mkt_get_entry +(krb5_context, + krb5_keytab, + krb5_const_principal, + krb5_kvno, + krb5_enctype, + krb5_keytab_entry *); + +krb5_error_code KRB5_CALLCONV krb5_mkt_start_seq_get +(krb5_context, + krb5_keytab, + krb5_kt_cursor *); + +krb5_error_code KRB5_CALLCONV krb5_mkt_get_next +(krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_kt_cursor *); + +krb5_error_code KRB5_CALLCONV krb5_mkt_end_get +(krb5_context, + krb5_keytab, + krb5_kt_cursor *); /* routines to be included on extended version (write routines) */ -krb5_error_code KRB5_CALLCONV krb5_mkt_add - (krb5_context, - krb5_keytab, - krb5_keytab_entry *); +krb5_error_code KRB5_CALLCONV krb5_mkt_add +(krb5_context, + krb5_keytab, + krb5_keytab_entry *); -krb5_error_code KRB5_CALLCONV krb5_mkt_remove - (krb5_context, - krb5_keytab, - krb5_keytab_entry *); +krb5_error_code KRB5_CALLCONV krb5_mkt_remove +(krb5_context, + krb5_keytab, + krb5_keytab_entry *); int krb5int_mkt_initialize(void) { return k5_mutex_finish_init(&krb5int_mkt_mutex); @@ -164,33 +165,33 @@ void krb5int_mkt_finalize(void) { k5_mutex_destroy(&krb5int_mkt_mutex); for (node = krb5int_mkt_list; node; node = next_node) { - next_node = node->next; + next_node = node->next; - /* destroy the contents of node->keytab */ - free(KTNAME(node->keytab)); + /* destroy the contents of node->keytab */ + free(KTNAME(node->keytab)); - /* free the keytab entries */ - for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) { - next_cursor = cursor->next; - /* the call to krb5_kt_free_entry uses a NULL in place of the - * krb5_context since we know that the context isn't used by - * krb5_kt_free_entry or krb5_free_principal. */ - krb5_kt_free_entry(NULL, cursor->entry); - free(cursor->entry); - free(cursor); - } + /* free the keytab entries */ + for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) { + next_cursor = cursor->next; + /* the call to krb5_kt_free_entry uses a NULL in place of the + * krb5_context since we know that the context isn't used by + * krb5_kt_free_entry or krb5_free_principal. */ + krb5_kt_free_entry(NULL, cursor->entry); + free(cursor->entry); + free(cursor); + } - /* destroy the lock */ - k5_mutex_destroy(&(((krb5_mkt_data *)node->keytab->data)->lock)); + /* destroy the lock */ + k5_mutex_destroy(&(((krb5_mkt_data *)node->keytab->data)->lock)); - /* free the private data */ - free(node->keytab->data); + /* free the private data */ + free(node->keytab->data); - /* and the keytab */ - free(node->keytab); + /* and the keytab */ + free(node->keytab); - /* and finally the node */ - free(node); + /* and finally the node */ + free(node); } } @@ -205,34 +206,34 @@ create_list_node(const char *name, krb5_mkt_list_node **listp) list = calloc(1, sizeof(krb5_mkt_list_node)); if (list == NULL) { - err = ENOMEM; - goto cleanup; + err = ENOMEM; + goto cleanup; } list->keytab = calloc(1, sizeof(struct _krb5_kt)); if (list->keytab == NULL) { - err = ENOMEM; - goto cleanup; + err = ENOMEM; + goto cleanup; } list->keytab->ops = &krb5_mkt_ops; data = calloc(1, sizeof(krb5_mkt_data)); if (data == NULL) { - err = ENOMEM; - goto cleanup; + err = ENOMEM; + goto cleanup; } data->link = NULL; data->refcount = 0; data->name = strdup(name); if (data->name == NULL) { - err = ENOMEM; - goto cleanup; + err = ENOMEM; + goto cleanup; } err = k5_mutex_init(&data->lock); if (err) - goto cleanup; + goto cleanup; list->keytab->data = data; list->keytab->magic = KV5M_KEYTAB; @@ -243,20 +244,20 @@ create_list_node(const char *name, krb5_mkt_list_node **listp) cleanup: /* data->lock was initialized last, so no need to destroy. */ if (data) - free(data->name); + free(data->name); free(data); if (list) - free(list->keytab); + free(list->keytab); free(list); return err; } /* - * This is an implementation specific resolver. It returns a keytab + * This is an implementation specific resolver. It returns a keytab * initialized with memory keytab routines. */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id) { krb5_mkt_list_node *list; @@ -267,29 +268,29 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id) /* First determine if a memory keytab of this name already exists */ err = KTGLOCK; if (err) - return err; + return err; for (list = krb5int_mkt_list; list; list = list->next) { - if (strcmp(name,KTNAME(list->keytab)) == 0) - break; + if (strcmp(name,KTNAME(list->keytab)) == 0) + break; } if (!list) { - /* We will now create the new key table with the specified name. - * We do not drop the global lock, therefore the name will indeed - * be unique when we add it. - */ - err = create_list_node(name, &list); - if (err) - goto done; - list->next = krb5int_mkt_list; - krb5int_mkt_list = list; + /* We will now create the new key table with the specified name. + * We do not drop the global lock, therefore the name will indeed + * be unique when we add it. + */ + err = create_list_node(name, &list); + if (err) + goto done; + list->next = krb5int_mkt_list; + krb5int_mkt_list = list; } /* Increment the reference count on the keytab we found or created. */ err = KTLOCK(list->keytab); if (err) - goto done; + goto done; KTREFCNT(list->keytab)++; KTUNLOCK(list->keytab); *id = list->keytab; @@ -306,7 +307,7 @@ done: * a memory keytab shouldn't either. */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_mkt_close(krb5_context context, krb5_keytab id) { krb5_mkt_list_node **listp; @@ -319,71 +320,71 @@ krb5_mkt_close(krb5_context context, krb5_keytab id) /* First determine if a memory keytab of this name already exists */ err = KTGLOCK; if (err) - return(err); - + return(err); + for (listp = &krb5int_mkt_list; *listp; listp = &((*listp)->next)) { - if (id == (*listp)->keytab) { - /* Found */ - break; - } + if (id == (*listp)->keytab) { + /* Found */ + break; + } } if (*listp == NULL) { - /* The specified keytab could not be found */ - err = KRB5_KT_NOTFOUND; - goto done; + /* The specified keytab could not be found */ + err = KRB5_KT_NOTFOUND; + goto done; } /* reduce the refcount and return */ err = KTLOCK(id); if (err) - goto done; + goto done; KTREFCNT(id)--; KTUNLOCK(id); #ifdef HEIMDAL_COMPATIBLE - /* In Heimdal if the refcount hits 0, the MEMORY keytab is + /* In Heimdal if the refcount hits 0, the MEMORY keytab is * destroyed since there is no krb5_kt_destroy function. - * There is no need to lock the entry while performing + * There is no need to lock the entry while performing * these operations as the refcount will be 0 and we are * holding the global lock. */ data = (krb5_mkt_data *)id->data; if (data->refcount == 0) { - krb5_mkt_cursor cursor, next_cursor; + krb5_mkt_cursor cursor, next_cursor; - node = *listp; - *listp = node->next; + node = *listp; + *listp = node->next; - /* destroy the contents of node->keytab (aka id) */ - free(data->name); + /* destroy the contents of node->keytab (aka id) */ + free(data->name); - /* free the keytab entries */ - for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) { - next_cursor = cursor->next; + /* free the keytab entries */ + for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) { + next_cursor = cursor->next; - krb5_kt_free_entry(context, cursor->entry); - free(cursor->entry); - free(cursor); - } + krb5_kt_free_entry(context, cursor->entry); + free(cursor->entry); + free(cursor); + } - /* destroy the lock */ - k5_mutex_destroy(&(data->lock)); + /* destroy the lock */ + k5_mutex_destroy(&(data->lock)); - /* free the private data */ - free(data); + /* free the private data */ + free(data); - /* and the keytab */ - free(node->keytab); + /* and the keytab */ + free(node->keytab); - /* and finally the node */ - free(node); + /* and finally the node */ + free(node); } #endif /* HEIMDAL_COMPATIBLE */ - done: +done: KTGUNLOCK; return(err); } @@ -395,8 +396,8 @@ krb5_mkt_close(krb5_context context, krb5_keytab id) krb5_error_code KRB5_CALLCONV krb5_mkt_get_entry(krb5_context context, krb5_keytab id, - krb5_const_principal principal, krb5_kvno kvno, - krb5_enctype enctype, krb5_keytab_entry *out_entry) + krb5_const_principal principal, krb5_kvno kvno, + krb5_enctype enctype, krb5_keytab_entry *out_entry) { krb5_mkt_cursor cursor; krb5_keytab_entry *entry, *match = NULL; @@ -406,67 +407,67 @@ krb5_mkt_get_entry(krb5_context context, krb5_keytab id, err = KTLOCK(id); if (err) - return err; + return err; for (cursor = KTLINK(id); cursor && cursor->entry; cursor = cursor->next) { - entry = cursor->entry; - - /* if the principal isn't the one requested, continue to the next. */ - - if (!krb5_principal_compare(context, principal, entry->principal)) - continue; - - /* if the enctype is not ignored and doesn't match, - and continue to the next */ - if (enctype != IGNORE_ENCTYPE) { - if ((err = krb5_c_enctype_compare(context, enctype, - entry->key.enctype, - &similar))) { - /* we can't determine the enctype of the entry */ - continue; - } - - if (!similar) - continue; - } - - if (kvno == IGNORE_VNO) { - if (match == NULL) - match = entry; - else if (entry->vno > match->vno) - match = entry; - } else { - if (entry->vno == kvno) { - match = entry; - break; - } else { - found_wrong_kvno++; - } - } + entry = cursor->entry; + + /* if the principal isn't the one requested, continue to the next. */ + + if (!krb5_principal_compare(context, principal, entry->principal)) + continue; + + /* if the enctype is not ignored and doesn't match, + and continue to the next */ + if (enctype != IGNORE_ENCTYPE) { + if ((err = krb5_c_enctype_compare(context, enctype, + entry->key.enctype, + &similar))) { + /* we can't determine the enctype of the entry */ + continue; + } + + if (!similar) + continue; + } + + if (kvno == IGNORE_VNO) { + if (match == NULL) + match = entry; + else if (entry->vno > match->vno) + match = entry; + } else { + if (entry->vno == kvno) { + match = entry; + break; + } else { + found_wrong_kvno++; + } + } } /* if we found an entry that matches, ... */ - if (match) { - out_entry->magic = match->magic; - out_entry->timestamp = match->timestamp; - out_entry->vno = match->vno; - out_entry->key = match->key; - err = krb5_copy_keyblock_contents(context, &(match->key), - &(out_entry->key)); - /* - * Coerce the enctype of the output keyblock in case we - * got an inexact match on the enctype. - */ - if(enctype != IGNORE_ENCTYPE) - out_entry->key.enctype = enctype; - if(!err) { - err = krb5_copy_principal(context, - match->principal, - &(out_entry->principal)); - } + if (match) { + out_entry->magic = match->magic; + out_entry->timestamp = match->timestamp; + out_entry->vno = match->vno; + out_entry->key = match->key; + err = krb5_copy_keyblock_contents(context, &(match->key), + &(out_entry->key)); + /* + * Coerce the enctype of the output keyblock in case we + * got an inexact match on the enctype. + */ + if(enctype != IGNORE_ENCTYPE) + out_entry->key.enctype = enctype; + if(!err) { + err = krb5_copy_principal(context, + match->principal, + &(out_entry->principal)); + } } else { - if (!err) - err = found_wrong_kvno ? KRB5_KT_KVNONOTFOUND : KRB5_KT_NOTFOUND; + if (!err) + err = found_wrong_kvno ? KRB5_KT_KVNONOTFOUND : KRB5_KT_NOTFOUND; } KTUNLOCK(id); @@ -485,7 +486,7 @@ krb5_mkt_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int memset(name, 0, len); result = snprintf(name, len, "%s:%s", id->ops->prefix, KTNAME(id)); if (SNPRINTF_OVERFLOW(result, len)) - return(KRB5_KT_NAME_TOOLONG); + return(KRB5_KT_NAME_TOOLONG); return(0); } @@ -500,7 +501,7 @@ krb5_mkt_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cur err = KTLOCK(id); if (err) - return(err); + return(err); *cursorp = (krb5_kt_cursor)KTLINK(id); KTUNLOCK(id); @@ -512,7 +513,7 @@ krb5_mkt_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cur * krb5_mkt_get_next() */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_mkt_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor) { krb5_mkt_cursor mkt_cursor = (krb5_mkt_cursor)*cursor; @@ -520,24 +521,24 @@ krb5_mkt_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry err = KTLOCK(id); if (err) - return err; + return err; if (mkt_cursor == NULL) { - KTUNLOCK(id); - return KRB5_KT_END; + KTUNLOCK(id); + return KRB5_KT_END; } entry->magic = mkt_cursor->entry->magic; entry->timestamp = mkt_cursor->entry->timestamp; entry->vno = mkt_cursor->entry->vno; - entry->key = mkt_cursor->entry->key; - err = krb5_copy_keyblock_contents(context, &(mkt_cursor->entry->key), - &(entry->key)); - if (!err) - err = krb5_copy_principal(context, mkt_cursor->entry->principal, - &(entry->principal)); + entry->key = mkt_cursor->entry->key; + err = krb5_copy_keyblock_contents(context, &(mkt_cursor->entry->key), + &(entry->key)); + if (!err) + err = krb5_copy_principal(context, mkt_cursor->entry->principal, + &(entry->principal)); if (!err) - *cursor = (krb5_kt_cursor *)mkt_cursor->next; + *cursor = (krb5_kt_cursor *)mkt_cursor->next; KTUNLOCK(id); return(err); } @@ -546,7 +547,7 @@ krb5_mkt_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry * krb5_mkt_end_get() */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_mkt_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) { *cursor = NULL; @@ -558,7 +559,7 @@ krb5_mkt_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) * krb5_mkt_add() */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { krb5_error_code err = 0; @@ -566,47 +567,47 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) err = KTLOCK(id); if (err) - return err; + return err; cursor = (krb5_mkt_cursor)malloc(sizeof(krb5_mkt_link)); if (cursor == NULL) { - err = ENOMEM; - goto done; + err = ENOMEM; + goto done; } cursor->entry = (krb5_keytab_entry *)malloc(sizeof(krb5_keytab_entry)); if (cursor->entry == NULL) { - free(cursor); - err = ENOMEM; - goto done; + free(cursor); + err = ENOMEM; + goto done; } cursor->entry->magic = entry->magic; cursor->entry->timestamp = entry->timestamp; cursor->entry->vno = entry->vno; - err = krb5_copy_keyblock_contents(context, &(entry->key), - &(cursor->entry->key)); + err = krb5_copy_keyblock_contents(context, &(entry->key), + &(cursor->entry->key)); if (err) { - free(cursor->entry); - free(cursor); - goto done; + free(cursor->entry); + free(cursor); + goto done; } err = krb5_copy_principal(context, entry->principal, &(cursor->entry->principal)); if (err) { - krb5_free_keyblock_contents(context, &(cursor->entry->key)); - free(cursor->entry); - free(cursor); - goto done; + krb5_free_keyblock_contents(context, &(cursor->entry->key)); + free(cursor->entry); + free(cursor); + goto done; } if (KTLINK(id) == NULL) { - cursor->next = NULL; - KTLINK(id) = cursor; + cursor->next = NULL; + KTLINK(id) = cursor; } else { - cursor->next = KTLINK(id); - KTLINK(id) = cursor; + cursor->next = KTLINK(id); + KTLINK(id) = cursor; } - done: +done: KTUNLOCK(id); return err; } @@ -615,7 +616,7 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) * krb5_mkt_remove() */ -krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { krb5_mkt_cursor *pcursor, next; @@ -623,23 +624,23 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) err = KTLOCK(id); if (err) - return err; + return err; if ( KTLINK(id) == NULL ) { - err = KRB5_KT_NOTFOUND; - goto done; + err = KRB5_KT_NOTFOUND; + goto done; } - + for ( pcursor = &KTLINK(id); *pcursor; pcursor = &(*pcursor)->next ) { - if ( (*pcursor)->entry->vno == entry->vno && - (*pcursor)->entry->key.enctype == entry->key.enctype && - krb5_principal_compare(context, (*pcursor)->entry->principal, entry->principal)) - break; + if ( (*pcursor)->entry->vno == entry->vno && + (*pcursor)->entry->key.enctype == entry->key.enctype && + krb5_principal_compare(context, (*pcursor)->entry->principal, entry->principal)) + break; } if (!*pcursor) { - err = KRB5_KT_NOTFOUND; - goto done; + err = KRB5_KT_NOTFOUND; + goto done; } krb5_kt_free_entry(context, (*pcursor)->entry); @@ -648,7 +649,7 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) free(*pcursor); (*pcursor) = next; - done: +done: KTUNLOCK(id); return err; } @@ -660,9 +661,9 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) const struct _krb5_kt_ops krb5_mkt_ops = { 0, - "MEMORY", /* Prefix -- this string should not appear anywhere else! */ + "MEMORY", /* Prefix -- this string should not appear anywhere else! */ krb5_mkt_resolve, - krb5_mkt_get_name, + krb5_mkt_get_name, krb5_mkt_close, krb5_mkt_get_entry, krb5_mkt_start_seq_get, @@ -674,4 +675,3 @@ const struct _krb5_kt_ops krb5_mkt_ops = { }; #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c index 20ea3d755..a2e13040b 100644 --- a/src/lib/krb5/keytab/kt_srvtab.c +++ b/src/lib/krb5/keytab/kt_srvtab.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/srvtab/kts_resolv.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -27,23 +28,23 @@ #include "k5-int.h" #include -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT /* * Constants */ -#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ -#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ +#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ +#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ #define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO -/* +/* * Types */ typedef struct _krb5_ktsrvtab_data { - char *name; /* Name of the file */ - FILE *openf; /* open file, if any. */ + char *name; /* Name of the file */ + FILE *openf; /* open file, if any. */ } krb5_ktsrvtab_data; /* @@ -56,59 +57,59 @@ typedef struct _krb5_ktsrvtab_data { extern const struct _krb5_kt_ops krb5_kts_ops; static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_resolve - (krb5_context, - const char *, - krb5_keytab *); +(krb5_context, + const char *, + krb5_keytab *); static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_name - (krb5_context, - krb5_keytab, - char *, - unsigned int); +(krb5_context, + krb5_keytab, + char *, + unsigned int); static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_close - (krb5_context, - krb5_keytab); +(krb5_context, + krb5_keytab); static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_entry - (krb5_context, - krb5_keytab, - krb5_const_principal, - krb5_kvno, - krb5_enctype, - krb5_keytab_entry *); +(krb5_context, + krb5_keytab, + krb5_const_principal, + krb5_kvno, + krb5_enctype, + krb5_keytab_entry *); static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_start_seq_get - (krb5_context, - krb5_keytab, - krb5_kt_cursor *); +(krb5_context, + krb5_keytab, + krb5_kt_cursor *); static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_next - (krb5_context, - krb5_keytab, - krb5_keytab_entry *, - krb5_kt_cursor *); +(krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_kt_cursor *); static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_end_get - (krb5_context, - krb5_keytab, - krb5_kt_cursor *); +(krb5_context, + krb5_keytab, + krb5_kt_cursor *); static krb5_error_code krb5_ktsrvint_open - (krb5_context, - krb5_keytab); +(krb5_context, + krb5_keytab); static krb5_error_code krb5_ktsrvint_close - (krb5_context, - krb5_keytab); +(krb5_context, + krb5_keytab); -static krb5_error_code krb5_ktsrvint_read_entry - (krb5_context, - krb5_keytab, - krb5_keytab_entry *); +static krb5_error_code krb5_ktsrvint_read_entry +(krb5_context, + krb5_keytab, + krb5_keytab_entry *); /* - * This is an implementation specific resolver. It returns a keytab id + * This is an implementation specific resolver. It returns a keytab id * initialized with srvtab keytab routines. */ @@ -118,20 +119,20 @@ krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id) krb5_ktsrvtab_data *data; if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) - return(ENOMEM); - + return(ENOMEM); + (*id)->ops = &krb5_kts_ops; data = (krb5_ktsrvtab_data *)malloc(sizeof(krb5_ktsrvtab_data)); if (data == NULL) { - free(*id); - return(ENOMEM); + free(*id); + return(ENOMEM); } data->name = strdup(name); if (data->name == NULL) { - free(data); - free(*id); - return(ENOMEM); + free(data); + free(*id); + return(ENOMEM); } data->openf = 0; @@ -148,13 +149,13 @@ krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id) krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_close(krb5_context context, krb5_keytab id) - /* - * This routine is responsible for freeing all memory allocated - * for this keytab. There are no system resources that need - * to be freed nor are there any open files. - * - * This routine should undo anything done by krb5_ktsrvtab_resolve(). - */ +/* + * This routine is responsible for freeing all memory allocated + * for this keytab. There are no system resources that need + * to be freed nor are there any open files. + * + * This routine should undo anything done by krb5_ktsrvtab_resolve(). + */ { free(KTFILENAME(id)); free(id->data); @@ -178,7 +179,7 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip /* Open the srvtab. */ if ((kerror = krb5_ktsrvint_open(context, id))) - return(kerror); + return(kerror); /* srvtab files only have DES_CBC_CRC keys. */ switch (enctype) { @@ -187,50 +188,50 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_RAW: case IGNORE_ENCTYPE: - break; + break; default: - return KRB5_KT_NOTFOUND; + return KRB5_KT_NOTFOUND; } best_entry.principal = 0; best_entry.vno = 0; best_entry.key.contents = 0; while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) { - ent.key.enctype = enctype; - if (krb5_principal_compare(context, principal, ent.principal)) { - if (kvno == IGNORE_VNO) { - if (!best_entry.principal || (best_entry.vno < ent.vno)) { - krb5_kt_free_entry(context, &best_entry); - best_entry = ent; - } - } else { - if (ent.vno == kvno) { - best_entry = ent; - break; - } else { - found_wrong_kvno = 1; - } - } - } else { - krb5_kt_free_entry(context, &ent); - } + ent.key.enctype = enctype; + if (krb5_principal_compare(context, principal, ent.principal)) { + if (kvno == IGNORE_VNO) { + if (!best_entry.principal || (best_entry.vno < ent.vno)) { + krb5_kt_free_entry(context, &best_entry); + best_entry = ent; + } + } else { + if (ent.vno == kvno) { + best_entry = ent; + break; + } else { + found_wrong_kvno = 1; + } + } + } else { + krb5_kt_free_entry(context, &ent); + } } if (kerror == KRB5_KT_END) { - if (best_entry.principal) - kerror = 0; - else if (found_wrong_kvno) - kerror = KRB5_KT_KVNONOTFOUND; - else - kerror = KRB5_KT_NOTFOUND; + if (best_entry.principal) + kerror = 0; + else if (found_wrong_kvno) + kerror = KRB5_KT_KVNONOTFOUND; + else + kerror = KRB5_KT_NOTFOUND; } if (kerror) { - (void) krb5_ktsrvint_close(context, id); - krb5_kt_free_entry(context, &best_entry); - return kerror; + (void) krb5_ktsrvint_close(context, id); + krb5_kt_free_entry(context, &best_entry); + return kerror; } if ((kerror = krb5_ktsrvint_close(context, id)) != 0) { - krb5_kt_free_entry(context, &best_entry); - return kerror; + krb5_kt_free_entry(context, &best_entry); + return kerror; } *entry = best_entry; return 0; @@ -242,18 +243,18 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len) - /* - * This routine returns the name of the name of the file associated with - * this srvtab-based keytab. The name is prefixed with PREFIX:, so that - * trt will happen if the name is passed back to resolve. - */ +/* + * This routine returns the name of the name of the file associated with + * this srvtab-based keytab. The name is prefixed with PREFIX:, so that + * trt will happen if the name is passed back to resolve. + */ { int result; memset(name, 0, len); result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id)); if (SNPRINTF_OVERFLOW(result, len)) - return(KRB5_KT_NAME_TOOLONG); + return(KRB5_KT_NAME_TOOLONG); return(0); } @@ -268,11 +269,11 @@ krb5_ktsrvtab_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor long *fileoff; if ((retval = krb5_ktsrvint_open(context, id))) - return retval; + return retval; if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { - krb5_ktsrvint_close(context, id); - return ENOMEM; + krb5_ktsrvint_close(context, id); + return ENOMEM; } *fileoff = ftell(KTFILEP(id)); *cursorp = (krb5_kt_cursor)fileoff; @@ -292,9 +293,9 @@ krb5_ktsrvtab_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry * krb5_error_code kerror; if (fseek(KTFILEP(id), *fileoff, 0) == -1) - return KRB5_KT_END; + return KRB5_KT_END; if ((kerror = krb5_ktsrvint_read_entry(context, id, &cur_entry))) - return kerror; + return kerror; *fileoff = ftell(KTFILEP(id)); *entry = cur_entry; return 0; @@ -317,9 +318,9 @@ krb5_ktsrvtab_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *curs const struct _krb5_kt_ops krb5_kts_ops = { 0, - "SRVTAB", /* Prefix -- this string should not appear anywhere else! */ + "SRVTAB", /* Prefix -- this string should not appear anywhere else! */ krb5_ktsrvtab_resolve, - krb5_ktsrvtab_get_name, + krb5_ktsrvtab_get_name, krb5_ktsrvtab_close, krb5_ktsrvtab_get_entry, krb5_ktsrvtab_start_seq_get, @@ -344,7 +345,7 @@ const struct _krb5_kt_ops krb5_kts_ops = { * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -358,7 +359,7 @@ const struct _krb5_kt_ops krb5_kts_ops = { * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * This function contains utilities for the srvtab based implementation * of the keytab. There are no public functions in this file. @@ -367,17 +368,17 @@ const struct _krb5_kt_ops krb5_kts_ops = { #include #ifdef ANSI_STDIO -#define READ_MODE "rb" +#define READ_MODE "rb" #else -#define READ_MODE "r" +#define READ_MODE "r" #endif /* The maximum sizes for V4 aname, realm, sname, and instance +1 */ /* Taken from krb.h */ -#define ANAME_SZ 40 -#define REALM_SZ 40 -#define SNAME_SZ 40 -#define INST_SZ 40 +#define ANAME_SZ 40 +#define REALM_SZ 40 +#define SNAME_SZ 40 +#define INST_SZ 40 static krb5_error_code read_field(FILE *fp, char *s, int len) @@ -385,11 +386,11 @@ read_field(FILE *fp, char *s, int len) int c; while ((c = getc(fp)) != 0) { - if (c == EOF || len <= 1) - return KRB5_KT_END; - *s = c; - s++; - len--; + if (c == EOF || len <= 1) + return KRB5_KT_END; + *s = c; + s++; + len--; } *s = 0; return 0; @@ -400,7 +401,7 @@ krb5_ktsrvint_open(krb5_context context, krb5_keytab id) { KTFILEP(id) = fopen(KTFILENAME(id), READ_MODE); if (!KTFILEP(id)) - return errno; + return errno; set_cloexec_file(KTFILEP(id)); return 0; } @@ -409,7 +410,7 @@ krb5_error_code krb5_ktsrvint_close(krb5_context context, krb5_keytab id) { if (!KTFILEP(id)) - return 0; + return 0; (void) fclose(KTFILEP(id)); KTFILEP(id) = 0; return 0; @@ -428,18 +429,18 @@ krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry fp = KTFILEP(id); kerror = read_field(fp, name, sizeof(name)); if (kerror != 0) - return kerror; + return kerror; kerror = read_field(fp, instance, sizeof(instance)); if (kerror != 0) - return kerror; + return kerror; kerror = read_field(fp, realm, sizeof(realm)); if (kerror != 0) - return kerror; + return kerror; vno = getc(fp); if (vno == EOF) - return KRB5_KT_END; + return KRB5_KT_END; if (fread(key, 1, sizeof(key), fp) != sizeof(key)) - return KRB5_KT_END; + return KRB5_KT_END; /* Fill in ret_entry with the data we read. Everything maps well * except for the timestamp, which we don't have a value for. For @@ -447,9 +448,9 @@ krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry memset(ret_entry, 0, sizeof(*ret_entry)); ret_entry->magic = KV5M_KEYTAB_ENTRY; kerror = krb5_425_conv_principal(context, name, instance, realm, - &ret_entry->principal); + &ret_entry->principal); if (kerror != 0) - return kerror; + return kerror; ret_entry->vno = vno; ret_entry->timestamp = 0; ret_entry->key.enctype = ENCTYPE_DES_CBC_CRC; @@ -457,12 +458,11 @@ krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry ret_entry->key.length = sizeof(key); ret_entry->key.contents = malloc(sizeof(key)); if (!ret_entry->key.contents) { - krb5_free_principal(context, ret_entry->principal); - return ENOMEM; + krb5_free_principal(context, ret_entry->principal); + return ENOMEM; } memcpy(ret_entry->key.contents, key, sizeof(key)); return 0; } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/ktadd.c b/src/lib/krb5/keytab/ktadd.c index 360dd64cd..10bb24649 100644 --- a/src/lib/krb5/keytab/ktadd.c +++ b/src/lib/krb5/keytab/ktadd.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/ktadd.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_kt_add_entry() */ @@ -35,9 +36,8 @@ krb5_error_code KRB5_CALLCONV krb5_kt_add_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { if (id->ops->add) - return (*id->ops->add)(context, id, entry); + return (*id->ops->add)(context, id, entry); else - return KRB5_KT_NOWRITE; + return KRB5_KT_NOWRITE; } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c index b99bee403..b88380e27 100644 --- a/src/lib/krb5/keytab/ktbase.c +++ b/src/lib/krb5/keytab/ktbase.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/ktbase.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Copyright 2007 by Secure Endpoints Inc. * @@ -91,12 +92,12 @@ int krb5int_kt_initialize(void) err = k5_mutex_finish_init(&kt_typehead_lock); if (err) - goto done; + goto done; err = krb5int_mkt_initialize(); if (err) - goto done; + goto done; - done: +done: return(err); } @@ -107,8 +108,8 @@ krb5int_kt_finalize(void) k5_mutex_destroy(&kt_typehead_lock); for (t = kt_typehead; t != &krb5_kt_typelist_file; t = t_next) { - t_next = t->next; - free((struct krb5_kt_typelist *)t); + t_next = t->next; + free((struct krb5_kt_typelist *)t); } krb5int_mkt_finalize(); @@ -129,16 +130,16 @@ krb5_kt_register(krb5_context context, const krb5_kt_ops *ops) err = k5_mutex_lock(&kt_typehead_lock); if (err) - return err; + return err; for (t = kt_typehead; t && strcmp(t->ops->prefix,ops->prefix);t = t->next) - ; + ; if (t) { - k5_mutex_unlock(&kt_typehead_lock); - return KRB5_KT_TYPE_EXISTS; + k5_mutex_unlock(&kt_typehead_lock); + return KRB5_KT_TYPE_EXISTS; } if (!(newt = (struct krb5_kt_typelist *) malloc(sizeof(*t)))) { - k5_mutex_unlock(&kt_typehead_lock); - return ENOMEM; + k5_mutex_unlock(&kt_typehead_lock); + return ENOMEM; } newt->next = kt_typehead; newt->ops = ops; @@ -172,7 +173,7 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid) cp = strchr (name, ':'); if (!cp) - return (*krb5_kt_dfl_ops.resolve)(context, name, ktid); + return (*krb5_kt_dfl_ops.resolve)(context, name, ktid); pfxlen = cp - name; @@ -184,13 +185,13 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid) resid = name; } else if (name[0] == '/') { - pfx = strdup("FILE"); - if (!pfx) - return ENOMEM; - resid = name; + pfx = strdup("FILE"); + if (!pfx) + return ENOMEM; + resid = name; } else { resid = name + pfxlen + 1; - + pfx = malloc (pfxlen+1); if (!pfx) return ENOMEM; @@ -203,19 +204,19 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid) err = k5_mutex_lock(&kt_typehead_lock); if (err) - goto cleanup; + goto cleanup; tlist = kt_typehead; /* Don't need to hold the lock, since entries are never modified or removed once they're in the list. Just need to protect access to the list head variable itself. */ k5_mutex_unlock(&kt_typehead_lock); for (; tlist; tlist = tlist->next) { - if (strcmp (tlist->ops->prefix, pfx) == 0) { - err = (*tlist->ops->resolve)(context, resid, &id); - if (!err) - *ktid = id; - goto cleanup; - } + if (strcmp (tlist->ops->prefix, pfx) == 0) { + err = (*tlist->ops->resolve)(context, resid, &id); + if (!err) + *ktid = id; + goto cleanup; + } } err = KRB5_KT_UNKNOWN_TYPE; @@ -226,69 +227,69 @@ cleanup: /* * Routines to deal with externalizingt krb5_keytab. - * krb5_keytab_size(); - * krb5_keytab_externalize(); - * krb5_keytab_internalize(); + * krb5_keytab_size(); + * krb5_keytab_externalize(); + * krb5_keytab_internalize(); */ static krb5_error_code krb5_keytab_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_keytab_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_keytab_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Serialization entry for this type. */ static const krb5_ser_entry krb5_keytab_ser_entry = { - KV5M_KEYTAB, /* Type */ - krb5_keytab_size, /* Sizer routine */ - krb5_keytab_externalize, /* Externalize routine */ - krb5_keytab_internalize /* Internalize routine */ + KV5M_KEYTAB, /* Type */ + krb5_keytab_size, /* Sizer routine */ + krb5_keytab_externalize, /* Externalize routine */ + krb5_keytab_internalize /* Internalize routine */ }; static krb5_error_code krb5_keytab_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_keytab keytab; - krb5_ser_handle shandle; + krb5_error_code kret; + krb5_keytab keytab; + krb5_ser_handle shandle; kret = EINVAL; if ((keytab = (krb5_keytab) arg) && - keytab->ops && - (shandle = (krb5_ser_handle) keytab->ops->serializer) && - shandle->sizer) - kret = (*shandle->sizer)(kcontext, arg, sizep); + keytab->ops && + (shandle = (krb5_ser_handle) keytab->ops->serializer) && + shandle->sizer) + kret = (*shandle->sizer)(kcontext, arg, sizep); return(kret); } static krb5_error_code krb5_keytab_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_keytab keytab; - krb5_ser_handle shandle; + krb5_error_code kret; + krb5_keytab keytab; + krb5_ser_handle shandle; kret = EINVAL; if ((keytab = (krb5_keytab) arg) && - keytab->ops && - (shandle = (krb5_ser_handle) keytab->ops->serializer) && - shandle->externalizer) - kret = (*shandle->externalizer)(kcontext, arg, buffer, lenremain); + keytab->ops && + (shandle = (krb5_ser_handle) keytab->ops->serializer) && + shandle->externalizer) + kret = (*shandle->externalizer)(kcontext, arg, buffer, lenremain); return(kret); } static krb5_error_code krb5_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_ser_handle shandle; + krb5_error_code kret; + krb5_ser_handle shandle; kret = EINVAL; if ((shandle = (krb5_ser_handle) krb5_kt_dfl_ops.serializer) && - shandle->internalizer) - kret = (*shandle->internalizer)(kcontext, argp, buffer, lenremain); + shandle->internalizer) + kret = (*shandle->internalizer)(kcontext, argp, buffer, lenremain); return(kret); } @@ -298,4 +299,3 @@ krb5_ser_keytab_init(krb5_context kcontext) return(krb5_register_serializer(kcontext, &krb5_keytab_ser_entry)); } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/ktdefault.c b/src/lib/krb5/keytab/ktdefault.c index 3d7ee0946..7a4d68f1b 100644 --- a/src/lib/krb5/keytab/ktdefault.c +++ b/src/lib/krb5/keytab/ktdefault.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/ktdefault.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Get a default keytab. */ @@ -38,9 +39,8 @@ krb5_kt_default(krb5_context context, krb5_keytab *id) krb5_error_code retval; if ((retval = krb5_kt_default_name(context, defname, sizeof(defname)))) - return retval; + return retval; return krb5_kt_resolve(context, defname, id); } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/ktfns.c b/src/lib/krb5/keytab/ktfns.c index 9239f3d16..3496c0964 100644 --- a/src/lib/krb5/keytab/ktfns.c +++ b/src/lib/krb5/keytab/ktfns.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/ktfns.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -28,7 +29,7 @@ * Dispatch methods for keytab code. */ -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT #include "k5-int.h" @@ -40,7 +41,7 @@ krb5_kt_get_type (krb5_context context, krb5_keytab keytab) krb5_error_code KRB5_CALLCONV krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, - unsigned int namelen) + unsigned int namelen) { return krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen)); } @@ -53,48 +54,47 @@ krb5_kt_close(krb5_context context, krb5_keytab keytab) krb5_error_code KRB5_CALLCONV krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, - krb5_const_principal principal, krb5_kvno vno, - krb5_enctype enctype, krb5_keytab_entry *entry) + krb5_const_principal principal, krb5_kvno vno, + krb5_enctype enctype, krb5_keytab_entry *entry) { krb5_error_code err; krb5_principal_data princ_data; if (krb5_is_referral_realm(&principal->realm)) { - char *realm; - princ_data = *principal; - principal = &princ_data; - err = krb5_get_default_realm(context, &realm); - if (err) - return err; - princ_data.realm.data = realm; - princ_data.realm.length = strlen(realm); + char *realm; + princ_data = *principal; + principal = &princ_data; + err = krb5_get_default_realm(context, &realm); + if (err) + return err; + princ_data.realm.data = realm; + princ_data.realm.length = strlen(realm); } err = krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype, - entry)); + entry)); if (principal == &princ_data) - krb5_free_default_realm(context, princ_data.realm.data); + krb5_free_default_realm(context, princ_data.realm.data); return err; } krb5_error_code KRB5_CALLCONV krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, - krb5_kt_cursor *cursor) + krb5_kt_cursor *cursor) { return krb5_x((keytab)->ops->start_seq_get,(context, keytab, cursor)); } krb5_error_code KRB5_CALLCONV krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, - krb5_keytab_entry *entry, krb5_kt_cursor *cursor) + krb5_keytab_entry *entry, krb5_kt_cursor *cursor) { return krb5_x((keytab)->ops->get_next,(context, keytab, entry, cursor)); } krb5_error_code KRB5_CALLCONV krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, - krb5_kt_cursor *cursor) + krb5_kt_cursor *cursor) { return krb5_x((keytab)->ops->end_get,(context, keytab, cursor)); } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/ktfr_entry.c b/src/lib/krb5/keytab/ktfr_entry.c index 9587efc63..8fdbda2fc 100644 --- a/src/lib/krb5/keytab/ktfr_entry.c +++ b/src/lib/krb5/keytab/ktfr_entry.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/ktfr_entry.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,11 +23,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_kt_free_entry() */ -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT #include "k5-int.h" @@ -34,12 +35,12 @@ krb5_error_code KRB5_CALLCONV krb5_free_keytab_entry_contents (krb5_context context, krb5_keytab_entry *entry) { if (!entry) - return 0; - + return 0; + krb5_free_principal(context, entry->principal); if (entry->key.contents) { - zap((char *)entry->key.contents, entry->key.length); - free(entry->key.contents); + zap((char *)entry->key.contents, entry->key.length); + free(entry->key.contents); } return 0; } @@ -50,4 +51,3 @@ krb5_kt_free_entry (krb5_context context, krb5_keytab_entry *entry) return krb5_free_keytab_entry_contents (context, entry); } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/ktremove.c b/src/lib/krb5/keytab/ktremove.c index 4ba6063f7..1ccefd842 100644 --- a/src/lib/krb5/keytab/ktremove.c +++ b/src/lib/krb5/keytab/ktremove.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/ktremove.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,11 +23,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_kt_remove_entry() */ -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT #include "k5-int.h" @@ -34,9 +35,8 @@ krb5_error_code KRB5_CALLCONV krb5_kt_remove_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { if (id->ops->remove) - return (*id->ops->remove)(context, id, entry); + return (*id->ops->remove)(context, id, entry); else - return KRB5_KT_NOWRITE; + return KRB5_KT_NOWRITE; } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/read_servi.c b/src/lib/krb5/keytab/read_servi.c index 6638a5a92..0172edbb0 100644 --- a/src/lib/krb5/keytab/read_servi.c +++ b/src/lib/krb5/keytab/read_servi.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/read_servi.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,25 +23,25 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * * - * This routine is designed to be passed to krb5_rd_req. + * + * This routine is designed to be passed to krb5_rd_req. * It is a convenience function that reads a key out of a keytab. - * It handles all of the opening and closing of the keytab - * internally. + * It handles all of the opening and closing of the keytab + * internally. */ -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT #include "k5-int.h" #define KSUCCESS 0 /* - * effects: If keyprocarg is not NULL, it is taken to be the name of a - * keytab. Otherwise, the default keytab will be used. This - * routine opens the keytab and finds the principal associated with - * principal, vno, and enctype and returns the resulting key in *key - * or returning an error code if it is not found. + * effects: If keyprocarg is not NULL, it is taken to be the name of a + * keytab. Otherwise, the default keytab will be used. This + * routine opens the keytab and finds the principal associated with + * principal, vno, and enctype and returns the resulting key in *key + * or returning an error code if it is not found. * returns: Either KSUCCESS or error code. * errors: error code if not found or keyprocarg is invalid. */ @@ -51,28 +52,28 @@ krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_pri char keytabname[MAX_KEYTAB_NAME_LEN + 1]; /* + 1 for NULL termination */ krb5_keytab id; krb5_keytab_entry entry; - + /* - * Get the name of the file that we should use. + * Get the name of the file that we should use. */ if (!keyprocarg) { - if ((kerror = krb5_kt_default_name(context, (char *)keytabname, - sizeof(keytabname) - 1))!= KSUCCESS) - return (kerror); + if ((kerror = krb5_kt_default_name(context, (char *)keytabname, + sizeof(keytabname) - 1))!= KSUCCESS) + return (kerror); } else { - memset(keytabname, 0, sizeof(keytabname)); - (void) strncpy(keytabname, (char *)keyprocarg, - sizeof(keytabname) - 1); + memset(keytabname, 0, sizeof(keytabname)); + (void) strncpy(keytabname, (char *)keyprocarg, + sizeof(keytabname) - 1); } if ((kerror = krb5_kt_resolve(context, (char *)keytabname, &id))) - return (kerror); + return (kerror); kerror = krb5_kt_get_entry(context, id, principal, vno, enctype, &entry); krb5_kt_close(context, id); if (kerror) - return(kerror); + return(kerror); krb5_copy_keyblock(context, &entry.key, key); @@ -81,4 +82,3 @@ krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_pri return (KSUCCESS); } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c index d23502226..607ce9ffb 100644 --- a/src/lib/krb5/keytab/t_keytab.c +++ b/src/lib/krb5/keytab/t_keytab.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/t_keytab.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +23,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * A set of tests for the keytab interface */ @@ -45,410 +46,410 @@ extern const krb5_kt_ops krb5_ktf_writable_ops; #define KRB5_OK 0 -#define CHECK(kret,msg) \ - if (kret != KRB5_OK) {\ - com_err(msg, kret, ""); \ - fflush(stderr);\ - exit(1);\ - } else if(debug) printf("%s went ok\n", msg); +#define CHECK(kret,msg) \ + if (kret != KRB5_OK) { \ + com_err(msg, kret, ""); \ + fflush(stderr); \ + exit(1); \ + } else if(debug) printf("%s went ok\n", msg); -#define CHECK_STR(str,msg) \ - if (str == 0) {\ - com_err(msg, kret, "");\ - exit(1);\ - } else if(debug) printf("%s went ok\n", msg); +#define CHECK_STR(str,msg) \ + if (str == 0) { \ + com_err(msg, kret, ""); \ + exit(1); \ + } else if(debug) printf("%s went ok\n", msg); static void test_misc(krb5_context context) { - /* Tests for certain error returns */ - krb5_error_code kret; - krb5_keytab ktid; - char defname[BUFSIZ]; - char *name; - - fprintf(stderr, "Testing miscellaneous error conditions\n"); - - kret = krb5_kt_resolve(context, "unknown_method_ep:/tmp/name", &ktid); - if (kret != KRB5_KT_UNKNOWN_TYPE) { - CHECK(kret, "resolve unknown type"); - } - - /* Test length limits on krb5_kt_default_name */ - kret = krb5_kt_default_name(context, defname, sizeof(defname)); - CHECK(kret, "krb5_kt_default_name error"); - - /* Now allocate space - without the null... */ - name = malloc(strlen(defname)); - if(!name) { - fprintf(stderr, "Out of memory in testing\n"); - exit(1); - } - kret = krb5_kt_default_name(context, name, strlen(defname)); - free(name); - if (kret != KRB5_CONFIG_NOTENUFSPACE) { - CHECK(kret, "krb5_kt_default_name limited"); - } + /* Tests for certain error returns */ + krb5_error_code kret; + krb5_keytab ktid; + char defname[BUFSIZ]; + char *name; + + fprintf(stderr, "Testing miscellaneous error conditions\n"); + + kret = krb5_kt_resolve(context, "unknown_method_ep:/tmp/name", &ktid); + if (kret != KRB5_KT_UNKNOWN_TYPE) { + CHECK(kret, "resolve unknown type"); + } + + /* Test length limits on krb5_kt_default_name */ + kret = krb5_kt_default_name(context, defname, sizeof(defname)); + CHECK(kret, "krb5_kt_default_name error"); + + /* Now allocate space - without the null... */ + name = malloc(strlen(defname)); + if(!name) { + fprintf(stderr, "Out of memory in testing\n"); + exit(1); + } + kret = krb5_kt_default_name(context, name, strlen(defname)); + free(name); + if (kret != KRB5_CONFIG_NOTENUFSPACE) { + CHECK(kret, "krb5_kt_default_name limited"); + } } static void kt_test(krb5_context context, const char *name) { - krb5_error_code kret; - krb5_keytab kt; - const char *type; - char buf[BUFSIZ]; - char *p; - krb5_keytab_entry kent, kent2; - krb5_principal princ; - krb5_kt_cursor cursor, cursor2; - int cnt; - - kret = krb5_kt_resolve(context, name, &kt); - CHECK(kret, "resolve"); - - type = krb5_kt_get_type(context, kt); - CHECK_STR(type, "getting kt type"); - printf(" Type is: %s\n", type); - - kret = krb5_kt_get_name(context, kt, buf, sizeof(buf)); - CHECK(kret, "get_name"); - printf(" Name is: %s\n", buf); - - /* Check that length checks fail */ - /* The buffer is allocated too small - to allow for valgrind test of - overflows + krb5_error_code kret; + krb5_keytab kt; + const char *type; + char buf[BUFSIZ]; + char *p; + krb5_keytab_entry kent, kent2; + krb5_principal princ; + krb5_kt_cursor cursor, cursor2; + int cnt; + + kret = krb5_kt_resolve(context, name, &kt); + CHECK(kret, "resolve"); + + type = krb5_kt_get_type(context, kt); + CHECK_STR(type, "getting kt type"); + printf(" Type is: %s\n", type); + + kret = krb5_kt_get_name(context, kt, buf, sizeof(buf)); + CHECK(kret, "get_name"); + printf(" Name is: %s\n", buf); + + /* Check that length checks fail */ + /* The buffer is allocated too small - to allow for valgrind test of + overflows + */ + p = malloc(strlen(buf)); + kret = krb5_kt_get_name(context, kt, p, 1); + if(kret != KRB5_KT_NAME_TOOLONG) { + CHECK(kret, "get_name - size 1"); + } + + + kret = krb5_kt_get_name(context, kt, p, strlen(buf)); + if(kret != KRB5_KT_NAME_TOOLONG) { + CHECK(kret, "get_name"); + } + free(p); + + /* Try to lookup unknown principal - when keytab does not exist*/ + kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); + CHECK(kret, "parsing principal"); + + + kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); + if((kret != KRB5_KT_NOTFOUND) && (kret != ENOENT)) { + CHECK(kret, "Getting non-existant entry"); + } + + + /* =================== Add entries to keytab ================= */ + /* + * Add the following for this principal + * enctype 1, kvno 1, key = "1" + * enctype 2, kvno 1, key = "1" + * enctype 1, kvno 2, key = "2" */ - p = malloc(strlen(buf)); - kret = krb5_kt_get_name(context, kt, p, 1); - if(kret != KRB5_KT_NAME_TOOLONG) { - CHECK(kret, "get_name - size 1"); - } - - - kret = krb5_kt_get_name(context, kt, p, strlen(buf)); - if(kret != KRB5_KT_NAME_TOOLONG) { - CHECK(kret, "get_name"); - } - free(p); - - /* Try to lookup unknown principal - when keytab does not exist*/ - kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); - CHECK(kret, "parsing principal"); - - - kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); - if((kret != KRB5_KT_NOTFOUND) && (kret != ENOENT)) { - CHECK(kret, "Getting non-existant entry"); - } - - - /* =================== Add entries to keytab ================= */ - /* - * Add the following for this principal - * enctype 1, kvno 1, key = "1" - * enctype 2, kvno 1, key = "1" - * enctype 1, kvno 2, key = "2" - */ - memset(&kent, 0, sizeof(kent)); - kent.magic = KV5M_KEYTAB_ENTRY; - kent.principal = princ; - kent.timestamp = 327689; - kent.vno = 1; - kent.key.magic = KV5M_KEYBLOCK; - kent.key.enctype = 1; - kent.key.length = 1; - kent.key.contents = (krb5_octet *) "1"; - - - kret = krb5_kt_add_entry(context, kt, &kent); - CHECK(kret, "Adding initial entry"); - - kent.key.enctype = 2; - kret = krb5_kt_add_entry(context, kt, &kent); - CHECK(kret, "Adding second entry"); - - kent.key.enctype = 1; - kent.vno = 2; - kent.key.contents = (krb5_octet *) "2"; - kret = krb5_kt_add_entry(context, kt, &kent); - CHECK(kret, "Adding third entry"); - - /* Free memory */ - krb5_free_principal(context, princ); - - /* ============== Test iterating over contents of keytab ========= */ - - kret = krb5_kt_start_seq_get(context, kt, &cursor); - CHECK(kret, "Start sequence get"); - - - memset(&kent, 0, sizeof(kent)); - cnt = 0; - while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) { - if(((kent.vno != 1) && (kent.vno != 2)) || - ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Error in read contents\n"); - exit(1); - } + memset(&kent, 0, sizeof(kent)); + kent.magic = KV5M_KEYTAB_ENTRY; + kent.principal = princ; + kent.timestamp = 327689; + kent.vno = 1; + kent.key.magic = KV5M_KEYBLOCK; + kent.key.enctype = 1; + kent.key.length = 1; + kent.key.contents = (krb5_octet *) "1"; + + + kret = krb5_kt_add_entry(context, kt, &kent); + CHECK(kret, "Adding initial entry"); + + kent.key.enctype = 2; + kret = krb5_kt_add_entry(context, kt, &kent); + CHECK(kret, "Adding second entry"); + + kent.key.enctype = 1; + kent.vno = 2; + kent.key.contents = (krb5_octet *) "2"; + kret = krb5_kt_add_entry(context, kt, &kent); + CHECK(kret, "Adding third entry"); + + /* Free memory */ + krb5_free_principal(context, princ); + + /* ============== Test iterating over contents of keytab ========= */ + + kret = krb5_kt_start_seq_get(context, kt, &cursor); + CHECK(kret, "Start sequence get"); + + + memset(&kent, 0, sizeof(kent)); + cnt = 0; + while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) { + if(((kent.vno != 1) && (kent.vno != 2)) || + ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || + (kent.key.length != 1) || + (kent.key.contents[0] != kent.vno +'0')) { + fprintf(stderr, "Error in read contents\n"); + exit(1); + } + + if((kent.magic != KV5M_KEYTAB_ENTRY) || + (kent.key.magic != KV5M_KEYBLOCK)) { + fprintf(stderr, "Magic number in sequence not proper\n"); + exit(1); + } + + cnt++; + krb5_free_keytab_entry_contents(context, &kent); + } + if (kret != KRB5_KT_END) { + CHECK(kret, "getting next entry"); + } + + if(cnt != 3) { + fprintf(stderr, "Mismatch in number of entries in keytab"); + } + + kret = krb5_kt_end_seq_get(context, kt, &cursor); + CHECK(kret, "End sequence get"); + + + /* ========================== get_entry tests ============== */ + + /* Try to lookup unknown principal - now that keytab exists*/ + kret = krb5_parse_name(context, "test3/test2@TEST.MIT.EDU", &princ); + CHECK(kret, "parsing principal"); + + + kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); + if((kret != KRB5_KT_NOTFOUND)) { + CHECK(kret, "Getting non-existant entry"); + } + + krb5_free_principal(context, princ); + + /* Try to lookup known principal */ + kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); + CHECK(kret, "parsing principal"); + + kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); + CHECK(kret, "looking up principal"); + + /* Ensure a valid answer - we did not specify an enctype or kvno */ + if (!krb5_principal_compare(context, princ, kent.principal) || + ((kent.vno != 1) && (kent.vno != 2)) || + ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || + (kent.key.length != 1) || + (kent.key.contents[0] != kent.vno +'0')) { + fprintf(stderr, "Retrieved principal does not check\n"); + exit(1); + } + + krb5_free_keytab_entry_contents(context, &kent); + + /* Try to lookup a specific enctype - but unspecified kvno - should give + * max kvno + */ + kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); + CHECK(kret, "looking up principal"); + + /* Ensure a valid answer - we did specified an enctype */ + if (!krb5_principal_compare(context, princ, kent.principal) || + (kent.vno != 2) || (kent.key.enctype != 1) || + (kent.key.length != 1) || + (kent.key.contents[0] != kent.vno +'0')) { + fprintf(stderr, "Retrieved principal does not check\n"); + + exit(1); + + } + + krb5_free_keytab_entry_contents(context, &kent); + + /* Try to lookup unspecified enctype, but a specified kvno */ + + kret = krb5_kt_get_entry(context, kt, princ, 2, 0, &kent); + CHECK(kret, "looking up principal"); + + /* Ensure a valid answer - we did not specify a kvno */ + if (!krb5_principal_compare(context, princ, kent.principal) || + (kent.vno != 2) || (kent.key.enctype != 1) || + (kent.key.length != 1) || + (kent.key.contents[0] != kent.vno +'0')) { + fprintf(stderr, "Retrieved principal does not check\n"); + + exit(1); + + } - if((kent.magic != KV5M_KEYTAB_ENTRY) || - (kent.key.magic != KV5M_KEYBLOCK)) { - fprintf(stderr, "Magic number in sequence not proper\n"); - exit(1); - } + krb5_free_keytab_entry_contents(context, &kent); - cnt++; - krb5_free_keytab_entry_contents(context, &kent); - } - if (kret != KRB5_KT_END) { - CHECK(kret, "getting next entry"); - } - if(cnt != 3) { - fprintf(stderr, "Mismatch in number of entries in keytab"); - } - kret = krb5_kt_end_seq_get(context, kt, &cursor); - CHECK(kret, "End sequence get"); + /* Try to lookup specified enctype and kvno */ + kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent); + CHECK(kret, "looking up principal"); - /* ========================== get_entry tests ============== */ - - /* Try to lookup unknown principal - now that keytab exists*/ - kret = krb5_parse_name(context, "test3/test2@TEST.MIT.EDU", &princ); - CHECK(kret, "parsing principal"); - - - kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); - if((kret != KRB5_KT_NOTFOUND)) { - CHECK(kret, "Getting non-existant entry"); - } - - krb5_free_principal(context, princ); - - /* Try to lookup known principal */ - kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); - CHECK(kret, "parsing principal"); - - kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); - CHECK(kret, "looking up principal"); - - /* Ensure a valid answer - we did not specify an enctype or kvno */ - if (!krb5_principal_compare(context, princ, kent.principal) || - ((kent.vno != 1) && (kent.vno != 2)) || - ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); - exit(1); - } - - krb5_free_keytab_entry_contents(context, &kent); - - /* Try to lookup a specific enctype - but unspecified kvno - should give - * max kvno - */ - kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); - CHECK(kret, "looking up principal"); - - /* Ensure a valid answer - we did specified an enctype */ - if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 2) || (kent.key.enctype != 1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); - - exit(1); - - } - - krb5_free_keytab_entry_contents(context, &kent); - - /* Try to lookup unspecified enctype, but a specified kvno */ - - kret = krb5_kt_get_entry(context, kt, princ, 2, 0, &kent); - CHECK(kret, "looking up principal"); - - /* Ensure a valid answer - we did not specify a kvno */ - if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 2) || (kent.key.enctype != 1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); - - exit(1); - - } - - krb5_free_keytab_entry_contents(context, &kent); - - - - /* Try to lookup specified enctype and kvno */ - - kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent); - CHECK(kret, "looking up principal"); - - if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 1) || (kent.key.enctype != 1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); + if (!krb5_principal_compare(context, princ, kent.principal) || + (kent.vno != 1) || (kent.key.enctype != 1) || + (kent.key.length != 1) || + (kent.key.contents[0] != kent.vno +'0')) { + fprintf(stderr, "Retrieved principal does not check\n"); - exit(1); + exit(1); - } + } - krb5_free_keytab_entry_contents(context, &kent); + krb5_free_keytab_entry_contents(context, &kent); - /* Try lookup with active iterators. */ - kret = krb5_kt_start_seq_get(context, kt, &cursor); - CHECK(kret, "Start sequence get(2)"); - kret = krb5_kt_start_seq_get(context, kt, &cursor2); - CHECK(kret, "Start sequence get(3)"); - kret = krb5_kt_next_entry(context, kt, &kent, &cursor); - CHECK(kret, "getting next entry(2)"); - krb5_free_keytab_entry_contents(context, &kent); - kret = krb5_kt_next_entry(context, kt, &kent, &cursor); - CHECK(kret, "getting next entry(3)"); - kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); - CHECK(kret, "getting next entry(4)"); - krb5_free_keytab_entry_contents(context, &kent2); - kret = krb5_kt_get_entry(context, kt, kent.principal, 0, 0, &kent2); - CHECK(kret, "looking up principal(2)"); - krb5_free_keytab_entry_contents(context, &kent2); - kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); - CHECK(kret, "getting next entry(5)"); - if (!krb5_principal_compare(context, kent.principal, kent2.principal)) { - fprintf(stderr, "iterators not in sync\n"); - exit(1); - } - krb5_free_keytab_entry_contents(context, &kent); - krb5_free_keytab_entry_contents(context, &kent2); - kret = krb5_kt_next_entry(context, kt, &kent, &cursor); - CHECK(kret, "getting next entry(6)"); - kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); - CHECK(kret, "getting next entry(7)"); - krb5_free_keytab_entry_contents(context, &kent); - krb5_free_keytab_entry_contents(context, &kent2); - kret = krb5_kt_end_seq_get(context, kt, &cursor); - CHECK(kret, "ending sequence get(1)"); - kret = krb5_kt_end_seq_get(context, kt, &cursor2); - CHECK(kret, "ending sequence get(2)"); + /* Try lookup with active iterators. */ + kret = krb5_kt_start_seq_get(context, kt, &cursor); + CHECK(kret, "Start sequence get(2)"); + kret = krb5_kt_start_seq_get(context, kt, &cursor2); + CHECK(kret, "Start sequence get(3)"); + kret = krb5_kt_next_entry(context, kt, &kent, &cursor); + CHECK(kret, "getting next entry(2)"); + krb5_free_keytab_entry_contents(context, &kent); + kret = krb5_kt_next_entry(context, kt, &kent, &cursor); + CHECK(kret, "getting next entry(3)"); + kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); + CHECK(kret, "getting next entry(4)"); + krb5_free_keytab_entry_contents(context, &kent2); + kret = krb5_kt_get_entry(context, kt, kent.principal, 0, 0, &kent2); + CHECK(kret, "looking up principal(2)"); + krb5_free_keytab_entry_contents(context, &kent2); + kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); + CHECK(kret, "getting next entry(5)"); + if (!krb5_principal_compare(context, kent.principal, kent2.principal)) { + fprintf(stderr, "iterators not in sync\n"); + exit(1); + } + krb5_free_keytab_entry_contents(context, &kent); + krb5_free_keytab_entry_contents(context, &kent2); + kret = krb5_kt_next_entry(context, kt, &kent, &cursor); + CHECK(kret, "getting next entry(6)"); + kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); + CHECK(kret, "getting next entry(7)"); + krb5_free_keytab_entry_contents(context, &kent); + krb5_free_keytab_entry_contents(context, &kent2); + kret = krb5_kt_end_seq_get(context, kt, &cursor); + CHECK(kret, "ending sequence get(1)"); + kret = krb5_kt_end_seq_get(context, kt, &cursor2); + CHECK(kret, "ending sequence get(2)"); - /* Try to lookup specified enctype and kvno - that does not exist*/ + /* Try to lookup specified enctype and kvno - that does not exist*/ - kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent); - if(kret != KRB5_KT_KVNONOTFOUND) { - CHECK(kret, "looking up specific principal, kvno, enctype"); - } + kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent); + if(kret != KRB5_KT_KVNONOTFOUND) { + CHECK(kret, "looking up specific principal, kvno, enctype"); + } - krb5_free_principal(context, princ); + krb5_free_principal(context, princ); - /* ========================= krb5_kt_remove_entry =========== */ - /* Lookup the keytab entry w/ 2 kvno - and delete version 2 - - ensure gone */ - kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); - CHECK(kret, "parsing principal"); + /* ========================= krb5_kt_remove_entry =========== */ + /* Lookup the keytab entry w/ 2 kvno - and delete version 2 - + ensure gone */ + kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); + CHECK(kret, "parsing principal"); - kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); - CHECK(kret, "looking up principal"); + kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); + CHECK(kret, "looking up principal"); - /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */ - if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 2) || (kent.key.enctype != 1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); + /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */ + if (!krb5_principal_compare(context, princ, kent.principal) || + (kent.vno != 2) || (kent.key.enctype != 1) || + (kent.key.length != 1) || + (kent.key.contents[0] != kent.vno +'0')) { + fprintf(stderr, "Retrieved principal does not check\n"); - exit(1); + exit(1); - } + } - /* Delete it */ - kret = krb5_kt_remove_entry(context, kt, &kent); - CHECK(kret, "Removing entry"); + /* Delete it */ + kret = krb5_kt_remove_entry(context, kt, &kent); + CHECK(kret, "Removing entry"); - krb5_free_keytab_entry_contents(context, &kent); - /* And ensure gone */ + krb5_free_keytab_entry_contents(context, &kent); + /* And ensure gone */ - kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); - CHECK(kret, "looking up principal"); + kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); + CHECK(kret, "looking up principal"); - /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */ - if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 1) || (kent.key.enctype != 1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Delete principal check failed\n"); - - exit(1); - - } - krb5_free_keytab_entry_contents(context, &kent); - - krb5_free_principal(context, princ); - - /* ======================= Finally close ======================= */ - - kret = krb5_kt_close(context, kt); - CHECK(kret, "close"); + /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */ + if (!krb5_principal_compare(context, princ, kent.principal) || + (kent.vno != 1) || (kent.key.enctype != 1) || + (kent.key.length != 1) || + (kent.key.contents[0] != kent.vno +'0')) { + fprintf(stderr, "Delete principal check failed\n"); + + exit(1); + + } + krb5_free_keytab_entry_contents(context, &kent); + + krb5_free_principal(context, princ); + + /* ======================= Finally close ======================= */ + + kret = krb5_kt_close(context, kt); + CHECK(kret, "close"); } -static void do_test(krb5_context context, const char *prefix, - krb5_boolean delete) +static void do_test(krb5_context context, const char *prefix, + krb5_boolean delete) { - char *name, *filename; - - if (asprintf(&filename, "/tmp/kttest.%ld", (long) getpid()) < 0) { - perror("asprintf"); - exit(1); - } - if (asprintf(&name, "%s%s", prefix, filename) < 0) { - perror("asprintf"); - exit(1); - } - printf("Starting test on %s\n", name); - kt_test(context, name); - printf("Test on %s passed\n", name); - if(delete) - unlink(filename); - free(filename); - free(name); + char *name, *filename; + + if (asprintf(&filename, "/tmp/kttest.%ld", (long) getpid()) < 0) { + perror("asprintf"); + exit(1); + } + if (asprintf(&name, "%s%s", prefix, filename) < 0) { + perror("asprintf"); + exit(1); + } + printf("Starting test on %s\n", name); + kt_test(context, name); + printf("Test on %s passed\n", name); + if(delete) + unlink(filename); + free(filename); + free(name); } -int +int main (void) { - krb5_context context; - krb5_error_code kret; + krb5_context context; + krb5_error_code kret; - if ((kret = krb5_init_context(&context))) { - printf("Couldn't initialize krb5 library: %s\n", - error_message(kret)); - exit(1); - } + if ((kret = krb5_init_context(&context))) { + printf("Couldn't initialize krb5 library: %s\n", + error_message(kret)); + exit(1); + } - /* All keytab types are registered by default -- test for - redundant error */ - kret = krb5_kt_register(context, &krb5_ktf_writable_ops); - if(kret && kret != KRB5_KT_TYPE_EXISTS) { - CHECK(kret, "register ktf_writable"); - } + /* All keytab types are registered by default -- test for + redundant error */ + kret = krb5_kt_register(context, &krb5_ktf_writable_ops); + if(kret && kret != KRB5_KT_TYPE_EXISTS) { + CHECK(kret, "register ktf_writable"); + } - test_misc(context); - do_test(context, "WRFILE:", FALSE); - do_test(context, "MEMORY:", TRUE); + test_misc(context); + do_test(context, "WRFILE:", FALSE); + do_test(context, "MEMORY:", TRUE); - krb5_free_context(context); - return 0; + krb5_free_context(context); + return 0; } @@ -457,9 +458,9 @@ main (void) /* remove and add are functions, so that they can return NOWRITE if not a writable keytab */ krb5_error_code KRB5_CALLCONV krb5_kt_remove_entry - (krb5_context, - krb5_keytab, - krb5_keytab_entry * ); +(krb5_context, + krb5_keytab, + krb5_keytab_entry * ); diff --git a/src/lib/krb5/krb/addr_comp.c b/src/lib/krb5/krb/addr_comp.c index 16ab03bbf..194fc2bb6 100644 --- a/src/lib/krb5/krb/addr_comp.c +++ b/src/lib/krb5/krb/addr_comp.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/addr_comp.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_address_compare() */ @@ -36,13 +37,13 @@ krb5_boolean KRB5_CALLCONV krb5_address_compare(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) { if (addr1->addrtype != addr2->addrtype) - return(FALSE); + return(FALSE); if (addr1->length != addr2->length) - return(FALSE); + return(FALSE); if (memcmp((char *)addr1->contents, (char *)addr2->contents, - addr1->length)) - return FALSE; + addr1->length)) + return FALSE; else - return TRUE; + return TRUE; } diff --git a/src/lib/krb5/krb/addr_order.c b/src/lib/krb5/krb/addr_order.c index 2f01e1fbc..b742d01ec 100644 --- a/src/lib/krb5/krb/addr_order.c +++ b/src/lib/krb5/krb/addr_order.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/addr_order.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_address_order() */ @@ -45,18 +46,18 @@ krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_a const int minlen = min(addr1->length, addr2->length); if (addr1->addrtype != addr2->addrtype) - return(FALSE); + return(FALSE); dir = addr1->length - addr2->length; - + for (i = 0; i < minlen; i++) { - if ((unsigned char) addr1->contents[i] < - (unsigned char) addr2->contents[i]) - return -1; - else if ((unsigned char) addr1->contents[i] > - (unsigned char) addr2->contents[i]) - return 1; + if ((unsigned char) addr1->contents[i] < + (unsigned char) addr2->contents[i]) + return -1; + else if ((unsigned char) addr1->contents[i] > + (unsigned char) addr2->contents[i]) + return 1; } /* compared equal so far...which is longer? */ return dir; diff --git a/src/lib/krb5/krb/addr_srch.c b/src/lib/krb5/krb/addr_srch.c index 11a3ce0bb..7a6030490 100644 --- a/src/lib/krb5/krb/addr_srch.c +++ b/src/lib/krb5/krb/addr_srch.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/addr_srch.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_address_search() */ @@ -35,10 +36,10 @@ address_count(krb5_address *const *addrlist) unsigned int i; if (addrlist == NULL) - return 0; + return 0; for (i = 0; addrlist[i]; i++) - ; + ; return i; } @@ -57,12 +58,12 @@ krb5_address_search(krb5_context context, const krb5_address *addr, krb5_address */ if (address_count(addrlist) == 1 && addrlist[0]->addrtype == ADDRTYPE_NETBIOS) - return TRUE; + return TRUE; if (!addrlist) - return TRUE; + return TRUE; for (; *addrlist; addrlist++) { - if (krb5_address_compare(context, addr, *addrlist)) - return TRUE; + if (krb5_address_compare(context, addr, *addrlist)) + return TRUE; } return FALSE; } diff --git a/src/lib/krb5/krb/appdefault.c b/src/lib/krb5/krb/appdefault.c index 94788899b..6fa8cd365 100644 --- a/src/lib/krb5/krb/appdefault.c +++ b/src/lib/krb5/krb/appdefault.c @@ -1,6 +1,7 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * appdefault - routines designed to be called from applications to - * handle the [appdefaults] profile section + * handle the [appdefaults] profile section */ #include @@ -9,158 +10,158 @@ - /*xxx Duplicating this is annoying; try to work on a better way.*/ +/*xxx Duplicating this is annoying; try to work on a better way.*/ static const char *const conf_yes[] = { - "y", "yes", "true", "t", "1", "on", - 0, + "y", "yes", "true", "t", "1", "on", + 0, }; static const char *const conf_no[] = { - "n", "no", "false", "nil", "0", "off", - 0, + "n", "no", "false", "nil", "0", "off", + 0, }; static int conf_boolean(char *s) { - const char * const *p; - for(p=conf_yes; *p; p++) { - if (!strcasecmp(*p,s)) - return 1; - } - for(p=conf_no; *p; p++) { - if (!strcasecmp(*p,s)) - return 0; - } - /* Default to "no" */ - return 0; + const char * const *p; + for(p=conf_yes; *p; p++) { + if (!strcasecmp(*p,s)) + return 1; + } + for(p=conf_no; *p; p++) { + if (!strcasecmp(*p,s)) + return 0; + } + /* Default to "no" */ + return 0; } static krb5_error_code appdefault_get(krb5_context context, const char *appname, const krb5_data *realm, const char *option, char **ret_value) { - profile_t profile; - const char *names[5]; - char **nameval = NULL; - krb5_error_code retval; - const char * realmstr = realm?realm->data:NULL; - - if (!context || (context->magic != KV5M_CONTEXT)) - return KV5M_CONTEXT; - - profile = context->profile; - - /* - * Try number one: - * - * [appdefaults] - * app = { - * SOME.REALM = { - * option = - * } - * } - */ - - names[0] = "appdefaults"; - names[1] = appname; - - if (realmstr) { - names[2] = realmstr; - names[3] = option; - names[4] = 0; - retval = profile_get_values(profile, names, &nameval); - if (retval == 0 && nameval && nameval[0]) { - *ret_value = strdup(nameval[0]); - goto goodbye; - } - } - - /* - * Try number two: - * - * [appdefaults] - * app = { - * option = - * } - */ - - names[2] = option; - names[3] = 0; - retval = profile_get_values(profile, names, &nameval); - if (retval == 0 && nameval && nameval[0]) { - *ret_value = strdup(nameval[0]); - goto goodbye; - } - - /* - * Try number three: - * - * [appdefaults] - * realm = { - * option = - */ - - if (realmstr) { - names[1] = realmstr; - names[2] = option; - names[3] = 0; - retval = profile_get_values(profile, names, &nameval); - if (retval == 0 && nameval && nameval[0]) { - *ret_value = strdup(nameval[0]); - goto goodbye; - } - } - - /* - * Try number four: - * - * [appdefaults] - * option = - */ - - names[1] = option; - names[2] = 0; - retval = profile_get_values(profile, names, &nameval); - if (retval == 0 && nameval && nameval[0]) { - *ret_value = strdup(nameval[0]); - } else { - return retval; - } + profile_t profile; + const char *names[5]; + char **nameval = NULL; + krb5_error_code retval; + const char * realmstr = realm?realm->data:NULL; + + if (!context || (context->magic != KV5M_CONTEXT)) + return KV5M_CONTEXT; + + profile = context->profile; + + /* + * Try number one: + * + * [appdefaults] + * app = { + * SOME.REALM = { + * option = + * } + * } + */ + + names[0] = "appdefaults"; + names[1] = appname; + + if (realmstr) { + names[2] = realmstr; + names[3] = option; + names[4] = 0; + retval = profile_get_values(profile, names, &nameval); + if (retval == 0 && nameval && nameval[0]) { + *ret_value = strdup(nameval[0]); + goto goodbye; + } + } + + /* + * Try number two: + * + * [appdefaults] + * app = { + * option = + * } + */ + + names[2] = option; + names[3] = 0; + retval = profile_get_values(profile, names, &nameval); + if (retval == 0 && nameval && nameval[0]) { + *ret_value = strdup(nameval[0]); + goto goodbye; + } + + /* + * Try number three: + * + * [appdefaults] + * realm = { + * option = + */ + + if (realmstr) { + names[1] = realmstr; + names[2] = option; + names[3] = 0; + retval = profile_get_values(profile, names, &nameval); + if (retval == 0 && nameval && nameval[0]) { + *ret_value = strdup(nameval[0]); + goto goodbye; + } + } + + /* + * Try number four: + * + * [appdefaults] + * option = + */ + + names[1] = option; + names[2] = 0; + retval = profile_get_values(profile, names, &nameval); + if (retval == 0 && nameval && nameval[0]) { + *ret_value = strdup(nameval[0]); + } else { + return retval; + } goodbye: - if (nameval) { - char **cpp; - for (cpp = nameval; *cpp; cpp++) - free(*cpp); - free(nameval); - } - return 0; + if (nameval) { + char **cpp; + for (cpp = nameval; *cpp; cpp++) + free(*cpp); + free(nameval); + } + return 0; } -void KRB5_CALLCONV +void KRB5_CALLCONV krb5_appdefault_boolean(krb5_context context, const char *appname, const krb5_data *realm, const char *option, int default_value, int *ret_value) { - char *string = NULL; - krb5_error_code retval; + char *string = NULL; + krb5_error_code retval; - retval = appdefault_get(context, appname, realm, option, &string); + retval = appdefault_get(context, appname, realm, option, &string); - if (! retval && string) { - *ret_value = conf_boolean(string); - free(string); - } else - *ret_value = default_value; + if (! retval && string) { + *ret_value = conf_boolean(string); + free(string); + } else + *ret_value = default_value; } -void KRB5_CALLCONV +void KRB5_CALLCONV krb5_appdefault_string(krb5_context context, const char *appname, const krb5_data *realm, const char *option, const char *default_value, char **ret_value) { - krb5_error_code retval; - char *string; + krb5_error_code retval; + char *string; - retval = appdefault_get(context, appname, realm, option, &string); + retval = appdefault_get(context, appname, realm, option, &string); - if (! retval && string) { - *ret_value = string; - } else { - *ret_value = strdup(default_value); - } + if (! retval && string) { + *ret_value = string; + } else { + *ret_value = strdup(default_value); + } } diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index ee31fb82b..e6bbac15a 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "k5-int.h" #include "auth_con.h" @@ -9,11 +10,11 @@ actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou krb5_address *tmpad; if (!(tmpad = (krb5_address *)malloc(sizeof(*tmpad)))) - return ENOMEM; + return ENOMEM; *tmpad = *inad; if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) { - free(tmpad); - return ENOMEM; + free(tmpad); + return ENOMEM; } memcpy(tmpad->contents, inad->contents, inad->length); *outad = tmpad; @@ -24,13 +25,13 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context) { *auth_context = - (krb5_auth_context)calloc(1, sizeof(struct _krb5_auth_context)); + (krb5_auth_context)calloc(1, sizeof(struct _krb5_auth_context)); if (!*auth_context) - return ENOMEM; + return ENOMEM; /* Default flags, do time not seq */ - (*auth_context)->auth_context_flags = - KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED; + (*auth_context)->auth_context_flags = + KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED; (*auth_context)->req_cksumtype = context->default_ap_req_sumtype; (*auth_context)->safe_cksumtype = context->default_safe_sumtype; @@ -45,29 +46,29 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) { if (auth_context == NULL) - return 0; - if (auth_context->local_addr) - krb5_free_address(context, auth_context->local_addr); - if (auth_context->remote_addr) - krb5_free_address(context, auth_context->remote_addr); - if (auth_context->local_port) - krb5_free_address(context, auth_context->local_port); - if (auth_context->remote_port) - krb5_free_address(context, auth_context->remote_port); - if (auth_context->authentp) - krb5_free_authenticator(context, auth_context->authentp); + return 0; + if (auth_context->local_addr) + krb5_free_address(context, auth_context->local_addr); + if (auth_context->remote_addr) + krb5_free_address(context, auth_context->remote_addr); + if (auth_context->local_port) + krb5_free_address(context, auth_context->local_port); + if (auth_context->remote_port) + krb5_free_address(context, auth_context->remote_port); + if (auth_context->authentp) + krb5_free_authenticator(context, auth_context->authentp); if (auth_context->key) - krb5_k_free_key(context, auth_context->key); - if (auth_context->send_subkey) - krb5_k_free_key(context, auth_context->send_subkey); - if (auth_context->recv_subkey) - krb5_k_free_key(context, auth_context->recv_subkey); + krb5_k_free_key(context, auth_context->key); + if (auth_context->send_subkey) + krb5_k_free_key(context, auth_context->send_subkey); + if (auth_context->recv_subkey) + krb5_k_free_key(context, auth_context->recv_subkey); if (auth_context->rcache) - krb5_rc_close(context, auth_context->rcache); + krb5_rc_close(context, auth_context->rcache); if (auth_context->permitted_etypes) - free(auth_context->permitted_etypes); + free(auth_context->permitted_etypes); if (auth_context->ad_context) - krb5_authdata_context_free(context, auth_context->ad_context); + krb5_authdata_context_free(context, auth_context->ad_context); free(auth_context); return 0; } @@ -75,28 +76,28 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) krb5_error_code krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address *local_addr, krb5_address *remote_addr) { - krb5_error_code retval; + krb5_error_code retval; /* Free old addresses */ if (auth_context->local_addr) - (void) krb5_free_address(context, auth_context->local_addr); + (void) krb5_free_address(context, auth_context->local_addr); if (auth_context->remote_addr) - (void) krb5_free_address(context, auth_context->remote_addr); + (void) krb5_free_address(context, auth_context->remote_addr); retval = 0; if (local_addr) - retval = actx_copy_addr(context, - local_addr, - &auth_context->local_addr); + retval = actx_copy_addr(context, + local_addr, + &auth_context->local_addr); else - auth_context->local_addr = NULL; + auth_context->local_addr = NULL; if (!retval && remote_addr) - retval = actx_copy_addr(context, - remote_addr, - &auth_context->remote_addr); + retval = actx_copy_addr(context, + remote_addr, + &auth_context->remote_addr); else - auth_context->remote_addr = NULL; + auth_context->remote_addr = NULL; return retval; } @@ -104,18 +105,18 @@ krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb krb5_error_code KRB5_CALLCONV krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address **local_addr, krb5_address **remote_addr) { - krb5_error_code retval; + krb5_error_code retval; retval = 0; if (local_addr && auth_context->local_addr) { - retval = actx_copy_addr(context, - auth_context->local_addr, - local_addr); + retval = actx_copy_addr(context, + auth_context->local_addr, + local_addr); } if (!retval && (remote_addr) && auth_context->remote_addr) { - retval = actx_copy_addr(context, - auth_context->remote_addr, - remote_addr); + retval = actx_copy_addr(context, + auth_context->remote_addr, + remote_addr); } return retval; } @@ -123,28 +124,28 @@ krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb krb5_error_code KRB5_CALLCONV krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address *local_port, krb5_address *remote_port) { - krb5_error_code retval; + krb5_error_code retval; /* Free old addresses */ if (auth_context->local_port) - (void) krb5_free_address(context, auth_context->local_port); + (void) krb5_free_address(context, auth_context->local_port); if (auth_context->remote_port) - (void) krb5_free_address(context, auth_context->remote_port); + (void) krb5_free_address(context, auth_context->remote_port); retval = 0; if (local_port) - retval = actx_copy_addr(context, - local_port, - &auth_context->local_port); + retval = actx_copy_addr(context, + local_port, + &auth_context->local_port); else - auth_context->local_port = NULL; + auth_context->local_port = NULL; if (!retval && remote_port) - retval = actx_copy_addr(context, - remote_port, - &auth_context->remote_port); + retval = actx_copy_addr(context, + remote_port, + &auth_context->remote_port); else - auth_context->remote_port = NULL; + auth_context->remote_port = NULL; return retval; } @@ -161,7 +162,7 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock) { if (auth_context->key) - krb5_k_free_key(context, auth_context->key); + krb5_k_free_key(context, auth_context->key); return(krb5_k_create_key(context, keyblock, &(auth_context->key))); } @@ -169,7 +170,7 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) { if (auth_context->key) - return krb5_k_key_keyblock(context, auth_context->key, keyblock); + return krb5_k_key_keyblock(context, auth_context->key, keyblock); *keyblock = NULL; return 0; } @@ -190,31 +191,31 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) { if (ac->send_subkey != NULL) - krb5_k_free_key(ctx, ac->send_subkey); + krb5_k_free_key(ctx, ac->send_subkey); ac->send_subkey = NULL; if (keyblock !=NULL) - return krb5_k_create_key(ctx, keyblock, &ac->send_subkey); + return krb5_k_create_key(ctx, keyblock, &ac->send_subkey); else - return 0; + return 0; } krb5_error_code KRB5_CALLCONV krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) { if (ac->recv_subkey != NULL) - krb5_k_free_key(ctx, ac->recv_subkey); + krb5_k_free_key(ctx, ac->recv_subkey); ac->recv_subkey = NULL; if (keyblock != NULL) - return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey); + return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey); else - return 0; + return 0; } krb5_error_code KRB5_CALLCONV krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { if (ac->send_subkey != NULL) - return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock); + return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock); *keyblock = NULL; return 0; } @@ -223,7 +224,7 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { if (ac->recv_subkey != NULL) - return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock); + return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock); *keyblock = NULL; return 0; } @@ -253,7 +254,7 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator **authenticator) { return (krb5_copy_authenticator(context, auth_context->authentp, - authenticator)); + authenticator)); } #endif @@ -271,15 +272,15 @@ krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context) krb5_enctype enctype; if (auth_context->key) { - size_t blocksize; - - enctype = krb5_k_key_enctype(context, auth_context->key); - if ((ret = krb5_c_block_size(context, enctype, &blocksize))) - return(ret); - if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) { - return 0; - } - return ENOMEM; + size_t blocksize; + + enctype = krb5_k_key_enctype(context, auth_context->key); + if ((ret = krb5_c_block_size(context, enctype, &blocksize))) + return(ret); + if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) { + return 0; + } + return ENOMEM; } return EINVAL; /* XXX need an error for no keyblock */ } @@ -318,30 +319,30 @@ krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, kr auth_context->rcache = rcache; return 0; } - + krb5_error_code krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache *rcache) { *rcache = auth_context->rcache; return 0; } - + krb5_error_code krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context, const krb5_enctype *permetypes) { - krb5_enctype * newpe; + krb5_enctype * newpe; int i; for (i=0; permetypes[i]; i++) - ; + ; i++; /* include the zero */ if ((newpe = (krb5_enctype *) malloc(i*sizeof(krb5_enctype))) - == NULL) - return(ENOMEM); + == NULL) + return(ENOMEM); if (auth_context->permitted_etypes) - free(auth_context->permitted_etypes); + free(auth_context->permitted_etypes); auth_context->permitted_etypes = newpe; @@ -353,21 +354,21 @@ krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context krb5_error_code krb5_auth_con_getpermetypes(krb5_context context, krb5_auth_context auth_context, krb5_enctype **permetypes) { - krb5_enctype * newpe; + krb5_enctype * newpe; int i; if (! auth_context->permitted_etypes) { - *permetypes = NULL; - return(0); + *permetypes = NULL; + return(0); } for (i=0; auth_context->permitted_etypes[i]; i++) - ; + ; i++; /* include the zero */ if ((newpe = (krb5_enctype *) malloc(i*sizeof(krb5_enctype))) - == NULL) - return(ENOMEM); + == NULL) + return(ENOMEM); *permetypes = newpe; @@ -378,24 +379,24 @@ krb5_auth_con_getpermetypes(krb5_context context, krb5_auth_context auth_context krb5_error_code KRB5_CALLCONV krb5_auth_con_set_checksum_func( krb5_context context, - krb5_auth_context auth_context, - krb5_mk_req_checksum_func func, - void *data) + krb5_auth_context auth_context, + krb5_mk_req_checksum_func func, + void *data) { - auth_context->checksum_func = func; - auth_context->checksum_func_data = data; - return 0; + auth_context->checksum_func = func; + auth_context->checksum_func_data = data; + return 0; } krb5_error_code KRB5_CALLCONV krb5_auth_con_get_checksum_func( krb5_context context, - krb5_auth_context auth_context, - krb5_mk_req_checksum_func *func, - void **data) + krb5_auth_context auth_context, + krb5_mk_req_checksum_func *func, + void **data) { - *func = auth_context->checksum_func; - *data = auth_context->checksum_func_data; - return 0; + *func = auth_context->checksum_func; + *data = auth_context->checksum_func_data; + return 0; } /* @@ -425,16 +426,16 @@ krb5_auth_con_get_checksum_func( krb5_context context, * compatibility with our older implementations. This also means that * encodings emitted by Heimdal are ambiguous. * - * Heimdal counter value received uint32 value + * Heimdal counter value received uint32 value * - * 0x00000080 0xFFFFFF80 - * 0x000000FF 0xFFFFFFFF - * 0x00008000 0xFFFF8000 - * 0x0000FFFF 0xFFFFFFFF - * 0x00800000 0xFF800000 - * 0x00FFFFFF 0xFFFFFFFF - * 0xFF800000 0xFF800000 - * 0xFFFFFFFF 0xFFFFFFFF + * 0x00000080 0xFFFFFF80 + * 0x000000FF 0xFFFFFFFF + * 0x00008000 0xFFFF8000 + * 0x0000FFFF 0xFFFFFFFF + * 0x00800000 0xFF800000 + * 0x00FFFFFF 0xFFFFFFFF + * 0xFF800000 0xFF800000 + * 0xFFFFFFFF 0xFFFFFFFF * * We use two auth_context flags, SANE_SEQ and HEIMDAL_SEQ, which are * only set after we can unambiguously determine the sanity of the @@ -474,38 +475,38 @@ krb5int_auth_con_chkseqnum( * If sender is known to be sane, accept _only_ exact matches. */ if (ac->auth_context_flags & KRB5_AUTH_CONN_SANE_SEQ) - return in_seq == exp_seq; + return in_seq == exp_seq; /* * If sender is not known to be sane, first check the ambiguous * range of received values, 0xFF800000..0xFFFFFFFF. */ if ((in_seq & 0xFF800000) == 0xFF800000) { - /* - * If expected sequence number is in the range - * 0xFF800000..0xFFFFFFFF, then we can't make any - * determinations about the sanity of the sending - * implementation. - */ - if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq) - return 1; - /* - * If sender is not known for certain to be a broken Heimdal - * implementation, check for exact match. - */ - if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ) - && in_seq == exp_seq) - return 1; - /* - * Now apply hairy algorithm for matching sequence numbers - * sent by broken Heimdal implementations. If it matches, we - * know for certain it's a broken Heimdal sender. - */ - if (chk_heimdal_seqnum(exp_seq, in_seq)) { - ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ; - return 1; - } - return 0; + /* + * If expected sequence number is in the range + * 0xFF800000..0xFFFFFFFF, then we can't make any + * determinations about the sanity of the sending + * implementation. + */ + if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq) + return 1; + /* + * If sender is not known for certain to be a broken Heimdal + * implementation, check for exact match. + */ + if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ) + && in_seq == exp_seq) + return 1; + /* + * Now apply hairy algorithm for matching sequence numbers + * sent by broken Heimdal implementations. If it matches, we + * know for certain it's a broken Heimdal sender. + */ + if (chk_heimdal_seqnum(exp_seq, in_seq)) { + ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ; + return 1; + } + return 0; } /* @@ -514,11 +515,11 @@ krb5int_auth_con_chkseqnum( * it matches the received value, sender is known to be sane. */ if (in_seq == exp_seq) { - if (( exp_seq & 0xFFFFFF80) == 0x00000080 - || (exp_seq & 0xFFFF8000) == 0x00008000 - || (exp_seq & 0xFF800000) == 0x00800000) - ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ; - return 1; + if (( exp_seq & 0xFFFFFF80) == 0x00000080 + || (exp_seq & 0xFFFF8000) == 0x00008000 + || (exp_seq & 0xFF800000) == 0x00800000) + ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ; + return 1; } /* @@ -528,17 +529,17 @@ krb5int_auth_con_chkseqnum( * and mark the sender as being a broken Heimdal implementation. */ if (exp_seq == 0 - && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) { - switch (in_seq) { - case 0x100: - case 0x10000: - case 0x1000000: - ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ; - exp_seq = in_seq; - return 1; - default: - return 0; - } + && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) { + switch (in_seq) { + case 0x100: + case 0x10000: + case 0x1000000: + ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ; + exp_seq = in_seq; + return 1; + default: + return 0; + } } return 0; } @@ -547,25 +548,25 @@ static krb5_boolean chk_heimdal_seqnum(krb5_ui_4 exp_seq, krb5_ui_4 in_seq) { if (( exp_seq & 0xFF800000) == 0x00800000 - && (in_seq & 0xFF800000) == 0xFF800000 - && (in_seq & 0x00FFFFFF) == exp_seq) - return 1; + && (in_seq & 0xFF800000) == 0xFF800000 + && (in_seq & 0x00FFFFFF) == exp_seq) + return 1; else if (( exp_seq & 0xFFFF8000) == 0x00008000 - && (in_seq & 0xFFFF8000) == 0xFFFF8000 - && (in_seq & 0x0000FFFF) == exp_seq) - return 1; + && (in_seq & 0xFFFF8000) == 0xFFFF8000 + && (in_seq & 0x0000FFFF) == exp_seq) + return 1; else if (( exp_seq & 0xFFFFFF80) == 0x00000080 - && (in_seq & 0xFFFFFF80) == 0xFFFFFF80 - && (in_seq & 0x000000FF) == exp_seq) - return 1; + && (in_seq & 0xFFFFFF80) == 0xFFFFFF80 + && (in_seq & 0x000000FF) == exp_seq) + return 1; else - return 0; + return 0; } krb5_error_code krb5_auth_con_get_subkey_enctype(krb5_context context, - krb5_auth_context auth_context, - krb5_enctype *etype) + krb5_auth_context auth_context, + krb5_enctype *etype) { *etype = auth_context->negotiated_etype; return 0; @@ -573,8 +574,8 @@ krb5_auth_con_get_subkey_enctype(krb5_context context, krb5_error_code KRB5_CALLCONV krb5_auth_con_get_authdata_context(krb5_context context, - krb5_auth_context auth_context, - krb5_authdata_context *ad_context) + krb5_auth_context auth_context, + krb5_authdata_context *ad_context) { *ad_context = auth_context->ad_context; return 0; @@ -582,10 +583,9 @@ krb5_auth_con_get_authdata_context(krb5_context context, krb5_error_code KRB5_CALLCONV krb5_auth_con_set_authdata_context(krb5_context context, - krb5_auth_context auth_context, - krb5_authdata_context ad_context) + krb5_auth_context auth_context, + krb5_authdata_context ad_context) { auth_context->ad_context = ad_context; return 0; } - diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h index 684eb4e40..94d2c51a2 100644 --- a/src/lib/krb5/krb/auth_con.h +++ b/src/lib/krb5/krb/auth_con.h @@ -1,38 +1,39 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #ifndef KRB5_AUTH_CONTEXT #define KRB5_AUTH_CONTEXT struct _krb5_auth_context { - krb5_magic magic; - krb5_address * remote_addr; - krb5_address * remote_port; - krb5_address * local_addr; - krb5_address * local_port; + krb5_magic magic; + krb5_address * remote_addr; + krb5_address * remote_port; + krb5_address * local_addr; + krb5_address * local_port; krb5_key key; krb5_key send_subkey; krb5_key recv_subkey; - krb5_int32 auth_context_flags; - krb5_ui_4 remote_seq_number; - krb5_ui_4 local_seq_number; - krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/ - krb5_cksumtype req_cksumtype; /* mk_safe, ... */ - krb5_cksumtype safe_cksumtype; /* mk_safe, ... */ - krb5_pointer i_vector; /* mk_priv, rd_priv only */ - krb5_rcache rcache; - krb5_enctype * permitted_etypes; /* rd_req */ + krb5_int32 auth_context_flags; + krb5_ui_4 remote_seq_number; + krb5_ui_4 local_seq_number; + krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/ + krb5_cksumtype req_cksumtype; /* mk_safe, ... */ + krb5_cksumtype safe_cksumtype; /* mk_safe, ... */ + krb5_pointer i_vector; /* mk_priv, rd_priv only */ + krb5_rcache rcache; + krb5_enctype * permitted_etypes; /* rd_req */ krb5_mk_req_checksum_func checksum_func; void *checksum_func_data; - krb5_enctype negotiated_etype; + krb5_enctype negotiated_etype; krb5_authdata_context ad_context; }; /* Internal auth_context_flags */ -#define KRB5_AUTH_CONN_INITIALIZED 0x00010000 -#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000 -#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000 -#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000 -#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000 +#define KRB5_AUTH_CONN_INITIALIZED 0x00010000 +#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000 +#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000 +#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000 +#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000 #endif diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c index c5992aded..5430127eb 100644 --- a/src/lib/krb5/krb/authdata.c +++ b/src/lib/krb5/krb/authdata.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 2009 by the Massachusetts Institute of Technology. All * Rights Reserved. @@ -39,7 +39,7 @@ static const char *objdirs[] = { #endif LIBDIR "/krb5/plugins/authdata", NULL - }; /* should be a list */ +}; /* should be a list */ /* Internal authdata systems */ static krb5plugin_authdata_client_ftable_v0 *authdata_systems[] = { @@ -648,10 +648,10 @@ krb5int_authdata_verify(krb5_context kcontext, if (authdata == NULL) { code = krb5int_find_authdata(kcontext, - ticket_authdata, - authen_authdata, - module->ad_type, - &authdata); + ticket_authdata, + authen_authdata, + module->ad_type, + &authdata); if (code != 0) break; } @@ -1244,4 +1244,3 @@ krb5_ser_authdata_context_init(krb5_context kcontext) return krb5_register_serializer(kcontext, &krb5_authdata_context_ser_entry); } - diff --git a/src/lib/krb5/krb/authdata.h b/src/lib/krb5/krb/authdata.h index 9e4dcceb0..39d80d662 100644 --- a/src/lib/krb5/krb/authdata.h +++ b/src/lib/krb5/krb/authdata.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/authdata.h * @@ -35,14 +36,13 @@ /* authdata.c */ krb5_error_code krb5int_authdata_verify(krb5_context context, - krb5_authdata_context, - krb5_flags usage, - const krb5_auth_context *auth_context, - const krb5_keyblock *key, - const krb5_ap_req *ap_req); + krb5_authdata_context, + krb5_flags usage, + const krb5_auth_context *auth_context, + const krb5_keyblock *key, + const krb5_ap_req *ap_req); /* pac.c */ extern krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable; #endif /* !KRB_AUTHDATA_H */ - diff --git a/src/lib/krb5/krb/bld_pr_ext.c b/src/lib/krb5/krb/bld_pr_ext.c index 1a288c896..899b9ee3b 100644 --- a/src/lib/krb5/krb/bld_pr_ext.c +++ b/src/lib/krb5/krb/bld_pr_ext.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/bld_pr_ext.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Build a principal from a list of lengths and strings */ @@ -33,7 +34,7 @@ krb5_error_code KRB5_CALLCONV_C krb5_build_principal_ext(krb5_context context, krb5_principal * princ, - unsigned int rlen, const char * realm, ...) + unsigned int rlen, const char * realm, ...) { va_list ap; int i, count = 0; @@ -44,8 +45,8 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ, va_start(ap, realm); /* count up */ while (va_arg(ap, int) != 0) { - (void)va_arg(ap, char *); /* pass one up */ - count++; + (void)va_arg(ap, char *); /* pass one up */ + count++; } va_end(ap); @@ -54,30 +55,30 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ, /* get space for array */ princ_data = (krb5_data *) malloc(sizeof(krb5_data) * count); if (!princ_data) - return ENOMEM; + return ENOMEM; princ_ret = (krb5_principal) malloc(sizeof(krb5_principal_data)); if (!princ_ret) { - free(princ_data); - return ENOMEM; + free(princ_data); + return ENOMEM; } princ_ret->data = princ_data; princ_ret->length = count; tmpdata.length = rlen; tmpdata.data = (char *) realm; if (krb5int_copy_data_contents_add0(context, &tmpdata, &princ_ret->realm) != 0) { - free(princ_data); - free(princ_ret); - return ENOMEM; - } + free(princ_data); + free(princ_ret); + return ENOMEM; + } /* process rest of components */ va_start(ap, realm); for (i = 0; i < count; i++) { - tmpdata.length = va_arg(ap, unsigned int); - tmpdata.data = va_arg(ap, char *); - if (krb5int_copy_data_contents_add0(context, &tmpdata, - &princ_data[i]) != 0) - goto free_out; + tmpdata.length = va_arg(ap, unsigned int); + tmpdata.data = va_arg(ap, char *); + if (krb5int_copy_data_contents_add0(context, &tmpdata, + &princ_data[i]) != 0) + goto free_out; } va_end(ap); *princ = princ_ret; @@ -86,7 +87,7 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ, free_out: while (--i >= 0) - free(princ_data[i].data); + free(princ_data[i].data); free(princ_data); free(princ_ret->realm.data); free(princ_ret); diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c index d3e0d294b..ac2c92a9e 100644 --- a/src/lib/krb5/krb/bld_princ.c +++ b/src/lib/krb5/krb/bld_princ.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/bld_princ.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Build a principal from a list of strings */ @@ -30,13 +31,13 @@ #include #include "k5-int.h" -/* Takes first component as argument for KIM API, +/* Takes first component as argument for KIM API, * which does not allow realms with zero components */ static krb5_error_code -krb5int_build_principal_va(krb5_context context, - krb5_principal princ, - unsigned int rlen, - const char *realm, +krb5int_build_principal_va(krb5_context context, + krb5_principal princ, + unsigned int rlen, + const char *realm, const char *first, va_list ap) { @@ -46,26 +47,26 @@ krb5int_build_principal_va(krb5_context context, krb5_int32 count = 0; krb5_int32 size = 2; /* initial guess at needed space */ char *component = NULL; - + data = malloc(size * sizeof(krb5_data)); if (!data) { retval = ENOMEM; } - + if (!retval) { r = strdup(realm); if (!r) { retval = ENOMEM; } } - + if (!retval && first) { data[0].length = strlen(first); data[0].data = strdup(first); if (!data[0].data) { retval = ENOMEM; } count++; - + /* ap is only valid if first is non-NULL */ while (!retval && (component = va_arg(ap, char *))) { if (count == size) { krb5_data *new_data = NULL; - + size *= 2; new_data = realloc ((char *) data, sizeof(krb5_data) * size); if (new_data) { @@ -74,16 +75,16 @@ krb5int_build_principal_va(krb5_context context, retval = ENOMEM; } } - + if (!retval) { data[count].length = strlen(component); - data[count].data = strdup(component); + data[count].data = strdup(component); if (!data[count].data) { retval = ENOMEM; } count++; } } } - + if (!retval) { princ->type = KRB5_NT_UNKNOWN; princ->magic = KV5M_PRINCIPAL; @@ -94,7 +95,7 @@ krb5int_build_principal_va(krb5_context context, r = NULL; /* take ownership */ data = NULL; /* take ownership */ } - + if (data) { while (--count >= 0) { free(data[count].data); @@ -102,68 +103,68 @@ krb5int_build_principal_va(krb5_context context, free(data); } free(r); - + return retval; } krb5_error_code KRB5_CALLCONV -krb5_build_principal_va(krb5_context context, - krb5_principal princ, - unsigned int rlen, - const char *realm, +krb5_build_principal_va(krb5_context context, + krb5_principal princ, + unsigned int rlen, + const char *realm, va_list ap) { char *first = va_arg(ap, char *); - + return krb5int_build_principal_va(context, princ, rlen, realm, first, ap); } -/* Takes first component as argument for KIM API, +/* Takes first component as argument for KIM API, * which does not allow realms with zero components */ krb5_error_code KRB5_CALLCONV -krb5int_build_principal_alloc_va(krb5_context context, - krb5_principal *princ, - unsigned int rlen, - const char *realm, +krb5int_build_principal_alloc_va(krb5_context context, + krb5_principal *princ, + unsigned int rlen, + const char *realm, const char *first, va_list ap) { krb5_error_code retval = 0; - + krb5_principal p = malloc(sizeof(krb5_principal_data)); if (!p) { retval = ENOMEM; } - + if (!retval) { retval = krb5int_build_principal_va(context, p, rlen, realm, first, ap); } - + if (!retval) { - *princ = p; + *princ = p; } else { free(p); } - - return retval; + + return retval; } krb5_error_code KRB5_CALLCONV -krb5_build_principal_alloc_va(krb5_context context, - krb5_principal *princ, - unsigned int rlen, - const char *realm, +krb5_build_principal_alloc_va(krb5_context context, + krb5_principal *princ, + unsigned int rlen, + const char *realm, va_list ap) { krb5_error_code retval = 0; - + krb5_principal p = malloc(sizeof(krb5_principal_data)); if (!p) { retval = ENOMEM; } - + if (!retval) { retval = krb5_build_principal_va(context, p, rlen, realm, ap); } - + if (!retval) { - *princ = p; + *princ = p; } else { free(p); } @@ -172,17 +173,17 @@ krb5_build_principal_alloc_va(krb5_context context, } krb5_error_code KRB5_CALLCONV_C -krb5_build_principal(krb5_context context, - krb5_principal * princ, - unsigned int rlen, - const char * realm, ...) +krb5_build_principal(krb5_context context, + krb5_principal * princ, + unsigned int rlen, + const char * realm, ...) { krb5_error_code retval = 0; va_list ap; - + va_start(ap, realm); retval = krb5_build_principal_alloc_va(context, princ, rlen, realm, ap); va_end(ap); - + return retval; } diff --git a/src/lib/krb5/krb/brand.c b/src/lib/krb5/krb/brand.c index 7e4e0dbd0..fc098ddb5 100644 --- a/src/lib/krb5/krb/brand.c +++ b/src/lib/krb5/krb/brand.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/brand.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c index 9af063ce3..3c014817c 100644 --- a/src/lib/krb5/krb/chk_trans.c +++ b/src/lib/krb5/krb/chk_trans.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/chk_trans.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_check_transited_list() */ @@ -46,12 +47,12 @@ static int verbose = 0; static krb5_error_code process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data, - const krb5_data *n1, const krb5_data *n2) { + const krb5_data *n1, const krb5_data *n2) { unsigned int len1, len2, i; char *p1, *p2; Tprintf (("process_intermediates(%.*s,%.*s)\n", - (int) n1->length, n1->data, (int) n2->length, n2->data)); + (int) n1->length, n1->data, (int) n2->length, n2->data)); len1 = n1->length; len2 = n2->length; @@ -59,78 +60,78 @@ process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data, Tprintf (("(walking intermediates now)\n")); /* Simplify... */ if (len1 > len2) { - const krb5_data *p; - int tmp = len1; - len1 = len2; - len2 = tmp; - p = n1; - n1 = n2; - n2 = p; + const krb5_data *p; + int tmp = len1; + len1 = len2; + len2 = tmp; + p = n1; + n1 = n2; + n2 = p; } /* Okay, now len1 is always shorter or equal. */ if (len1 == len2) { - if (memcmp (n1->data, n2->data, len1)) { - Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n", - (int) n1->length, n1->data, (int) n2->length, n2->data)); - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - Tprintf (("(end intermediates)\n")); - return 0; + if (memcmp (n1->data, n2->data, len1)) { + Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n", + (int) n1->length, n1->data, (int) n2->length, n2->data)); + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + Tprintf (("(end intermediates)\n")); + return 0; } /* Now len1 is always shorter. */ if (len1 == 0) - /* Shouldn't be possible. Internal error? */ - return KRB5KRB_AP_ERR_ILL_CR_TKT; + /* Shouldn't be possible. Internal error? */ + return KRB5KRB_AP_ERR_ILL_CR_TKT; p1 = n1->data; p2 = n2->data; if (p1[0] == '/') { - /* X.500 style names, with common prefix. */ - if (p2[0] != '/') { - Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n", - (int) len1, p1, (int) len2, p2)); - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - if (memcmp (p1, p2, len1)) { - Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n", - (int) len1, p1, (int) len2, p2)); - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - for (i = len1 + 1; i < len2; i++) - if (p2[i] == '/') { - krb5_data d; - krb5_error_code r; - - d.data = p2; - d.length = i; - r = (*fn) (&d, data); - if (r) - return r; - } + /* X.500 style names, with common prefix. */ + if (p2[0] != '/') { + Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n", + (int) len1, p1, (int) len2, p2)); + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + if (memcmp (p1, p2, len1)) { + Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n", + (int) len1, p1, (int) len2, p2)); + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + for (i = len1 + 1; i < len2; i++) + if (p2[i] == '/') { + krb5_data d; + krb5_error_code r; + + d.data = p2; + d.length = i; + r = (*fn) (&d, data); + if (r) + return r; + } } else { - /* Domain style names, with common suffix. */ - if (p2[0] == '/') { - Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n", - (int) len1, p1, (int) len2, p2)); - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - if (memcmp (p1, p2 + (len2 - len1), len1)) { - Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n", - (int) len1, p1, (int) len2, p2)); - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - for (i = len2 - len1 - 1; i > 0; i--) { - Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i)); - if (p2[i-1] == '.') { - krb5_data d; - krb5_error_code r; - - d.data = p2+i; - d.length = len2 - i; - r = (*fn) (&d, data); - if (r) - return r; - } - } + /* Domain style names, with common suffix. */ + if (p2[0] == '/') { + Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n", + (int) len1, p1, (int) len2, p2)); + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + if (memcmp (p1, p2 + (len2 - len1), len1)) { + Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n", + (int) len1, p1, (int) len2, p2)); + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + for (i = len2 - len1 - 1; i > 0; i--) { + Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i)); + if (p2[i-1] == '.') { + krb5_data d; + krb5_error_code r; + + d.data = p2+i; + d.length = len2 - i; + r = (*fn) (&d, data); + if (r) + return r; + } + } } Tprintf (("(end intermediates)\n")); return 0; @@ -140,25 +141,25 @@ static krb5_error_code maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz) { if (buf->length == 0) - return 0; + return 0; if (buf->data[0] == '/') { - if (last->length + buf->length > bufsiz) { - Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz)); - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - memmove (buf->data+last->length, buf->data, buf->length); - memcpy (buf->data, last->data, last->length); - buf->length += last->length; + if (last->length + buf->length > bufsiz) { + Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz)); + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + memmove (buf->data+last->length, buf->data, buf->length); + memcpy (buf->data, last->data, last->length); + buf->length += last->length; } else if (buf->data[buf->length-1] == '.') { - /* We can ignore the case where the previous component was - empty; the strcat will be a no-op. It should probably - be an error case, but let's be flexible. */ - if (last->length+buf->length > bufsiz) { - Tprintf (("too big\n")); - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - memcpy (buf->data + buf->length, last->data, last->length); - buf->length += last->length; + /* We can ignore the case where the previous component was + empty; the strcat will be a no-op. It should probably + be an error case, but let's be flexible. */ + if (last->length+buf->length > bufsiz) { + Tprintf (("too big\n")); + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + memcpy (buf->data + buf->length, last->data, last->length); + buf->length += last->length; } /* Otherwise, do nothing. */ return 0; @@ -170,8 +171,8 @@ maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz) of C strings. */ static krb5_error_code foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data, - const krb5_data *crealm, const krb5_data *srealm, - const krb5_data *transit) + const krb5_data *crealm, const krb5_data *srealm, + const krb5_data *transit) { char buf[MAXLEN], last[MAXLEN]; char *p, *bufp; @@ -201,88 +202,88 @@ foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data, print_data ("transit enc.: %.*s\n", transit); if (transit->length == 0) { - Tprintf (("no other realms transited\n")); - return 0; + Tprintf (("no other realms transited\n")); + return 0; } bufp = buf; for (p = transit->data, l = transit->length; l; p++, l--) { - if (next_lit) { - *bufp++ = *p; - if (bufp == buf+sizeof(buf)) - return KRB5KRB_AP_ERR_ILL_CR_TKT; - next_lit = 0; - } else if (*p == '\\') { - next_lit = 1; - } else if (*p == ',') { - if (bufp != buf) { - this_component.length = bufp - buf; - r = maybe_join (&last_component, &this_component, sizeof(buf)); - if (r) - return r; - r = (*fn) (&this_component, data); - if (r) - return r; - if (intermediates) { - if (p == transit->data) - r = process_intermediates (fn, data, - &this_component, crealm); - else { - r = process_intermediates (fn, data, &this_component, - &last_component); - } - if (r) - return r; - } - intermediates = 0; - memcpy (last, buf, sizeof (buf)); - last_component.length = this_component.length; - memset (buf, 0, sizeof (buf)); - bufp = buf; - } else { - intermediates = 1; - if (p == transit->data) { - if (crealm->length >= MAXLEN) - return KRB5KRB_AP_ERR_ILL_CR_TKT; - memcpy (last, crealm->data, crealm->length); - last[crealm->length] = '\0'; - last_component.length = crealm->length; - } - } - } else if (*p == ' ' && bufp == buf) { - /* This next component stands alone, even if it has a - trailing dot or leading slash. */ - memset (last, 0, sizeof (last)); - last_component.length = 0; - } else { - /* Not a special character; literal. */ - *bufp++ = *p; - if (bufp == buf+sizeof(buf)) - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } + if (next_lit) { + *bufp++ = *p; + if (bufp == buf+sizeof(buf)) + return KRB5KRB_AP_ERR_ILL_CR_TKT; + next_lit = 0; + } else if (*p == '\\') { + next_lit = 1; + } else if (*p == ',') { + if (bufp != buf) { + this_component.length = bufp - buf; + r = maybe_join (&last_component, &this_component, sizeof(buf)); + if (r) + return r; + r = (*fn) (&this_component, data); + if (r) + return r; + if (intermediates) { + if (p == transit->data) + r = process_intermediates (fn, data, + &this_component, crealm); + else { + r = process_intermediates (fn, data, &this_component, + &last_component); + } + if (r) + return r; + } + intermediates = 0; + memcpy (last, buf, sizeof (buf)); + last_component.length = this_component.length; + memset (buf, 0, sizeof (buf)); + bufp = buf; + } else { + intermediates = 1; + if (p == transit->data) { + if (crealm->length >= MAXLEN) + return KRB5KRB_AP_ERR_ILL_CR_TKT; + memcpy (last, crealm->data, crealm->length); + last[crealm->length] = '\0'; + last_component.length = crealm->length; + } + } + } else if (*p == ' ' && bufp == buf) { + /* This next component stands alone, even if it has a + trailing dot or leading slash. */ + memset (last, 0, sizeof (last)); + last_component.length = 0; + } else { + /* Not a special character; literal. */ + *bufp++ = *p; + if (bufp == buf+sizeof(buf)) + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } } /* At end. Must be normal state. */ if (next_lit) - Tprintf (("ending in next-char-literal state\n")); + Tprintf (("ending in next-char-literal state\n")); /* Process trailing element or comma. */ if (bufp == buf) { - /* Trailing comma. */ - r = process_intermediates (fn, data, &last_component, srealm); + /* Trailing comma. */ + r = process_intermediates (fn, data, &last_component, srealm); } else { - /* Trailing component. */ - this_component.length = bufp - buf; - r = maybe_join (&last_component, &this_component, sizeof(buf)); - if (r) - return r; - r = (*fn) (&this_component, data); - if (r) - return r; - if (intermediates) - r = process_intermediates (fn, data, &this_component, - &last_component); + /* Trailing component. */ + this_component.length = bufp - buf; + r = maybe_join (&last_component, &this_component, sizeof(buf)); + if (r) + return r; + r = (*fn) (&this_component, data); + if (r) + return r; + if (intermediates) + r = process_intermediates (fn, data, &this_component, + &last_component); } if (r != 0) - return r; + return r; return 0; } @@ -300,8 +301,8 @@ check_realm_in_list (krb5_data *realm, void *data) Tprintf ((".. checking '%.*s'\n", (int) realm->length, realm->data)); for (i = 0; cdata->tgs[i]; i++) { - if (data_eq (*krb5_princ_realm (cdata->ctx, cdata->tgs[i]), *realm)) - return 0; + if (data_eq (*krb5_princ_realm (cdata->ctx, cdata->tgs[i]), *realm)) + return 0; } Tprintf (("BAD!\n")); return KRB5KRB_AP_ERR_ILL_CR_TKT; @@ -309,7 +310,7 @@ check_realm_in_list (krb5_data *realm, void *data) krb5_error_code krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in, - const krb5_data *crealm, const krb5_data *srealm) + const krb5_data *crealm, const krb5_data *srealm) { krb5_data trans; struct check_data cdata; @@ -318,31 +319,31 @@ krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in, trans.length = trans_in->length; trans.data = (char *) trans_in->data; if (trans.length && (trans.data[trans.length-1] == '\0')) - trans.length--; + trans.length--; Tprintf (("krb5_check_transited_list(trans=\"%.*s\", crealm=\"%.*s\", srealm=\"%.*s\")\n", - (int) trans.length, trans.data, - (int) crealm->length, crealm->data, - (int) srealm->length, srealm->data)); + (int) trans.length, trans.data, + (int) crealm->length, crealm->data, + (int) srealm->length, srealm->data)); if (trans.length == 0) - return 0; + return 0; r = krb5_walk_realm_tree (ctx, crealm, srealm, &cdata.tgs, - KRB5_REALM_BRANCH_CHAR); + KRB5_REALM_BRANCH_CHAR); if (r) { - Tprintf (("error %ld\n", (long) r)); - return r; + Tprintf (("error %ld\n", (long) r)); + return r; } #ifdef DEBUG /* avoid compiler warning about 'd' unused */ { - int i; - Tprintf (("tgs list = {\n")); - for (i = 0; cdata.tgs[i]; i++) { - char *name; - r = krb5_unparse_name (ctx, cdata.tgs[i], &name); - Tprintf (("\t'%s'\n", name)); - free (name); - } - Tprintf (("}\n")); + int i; + Tprintf (("tgs list = {\n")); + for (i = 0; cdata.tgs[i]; i++) { + char *name; + r = krb5_unparse_name (ctx, cdata.tgs[i], &name); + Tprintf (("\t'%s'\n", name)); + free (name); + } + Tprintf (("}\n")); } #endif cdata.ctx = ctx; @@ -370,19 +371,19 @@ int main (int argc, char *argv[]) { me = me ? me+1 : argv[0]; while (argc > 3 && argv[1][0] == '-') { - if (!strcmp ("-v", argv[1])) - verbose++, argc--, argv++; - else if (!strcmp ("-x", argv[1])) - expand_only++, argc--, argv++; - else - goto usage; + if (!strcmp ("-v", argv[1])) + verbose++, argc--, argv++; + else if (!strcmp ("-x", argv[1])) + expand_only++, argc--, argv++; + else + goto usage; } if (argc != 4) { usage: - printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n", - me); - return 1; + printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n", + me); + return 1; } crealm.data = argv[1]; @@ -394,40 +395,40 @@ int main (int argc, char *argv[]) { if (expand_only) { - printf ("client realm: %s\n", argv[1]); - printf ("server realm: %s\n", argv[2]); - printf ("transit enc.: %s\n", argv[3]); + printf ("client realm: %s\n", argv[1]); + printf ("server realm: %s\n", argv[2]); + printf ("transit enc.: %s\n", argv[3]); - if (argv[3][0] == 0) { - printf ("no other realms transited\n"); - return 0; - } + if (argv[3][0] == 0) { + printf ("no other realms transited\n"); + return 0; + } - r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit); - if (r) - printf ("--> returned error %ld\n", (long) r); - return r != 0; + r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit); + if (r) + printf ("--> returned error %ld\n", (long) r); + return r != 0; } else { - /* Actually check the values against the supplied krb5.conf file. */ - krb5_context ctx; - r = krb5_init_context (&ctx); - if (r) { - com_err (me, r, "initializing krb5 context"); - return 1; - } - r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm); - if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) { - printf ("NO\n"); - } else if (r == 0) { - printf ("YES\n"); - } else { - printf ("kablooey!\n"); - com_err (me, r, "checking transited-realm list"); - return 1; - } - return 0; + /* Actually check the values against the supplied krb5.conf file. */ + krb5_context ctx; + r = krb5_init_context (&ctx); + if (r) { + com_err (me, r, "initializing krb5 context"); + return 1; + } + r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm); + if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) { + printf ("NO\n"); + } else if (r == 0) { + printf ("YES\n"); + } else { + printf ("kablooey!\n"); + com_err (me, r, "checking transited-realm list"); + return 1; + } + return 0; } } diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c index d38a7ef39..1488f627e 100644 --- a/src/lib/krb5/krb/chpw.c +++ b/src/lib/krb5/krb/chpw.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* ** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc. */ @@ -7,12 +8,12 @@ #include "auth_con.h" -krb5_error_code -krb5int_mk_chpw_req(krb5_context context, - krb5_auth_context auth_context, - krb5_data *ap_req, - char *passwd, - krb5_data *packet) +krb5_error_code +krb5int_mk_chpw_req(krb5_context context, + krb5_auth_context auth_context, + krb5_data *ap_req, + char *passwd, + krb5_data *packet) { krb5_error_code ret = 0; krb5_data clearpw; @@ -23,21 +24,21 @@ krb5int_mk_chpw_req(krb5_context context, cipherpw.data = NULL; if ((ret = krb5_auth_con_setflags(context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE))) - goto cleanup; + KRB5_AUTH_CONTEXT_DO_SEQUENCE))) + goto cleanup; clearpw.length = strlen(passwd); clearpw.data = passwd; if ((ret = krb5_mk_priv(context, auth_context, - &clearpw, &cipherpw, &replay))) - goto cleanup; + &clearpw, &cipherpw, &replay))) + goto cleanup; packet->length = 6 + ap_req->length + cipherpw.length; packet->data = (char *) malloc(packet->length); if (packet->data == NULL) { - ret = ENOMEM; - goto cleanup; + ret = ENOMEM; + goto cleanup; } ptr = packet->data; @@ -67,14 +68,14 @@ krb5int_mk_chpw_req(krb5_context context, cleanup: if (cipherpw.data != NULL) /* allocated by krb5_mk_priv */ - free(cipherpw.data); - + free(cipherpw.data); + return(ret); } -krb5_error_code +krb5_error_code krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, - krb5_data *packet, int *result_code, krb5_data *result_data) + krb5_data *packet, int *result_code, krb5_data *result_data) { char *ptr; int plen, vno; @@ -88,9 +89,9 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *tmp; if (packet->length < 4) - /* either this, or the server is printing bad messages, - or the caller passed in garbage */ - return(KRB5KRB_AP_ERR_MODIFIED); + /* either this, or the server is printing bad messages, + or the caller passed in garbage */ + return(KRB5KRB_AP_ERR_MODIFIED); ptr = packet->data; @@ -100,27 +101,27 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, plen = (plen<<8) | (*ptr++ & 0xff); if (plen != packet->length) { - /* - * MS KDCs *may* send back a KRB_ERROR. Although - * not 100% correct via RFC3244, it's something - * we can workaround here. - */ - if (krb5_is_krb_error(packet)) { - - if ((ret = krb5_rd_error(context, packet, &krberror))) - return(ret); - - if (krberror->e_data.data == NULL) - ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; - else - ret = KRB5KRB_AP_ERR_MODIFIED; - krb5_free_error(context, krberror); - return(ret); - } else { - return(KRB5KRB_AP_ERR_MODIFIED); - } + /* + * MS KDCs *may* send back a KRB_ERROR. Although + * not 100% correct via RFC3244, it's something + * we can workaround here. + */ + if (krb5_is_krb_error(packet)) { + + if ((ret = krb5_rd_error(context, packet, &krberror))) + return(ret); + + if (krberror->e_data.data == NULL) + ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; + else + ret = KRB5KRB_AP_ERR_MODIFIED; + krb5_free_error(context, krberror); + return(ret); + } else { + return(KRB5KRB_AP_ERR_MODIFIED); + } } - + /* verify version number */ @@ -128,7 +129,7 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, vno = (vno<<8) | (*ptr++ & 0xff); if (vno != 1) - return(KRB5KDC_ERR_BAD_PVNO); + return(KRB5KDC_ERR_BAD_PVNO); /* read, check ap-rep length */ @@ -136,59 +137,59 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, ap_rep.length = (ap_rep.length<<8) | (*ptr++ & 0xff); if (ptr + ap_rep.length >= packet->data + packet->length) - return(KRB5KRB_AP_ERR_MODIFIED); + return(KRB5KRB_AP_ERR_MODIFIED); if (ap_rep.length) { - /* verify ap_rep */ - ap_rep.data = ptr; - ptr += ap_rep.length; - - /* - * Save send_subkey to later smash recv_subkey. - */ - ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp); - if (ret) - return ret; - - ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); - if (ret) { - krb5_free_keyblock(context, tmp); - return(ret); - } - - krb5_free_ap_rep_enc_part(context, ap_rep_enc); - - /* extract and decrypt the result */ - - cipherresult.data = ptr; - cipherresult.length = (packet->data + packet->length) - ptr; - - /* - * Smash recv_subkey to be send_subkey, per spec. - */ - ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp); - krb5_free_keyblock(context, tmp); - if (ret) - return ret; - - ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, - &replay); - - if (ret) - return(ret); + /* verify ap_rep */ + ap_rep.data = ptr; + ptr += ap_rep.length; + + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmp); + return(ret); + } + + krb5_free_ap_rep_enc_part(context, ap_rep_enc); + + /* extract and decrypt the result */ + + cipherresult.data = ptr; + cipherresult.length = (packet->data + packet->length) - ptr; + + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp); + krb5_free_keyblock(context, tmp); + if (ret) + return ret; + + ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, + &replay); + + if (ret) + return(ret); } else { - cipherresult.data = ptr; - cipherresult.length = (packet->data + packet->length) - ptr; + cipherresult.data = ptr; + cipherresult.length = (packet->data + packet->length) - ptr; - if ((ret = krb5_rd_error(context, &cipherresult, &krberror))) - return(ret); + if ((ret = krb5_rd_error(context, &cipherresult, &krberror))) + return(ret); - clearresult = krberror->e_data; + clearresult = krberror->e_data; } if (clearresult.length < 2) { - ret = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; } ptr = clearresult.data; @@ -197,38 +198,38 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, *result_code = (*result_code<<8) | (*ptr++ & 0xff); if ((*result_code < KRB5_KPASSWD_SUCCESS) || - (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) { - ret = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; + (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) { + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; } /* all success replies should be authenticated/encrypted */ if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) { - ret = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; } result_data->length = (clearresult.data + clearresult.length) - ptr; if (result_data->length) { - result_data->data = (char *) malloc(result_data->length); - if (result_data->data == NULL) { - ret = ENOMEM; - goto cleanup; - } - memcpy(result_data->data, ptr, result_data->length); + result_data->data = (char *) malloc(result_data->length); + if (result_data->data == NULL) { + ret = ENOMEM; + goto cleanup; + } + memcpy(result_data->data, ptr, result_data->length); } else { - result_data->data = NULL; + result_data->data = NULL; } ret = 0; cleanup: if (ap_rep.length) { - free(clearresult.data); + free(clearresult.data); } else { - krb5_free_error(context, krberror); + krb5_free_error(context, krberror); } return(ret); @@ -236,71 +237,71 @@ cleanup: krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string(krb5_context context, int result_code, - char **code_string) + char **code_string) { switch (result_code) { case KRB5_KPASSWD_MALFORMED: - *code_string = "Malformed request error"; - break; + *code_string = "Malformed request error"; + break; case KRB5_KPASSWD_HARDERROR: - *code_string = "Server error"; - break; + *code_string = "Server error"; + break; case KRB5_KPASSWD_AUTHERROR: - *code_string = "Authentication error"; - break; + *code_string = "Authentication error"; + break; case KRB5_KPASSWD_SOFTERROR: - *code_string = "Password change rejected"; - break; + *code_string = "Password change rejected"; + break; default: - *code_string = "Password change failed"; - break; + *code_string = "Password change failed"; + break; } return(0); } -krb5_error_code +krb5_error_code krb5int_mk_setpw_req(krb5_context context, - krb5_auth_context auth_context, - krb5_data *ap_req, - krb5_principal targprinc, - char *passwd, - krb5_data *packet) + krb5_auth_context auth_context, + krb5_data *ap_req, + krb5_principal targprinc, + char *passwd, + krb5_data *packet) { krb5_error_code ret; - krb5_data cipherpw; - krb5_data *encoded_setpw; + krb5_data cipherpw; + krb5_data *encoded_setpw; struct krb5_setpw_req req; char *ptr; cipherpw.data = NULL; cipherpw.length = 0; - + if ((ret = krb5_auth_con_setflags(context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE))) - return(ret); + KRB5_AUTH_CONTEXT_DO_SEQUENCE))) + return(ret); req.target = targprinc; req.password.data = passwd; req.password.length = strlen(passwd); ret = encode_krb5_setpw_req(&req, &encoded_setpw); if (ret) { - return ret; + return ret; } if ((ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) { - krb5_free_data(context, encoded_setpw); - return(ret); + krb5_free_data(context, encoded_setpw); + return(ret); } krb5_free_data(context, encoded_setpw); - + packet->length = 6 + ap_req->length + cipherpw.length; packet->data = (char *) malloc(packet->length); if (packet->data == NULL) { - ret = ENOMEM; - goto cleanup; + ret = ENOMEM; + goto cleanup; } ptr = packet->data; /* @@ -325,18 +326,18 @@ krb5int_mk_setpw_req(krb5_context context, ret = 0; cleanup: if (cipherpw.data) - krb5_free_data_contents(context, &cipherpw); + krb5_free_data_contents(context, &cipherpw); if ((ret != 0) && packet->data) { - free(packet->data); - packet->data = NULL; + free(packet->data); + packet->data = NULL; } return ret; } -krb5_error_code +krb5_error_code krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context, - krb5_data *packet, - int *result_code, krb5_data *result_data) + krb5_data *packet, + int *result_code, krb5_data *result_data) { char *ptr; unsigned int message_length, version_number; @@ -350,7 +351,7 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context, ** validate the packet length - */ if (packet->length < 4) - return(KRB5KRB_AP_ERR_MODIFIED); + return(KRB5KRB_AP_ERR_MODIFIED); ptr = packet->data; @@ -358,109 +359,109 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context, ** see if it is an error */ if (krb5_is_krb_error(packet)) { - krb5_error *krberror; - if ((ret = krb5_rd_error(context, packet, &krberror))) - return(ret); - if (krberror->e_data.data == NULL) { - ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; - krb5_free_error(context, krberror); - return (ret); - } - clearresult = krberror->e_data; - krberror->e_data.data = NULL; /*So we can free it later*/ - krberror->e_data.length = 0; - krb5_free_error(context, krberror); - ap_rep.length = 0; + krb5_error *krberror; + if ((ret = krb5_rd_error(context, packet, &krberror))) + return(ret); + if (krberror->e_data.data == NULL) { + ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; + krb5_free_error(context, krberror); + return (ret); + } + clearresult = krberror->e_data; + krberror->e_data.data = NULL; /*So we can free it later*/ + krberror->e_data.length = 0; + krb5_free_error(context, krberror); + ap_rep.length = 0; } else { /* Not an error*/ - /* - ** validate the message length - - ** length is big endian - */ - message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); - ptr += 2; - /* - ** make sure the message length and packet length agree - - */ - if (message_length != packet->length) - return(KRB5KRB_AP_ERR_MODIFIED); - /* - ** get the version number - - */ - version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); - ptr += 2; - /* - ** make sure we support the version returned - - */ - /* - ** set password version is 0xff80, change password version is 1 - */ - if (version_number != 1 && version_number != 0xff80) - return(KRB5KDC_ERR_BAD_PVNO); - /* - ** now fill in ap_rep with the reply - - */ - /* - ** get the reply length - - */ - ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); - ptr += 2; - /* - ** validate ap_rep length agrees with the packet length - - */ - if (ptr + ap_rep.length >= packet->data + packet->length) - return(KRB5KRB_AP_ERR_MODIFIED); - /* - ** if data was returned, set the ap_rep ptr - - */ - if (ap_rep.length) { - ap_rep.data = ptr; - ptr += ap_rep.length; - - /* - * Save send_subkey to later smash recv_subkey. - */ - ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey); - if (ret) - return ret; - - ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); - if (ret) { - krb5_free_keyblock(context, tmpkey); - return(ret); - } - - krb5_free_ap_rep_enc_part(context, ap_rep_enc); - /* - ** now decrypt the result - - */ - cipherresult.data = ptr; - cipherresult.length = (packet->data + packet->length) - ptr; - - /* - * Smash recv_subkey to be send_subkey, per spec. - */ - ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey); - krb5_free_keyblock(context, tmpkey); - if (ret) - return ret; - - ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, - NULL); - if (ret) - return(ret); - } /*We got an ap_rep*/ - else - return (KRB5KRB_AP_ERR_MODIFIED); + /* + ** validate the message length - + ** length is big endian + */ + message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; + /* + ** make sure the message length and packet length agree - + */ + if (message_length != packet->length) + return(KRB5KRB_AP_ERR_MODIFIED); + /* + ** get the version number - + */ + version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; + /* + ** make sure we support the version returned - + */ + /* + ** set password version is 0xff80, change password version is 1 + */ + if (version_number != 1 && version_number != 0xff80) + return(KRB5KDC_ERR_BAD_PVNO); + /* + ** now fill in ap_rep with the reply - + */ + /* + ** get the reply length - + */ + ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; + /* + ** validate ap_rep length agrees with the packet length - + */ + if (ptr + ap_rep.length >= packet->data + packet->length) + return(KRB5KRB_AP_ERR_MODIFIED); + /* + ** if data was returned, set the ap_rep ptr - + */ + if (ap_rep.length) { + ap_rep.data = ptr; + ptr += ap_rep.length; + + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmpkey); + return(ret); + } + + krb5_free_ap_rep_enc_part(context, ap_rep_enc); + /* + ** now decrypt the result - + */ + cipherresult.data = ptr; + cipherresult.length = (packet->data + packet->length) - ptr; + + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey); + krb5_free_keyblock(context, tmpkey); + if (ret) + return ret; + + ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, + NULL); + if (ret) + return(ret); + } /*We got an ap_rep*/ + else + return (KRB5KRB_AP_ERR_MODIFIED); } /*Response instead of error*/ /* - ** validate the cleartext length + ** validate the cleartext length */ if (clearresult.length < 2) { - ret = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; } /* ** now decode the result - @@ -474,68 +475,67 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context, ** result code 5 is access denied */ if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5)) { - ret = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; } /* ** all success replies should be authenticated/encrypted */ if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) { - ret = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; } if (result_data) { - result_data->length = (clearresult.data + clearresult.length) - ptr; - - if (result_data->length) { - result_data->data = (char *) malloc(result_data->length); - if (result_data->data) - memcpy(result_data->data, ptr, result_data->length); - } else - result_data->data = NULL; + result_data->length = (clearresult.data + clearresult.length) - ptr; + + if (result_data->length) { + result_data->data = (char *) malloc(result_data->length); + if (result_data->data) + memcpy(result_data->data, ptr, result_data->length); + } else + result_data->data = NULL; } ret = 0; - cleanup: +cleanup: krb5_free_data_contents(context, &clearresult); return(ret); } -krb5_error_code +krb5_error_code krb5int_setpw_result_code_string(krb5_context context, int result_code, - const char **code_string) + const char **code_string) { switch (result_code) { case KRB5_KPASSWD_MALFORMED: - *code_string = "Malformed request error"; - break; + *code_string = "Malformed request error"; + break; case KRB5_KPASSWD_HARDERROR: - *code_string = "Server error"; - break; + *code_string = "Server error"; + break; case KRB5_KPASSWD_AUTHERROR: - *code_string = "Authentication error"; - break; + *code_string = "Authentication error"; + break; case KRB5_KPASSWD_SOFTERROR: - *code_string = "Password change rejected"; - break; + *code_string = "Password change rejected"; + break; case 5: /* access denied */ - *code_string = "Access denied"; - break; - case 6: /* bad version */ - *code_string = "Wrong protocol version"; - break; + *code_string = "Access denied"; + break; + case 6: /* bad version */ + *code_string = "Wrong protocol version"; + break; case 7: /* initial flag is needed */ - *code_string = "Initial password required"; - break; + *code_string = "Initial password required"; + break; case 0: - *code_string = "Success"; - break; + *code_string = "Success"; + break; default: - *code_string = "Password change failed"; - break; + *code_string = "Password change failed"; + break; } return(0); } - diff --git a/src/lib/krb5/krb/cleanup.h b/src/lib/krb5/krb/cleanup.h index 94b39f757..3a018330a 100644 --- a/src/lib/krb5/krb/cleanup.h +++ b/src/lib/krb5/krb/cleanup.h @@ -1,29 +1,30 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #ifndef KRB5_CLEANUP #define KRB5_CLEANUP struct cleanup { - void * arg; - void (*func)(void *); + void * arg; + void (*func)(void *); }; -#define CLEANUP_INIT(x) \ - struct cleanup cleanup_data[x]; \ - int cleanup_count = 0; +#define CLEANUP_INIT(x) \ + struct cleanup cleanup_data[x]; \ + int cleanup_count = 0; -#define CLEANUP_PUSH(x, y) \ - cleanup_data[cleanup_count].arg = x; \ - cleanup_data[cleanup_count].func = y; \ +#define CLEANUP_PUSH(x, y) \ + cleanup_data[cleanup_count].arg = x; \ + cleanup_data[cleanup_count].func = y; \ cleanup_count++; -#define CLEANUP_POP(x) \ - if ((--cleanup_count) && x && (cleanup_data[cleanup_count].func)) \ - cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg); - -#define CLEANUP_DONE() \ - while(cleanup_count--) \ - if (cleanup_data[cleanup_count].func) \ - cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg); - +#define CLEANUP_POP(x) \ + if ((--cleanup_count) && x && (cleanup_data[cleanup_count].func)) \ + cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg); + +#define CLEANUP_DONE() \ + while(cleanup_count--) \ + if (cleanup_data[cleanup_count].func) \ + cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg); + #endif diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c index b6c610842..6f4608817 100644 --- a/src/lib/krb5/krb/conv_creds.c +++ b/src/lib/krb5/krb/conv_creds.c @@ -1,6 +1,7 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1994 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -29,7 +30,7 @@ krb5_error_code KRB5_CALLCONV krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, - struct credentials *v4creds) + struct credentials *v4creds) { return KRB524_KRB4_DISABLED; } @@ -45,11 +46,11 @@ krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, void KRB5_CALLCONV krb524_init_ets (void); krb5_error_code KRB5_CALLCONV krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, - struct credentials *v4creds); + struct credentials *v4creds); krb5_error_code KRB5_CALLCONV krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, - struct credentials *v4creds) + struct credentials *v4creds) { return KRB524_KRB4_DISABLED; } diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c index 43c588f0f..5f63f465a 100644 --- a/src/lib/krb5/krb/conv_princ.c +++ b/src/lib/krb5/krb/conv_princ.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/conv_princ.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,10 +23,10 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * Build a principal from a V4 specification, or separate a V5 * principal into name, instance, and realm. - * + * * NOTE: This is highly site specific, and is only really necessary * for sites who need to convert from V4 to V5. It is used by both * the KDC and the kdb5_convert program. Since its use is highly @@ -39,16 +40,16 @@ /* The maximum sizes for V4 aname, realm, sname, and instance +1 */ /* Taken from krb.h */ -#define ANAME_SZ 40 -#define REALM_SZ 40 -#define SNAME_SZ 40 -#define INST_SZ 40 +#define ANAME_SZ 40 +#define REALM_SZ 40 +#define SNAME_SZ 40 +#define INST_SZ 40 struct krb_convert { - char *v4_str; - char *v5_str; - unsigned int flags : 8; - unsigned int len : 8; + char *v4_str; + char *v5_str; + unsigned int flags : 8; + unsigned int len : 8; }; #define DO_REALM_CONVERSION 0x00000001 @@ -71,9 +72,9 @@ static const struct krb_convert sconv_list[] = { /* Realm conversion, Change service name */ #define RC(V5NAME,V4NAME) { V5NAME, V4NAME, DO_REALM_CONVERSION, sizeof(V5NAME)-1 } /* Realm conversion */ -#define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 } +#define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 } /* No Realm conversion */ -#define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 } +#define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 } NR("kadmin"), RC("rcmd", "host"), @@ -128,18 +129,18 @@ static const struct krb_convert sconv_list[] = { * This falls in the "should have been in the ANSI C library" * category. :-) */ -static char *strnchr(register char *s, register int c, - register unsigned int n) +static char *strnchr(register char *s, register int c, + register unsigned int n) { - if (n < 1) - return 0; - - while (n-- && *s) { - if (*s == c) - return s; - s++; - } - return 0; + if (n < 1) + return 0; + + while (n-- && *s) { + if (*s == c) + return s; + s++; + } + return 0; } @@ -148,207 +149,207 @@ static char *strnchr(register char *s, register int c, krb5_error_code KRB5_CALLCONV krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, - char *name, char *inst, char *realm) + char *name, char *inst, char *realm) { - const struct krb_convert *p; - const krb5_data *compo; - char *c, *tmp_realm, *tmp_prealm; - unsigned int tmp_realm_len; - int retval; + const struct krb_convert *p; + const krb5_data *compo; + char *c, *tmp_realm, *tmp_prealm; + unsigned int tmp_realm_len; + int retval; - if (context->profile == 0) - return KRB5_CONFIG_CANTOPEN; + if (context->profile == 0) + return KRB5_CONFIG_CANTOPEN; - *name = *inst = '\0'; - switch (krb5_princ_size(context, princ)) { - case 2: - /* Check if this principal is listed in the table */ - compo = krb5_princ_component(context, princ, 0); - p = sconv_list; - while (p->v4_str) { - if (p->len == compo->length - && memcmp(p->v5_str, compo->data, compo->length) == 0) { - /* - * It is, so set the new name now, and chop off - * instance's domain name if requested. - */ - if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ) - return KRB5_INVALID_PRINCIPAL; - if (p->flags & DO_REALM_CONVERSION) { - compo = krb5_princ_component(context, princ, 1); - c = strnchr(compo->data, '.', compo->length); - if (!c || (c - compo->data) >= INST_SZ - 1) - return KRB5_INVALID_PRINCIPAL; - memcpy(inst, compo->data, (size_t) (c - compo->data)); - inst[c - compo->data] = '\0'; - } - break; - } - p++; - } - /* If inst isn't set, the service isn't listed in the table, */ - /* so just copy it. */ - if (*inst == '\0') { - compo = krb5_princ_component(context, princ, 1); - if (compo->length >= INST_SZ - 1) - return KRB5_INVALID_PRINCIPAL; - memcpy(inst, compo->data, compo->length); - inst[compo->length] = '\0'; - } - /* fall through */ - case 1: - /* name may have been set above; otherwise, just copy it */ - if (*name == '\0') { - compo = krb5_princ_component(context, princ, 0); - if (compo->length >= ANAME_SZ) - return KRB5_INVALID_PRINCIPAL; - memcpy(name, compo->data, compo->length); - name[compo->length] = '\0'; - } - break; - default: - return KRB5_INVALID_PRINCIPAL; - } + *name = *inst = '\0'; + switch (krb5_princ_size(context, princ)) { + case 2: + /* Check if this principal is listed in the table */ + compo = krb5_princ_component(context, princ, 0); + p = sconv_list; + while (p->v4_str) { + if (p->len == compo->length + && memcmp(p->v5_str, compo->data, compo->length) == 0) { + /* + * It is, so set the new name now, and chop off + * instance's domain name if requested. + */ + if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ) + return KRB5_INVALID_PRINCIPAL; + if (p->flags & DO_REALM_CONVERSION) { + compo = krb5_princ_component(context, princ, 1); + c = strnchr(compo->data, '.', compo->length); + if (!c || (c - compo->data) >= INST_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + memcpy(inst, compo->data, (size_t) (c - compo->data)); + inst[c - compo->data] = '\0'; + } + break; + } + p++; + } + /* If inst isn't set, the service isn't listed in the table, */ + /* so just copy it. */ + if (*inst == '\0') { + compo = krb5_princ_component(context, princ, 1); + if (compo->length >= INST_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + memcpy(inst, compo->data, compo->length); + inst[compo->length] = '\0'; + } + /* fall through */ + case 1: + /* name may have been set above; otherwise, just copy it */ + if (*name == '\0') { + compo = krb5_princ_component(context, princ, 0); + if (compo->length >= ANAME_SZ) + return KRB5_INVALID_PRINCIPAL; + memcpy(name, compo->data, compo->length); + name[compo->length] = '\0'; + } + break; + default: + return KRB5_INVALID_PRINCIPAL; + } - compo = krb5_princ_realm(context, princ); + compo = krb5_princ_realm(context, princ); - tmp_prealm = malloc(compo->length + 1); - if (tmp_prealm == NULL) - return ENOMEM; - strncpy(tmp_prealm, compo->data, compo->length); - tmp_prealm[compo->length] = '\0'; + tmp_prealm = malloc(compo->length + 1); + if (tmp_prealm == NULL) + return ENOMEM; + strncpy(tmp_prealm, compo->data, compo->length); + tmp_prealm[compo->length] = '\0'; - /* Ask for v4_realm corresponding to - krb5 principal realm from krb5.conf realms stanza */ + /* Ask for v4_realm corresponding to + krb5 principal realm from krb5.conf realms stanza */ - retval = profile_get_string(context->profile, KRB5_CONF_REALMS, - tmp_prealm, KRB5_CONF_V4_REALM, 0, - &tmp_realm); - free(tmp_prealm); - if (retval) { - return retval; - } else { - if (tmp_realm == 0) { - if (compo->length > REALM_SZ - 1) - return KRB5_INVALID_PRINCIPAL; - strncpy(realm, compo->data, compo->length); - realm[compo->length] = '\0'; - } else { - tmp_realm_len = strlen(tmp_realm); - if (tmp_realm_len > REALM_SZ - 1) - return KRB5_INVALID_PRINCIPAL; - strncpy(realm, tmp_realm, tmp_realm_len); - realm[tmp_realm_len] = '\0'; - profile_release_string(tmp_realm); - } - } - return 0; + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + tmp_prealm, KRB5_CONF_V4_REALM, 0, + &tmp_realm); + free(tmp_prealm); + if (retval) { + return retval; + } else { + if (tmp_realm == 0) { + if (compo->length > REALM_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + strncpy(realm, compo->data, compo->length); + realm[compo->length] = '\0'; + } else { + tmp_realm_len = strlen(tmp_realm); + if (tmp_realm_len > REALM_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + strncpy(realm, tmp_realm, tmp_realm_len); + realm[tmp_realm_len] = '\0'; + profile_release_string(tmp_realm); + } + } + return 0; } krb5_error_code KRB5_CALLCONV krb5_425_conv_principal(krb5_context context, const char *name, - const char *instance, const char *realm, - krb5_principal *princ) + const char *instance, const char *realm, + krb5_principal *princ) { - const struct krb_convert *p; - char buf[256]; /* V4 instances are limited to 40 characters */ - krb5_error_code retval; - char *domain, *cp; - char **full_name = 0; - const char *names[5], *names2[2]; - void* iterator = NULL; - char** v4realms = NULL; - char* realm_name = NULL; - char* dummy_value = NULL; - - /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm - To do that, iterate over all the realms in the config file, looking for a matching - v4_realm line */ - names2 [0] = KRB5_CONF_REALMS; - names2 [1] = NULL; - retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator); - while (retval == 0) { - retval = profile_iterator (&iterator, &realm_name, &dummy_value); - if ((retval == 0) && (realm_name != NULL)) { - names [0] = KRB5_CONF_REALMS; - names [1] = realm_name; - names [2] = KRB5_CONF_V4_REALM; - names [3] = NULL; + const struct krb_convert *p; + char buf[256]; /* V4 instances are limited to 40 characters */ + krb5_error_code retval; + char *domain, *cp; + char **full_name = 0; + const char *names[5], *names2[2]; + void* iterator = NULL; + char** v4realms = NULL; + char* realm_name = NULL; + char* dummy_value = NULL; + + /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm + To do that, iterate over all the realms in the config file, looking for a matching + v4_realm line */ + names2 [0] = KRB5_CONF_REALMS; + names2 [1] = NULL; + retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator); + while (retval == 0) { + retval = profile_iterator (&iterator, &realm_name, &dummy_value); + if ((retval == 0) && (realm_name != NULL)) { + names [0] = KRB5_CONF_REALMS; + names [1] = realm_name; + names [2] = KRB5_CONF_V4_REALM; + names [3] = NULL; + + retval = profile_get_values (context -> profile, names, &v4realms); + if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) { + realm = realm_name; + break; + } else if (retval == PROF_NO_RELATION) { + /* If it's not found, just keep going */ + retval = 0; + } + } else if ((retval == 0) && (realm_name == NULL)) { + break; + } + if (v4realms != NULL) { + profile_free_list(v4realms); + v4realms = NULL; + } + if (realm_name != NULL) { + profile_release_string (realm_name); + realm_name = NULL; + } + if (dummy_value != NULL) { + profile_release_string (dummy_value); + dummy_value = NULL; + } + } + + if (instance) { + if (instance[0] == '\0') { + instance = 0; + goto not_service; + } + p = sconv_list; + while (1) { + if (!p->v4_str) + goto not_service; + if (!strcmp(p->v4_str, name)) + break; + p++; + } + name = p->v5_str; + if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) { + names[0] = KRB5_CONF_REALMS; + names[1] = realm; + names[2] = KRB5_CONF_V4_INSTANCE_CONVERT; + names[3] = instance; + names[4] = 0; + retval = profile_get_values(context->profile, names, &full_name); + if (retval == 0 && full_name && full_name[0]) { + instance = full_name[0]; + } else { + strncpy(buf, instance, sizeof(buf)); + buf[sizeof(buf) - 1] = '\0'; + retval = krb5_get_realm_domain(context, realm, &domain); + if (retval) + return retval; + if (domain) { + for (cp = domain; *cp; cp++) + if (isupper((unsigned char) (*cp))) + *cp = tolower((unsigned char) *cp); + strncat(buf, ".", sizeof(buf) - 1 - strlen(buf)); + strncat(buf, domain, sizeof(buf) - 1 - strlen(buf)); + free(domain); + } + instance = buf; + } + } + } - retval = profile_get_values (context -> profile, names, &v4realms); - if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) { - realm = realm_name; - break; - } else if (retval == PROF_NO_RELATION) { - /* If it's not found, just keep going */ - retval = 0; - } - } else if ((retval == 0) && (realm_name == NULL)) { - break; - } - if (v4realms != NULL) { - profile_free_list(v4realms); - v4realms = NULL; - } - if (realm_name != NULL) { - profile_release_string (realm_name); - realm_name = NULL; - } - if (dummy_value != NULL) { - profile_release_string (dummy_value); - dummy_value = NULL; - } - } - - if (instance) { - if (instance[0] == '\0') { - instance = 0; - goto not_service; - } - p = sconv_list; - while (1) { - if (!p->v4_str) - goto not_service; - if (!strcmp(p->v4_str, name)) - break; - p++; - } - name = p->v5_str; - if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) { - names[0] = KRB5_CONF_REALMS; - names[1] = realm; - names[2] = KRB5_CONF_V4_INSTANCE_CONVERT; - names[3] = instance; - names[4] = 0; - retval = profile_get_values(context->profile, names, &full_name); - if (retval == 0 && full_name && full_name[0]) { - instance = full_name[0]; - } else { - strncpy(buf, instance, sizeof(buf)); - buf[sizeof(buf) - 1] = '\0'; - retval = krb5_get_realm_domain(context, realm, &domain); - if (retval) - return retval; - if (domain) { - for (cp = domain; *cp; cp++) - if (isupper((unsigned char) (*cp))) - *cp = tolower((unsigned char) *cp); - strncat(buf, ".", sizeof(buf) - 1 - strlen(buf)); - strncat(buf, domain, sizeof(buf) - 1 - strlen(buf)); - free(domain); - } - instance = buf; - } - } - } - not_service: - retval = krb5_build_principal(context, princ, strlen(realm), realm, name, - instance, NULL); - if (iterator) profile_iterator_free (&iterator); - if (full_name) profile_free_list(full_name); - if (v4realms) profile_free_list(v4realms); - if (realm_name) profile_release_string (realm_name); - if (dummy_value) profile_release_string (dummy_value); - return retval; + retval = krb5_build_principal(context, princ, strlen(realm), realm, name, + instance, NULL); + if (iterator) profile_iterator_free (&iterator); + if (full_name) profile_free_list(full_name); + if (v4realms) profile_free_list(v4realms); + if (realm_name) profile_release_string (realm_name); + if (dummy_value) profile_release_string (dummy_value); + return retval; } diff --git a/src/lib/krb5/krb/copy_addrs.c b/src/lib/krb5/krb/copy_addrs.c index c3dcd57d0..7207c4c27 100644 --- a/src/lib/krb5/krb/copy_addrs.c +++ b/src/lib/krb5/krb/copy_addrs.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_addrs.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_addresses() */ @@ -35,11 +36,11 @@ krb5_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou krb5_address *tmpad; if (!(tmpad = (krb5_address *)malloc(sizeof(*tmpad)))) - return ENOMEM; + return ENOMEM; *tmpad = *inad; if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) { - free(tmpad); - return ENOMEM; + free(tmpad); + return ENOMEM; } memcpy(tmpad->contents, inad->contents, inad->length); *outad = tmpad; @@ -57,22 +58,22 @@ krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_addr register unsigned int nelems = 0; if (!inaddr) { - *outaddr = 0; - return 0; + *outaddr = 0; + return 0; } - + while (inaddr[nelems]) nelems++; /* one more for a null terminated list */ if (!(tempaddr = (krb5_address **) calloc(nelems+1, sizeof(*tempaddr)))) - return ENOMEM; + return ENOMEM; for (nelems = 0; inaddr[nelems]; nelems++) { - retval = krb5_copy_addr(context, inaddr[nelems], &tempaddr[nelems]); + retval = krb5_copy_addr(context, inaddr[nelems], &tempaddr[nelems]); if (retval) { - krb5_free_addresses(context, tempaddr); - return retval; - } + krb5_free_addresses(context, tempaddr); + return retval; + } } *outaddr = tempaddr; @@ -88,8 +89,8 @@ krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_addr krb5_error_code krb5_append_addresses(context, inaddr, outaddr) krb5_context context; - krb5_address * const * inaddr; - krb5_address ***outaddr; + krb5_address * const * inaddr; + krb5_address ***outaddr; { krb5_error_code retval; krb5_address ** tempaddr; @@ -98,7 +99,7 @@ krb5_append_addresses(context, inaddr, outaddr) register int norigelems = 0; if (!inaddr) - return 0; + return 0; tempaddr2 = *outaddr; @@ -106,34 +107,33 @@ krb5_append_addresses(context, inaddr, outaddr) while (tempaddr2[norigelems]) norigelems++; tempaddr = (krb5_address **) realloc((char *)*outaddr, - (nelems + norigelems + 1) * sizeof(*tempaddr)); + (nelems + norigelems + 1) * sizeof(*tempaddr)); if (!tempaddr) - return ENOMEM; + return ENOMEM; /* The old storage has been freed. */ *outaddr = tempaddr; for (nelems = 0; inaddr[nelems]; nelems++) { - retval = krb5_copy_addr(context, inaddr[nelems], - &tempaddr[norigelems + nelems]); - if (retval) - goto cleanup; + retval = krb5_copy_addr(context, inaddr[nelems], + &tempaddr[norigelems + nelems]); + if (retval) + goto cleanup; } tempaddr[norigelems + nelems] = 0; return 0; - cleanup: +cleanup: while (--nelems >= 0) - krb5_free_address(context, tempaddr[norigelems + nelems]); + krb5_free_address(context, tempaddr[norigelems + nelems]); /* Try to allocate a smaller amount of memory for *outaddr. */ tempaddr = (krb5_address **) realloc((char *)tempaddr, - (norigelems + 1) * sizeof(*tempaddr)); + (norigelems + 1) * sizeof(*tempaddr)); if (tempaddr) - *outaddr = tempaddr; + *outaddr = tempaddr; return retval; } #endif - diff --git a/src/lib/krb5/krb/copy_athctr.c b/src/lib/krb5/krb/copy_athctr.c index c356fbf78..3345486e4 100644 --- a/src/lib/krb5/krb/copy_athctr.c +++ b/src/lib/krb5/krb/copy_athctr.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_athctr.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_authenticator() */ @@ -36,48 +37,47 @@ krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom krb5_authenticator *tempto; if (!(tempto = (krb5_authenticator *)malloc(sizeof(*tempto)))) - return ENOMEM; + return ENOMEM; *tempto = *authfrom; retval = krb5_copy_principal(context, authfrom->client, &tempto->client); if (retval) { - free(tempto); - return retval; + free(tempto); + return retval; } - + if (authfrom->checksum && - (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) { - krb5_free_principal(context, tempto->client); - free(tempto); - return retval; + (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) { + krb5_free_principal(context, tempto->client); + free(tempto); + return retval; } - + if (authfrom->subkey) { - retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey); - if (retval) { - free(tempto->subkey); - krb5_free_checksum(context, tempto->checksum); - krb5_free_principal(context, tempto->client); - free(tempto); - return retval; - } + retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey); + if (retval) { + free(tempto->subkey); + krb5_free_checksum(context, tempto->checksum); + krb5_free_principal(context, tempto->client); + free(tempto); + return retval; + } } - + if (authfrom->authorization_data) { - retval = krb5_copy_authdata(context, authfrom->authorization_data, - &tempto->authorization_data); - if (retval) { - free(tempto->subkey); - krb5_free_checksum(context, tempto->checksum); - krb5_free_principal(context, tempto->client); - krb5_free_authdata(context, tempto->authorization_data); - free(tempto); - return retval; - } + retval = krb5_copy_authdata(context, authfrom->authorization_data, + &tempto->authorization_data); + if (retval) { + free(tempto->subkey); + krb5_free_checksum(context, tempto->checksum); + krb5_free_principal(context, tempto->client); + krb5_free_authdata(context, tempto->authorization_data); + free(tempto); + return retval; + } } *authto = tempto; return 0; } #endif - diff --git a/src/lib/krb5/krb/copy_auth.c b/src/lib/krb5/krb/copy_auth.c index 6f36b2698..303badd2f 100644 --- a/src/lib/krb5/krb/copy_auth.c +++ b/src/lib/krb5/krb/copy_auth.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_auth.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_authdata() */ @@ -62,11 +63,11 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda krb5_authdata *tmpad; if (!(tmpad = (krb5_authdata *)malloc(sizeof(*tmpad)))) - return ENOMEM; + return ENOMEM; *tmpad = *inad; if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) { - free(tmpad); - return ENOMEM; + free(tmpad); + return ENOMEM; } memcpy(tmpad->contents, inad->contents, inad->length); *outad = tmpad; @@ -78,7 +79,7 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda */ krb5_error_code KRB5_CALLCONV krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5_authdata * const *inauthdat2, - krb5_authdata ***outauthdat) + krb5_authdata ***outauthdat) { krb5_error_code retval; krb5_authdata ** tempauthdat; @@ -86,40 +87,40 @@ krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5 *outauthdat = NULL; if (!inauthdat1 && !inauthdat2) { - *outauthdat = 0; - return 0; + *outauthdat = 0; + return 0; } - if (inauthdat1) - while (inauthdat1[nelems]) nelems++; - if (inauthdat2) - while (inauthdat2[nelems2]) nelems2++; + if (inauthdat1) + while (inauthdat1[nelems]) nelems++; + if (inauthdat2) + while (inauthdat2[nelems2]) nelems2++; /* one more for a null terminated list */ if (!(tempauthdat = (krb5_authdata **) calloc(nelems+nelems2+1, - sizeof(*tempauthdat)))) - return ENOMEM; + sizeof(*tempauthdat)))) + return ENOMEM; if (inauthdat1) { - for (nelems = 0; inauthdat1[nelems]; nelems++) { - retval = krb5_copy_authdatum(context, inauthdat1[nelems], - &tempauthdat[nelems]); - if (retval) { - krb5_free_authdata(context, tempauthdat); - return retval; - } - } + for (nelems = 0; inauthdat1[nelems]; nelems++) { + retval = krb5_copy_authdatum(context, inauthdat1[nelems], + &tempauthdat[nelems]); + if (retval) { + krb5_free_authdata(context, tempauthdat); + return retval; + } + } } if (inauthdat2) { - for (nelems2 = 0; inauthdat2[nelems2]; nelems2++) { - retval = krb5_copy_authdatum(context, inauthdat2[nelems2], - &tempauthdat[nelems++]); - if (retval) { - krb5_free_authdata(context, tempauthdat); - return retval; - } - } + for (nelems2 = 0; inauthdat2[nelems2]; nelems2++) { + retval = krb5_copy_authdatum(context, inauthdat2[nelems2], + &tempauthdat[nelems++]); + if (retval) { + krb5_free_authdata(context, tempauthdat); + return retval; + } + } } *outauthdat = tempauthdat; @@ -128,16 +129,16 @@ krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5 krb5_error_code KRB5_CALLCONV krb5_copy_authdata(krb5_context context, - krb5_authdata *const *in_authdat, krb5_authdata ***out) + krb5_authdata *const *in_authdat, krb5_authdata ***out) { return krb5_merge_authdata(context, in_authdat, NULL, out); } krb5_error_code KRB5_CALLCONV krb5_decode_authdata_container(krb5_context context, - krb5_authdatatype type, - const krb5_authdata *container, - krb5_authdata ***authdata) + krb5_authdatatype type, + const krb5_authdata *container, + krb5_authdata ***authdata) { krb5_error_code code; krb5_data data; @@ -145,23 +146,23 @@ krb5_decode_authdata_container(krb5_context context, *authdata = NULL; if ((container->ad_type & AD_TYPE_FIELD_TYPE_MASK) != type) - return EINVAL; + return EINVAL; data.length = container->length; data.data = (char *)container->contents; code = decode_krb5_authdata(&data, authdata); if (code) - return code; + return code; return 0; } krb5_error_code KRB5_CALLCONV krb5_encode_authdata_container(krb5_context context, - krb5_authdatatype type, - krb5_authdata *const*authdata, - krb5_authdata ***container) + krb5_authdatatype type, + krb5_authdata *const*authdata, + krb5_authdata ***container) { krb5_error_code code; krb5_data *data; @@ -172,7 +173,7 @@ krb5_encode_authdata_container(krb5_context context, code = encode_krb5_authdata((krb5_authdata * const *)authdata, &data); if (code) - return code; + return code; ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK; ad_datum.length = data->length; @@ -189,67 +190,67 @@ krb5_encode_authdata_container(krb5_context context, } struct find_authdata_context { - krb5_authdata **out; - size_t space; - size_t length; + krb5_authdata **out; + size_t space; + size_t length; }; static krb5_error_code grow_find_authdata (krb5_context context, struct find_authdata_context *fctx, krb5_authdata *elem) { - krb5_error_code retval = 0; - if (fctx->length == fctx->space) { - krb5_authdata **new; - if (fctx->space >= 256) { - krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query"); - return ERANGE; + krb5_error_code retval = 0; + if (fctx->length == fctx->space) { + krb5_authdata **new; + if (fctx->space >= 256) { + krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query"); + return ERANGE; + } + new = realloc(fctx->out, + sizeof (krb5_authdata *)*(2*fctx->space+1)); + if (new == NULL) + return ENOMEM; + fctx->out = new; + fctx->space *=2; } - new = realloc(fctx->out, - sizeof (krb5_authdata *)*(2*fctx->space+1)); - if (new == NULL) - return ENOMEM; - fctx->out = new; - fctx->space *=2; - } - fctx->out[fctx->length+1] = NULL; - retval = krb5_copy_authdatum(context, elem, - &fctx->out[fctx->length]); - if (retval == 0) - fctx->length++; - return retval; + fctx->out[fctx->length+1] = NULL; + retval = krb5_copy_authdatum(context, elem, + &fctx->out[fctx->length]); + if (retval == 0) + fctx->length++; + return retval; } - - + + static krb5_error_code find_authdata_1 (krb5_context context, krb5_authdata *const *in_authdat, krb5_authdatatype ad_type, struct find_authdata_context *fctx) { - int i = 0; - krb5_error_code retval=0; - - for (i = 0; in_authdat[i]; i++) { - krb5_authdata *ad = in_authdat[i]; - if (ad->ad_type == ad_type && retval ==0) - retval = grow_find_authdata(context, fctx, ad); - else switch (ad->ad_type) { - krb5_authdata **decoded_container; - case KRB5_AUTHDATA_IF_RELEVANT: - if (retval == 0) - retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container); - if (retval == 0) { - retval = find_authdata_1(context, - decoded_container, ad_type, fctx); - krb5_free_authdata(context, decoded_container); - } - break; - default: - break; + int i = 0; + krb5_error_code retval=0; + + for (i = 0; in_authdat[i]; i++) { + krb5_authdata *ad = in_authdat[i]; + if (ad->ad_type == ad_type && retval ==0) + retval = grow_find_authdata(context, fctx, ad); + else switch (ad->ad_type) { + krb5_authdata **decoded_container; + case KRB5_AUTHDATA_IF_RELEVANT: + if (retval == 0) + retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container); + if (retval == 0) { + retval = find_authdata_1(context, + decoded_container, ad_type, fctx); + krb5_free_authdata(context, decoded_container); + } + break; + default: + break; + } } - } - return retval; + return retval; } @@ -259,30 +260,30 @@ krb5_error_code krb5int_find_authdata krb5_authdatatype ad_type, krb5_authdata ***results) { - krb5_error_code retval = 0; - struct find_authdata_context fctx; - fctx.length = 0; - fctx.space = 2; - fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *)); - *results = NULL; - if (fctx.out == NULL) - return ENOMEM; - if (ticket_authdata) - retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx); - if ((retval==0) && ap_req_authdata) - retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx); - if ((retval== 0) && fctx.length) - *results = fctx.out; - else krb5_free_authdata(context, fctx.out); - return retval; + krb5_error_code retval = 0; + struct find_authdata_context fctx; + fctx.length = 0; + fctx.space = 2; + fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *)); + *results = NULL; + if (fctx.out == NULL) + return ENOMEM; + if (ticket_authdata) + retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx); + if ((retval==0) && ap_req_authdata) + retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx); + if ((retval== 0) && fctx.length) + *results = fctx.out; + else krb5_free_authdata(context, fctx.out); + return retval; } krb5_error_code KRB5_CALLCONV krb5_make_authdata_kdc_issued(krb5_context context, - const krb5_keyblock *key, - krb5_const_principal issuer, - krb5_authdata *const *authdata, - krb5_authdata ***ad_kdcissued) + const krb5_keyblock *key, + krb5_const_principal issuer, + krb5_authdata *const *authdata, + krb5_authdata ***ad_kdcissued) { krb5_error_code code; krb5_ad_kdcissued ad_kdci; @@ -337,10 +338,10 @@ krb5_make_authdata_kdc_issued(krb5_context context, krb5_error_code KRB5_CALLCONV krb5_verify_authdata_kdc_issued(krb5_context context, - const krb5_keyblock *key, - const krb5_authdata *ad_kdcissued, - krb5_principal *issuer, - krb5_authdata ***authdata) + const krb5_keyblock *key, + const krb5_authdata *ad_kdcissued, + krb5_principal *issuer, + krb5_authdata ***authdata) { krb5_error_code code; krb5_ad_kdcissued *ad_kdci; @@ -348,8 +349,8 @@ krb5_verify_authdata_kdc_issued(krb5_context context, krb5_boolean valid = FALSE; if ((ad_kdcissued->ad_type & AD_TYPE_FIELD_TYPE_MASK) != - KRB5_AUTHDATA_KDC_ISSUED) - return EINVAL; + KRB5_AUTHDATA_KDC_ISSUED) + return EINVAL; if (issuer != NULL) *issuer = NULL; @@ -399,4 +400,3 @@ krb5_verify_authdata_kdc_issued(krb5_context context, return 0; } - diff --git a/src/lib/krb5/krb/copy_cksum.c b/src/lib/krb5/krb/copy_cksum.c index c7c1b161c..68822d213 100644 --- a/src/lib/krb5/krb/copy_cksum.c +++ b/src/lib/krb5/krb/copy_cksum.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_cksum.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_checksum() */ @@ -35,12 +36,12 @@ krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, krb5_check krb5_checksum *tempto; if (!(tempto = (krb5_checksum *)malloc(sizeof(*tempto)))) - return ENOMEM; + return ENOMEM; *tempto = *ckfrom; if (!(tempto->contents = (krb5_octet *)malloc(tempto->length))) { - free(tempto); - return ENOMEM; + free(tempto); + return ENOMEM; } memcpy(tempto->contents, ckfrom->contents, ckfrom->length); diff --git a/src/lib/krb5/krb/copy_creds.c b/src/lib/krb5/krb/copy_creds.c index e6fece383..0e1a814cc 100644 --- a/src/lib/krb5/krb/copy_creds.c +++ b/src/lib/krb5/krb/copy_creds.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_creds.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_cred() */ @@ -40,13 +41,13 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out krb5_error_code retval; if (!(tempcred = (krb5_creds *)malloc(sizeof(*tempcred)))) - return ENOMEM; + return ENOMEM; retval = krb5int_copy_creds_contents(context, incred, tempcred); if (retval) - free(tempcred); + free(tempcred); else - *outcred = tempcred; + *outcred = tempcred; return retval; } @@ -58,7 +59,7 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out */ krb5_error_code krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred, - krb5_creds *tempcred) + krb5_creds *tempcred) { krb5_error_code retval; krb5_data *scratch; @@ -66,25 +67,25 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred, *tempcred = *incred; retval = krb5_copy_principal(context, incred->client, &tempcred->client); if (retval) - goto cleanlast; + goto cleanlast; retval = krb5_copy_principal(context, incred->server, &tempcred->server); if (retval) - goto cleanclient; + goto cleanclient; retval = krb5_copy_keyblock_contents(context, &incred->keyblock, - &tempcred->keyblock); + &tempcred->keyblock); if (retval) - goto cleanserver; + goto cleanserver; retval = krb5_copy_addresses(context, incred->addresses, &tempcred->addresses); if (retval) - goto cleanblock; + goto cleanblock; retval = krb5_copy_data(context, &incred->ticket, &scratch); if (retval) - goto cleanaddrs; + goto cleanaddrs; tempcred->ticket = *scratch; free(scratch); retval = krb5_copy_data(context, &incred->second_ticket, &scratch); if (retval) - goto clearticket; + goto clearticket; tempcred->second_ticket = *scratch; free(scratch); @@ -95,22 +96,22 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred, return 0; - clearsecondticket: +clearsecondticket: memset(tempcred->second_ticket.data,0,tempcred->second_ticket.length); free(tempcred->second_ticket.data); - clearticket: +clearticket: memset(tempcred->ticket.data,0,tempcred->ticket.length); free(tempcred->ticket.data); - cleanaddrs: +cleanaddrs: krb5_free_addresses(context, tempcred->addresses); - cleanblock: +cleanblock: free(tempcred->keyblock.contents); - cleanserver: +cleanserver: krb5_free_principal(context, tempcred->server); - cleanclient: +cleanclient: krb5_free_principal(context, tempcred->client); - cleanlast: - /* Do not free tempcred - we did not allocate it - its contents are +cleanlast: + /* Do not free tempcred - we did not allocate it - its contents are garbage - but we should not free it */ return retval; } diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c index 4896e8804..fa4b6ed7c 100644 --- a/src/lib/krb5/krb/copy_data.c +++ b/src/lib/krb5/krb/copy_data.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_data.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_data() */ @@ -39,38 +40,38 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat krb5_error_code retval; if (!indata) { - *outdata = 0; - return 0; + *outdata = 0; + return 0; } - + if (!(tempdata = (krb5_data *)malloc(sizeof(*tempdata)))) - return ENOMEM; + return ENOMEM; retval = krb5int_copy_data_contents(context, indata, tempdata); if (retval) { - free(tempdata); - return retval; + free(tempdata); + return retval; } *outdata = tempdata; return 0; } -krb5_error_code +krb5_error_code krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata) { if (!indata) { - return EINVAL; + return EINVAL; } outdata->length = indata->length; if (outdata->length) { - if (!(outdata->data = malloc(outdata->length))) { - return ENOMEM; - } - memcpy(outdata->data, indata->data, outdata->length); + if (!(outdata->data = malloc(outdata->length))) { + return ENOMEM; + } + memcpy(outdata->data, indata->data, outdata->length); } else - outdata->data = 0; + outdata->data = 0; outdata->magic = KV5M_DATA; return 0; @@ -79,16 +80,16 @@ krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_d /* As above, but add an (uncounted) extra byte at the end to null-terminate the data so it can be used as a standard C string. */ -krb5_error_code +krb5_error_code krb5int_copy_data_contents_add0(krb5_context context, const krb5_data *indata, krb5_data *outdata) { if (!indata) - return EINVAL; + return EINVAL; outdata->length = indata->length; if (!(outdata->data = malloc(outdata->length + 1))) - return ENOMEM; + return ENOMEM; if (outdata->length) - memcpy(outdata->data, indata->data, outdata->length); + memcpy(outdata->data, indata->data, outdata->length); outdata->data[outdata->length] = 0; outdata->magic = KV5M_DATA; diff --git a/src/lib/krb5/krb/copy_key.c b/src/lib/krb5/krb/copy_key.c index 4772c58c1..532cced46 100644 --- a/src/lib/krb5/krb/copy_key.c +++ b/src/lib/krb5/krb/copy_key.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_key.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_keyblock() */ diff --git a/src/lib/krb5/krb/copy_princ.c b/src/lib/krb5/krb/copy_princ.c index 4e168b002..b7badefa2 100644 --- a/src/lib/krb5/krb/copy_princ.c +++ b/src/lib/krb5/krb/copy_princ.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_princ.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_principal() */ @@ -41,7 +42,7 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pri tempprinc = (krb5_principal)malloc(sizeof(krb5_principal_data)); if (tempprinc == 0) - return ENOMEM; + return ENOMEM; *tempprinc = *inprinc; @@ -49,29 +50,29 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pri tempprinc->data = malloc(nelems * sizeof(krb5_data)); if (tempprinc->data == 0) { - free(tempprinc); - return ENOMEM; + free(tempprinc); + return ENOMEM; } for (i = 0; i < nelems; i++) { - if (krb5int_copy_data_contents(context, - krb5_princ_component(context, inprinc, i), - krb5_princ_component(context, tempprinc, i)) != 0) { - while (--i >= 0) - free(krb5_princ_component(context, tempprinc, i)->data); - free (tempprinc->data); - free (tempprinc); - return ENOMEM; + if (krb5int_copy_data_contents(context, + krb5_princ_component(context, inprinc, i), + krb5_princ_component(context, tempprinc, i)) != 0) { + while (--i >= 0) + free(krb5_princ_component(context, tempprinc, i)->data); + free (tempprinc->data); + free (tempprinc); + return ENOMEM; } } if (krb5int_copy_data_contents_add0(context, &inprinc->realm, - &tempprinc->realm) != 0) { + &tempprinc->realm) != 0) { for (i = 0; i < nelems; i++) - free(krb5_princ_component(context, tempprinc, i)->data); - free(tempprinc->data); - free(tempprinc); - return ENOMEM; + free(krb5_princ_component(context, tempprinc, i)->data); + free(tempprinc->data); + free(tempprinc); + return ENOMEM; } *outprinc = tempprinc; diff --git a/src/lib/krb5/krb/copy_tick.c b/src/lib/krb5/krb/copy_tick.c index 1dc3362d0..1fd3e681c 100644 --- a/src/lib/krb5/krb/copy_tick.c +++ b/src/lib/krb5/krb/copy_tick.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/copy_tick.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_ticket() */ @@ -36,56 +37,56 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom, krb5_enc_tkt_part *tempto; if (!(tempto = (krb5_enc_tkt_part *)malloc(sizeof(*tempto)))) - return ENOMEM; + return ENOMEM; *tempto = *partfrom; retval = krb5_copy_keyblock(context, partfrom->session, - &tempto->session); + &tempto->session); if (retval) { - free(tempto); - return retval; + free(tempto); + return retval; } retval = krb5_copy_principal(context, partfrom->client, &tempto->client); if (retval) { - krb5_free_keyblock(context, tempto->session); - free(tempto); - return retval; + krb5_free_keyblock(context, tempto->session); + free(tempto); + return retval; } tempto->transited = partfrom->transited; if (tempto->transited.tr_contents.length == 0) { - tempto->transited.tr_contents.data = 0; + tempto->transited.tr_contents.data = 0; } else { - tempto->transited.tr_contents.data = - malloc(partfrom->transited.tr_contents.length); - if (!tempto->transited.tr_contents.data) { - krb5_free_principal(context, tempto->client); - krb5_free_keyblock(context, tempto->session); - free(tempto); - return ENOMEM; - } - memcpy(tempto->transited.tr_contents.data, - (char *)partfrom->transited.tr_contents.data, - partfrom->transited.tr_contents.length); + tempto->transited.tr_contents.data = + malloc(partfrom->transited.tr_contents.length); + if (!tempto->transited.tr_contents.data) { + krb5_free_principal(context, tempto->client); + krb5_free_keyblock(context, tempto->session); + free(tempto); + return ENOMEM; + } + memcpy(tempto->transited.tr_contents.data, + (char *)partfrom->transited.tr_contents.data, + partfrom->transited.tr_contents.length); } retval = krb5_copy_addresses(context, partfrom->caddrs, &tempto->caddrs); if (retval) { - free(tempto->transited.tr_contents.data); - krb5_free_principal(context, tempto->client); - krb5_free_keyblock(context, tempto->session); - free(tempto); - return retval; + free(tempto->transited.tr_contents.data); + krb5_free_principal(context, tempto->client); + krb5_free_keyblock(context, tempto->session); + free(tempto); + return retval; } if (partfrom->authorization_data) { - retval = krb5_copy_authdata(context, partfrom->authorization_data, - &tempto->authorization_data); - if (retval) { - krb5_free_addresses(context, tempto->caddrs); - free(tempto->transited.tr_contents.data); - krb5_free_principal(context, tempto->client); - krb5_free_keyblock(context, tempto->session); - free(tempto); - return retval; - } + retval = krb5_copy_authdata(context, partfrom->authorization_data, + &tempto->authorization_data); + if (retval) { + krb5_free_addresses(context, tempto->caddrs); + free(tempto->transited.tr_contents.data); + krb5_free_principal(context, tempto->client); + krb5_free_keyblock(context, tempto->session); + free(tempto); + return retval; + } } *partto = tempto; return 0; @@ -99,28 +100,28 @@ krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pt krb5_data *scratch; if (!(tempto = (krb5_ticket *)malloc(sizeof(*tempto)))) - return ENOMEM; + return ENOMEM; *tempto = *from; retval = krb5_copy_principal(context, from->server, &tempto->server); if (retval) { - free(tempto); - return retval; + free(tempto); + return retval; } retval = krb5_copy_data(context, &from->enc_part.ciphertext, &scratch); if (retval) { - krb5_free_principal(context, tempto->server); - free(tempto); - return retval; + krb5_free_principal(context, tempto->server); + free(tempto); + return retval; } tempto->enc_part.ciphertext = *scratch; free(scratch); retval = krb5_copy_enc_tkt_part(context, from->enc_part2, &tempto->enc_part2); if (retval) { - free(tempto->enc_part.ciphertext.data); - krb5_free_principal(context, tempto->server); - free(tempto); - return retval; - } + free(tempto->enc_part.ciphertext.data); + krb5_free_principal(context, tempto->server); + free(tempto); + return retval; + } *pto = tempto; return 0; } diff --git a/src/lib/krb5/krb/cp_key_cnt.c b/src/lib/krb5/krb/cp_key_cnt.c index 74efb5ef1..2f97dbd0c 100644 --- a/src/lib/krb5/krb/cp_key_cnt.c +++ b/src/lib/krb5/krb/cp_key_cnt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/cp_key_cnt.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_copy_keyblock() */ diff --git a/src/lib/krb5/krb/decode_kdc.c b/src/lib/krb5/krb/decode_kdc.c index 689e2a241..19451eea4 100644 --- a/src/lib/krb5/krb/decode_kdc.c +++ b/src/lib/krb5/krb/decode_kdc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/decode_kdc.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_decode_kdc_rep() function. */ @@ -30,41 +31,40 @@ #include "k5-int.h" /* - Takes a KDC_REP message and decrypts encrypted part using etype and - *key, putting result in *rep. - dec_rep->client,ticket,session,last_req,server,caddrs - are all set to allocated storage which should be freed by the caller - when finished with the response. + Takes a KDC_REP message and decrypts encrypted part using etype and + *key, putting result in *rep. + dec_rep->client,ticket,session,last_req,server,caddrs + are all set to allocated storage which should be freed by the caller + when finished with the response. - If the response isn't a KDC_REP (tgs or as), it returns an error from - the decoding routines. + If the response isn't a KDC_REP (tgs or as), it returns an error from + the decoding routines. - returns errors from encryption routines, system errors - */ + returns errors from encryption routines, system errors +*/ krb5_error_code krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, - krb5_keyusage usage, krb5_kdc_rep **dec_rep) + krb5_keyusage usage, krb5_kdc_rep **dec_rep) { krb5_error_code retval; krb5_kdc_rep *local_dec_rep; if (krb5_is_as_rep(enc_rep)) { - retval = decode_krb5_as_rep(enc_rep, &local_dec_rep); + retval = decode_krb5_as_rep(enc_rep, &local_dec_rep); } else if (krb5_is_tgs_rep(enc_rep)) { - retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep); + retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep); } else { - return KRB5KRB_AP_ERR_MSG_TYPE; + return KRB5KRB_AP_ERR_MSG_TYPE; } if (retval) - return retval; + return retval; if ((retval = krb5_kdc_rep_decrypt_proc(context, key, &usage, - local_dec_rep))) - krb5_free_kdc_rep(context, local_dec_rep); + local_dec_rep))) + krb5_free_kdc_rep(context, local_dec_rep); else - *dec_rep = local_dec_rep; + *dec_rep = local_dec_rep; return(retval); } - diff --git a/src/lib/krb5/krb/decrypt_tk.c b/src/lib/krb5/krb/decrypt_tk.c index 36ecbb45b..c06353b9e 100644 --- a/src/lib/krb5/krb/decrypt_tk.c +++ b/src/lib/krb5/krb/decrypt_tk.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/decrypt_tk.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_decrypt_tkt_part() function. */ @@ -30,11 +31,11 @@ #include "k5-int.h" /* - Decrypts dec_ticket->enc_part - using *srv_key, and places result in dec_ticket->enc_part2. - The storage of dec_ticket->enc_part2 will be allocated before return. + Decrypts dec_ticket->enc_part + using *srv_key, and places result in dec_ticket->enc_part2. + The storage of dec_ticket->enc_part2 will be allocated before return. - returns errors from encryption routines, system errors + returns errors from encryption routines, system errors */ @@ -46,27 +47,27 @@ krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist krb5_error_code retval; if (!krb5_c_valid_enctype(ticket->enc_part.enctype)) - return KRB5_PROG_ETYPE_NOSUPP; + return KRB5_PROG_ETYPE_NOSUPP; scratch.length = ticket->enc_part.ciphertext.length; if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length))) - return(ENOMEM); + return(ENOMEM); /* call the encryption routine */ if ((retval = krb5_c_decrypt(context, srv_key, - KRB5_KEYUSAGE_KDC_REP_TICKET, 0, - &ticket->enc_part, &scratch))) { - free(scratch.data); - return retval; + KRB5_KEYUSAGE_KDC_REP_TICKET, 0, + &ticket->enc_part, &scratch))) { + free(scratch.data); + return retval; } -#define clean_scratch() {memset(scratch.data, 0, scratch.length); \ -free(scratch.data);} +#define clean_scratch() {memset(scratch.data, 0, scratch.length); \ + free(scratch.data);} /* now decode the decrypted stuff */ retval = decode_krb5_enc_tkt_part(&scratch, &dec_tkt_part); if (!retval) { - ticket->enc_part2 = dec_tkt_part; + ticket->enc_part2 = dec_tkt_part; } clean_scratch(); return retval; diff --git a/src/lib/krb5/krb/deltat.c b/src/lib/krb5/krb/deltat.c index 2541591f8..36c0d0e95 100644 --- a/src/lib/krb5/krb/deltat.c +++ b/src/lib/krb5/krb/deltat.c @@ -95,14 +95,14 @@ struct param { #define MAX_MIN (MAX_TIME / 60) #define MIN_MIN (MIN_TIME / 60) -/* An explanation of the tests being performed. - We do not want to overflow a 32 bit integer with out manipulations, +/* An explanation of the tests being performed. + We do not want to overflow a 32 bit integer with out manipulations, even for testing for overflow. Therefore we rely on the following: The lex parser will not return a number > MAX_TIME (which is out 32 bit limit). - Therefore, seconds (s) will require + Therefore, seconds (s) will require MIN_TIME < s < MAX_TIME For subsequent tests, the logic is as follows: @@ -110,7 +110,7 @@ struct param { If A < MAX_TIME and B < MAX_TIME If we want to test if A+B < MAX_TIME, there are two cases - if (A > 0) + if (A > 0) then A + B < MAX_TIME if B < MAX_TIME - A else A + B < MAX_TIME always. @@ -131,7 +131,7 @@ struct param { res = (a) + (b) -#define OUT_D ((struct param *)tmv)->delta +#define OUT_D ((struct param *)tmv)->delta #define DO(D,H,M,S) \ { \ /* Overflow testing - this does not handle negative values well.. */ \ @@ -1420,10 +1420,10 @@ mylex (krb5_int32 *intp, char **pp) /* XXX assumes ASCII */ num = c - '0'; while (isdigit ((int) *P)) { - if (num > MAX_TIME / 10) + if (num > MAX_TIME / 10) return OVERFLOW; num *= 10; - if (num > MAX_TIME - (*P - '0')) + if (num > MAX_TIME - (*P - '0')) return OVERFLOW; num += *P++ - '0'; } @@ -1451,5 +1451,3 @@ krb5_string_to_deltat(char *string, krb5_deltat *deltatp) *deltatp = p.delta; return 0; } - - diff --git a/src/lib/krb5/krb/enc_helper.c b/src/lib/krb5/krb/enc_helper.c index 01324d014..41d2f00f7 100644 --- a/src/lib/krb5/krb/enc_helper.c +++ b/src/lib/krb5/krb/enc_helper.c @@ -1,13 +1,14 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -18,7 +19,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -33,24 +34,24 @@ krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key, krb5_keyusag size_t enclen; if ((ret = krb5_c_encrypt_length(context, key->enctype, plain->length, - &enclen))) - return(ret); + &enclen))) + return(ret); cipher->ciphertext.length = enclen; if ((cipher->ciphertext.data = (char *) malloc(enclen)) == NULL) - return(ENOMEM); + return(ENOMEM); ret = krb5_c_encrypt(context, key, usage, 0, plain, cipher); if (ret) { - free(cipher->ciphertext.data); - cipher->ciphertext.data = NULL; + free(cipher->ciphertext.data); + cipher->ciphertext.data = NULL; } return(ret); } - + krb5_error_code krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage, - const krb5_data *plain, krb5_enc_data *cipher) + const krb5_data *plain, krb5_enc_data *cipher) { krb5_enctype enctype; krb5_error_code ret; @@ -59,16 +60,16 @@ krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage, enctype = krb5_k_key_enctype(context, key); ret = krb5_c_encrypt_length(context, enctype, plain->length, &enclen); if (ret != 0) - return ret; + return ret; cipher->ciphertext.length = enclen; cipher->ciphertext.data = malloc(enclen); if (cipher->ciphertext.data == NULL) - return ENOMEM; + return ENOMEM; ret = krb5_k_encrypt(context, key, usage, 0, plain, cipher); if (ret) { - free(cipher->ciphertext.data); - cipher->ciphertext.data = NULL; + free(cipher->ciphertext.data); + cipher->ciphertext.data = NULL; } return ret; diff --git a/src/lib/krb5/krb/encode_kdc.c b/src/lib/krb5/krb/encode_kdc.c index 8b879c015..c86bd4cd5 100644 --- a/src/lib/krb5/krb/encode_kdc.c +++ b/src/lib/krb5/krb/encode_kdc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/encode_kdc.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_encode_kdc_rep() function. */ @@ -30,24 +31,24 @@ #include "k5-int.h" /* - Takes KDC rep parts in *rep and *encpart, and formats it into *enc_rep, - using message type type and encryption key client_key and encryption type - etype. + Takes KDC rep parts in *rep and *encpart, and formats it into *enc_rep, + using message type type and encryption key client_key and encryption type + etype. - The string *enc_rep will be allocated before formatting; the caller should - free when finished. + The string *enc_rep will be allocated before formatting; the caller should + free when finished. - returns system errors + returns system errors - dec_rep->enc_part.ciphertext is allocated and filled in. + dec_rep->enc_part.ciphertext is allocated and filled in. */ /* due to argument promotion rules, we need to use the DECLARG/OLDDECLARG stuff... */ krb5_error_code krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type, - const krb5_enc_kdc_rep_part *encpart, - int using_subkey, const krb5_keyblock *client_key, - krb5_kdc_rep *dec_rep, krb5_data **enc_rep) + const krb5_enc_kdc_rep_part *encpart, + int using_subkey, const krb5_keyblock *client_key, + krb5_kdc_rep *dec_rep, krb5_data **enc_rep) { krb5_data *scratch; krb5_error_code retval; @@ -55,27 +56,27 @@ krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type, krb5_keyusage usage; if (!krb5_c_valid_enctype(dec_rep->enc_part.enctype)) - return KRB5_PROG_ETYPE_NOSUPP; + return KRB5_PROG_ETYPE_NOSUPP; switch (type) { case KRB5_AS_REP: - usage = KRB5_KEYUSAGE_AS_REP_ENCPART; - break; + usage = KRB5_KEYUSAGE_AS_REP_ENCPART; + break; case KRB5_TGS_REP: - if (using_subkey) - usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY; - else - usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY; - break; + if (using_subkey) + usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY; + else + usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY; + break; default: - return KRB5_BADMSGTYPE; + return KRB5_BADMSGTYPE; } /* * We don't want to modify encpart, but we need to be able to pass * in the message type to the encoder, so it can set the ASN.1 * type correct. - * + * * Although note that it may be doing nothing with the message * type, to be compatible with old versions of Kerberos that always * encode this as a TGS_REP regardly of what it really should be; @@ -88,41 +89,41 @@ krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type, tmp_encpart.msg_type = type; retval = encode_krb5_enc_kdc_rep_part(&tmp_encpart, &scratch); if (retval) { - return retval; + return retval; } memset(&tmp_encpart, 0, sizeof(tmp_encpart)); #define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); \ -krb5_free_data(context, scratch); } + krb5_free_data(context, scratch); } retval = krb5_encrypt_helper(context, client_key, usage, scratch, - &dec_rep->enc_part); + &dec_rep->enc_part); -#define cleanup_encpart() { \ -(void) memset(dec_rep->enc_part.ciphertext.data, 0, \ - dec_rep->enc_part.ciphertext.length); \ -free(dec_rep->enc_part.ciphertext.data); \ -dec_rep->enc_part.ciphertext.length = 0; \ -dec_rep->enc_part.ciphertext.data = 0;} +#define cleanup_encpart() { \ + (void) memset(dec_rep->enc_part.ciphertext.data, 0, \ + dec_rep->enc_part.ciphertext.length); \ + free(dec_rep->enc_part.ciphertext.data); \ + dec_rep->enc_part.ciphertext.length = 0; \ + dec_rep->enc_part.ciphertext.data = 0;} cleanup_scratch(); if (retval) - return(retval); + return(retval); /* now it's ready to be encoded for the wire! */ switch (type) { case KRB5_AS_REP: - retval = encode_krb5_as_rep(dec_rep, enc_rep); - break; + retval = encode_krb5_as_rep(dec_rep, enc_rep); + break; case KRB5_TGS_REP: - retval = encode_krb5_tgs_rep(dec_rep, enc_rep); - break; + retval = encode_krb5_tgs_rep(dec_rep, enc_rep); + break; } if (retval) - cleanup_encpart(); + cleanup_encpart(); return retval; } diff --git a/src/lib/krb5/krb/encrypt_tk.c b/src/lib/krb5/krb/encrypt_tk.c index ed2b8c1b8..acf9c6fa4 100644 --- a/src/lib/krb5/krb/encrypt_tk.c +++ b/src/lib/krb5/krb/encrypt_tk.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/encrypt_tk.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_encrypt_tkt_part() routine. */ @@ -30,15 +31,15 @@ #include "k5-int.h" /* - Takes unencrypted dec_ticket & dec_tkt_part, encrypts with - dec_ticket->enc_part.etype - using *srv_key, and places result in dec_ticket->enc_part. - The string dec_ticket->enc_part.ciphertext will be allocated before - formatting. + Takes unencrypted dec_ticket & dec_tkt_part, encrypts with + dec_ticket->enc_part.etype + using *srv_key, and places result in dec_ticket->enc_part. + The string dec_ticket->enc_part.ciphertext will be allocated before + formatting. - returns errors from encryption routines, system errors + returns errors from encryption routines, system errors - enc_part->ciphertext.data allocated & filled in with encrypted stuff + enc_part->ciphertext.data allocated & filled in with encrypted stuff */ krb5_error_code @@ -50,16 +51,16 @@ krb5_encrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist /* start by encoding the to-be-encrypted part. */ if ((retval = encode_krb5_enc_tkt_part(dec_tkt_part, &scratch))) { - return retval; + return retval; } #define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); \ -krb5_free_data(context, scratch); } + krb5_free_data(context, scratch); } /* call the encryption routine */ retval = krb5_encrypt_helper(context, srv_key, - KRB5_KEYUSAGE_KDC_REP_TICKET, scratch, - &dec_ticket->enc_part); + KRB5_KEYUSAGE_KDC_REP_TICKET, scratch, + &dec_ticket->enc_part); cleanup_scratch(); diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c index 381173d5c..ae5602cde 100644 --- a/src/lib/krb5/krb/fast.c +++ b/src/lib/krb5/krb/fast.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/fast.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +23,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * */ @@ -66,65 +67,65 @@ static krb5_error_code fast_armor_ap_request memset(&creds, 0, sizeof(creds)); retval = krb5_tgtname(context, target_realm, target_realm, &creds.server); if (retval ==0) - retval = krb5_cc_get_principal(context, ccache, &creds.client); + retval = krb5_cc_get_principal(context, ccache, &creds.client); if (retval == 0) - retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds); + retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds); if (retval == 0) - retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/, - out_creds, &encoded_authenticator); + retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/, + out_creds, &encoded_authenticator); if (retval == 0) - retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey); + retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey); if (retval == 0) - retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", - &out_creds->keyblock, "ticketarmor", &armor_key); + retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", + &out_creds->keyblock, "ticketarmor", &armor_key); if (retval == 0) { - armor = calloc(1, sizeof(krb5_fast_armor)); - if (armor == NULL) - retval = ENOMEM; + armor = calloc(1, sizeof(krb5_fast_armor)); + if (armor == NULL) + retval = ENOMEM; } if (retval == 0) { - armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST; - armor->armor_value = encoded_authenticator; - encoded_authenticator.data = NULL; - encoded_authenticator.length = 0; - state->armor = armor; - armor = NULL; - state->armor_key = armor_key; - armor_key = NULL; + armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST; + armor->armor_value = encoded_authenticator; + encoded_authenticator.data = NULL; + encoded_authenticator.length = 0; + state->armor = armor; + armor = NULL; + state->armor_key = armor_key; + armor_key = NULL; } krb5_free_keyblock(context, armor_key); krb5_free_keyblock(context, subkey); if (out_creds) - krb5_free_creds(context, out_creds); + krb5_free_creds(context, out_creds); krb5_free_cred_contents(context, &creds); if (encoded_authenticator.data) - krb5_free_data_contents(context, &encoded_authenticator); + krb5_free_data_contents(context, &encoded_authenticator); krb5_auth_con_free(context, authcontext); return retval; } krb5_error_code krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state, - krb5_kdc_req *request, krb5_data **encoded_request_body) + krb5_kdc_req *request, krb5_data **encoded_request_body) { krb5_error_code retval = 0; krb5_data *local_encoded_request_body = NULL; assert(state != NULL); *encoded_request_body = NULL; if (state->armor_key == NULL) { - return encode_krb5_kdc_req_body(request, encoded_request_body); + return encode_krb5_kdc_req_body(request, encoded_request_body); } state->fast_outer_request = *request; state->fast_outer_request.padata = NULL; if (retval == 0) - retval = encode_krb5_kdc_req_body(&state->fast_outer_request, - &local_encoded_request_body); + retval = encode_krb5_kdc_req_body(&state->fast_outer_request, + &local_encoded_request_body); if (retval == 0) { - *encoded_request_body = local_encoded_request_body; - local_encoded_request_body = NULL; + *encoded_request_body = local_encoded_request_body; + local_encoded_request_body = NULL; } if (local_encoded_request_body != NULL) - krb5_free_data(context, local_encoded_request_body); + krb5_free_data(context, local_encoded_request_body); return retval; } @@ -137,31 +138,31 @@ krb5_error_code krb5int_fast_as_armor krb5_ccache ccache = NULL; krb5_clear_error_message(context); if (opte->opt_private->fast_ccache_name) { - retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name, - &ccache); - if (retval==0) - retval = fast_armor_ap_request(context, state, ccache, - krb5_princ_realm(context, request->server)); - if (retval != 0) { - const char * errmsg; - errmsg = krb5_get_error_message(context, retval); - if (errmsg) { - krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg); - krb5_free_error_message(context, errmsg); - } - } + retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name, + &ccache); + if (retval==0) + retval = fast_armor_ap_request(context, state, ccache, + krb5_princ_realm(context, request->server)); + if (retval != 0) { + const char * errmsg; + errmsg = krb5_get_error_message(context, retval); + if (errmsg) { + krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg); + krb5_free_error_message(context, errmsg); + } + } } if (ccache) - krb5_cc_close(context, ccache); + krb5_cc_close(context, ccache); return retval; } -krb5_error_code +krb5_error_code krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, - krb5_kdc_req *request, - const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, - krb5_data **encoded_request) + krb5_kdc_req *request, + const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, + krb5_data **encoded_request) { krb5_error_code retval = 0; krb5_pa_data *pa_array[2]; @@ -180,68 +181,68 @@ krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state * assert(state->fast_outer_request.padata == NULL); memset(pa_array, 0, sizeof pa_array); if (state->armor_key == NULL) { - return encoder(request, encoded_request); + return encoder(request, encoded_request); } /* Fill in a fresh random nonce for each inner request*/ - random_data.length = 4; - random_data.data = (char *)random_buf; - retval = krb5_c_random_make_octets(context, &random_data); - if (retval == 0) { - request->nonce = 0x7fffffff & load_32_n(random_buf); - state->nonce = request->nonce; - } + random_data.length = 4; + random_data.data = (char *)random_buf; + retval = krb5_c_random_make_octets(context, &random_data); + if (retval == 0) { + request->nonce = 0x7fffffff & load_32_n(random_buf); + state->nonce = request->nonce; + } fast_req.req_body = request; if (fast_req.req_body->padata == NULL) { - fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *)); - if (fast_req.req_body->padata == NULL) - retval = ENOMEM; + fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *)); + if (fast_req.req_body->padata == NULL) + retval = ENOMEM; } fast_req.fast_options = state->fast_options; if (retval == 0) - retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req); + retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req); if (retval == 0) { - armored_req = calloc(1, sizeof(krb5_fast_armored_req)); - if (armored_req == NULL) - retval = ENOMEM; + armored_req = calloc(1, sizeof(krb5_fast_armored_req)); + if (armored_req == NULL) + retval = ENOMEM; } if (retval == 0) - armored_req->armor = state->armor; + armored_req->armor = state->armor; if (retval == 0) - retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype, - &cksumtype); + retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype, + &cksumtype); if (retval ==0) - retval = krb5_c_make_checksum(context, cksumtype, state->armor_key, - KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed, - &armored_req->req_checksum); + retval = krb5_c_make_checksum(context, cksumtype, state->armor_key, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed, + &armored_req->req_checksum); if (retval == 0) - retval = krb5_encrypt_helper(context, state->armor_key, - KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req, - &armored_req->enc_part); + retval = krb5_encrypt_helper(context, state->armor_key, + KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req, + &armored_req->enc_part); if (retval == 0) - retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req); + retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req); if (retval==0) { - pa[0].pa_type = KRB5_PADATA_FX_FAST; - pa[0].contents = (unsigned char *) encoded_armored_req->data; - pa[0].length = encoded_armored_req->length; - pa_array[0] = &pa[0]; + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].contents = (unsigned char *) encoded_armored_req->data; + pa[0].length = encoded_armored_req->length; + pa_array[0] = &pa[0]; } state->fast_outer_request.padata = pa_array; if(retval == 0) - retval = encoder(&state->fast_outer_request, &local_encoded_result); + retval = encoder(&state->fast_outer_request, &local_encoded_result); if (retval == 0) { - *encoded_request = local_encoded_result; - local_encoded_result = NULL; + *encoded_request = local_encoded_result; + local_encoded_result = NULL; } if (encoded_armored_req) - krb5_free_data(context, encoded_armored_req); + krb5_free_data(context, encoded_armored_req); if (armored_req) { - armored_req->armor = NULL; /*owned by state*/ - krb5_free_fast_armored_req(context, armored_req); + armored_req->armor = NULL; /*owned by state*/ + krb5_free_fast_armored_req(context, armored_req); } if (encoded_fast_req) - krb5_free_data(context, encoded_fast_req); + krb5_free_data(context, encoded_fast_req); if (local_encoded_result) - krb5_free_data(context, local_encoded_result); + krb5_free_data(context, local_encoded_result); state->fast_outer_request.padata = NULL; return retval; } @@ -258,49 +259,49 @@ static krb5_error_code decrypt_fast_reply krb5_fast_response *local_resp = NULL; assert(state != NULL); assert(state->armor_key); - fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST); + fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST); if (fx_reply == NULL) - retval = KRB5_ERR_FAST_REQUIRED; + retval = KRB5_ERR_FAST_REQUIRED; if (retval == 0) { - scratch.data = (char *) fx_reply->contents; - scratch.length = fx_reply->length; - retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response); + scratch.data = (char *) fx_reply->contents; + scratch.length = fx_reply->length; + retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response); } scratch.data = NULL; if (retval == 0) { - scratch.data = malloc(encrypted_response->ciphertext.length); - if (scratch.data == NULL) - retval = ENOMEM; - scratch.length = encrypted_response->ciphertext.length; + scratch.data = malloc(encrypted_response->ciphertext.length); + if (scratch.data == NULL) + retval = ENOMEM; + scratch.length = encrypted_response->ciphertext.length; } if (retval == 0) - retval = krb5_c_decrypt(context, state->armor_key, - KRB5_KEYUSAGE_FAST_REP, NULL, - encrypted_response, &scratch); + retval = krb5_c_decrypt(context, state->armor_key, + KRB5_KEYUSAGE_FAST_REP, NULL, + encrypted_response, &scratch); if (retval != 0) { - const char * errmsg; - errmsg = krb5_get_error_message(context, retval); - krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg); - krb5_free_error_message(context, errmsg); + const char * errmsg; + errmsg = krb5_get_error_message(context, retval); + krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg); + krb5_free_error_message(context, errmsg); } if (retval == 0) - retval = decode_krb5_fast_response(&scratch, &local_resp); + retval = decode_krb5_fast_response(&scratch, &local_resp); if (retval == 0) { - if (local_resp->nonce != state->nonce) { - retval = KRB5_KDCREP_MODIFIED; - krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified"); - } + if (local_resp->nonce != state->nonce) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified"); + } } if (retval == 0) { - *response = local_resp; - local_resp = NULL; + *response = local_resp; + local_resp = NULL; } if (scratch.data) - free(scratch.data); + free(scratch.data); if (encrypted_response) - krb5_free_enc_data(context, encrypted_response); + krb5_free_enc_data(context, encrypted_response); if (local_resp) - krb5_free_fast_response(context, local_resp); + krb5_free_fast_response(context, local_resp); return retval; } @@ -319,91 +320,91 @@ static krb5_error_code decrypt_fast_reply */ krb5_error_code krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state, - krb5_error **err_replyptr , krb5_pa_data ***out_padata, - krb5_boolean *retry) + krb5_error **err_replyptr , krb5_pa_data ***out_padata, + krb5_boolean *retry) { krb5_error_code retval = 0; krb5_error *err_reply = *err_replyptr; *out_padata = NULL; *retry = 0; if (state->armor_key) { - krb5_pa_data *fx_error_pa; - krb5_pa_data **result = NULL; - krb5_data scratch, *encoded_td = NULL; - krb5_error *fx_error = NULL; - krb5_fast_response *fast_response = NULL; - retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); - if (retval == 0) - retval = decrypt_fast_reply(context, state, result, &fast_response); - if (retval) { - /*This can happen if the KDC does not understand FAST. We - * don't expect that, but treating it as the fatal error - * indicated by the KDC seems reasonable. - */ - *retry = 0; - krb5_free_pa_data(context, result); - return 0; - } - krb5_free_pa_data(context, result); - result = NULL; - if (retval == 0) { - fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR); - if (fx_error_pa == NULL) { - krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container"); - retval = KRB5KDC_ERR_PREAUTH_FAILED; - } - } - if (retval == 0) { - scratch.data = (char *) fx_error_pa->contents; - scratch.length = fx_error_pa->length; - retval = decode_krb5_error(&scratch, &fx_error); - } - /* - * krb5_pa_data and krb5_typed_data are safe to cast between: - * they have the same type fields in the same order. - * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is - * ever changed then this will need to be a copy not a cast. - */ - if (retval == 0) - retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata, - &encoded_td); - if (retval == 0) { - fx_error->e_data = *encoded_td; - free(encoded_td); /*contents owned by fx_error*/ - encoded_td = NULL; - krb5_free_error(context, err_reply); - *err_replyptr = fx_error; - fx_error = NULL; - *out_padata = fast_response->padata; - fast_response->padata = NULL; - /* - * If there is more than the fx_error padata, then we want - * to retry the error if a cookie is present - */ - *retry = (*out_padata)[1] != NULL; - if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL) - *retry = 0; - } - if (fx_error) - krb5_free_error(context, fx_error); - krb5_free_fast_response(context, fast_response); + krb5_pa_data *fx_error_pa; + krb5_pa_data **result = NULL; + krb5_data scratch, *encoded_td = NULL; + krb5_error *fx_error = NULL; + krb5_fast_response *fast_response = NULL; + retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); + if (retval == 0) + retval = decrypt_fast_reply(context, state, result, &fast_response); + if (retval) { + /*This can happen if the KDC does not understand FAST. We + * don't expect that, but treating it as the fatal error + * indicated by the KDC seems reasonable. + */ + *retry = 0; + krb5_free_pa_data(context, result); + return 0; + } + krb5_free_pa_data(context, result); + result = NULL; + if (retval == 0) { + fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR); + if (fx_error_pa == NULL) { + krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container"); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0) { + scratch.data = (char *) fx_error_pa->contents; + scratch.length = fx_error_pa->length; + retval = decode_krb5_error(&scratch, &fx_error); + } + /* + * krb5_pa_data and krb5_typed_data are safe to cast between: + * they have the same type fields in the same order. + * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is + * ever changed then this will need to be a copy not a cast. + */ + if (retval == 0) + retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata, + &encoded_td); + if (retval == 0) { + fx_error->e_data = *encoded_td; + free(encoded_td); /*contents owned by fx_error*/ + encoded_td = NULL; + krb5_free_error(context, err_reply); + *err_replyptr = fx_error; + fx_error = NULL; + *out_padata = fast_response->padata; + fast_response->padata = NULL; + /* + * If there is more than the fx_error padata, then we want + * to retry the error if a cookie is present + */ + *retry = (*out_padata)[1] != NULL; + if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL) + *retry = 0; + } + if (fx_error) + krb5_free_error(context, fx_error); + krb5_free_fast_response(context, fast_response); } else { /*not FAST*/ - *retry = (err_reply->e_data.length > 0); - if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED - ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) { - krb5_pa_data **result = NULL; - retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); - if (retval == 0) - if (retval == 0) { - *out_padata = result; + *retry = (err_reply->e_data.length > 0); + if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED + ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) { + krb5_pa_data **result = NULL; + retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); + if (retval == 0) + if (retval == 0) { + *out_padata = result; - return 0; - } - krb5_free_pa_data(context, result); - krb5_set_error_message(context, retval, - "Error decoding padata in error reply"); - return retval; - } + return 0; + } + krb5_free_pa_data(context, result); + krb5_set_error_message(context, retval, + "Error decoding padata in error reply"); + return retval; + } } return retval; } @@ -421,61 +422,61 @@ krb5_error_code krb5int_fast_process_response krb5_clear_error_message(context); *strengthen_key = NULL; if (state->armor_key == 0) - return 0; - retval = decrypt_fast_reply(context, state, resp->padata, - &fast_response); + return 0; + retval = decrypt_fast_reply(context, state, resp->padata, + &fast_response); if (retval == 0) { - if (fast_response->finished == 0) { - retval = KRB5_KDCREP_MODIFIED; - krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply"); - } + if (fast_response->finished == 0) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply"); + } } if (retval == 0) - retval = encode_krb5_ticket(resp->ticket, &encoded_ticket); + retval = encode_krb5_ticket(resp->ticket, &encoded_ticket); if (retval == 0) - retval = krb5_c_verify_checksum(context, state->armor_key, - KRB5_KEYUSAGE_FAST_FINISHED, - encoded_ticket, - &fast_response->finished->ticket_checksum, - &cksum_valid); + retval = krb5_c_verify_checksum(context, state->armor_key, + KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, + &fast_response->finished->ticket_checksum, + &cksum_valid); if (retval == 0 && cksum_valid == 0) { - retval = KRB5_KDCREP_MODIFIED; - krb5_set_error_message(context, retval, "ticket modified in KDC reply"); + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "ticket modified in KDC reply"); } if (retval == 0) { - krb5_free_principal(context, resp->client); - resp->client = fast_response->finished->client; - fast_response->finished->client = NULL; - *strengthen_key = fast_response->strengthen_key; - fast_response->strengthen_key = NULL; - krb5_free_pa_data(context, resp->padata); - resp->padata = fast_response->padata; - fast_response->padata = NULL; + krb5_free_principal(context, resp->client); + resp->client = fast_response->finished->client; + fast_response->finished->client = NULL; + *strengthen_key = fast_response->strengthen_key; + fast_response->strengthen_key = NULL; + krb5_free_pa_data(context, resp->padata); + resp->padata = fast_response->padata; + fast_response->padata = NULL; } if (fast_response) - krb5_free_fast_response(context, fast_response); + krb5_free_fast_response(context, fast_response); if (encoded_ticket) - krb5_free_data(context, encoded_ticket); + krb5_free_data(context, encoded_ticket); return retval; } krb5_error_code krb5int_fast_reply_key(krb5_context context, - krb5_keyblock *strengthen_key, - krb5_keyblock *existing_key, - krb5_keyblock *out_key) + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *out_key) { krb5_keyblock *key = NULL; krb5_error_code retval = 0; krb5_free_keyblock_contents(context, out_key); if (strengthen_key) { - retval = krb5_c_fx_cf2_simple(context, strengthen_key, - "strengthenkey", existing_key, "replykey", &key); - if (retval == 0) { - *out_key = *key; - free(key); - } + retval = krb5_c_fx_cf2_simple(context, strengthen_key, + "strengthenkey", existing_key, "replykey", &key); + if (retval == 0) { + *out_key = *key; + free(key); + } } else { - retval = krb5_copy_keyblock_contents(context, existing_key, out_key); + retval = krb5_copy_keyblock_contents(context, existing_key, out_key); } return retval; } @@ -487,7 +488,7 @@ krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state struct krb5int_fast_request_state *local_state ; local_state = malloc(sizeof *local_state); if (local_state == NULL) - return ENOMEM; + return ENOMEM; memset(local_state, 0, sizeof(*local_state)); *state = local_state; return 0; @@ -505,16 +506,15 @@ krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state krb5_pa_data * krb5int_find_pa_data (krb5_context context, krb5_pa_data *const *padata, krb5_preauthtype pa_type) { - krb5_pa_data * const *tmppa; + krb5_pa_data * const *tmppa; if (padata == NULL) - return NULL; + return NULL; for (tmppa = padata; *tmppa != NULL; tmppa++) { - if ((*tmppa)->pa_type == pa_type) - break; + if ((*tmppa)->pa_type == pa_type) + break; } return *tmppa; } - diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h index 4cc142335..443f3e196 100644 --- a/src/lib/krb5/krb/fast.h +++ b/src/lib/krb5/krb/fast.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/fast.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * <<< Description >>> */ @@ -34,7 +35,7 @@ struct krb5int_fast_request_state { krb5_kdc_req fast_outer_request; - krb5_keyblock *armor_key; /*non-null means fast is in use*/ + krb5_keyblock *armor_key; /*non-null means fast is in use*/ krb5_fast_armor *armor; krb5_ui_4 fast_state_flags; krb5_ui_4 fast_options; @@ -43,19 +44,19 @@ struct krb5int_fast_request_state { krb5_error_code krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state, - krb5_kdc_req *request, krb5_data **encoded_req_body); + krb5_kdc_req *request, krb5_data **encoded_req_body); typedef krb5_error_code(*kdc_req_encoder_proc) (const krb5_kdc_req *, krb5_data **); -krb5_error_code +krb5_error_code krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, - krb5_kdc_req *request, - const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, - krb5_data **encoded_request); + krb5_kdc_req *request, + const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, + krb5_data **encoded_request); krb5_error_code krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state, - krb5_error **err_replyptr , krb5_pa_data ***out_padata, - krb5_boolean *retry); + krb5_error **err_replyptr , krb5_pa_data ***out_padata, + krb5_boolean *retry); krb5_error_code krb5int_fast_process_response (krb5_context context, struct krb5int_fast_request_state *state, @@ -73,10 +74,10 @@ krb5_error_code krb5int_fast_as_armor krb5_kdc_req *request); krb5_error_code krb5int_fast_reply_key(krb5_context context, - krb5_keyblock *strengthen_key, - krb5_keyblock *existing_key, - krb5_keyblock *output_key); + krb5_keyblock *strengthen_key, + krb5_keyblock *existing_key, + krb5_keyblock *output_key); + - #endif diff --git a/src/lib/krb5/krb/free_rtree.c b/src/lib/krb5/krb/free_rtree.c index 90c9dd3c8..951d55dd3 100644 --- a/src/lib/krb5/krb/free_rtree.c +++ b/src/lib/krb5/krb/free_rtree.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/free_rtree.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_free_realm_tree() */ @@ -34,10 +35,10 @@ krb5_free_realm_tree(krb5_context context, krb5_principal *realms) { register krb5_principal *nrealms = realms; if (realms == NULL) - return; + return; while (*nrealms) { - krb5_free_principal(context, *nrealms); - nrealms++; + krb5_free_principal(context, *nrealms); + nrealms++; } free(realms); } diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c index 08646da6e..5725e4931 100644 --- a/src/lib/krb5/krb/fwd_tgt.c +++ b/src/lib/krb5/krb/fwd_tgt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/get_in_tkt.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -35,14 +36,14 @@ /* Get a TGT for use at the remote host */ krb5_error_code KRB5_CALLCONV krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data *outbuf) - - - - - - - /* Should forwarded TGT also be forwardable? */ - + + + + + + +/* Should forwarded TGT also be forwardable? */ + { krb5_replay_data replaydata; krb5_data * scratch = 0; @@ -61,136 +62,136 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r memset(&tgt, 0, sizeof(creds)); if (cc == 0) { - if ((retval = krb5int_cc_default(context, &cc))) - goto errout; - close_cc = 1; + if ((retval = krb5int_cc_default(context, &cc))) + goto errout; + close_cc = 1; } retval = krb5_auth_con_getkey (context, auth_context, &session_key); if (retval) - goto errout; + goto errout; if (session_key) { - enctype = session_key->enctype; - krb5_free_keyblock (context, session_key); - session_key = NULL; + enctype = session_key->enctype; + krb5_free_keyblock (context, session_key); + session_key = NULL; } else if (server) { /* must server be non-NULL when rhost is given? */ - /* Try getting credentials to see what the remote side supports. - Not bulletproof, just a heuristic. */ - krb5_creds in, *out = 0; - memset (&in, 0, sizeof(in)); - - retval = krb5_copy_principal (context, server, &in.server); - if (retval) - goto punt; - retval = krb5_copy_principal (context, client, &in.client); - if (retval) - goto punt; - retval = krb5_get_credentials (context, 0, cc, &in, &out); - if (retval) - goto punt; - /* Got the credentials. Okay, now record the enctype and - throw them away. */ - enctype = out->keyblock.enctype; - krb5_free_creds (context, out); + /* Try getting credentials to see what the remote side supports. + Not bulletproof, just a heuristic. */ + krb5_creds in, *out = 0; + memset (&in, 0, sizeof(in)); + + retval = krb5_copy_principal (context, server, &in.server); + if (retval) + goto punt; + retval = krb5_copy_principal (context, client, &in.client); + if (retval) + goto punt; + retval = krb5_get_credentials (context, 0, cc, &in, &out); + if (retval) + goto punt; + /* Got the credentials. Okay, now record the enctype and + throw them away. */ + enctype = out->keyblock.enctype; + krb5_free_creds (context, out); punt: - krb5_free_cred_contents (context, &in); + krb5_free_cred_contents (context, &in); } if ((retval = krb5_copy_principal(context, client, &creds.client))) - goto errout; - + goto errout; + if ((retval = krb5_build_principal_ext(context, &creds.server, - client->realm.length, - client->realm.data, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME, - client->realm.length, - client->realm.data, - 0))) - goto errout; - + client->realm.length, + client->realm.data, + KRB5_TGS_NAME_SIZE, + KRB5_TGS_NAME, + client->realm.length, + client->realm.data, + 0))) + goto errout; + /* fetch tgt directly from cache */ context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES, - &creds, &tgt); + &creds, &tgt); context->use_conf_ktypes = old_use_conf_ktypes; if (retval) - goto errout; + goto errout; /* tgt->client must be equal to creds.client */ if (!krb5_principal_compare(context, tgt.client, creds.client)) { - retval = KRB5_PRINC_NOMATCH; - goto errout; + retval = KRB5_PRINC_NOMATCH; + goto errout; } if (!tgt.ticket.length) { - retval = KRB5_NO_TKT_SUPPLIED; - goto errout; + retval = KRB5_NO_TKT_SUPPLIED; + goto errout; } - + if (tgt.addresses && *tgt.addresses) { - if (rhost == NULL) { - if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) { -retval = KRB5_FWD_BAD_PRINCIPAL; - goto errout; - } - - if (krb5_princ_size(context, server) < 2){ - retval = KRB5_CC_BADNAME; - goto errout; - } - - rhost = malloc(server->data[1].length+1); - if (!rhost) { - retval = ENOMEM; - goto errout; - } - free_rhost = 1; - memcpy(rhost, server->data[1].data, server->data[1].length); - rhost[server->data[1].length] = '\0'; - } - - retval = krb5_os_hostaddr(context, rhost, &addrs); - if (retval) - goto errout; + if (rhost == NULL) { + if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) { + retval = KRB5_FWD_BAD_PRINCIPAL; + goto errout; + } + + if (krb5_princ_size(context, server) < 2){ + retval = KRB5_CC_BADNAME; + goto errout; + } + + rhost = malloc(server->data[1].length+1); + if (!rhost) { + retval = ENOMEM; + goto errout; + } + free_rhost = 1; + memcpy(rhost, server->data[1].data, server->data[1].length); + rhost[server->data[1].length] = '\0'; + } + + retval = krb5_os_hostaddr(context, rhost, &addrs); + if (retval) + goto errout; } - + creds.keyblock.enctype = enctype; creds.times = tgt.times; creds.times.starttime = 0; kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED; if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */ - kdcoptions &= ~(KDC_OPT_FORWARDABLE); + kdcoptions &= ~(KDC_OPT_FORWARDABLE); if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, - addrs, &creds, &pcreds))) { - if (enctype) { - creds.keyblock.enctype = 0; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, - addrs, &creds, &pcreds))) - goto errout; - } - else goto errout; + addrs, &creds, &pcreds))) { + if (enctype) { + creds.keyblock.enctype = 0; + if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, + addrs, &creds, &pcreds))) + goto errout; + } + else goto errout; } retval = krb5_mk_1cred(context, auth_context, pcreds, &scratch, &replaydata); krb5_free_creds(context, pcreds); if (retval) { - if (scratch) - krb5_free_data(context, scratch); + if (scratch) + krb5_free_data(context, scratch); } else { - *outbuf = *scratch; - free(scratch); + *outbuf = *scratch; + free(scratch); } - + errout: if (addrs) - krb5_free_addresses(context, addrs); + krb5_free_addresses(context, addrs); if (close_cc) - krb5_cc_close(context, cc); + krb5_cc_close(context, cc); if (free_rhost) - free(rhost); + free(rhost); krb5_free_cred_contents(context, &creds); krb5_free_cred_contents(context, &tgt); return retval; diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index 4102dd728..581d89d4d 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 1994,2003,2005,2007 by the Massachusetts Institute of Technology. * Copyright (c) 1994 CyberSAFE Corporation @@ -9,7 +10,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,11 +21,11 @@ * permission. Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a * fashion that it might be confused with the original M.I.T. software. - * Neither M.I.T., the Open Computing Security Group, nor + * Neither M.I.T., the Open Computing Security Group, nor * CyberSAFE Corporation make any representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * krb5_get_cred_from_kdc() and related functions: * * Get credentials from some KDC somewhere, possibly accumulating TGTs @@ -50,13 +51,13 @@ struct cc_tgts { }; /* NOTE: This only checks if NXT_TGT is CUR_CC_TGT. */ -#define NXT_TGT_IS_CACHED(ts) \ - ((ts)->nxt_tgt == (ts)->cur_cc_tgt) +#define NXT_TGT_IS_CACHED(ts) \ + ((ts)->nxt_tgt == (ts)->cur_cc_tgt) -#define MARK_CUR_CC_TGT_CLEAN(ts) \ -do { \ - (ts)->cc_tgts.dirty[(ts)->cc_tgts.cur] = 0; \ -} while (0) +#define MARK_CUR_CC_TGT_CLEAN(ts) \ + do { \ + (ts)->cc_tgts.dirty[(ts)->cc_tgts.cur] = 0; \ + } while (0) static void init_cc_tgts(struct tr_state *); static void shift_cc_tgts(struct tr_state *); @@ -137,8 +138,8 @@ static void tr_dbg_rtree(struct tr_state *, const char *, krb5_principal); * Certain krb5_cc_retrieve_cred() errors are soft errors when looking * for a cross-realm TGT. */ -#define HARD_CC_ERR(r) ((r) && (r) != KRB5_CC_NOTFOUND && \ - (r) != KRB5_CC_NOT_KTYPE) +#define HARD_CC_ERR(r) ((r) && (r) != KRB5_CC_NOTFOUND && \ + (r) != KRB5_CC_NOT_KTYPE) /* * Flags for ccache lookups of cross-realm TGTs. @@ -152,24 +153,24 @@ static void tr_dbg_rtree(struct tr_state *, const char *, krb5_principal); * Prototypes of helper functions */ static krb5_error_code tgt_mcred(krb5_context, krb5_principal, - krb5_principal, krb5_principal, krb5_creds *); + krb5_principal, krb5_principal, krb5_creds *); static krb5_error_code retr_local_tgt(struct tr_state *, krb5_principal); static krb5_error_code try_ccache(struct tr_state *, krb5_creds *); static krb5_error_code find_nxt_kdc(struct tr_state *); static krb5_error_code try_kdc(struct tr_state *, krb5_creds *); static krb5_error_code kdc_mcred(struct tr_state *, krb5_principal, - krb5_creds *mcreds); + krb5_creds *mcreds); static krb5_error_code next_closest_tgt(struct tr_state *, krb5_principal); static krb5_error_code init_rtree(struct tr_state *, - krb5_principal, krb5_principal); + krb5_principal, krb5_principal); static krb5_error_code do_traversal(krb5_context ctx, krb5_ccache, - krb5_principal client, krb5_principal server, - krb5_creds *out_cc_tgt, krb5_creds **out_tgt, - krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath); + krb5_principal client, krb5_principal server, + krb5_creds *out_cc_tgt, krb5_creds **out_tgt, + krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath); static krb5_error_code chase_offpath(struct tr_state *, krb5_principal, - krb5_principal); + krb5_principal); static krb5_error_code offpath_loopchk(struct tr_state *ts, - krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount); + krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount); /* * init_cc_tgts() @@ -210,8 +211,8 @@ shift_cc_tgts(struct tr_state *ts) rb->nxt = i; ts->nxt_cc_tgt = &rb->cred[i]; if (rb->dirty[i]) { - krb5_free_cred_contents(ts->ctx, &rb->cred[i]); - rb->dirty[i] = 0; + krb5_free_cred_contents(ts->ctx, &rb->cred[i]); + rb->dirty[i] = 0; } } @@ -228,10 +229,10 @@ clean_cc_tgts(struct tr_state *ts) rb = &ts->cc_tgts; for (i = 0; i < NCC_TGTS; i++) { - if (rb->dirty[i]) { - krb5_free_cred_contents(ts->ctx, &rb->cred[i]); - rb->dirty[i] = 0; - } + if (rb->dirty[i]) { + krb5_free_cred_contents(ts->ctx, &rb->cred[i]); + rb->dirty[i] = 0; + } } } @@ -257,18 +258,18 @@ tr_dbg(struct tr_state *ts, const char *prog) fprintf(stderr, "%s: nxt_kdc %s\n", prog, nxt_kdc_str); cleanup: if (cur_tgt_str) - krb5_free_unparsed_name(ts->ctx, cur_tgt_str); + krb5_free_unparsed_name(ts->ctx, cur_tgt_str); if (cur_kdc_str) - krb5_free_unparsed_name(ts->ctx, cur_kdc_str); + krb5_free_unparsed_name(ts->ctx, cur_kdc_str); if (nxt_kdc_str) - krb5_free_unparsed_name(ts->ctx, nxt_kdc_str); + krb5_free_unparsed_name(ts->ctx, nxt_kdc_str); } static void tr_dbg_ret(struct tr_state *ts, const char *prog, krb5_error_code ret) { fprintf(stderr, "%s: return %d (%s)\n", prog, (int)ret, - error_message(ret)); + error_message(ret)); } static void @@ -277,7 +278,7 @@ tr_dbg_rtree(struct tr_state *ts, const char *prog, krb5_principal princ) char *str; if (krb5_unparse_name(ts->ctx, princ, &str)) - return; + return; fprintf(stderr, "%s: %s\n", prog, str); krb5_free_unparsed_name(ts->ctx, str); } @@ -296,8 +297,8 @@ tr_dbg_rtree(struct tr_state *ts, const char *prog, krb5_principal princ) */ static krb5_error_code tgt_mcred(krb5_context ctx, krb5_principal client, - krb5_principal dst, krb5_principal src, - krb5_creds *mcreds) + krb5_principal dst, krb5_principal src, + krb5_creds *mcreds) { krb5_error_code retval; @@ -306,16 +307,16 @@ tgt_mcred(krb5_context ctx, krb5_principal client, retval = krb5_copy_principal(ctx, client, &mcreds->client); if (retval) - goto cleanup; + goto cleanup; retval = krb5_tgtname(ctx, krb5_princ_realm(ctx, dst), - krb5_princ_realm(ctx, src), &mcreds->server); + krb5_princ_realm(ctx, src), &mcreds->server); if (retval) - goto cleanup; + goto cleanup; cleanup: if (retval) - krb5_free_cred_contents(ctx, mcreds); + krb5_free_cred_contents(ctx, mcreds); return retval; } @@ -327,27 +328,27 @@ cleanup: */ static krb5_error_code init_rtree(struct tr_state *ts, - krb5_principal client, krb5_principal server) + krb5_principal client, krb5_principal server) { krb5_error_code retval; ts->kdc_list = NULL; retval = krb5_walk_realm_tree(ts->ctx, krb5_princ_realm(ts->ctx, client), - krb5_princ_realm(ts->ctx, server), - &ts->kdc_list, KRB5_REALM_BRANCH_CHAR); + krb5_princ_realm(ts->ctx, server), + &ts->kdc_list, KRB5_REALM_BRANCH_CHAR); if (retval) - return retval; + return retval; for (ts->nkdcs = 0; ts->kdc_list[ts->nkdcs]; ts->nkdcs++) { - assert(krb5_princ_size(ts->ctx, ts->kdc_list[ts->nkdcs]) == 2); - TR_DBG_RTREE(ts, "init_rtree", ts->kdc_list[ts->nkdcs]); + assert(krb5_princ_size(ts->ctx, ts->kdc_list[ts->nkdcs]) == 2); + TR_DBG_RTREE(ts, "init_rtree", ts->kdc_list[ts->nkdcs]); } assert(ts->nkdcs > 1); ts->lst_kdc = ts->kdc_list + ts->nkdcs - 1; ts->kdc_tgts = calloc(ts->nkdcs + 1, sizeof(krb5_creds)); if (ts->kdc_tgts == NULL) - return ENOMEM; + return ENOMEM; return 0; } @@ -366,16 +367,16 @@ retr_local_tgt(struct tr_state *ts, krb5_principal client) memset(&tgtq, 0, sizeof(tgtq)); retval = tgt_mcred(ts->ctx, client, client, client, &tgtq); if (retval) - return retval; + return retval; /* Match realm, unlike other ccache retrievals here. */ retval = krb5_cc_retrieve_cred(ts->ctx, ts->ccache, - KRB5_TC_SUPPORTED_KTYPES, - &tgtq, ts->nxt_cc_tgt); + KRB5_TC_SUPPORTED_KTYPES, + &tgtq, ts->nxt_cc_tgt); krb5_free_cred_contents(ts->ctx, &tgtq); if (!retval) { - shift_cc_tgts(ts); - ts->nxt_tgt = ts->cur_tgt = ts->cur_cc_tgt; + shift_cc_tgts(ts); + ts->nxt_tgt = ts->cur_tgt = ts->cur_cc_tgt; } return retval; } @@ -393,10 +394,10 @@ try_ccache(struct tr_state *ts, krb5_creds *tgtq) TR_DBG(ts, "try_ccache"); retval = krb5_cc_retrieve_cred(ts->ctx, ts->ccache, RETR_FLAGS, - tgtq, ts->nxt_cc_tgt); + tgtq, ts->nxt_cc_tgt); if (!retval) { - shift_cc_tgts(ts); - ts->nxt_tgt = ts->cur_cc_tgt; + shift_cc_tgts(ts); + ts->nxt_tgt = ts->cur_cc_tgt; } TR_DBG_RET(ts, "try_ccache", retval); return retval; @@ -436,31 +437,31 @@ find_nxt_kdc(struct tr_state *ts) assert(ts->ntgts > 0); assert(ts->nxt_tgt == ts->kdc_tgts[ts->ntgts-1]); if (krb5_princ_size(ts->ctx, ts->nxt_tgt->server) != 2) - return KRB5_KDCREP_MODIFIED; + return KRB5_KDCREP_MODIFIED; r1 = krb5_princ_component(ts->ctx, ts->nxt_tgt->server, 1); for (kdcptr = ts->cur_kdc + 1; *kdcptr != NULL; kdcptr++) { - r2 = krb5_princ_component(ts->ctx, *kdcptr, 1); + r2 = krb5_princ_component(ts->ctx, *kdcptr, 1); - if (r1 != NULL && r2 != NULL && data_eq(*r1, *r2)) { - break; - } + if (r1 != NULL && r2 != NULL && data_eq(*r1, *r2)) { + break; + } } if (*kdcptr != NULL) { - ts->nxt_kdc = kdcptr; - TR_DBG_RET(ts, "find_nxt_kdc", 0); - return 0; + ts->nxt_kdc = kdcptr; + TR_DBG_RET(ts, "find_nxt_kdc", 0); + return 0; } r2 = krb5_princ_component(ts->ctx, ts->kdc_list[0], 1); if (r1 != NULL && r2 != NULL && - r1->length == r2->length && - !memcmp(r1->data, r2->data, r1->length)) { - TR_DBG_RET(ts, "find_nxt_kdc: looped back to local", - KRB5_KDCREP_MODIFIED); - return KRB5_KDCREP_MODIFIED; + r1->length == r2->length && + !memcmp(r1->data, r2->data, r1->length)) { + TR_DBG_RET(ts, "find_nxt_kdc: looped back to local", + KRB5_KDCREP_MODIFIED); + return KRB5_KDCREP_MODIFIED; } /* @@ -469,11 +470,11 @@ find_nxt_kdc(struct tr_state *ts) */ ts->offpath_tgt = ts->nxt_tgt; if (ts->cur_kdc == ts->kdc_list) { - /* - * Local KDC referred us off path; trust it for caching - * purposes. - */ - return 0; + /* + * Local KDC referred us off path; trust it for caching + * purposes. + */ + return 0; } /* * Unlink the off-path TGT from KDC_TGTS but don't free it, @@ -500,20 +501,20 @@ try_kdc(struct tr_state *ts, krb5_creds *tgtq) TR_DBG(ts, "try_kdc"); /* This check should probably be in gc_via_tkt. */ if (!krb5_c_valid_enctype(ts->cur_tgt->keyblock.enctype)) - return KRB5_PROG_ETYPE_NOSUPP; + return KRB5_PROG_ETYPE_NOSUPP; ltgtq = *tgtq; ltgtq.is_skey = FALSE; ltgtq.ticket_flags = ts->cur_tgt->ticket_flags; retval = krb5_get_cred_via_tkt(ts->ctx, ts->cur_tgt, - FLAGS2OPTS(ltgtq.ticket_flags), - ts->cur_tgt->addresses, - <gtq, &ts->kdc_tgts[ts->ntgts++]); + FLAGS2OPTS(ltgtq.ticket_flags), + ts->cur_tgt->addresses, + <gtq, &ts->kdc_tgts[ts->ntgts++]); if (retval) { - ts->ntgts--; - ts->nxt_tgt = ts->cur_tgt; - TR_DBG_RET(ts, "try_kdc", retval); - return retval; + ts->ntgts--; + ts->nxt_tgt = ts->cur_tgt; + TR_DBG_RET(ts, "try_kdc", retval); + return retval; } ts->nxt_tgt = ts->kdc_tgts[ts->ntgts-1]; retval = find_nxt_kdc(ts); @@ -544,15 +545,15 @@ kdc_mcred(struct tr_state *ts, krb5_principal client, krb5_creds *mcreds) rsrc = krb5_princ_component(ts->ctx, *ts->cur_kdc, 1); retval = krb5_copy_principal(ts->ctx, client, &mcreds->client); if (retval) - goto cleanup; + goto cleanup; retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcreds->server); if (retval) - goto cleanup; + goto cleanup; cleanup: if (retval) - krb5_free_cred_contents(ts->ctx, mcreds); + krb5_free_cred_contents(ts->ctx, mcreds); return retval; } @@ -574,30 +575,30 @@ next_closest_tgt(struct tr_state *ts, krb5_principal client) memset(&tgtq, 0, sizeof(tgtq)); for (ts->nxt_kdc = ts->lst_kdc; - ts->nxt_kdc > ts->cur_kdc; - ts->nxt_kdc--) { - - krb5_free_cred_contents(ts->ctx, &tgtq); - retval = kdc_mcred(ts, client, &tgtq); - if (retval) - goto cleanup; - /* Don't waste time retrying ccache for direct path. */ - if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) { - retval = try_ccache(ts, &tgtq); - if (!retval) - break; - if (HARD_CC_ERR(retval)) - goto cleanup; - } - /* Not in the ccache, so talk to a KDC. */ - retval = try_kdc(ts, &tgtq); - if (!retval) { - break; - } - /* - * In case of errors in try_kdc() or find_nxt_kdc(), continue - * looping through the KDC list. - */ + ts->nxt_kdc > ts->cur_kdc; + ts->nxt_kdc--) { + + krb5_free_cred_contents(ts->ctx, &tgtq); + retval = kdc_mcred(ts, client, &tgtq); + if (retval) + goto cleanup; + /* Don't waste time retrying ccache for direct path. */ + if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) { + retval = try_ccache(ts, &tgtq); + if (!retval) + break; + if (HARD_CC_ERR(retval)) + goto cleanup; + } + /* Not in the ccache, so talk to a KDC. */ + retval = try_kdc(ts, &tgtq); + if (!retval) { + break; + } + /* + * In case of errors in try_kdc() or find_nxt_kdc(), continue + * looping through the KDC list. + */ } /* * If we have a non-zero retval, we either have a hard error or we @@ -700,13 +701,13 @@ cleanup: */ static krb5_error_code do_traversal(krb5_context ctx, - krb5_ccache ccache, - krb5_principal client, - krb5_principal server, - krb5_creds *out_cc_tgt, - krb5_creds **out_tgt, - krb5_creds ***out_kdc_tgts, - int *tgtptr_isoffpath) + krb5_ccache ccache, + krb5_principal client, + krb5_principal server, + krb5_creds *out_cc_tgt, + krb5_creds **out_tgt, + krb5_creds ***out_kdc_tgts, + int *tgtptr_isoffpath) { krb5_error_code retval; struct tr_state state, *ts; @@ -721,51 +722,51 @@ do_traversal(krb5_context ctx, retval = init_rtree(ts, client, server); if (retval) - goto cleanup; + goto cleanup; retval = retr_local_tgt(ts, client); if (retval) - goto cleanup; + goto cleanup; for (ts->cur_kdc = ts->kdc_list, ts->nxt_kdc = NULL; - ts->cur_kdc != NULL && ts->cur_kdc < ts->lst_kdc; - ts->cur_kdc = ts->nxt_kdc, ts->cur_tgt = ts->nxt_tgt) { - - retval = next_closest_tgt(ts, client); - if (retval) - goto cleanup; - - if (ts->offpath_tgt != NULL) { - retval = chase_offpath(ts, client, server); - if (retval) - goto cleanup; - break; - } - assert(ts->cur_kdc != ts->nxt_kdc); + ts->cur_kdc != NULL && ts->cur_kdc < ts->lst_kdc; + ts->cur_kdc = ts->nxt_kdc, ts->cur_tgt = ts->nxt_tgt) { + + retval = next_closest_tgt(ts, client); + if (retval) + goto cleanup; + + if (ts->offpath_tgt != NULL) { + retval = chase_offpath(ts, client, server); + if (retval) + goto cleanup; + break; + } + assert(ts->cur_kdc != ts->nxt_kdc); } if (NXT_TGT_IS_CACHED(ts)) { - assert(ts->offpath_tgt == NULL); - *out_cc_tgt = *ts->cur_cc_tgt; - *out_tgt = out_cc_tgt; - MARK_CUR_CC_TGT_CLEAN(ts); + assert(ts->offpath_tgt == NULL); + *out_cc_tgt = *ts->cur_cc_tgt; + *out_tgt = out_cc_tgt; + MARK_CUR_CC_TGT_CLEAN(ts); } else if (ts->offpath_tgt != NULL){ - *out_tgt = ts->offpath_tgt; + *out_tgt = ts->offpath_tgt; } else { - /* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */ - *out_tgt = ts->nxt_tgt; + /* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */ + *out_tgt = ts->nxt_tgt; } cleanup: clean_cc_tgts(ts); if (ts->kdc_list != NULL) - krb5_free_realm_tree(ctx, ts->kdc_list); + krb5_free_realm_tree(ctx, ts->kdc_list); if (ts->ntgts == 0) { - *out_kdc_tgts = NULL; - if (ts->kdc_tgts != NULL) - free(ts->kdc_tgts); + *out_kdc_tgts = NULL; + if (ts->kdc_tgts != NULL) + free(ts->kdc_tgts); } else - *out_kdc_tgts = ts->kdc_tgts; + *out_kdc_tgts = ts->kdc_tgts; *tgtptr_isoffpath = (ts->offpath_tgt != NULL); return retval; } @@ -785,7 +786,7 @@ cleanup: */ static krb5_error_code chase_offpath(struct tr_state *ts, - krb5_principal client, krb5_principal server) + krb5_principal client, krb5_principal server) { krb5_error_code retval; krb5_creds mcred; @@ -797,61 +798,61 @@ chase_offpath(struct tr_state *ts, cur_tgt = ts->offpath_tgt; for (rcount = 0; rcount < KRB5_REFERRAL_MAXHOPS; rcount++) { - nxt_tgt = NULL; - memset(&mcred, 0, sizeof(mcred)); - rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1); - retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server); - if (retval) - goto cleanup; - mcred.client = client; + nxt_tgt = NULL; + memset(&mcred, 0, sizeof(mcred)); + rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1); + retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server); + if (retval) + goto cleanup; + mcred.client = client; retval = krb5_get_cred_via_tkt(ts->ctx, cur_tgt, - FLAGS2OPTS(cur_tgt->ticket_flags), - cur_tgt->addresses, &mcred, &nxt_tgt); - mcred.client = NULL; - krb5_free_principal(ts->ctx, mcred.server); - mcred.server = NULL; - if (retval) - goto cleanup; - if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) { - retval = KRB5_KDCREP_MODIFIED; - goto cleanup; - } - r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1); - if (rdst->length == r1->length && - !memcmp(rdst->data, r1->data, rdst->length)) { - retval = 0; - goto cleanup; - } - retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount); - if (retval) - goto cleanup; - reftgts[rcount] = nxt_tgt; - cur_tgt = nxt_tgt; - nxt_tgt = NULL; + FLAGS2OPTS(cur_tgt->ticket_flags), + cur_tgt->addresses, &mcred, &nxt_tgt); + mcred.client = NULL; + krb5_free_principal(ts->ctx, mcred.server); + mcred.server = NULL; + if (retval) + goto cleanup; + if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) { + retval = KRB5_KDCREP_MODIFIED; + goto cleanup; + } + r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1); + if (rdst->length == r1->length && + !memcmp(rdst->data, r1->data, rdst->length)) { + retval = 0; + goto cleanup; + } + retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount); + if (retval) + goto cleanup; + reftgts[rcount] = nxt_tgt; + cur_tgt = nxt_tgt; + nxt_tgt = NULL; } /* Max hop count exceeded. */ retval = KRB5_KDCREP_MODIFIED; cleanup: if (mcred.server != NULL) { - krb5_free_principal(ts->ctx, mcred.server); + krb5_free_principal(ts->ctx, mcred.server); } /* * Don't free TS->OFFPATH_TGT if it's in the list of cacheable * TGTs to be returned by do_traversal(). */ if (ts->offpath_tgt != ts->nxt_tgt) { - krb5_free_creds(ts->ctx, ts->offpath_tgt); + krb5_free_creds(ts->ctx, ts->offpath_tgt); } ts->offpath_tgt = NULL; if (nxt_tgt != NULL) { - if (retval) - krb5_free_creds(ts->ctx, nxt_tgt); - else - ts->offpath_tgt = nxt_tgt; + if (retval) + krb5_free_creds(ts->ctx, nxt_tgt); + else + ts->offpath_tgt = nxt_tgt; } for (i = 0; i < rcount; i++) { - krb5_free_creds(ts->ctx, reftgts[i]); + krb5_free_creds(ts->ctx, reftgts[i]); } return retval; } @@ -864,23 +865,23 @@ cleanup: */ static krb5_error_code offpath_loopchk(struct tr_state *ts, - krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount) + krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount) { krb5_data *r1, *r2; unsigned int i; r1 = krb5_princ_component(ts->ctx, tgt->server, 1); for (i = 0; i < rcount; i++) { - r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1); - if (r1->length == r2->length && - !memcmp(r1->data, r2->data, r1->length)) - return KRB5_KDCREP_MODIFIED; + r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1); + if (r1->length == r2->length && + !memcmp(r1->data, r2->data, r1->length)) + return KRB5_KDCREP_MODIFIED; } for (i = 0; i < ts->ntgts; i++) { - r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1); - if (r1->length == r2->length && - !memcmp(r1->data, r2->data, r1->length)) - return KRB5_KDCREP_MODIFIED; + r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1); + if (r1->length == r2->length && + !memcmp(r1->data, r2->data, r1->length)) + return KRB5_KDCREP_MODIFIED; } return 0; } @@ -923,8 +924,8 @@ offpath_loopchk(struct tr_state *ts, krb5_error_code krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, - krb5_creds *in_cred, krb5_creds **out_cred, - krb5_creds ***tgts, int kdcopt) + krb5_creds *in_cred, krb5_creds **out_cred, + krb5_creds ***tgts, int kdcopt) { krb5_error_code retval, subretval; krb5_principal client, server, supplied_server, out_supplied_server; @@ -936,7 +937,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, unsigned int referral_count, i; krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL; - /* + /* * Set up client and server pointers. Make a fresh and modifyable * copy of the in_cred server and save the supplied version. */ @@ -945,17 +946,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, return retval; /* We need a second copy for the output creds. */ if ((retval = krb5_copy_principal(context, server, - &out_supplied_server)) != 0 ) { - krb5_free_principal(context, server); - return retval; + &out_supplied_server)) != 0 ) { + krb5_free_principal(context, server); + return retval; } if (in_cred->authdata != NULL) { - if ((retval = krb5_copy_authdata(context, in_cred->authdata, - &out_supplied_authdata)) != 0) { - krb5_free_principal(context, out_supplied_server); - krb5_free_principal(context, server); - return retval; - } + if ((retval = krb5_copy_authdata(context, in_cred->authdata, + &out_supplied_authdata)) != 0) { + krb5_free_principal(context, out_supplied_server); + krb5_free_principal(context, server); + return retval; + } } supplied_server = in_cred->server; @@ -977,16 +978,16 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, if (krb5_is_referral_realm(&server->realm)) { /* Use the client realm. */ DPRINTF(("gc_from_kdc: no server realm supplied, " - "using client realm.\n")); - krb5_free_data_contents(context, &server->realm); - server->realm.data = malloc(client->realm.length + 1); - if (server->realm.data == NULL) { - retval = ENOMEM; - goto cleanup; - } - memcpy(server->realm.data, client->realm.data, client->realm.length); - server->realm.length = client->realm.length; - server->realm.data[server->realm.length] = 0; + "using client realm.\n")); + krb5_free_data_contents(context, &server->realm); + server->realm.data = malloc(client->realm.length + 1); + if (server->realm.data == NULL) { + retval = ENOMEM; + goto cleanup; + } + memcpy(server->realm.data, client->realm.data, client->realm.length); + server->realm.length = client->realm.length; + server->realm.data[server->realm.length] = 0; } /* * Retreive initial TGT to match the specified server, either for the @@ -995,21 +996,21 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, */ retval = tgt_mcred(context, client, server, client, &tgtq); if (retval) - goto cleanup; + goto cleanup; /* Fast path: Is it in the ccache? */ context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS, - &tgtq, &cc_tgt); + &tgtq, &cc_tgt); if (!retval) { - tgtptr = &cc_tgt; + tgtptr = &cc_tgt; } else if (!HARD_CC_ERR(retval)) { DPRINTF(("gc_from_kdc: starting do_traversal to find " - "initial TGT for referral\n")); - tgtptr_isoffpath = 0; - otgtptr = NULL; - retval = do_traversal(context, ccache, client, server, - &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); + "initial TGT for referral\n")); + tgtptr_isoffpath = 0; + otgtptr = NULL; + retval = do_traversal(context, ccache, client, server, + &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); } if (retval) { DPRINTF(("gc_from_kdc: failed to find initial TGT for referral\n")); @@ -1019,8 +1020,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, DUMP_PRINC("gc_from_kdc: server as requested", supplied_server); if (in_cred->second_ticket.length != 0 && - (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) { - kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY; + (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) { + kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY; } /* @@ -1035,152 +1036,152 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, */ otgtptr = tgtptr; for (referral_count = 0; - referral_count < KRB5_REFERRAL_MAXHOPS; - referral_count++) { + referral_count < KRB5_REFERRAL_MAXHOPS; + referral_count++) { #if 0 DUMP_PRINC("gc_from_kdc: referral loop: tgt in use", tgtptr->server); DUMP_PRINC("gc_from_kdc: referral loop: request is for", server); #endif retval = krb5_get_cred_via_tkt(context, tgtptr, - KDC_OPT_CANONICALIZE | - FLAGS2OPTS(tgtptr->ticket_flags) | - kdcopt, - tgtptr->addresses, in_cred, out_cred); - if (retval) { - DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n", - error_message(retval))); - /* If we haven't gone anywhere yet, fail through to the - non-referral case. */ - if (referral_count==0) { - DPRINTF(("gc_from_kdc: initial referral failed; " - "punting to fallback.\n")); - break; - } - /* Otherwise, try the same query without canonicalization - set, and fail hard if that doesn't work. */ - DPRINTF(("gc_from_kdc: referral #%d failed; " - "retrying without option.\n", referral_count + 1)); - retval = krb5_get_cred_via_tkt(context, tgtptr, - FLAGS2OPTS(tgtptr->ticket_flags) | - kdcopt, - tgtptr->addresses, - in_cred, out_cred); - /* Whether or not that succeeded, we're done. */ - goto cleanup; - } - /* Referral request succeeded; let's see what it is. */ - if (krb5_principal_compare(context, in_cred->server, - (*out_cred)->server)) { - DPRINTF(("gc_from_kdc: request generated ticket " - "for requested server principal\n")); - DUMP_PRINC("gc_from_kdc final referred reply", - in_cred->server); - - /* - * Check if the return enctype is one that we requested if - * needed. - */ - if (old_use_conf_ktypes || !context->tgs_etypes) - goto cleanup; - for (i = 0; context->tgs_etypes[i]; i++) { - if ((*out_cred)->keyblock.enctype == context->tgs_etypes[i]) { - /* Found an allowable etype, so we're done */ - goto cleanup; - } - } - /* - * We need to try again, but this time use the - * tgs_ktypes in the context. At this point we should - * have all the tgts to succeed. - */ - - /* Free "wrong" credential */ - krb5_free_creds(context, *out_cred); - *out_cred = NULL; - /* Re-establish tgs etypes */ - context->use_conf_ktypes = old_use_conf_ktypes; - retval = krb5_get_cred_via_tkt(context, tgtptr, - KDC_OPT_CANONICALIZE | - FLAGS2OPTS(tgtptr->ticket_flags) | - kdcopt, - tgtptr->addresses, - in_cred, out_cred); - goto cleanup; - } - else if (IS_TGS_PRINC(context, (*out_cred)->server)) { - krb5_data *r1, *r2; - - DPRINTF(("gc_from_kdc: request generated referral tgt\n")); - DUMP_PRINC("gc_from_kdc credential received", - (*out_cred)->server); - - if (referral_count == 0) - r1 = &tgtptr->server->data[1]; - else - r1 = &referral_tgts[referral_count-1]->server->data[1]; - - r2 = &(*out_cred)->server->data[1]; - if (data_eq(*r1, *r2)) { - DPRINTF(("gc_from_kdc: referred back to " - "previous realm; fall back\n")); - krb5_free_creds(context, *out_cred); - *out_cred = NULL; - break; - } - /* Check for referral routing loop. */ - for (i=0;iticket_flags) | + kdcopt, + tgtptr->addresses, in_cred, out_cred); + if (retval) { + DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n", + error_message(retval))); + /* If we haven't gone anywhere yet, fail through to the + non-referral case. */ + if (referral_count==0) { + DPRINTF(("gc_from_kdc: initial referral failed; " + "punting to fallback.\n")); + break; + } + /* Otherwise, try the same query without canonicalization + set, and fail hard if that doesn't work. */ + DPRINTF(("gc_from_kdc: referral #%d failed; " + "retrying without option.\n", referral_count + 1)); + retval = krb5_get_cred_via_tkt(context, tgtptr, + FLAGS2OPTS(tgtptr->ticket_flags) | + kdcopt, + tgtptr->addresses, + in_cred, out_cred); + /* Whether or not that succeeded, we're done. */ + goto cleanup; + } + /* Referral request succeeded; let's see what it is. */ + if (krb5_principal_compare(context, in_cred->server, + (*out_cred)->server)) { + DPRINTF(("gc_from_kdc: request generated ticket " + "for requested server principal\n")); + DUMP_PRINC("gc_from_kdc final referred reply", + in_cred->server); + + /* + * Check if the return enctype is one that we requested if + * needed. + */ + if (old_use_conf_ktypes || !context->tgs_etypes) + goto cleanup; + for (i = 0; context->tgs_etypes[i]; i++) { + if ((*out_cred)->keyblock.enctype == context->tgs_etypes[i]) { + /* Found an allowable etype, so we're done */ + goto cleanup; + } + } + /* + * We need to try again, but this time use the + * tgs_ktypes in the context. At this point we should + * have all the tgts to succeed. + */ + + /* Free "wrong" credential */ + krb5_free_creds(context, *out_cred); + *out_cred = NULL; + /* Re-establish tgs etypes */ + context->use_conf_ktypes = old_use_conf_ktypes; + retval = krb5_get_cred_via_tkt(context, tgtptr, + KDC_OPT_CANONICALIZE | + FLAGS2OPTS(tgtptr->ticket_flags) | + kdcopt, + tgtptr->addresses, + in_cred, out_cred); + goto cleanup; + } + else if (IS_TGS_PRINC(context, (*out_cred)->server)) { + krb5_data *r1, *r2; + + DPRINTF(("gc_from_kdc: request generated referral tgt\n")); + DUMP_PRINC("gc_from_kdc credential received", + (*out_cred)->server); + + if (referral_count == 0) + r1 = &tgtptr->server->data[1]; + else + r1 = &referral_tgts[referral_count-1]->server->data[1]; + + r2 = &(*out_cred)->server->data[1]; + if (data_eq(*r1, *r2)) { + DPRINTF(("gc_from_kdc: referred back to " + "previous realm; fall back\n")); + krb5_free_creds(context, *out_cred); + *out_cred = NULL; + break; + } + /* Check for referral routing loop. */ + for (i=0;iserver); - DUMP_PRINC("gc_from_kdc: loop compare #2", - referral_tgts[i]->server); + DUMP_PRINC("gc_from_kdc: loop compare #1", + (*out_cred)->server); + DUMP_PRINC("gc_from_kdc: loop compare #2", + referral_tgts[i]->server); #endif - if (krb5_principal_compare(context, - (*out_cred)->server, - referral_tgts[i]->server)) { - DFPRINTF((stderr, - "krb5_get_cred_from_kdc_opt: " - "referral routing loop - " - "got referral back to hop #%d\n", i)); - retval=KRB5_KDC_UNREACH; - goto cleanup; - } - } - /* Point current tgt pointer at newly-received TGT. */ - if (tgtptr == &cc_tgt) - krb5_free_cred_contents(context, tgtptr); - tgtptr=*out_cred; - /* Save requested auth data with TGT in case it ends up stored */ - if (supplied_authdata != NULL) { - /* Ensure we note TGT contains authorization data */ - retval = krb5_copy_authdata(context, - supplied_authdata, - &(*out_cred)->authdata); - if (retval) - goto cleanup; - } - /* Save pointer to tgt in referral_tgts. */ - referral_tgts[referral_count]=*out_cred; - *out_cred = NULL; - /* Copy krbtgt realm to server principal. */ - krb5_free_data_contents(context, &server->realm); - retval = krb5int_copy_data_contents(context, - &tgtptr->server->data[1], - &server->realm); - if (retval) - goto cleanup; - /* Don't ask for KDC to add auth data multiple times */ - in_cred->authdata = NULL; - /* - * Future work: rewrite server principal per any - * supplied padata. - */ - } else { - /* Not a TGT; punt to fallback. */ - krb5_free_creds(context, *out_cred); - *out_cred = NULL; - break; - } + if (krb5_principal_compare(context, + (*out_cred)->server, + referral_tgts[i]->server)) { + DFPRINTF((stderr, + "krb5_get_cred_from_kdc_opt: " + "referral routing loop - " + "got referral back to hop #%d\n", i)); + retval=KRB5_KDC_UNREACH; + goto cleanup; + } + } + /* Point current tgt pointer at newly-received TGT. */ + if (tgtptr == &cc_tgt) + krb5_free_cred_contents(context, tgtptr); + tgtptr=*out_cred; + /* Save requested auth data with TGT in case it ends up stored */ + if (supplied_authdata != NULL) { + /* Ensure we note TGT contains authorization data */ + retval = krb5_copy_authdata(context, + supplied_authdata, + &(*out_cred)->authdata); + if (retval) + goto cleanup; + } + /* Save pointer to tgt in referral_tgts. */ + referral_tgts[referral_count]=*out_cred; + *out_cred = NULL; + /* Copy krbtgt realm to server principal. */ + krb5_free_data_contents(context, &server->realm); + retval = krb5int_copy_data_contents(context, + &tgtptr->server->data[1], + &server->realm); + if (retval) + goto cleanup; + /* Don't ask for KDC to add auth data multiple times */ + in_cred->authdata = NULL; + /* + * Future work: rewrite server principal per any + * supplied padata. + */ + } else { + /* Not a TGT; punt to fallback. */ + krb5_free_creds(context, *out_cred); + *out_cred = NULL; + break; + } } DUMP_PRINC("gc_from_kdc client at fallback", client); @@ -1198,33 +1199,33 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, */ if (krb5_is_referral_realm(&supplied_server->realm)) { if (server->length >= 2) { - retval=krb5_get_fallback_host_realm(context, &server->data[1], - &hrealms); - if (retval) goto cleanup; + retval=krb5_get_fallback_host_realm(context, &server->data[1], + &hrealms); + if (retval) goto cleanup; #if 0 - DPRINTF(("gc_from_kdc: using fallback realm of %s\n", - hrealms[0])); + DPRINTF(("gc_from_kdc: using fallback realm of %s\n", + hrealms[0])); #endif - krb5_free_data_contents(context,&in_cred->server->realm); - server->realm.data=hrealms[0]; - server->realm.length=strlen(hrealms[0]); - free(hrealms); - } - else { - /* - * Problem case: Realm tagged for referral but apparently not - * in a / format that - * krb5_get_fallback_host_realm can deal with. - */ - DPRINTF(("gc_from_kdc: referral specified " - "but no fallback realm avaiable!\n")); - retval = KRB5_ERR_HOST_REALM_UNKNOWN; - goto cleanup; - } + krb5_free_data_contents(context,&in_cred->server->realm); + server->realm.data=hrealms[0]; + server->realm.length=strlen(hrealms[0]); + free(hrealms); + } + else { + /* + * Problem case: Realm tagged for referral but apparently not + * in a / format that + * krb5_get_fallback_host_realm can deal with. + */ + DPRINTF(("gc_from_kdc: referral specified " + "but no fallback realm avaiable!\n")); + retval = KRB5_ERR_HOST_REALM_UNKNOWN; + goto cleanup; + } } DUMP_PRINC("gc_from_kdc server at fallback after fallback rewrite", - server); + server); /* * Get a TGT for the target realm. @@ -1233,37 +1234,37 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_free_cred_contents(context, &tgtq); retval = tgt_mcred(context, client, server, client, &tgtq); if (retval) - goto cleanup; + goto cleanup; /* Fast path: Is it in the ccache? */ /* Free tgtptr data if reused from above. */ if (tgtptr == &cc_tgt) - krb5_free_cred_contents(context, tgtptr); + krb5_free_cred_contents(context, tgtptr); tgtptr = NULL; /* Free saved TGT in OTGTPTR if it was off-path. */ if (tgtptr_isoffpath) - krb5_free_creds(context, otgtptr); + krb5_free_creds(context, otgtptr); otgtptr = NULL; /* Free TGTS if previously filled by do_traversal() */ if (*tgts != NULL) { - for (i = 0; (*tgts)[i] != NULL; i++) { - krb5_free_creds(context, (*tgts)[i]); - } - free(*tgts); - *tgts = NULL; + for (i = 0; (*tgts)[i] != NULL; i++) { + krb5_free_creds(context, (*tgts)[i]); + } + free(*tgts); + *tgts = NULL; } context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS, - &tgtq, &cc_tgt); + &tgtq, &cc_tgt); if (!retval) { - tgtptr = &cc_tgt; + tgtptr = &cc_tgt; } else if (!HARD_CC_ERR(retval)) { - tgtptr_isoffpath = 0; - retval = do_traversal(context, ccache, client, server, - &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); + tgtptr_isoffpath = 0; + retval = do_traversal(context, ccache, client, server, + &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); } if (retval) - goto cleanup; + goto cleanup; otgtptr = tgtptr; /* @@ -1271,44 +1272,44 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, */ if (!krb5_c_valid_enctype(tgtptr->keyblock.enctype)) { - retval = KRB5_PROG_ETYPE_NOSUPP; - goto cleanup; + retval = KRB5_PROG_ETYPE_NOSUPP; + goto cleanup; } context->use_conf_ktypes = old_use_conf_ktypes; retval = krb5_get_cred_via_tkt(context, tgtptr, - FLAGS2OPTS(tgtptr->ticket_flags) | - kdcopt, - tgtptr->addresses, in_cred, out_cred); + FLAGS2OPTS(tgtptr->ticket_flags) | + kdcopt, + tgtptr->addresses, in_cred, out_cred); cleanup: krb5_free_cred_contents(context, &tgtq); if (tgtptr == &cc_tgt) - krb5_free_cred_contents(context, tgtptr); + krb5_free_cred_contents(context, tgtptr); if (tgtptr_isoffpath) - krb5_free_creds(context, otgtptr); + krb5_free_creds(context, otgtptr); context->use_conf_ktypes = old_use_conf_ktypes; /* Drop the original principal back into in_cred so that it's cached in the expected format. */ DUMP_PRINC("gc_from_kdc: final hacked server principal at cleanup", - server); + server); krb5_free_principal(context, server); in_cred->server = supplied_server; in_cred->authdata = supplied_authdata; if (*out_cred && !retval) { /* Success: free server, swap supplied server back in. */ krb5_free_principal (context, (*out_cred)->server); - (*out_cred)->server = out_supplied_server; - assert((*out_cred)->authdata == NULL); - (*out_cred)->authdata = out_supplied_authdata; + (*out_cred)->server = out_supplied_server; + assert((*out_cred)->authdata == NULL); + (*out_cred)->authdata = out_supplied_authdata; } else { - /* - * Failure: free out_supplied_server. Don't free out_cred here - * since it's either null or a referral TGT that we free below, - * and we may need it to return. - */ + /* + * Failure: free out_supplied_server. Don't free out_cred here + * since it's either null or a referral TGT that we free below, + * and we may need it to return. + */ krb5_free_principal(context, out_supplied_server); - krb5_free_authdata(context, out_supplied_authdata); + krb5_free_authdata(context, out_supplied_authdata); } DUMP_PRINC("gc_from_kdc: final server after reversion", in_cred->server); /* @@ -1323,74 +1324,74 @@ cleanup: if (*tgts == NULL) { if (referral_tgts[0]) { #if 0 - /* - * This should possibly be a check on the candidate return - * credential against the cache, in the circumstance where we - * don't want to clutter the cache with near-duplicate - * credentials on subsequent iterations. For now, it is - * disabled. - */ - subretval=...?; - if (subretval) { + /* + * This should possibly be a check on the candidate return + * credential against the cache, in the circumstance where we + * don't want to clutter the cache with near-duplicate + * credentials on subsequent iterations. For now, it is + * disabled. + */ + subretval=...?; + if (subretval) { #endif - /* Allocate returnable TGT list. */ - *tgts = calloc(2, sizeof (krb5_creds *)); - if (*tgts == NULL && retval == 0) - retval = ENOMEM; - if (*tgts) { - subretval = krb5_copy_creds(context, referral_tgts[0], - &((*tgts)[0])); - if (subretval) { - if (retval == 0) - retval = subretval; - free(*tgts); - *tgts = NULL; - } else { - (*tgts)[1] = NULL; - DUMP_PRINC("gc_from_kdc: referral TGT for ccache", - (*tgts)[0]->server); - } - } + /* Allocate returnable TGT list. */ + *tgts = calloc(2, sizeof (krb5_creds *)); + if (*tgts == NULL && retval == 0) + retval = ENOMEM; + if (*tgts) { + subretval = krb5_copy_creds(context, referral_tgts[0], + &((*tgts)[0])); + if (subretval) { + if (retval == 0) + retval = subretval; + free(*tgts); + *tgts = NULL; + } else { + (*tgts)[1] = NULL; + DUMP_PRINC("gc_from_kdc: referral TGT for ccache", + (*tgts)[0]->server); + } + } #if 0 - } + } #endif - } + } } /* Free referral TGTs list. */ for (i=0;iclient, - &(*ppcreds)->client))) + &(*ppcreds)->client))) goto cleanup; if ((retval = krb5_copy_principal(context, pkdcrep->enc_part2->server, - &(*ppcreds)->server))) + &(*ppcreds)->server))) goto cleanup; - if ((retval = krb5_copy_keyblock_contents(context, - pkdcrep->enc_part2->session, - &(*ppcreds)->keyblock))) + if ((retval = krb5_copy_keyblock_contents(context, + pkdcrep->enc_part2->session, + &(*ppcreds)->keyblock))) goto cleanup; if ((retval = krb5_copy_data(context, psectkt, &pdata))) - goto cleanup_keyblock; + goto cleanup_keyblock; (*ppcreds)->second_ticket = *pdata; free(pdata); @@ -63,22 +64,22 @@ krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *con (*ppcreds)->times = pkdcrep->enc_part2->times; (*ppcreds)->magic = KV5M_CREDS; - (*ppcreds)->authdata = NULL; /* not used */ + (*ppcreds)->authdata = NULL; /* not used */ (*ppcreds)->is_skey = psectkt->length != 0; if (pkdcrep->enc_part2->caddrs) { - if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs, - &(*ppcreds)->addresses))) - goto cleanup_keyblock; + if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs, + &(*ppcreds)->addresses))) + goto cleanup_keyblock; } else { - /* no addresses in the list means we got what we had */ - if ((retval = krb5_copy_addresses(context, address, - &(*ppcreds)->addresses))) - goto cleanup_keyblock; + /* no addresses in the list means we got what we had */ + if ((retval = krb5_copy_addresses(context, address, + &(*ppcreds)->addresses))) + goto cleanup_keyblock; } if ((retval = encode_krb5_ticket(pkdcrep->ticket, &pdata))) - goto cleanup_keyblock; + goto cleanup_keyblock; (*ppcreds)->ticket = *pdata; free(pdata); @@ -92,43 +93,43 @@ cleanup: *ppcreds = NULL; return retval; } - + static krb5_error_code check_reply_server(krb5_context context, krb5_flags kdcoptions, - krb5_creds *in_cred, krb5_kdc_rep *dec_rep) + krb5_creds *in_cred, krb5_kdc_rep *dec_rep) { if (!krb5_principal_compare(context, dec_rep->ticket->server, - dec_rep->enc_part2->server)) - return KRB5_KDCREP_MODIFIED; + dec_rep->enc_part2->server)) + return KRB5_KDCREP_MODIFIED; /* Reply is self-consistent. */ if (krb5_principal_compare(context, dec_rep->ticket->server, - in_cred->server)) - return 0; + in_cred->server)) + return 0; /* Server in reply differs from what we requested. */ if (kdcoptions & KDC_OPT_CANONICALIZE) { - /* in_cred server differs from ticket returned, but ticket - returned is consistent and we requested canonicalization. */ + /* in_cred server differs from ticket returned, but ticket + returned is consistent and we requested canonicalization. */ #if 0 #ifdef DEBUG_REFERRALS - printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n"); - krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server); - krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server); + printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n"); + krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server); + krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server); #endif #endif - return 0; + return 0; } /* We didn't request canonicalization. */ if (!IS_TGS_PRINC(context, in_cred->server) || - !IS_TGS_PRINC(context, dec_rep->ticket->server)) { - /* Canonicalization not requested, and not a TGS referral. */ - return KRB5_KDCREP_MODIFIED; + !IS_TGS_PRINC(context, dec_rep->ticket->server)) { + /* Canonicalization not requested, and not a TGS referral. */ + return KRB5_KDCREP_MODIFIED; } #if 0 /* @@ -136,288 +137,288 @@ check_reply_server(krb5_context context, krb5_flags kdcoptions, * effectively checks this. */ if (krb5_realm_compare(context, in_cred->client, in_cred->server) && - data_eq(*in_cred->server->data[1], *in_cred->client->realm) { - /* Attempted to rewrite local TGS. */ - return KRB5_KDCREP_MODIFIED; - } + data_eq(*in_cred->server->data[1], *in_cred->client->realm) { + /* Attempted to rewrite local TGS. */ + return KRB5_KDCREP_MODIFIED; + } #endif - return 0; -} + return 0; + } /* Return true if a TGS credential is for the client's local realm. */ -static inline int -tgt_is_local_realm(krb5_creds *tgt) -{ - return (tgt->server->length == 2 - && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME) - && data_eq(tgt->server->data[1], tgt->client->realm) - && data_eq(tgt->server->realm, tgt->client->realm)); -} + static inline int + tgt_is_local_realm(krb5_creds *tgt) + { + return (tgt->server->length == 2 + && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME) + && data_eq(tgt->server->data[1], tgt->client->realm) + && data_eq(tgt->server->realm, tgt->client->realm)); + } -krb5_error_code -krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, - krb5_flags kdcoptions, krb5_address *const *address, - krb5_creds *in_cred, krb5_creds **out_cred) -{ - return krb5_get_cred_via_tkt_ext (context, tkt, - kdcoptions, address, - NULL, in_cred, NULL, NULL, - NULL, NULL, out_cred, NULL); -} + krb5_error_code + krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, + krb5_flags kdcoptions, krb5_address *const *address, + krb5_creds *in_cred, krb5_creds **out_cred) + { + return krb5_get_cred_via_tkt_ext (context, tkt, + kdcoptions, address, + NULL, in_cred, NULL, NULL, + NULL, NULL, out_cred, NULL); + } -krb5_error_code -krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt, - krb5_flags kdcoptions, krb5_address *const *address, - krb5_pa_data **in_padata, - krb5_creds *in_cred, - krb5_error_code (*pacb_fct)(krb5_context, - krb5_keyblock *, - krb5_kdc_req *, - void *), - void *pacb_data, - krb5_pa_data ***out_padata, - krb5_pa_data ***out_enc_padata, - krb5_creds **out_cred, - krb5_keyblock **out_subkey) -{ - krb5_error_code retval; - krb5_kdc_rep *dec_rep; - krb5_error *err_reply; - krb5_response tgsrep; - krb5_enctype *enctypes = 0; - krb5_keyblock *subkey = NULL; - krb5_boolean s4u2self = FALSE, second_tkt; + krb5_error_code + krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt, + krb5_flags kdcoptions, krb5_address *const *address, + krb5_pa_data **in_padata, + krb5_creds *in_cred, + krb5_error_code (*pacb_fct)(krb5_context, + krb5_keyblock *, + krb5_kdc_req *, + void *), + void *pacb_data, + krb5_pa_data ***out_padata, + krb5_pa_data ***out_enc_padata, + krb5_creds **out_cred, + krb5_keyblock **out_subkey) + { + krb5_error_code retval; + krb5_kdc_rep *dec_rep; + krb5_error *err_reply; + krb5_response tgsrep; + krb5_enctype *enctypes = 0; + krb5_keyblock *subkey = NULL; + krb5_boolean s4u2self = FALSE, second_tkt; #ifdef DEBUG_REFERRALS - printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off"); - krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server); - krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server); + printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off"); + krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server); + krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server); #endif - /* tkt->client must be equal to in_cred->client */ - if (!krb5_principal_compare(context, tkt->client, in_cred->client)) - return KRB5_PRINC_NOMATCH; + /* tkt->client must be equal to in_cred->client */ + if (!krb5_principal_compare(context, tkt->client, in_cred->client)) + return KRB5_PRINC_NOMATCH; - if (!tkt->ticket.length) - return KRB5_NO_TKT_SUPPLIED; + if (!tkt->ticket.length) + return KRB5_NO_TKT_SUPPLIED; - second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) != 0); + second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) != 0); - if (second_tkt && !in_cred->second_ticket.length) - return(KRB5_NO_2ND_TKT); + if (second_tkt && !in_cred->second_ticket.length) + return(KRB5_NO_2ND_TKT); - s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) || - krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FOR_USER); + s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) || + krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FOR_USER); - /* check if we have the right TGT */ - /* tkt->server must be equal to */ - /* krbtgt/realmof(cred->server)@realmof(tgt->server) */ + /* check if we have the right TGT */ + /* tkt->server must be equal to */ + /* krbtgt/realmof(cred->server)@realmof(tgt->server) */ /* - { - krb5_principal tempprinc; - if (retval = krb5_tgtname(context, - krb5_princ_realm(context, in_cred->server), - krb5_princ_realm(context, tkt->server), &tempprinc)) - return(retval); - - if (!krb5_principal_compare(context, tempprinc, tkt->server)) { - krb5_free_principal(context, tempprinc); - return (KRB5_PRINC_NOMATCH); - } - krb5_free_principal(context, tempprinc); - } + { + krb5_principal tempprinc; + if (retval = krb5_tgtname(context, + krb5_princ_realm(context, in_cred->server), + krb5_princ_realm(context, tkt->server), &tempprinc)) + return(retval); + + if (!krb5_principal_compare(context, tempprinc, tkt->server)) { + krb5_free_principal(context, tempprinc); + return (KRB5_PRINC_NOMATCH); + } + krb5_free_principal(context, tempprinc); + } */ - if (in_cred->keyblock.enctype) { - enctypes = (krb5_enctype *) malloc(sizeof(krb5_enctype)*2); - if (!enctypes) - return ENOMEM; - enctypes[0] = in_cred->keyblock.enctype; - enctypes[1] = 0; - } + if (in_cred->keyblock.enctype) { + enctypes = (krb5_enctype *) malloc(sizeof(krb5_enctype)*2); + if (!enctypes) + return ENOMEM; + enctypes[0] = in_cred->keyblock.enctype; + enctypes[1] = 0; + } - retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes, - in_cred->server, address, in_cred->authdata, - in_padata, - second_tkt ? &in_cred->second_ticket : NULL, - tkt, pacb_fct, pacb_data, &tgsrep, &subkey); - if (enctypes) - free(enctypes); - if (retval) { + retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes, + in_cred->server, address, in_cred->authdata, + in_padata, + second_tkt ? &in_cred->second_ticket : NULL, + tkt, pacb_fct, pacb_data, &tgsrep, &subkey); + if (enctypes) + free(enctypes); + if (retval) { #ifdef DEBUG_REFERRALS - printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n", - error_message(retval)); + printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n", + error_message(retval)); #endif - return retval; - } + return retval; + } - switch (tgsrep.message_type) { - case KRB5_TGS_REP: - break; - case KRB5_ERROR: - default: - if (krb5_is_krb_error(&tgsrep.response)) - retval = decode_krb5_error(&tgsrep.response, &err_reply); - else - retval = KRB5KRB_AP_ERR_MSG_TYPE; - - if (retval) /* neither proper reply nor error! */ - goto error_4; - - retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5; - if (err_reply->text.length > 0) { + switch (tgsrep.message_type) { + case KRB5_TGS_REP: + break; + case KRB5_ERROR: + default: + if (krb5_is_krb_error(&tgsrep.response)) + retval = decode_krb5_error(&tgsrep.response, &err_reply); + else + retval = KRB5KRB_AP_ERR_MSG_TYPE; + + if (retval) /* neither proper reply nor error! */ + goto error_4; + + retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5; + if (err_reply->text.length > 0) { #if 0 - const char *m; + const char *m; #endif - switch (err_reply->error) { - case KRB_ERR_GENERIC: - krb5_set_error_message(context, retval, - "KDC returned error string: %.*s", - err_reply->text.length, - err_reply->text.data); - break; - case KDC_ERR_S_PRINCIPAL_UNKNOWN: - { - char *s_name; - if (krb5_unparse_name(context, in_cred->server, &s_name) == 0) { - krb5_set_error_message(context, retval, - "Server %s not found in Kerberos database", - s_name); - krb5_free_unparsed_name(context, s_name); - } else - /* In case there's a stale S_PRINCIPAL_UNKNOWN - report already noted. */ - krb5_clear_error_message(context); - } - break; - default: + switch (err_reply->error) { + case KRB_ERR_GENERIC: + krb5_set_error_message(context, retval, + "KDC returned error string: %.*s", + err_reply->text.length, + err_reply->text.data); + break; + case KDC_ERR_S_PRINCIPAL_UNKNOWN: + { + char *s_name; + if (krb5_unparse_name(context, in_cred->server, &s_name) == 0) { + krb5_set_error_message(context, retval, + "Server %s not found in Kerberos database", + s_name); + krb5_free_unparsed_name(context, s_name); + } else + /* In case there's a stale S_PRINCIPAL_UNKNOWN + report already noted. */ + krb5_clear_error_message(context); + } + break; + default: #if 0 /* We should stop the KDC from sending back this text, because - if the local language doesn't match the KDC's language, we'd - just wind up printing out the error message in two languages. - Well, when we get some localization. Which is already - happening in KfM. */ - m = error_message(retval); - /* Special case: MIT KDC may return this same string - in the e-text field. */ - if (strlen (m) == err_reply->text.length-1 - && !strcmp(m, err_reply->text.data)) - break; - krb5_set_error_message(context, retval, - "%s (KDC supplied additional data: %s)", - m, err_reply->text.data); + if the local language doesn't match the KDC's language, we'd + just wind up printing out the error message in two languages. + Well, when we get some localization. Which is already + happening in KfM. */ + m = error_message(retval); + /* Special case: MIT KDC may return this same string + in the e-text field. */ + if (strlen (m) == err_reply->text.length-1 + && !strcmp(m, err_reply->text.data)) + break; + krb5_set_error_message(context, retval, + "%s (KDC supplied additional data: %s)", + m, err_reply->text.data); #endif - break; - } - } + break; + } + } - krb5_free_error(context, err_reply); - goto error_4; - } + krb5_free_error(context, err_reply); + goto error_4; + } - /* Unfortunately, Heimdal at least up through 1.2 encrypts using - the session key not the subsession key. So we try both. */ - if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response, - subkey, - KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) { - if ((krb5int_decode_tgs_rep(context, &tgsrep.response, - &tkt->keyblock, - KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0) - retval = 0; - else goto error_4; - } + /* Unfortunately, Heimdal at least up through 1.2 encrypts using + the session key not the subsession key. So we try both. */ + if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response, + subkey, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) { + if ((krb5int_decode_tgs_rep(context, &tgsrep.response, + &tkt->keyblock, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0) + retval = 0; + else goto error_4; + } - if (dec_rep->msg_type != KRB5_TGS_REP) { - retval = KRB5KRB_AP_ERR_MSG_TYPE; - goto error_3; - } - - /* - * Don't trust the ok-as-delegate flag from foreign KDCs unless the - * cross-realm TGT also had the ok-as-delegate flag set. - */ - if (!tgt_is_local_realm(tkt) - && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) - dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE; - - /* make sure the response hasn't been tampered with..... */ - retval = 0; - - if (s4u2self && !IS_TGS_PRINC(context, dec_rep->ticket->server)) { - /* Final hop, check whether KDC supports S4U2Self */ - if (krb5_principal_compare(context, dec_rep->client, in_cred->server)) - retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - } else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) { - /* XXX for constrained delegation this check must be performed by caller - * as we don't have access to the key to decrypt the evidence ticket. - */ - if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) - retval = KRB5_KDCREP_MODIFIED; - } + if (dec_rep->msg_type != KRB5_TGS_REP) { + retval = KRB5KRB_AP_ERR_MSG_TYPE; + goto error_3; + } - if (retval == 0) - retval = check_reply_server(context, kdcoptions, in_cred, dec_rep); + /* + * Don't trust the ok-as-delegate flag from foreign KDCs unless the + * cross-realm TGT also had the ok-as-delegate flag set. + */ + if (!tgt_is_local_realm(tkt) + && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) + dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE; + + /* make sure the response hasn't been tampered with..... */ + retval = 0; + + if (s4u2self && !IS_TGS_PRINC(context, dec_rep->ticket->server)) { + /* Final hop, check whether KDC supports S4U2Self */ + if (krb5_principal_compare(context, dec_rep->client, in_cred->server)) + retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + } else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) { + /* XXX for constrained delegation this check must be performed by caller + * as we don't have access to the key to decrypt the evidence ticket. + */ + if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) + retval = KRB5_KDCREP_MODIFIED; + } - if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) - retval = KRB5_KDCREP_MODIFIED; + if (retval == 0) + retval = check_reply_server(context, kdcoptions, in_cred, dec_rep); - if ((kdcoptions & KDC_OPT_POSTDATED) && - (in_cred->times.starttime != 0) && - (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) - retval = KRB5_KDCREP_MODIFIED; + if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) + retval = KRB5_KDCREP_MODIFIED; - if ((in_cred->times.endtime != 0) && - (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) - retval = KRB5_KDCREP_MODIFIED; + if ((kdcoptions & KDC_OPT_POSTDATED) && + (in_cred->times.starttime != 0) && + (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) + retval = KRB5_KDCREP_MODIFIED; - if ((kdcoptions & KDC_OPT_RENEWABLE) && - (in_cred->times.renew_till != 0) && - (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) - retval = KRB5_KDCREP_MODIFIED; + if ((in_cred->times.endtime != 0) && + (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) + retval = KRB5_KDCREP_MODIFIED; - if ((kdcoptions & KDC_OPT_RENEWABLE_OK) && - (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && - (in_cred->times.endtime != 0) && - (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime)) - retval = KRB5_KDCREP_MODIFIED; + if ((kdcoptions & KDC_OPT_RENEWABLE) && + (in_cred->times.renew_till != 0) && + (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) + retval = KRB5_KDCREP_MODIFIED; - if (retval != 0) - goto error_3; + if ((kdcoptions & KDC_OPT_RENEWABLE_OK) && + (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && + (in_cred->times.endtime != 0) && + (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime)) + retval = KRB5_KDCREP_MODIFIED; - if (!in_cred->times.starttime && - !in_clock_skew(dec_rep->enc_part2->times.starttime, - tgsrep.request_time)) { - retval = KRB5_KDCREP_SKEW; - goto error_3; - } + if (retval != 0) + goto error_3; - if (out_padata != NULL) { - *out_padata = dec_rep->padata; - dec_rep->padata = NULL; - } - if (out_enc_padata != NULL) { - *out_enc_padata = dec_rep->enc_part2->enc_padata; - dec_rep->enc_part2->enc_padata = NULL; - } - - retval = krb5_kdcrep2creds(context, dec_rep, address, - &in_cred->second_ticket, out_cred); - -error_3:; - if (subkey != NULL) { - if (retval == 0 && out_subkey != NULL) - *out_subkey = subkey; - else - krb5_free_keyblock(context, subkey); - } - - memset(dec_rep->enc_part2->session->contents, 0, - dec_rep->enc_part2->session->length); - krb5_free_kdc_rep(context, dec_rep); + if (!in_cred->times.starttime && + !in_clock_skew(dec_rep->enc_part2->times.starttime, + tgsrep.request_time)) { + retval = KRB5_KDCREP_SKEW; + goto error_3; + } + + if (out_padata != NULL) { + *out_padata = dec_rep->padata; + dec_rep->padata = NULL; + } + if (out_enc_padata != NULL) { + *out_enc_padata = dec_rep->enc_part2->enc_padata; + dec_rep->enc_part2->enc_padata = NULL; + } + + retval = krb5_kdcrep2creds(context, dec_rep, address, + &in_cred->second_ticket, out_cred); -error_4:; - free(tgsrep.response.data); + error_3:; + if (subkey != NULL) { + if (retval == 0 && out_subkey != NULL) + *out_subkey = subkey; + else + krb5_free_keyblock(context, subkey); + } + + memset(dec_rep->enc_part2->session->contents, 0, + dec_rep->enc_part2->session->length); + krb5_free_kdc_rep(context, dec_rep); + + error_4:; + free(tgsrep.response.data); #ifdef DEBUG_REFERRALS - printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error"); + printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error"); #endif - return retval; -} + return retval; + } diff --git a/src/lib/krb5/krb/gen_seqnum.c b/src/lib/krb5/krb/gen_seqnum.c index 06564ee4a..8703457be 100644 --- a/src/lib/krb5/krb/gen_seqnum.c +++ b/src/lib/krb5/krb/gen_seqnum.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/gen_seqnum.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Routine to automatically generate a starting sequence number. * We do this by getting a random key and encrypting something with it, @@ -53,13 +54,13 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui seed = key2data(*key); if ((retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed))) - return(retval); + return(retval); seed.length = sizeof(*seqno); seed.data = (char *) seqno; retval = krb5_c_random_make_octets(context, &seed); if (retval) - return retval; + return retval; /* * Work around implementation incompatibilities by not generating * initial sequence numbers greater than 2^30. Previous MIT @@ -71,6 +72,6 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui */ *seqno &= 0x3fffffff; if (*seqno == 0) - *seqno = 1; + *seqno = 1; return 0; } diff --git a/src/lib/krb5/krb/gen_subkey.c b/src/lib/krb5/krb/gen_subkey.c index 501428b1d..7739f04ef 100644 --- a/src/lib/krb5/krb/gen_subkey.c +++ b/src/lib/krb5/krb/gen_subkey.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/gen_subkey.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Routine to automatically generate a subsession key based on an input key. */ @@ -41,9 +42,9 @@ key2data (krb5_keyblock k) krb5_error_code krb5_generate_subkey_extended(krb5_context context, - const krb5_keyblock *key, - krb5_enctype enctype, - krb5_keyblock **subkey) + const krb5_keyblock *key, + krb5_enctype enctype, + krb5_keyblock **subkey) { krb5_error_code retval; krb5_data seed; @@ -53,18 +54,18 @@ krb5_generate_subkey_extended(krb5_context context, seed = key2data(*key); retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY, - &seed); + &seed); if (retval) - return retval; + return retval; keyblock = malloc(sizeof(krb5_keyblock)); if (!keyblock) - return ENOMEM; + return ENOMEM; retval = krb5_c_make_random_key(context, enctype, keyblock); if (retval) { - free(*subkey); - return retval; + free(*subkey); + return retval; } *subkey = keyblock; diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c index 88148d772..491f86452 100644 --- a/src/lib/krb5/krb/get_creds.c +++ b/src/lib/krb5/krb/get_creds.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/get_creds.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_get_credentials() */ @@ -30,18 +31,18 @@ /* - Attempts to use the credentials cache or TGS exchange to get an additional - ticket for the - client identified by in_creds->client, the server identified by - in_creds->server, with options options, expiration date specified in - in_creds->times.endtime (0 means as long as possible), session key type - specified in in_creds->keyblock.enctype (if non-zero) + Attempts to use the credentials cache or TGS exchange to get an additional + ticket for the + client identified by in_creds->client, the server identified by + in_creds->server, with options options, expiration date specified in + in_creds->times.endtime (0 means as long as possible), session key type + specified in in_creds->keyblock.enctype (if non-zero) - Any returned ticket and intermediate ticket-granting tickets are - stored in ccache. + Any returned ticket and intermediate ticket-granting tickets are + stored in ccache. - returns errors from encryption routines, system errors - */ + returns errors from encryption routines, system errors +*/ #include "k5-int.h" #include "int-proto.h" @@ -54,8 +55,8 @@ */ krb5_error_code krb5int_construct_matching_creds(krb5_context context, krb5_flags options, - krb5_creds *in_creds, krb5_creds *mcreds, - krb5_flags *fields) + krb5_creds *in_creds, krb5_creds *mcreds, + krb5_flags *fields) { if (!in_creds || !in_creds->server || !in_creds->client) return EINVAL; @@ -63,47 +64,47 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options, memset(mcreds, 0, sizeof(krb5_creds)); mcreds->magic = KV5M_CREDS; if (in_creds->times.endtime != 0) { - mcreds->times.endtime = in_creds->times.endtime; + mcreds->times.endtime = in_creds->times.endtime; } else { - krb5_error_code retval; - retval = krb5_timeofday(context, &mcreds->times.endtime); - if (retval != 0) return retval; + krb5_error_code retval; + retval = krb5_timeofday(context, &mcreds->times.endtime); + if (retval != 0) return retval; } mcreds->keyblock = in_creds->keyblock; mcreds->authdata = in_creds->authdata; mcreds->server = in_creds->server; mcreds->client = in_creds->client; - + *fields = KRB5_TC_MATCH_TIMES /*XXX |KRB5_TC_MATCH_SKEY_TYPE */ - | KRB5_TC_MATCH_AUTHDATA - | KRB5_TC_SUPPORTED_KTYPES; + | KRB5_TC_MATCH_AUTHDATA + | KRB5_TC_SUPPORTED_KTYPES; if (mcreds->keyblock.enctype) { - krb5_enctype *ktypes; - krb5_error_code ret; - int i; - - *fields |= KRB5_TC_MATCH_KTYPE; - ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes); - for (i = 0; ktypes[i]; i++) - if (ktypes[i] == mcreds->keyblock.enctype) - break; - if (ktypes[i] == 0) - ret = KRB5_CC_NOT_KTYPE; - free (ktypes); - if (ret) - return ret; + krb5_enctype *ktypes; + krb5_error_code ret; + int i; + + *fields |= KRB5_TC_MATCH_KTYPE; + ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes); + for (i = 0; ktypes[i]; i++) + if (ktypes[i] == mcreds->keyblock.enctype) + break; + if (ktypes[i] == 0) + ret = KRB5_CC_NOT_KTYPE; + free (ktypes); + if (ret) + return ret; } if (options & (KRB5_GC_USER_USER | KRB5_GC_CONSTRAINED_DELEGATION)) { - /* also match on identical 2nd tkt and tkt encrypted in a - session key */ - *fields |= KRB5_TC_MATCH_2ND_TKT; - if (options & KRB5_GC_USER_USER) { - *fields |= KRB5_TC_MATCH_IS_SKEY; - mcreds->is_skey = TRUE; - } - mcreds->second_ticket = in_creds->second_ticket; - if (!in_creds->second_ticket.length) - return KRB5_NO_2ND_TKT; + /* also match on identical 2nd tkt and tkt encrypted in a + session key */ + *fields |= KRB5_TC_MATCH_2ND_TKT; + if (options & KRB5_GC_USER_USER) { + *fields |= KRB5_TC_MATCH_IS_SKEY; + mcreds->is_skey = TRUE; + } + mcreds->second_ticket = in_creds->second_ticket; + if (!in_creds->second_ticket.length) + return KRB5_NO_2ND_TKT; } return 0; @@ -111,8 +112,8 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options, krb5_error_code KRB5_CALLCONV krb5_get_credentials(krb5_context context, krb5_flags options, - krb5_ccache ccache, krb5_creds *in_creds, - krb5_creds **out_creds) + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds) { krb5_error_code retval; krb5_creds mcreds, *ncreds, **tgts, **tgts_iter; @@ -128,53 +129,53 @@ krb5_get_credentials(krb5_context context, krb5_flags options, * second_ticket, which we can't do. */ if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) { - retval = krb5int_construct_matching_creds(context, options, in_creds, - &mcreds, &fields); - - if (retval) - return retval; - - ncreds = malloc(sizeof(krb5_creds)); - if (!ncreds) - return ENOMEM; - - memset(ncreds, 0, sizeof(krb5_creds)); - ncreds->magic = KV5M_CREDS; - - retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds, - ncreds); - if (retval == 0) { - *out_creds = ncreds; - return 0; - } - free(ncreds); - ncreds = NULL; - if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE) - || options & KRB5_GC_CACHED) - return retval; - not_ktype = (retval == KRB5_CC_NOT_KTYPE); + retval = krb5int_construct_matching_creds(context, options, in_creds, + &mcreds, &fields); + + if (retval) + return retval; + + ncreds = malloc(sizeof(krb5_creds)); + if (!ncreds) + return ENOMEM; + + memset(ncreds, 0, sizeof(krb5_creds)); + ncreds->magic = KV5M_CREDS; + + retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds, + ncreds); + if (retval == 0) { + *out_creds = ncreds; + return 0; + } + free(ncreds); + ncreds = NULL; + if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE) + || options & KRB5_GC_CACHED) + return retval; + not_ktype = (retval == KRB5_CC_NOT_KTYPE); } else if (options & KRB5_GC_CACHED) - return KRB5_CC_NOTFOUND; + return KRB5_CC_NOTFOUND; if (options & KRB5_GC_CANONICALIZE) - kdcopt |= KDC_OPT_CANONICALIZE; + kdcopt |= KDC_OPT_CANONICALIZE; if (options & KRB5_GC_FORWARDABLE) - kdcopt |= KDC_OPT_FORWARDABLE; + kdcopt |= KDC_OPT_FORWARDABLE; if (options & KRB5_GC_NO_TRANSIT_CHECK) - kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK; + kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK; if (options & KRB5_GC_CONSTRAINED_DELEGATION) { - if (options & KRB5_GC_USER_USER) - return EINVAL; - kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT; + if (options & KRB5_GC_USER_USER) + return EINVAL; + kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT; } retval = krb5_get_cred_from_kdc_opt(context, ccache, in_creds, - &ncreds, &tgts, kdcopt); + &ncreds, &tgts, kdcopt); if (tgts) { - /* Attempt to cache intermediate ticket-granting tickets. */ - for (tgts_iter = tgts; *tgts_iter; tgts_iter++) - (void) krb5_cc_store_cred(context, ccache, *tgts_iter); - krb5_free_tgt_creds(context, tgts); + /* Attempt to cache intermediate ticket-granting tickets. */ + for (tgts_iter = tgts; *tgts_iter; tgts_iter++) + (void) krb5_cc_store_cred(context, ccache, *tgts_iter); + krb5_free_tgt_creds(context, tgts); } /* @@ -189,21 +190,21 @@ krb5_get_credentials(krb5_context context, krb5_flags options, * enctype rather than the missing TGT. */ if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE) - && not_ktype) - return KRB5_CC_NOT_KTYPE; + && not_ktype) + return KRB5_CC_NOT_KTYPE; else if (retval) - return retval; + return retval; if ((options & KRB5_GC_CONSTRAINED_DELEGATION) - && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) { - /* This ticket won't work for constrained delegation. */ - krb5_free_creds(context, ncreds); - return KRB5_TKT_NOT_FORWARDABLE; + && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) { + /* This ticket won't work for constrained delegation. */ + krb5_free_creds(context, ncreds); + return KRB5_TKT_NOT_FORWARDABLE; } /* Attempt to cache the returned ticket. */ if (!(options & KRB5_GC_NO_STORE)) - (void) krb5_cc_store_cred(context, ccache, ncreds); + (void) krb5_cc_store_cred(context, ccache, ncreds); *out_creds = ncreds; return 0; @@ -212,10 +213,10 @@ krb5_get_credentials(krb5_context context, krb5_flags options, #define INT_GC_VALIDATE 1 #define INT_GC_RENEW 2 -static krb5_error_code +static krb5_error_code krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options, - krb5_ccache ccache, krb5_creds *in_creds, - krb5_creds **out_creds, int which) + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds, int which) { krb5_error_code retval; krb5_principal tmp; @@ -223,17 +224,17 @@ krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options, switch(which) { case INT_GC_VALIDATE: - retval = krb5_get_cred_from_kdc_validate(context, ccache, - in_creds, out_creds, &tgts); - break; + retval = krb5_get_cred_from_kdc_validate(context, ccache, + in_creds, out_creds, &tgts); + break; case INT_GC_RENEW: - retval = krb5_get_cred_from_kdc_renew(context, ccache, - in_creds, out_creds, &tgts); - break; + retval = krb5_get_cred_from_kdc_renew(context, ccache, + in_creds, out_creds, &tgts); + break; default: - /* Should never happen */ - retval = 255; - break; + /* Should never happen */ + retval = 255; + break; } /* * Callers to krb5_get_cred_blah... must free up tgts even in @@ -244,39 +245,39 @@ krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options, retval = krb5_cc_get_principal(context, ccache, &tmp); if (retval) return retval; - + retval = krb5_cc_initialize(context, ccache, tmp); if (retval) return retval; - + retval = krb5_cc_store_cred(context, ccache, *out_creds); return retval; } krb5_error_code KRB5_CALLCONV krb5_get_credentials_validate(krb5_context context, krb5_flags options, - krb5_ccache ccache, krb5_creds *in_creds, - krb5_creds **out_creds) + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds) { - return(krb5_get_credentials_val_renew_core(context, options, ccache, - in_creds, out_creds, - INT_GC_VALIDATE)); + return(krb5_get_credentials_val_renew_core(context, options, ccache, + in_creds, out_creds, + INT_GC_VALIDATE)); } krb5_error_code KRB5_CALLCONV krb5_get_credentials_renew(krb5_context context, krb5_flags options, - krb5_ccache ccache, krb5_creds *in_creds, - krb5_creds **out_creds) + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds) { - return(krb5_get_credentials_val_renew_core(context, options, ccache, - in_creds, out_creds, - INT_GC_RENEW)); + return(krb5_get_credentials_val_renew_core(context, options, ccache, + in_creds, out_creds, + INT_GC_RENEW)); } static krb5_error_code krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds, - krb5_principal client, krb5_ccache ccache, - char *in_tkt_service, int validate) + krb5_principal client, krb5_ccache ccache, + char *in_tkt_service, int validate) { krb5_error_code ret; krb5_creds in_creds; /* only client and server need to be filled in */ @@ -291,57 +292,57 @@ krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds, in_creds.client = client; if (in_tkt_service) { - /* this is ugly, because so are the data structures involved. I'm - in the library, so I'm going to manipulate the data structures - directly, otherwise, it will be worse. */ + /* this is ugly, because so are the data structures involved. I'm + in the library, so I'm going to manipulate the data structures + directly, otherwise, it will be worse. */ if ((ret = krb5_parse_name(context, in_tkt_service, &in_creds.server))) - goto cleanup; - - /* stuff the client realm into the server principal. - realloc if necessary */ - if (in_creds.server->realm.length < in_creds.client->realm.length) - if ((in_creds.server->realm.data = - (char *) realloc(in_creds.server->realm.data, - in_creds.client->realm.length)) == NULL) { - ret = ENOMEM; - goto cleanup; - } - - in_creds.server->realm.length = in_creds.client->realm.length; - memcpy(in_creds.server->realm.data, in_creds.client->realm.data, - in_creds.client->realm.length); + goto cleanup; + + /* stuff the client realm into the server principal. + realloc if necessary */ + if (in_creds.server->realm.length < in_creds.client->realm.length) + if ((in_creds.server->realm.data = + (char *) realloc(in_creds.server->realm.data, + in_creds.client->realm.length)) == NULL) { + ret = ENOMEM; + goto cleanup; + } + + in_creds.server->realm.length = in_creds.client->realm.length; + memcpy(in_creds.server->realm.data, in_creds.client->realm.data, + in_creds.client->realm.length); } else { - if ((ret = krb5_build_principal_ext(context, &in_creds.server, - in_creds.client->realm.length, - in_creds.client->realm.data, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME, - in_creds.client->realm.length, - in_creds.client->realm.data, - 0))) - goto cleanup; + if ((ret = krb5_build_principal_ext(context, &in_creds.server, + in_creds.client->realm.length, + in_creds.client->realm.data, + KRB5_TGS_NAME_SIZE, + KRB5_TGS_NAME, + in_creds.client->realm.length, + in_creds.client->realm.data, + 0))) + goto cleanup; } if (validate) - ret = krb5_get_cred_from_kdc_validate(context, ccache, - &in_creds, &out_creds, &tgts); + ret = krb5_get_cred_from_kdc_validate(context, ccache, + &in_creds, &out_creds, &tgts); else - ret = krb5_get_cred_from_kdc_renew(context, ccache, - &in_creds, &out_creds, &tgts); - + ret = krb5_get_cred_from_kdc_renew(context, ccache, + &in_creds, &out_creds, &tgts); + /* ick. copy the struct contents, free the container */ if (out_creds) { - *creds = *out_creds; - free(out_creds); + *creds = *out_creds; + free(out_creds); } cleanup: if (in_creds.server) - krb5_free_principal(context, in_creds.server); + krb5_free_principal(context, in_creds.server); if (tgts) - krb5_free_tgt_creds(context, tgts); + krb5_free_tgt_creds(context, tgts); return(ret); } @@ -350,13 +351,12 @@ krb5_error_code KRB5_CALLCONV krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service) { return(krb5_validate_or_renew_creds(context, creds, client, ccache, - in_tkt_service, 1)); + in_tkt_service, 1)); } krb5_error_code KRB5_CALLCONV krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service) { return(krb5_validate_or_renew_creds(context, creds, client, ccache, - in_tkt_service, 0)); + in_tkt_service, 0)); } - diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index a381c5c7e..40afea56d 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/get_in_tkt.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_get_in_tkt() */ @@ -36,7 +37,7 @@ #if APPLE_PKINIT #define IN_TKT_DEBUG 0 -#if IN_TKT_DEBUG +#if IN_TKT_DEBUG #define inTktDebug(args...) printf(args) #else #define inTktDebug(args...) @@ -44,53 +45,53 @@ #endif /* APPLE_PKINIT */ /* - All-purpose initial ticket routine, usually called via - krb5_get_in_tkt_with_password or krb5_get_in_tkt_with_skey. + All-purpose initial ticket routine, usually called via + krb5_get_in_tkt_with_password or krb5_get_in_tkt_with_skey. - Attempts to get an initial ticket for creds->client to use server - creds->server, (realm is taken from creds->client), with options - options, and using creds->times.starttime, creds->times.endtime, - creds->times.renew_till as from, till, and rtime. - creds->times.renew_till is ignored unless the RENEWABLE option is requested. + Attempts to get an initial ticket for creds->client to use server + creds->server, (realm is taken from creds->client), with options + options, and using creds->times.starttime, creds->times.endtime, + creds->times.renew_till as from, till, and rtime. + creds->times.renew_till is ignored unless the RENEWABLE option is requested. - key_proc is called to fill in the key to be used for decryption. - keyseed is passed on to key_proc. + key_proc is called to fill in the key to be used for decryption. + keyseed is passed on to key_proc. - decrypt_proc is called to perform the decryption of the response (the - encrypted part is in dec_rep->enc_part; the decrypted part should be - allocated and filled into dec_rep->enc_part2 - arg is passed on to decrypt_proc. + decrypt_proc is called to perform the decryption of the response (the + encrypted part is in dec_rep->enc_part; the decrypted part should be + allocated and filled into dec_rep->enc_part2 + arg is passed on to decrypt_proc. - If addrs is non-NULL, it is used for the addresses requested. If it is - null, the system standard addresses are used. + If addrs is non-NULL, it is used for the addresses requested. If it is + null, the system standard addresses are used. - A succesful call will place the ticket in the credentials cache ccache - and fill in creds with the ticket information used/returned.. + A succesful call will place the ticket in the credentials cache ccache + and fill in creds with the ticket information used/returned.. - returns system errors, encryption errors + returns system errors, encryption errors - */ +*/ /* some typedef's for the function args to make things look a bit cleaner */ typedef krb5_error_code (*git_key_proc) (krb5_context, - krb5_enctype, - krb5_data *, - krb5_const_pointer, - krb5_keyblock **); + krb5_enctype, + krb5_data *, + krb5_const_pointer, + krb5_keyblock **); typedef krb5_error_code (*git_decrypt_proc) (krb5_context, - const krb5_keyblock *, - krb5_const_pointer, - krb5_kdc_rep * ); + const krb5_keyblock *, + krb5_const_pointer, + krb5_kdc_rep * ); -static krb5_error_code make_preauth_list (krb5_context, - krb5_preauthtype *, - int, krb5_pa_data ***); +static krb5_error_code make_preauth_list (krb5_context, + krb5_preauthtype *, + int, krb5_pa_data ***); static krb5_error_code sort_krb5_padata_sequence(krb5_context context, - krb5_data *realm, - krb5_pa_data **padata); + krb5_data *realm, + krb5_pa_data **padata); /* * This function performs 32 bit bounded addition so we can generate @@ -105,7 +106,7 @@ static krb5_int32 krb5int_addint32 (krb5_int32 x, krb5_int32 y) /* sum will be less than KRB5_INT32_MIN */ return KRB5_INT32_MIN; } - + return x + y; } @@ -115,14 +116,14 @@ static krb5_int32 krb5int_addint32 (krb5_int32 x, krb5_int32 y) * just uses krb5_timeofday(); it should use a PRNG. Even more unfortunately this * value is used interchangeably with an explicit now_time throughout this module... */ -static krb5_error_code +static krb5_error_code gen_nonce(krb5_context context, krb5_int32 *nonce) { krb5_int32 time_now; krb5_error_code retval = krb5_timeofday(context, &time_now); if(retval) { - return retval; + return retval; } *nonce = time_now; return 0; @@ -136,16 +137,16 @@ gen_nonce(krb5_context context, * unexpected response, an error is returned. */ static krb5_error_code -send_as_request(krb5_context context, - krb5_data *packet, const krb5_data *realm, - krb5_error ** ret_err_reply, - krb5_kdc_rep ** ret_as_reply, - int *use_master) +send_as_request(krb5_context context, + krb5_data *packet, const krb5_data *realm, + krb5_error ** ret_err_reply, + krb5_kdc_rep ** ret_as_reply, + int *use_master) { krb5_kdc_rep *as_reply = 0; krb5_error_code retval; krb5_data reply; - char k4_version; /* same type as *(krb5_data::data) */ + char k4_version; /* same type as *(krb5_data::data) */ int tcp_only = 0; reply.data = 0; @@ -154,37 +155,37 @@ send_as_request(krb5_context context, k4_version = packet->data[0]; send_again: - retval = krb5_sendto_kdc(context, packet, - realm, - &reply, use_master, tcp_only); + retval = krb5_sendto_kdc(context, packet, + realm, + &reply, use_master, tcp_only); #if APPLE_PKINIT inTktDebug("krb5_sendto_kdc returned %d\n", (int)retval); #endif /* APPLE_PKINIT */ if (retval) - goto cleanup; + goto cleanup; /* now decode the reply...could be error or as_rep */ if (krb5_is_krb_error(&reply)) { - krb5_error *err_reply; - - if ((retval = decode_krb5_error(&reply, &err_reply))) - /* some other error code--??? */ - goto cleanup; - - if (ret_err_reply) { - if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG - && tcp_only == 0) { - tcp_only = 1; - krb5_free_error(context, err_reply); - free(reply.data); - reply.data = 0; - goto send_again; - } - *ret_err_reply = err_reply; - } else - krb5_free_error(context, err_reply); - goto cleanup; + krb5_error *err_reply; + + if ((retval = decode_krb5_error(&reply, &err_reply))) + /* some other error code--??? */ + goto cleanup; + + if (ret_err_reply) { + if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG + && tcp_only == 0) { + tcp_only = 1; + krb5_free_error(context, err_reply); + free(reply.data); + reply.data = 0; + goto send_again; + } + *ret_err_reply = err_reply; + } else + krb5_free_error(context, err_reply); + goto cleanup; } /* @@ -192,108 +193,108 @@ send_again: */ if (!krb5_is_as_rep(&reply)) { /* these are in as well but it isn't worth including. */ -#define V4_KRB_PROT_VERSION 4 -#define V4_AUTH_MSG_ERR_REPLY (5<<1) - /* check here for V4 reply */ - unsigned int t_switch; - - /* From v4 g_in_tkt.c: This used to be - switch (pkt_msg_type(rpkt) & ~1) { - but SCO 3.2v4 cc compiled that incorrectly. */ - t_switch = reply.data[1]; - t_switch &= ~1; - - if (t_switch == V4_AUTH_MSG_ERR_REPLY - && (reply.data[0] == V4_KRB_PROT_VERSION - || reply.data[0] == k4_version)) { - retval = KRB5KRB_AP_ERR_V4_REPLY; - } else { - retval = KRB5KRB_AP_ERR_MSG_TYPE; - } - goto cleanup; +#define V4_KRB_PROT_VERSION 4 +#define V4_AUTH_MSG_ERR_REPLY (5<<1) + /* check here for V4 reply */ + unsigned int t_switch; + + /* From v4 g_in_tkt.c: This used to be + switch (pkt_msg_type(rpkt) & ~1) { + but SCO 3.2v4 cc compiled that incorrectly. */ + t_switch = reply.data[1]; + t_switch &= ~1; + + if (t_switch == V4_AUTH_MSG_ERR_REPLY + && (reply.data[0] == V4_KRB_PROT_VERSION + || reply.data[0] == k4_version)) { + retval = KRB5KRB_AP_ERR_V4_REPLY; + } else { + retval = KRB5KRB_AP_ERR_MSG_TYPE; + } + goto cleanup; } /* It must be a KRB_AS_REP message, or an bad returned packet */ if ((retval = decode_krb5_as_rep(&reply, &as_reply))) - /* some other error code ??? */ - goto cleanup; + /* some other error code ??? */ + goto cleanup; if (as_reply->msg_type != KRB5_AS_REP) { - retval = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_free_kdc_rep(context, as_reply); - goto cleanup; + retval = KRB5KRB_AP_ERR_MSG_TYPE; + krb5_free_kdc_rep(context, as_reply); + goto cleanup; } if (ret_as_reply) - *ret_as_reply = as_reply; + *ret_as_reply = as_reply; else - krb5_free_kdc_rep(context, as_reply); + krb5_free_kdc_rep(context, as_reply); cleanup: if (reply.data) - free(reply.data); + free(reply.data); return retval; } static krb5_error_code -decrypt_as_reply(krb5_context context, - krb5_kdc_req *request, - krb5_kdc_rep *as_reply, - git_key_proc key_proc, - krb5_const_pointer keyseed, - krb5_keyblock * key, - git_decrypt_proc decrypt_proc, - krb5_const_pointer decryptarg) +decrypt_as_reply(krb5_context context, + krb5_kdc_req *request, + krb5_kdc_rep *as_reply, + git_key_proc key_proc, + krb5_const_pointer keyseed, + krb5_keyblock * key, + git_decrypt_proc decrypt_proc, + krb5_const_pointer decryptarg) { - krb5_error_code retval; - krb5_keyblock * decrypt_key = 0; - krb5_data salt; - + krb5_error_code retval; + krb5_keyblock * decrypt_key = 0; + krb5_data salt; + if (as_reply->enc_part2) - return 0; + return 0; if (key) - decrypt_key = key; + decrypt_key = key; else { - /* - * Use salt corresponding to the client principal supplied by - * the KDC, which may differ from the requested principal if - * canonicalization is in effect. We will check - * as_reply->client later in verify_as_reply. - */ - if ((retval = krb5_principal2salt(context, as_reply->client, &salt))) - return(retval); - - retval = (*key_proc)(context, as_reply->enc_part.enctype, - &salt, keyseed, &decrypt_key); - free(salt.data); - if (retval) - goto cleanup; + /* + * Use salt corresponding to the client principal supplied by + * the KDC, which may differ from the requested principal if + * canonicalization is in effect. We will check + * as_reply->client later in verify_as_reply. + */ + if ((retval = krb5_principal2salt(context, as_reply->client, &salt))) + return(retval); + + retval = (*key_proc)(context, as_reply->enc_part.enctype, + &salt, keyseed, &decrypt_key); + free(salt.data); + if (retval) + goto cleanup; } - + if ((retval = (*decrypt_proc)(context, decrypt_key, decryptarg, as_reply))) - goto cleanup; + goto cleanup; cleanup: if (!key && decrypt_key) - krb5_free_keyblock(context, decrypt_key); + krb5_free_keyblock(context, decrypt_key); return (retval); } static krb5_error_code -verify_as_reply(krb5_context context, - krb5_timestamp time_now, - krb5_kdc_req *request, - krb5_kdc_rep *as_reply) +verify_as_reply(krb5_context context, + krb5_timestamp time_now, + krb5_kdc_req *request, + krb5_kdc_rep *as_reply) { - krb5_error_code retval; - int canon_req; - int canon_ok; + krb5_error_code retval; + int canon_req; + int canon_ok; /* check the contents for sanity: */ if (!as_reply->enc_part2->times.starttime) - as_reply->enc_part2->times.starttime = - as_reply->enc_part2->times.authtime; + as_reply->enc_part2->times.starttime = + as_reply->enc_part2->times.authtime; /* * We only allow the AS-REP server name to be changed if the @@ -301,184 +302,184 @@ verify_as_reply(krb5_context context, * principal) and we requested (and received) a TGT. */ canon_req = ((request->kdc_options & KDC_OPT_CANONICALIZE) != 0) || - (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL); + (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL); if (canon_req) { - canon_ok = IS_TGS_PRINC(context, request->server) && - IS_TGS_PRINC(context, as_reply->enc_part2->server); + canon_ok = IS_TGS_PRINC(context, request->server) && + IS_TGS_PRINC(context, as_reply->enc_part2->server); } else - canon_ok = 0; - + canon_ok = 0; + if ((!canon_ok && - (!krb5_principal_compare(context, as_reply->client, request->client) || - !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))) - || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server) - || (request->nonce != as_reply->enc_part2->nonce) - /* XXX check for extraneous flags */ - /* XXX || (!krb5_addresses_compare(context, addrs, as_reply->enc_part2->caddrs)) */ - || ((request->kdc_options & KDC_OPT_POSTDATED) && - (request->from != 0) && - (request->from != as_reply->enc_part2->times.starttime)) - || ((request->till != 0) && - (as_reply->enc_part2->times.endtime > request->till)) - || ((request->kdc_options & KDC_OPT_RENEWABLE) && - (request->rtime != 0) && - (as_reply->enc_part2->times.renew_till > request->rtime)) - || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) && - !(request->kdc_options & KDC_OPT_RENEWABLE) && - (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) && - (request->till != 0) && - (as_reply->enc_part2->times.renew_till > request->till)) - ) { + (!krb5_principal_compare(context, as_reply->client, request->client) || + !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))) + || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server) + || (request->nonce != as_reply->enc_part2->nonce) + /* XXX check for extraneous flags */ + /* XXX || (!krb5_addresses_compare(context, addrs, as_reply->enc_part2->caddrs)) */ + || ((request->kdc_options & KDC_OPT_POSTDATED) && + (request->from != 0) && + (request->from != as_reply->enc_part2->times.starttime)) + || ((request->till != 0) && + (as_reply->enc_part2->times.endtime > request->till)) + || ((request->kdc_options & KDC_OPT_RENEWABLE) && + (request->rtime != 0) && + (as_reply->enc_part2->times.renew_till > request->rtime)) + || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) && + !(request->kdc_options & KDC_OPT_RENEWABLE) && + (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) && + (request->till != 0) && + (as_reply->enc_part2->times.renew_till > request->till)) + ) { #if APPLE_PKINIT - inTktDebug("verify_as_reply: KDCREP_MODIFIED\n"); - #if IN_TKT_DEBUG - if(request->client->realm.length && request->client->data->length) - inTktDebug("request: name %s realm %s\n", - request->client->realm.data, request->client->data->data); - if(as_reply->client->realm.length && as_reply->client->data->length) - inTktDebug("reply : name %s realm %s\n", - as_reply->client->realm.data, as_reply->client->data->data); - #endif + inTktDebug("verify_as_reply: KDCREP_MODIFIED\n"); +#if IN_TKT_DEBUG + if(request->client->realm.length && request->client->data->length) + inTktDebug("request: name %s realm %s\n", + request->client->realm.data, request->client->data->data); + if(as_reply->client->realm.length && as_reply->client->data->length) + inTktDebug("reply : name %s realm %s\n", + as_reply->client->realm.data, as_reply->client->data->data); +#endif #endif /* APPLE_PKINIT */ - return KRB5_KDCREP_MODIFIED; + return KRB5_KDCREP_MODIFIED; } if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) { - retval = krb5_set_real_time(context, - as_reply->enc_part2->times.authtime, -1); - if (retval) - return retval; + retval = krb5_set_real_time(context, + as_reply->enc_part2->times.authtime, -1); + if (retval) + return retval; } else { - if ((request->from == 0) && - (labs(as_reply->enc_part2->times.starttime - time_now) - > context->clockskew)) - return (KRB5_KDCREP_SKEW); + if ((request->from == 0) && + (labs(as_reply->enc_part2->times.starttime - time_now) + > context->clockskew)) + return (KRB5_KDCREP_SKEW); } return 0; } static krb5_error_code -stash_as_reply(krb5_context context, - krb5_timestamp time_now, - krb5_kdc_req *request, - krb5_kdc_rep *as_reply, - krb5_creds * creds, - krb5_ccache ccache) +stash_as_reply(krb5_context context, + krb5_timestamp time_now, + krb5_kdc_req *request, + krb5_kdc_rep *as_reply, + krb5_creds * creds, + krb5_ccache ccache) { - krb5_error_code retval; - krb5_data * packet; - krb5_principal client; - krb5_principal server; + krb5_error_code retval; + krb5_data * packet; + krb5_principal client; + krb5_principal server; client = NULL; server = NULL; if (!creds->client) if ((retval = krb5_copy_principal(context, as_reply->client, &client))) - goto cleanup; + goto cleanup; if (!creds->server) - if ((retval = krb5_copy_principal(context, as_reply->enc_part2->server, - &server))) - goto cleanup; + if ((retval = krb5_copy_principal(context, as_reply->enc_part2->server, + &server))) + goto cleanup; /* fill in the credentials */ - if ((retval = krb5_copy_keyblock_contents(context, - as_reply->enc_part2->session, - &creds->keyblock))) - goto cleanup; + if ((retval = krb5_copy_keyblock_contents(context, + as_reply->enc_part2->session, + &creds->keyblock))) + goto cleanup; creds->times = as_reply->enc_part2->times; - creds->is_skey = FALSE; /* this is an AS_REQ, so cannot - be encrypted in skey */ + creds->is_skey = FALSE; /* this is an AS_REQ, so cannot + be encrypted in skey */ creds->ticket_flags = as_reply->enc_part2->flags; if ((retval = krb5_copy_addresses(context, as_reply->enc_part2->caddrs, - &creds->addresses))) - goto cleanup; + &creds->addresses))) + goto cleanup; creds->second_ticket.length = 0; creds->second_ticket.data = 0; if ((retval = encode_krb5_ticket(as_reply->ticket, &packet))) - goto cleanup; + goto cleanup; creds->ticket = *packet; free(packet); /* store it in the ccache! */ if (ccache) - if ((retval = krb5_cc_store_cred(context, ccache, creds))) - goto cleanup; + if ((retval = krb5_cc_store_cred(context, ccache, creds))) + goto cleanup; if (!creds->client) - creds->client = client; + creds->client = client; if (!creds->server) - creds->server = server; + creds->server = server; cleanup: if (retval) { - if (client) - krb5_free_principal(context, client); - if (server) - krb5_free_principal(context, server); - if (creds->keyblock.contents) { - memset(creds->keyblock.contents, 0, - creds->keyblock.length); - free(creds->keyblock.contents); - creds->keyblock.contents = 0; - creds->keyblock.length = 0; - } - if (creds->ticket.data) { - free(creds->ticket.data); - creds->ticket.data = 0; - } - if (creds->addresses) { - krb5_free_addresses(context, creds->addresses); - creds->addresses = 0; - } + if (client) + krb5_free_principal(context, client); + if (server) + krb5_free_principal(context, server); + if (creds->keyblock.contents) { + memset(creds->keyblock.contents, 0, + creds->keyblock.length); + free(creds->keyblock.contents); + creds->keyblock.contents = 0; + creds->keyblock.length = 0; + } + if (creds->ticket.data) { + free(creds->ticket.data); + creds->ticket.data = 0; + } + if (creds->addresses) { + krb5_free_addresses(context, creds->addresses); + creds->addresses = 0; + } } return (retval); } static krb5_error_code -make_preauth_list(krb5_context context, - krb5_preauthtype * ptypes, - int nptypes, - krb5_pa_data *** ret_list) +make_preauth_list(krb5_context context, + krb5_preauthtype * ptypes, + int nptypes, + krb5_pa_data *** ret_list) { - krb5_preauthtype * ptypep; - krb5_pa_data ** preauthp; - int i; + krb5_preauthtype * ptypep; + krb5_pa_data ** preauthp; + int i; if (nptypes < 0) { - for (nptypes=0, ptypep = ptypes; *ptypep; ptypep++, nptypes++) - ; + for (nptypes=0, ptypep = ptypes; *ptypep; ptypep++, nptypes++) + ; } - + /* allocate space for a NULL to terminate the list */ - + if ((preauthp = - (krb5_pa_data **) malloc((nptypes+1)*sizeof(krb5_pa_data *))) == NULL) - return(ENOMEM); - + (krb5_pa_data **) malloc((nptypes+1)*sizeof(krb5_pa_data *))) == NULL) + return(ENOMEM); + for (i=0; i=0; i--) - free(preauthp[i]); - free(preauthp); - return (ENOMEM); - } - preauthp[i]->magic = KV5M_PA_DATA; - preauthp[i]->pa_type = ptypes[i]; - preauthp[i]->length = 0; - preauthp[i]->contents = 0; + if ((preauthp[i] = + (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) { + for (; i>=0; i--) + free(preauthp[i]); + free(preauthp); + return (ENOMEM); + } + preauthp[i]->magic = KV5M_PA_DATA; + preauthp[i]->pa_type = ptypes[i]; + preauthp[i]->length = 0; + preauthp[i]->contents = 0; } - + /* fill in the terminating NULL */ - + preauthp[nptypes] = NULL; - + *ret_list = preauthp; return 0; } @@ -495,10 +496,10 @@ static const krb5_enctype get_in_tkt_enctypes[] = { static krb5_error_code rewrite_server_realm(krb5_context context, - krb5_const_principal old_server, - const krb5_data *realm, - krb5_boolean tgs, - krb5_principal *server) + krb5_const_principal old_server, + const krb5_data *realm, + krb5_boolean tgs, + krb5_principal *server) { krb5_error_code retval; @@ -506,28 +507,28 @@ rewrite_server_realm(krb5_context context, retval = krb5_copy_principal(context, old_server, server); if (retval) - return retval; + return retval; krb5_free_data_contents(context, &(*server)->realm); (*server)->realm.data = NULL; retval = krb5int_copy_data_contents(context, realm, &(*server)->realm); if (retval) - goto cleanup; + goto cleanup; if (tgs) { - krb5_free_data_contents(context, &(*server)->data[1]); - (*server)->data[1].data = NULL; + krb5_free_data_contents(context, &(*server)->data[1]); + (*server)->data[1].data = NULL; - retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]); - if (retval) - goto cleanup; + retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]); + if (retval) + goto cleanup; } cleanup: if (retval) { - krb5_free_principal(context, *server); - *server = NULL; + krb5_free_principal(context, *server); + *server = NULL; } return retval; @@ -544,44 +545,44 @@ tgt_is_local_realm(krb5_creds *tgt) krb5_error_code KRB5_CALLCONV krb5_get_in_tkt(krb5_context context, - krb5_flags options, - krb5_address * const * addrs, - krb5_enctype * ktypes, - krb5_preauthtype * ptypes, - git_key_proc key_proc, - krb5_const_pointer keyseed, - git_decrypt_proc decrypt_proc, - krb5_const_pointer decryptarg, - krb5_creds * creds, - krb5_ccache ccache, - krb5_kdc_rep ** ret_as_reply) + krb5_flags options, + krb5_address * const * addrs, + krb5_enctype * ktypes, + krb5_preauthtype * ptypes, + git_key_proc key_proc, + krb5_const_pointer keyseed, + git_decrypt_proc decrypt_proc, + krb5_const_pointer decryptarg, + krb5_creds * creds, + krb5_ccache ccache, + krb5_kdc_rep ** ret_as_reply) { - krb5_error_code retval; - krb5_timestamp time_now; - krb5_keyblock * decrypt_key = 0; - krb5_kdc_req request; + krb5_error_code retval; + krb5_timestamp time_now; + krb5_keyblock * decrypt_key = 0; + krb5_kdc_req request; krb5_data *encoded_request; - krb5_error * err_reply; - krb5_kdc_rep * as_reply = 0; - krb5_pa_data ** preauth_to_use = 0; - int loopcount = 0; - krb5_int32 do_more = 0; - int canon_flag; + krb5_error * err_reply; + krb5_kdc_rep * as_reply = 0; + krb5_pa_data ** preauth_to_use = 0; + int loopcount = 0; + krb5_int32 do_more = 0; + int canon_flag; int use_master = 0; - int referral_count = 0; - krb5_principal_data referred_client; - krb5_principal referred_server = NULL; - krb5_boolean is_tgt_req; + int referral_count = 0; + krb5_principal_data referred_client; + krb5_principal referred_server = NULL; + krb5_boolean is_tgt_req; #if APPLE_PKINIT inTktDebug("krb5_get_in_tkt top\n"); #endif /* APPLE_PKINIT */ if (! krb5_realm_compare(context, creds->client, creds->server)) - return KRB5_IN_TKT_REALM_MISMATCH; + return KRB5_IN_TKT_REALM_MISMATCH; if (ret_as_reply) - *ret_as_reply = 0; + *ret_as_reply = 0; referred_client = *(creds->client); referred_client.realm.data = NULL; @@ -589,8 +590,8 @@ krb5_get_in_tkt(krb5_context context, /* per referrals draft, enterprise principals imply canonicalization */ canon_flag = ((options & KDC_OPT_CANONICALIZE) != 0) || - creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; - + creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; + /* * Set up the basic request structure */ @@ -600,10 +601,10 @@ krb5_get_in_tkt(krb5_context context, request.ktype = 0; request.padata = 0; if (addrs) - request.addresses = (krb5_address **) addrs; + request.addresses = (krb5_address **) addrs; else - if ((retval = krb5_os_localaddr(context, &request.addresses))) - goto cleanup; + if ((retval = krb5_os_localaddr(context, &request.addresses))) + goto cleanup; request.kdc_options = options; request.client = creds->client; request.server = creds->server; @@ -614,43 +615,43 @@ krb5_get_in_tkt(krb5_context context, #if APPLE_PKINIT retval = gen_nonce(context, (krb5_int32 *)&time_now); if(retval) { - goto cleanup; + goto cleanup; } request.nonce = time_now; #endif /* APPLE_PKINIT */ request.ktype = malloc (sizeof(get_in_tkt_enctypes)); if (request.ktype == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memcpy(request.ktype, get_in_tkt_enctypes, sizeof(get_in_tkt_enctypes)); for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++); if (ktypes) { - int i, req, next = 0; - for (req = 0; ktypes[req]; req++) { - if (ktypes[req] == request.ktype[next]) { - next++; - continue; - } - for (i = next + 1; i < request.nktypes; i++) - if (ktypes[req] == request.ktype[i]) { - /* Found the enctype we want, but not in the - position we want. Move it, but keep the old - one from the desired slot around in case it's - later in our requested-ktypes list. */ - krb5_enctype t; - t = request.ktype[next]; - request.ktype[next] = request.ktype[i]; - request.ktype[i] = t; - next++; - break; - } - /* If we didn't find it, don't do anything special, just - drop it. */ - } - request.ktype[next] = 0; - request.nktypes = next; + int i, req, next = 0; + for (req = 0; ktypes[req]; req++) { + if (ktypes[req] == request.ktype[next]) { + next++; + continue; + } + for (i = next + 1; i < request.nktypes; i++) + if (ktypes[req] == request.ktype[i]) { + /* Found the enctype we want, but not in the + position we want. Move it, but keep the old + one from the desired slot around in case it's + later in our requested-ktypes list. */ + krb5_enctype t; + t = request.ktype[next]; + request.ktype[next] = request.ktype[i]; + request.ktype[i] = t; + next++; + break; + } + /* If we didn't find it, don't do anything special, just + drop it. */ + } + request.ktype[next] = 0; + request.nktypes = next; } request.authorization_data.ciphertext.length = 0; request.authorization_data.ciphertext.data = 0; @@ -662,153 +663,153 @@ krb5_get_in_tkt(krb5_context context, * preauth_to_use list. */ if (ptypes) { - retval = make_preauth_list(context, ptypes, -1, &preauth_to_use); - if (retval) - goto cleanup; + retval = make_preauth_list(context, ptypes, -1, &preauth_to_use); + if (retval) + goto cleanup; } - + is_tgt_req = tgt_is_local_realm(creds); while (1) { - if (loopcount++ > MAX_IN_TKT_LOOPS) { - retval = KRB5_GET_IN_TKT_LOOP; - goto cleanup; - } + if (loopcount++ > MAX_IN_TKT_LOOPS) { + retval = KRB5_GET_IN_TKT_LOOP; + goto cleanup; + } #if APPLE_PKINIT - inTktDebug("krb5_get_in_tkt calling krb5_obtain_padata\n"); + inTktDebug("krb5_get_in_tkt calling krb5_obtain_padata\n"); #endif /* APPLE_PKINIT */ - if ((retval = krb5_obtain_padata(context, preauth_to_use, key_proc, - keyseed, creds, &request)) != 0) - goto cleanup; - if (preauth_to_use) - krb5_free_pa_data(context, preauth_to_use); - preauth_to_use = 0; - - err_reply = 0; - as_reply = 0; + if ((retval = krb5_obtain_padata(context, preauth_to_use, key_proc, + keyseed, creds, &request)) != 0) + goto cleanup; + if (preauth_to_use) + krb5_free_pa_data(context, preauth_to_use); + preauth_to_use = 0; + + err_reply = 0; + as_reply = 0; if ((retval = krb5_timeofday(context, &time_now))) - goto cleanup; + goto cleanup; /* * XXX we know they are the same size... and we should do * something better than just the current time */ - request.nonce = (krb5_int32) time_now; - - if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0) - goto cleanup; - retval = send_as_request(context, encoded_request, - krb5_princ_realm(context, request.client), &err_reply, - &as_reply, &use_master); - krb5_free_data(context, encoded_request); - if (retval != 0) - goto cleanup; - - if (err_reply) { - if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && - err_reply->e_data.length > 0) { - retval = decode_krb5_padata_sequence(&err_reply->e_data, - &preauth_to_use); - krb5_free_error(context, err_reply); - if (retval) - goto cleanup; + request.nonce = (krb5_int32) time_now; + + if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0) + goto cleanup; + retval = send_as_request(context, encoded_request, + krb5_princ_realm(context, request.client), &err_reply, + &as_reply, &use_master); + krb5_free_data(context, encoded_request); + if (retval != 0) + goto cleanup; + + if (err_reply) { + if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && + err_reply->e_data.length > 0) { + retval = decode_krb5_padata_sequence(&err_reply->e_data, + &preauth_to_use); + krb5_free_error(context, err_reply); + if (retval) + goto cleanup; retval = sort_krb5_padata_sequence(context, - &request.server->realm, - preauth_to_use); - if (retval) - goto cleanup; - continue; - } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) { - if (++referral_count > KRB5_REFERRAL_MAXHOPS || - err_reply->client == NULL || - err_reply->client->realm.length == 0) { - retval = KRB5KDC_ERR_WRONG_REALM; - krb5_free_error(context, err_reply); - goto cleanup; - } - /* Rewrite request.client with realm from error reply */ - if (referred_client.realm.data) { - krb5_free_data_contents(context, &referred_client.realm); - referred_client.realm.data = NULL; - } - retval = krb5int_copy_data_contents(context, - &err_reply->client->realm, - &referred_client.realm); - krb5_free_error(context, err_reply); - if (retval) - goto cleanup; - request.client = &referred_client; - - if (referred_server != NULL) { - krb5_free_principal(context, referred_server); - referred_server = NULL; - } - - retval = rewrite_server_realm(context, - creds->server, - &referred_client.realm, - is_tgt_req, - &referred_server); - if (retval) - goto cleanup; - request.server = referred_server; - - continue; - } else { - retval = (krb5_error_code) err_reply->error - + ERROR_TABLE_BASE_krb5; - krb5_free_error(context, err_reply); - goto cleanup; - } - } else if (!as_reply) { - retval = KRB5KRB_AP_ERR_MSG_TYPE; - goto cleanup; - } - if ((retval = krb5_process_padata(context, &request, as_reply, - key_proc, keyseed, decrypt_proc, - &decrypt_key, creds, - &do_more)) != 0) - goto cleanup; - - if (!do_more) - break; + &request.server->realm, + preauth_to_use); + if (retval) + goto cleanup; + continue; + } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) { + if (++referral_count > KRB5_REFERRAL_MAXHOPS || + err_reply->client == NULL || + err_reply->client->realm.length == 0) { + retval = KRB5KDC_ERR_WRONG_REALM; + krb5_free_error(context, err_reply); + goto cleanup; + } + /* Rewrite request.client with realm from error reply */ + if (referred_client.realm.data) { + krb5_free_data_contents(context, &referred_client.realm); + referred_client.realm.data = NULL; + } + retval = krb5int_copy_data_contents(context, + &err_reply->client->realm, + &referred_client.realm); + krb5_free_error(context, err_reply); + if (retval) + goto cleanup; + request.client = &referred_client; + + if (referred_server != NULL) { + krb5_free_principal(context, referred_server); + referred_server = NULL; + } + + retval = rewrite_server_realm(context, + creds->server, + &referred_client.realm, + is_tgt_req, + &referred_server); + if (retval) + goto cleanup; + request.server = referred_server; + + continue; + } else { + retval = (krb5_error_code) err_reply->error + + ERROR_TABLE_BASE_krb5; + krb5_free_error(context, err_reply); + goto cleanup; + } + } else if (!as_reply) { + retval = KRB5KRB_AP_ERR_MSG_TYPE; + goto cleanup; + } + if ((retval = krb5_process_padata(context, &request, as_reply, + key_proc, keyseed, decrypt_proc, + &decrypt_key, creds, + &do_more)) != 0) + goto cleanup; + + if (!do_more) + break; } - + if ((retval = decrypt_as_reply(context, &request, as_reply, key_proc, - keyseed, decrypt_key, decrypt_proc, - decryptarg))) - goto cleanup; + keyseed, decrypt_key, decrypt_proc, + decryptarg))) + goto cleanup; if ((retval = verify_as_reply(context, time_now, &request, as_reply))) - goto cleanup; + goto cleanup; if ((retval = stash_as_reply(context, time_now, &request, as_reply, - creds, ccache))) - goto cleanup; + creds, ccache))) + goto cleanup; cleanup: if (request.ktype) - free(request.ktype); + free(request.ktype); if (!addrs && request.addresses) - krb5_free_addresses(context, request.addresses); + krb5_free_addresses(context, request.addresses); if (request.padata) - krb5_free_pa_data(context, request.padata); + krb5_free_pa_data(context, request.padata); if (preauth_to_use) - krb5_free_pa_data(context, preauth_to_use); + krb5_free_pa_data(context, preauth_to_use); if (decrypt_key) - krb5_free_keyblock(context, decrypt_key); + krb5_free_keyblock(context, decrypt_key); if (as_reply) { - if (ret_as_reply) - *ret_as_reply = as_reply; - else - krb5_free_kdc_rep(context, as_reply); + if (ret_as_reply) + *ret_as_reply = as_reply; + else + krb5_free_kdc_rep(context, as_reply); } if (referred_client.realm.data) - krb5_free_data_contents(context, &referred_client.realm); + krb5_free_data_contents(context, &referred_client.realm); if (referred_server) - krb5_free_principal(context, referred_server); + krb5_free_principal(context, referred_server); return (retval); } @@ -833,13 +834,13 @@ _krb5_conf_boolean(const char *s) const char *const *p; for(p=conf_yes; *p; p++) { - if (!strcasecmp(*p,s)) - return 1; + if (!strcasecmp(*p,s)) + return 1; } for(p=conf_no; *p; p++) { - if (!strcasecmp(*p,s)) - return 0; + if (!strcasecmp(*p,s)) + return 0; } /* Default to "no" */ @@ -848,7 +849,7 @@ _krb5_conf_boolean(const char *s) static krb5_error_code krb5_libdefault_string(krb5_context context, const krb5_data *realm, - const char *option, char **ret_value) + const char *option, char **ret_value) { profile_t profile; const char *names[5]; @@ -857,25 +858,25 @@ krb5_libdefault_string(krb5_context context, const krb5_data *realm, char realmstr[1024]; if (realm->length > sizeof(realmstr)-1) - return(EINVAL); + return(EINVAL); strncpy(realmstr, realm->data, realm->length); realmstr[realm->length] = '\0'; - if (!context || (context->magic != KV5M_CONTEXT)) - return KV5M_CONTEXT; + if (!context || (context->magic != KV5M_CONTEXT)) + return KV5M_CONTEXT; profile = context->profile; - + names[0] = KRB5_CONF_LIBDEFAULTS; /* * Try number one: * * [libdefaults] - * REALM = { - * option = - * } + * REALM = { + * option = + * } */ names[1] = realmstr; @@ -883,24 +884,24 @@ krb5_libdefault_string(krb5_context context, const krb5_data *realm, names[3] = 0; retval = profile_get_values(profile, names, &nameval); if (retval == 0 && nameval && nameval[0]) - goto goodbye; + goto goodbye; /* * Try number two: * * [libdefaults] - * option = + * option = */ - + names[1] = option; names[2] = 0; retval = profile_get_values(profile, names, &nameval); if (retval == 0 && nameval && nameval[0]) - goto goodbye; + goto goodbye; goodbye: - if (!nameval) - return(ENOENT); + if (!nameval) + return(ENOENT); if (!nameval[0]) { retval = ENOENT; @@ -920,7 +921,7 @@ goodbye: krb5_error_code krb5_libdefault_boolean(krb5_context context, const krb5_data *realm, - const char *option, int *ret_value) + const char *option, int *ret_value) { char *string = NULL; krb5_error_code retval; @@ -928,7 +929,7 @@ krb5_libdefault_boolean(krb5_context context, const krb5_data *realm, retval = krb5_libdefault_string(context, realm, option, &string); if (retval) - return(retval); + return(retval); *ret_value = _krb5_conf_boolean(string); free(string); @@ -940,7 +941,7 @@ krb5_libdefault_boolean(krb5_context context, const krb5_data *realm, * libdefaults entry are listed before any others. */ static krb5_error_code sort_krb5_padata_sequence(krb5_context context, krb5_data *realm, - krb5_pa_data **padata) + krb5_pa_data **padata) { int i, j, base; krb5_error_code ret; @@ -951,58 +952,58 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm, int need_free_string = 1; if ((padata == NULL) || (padata[0] == NULL)) { - return 0; + return 0; } ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES, - &preauth_types); + &preauth_types); if ((ret != 0) || (preauth_types == NULL)) { - /* Try to use PKINIT first. */ - preauth_types = "17, 16, 15, 14"; - need_free_string = 0; + /* Try to use PKINIT first. */ + preauth_types = "17, 16, 15, 14"; + need_free_string = 0; } #ifdef DEBUG fprintf (stderr, "preauth data types before sorting:"); for (i = 0; padata[i]; i++) { - fprintf (stderr, " %d", padata[i]->pa_type); + fprintf (stderr, " %d", padata[i]->pa_type); } fprintf (stderr, "\n"); #endif base = 0; for (p = preauth_types; *p != '\0';) { - /* skip whitespace to find an entry */ - p += strspn(p, ", "); - if (*p != '\0') { - /* see if we can extract a number */ - l = strtol(p, &q, 10); - if ((q != NULL) && (q > p)) { - /* got a valid number; search for a matchin entry */ - for (i = base; padata[i] != NULL; i++) { - /* bubble the matching entry to the front of the list */ - if (padata[i]->pa_type == l) { - tmp = padata[i]; - for (j = i; j > base; j--) - padata[j] = padata[j - 1]; - padata[base] = tmp; - base++; - break; - } - } - p = q; - } else { - break; - } - } + /* skip whitespace to find an entry */ + p += strspn(p, ", "); + if (*p != '\0') { + /* see if we can extract a number */ + l = strtol(p, &q, 10); + if ((q != NULL) && (q > p)) { + /* got a valid number; search for a matchin entry */ + for (i = base; padata[i] != NULL; i++) { + /* bubble the matching entry to the front of the list */ + if (padata[i]->pa_type == l) { + tmp = padata[i]; + for (j = i; j > base; j--) + padata[j] = padata[j - 1]; + padata[base] = tmp; + base++; + break; + } + } + p = q; + } else { + break; + } + } } if (need_free_string) - free(preauth_types); + free(preauth_types); #ifdef DEBUG fprintf (stderr, "preauth data types after sorting:"); for (i = 0; padata[i]; i++) - fprintf (stderr, " %d", padata[i]->pa_type); + fprintf (stderr, " %d", padata[i]->pa_type); fprintf (stderr, "\n"); #endif @@ -1011,46 +1012,46 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm, static krb5_error_code build_in_tkt_name(krb5_context context, - char *in_tkt_service, - krb5_const_principal client, - krb5_principal *server) + char *in_tkt_service, + krb5_const_principal client, + krb5_principal *server) { krb5_error_code ret; *server = NULL; if (in_tkt_service) { - /* this is ugly, because so are the data structures involved. I'm - in the library, so I'm going to manipulate the data structures - directly, otherwise, it will be worse. */ + /* this is ugly, because so are the data structures involved. I'm + in the library, so I'm going to manipulate the data structures + directly, otherwise, it will be worse. */ if ((ret = krb5_parse_name(context, in_tkt_service, server))) - return ret; - - /* stuff the client realm into the server principal. - realloc if necessary */ - if ((*server)->realm.length < client->realm.length) { - char *p = realloc((*server)->realm.data, - client->realm.length); - if (p == NULL) { - krb5_free_principal(context, *server); - *server = NULL; - return ENOMEM; - } - (*server)->realm.data = p; - } - - (*server)->realm.length = client->realm.length; - memcpy((*server)->realm.data, client->realm.data, client->realm.length); + return ret; + + /* stuff the client realm into the server principal. + realloc if necessary */ + if ((*server)->realm.length < client->realm.length) { + char *p = realloc((*server)->realm.data, + client->realm.length); + if (p == NULL) { + krb5_free_principal(context, *server); + *server = NULL; + return ENOMEM; + } + (*server)->realm.data = p; + } + + (*server)->realm.length = client->realm.length; + memcpy((*server)->realm.data, client->realm.data, client->realm.length); } else { - ret = krb5_build_principal_ext(context, server, - client->realm.length, - client->realm.data, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME, - client->realm.length, - client->realm.data, - 0); + ret = krb5_build_principal_ext(context, server, + client->realm.length, + client->realm.data, + KRB5_TGS_NAME_SIZE, + KRB5_TGS_NAME, + client->realm.length, + client->realm.data, + 0); } return ret; } @@ -1067,22 +1068,22 @@ should_continue_preauth(krb5_ui_4 error, int loopcount) * currently it does not do so for built-in mechanisms. */ return (error == KDC_ERR_PREAUTH_REQUIRED || - (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0)); + (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0)); } krb5_error_code KRB5_CALLCONV krb5_get_init_creds(krb5_context context, - krb5_creds *creds, - krb5_principal client, - krb5_prompter_fct prompter, - void *prompter_data, - krb5_deltat start_time, - char *in_tkt_service, - krb5_gic_opt_ext *options, - krb5_gic_get_as_key_fct gak_fct, - void *gak_data, - int *use_master, - krb5_kdc_rep **as_reply) + krb5_creds *creds, + krb5_principal client, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_deltat start_time, + char *in_tkt_service, + krb5_gic_opt_ext *options, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data, + int *use_master, + krb5_kdc_rep **as_reply) { krb5_error_code ret; krb5_kdc_req request; @@ -1107,7 +1108,7 @@ krb5_get_init_creds(krb5_context context, krb5_boolean retry = 0; struct krb5int_fast_request_state *fast_state = NULL; krb5_pa_data **out_padata = NULL; - + /* initialize everything which will be freed at cleanup */ @@ -1124,14 +1125,14 @@ krb5_get_init_creds(krb5_context context, as_key.length = 0; encrypting_key.length = 0; encrypting_key.contents = NULL; - salt.length = 0; + salt.length = 0; salt.data = NULL; - local_as_reply = 0; + local_as_reply = 0; #if APPLE_PKINIT inTktDebug("krb5_get_init_creds top\n"); #endif /* APPLE_PKINIT */ - + err_reply = NULL; /* referred_client is used to rewrite the client realm for referrals */ @@ -1140,7 +1141,7 @@ krb5_get_init_creds(krb5_context context, referred_client.realm.length = 0; ret = krb5int_fast_make_state(context, &fast_state); if (ret) - goto cleanup; + goto cleanup; /* * Set up the basic request structure @@ -1158,137 +1159,137 @@ krb5_get_init_creds(krb5_context context, /* forwardable */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)) - tempint = options->forwardable; + tempint = options->forwardable; else if ((ret = krb5_libdefault_boolean(context, &client->realm, - KRB5_CONF_FORWARDABLE, &tempint)) == 0) - ; + KRB5_CONF_FORWARDABLE, &tempint)) == 0) + ; else - tempint = 0; + tempint = 0; if (tempint) - request.kdc_options |= KDC_OPT_FORWARDABLE; + request.kdc_options |= KDC_OPT_FORWARDABLE; /* proxiable */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)) - tempint = options->proxiable; + tempint = options->proxiable; else if ((ret = krb5_libdefault_boolean(context, &client->realm, - KRB5_CONF_PROXIABLE, &tempint)) == 0) - ; + KRB5_CONF_PROXIABLE, &tempint)) == 0) + ; else - tempint = 0; + tempint = 0; if (tempint) - request.kdc_options |= KDC_OPT_PROXIABLE; + request.kdc_options |= KDC_OPT_PROXIABLE; /* canonicalize */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE)) - tempint = 1; + tempint = 1; else if ((ret = krb5_libdefault_boolean(context, &client->realm, - KRB5_CONF_CANONICALIZE, &tempint)) == 0) - ; + KRB5_CONF_CANONICALIZE, &tempint)) == 0) + ; else - tempint = 0; + tempint = 0; if (tempint) - request.kdc_options |= KDC_OPT_CANONICALIZE; + request.kdc_options |= KDC_OPT_CANONICALIZE; /* allow_postdate */ - + if (start_time > 0) - request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED); - + request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED); + /* ticket lifetime */ - + if ((ret = krb5_timeofday(context, &request.from))) - goto cleanup; + goto cleanup; request.from = krb5int_addint32(request.from, start_time); - + if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) { tkt_life = options->tkt_life; } else if ((ret = krb5_libdefault_string(context, &client->realm, - KRB5_CONF_TICKET_LIFETIME, &tempstr)) - == 0) { - ret = krb5_string_to_deltat(tempstr, &tkt_life); - free(tempstr); - if (ret) { - goto cleanup; - } + KRB5_CONF_TICKET_LIFETIME, &tempstr)) + == 0) { + ret = krb5_string_to_deltat(tempstr, &tkt_life); + free(tempstr); + if (ret) { + goto cleanup; + } } else { - /* this used to be hardcoded in kinit.c */ - tkt_life = 24*60*60; + /* this used to be hardcoded in kinit.c */ + tkt_life = 24*60*60; } request.till = krb5int_addint32(request.from, tkt_life); - + /* renewable lifetime */ - + if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) { - renew_life = options->renew_life; + renew_life = options->renew_life; } else if ((ret = krb5_libdefault_string(context, &client->realm, - KRB5_CONF_RENEW_LIFETIME, &tempstr)) - == 0) { - ret = krb5_string_to_deltat(tempstr, &renew_life); - free(tempstr); - if (ret) { - goto cleanup; - } + KRB5_CONF_RENEW_LIFETIME, &tempstr)) + == 0) { + ret = krb5_string_to_deltat(tempstr, &renew_life); + free(tempstr); + if (ret) { + goto cleanup; + } } else { - renew_life = 0; + renew_life = 0; } if (renew_life > 0) - request.kdc_options |= KDC_OPT_RENEWABLE; - + request.kdc_options |= KDC_OPT_RENEWABLE; + if (renew_life > 0) { - request.rtime = krb5int_addint32(request.from, renew_life); + request.rtime = krb5int_addint32(request.from, renew_life); if (request.rtime < request.till) { /* don't ask for a smaller renewable time than the lifetime */ request.rtime = request.till; } /* we are already asking for renewable tickets so strip this option */ - request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK); + request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK); } else { - request.rtime = 0; + request.rtime = 0; } - + /* client */ request.client = client; /* per referrals draft, enterprise principals imply canonicalization */ canon_flag = ((request.kdc_options & KDC_OPT_CANONICALIZE) != 0) || - client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; + client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; /* service */ if ((ret = build_in_tkt_name(context, in_tkt_service, - request.client, &request.server))) - goto cleanup; + request.client, &request.server))) + goto cleanup; krb5_preauth_request_context_init(context); if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) { - request.ktype = options->etype_list; - request.nktypes = options->etype_list_length; + request.ktype = options->etype_list; + request.nktypes = options->etype_list_length; } else if ((ret = krb5_get_default_in_tkt_ktypes(context, - &request.ktype)) == 0) { - for (request.nktypes = 0; - request.ktype[request.nktypes]; - request.nktypes++) - ; + &request.ktype)) == 0) { + for (request.nktypes = 0; + request.ktype[request.nktypes]; + request.nktypes++) + ; } else { - /* there isn't any useful default here. ret is set from above */ - goto cleanup; + /* there isn't any useful default here. ret is set from above */ + goto cleanup; } if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)) { - request.addresses = options->address_list; + request.addresses = options->address_list; } /* it would be nice if this parsed out an address list, but that would be work. */ else if (((ret = krb5_libdefault_boolean(context, &client->realm, - KRB5_CONF_NOADDRESSES, &tempint)) != 0) - || (tempint == 1)) { - ; + KRB5_CONF_NOADDRESSES, &tempint)) != 0) + || (tempint == 1)) { + ; } else { - if ((ret = krb5_os_localaddr(context, &request.addresses))) - goto cleanup; + if ((ret = krb5_os_localaddr(context, &request.addresses))) + goto cleanup; } request.authorization_data.ciphertext.length = 0; @@ -1299,228 +1300,228 @@ krb5_get_init_creds(krb5_context context, /* set up the other state. */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) { - if ((ret = make_preauth_list(context, options->preauth_list, - options->preauth_list_length, - &preauth_to_use))) - goto cleanup; + if ((ret = make_preauth_list(context, options->preauth_list, + options->preauth_list_length, + &preauth_to_use))) + goto cleanup; } /* the salt is allocated from somewhere, unless it is from the caller, then it is a reference */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)) { - salt = *options->salt; + salt = *options->salt; } else { - salt.length = SALT_TYPE_AFS_LENGTH; - salt.data = NULL; + salt.length = SALT_TYPE_AFS_LENGTH; + salt.data = NULL; } /* set the request nonce */ if ((ret = krb5_timeofday(context, &time_now))) - goto cleanup; + goto cleanup; /* * XXX we know they are the same size... and we should do * something better than just the current time */ { - unsigned char random_buf[4]; - krb5_data random_data; - - random_data.length = 4; - random_data.data = (char *)random_buf; - if (krb5_c_random_make_octets(context, &random_data) == 0) - /* See RT ticket 3196 at MIT. If we set the high bit, we - may have compatibility problems with Heimdal, because - we (incorrectly) encode this value as signed. */ - request.nonce = 0x7fffffff & load_32_n(random_buf); - else - /* XXX Yuck. Old version. */ - request.nonce = (krb5_int32) time_now; + unsigned char random_buf[4]; + krb5_data random_data; + + random_data.length = 4; + random_data.data = (char *)random_buf; + if (krb5_c_random_make_octets(context, &random_data) == 0) + /* See RT ticket 3196 at MIT. If we set the high bit, we + may have compatibility problems with Heimdal, because + we (incorrectly) encode this value as signed. */ + request.nonce = 0x7fffffff & load_32_n(random_buf); + else + /* XXX Yuck. Old version. */ + request.nonce = (krb5_int32) time_now; } ret = krb5int_fast_as_armor(context, fast_state, options, &request); if (ret != 0) - goto cleanup; + goto cleanup; /* give the preauth plugins a chance to prep the request body */ krb5_preauth_prepare_request(context, options, &request); ret = krb5int_fast_prep_req_body(context, fast_state, - &request, &encoded_request_body); + &request, &encoded_request_body); if (ret) goto cleanup; get_data_rock.magic = CLIENT_ROCK_MAGIC; get_data_rock.etype = &etype; get_data_rock.fast_state = fast_state; - + /* now, loop processing preauth data and talking to the kdc */ for (loopcount = 0; loopcount < MAX_IN_TKT_LOOPS; loopcount++) { - if (request.padata) { - krb5_free_pa_data(context, request.padata); - request.padata = NULL; - } - if (!err_reply) { + if (request.padata) { + krb5_free_pa_data(context, request.padata); + request.padata = NULL; + } + if (!err_reply) { /* either our first attempt, or retrying after PREAUTH_NEEDED */ - if ((ret = krb5_do_preauth(context, - &request, - encoded_request_body, - encoded_previous_request, - preauth_to_use, &request.padata, - &salt, &s2kparams, &etype, &as_key, - prompter, prompter_data, - gak_fct, gak_data, - &get_data_rock, options))) - goto cleanup; - if (out_padata) { - krb5_free_pa_data(context, out_padata); - out_padata = NULL; - } - } else { - if (preauth_to_use != NULL) { - /* - * Retry after an error other than PREAUTH_NEEDED, - * using e-data to figure out what to change. - */ - ret = krb5_do_preauth_tryagain(context, - &request, - encoded_request_body, - encoded_previous_request, - preauth_to_use, &request.padata, - err_reply, - &salt, &s2kparams, &etype, - &as_key, - prompter, prompter_data, - gak_fct, gak_data, - &get_data_rock, options); - } else { - /* No preauth supplied, so can't query the plug-ins. */ - ret = KRB5KRB_ERR_GENERIC; - } - if (ret) { - /* couldn't come up with anything better */ - ret = err_reply->error + ERROR_TABLE_BASE_krb5; - } - krb5_free_error(context, err_reply); - err_reply = NULL; - if (ret) - goto cleanup; - } + if ((ret = krb5_do_preauth(context, + &request, + encoded_request_body, + encoded_previous_request, + preauth_to_use, &request.padata, + &salt, &s2kparams, &etype, &as_key, + prompter, prompter_data, + gak_fct, gak_data, + &get_data_rock, options))) + goto cleanup; + if (out_padata) { + krb5_free_pa_data(context, out_padata); + out_padata = NULL; + } + } else { + if (preauth_to_use != NULL) { + /* + * Retry after an error other than PREAUTH_NEEDED, + * using e-data to figure out what to change. + */ + ret = krb5_do_preauth_tryagain(context, + &request, + encoded_request_body, + encoded_previous_request, + preauth_to_use, &request.padata, + err_reply, + &salt, &s2kparams, &etype, + &as_key, + prompter, prompter_data, + gak_fct, gak_data, + &get_data_rock, options); + } else { + /* No preauth supplied, so can't query the plug-ins. */ + ret = KRB5KRB_ERR_GENERIC; + } + if (ret) { + /* couldn't come up with anything better */ + ret = err_reply->error + ERROR_TABLE_BASE_krb5; + } + krb5_free_error(context, err_reply); + err_reply = NULL; + if (ret) + goto cleanup; + } if (encoded_previous_request != NULL) { - krb5_free_data(context, encoded_previous_request); - encoded_previous_request = NULL; + krb5_free_data(context, encoded_previous_request); + encoded_previous_request = NULL; + } + ret = krb5int_fast_prep_req(context, fast_state, + &request, encoded_request_body, + encode_krb5_as_req, &encoded_previous_request); + if (ret) + goto cleanup; + + err_reply = 0; + local_as_reply = 0; + if ((ret = send_as_request(context, encoded_previous_request, + krb5_princ_realm(context, request.client), &err_reply, + &local_as_reply, use_master))) + goto cleanup; + + if (err_reply) { + ret = krb5int_fast_process_error(context, fast_state, &err_reply, + &out_padata, &retry); + if (ret !=0) + goto cleanup; + if (should_continue_preauth(err_reply->error, loopcount) && retry) { + /* reset the list of preauth types to try */ + if (preauth_to_use) { + krb5_free_pa_data(context, preauth_to_use); + preauth_to_use = NULL; + } + preauth_to_use = out_padata; + out_padata = NULL; + krb5_free_error(context, err_reply); + err_reply = NULL; + ret = sort_krb5_padata_sequence(context, + &request.server->realm, + preauth_to_use); + if (ret) + goto cleanup; + /* continue to next iteration */ + } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) { + if (err_reply->client == NULL || + err_reply->client->realm.length == 0) { + ret = KRB5KDC_ERR_WRONG_REALM; + krb5_free_error(context, err_reply); + goto cleanup; + } + /* Rewrite request.client with realm from error reply */ + if (referred_client.realm.data) { + krb5_free_data_contents(context, &referred_client.realm); + referred_client.realm.data = NULL; + } + ret = krb5int_copy_data_contents(context, + &err_reply->client->realm, + &referred_client.realm); + krb5_free_error(context, err_reply); + err_reply = NULL; + if (ret) + goto cleanup; + request.client = &referred_client; + + krb5_free_principal(context, request.server); + request.server = NULL; + + ret = build_in_tkt_name(context, in_tkt_service, + request.client, &request.server); + if (ret) + goto cleanup; + } else { + if (retry) { + /* continue to next iteration */ + } else { + /* error + no hints = give up */ + ret = (krb5_error_code) err_reply->error + + ERROR_TABLE_BASE_krb5; + krb5_free_error(context, err_reply); + goto cleanup; + } + } + } else if (local_as_reply) { + break; + } else { + ret = KRB5KRB_AP_ERR_MSG_TYPE; + goto cleanup; } - ret = krb5int_fast_prep_req(context, fast_state, - &request, encoded_request_body, - encode_krb5_as_req, &encoded_previous_request); - if (ret) - goto cleanup; - - err_reply = 0; - local_as_reply = 0; - if ((ret = send_as_request(context, encoded_previous_request, - krb5_princ_realm(context, request.client), &err_reply, - &local_as_reply, use_master))) - goto cleanup; - - if (err_reply) { - ret = krb5int_fast_process_error(context, fast_state, &err_reply, - &out_padata, &retry); - if (ret !=0) - goto cleanup; - if (should_continue_preauth(err_reply->error, loopcount) && retry) { - /* reset the list of preauth types to try */ - if (preauth_to_use) { - krb5_free_pa_data(context, preauth_to_use); - preauth_to_use = NULL; - } - preauth_to_use = out_padata; - out_padata = NULL; - krb5_free_error(context, err_reply); - err_reply = NULL; - ret = sort_krb5_padata_sequence(context, - &request.server->realm, - preauth_to_use); - if (ret) - goto cleanup; - /* continue to next iteration */ - } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) { - if (err_reply->client == NULL || - err_reply->client->realm.length == 0) { - ret = KRB5KDC_ERR_WRONG_REALM; - krb5_free_error(context, err_reply); - goto cleanup; - } - /* Rewrite request.client with realm from error reply */ - if (referred_client.realm.data) { - krb5_free_data_contents(context, &referred_client.realm); - referred_client.realm.data = NULL; - } - ret = krb5int_copy_data_contents(context, - &err_reply->client->realm, - &referred_client.realm); - krb5_free_error(context, err_reply); - err_reply = NULL; - if (ret) - goto cleanup; - request.client = &referred_client; - - krb5_free_principal(context, request.server); - request.server = NULL; - - ret = build_in_tkt_name(context, in_tkt_service, - request.client, &request.server); - if (ret) - goto cleanup; - } else { - if (retry) { - /* continue to next iteration */ - } else { - /* error + no hints = give up */ - ret = (krb5_error_code) err_reply->error - + ERROR_TABLE_BASE_krb5; - krb5_free_error(context, err_reply); - goto cleanup; - } - } - } else if (local_as_reply) { - break; - } else { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - goto cleanup; - } } #if APPLE_PKINIT inTktDebug("krb5_get_init_creds done with send_as_request loop lc %d\n", - (int)loopcount); + (int)loopcount); #endif /* APPLE_PKINIT */ if (loopcount == MAX_IN_TKT_LOOPS) { - ret = KRB5_GET_IN_TKT_LOOP; - goto cleanup; + ret = KRB5_GET_IN_TKT_LOOP; + goto cleanup; } /* process any preauth data in the as_reply */ krb5_clear_preauth_context_use_counts(context); ret = krb5int_fast_process_response(context, fast_state, - local_as_reply, &strengthen_key); + local_as_reply, &strengthen_key); if (ret) - goto cleanup; + goto cleanup; if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, - local_as_reply->padata))) - goto cleanup; + local_as_reply->padata))) + goto cleanup; etype = local_as_reply->enc_part.enctype; if ((ret = krb5_do_preauth(context, - &request, - encoded_request_body, encoded_previous_request, - local_as_reply->padata, &kdc_padata, - &salt, &s2kparams, &etype, &as_key, prompter, - prompter_data, gak_fct, gak_data, - &get_data_rock, options))) { + &request, + encoded_request_body, encoded_previous_request, + local_as_reply->padata, &kdc_padata, + &salt, &s2kparams, &etype, &as_key, prompter, + prompter_data, gak_fct, gak_data, + &get_data_rock, options))) { #if APPLE_PKINIT inTktDebug("krb5_get_init_creds krb5_do_preauth returned %d\n", (int)ret); #endif /* APPLE_PKINIT */ - goto cleanup; - } + goto cleanup; + } /* * If we haven't gotten a salt from another source yet, set up one @@ -1533,9 +1534,9 @@ krb5_get_init_creds(krb5_context context, * verify_as_reply. */ if (salt.length == SALT_TYPE_AFS_LENGTH && salt.data == NULL) { - ret = krb5_principal2salt(context, local_as_reply->client, &salt); - if (ret) - goto cleanup; + ret = krb5_principal2salt(context, local_as_reply->client, &salt); + if (ret) + goto cleanup; } /* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY, @@ -1543,7 +1544,7 @@ krb5_get_init_creds(krb5_context context, instead of in the SAD. If there was a SAM preauth, there will be an as_key here which will be the SAD. If that fails, use the gak_fct to get the password, and try again. */ - + /* XXX because etypes are handled poorly (particularly wrt SAM, where the etype is fixed by the kdc), we may want to try decrypt_as_reply twice. If there's an as_key available, try @@ -1551,37 +1552,37 @@ krb5_get_init_creds(krb5_context context, as_key at all yet, then use the gak_fct to get one, and try again. */ if (as_key.length) { - ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, - &encrypting_key); - if (ret) - goto cleanup; - ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, - NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, - NULL); + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; + ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, + NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, + NULL); } else - ret = -1; - + ret = -1; + if (ret) { - /* if we haven't get gotten a key, get it now */ - - if ((ret = ((*gak_fct)(context, request.client, - local_as_reply->enc_part.enctype, - prompter, prompter_data, &salt, &s2kparams, - &as_key, gak_data)))) - goto cleanup; - - ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, - &encrypting_key); - if (ret) - goto cleanup; - if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, - NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, - NULL))) - goto cleanup; + /* if we haven't get gotten a key, get it now */ + + if ((ret = ((*gak_fct)(context, request.client, + local_as_reply->enc_part.enctype, + prompter, prompter_data, &salt, &s2kparams, + &as_key, gak_data)))) + goto cleanup; + + ret = krb5int_fast_reply_key(context, strengthen_key, &as_key, + &encrypting_key); + if (ret) + goto cleanup; + if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, + NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc, + NULL))) + goto cleanup; } if ((ret = verify_as_reply(context, time_now, &request, local_as_reply))) - goto cleanup; + goto cleanup; /* XXX this should be inside stash_as_reply, but as long as get_in_tkt is still around using that arg as an in/out, I can't @@ -1589,8 +1590,8 @@ krb5_get_init_creds(krb5_context context, memset(creds, 0, sizeof(*creds)); if ((ret = stash_as_reply(context, time_now, &request, local_as_reply, - creds, NULL))) - goto cleanup; + creds, NULL))) + goto cleanup; /* success */ @@ -1598,65 +1599,65 @@ krb5_get_init_creds(krb5_context context, cleanup: if (ret != 0) { - char *client_name; - /* See if we can produce a more detailed error message. */ - switch (ret) { - case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: - client_name = NULL; - if (krb5_unparse_name(context, client, &client_name) == 0) { - krb5_set_error_message(context, ret, - "Client '%s' not found in Kerberos database", - client_name); - free(client_name); - } - break; - default: - break; - } + char *client_name; + /* See if we can produce a more detailed error message. */ + switch (ret) { + case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: + client_name = NULL; + if (krb5_unparse_name(context, client, &client_name) == 0) { + krb5_set_error_message(context, ret, + "Client '%s' not found in Kerberos database", + client_name); + free(client_name); + } + break; + default: + break; + } } krb5_preauth_request_context_fini(context); - krb5_free_keyblock(context, strengthen_key); - if (encrypting_key.contents) - krb5_free_keyblock_contents(context, &encrypting_key); - if (fast_state) - krb5int_fast_free_state(context, fast_state); + krb5_free_keyblock(context, strengthen_key); + if (encrypting_key.contents) + krb5_free_keyblock_contents(context, &encrypting_key); + if (fast_state) + krb5int_fast_free_state(context, fast_state); if (out_padata) - krb5_free_pa_data(context, out_padata); + krb5_free_pa_data(context, out_padata); if (encoded_previous_request != NULL) { - krb5_free_data(context, encoded_previous_request); - encoded_previous_request = NULL; + krb5_free_data(context, encoded_previous_request); + encoded_previous_request = NULL; } if (encoded_request_body != NULL) { - krb5_free_data(context, encoded_request_body); - encoded_request_body = NULL; + krb5_free_data(context, encoded_request_body); + encoded_request_body = NULL; } if (request.server) - krb5_free_principal(context, request.server); + krb5_free_principal(context, request.server); if (request.ktype && - (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)))) - free(request.ktype); + (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)))) + free(request.ktype); if (request.addresses && - (!(options && - (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)))) - krb5_free_addresses(context, request.addresses); + (!(options && + (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)))) + krb5_free_addresses(context, request.addresses); if (preauth_to_use) - krb5_free_pa_data(context, preauth_to_use); + krb5_free_pa_data(context, preauth_to_use); if (kdc_padata) - krb5_free_pa_data(context, kdc_padata); + krb5_free_pa_data(context, kdc_padata); if (request.padata) - krb5_free_pa_data(context, request.padata); + krb5_free_pa_data(context, request.padata); if (as_key.length) - krb5_free_keyblock_contents(context, &as_key); + krb5_free_keyblock_contents(context, &as_key); if (salt.data && - (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)))) - free(salt.data); + (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)))) + free(salt.data); krb5_free_data_contents(context, &s2kparams); if (as_reply) - *as_reply = local_as_reply; + *as_reply = local_as_reply; else if (local_as_reply) - krb5_free_kdc_rep(context, local_as_reply); + krb5_free_kdc_rep(context, local_as_reply); if (referred_client.realm.data) - krb5_free_data_contents(context, &referred_client.realm); + krb5_free_data_contents(context, &referred_client.realm); return(ret); } diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c index 33db55278..ab064ebcd 100644 --- a/src/lib/krb5/krb/gic_keytab.c +++ b/src/lib/krb5/krb/gic_keytab.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/gic_keytab.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -23,7 +24,7 @@ * this software for any purpose. It is provided "as is" without express * or implied warranty. */ -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT #include "k5-int.h" @@ -49,20 +50,20 @@ krb5_get_as_key_keytab( a new one. */ if (as_key->length) { - if (as_key->enctype == etype) - return(0); + if (as_key->enctype == etype) + return(0); - krb5_free_keyblock_contents(context, as_key); - as_key->length = 0; + krb5_free_keyblock_contents(context, as_key); + as_key->length = 0; } if (!krb5_c_valid_enctype(etype)) - return(KRB5_PROG_ETYPE_NOSUPP); + return(KRB5_PROG_ETYPE_NOSUPP); if ((ret = krb5_kt_get_entry(context, keytab, client, - 0, /* don't have vno available */ - etype, &kt_ent))) - return(ret); + 0, /* don't have vno available */ + etype, &kt_ent))) + return(ret); ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key); @@ -78,93 +79,93 @@ krb5_get_as_key_keytab( krb5_error_code KRB5_CALLCONV krb5_get_init_creds_keytab(krb5_context context, - krb5_creds *creds, - krb5_principal client, - krb5_keytab arg_keytab, - krb5_deltat start_time, - char *in_tkt_service, - krb5_get_init_creds_opt *options) + krb5_creds *creds, + krb5_principal client, + krb5_keytab arg_keytab, + krb5_deltat start_time, + char *in_tkt_service, + krb5_get_init_creds_opt *options) { - krb5_error_code ret, ret2; - int use_master; - krb5_keytab keytab; - krb5_gic_opt_ext *opte = NULL; + krb5_error_code ret, ret2; + int use_master; + krb5_keytab keytab; + krb5_gic_opt_ext *opte = NULL; + + if (arg_keytab == NULL) { + if ((ret = krb5_kt_default(context, &keytab))) + return ret; + } else { + keytab = arg_keytab; + } - if (arg_keytab == NULL) { - if ((ret = krb5_kt_default(context, &keytab))) - return ret; - } else { - keytab = arg_keytab; - } + ret = krb5int_gic_opt_to_opte(context, options, &opte, 1, + "krb5_get_init_creds_keytab"); + if (ret) + return ret; - ret = krb5int_gic_opt_to_opte(context, options, &opte, 1, - "krb5_get_init_creds_keytab"); - if (ret) - return ret; + use_master = 0; - use_master = 0; + /* first try: get the requested tkt from any kdc */ - /* first try: get the requested tkt from any kdc */ + ret = krb5_get_init_creds(context, creds, client, NULL, NULL, + start_time, in_tkt_service, opte, + krb5_get_as_key_keytab, (void *) keytab, + &use_master,NULL); - ret = krb5_get_init_creds(context, creds, client, NULL, NULL, - start_time, in_tkt_service, opte, - krb5_get_as_key_keytab, (void *) keytab, - &use_master,NULL); + /* check for success */ - /* check for success */ + if (ret == 0) + goto cleanup; - if (ret == 0) - goto cleanup; + /* If all the kdc's are unavailable fail */ - /* If all the kdc's are unavailable fail */ + if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE)) + goto cleanup; - if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE)) - goto cleanup; + /* if the reply did not come from the master kdc, try again with + the master kdc */ - /* if the reply did not come from the master kdc, try again with - the master kdc */ + if (!use_master) { + use_master = 1; - if (!use_master) { - use_master = 1; + ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL, + start_time, in_tkt_service, opte, + krb5_get_as_key_keytab, (void *) keytab, + &use_master, NULL); - ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL, - start_time, in_tkt_service, opte, - krb5_get_as_key_keytab, (void *) keytab, - &use_master, NULL); - - if (ret2 == 0) { - ret = 0; - goto cleanup; - } + if (ret2 == 0) { + ret = 0; + goto cleanup; + } - /* if the master is unreachable, return the error from the - slave we were able to contact */ + /* if the master is unreachable, return the error from the + slave we were able to contact */ - if ((ret2 == KRB5_KDC_UNREACH) || - (ret2 == KRB5_REALM_CANT_RESOLVE) || - (ret2 == KRB5_REALM_UNKNOWN)) - goto cleanup; + if ((ret2 == KRB5_KDC_UNREACH) || + (ret2 == KRB5_REALM_CANT_RESOLVE) || + (ret2 == KRB5_REALM_UNKNOWN)) + goto cleanup; - ret = ret2; - } + ret = ret2; + } - /* at this point, we have a response from the master. Since we don't - do any prompting or changing for keytabs, that's it. */ + /* at this point, we have a response from the master. Since we don't + do any prompting or changing for keytabs, that's it. */ cleanup: - if (opte && krb5_gic_opt_is_shadowed(opte)) - krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); - if (arg_keytab == NULL) - krb5_kt_close(context, keytab); + if (opte && krb5_gic_opt_is_shadowed(opte)) + krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); + if (arg_keytab == NULL) + krb5_kt_close(context, keytab); - return(ret); + return(ret); } krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, - krb5_address *const *addrs, krb5_enctype *ktypes, - krb5_preauthtype *pre_auth_types, - krb5_keytab arg_keytab, krb5_ccache ccache, - krb5_creds *creds, krb5_kdc_rep **ret_as_reply) + krb5_address *const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, + krb5_keytab arg_keytab, krb5_ccache ccache, + krb5_creds *creds, krb5_kdc_rep **ret_as_reply) { krb5_error_code retval; krb5_gic_opt_ext *opte; @@ -172,49 +173,48 @@ krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, krb5_keytab keytab; krb5_principal client_princ, server_princ; int use_master = 0; - + retval = krb5int_populate_gic_opt(context, &opte, - options, addrs, ktypes, - pre_auth_types, creds); + options, addrs, ktypes, + pre_auth_types, creds); if (retval) - return retval; + return retval; if (arg_keytab == NULL) { - retval = krb5_kt_default(context, &keytab); - if (retval) - return retval; + retval = krb5_kt_default(context, &keytab); + if (retval) + return retval; } else keytab = arg_keytab; - + retval = krb5_unparse_name( context, creds->server, &server); if (retval) - goto cleanup; + goto cleanup; server_princ = creds->server; client_princ = creds->client; retval = krb5_get_init_creds (context, - creds, creds->client, - krb5_prompter_posix, NULL, - 0, server, opte, - krb5_get_as_key_keytab, (void *)keytab, - &use_master, ret_as_reply); + creds, creds->client, + krb5_prompter_posix, NULL, + 0, server, opte, + krb5_get_as_key_keytab, (void *)keytab, + &use_master, ret_as_reply); krb5_free_unparsed_name( context, server); krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); if (retval) { - goto cleanup; + goto cleanup; } krb5_free_principal(context, creds->server); krb5_free_principal(context, creds->client); - creds->client = client_princ; - creds->server = server_princ; - + creds->client = client_princ; + creds->server = server_princ; + /* store it in the ccache! */ if (ccache) - if ((retval = krb5_cc_store_cred(context, ccache, creds))) - goto cleanup; - cleanup: if (arg_keytab == NULL) - krb5_kt_close(context, keytab); + if ((retval = krb5_cc_store_cred(context, ccache, creds))) + goto cleanup; +cleanup: if (arg_keytab == NULL) + krb5_kt_close(context, keytab); return retval; } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c index 72203f0e7..bff45392f 100644 --- a/src/lib/krb5/krb/gic_opt.c +++ b/src/lib/krb5/krb/gic_opt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "k5-int.h" #include "int-proto.h" @@ -17,77 +18,77 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) void KRB5_CALLCONV krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE; - opt->tkt_life = tkt_life; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE; + opt->tkt_life = tkt_life; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE; - opt->renew_life = renew_life; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE; + opt->renew_life = renew_life; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE; - opt->forwardable = forwardable; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE; + opt->forwardable = forwardable; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE; - opt->proxiable = proxiable; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE; + opt->proxiable = proxiable; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, int canonicalize) { if (canonicalize) - opt->flags |= KRB5_GET_INIT_CREDS_OPT_CANONICALIZE; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_CANONICALIZE; else - opt->flags &= ~(KRB5_GET_INIT_CREDS_OPT_CANONICALIZE); + opt->flags &= ~(KRB5_GET_INIT_CREDS_OPT_CANONICALIZE); } void KRB5_CALLCONV krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST; - opt->etype_list = etype_list; - opt->etype_list_length = etype_list_length; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST; + opt->etype_list = etype_list; + opt->etype_list_length = etype_list_length; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_address **addresses) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST; - opt->address_list = addresses; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST; + opt->address_list = addresses; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST; - opt->preauth_list = preauth_list; - opt->preauth_list_length = preauth_list_length; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST; + opt->preauth_list = preauth_list; + opt->preauth_list_length = preauth_list_length; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt) { - opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; - opt->salt = salt; + opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; + opt->salt = salt; } void KRB5_CALLCONV krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt) { - if (prompt) - opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; - else - opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; + if (prompt) + opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; + else + opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; } /* @@ -109,7 +110,7 @@ krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, * with the new krb5_get_init_creds_opt_alloc() function. * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended * structure is a shadow copy of an original krb5_get_init_creds_opt - * structure. + * structure. * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to * krb5int_gic_opt_to_opte(), the resulting extended structure should be * freed (using krb5_get_init_creds_free). Otherwise, the original @@ -119,17 +120,17 @@ krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, /* Forward prototype */ static void free_gic_opt_ext_preauth_data(krb5_context context, - krb5_gic_opt_ext *opte); + krb5_gic_opt_ext *opte); static krb5_error_code krb5int_gic_opte_private_alloc(krb5_context context, krb5_gic_opt_ext *opte) { if (NULL == opte || !krb5_gic_opt_is_extended(opte)) - return EINVAL; + return EINVAL; opte->opt_private = calloc(1, sizeof(*opte->opt_private)); if (NULL == opte->opt_private) { - return ENOMEM; + return ENOMEM; } /* Allocate any private stuff */ opte->opt_private->num_preauth_data = 0; @@ -141,13 +142,13 @@ static krb5_error_code krb5int_gic_opte_private_free(krb5_context context, krb5_gic_opt_ext *opte) { if (NULL == opte || !krb5_gic_opt_is_extended(opte)) - return EINVAL; - + return EINVAL; + /* Free up any private stuff */ if (opte->opt_private->preauth_data != NULL) - free_gic_opt_ext_preauth_data(context, opte); + free_gic_opt_ext_preauth_data(context, opte); if (opte->opt_private->fast_ccache_name) - free(opte->opt_private->fast_ccache_name); + free(opte->opt_private->fast_ccache_name); free(opte->opt_private); opte->opt_private = NULL; return 0; @@ -161,27 +162,27 @@ krb5int_gic_opte_alloc(krb5_context context) opte = calloc(1, sizeof(*opte)); if (NULL == opte) - return NULL; + return NULL; opte->flags = KRB5_GET_INIT_CREDS_OPT_EXTENDED; code = krb5int_gic_opte_private_alloc(context, opte); if (code) { - krb5int_set_error(&context->err, code, - "krb5int_gic_opte_alloc: krb5int_gic_opte_private_alloc failed"); - free(opte); - return NULL; + krb5int_set_error(&context->err, code, + "krb5int_gic_opte_alloc: krb5int_gic_opte_private_alloc failed"); + free(opte); + return NULL; } return(opte); } krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_alloc(krb5_context context, - krb5_get_init_creds_opt **opt) + krb5_get_init_creds_opt **opt) { krb5_gic_opt_ext *opte; if (NULL == opt) - return EINVAL; + return EINVAL; *opt = NULL; /* @@ -189,7 +190,7 @@ krb5_get_init_creds_opt_alloc(krb5_context context, */ opte = krb5int_gic_opte_alloc(context); if (NULL == opte) - return ENOMEM; + return ENOMEM; *opt = (krb5_get_init_creds_opt *) opte; init_common(*opt); @@ -198,47 +199,47 @@ krb5_get_init_creds_opt_alloc(krb5_context context, void KRB5_CALLCONV krb5_get_init_creds_opt_free(krb5_context context, - krb5_get_init_creds_opt *opt) + krb5_get_init_creds_opt *opt) { krb5_gic_opt_ext *opte; if (NULL == opt) - return; + return; /* Don't touch it if we didn't allocate it */ if (!krb5_gic_opt_is_extended(opt)) - return; - + return; + opte = (krb5_gic_opt_ext *)opt; if (opte->opt_private) - krb5int_gic_opte_private_free(context, opte); + krb5int_gic_opte_private_free(context, opte); free(opte); } static krb5_error_code krb5int_gic_opte_copy(krb5_context context, - krb5_get_init_creds_opt *opt, - krb5_gic_opt_ext **opte) + krb5_get_init_creds_opt *opt, + krb5_gic_opt_ext **opte) { krb5_gic_opt_ext *oe; oe = krb5int_gic_opte_alloc(context); if (NULL == oe) - return ENOMEM; + return ENOMEM; if (opt) { - oe->flags = opt->flags; - oe->tkt_life = opt->tkt_life; - oe->renew_life = opt->renew_life; - oe->forwardable = opt->forwardable; - oe->proxiable = opt->proxiable; - oe->etype_list = opt->etype_list; - oe->etype_list_length = opt->etype_list_length; - oe->address_list = opt->address_list; - oe->preauth_list = opt->preauth_list; - oe->preauth_list_length = opt->preauth_list_length; - oe->salt = opt->salt; + oe->flags = opt->flags; + oe->tkt_life = opt->tkt_life; + oe->renew_life = opt->renew_life; + oe->forwardable = opt->forwardable; + oe->proxiable = opt->proxiable; + oe->etype_list = opt->etype_list; + oe->etype_list_length = opt->etype_list_length; + oe->address_list = opt->address_list; + oe->preauth_list = opt->preauth_list; + oe->preauth_list_length = opt->preauth_list_length; + oe->salt = opt->salt; } /* @@ -250,7 +251,7 @@ krb5int_gic_opte_copy(krb5_context context, * application is unaware of its existence. */ oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED | - KRB5_GET_INIT_CREDS_OPT_SHADOWED); + KRB5_GET_INIT_CREDS_OPT_SHADOWED); *opte = oe; return 0; @@ -268,20 +269,20 @@ krb5int_gic_opte_copy(krb5_context context, */ krb5_error_code krb5int_gic_opt_to_opte(krb5_context context, - krb5_get_init_creds_opt *opt, - krb5_gic_opt_ext **opte, - unsigned int force, - const char *where) + krb5_get_init_creds_opt *opt, + krb5_gic_opt_ext **opte, + unsigned int force, + const char *where) { if (!krb5_gic_opt_is_extended(opt)) { - if (force) { - return krb5int_gic_opte_copy(context, opt, opte); - } else { - krb5int_set_error(&context->err, EINVAL, - "%s: attempt to convert non-extended krb5_get_init_creds_opt", - where); - return EINVAL; - } + if (force) { + return krb5int_gic_opte_copy(context, opt, opte); + } else { + krb5int_set_error(&context->err, EINVAL, + "%s: attempt to convert non-extended krb5_get_init_creds_opt", + where); + return EINVAL; + } } /* If it is already extended, just return it */ *opte = (krb5_gic_opt_ext *)opt; @@ -290,20 +291,20 @@ krb5int_gic_opt_to_opte(krb5_context context, static void free_gic_opt_ext_preauth_data(krb5_context context, - krb5_gic_opt_ext *opte) + krb5_gic_opt_ext *opte) { int i; if (NULL == opte || !krb5_gic_opt_is_extended(opte)) - return; + return; if (NULL == opte->opt_private || NULL == opte->opt_private->preauth_data) - return; + return; for (i = 0; i < opte->opt_private->num_preauth_data; i++) { - if (opte->opt_private->preauth_data[i].attr != NULL) - free(opte->opt_private->preauth_data[i].attr); - if (opte->opt_private->preauth_data[i].value != NULL) - free(opte->opt_private->preauth_data[i].value); + if (opte->opt_private->preauth_data[i].attr != NULL) + free(opte->opt_private->preauth_data[i].attr); + if (opte->opt_private->preauth_data[i].value != NULL) + free(opte->opt_private->preauth_data[i].value); } free(opte->opt_private->preauth_data); opte->opt_private->preauth_data = NULL; @@ -312,9 +313,9 @@ free_gic_opt_ext_preauth_data(krb5_context context, static krb5_error_code add_gic_opt_ext_preauth_data(krb5_context context, - krb5_gic_opt_ext *opte, - const char *attr, - const char *value) + krb5_gic_opt_ext *opte, + const char *attr, + const char *value) { size_t newsize; int i; @@ -323,21 +324,21 @@ add_gic_opt_ext_preauth_data(krb5_context context, newsize = opte->opt_private->num_preauth_data + 1; newsize = newsize * sizeof(*opte->opt_private->preauth_data); if (opte->opt_private->preauth_data == NULL) - newpad = malloc(newsize); + newpad = malloc(newsize); else - newpad = realloc(opte->opt_private->preauth_data, newsize); + newpad = realloc(opte->opt_private->preauth_data, newsize); if (newpad == NULL) - return ENOMEM; + return ENOMEM; opte->opt_private->preauth_data = newpad; i = opte->opt_private->num_preauth_data; newpad[i].attr = strdup(attr); if (newpad[i].attr == NULL) - return ENOMEM; + return ENOMEM; newpad[i].value = strdup(value); if (newpad[i].value == NULL) { - free(newpad[i].attr); - return ENOMEM; + free(newpad[i].attr); + return ENOMEM; } opte->opt_private->num_preauth_data += 1; return 0; @@ -353,24 +354,24 @@ add_gic_opt_ext_preauth_data(krb5_context context, */ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_pa(krb5_context context, - krb5_get_init_creds_opt *opt, - const char *attr, - const char *value) + krb5_get_init_creds_opt *opt, + const char *attr, + const char *value) { krb5_error_code retval; krb5_gic_opt_ext *opte; retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0, - "krb5_get_init_creds_opt_set_pa"); + "krb5_get_init_creds_opt_set_pa"); if (retval) - return retval; + return retval; /* * Copy the option into the extended get_init_creds_opt structure */ retval = add_gic_opt_ext_preauth_data(context, opte, attr, value); if (retval) - return retval; + return retval; /* * Give the plugins a chance to look at the option now. @@ -389,9 +390,9 @@ krb5_get_init_creds_opt_set_pa(krb5_context context, */ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_get_pa(krb5_context context, - krb5_get_init_creds_opt *opt, - int *num_preauth_data, - krb5_gic_opt_pa_data **preauth_data) + krb5_get_init_creds_opt *opt, + int *num_preauth_data, + krb5_gic_opt_pa_data **preauth_data) { krb5_error_code retval; krb5_gic_opt_ext *opte; @@ -400,70 +401,70 @@ krb5_get_init_creds_opt_get_pa(krb5_context context, size_t allocsize; retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0, - "krb5_get_init_creds_opt_get_pa"); + "krb5_get_init_creds_opt_get_pa"); if (retval) - return retval; + return retval; if (num_preauth_data == NULL || preauth_data == NULL) - return EINVAL; + return EINVAL; *num_preauth_data = 0; *preauth_data = NULL; if (opte->opt_private->num_preauth_data == 0) - return 0; + return 0; allocsize = - opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data); + opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data); p = malloc(allocsize); if (p == NULL) - return ENOMEM; + return ENOMEM; /* Init these to make cleanup easier */ for (i = 0; i < opte->opt_private->num_preauth_data; i++) { - p[i].attr = NULL; - p[i].value = NULL; + p[i].attr = NULL; + p[i].value = NULL; } for (i = 0; i < opte->opt_private->num_preauth_data; i++) { - p[i].attr = strdup(opte->opt_private->preauth_data[i].attr); - p[i].value = strdup(opte->opt_private->preauth_data[i].value); - if (p[i].attr == NULL || p[i].value == NULL) - goto cleanup; + p[i].attr = strdup(opte->opt_private->preauth_data[i].attr); + p[i].value = strdup(opte->opt_private->preauth_data[i].value); + if (p[i].attr == NULL || p[i].value == NULL) + goto cleanup; } *num_preauth_data = i; *preauth_data = p; return 0; cleanup: for (i = 0; i < opte->opt_private->num_preauth_data; i++) { - if (p[i].attr != NULL) - free(p[i].attr); - if (p[i].value != NULL) - free(p[i].value); + if (p[i].attr != NULL) + free(p[i].attr); + if (p[i].value != NULL) + free(p[i].value); } free(p); return ENOMEM; } /* - * This function frees the preauth_data that was returned by + * This function frees the preauth_data that was returned by * krb5_get_init_creds_opt_get_pa(). */ void KRB5_CALLCONV krb5_get_init_creds_opt_free_pa(krb5_context context, - int num_preauth_data, - krb5_gic_opt_pa_data *preauth_data) + int num_preauth_data, + krb5_gic_opt_pa_data *preauth_data) { int i; if (num_preauth_data <= 0 || preauth_data == NULL) - return; + return; for (i = 0; i < num_preauth_data; i++) { - if (preauth_data[i].attr != NULL) - free(preauth_data[i].attr); - if (preauth_data[i].value != NULL) - free(preauth_data[i].value); + if (preauth_data[i].attr != NULL) + free(preauth_data[i].attr); + if (preauth_data[i].value != NULL) + free(preauth_data[i].value); } free(preauth_data); } @@ -474,14 +475,14 @@ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name krb5_gic_opt_ext *opte; retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0, - "krb5_get_init_creds_opt_set_fast_ccache_name"); + "krb5_get_init_creds_opt_set_fast_ccache_name"); if (retval) - return retval; + return retval; if (opte->opt_private->fast_ccache_name) { - free(opte->opt_private->fast_ccache_name); + free(opte->opt_private->fast_ccache_name); } opte->opt_private->fast_ccache_name = strdup(ccache_name); if (opte->opt_private->fast_ccache_name == NULL) - retval = ENOMEM; + retval = ENOMEM; return retval; } diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index 0109104df..fa0c1739a 100644 --- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "k5-int.h" #include "com_err.h" @@ -32,168 +33,168 @@ krb5_get_as_key_password( cases? */ if (as_key->length) { - if (as_key->enctype != etype) { - krb5_free_keyblock_contents (context, as_key); - as_key->length = 0; - } + if (as_key->enctype != etype) { + krb5_free_keyblock_contents (context, as_key); + as_key->length = 0; + } } if (password->data[0] == '\0') { - if (prompter == NULL) - return(EIO); - - if ((ret = krb5_unparse_name(context, client, &clientstr))) - return(ret); - - snprintf(promptstr, sizeof(promptstr), "Password for %s", clientstr); - free(clientstr); - - prompt.prompt = promptstr; - prompt.hidden = 1; - prompt.reply = password; - prompt_type = KRB5_PROMPT_TYPE_PASSWORD; - - /* PROMPTER_INVOCATION */ - krb5int_set_prompt_types(context, &prompt_type); - if ((ret = (((*prompter)(context, prompter_data, NULL, NULL, - 1, &prompt))))) { - krb5int_set_prompt_types(context, 0); - return(ret); - } - krb5int_set_prompt_types(context, 0); + if (prompter == NULL) + return(EIO); + + if ((ret = krb5_unparse_name(context, client, &clientstr))) + return(ret); + + snprintf(promptstr, sizeof(promptstr), "Password for %s", clientstr); + free(clientstr); + + prompt.prompt = promptstr; + prompt.hidden = 1; + prompt.reply = password; + prompt_type = KRB5_PROMPT_TYPE_PASSWORD; + + /* PROMPTER_INVOCATION */ + krb5int_set_prompt_types(context, &prompt_type); + if ((ret = (((*prompter)(context, prompter_data, NULL, NULL, + 1, &prompt))))) { + krb5int_set_prompt_types(context, 0); + return(ret); + } + krb5int_set_prompt_types(context, 0); } if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) { - if ((ret = krb5_principal2salt(context, client, &defsalt))) - return(ret); + if ((ret = krb5_principal2salt(context, client, &defsalt))) + return(ret); - salt = &defsalt; + salt = &defsalt; } else { - defsalt.length = 0; + defsalt.length = 0; } ret = krb5_c_string_to_key_with_params(context, etype, password, salt, - params->data?params:NULL, as_key); + params->data?params:NULL, as_key); if (defsalt.length) - free(defsalt.data); + free(defsalt.data); return(ret); } krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password(krb5_context context, - krb5_creds *creds, - krb5_principal client, - char *password, - krb5_prompter_fct prompter, - void *data, - krb5_deltat start_time, - char *in_tkt_service, - krb5_get_init_creds_opt *options) + krb5_creds *creds, + krb5_principal client, + char *password, + krb5_prompter_fct prompter, + void *data, + krb5_deltat start_time, + char *in_tkt_service, + krb5_get_init_creds_opt *options) { - krb5_error_code ret, ret2; - int use_master; - krb5_kdc_rep *as_reply; - int tries; - krb5_creds chpw_creds; - krb5_get_init_creds_opt *chpw_opts = NULL; - krb5_data pw0, pw1; - char banner[1024], pw0array[1024], pw1array[1024]; - krb5_prompt prompt[2]; - krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])]; - krb5_gic_opt_ext *opte = NULL; - krb5_gic_opt_ext *chpw_opte = NULL; - - use_master = 0; - as_reply = NULL; - memset(&chpw_creds, 0, sizeof(chpw_creds)); - - pw0.data = pw0array; - - if (password && password[0]) { - if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) { - ret = EINVAL; - goto cleanup; - } - pw0.length = strlen(password); - } else { - pw0.data[0] = '\0'; - pw0.length = sizeof(pw0array); - } - - pw1.data = pw1array; - pw1.data[0] = '\0'; - pw1.length = sizeof(pw1array); - - ret = krb5int_gic_opt_to_opte(context, options, &opte, 1, - "krb5_get_init_creds_password"); - if (ret) - goto cleanup; - - /* first try: get the requested tkt from any kdc */ - - ret = krb5_get_init_creds(context, creds, client, prompter, data, - start_time, in_tkt_service, opte, - krb5_get_as_key_password, (void *) &pw0, - &use_master, &as_reply); - - /* check for success */ - - if (ret == 0) - goto cleanup; - - /* If all the kdc's are unavailable, or if the error was due to a - user interrupt, fail */ - - if ((ret == KRB5_KDC_UNREACH) || - (ret == KRB5_LIBOS_PWDINTR) || - (ret == KRB5_REALM_CANT_RESOLVE)) - goto cleanup; - - /* if the reply did not come from the master kdc, try again with - the master kdc */ - - if (!use_master) { - use_master = 1; - - if (as_reply) { - krb5_free_kdc_rep( context, as_reply); - as_reply = NULL; - } - ret2 = krb5_get_init_creds(context, creds, client, prompter, data, - start_time, in_tkt_service, opte, - krb5_get_as_key_password, (void *) &pw0, - &use_master, &as_reply); - - if (ret2 == 0) { - ret = 0; - goto cleanup; - } - - /* if the master is unreachable, return the error from the - slave we were able to contact or reset the use_master flag */ - - if ((ret2 != KRB5_KDC_UNREACH) && - (ret2 != KRB5_REALM_CANT_RESOLVE) && - (ret2 != KRB5_REALM_UNKNOWN)) - ret = ret2; - else - use_master = 0; - } + krb5_error_code ret, ret2; + int use_master; + krb5_kdc_rep *as_reply; + int tries; + krb5_creds chpw_creds; + krb5_get_init_creds_opt *chpw_opts = NULL; + krb5_data pw0, pw1; + char banner[1024], pw0array[1024], pw1array[1024]; + krb5_prompt prompt[2]; + krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])]; + krb5_gic_opt_ext *opte = NULL; + krb5_gic_opt_ext *chpw_opte = NULL; + + use_master = 0; + as_reply = NULL; + memset(&chpw_creds, 0, sizeof(chpw_creds)); + + pw0.data = pw0array; + + if (password && password[0]) { + if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) { + ret = EINVAL; + goto cleanup; + } + pw0.length = strlen(password); + } else { + pw0.data[0] = '\0'; + pw0.length = sizeof(pw0array); + } + + pw1.data = pw1array; + pw1.data[0] = '\0'; + pw1.length = sizeof(pw1array); + + ret = krb5int_gic_opt_to_opte(context, options, &opte, 1, + "krb5_get_init_creds_password"); + if (ret) + goto cleanup; + + /* first try: get the requested tkt from any kdc */ + + ret = krb5_get_init_creds(context, creds, client, prompter, data, + start_time, in_tkt_service, opte, + krb5_get_as_key_password, (void *) &pw0, + &use_master, &as_reply); + + /* check for success */ + + if (ret == 0) + goto cleanup; + + /* If all the kdc's are unavailable, or if the error was due to a + user interrupt, fail */ + + if ((ret == KRB5_KDC_UNREACH) || + (ret == KRB5_LIBOS_PWDINTR) || + (ret == KRB5_REALM_CANT_RESOLVE)) + goto cleanup; + + /* if the reply did not come from the master kdc, try again with + the master kdc */ + + if (!use_master) { + use_master = 1; + + if (as_reply) { + krb5_free_kdc_rep( context, as_reply); + as_reply = NULL; + } + ret2 = krb5_get_init_creds(context, creds, client, prompter, data, + start_time, in_tkt_service, opte, + krb5_get_as_key_password, (void *) &pw0, + &use_master, &as_reply); + + if (ret2 == 0) { + ret = 0; + goto cleanup; + } + + /* if the master is unreachable, return the error from the + slave we were able to contact or reset the use_master flag */ + + if ((ret2 != KRB5_KDC_UNREACH) && + (ret2 != KRB5_REALM_CANT_RESOLVE) && + (ret2 != KRB5_REALM_UNKNOWN)) + ret = ret2; + else + use_master = 0; + } #ifdef USE_KIM - if (ret == KRB5KDC_ERR_KEY_EXP) - goto cleanup; /* Login library will deal appropriately with this error */ + if (ret == KRB5KDC_ERR_KEY_EXP) + goto cleanup; /* Login library will deal appropriately with this error */ #endif - /* at this point, we have an error from the master. if the error - is not password expired, or if it is but there's no prompter, - return this error */ + /* at this point, we have an error from the master. if the error + is not password expired, or if it is but there's no prompter, + return this error */ - if ((ret != KRB5KDC_ERR_KEY_EXP) || - (prompter == NULL)) - goto cleanup; + if ((ret != KRB5KDC_ERR_KEY_EXP) || + (prompter == NULL)) + goto cleanup; /* historically the default has been to prompt for password change. * if the change password prompt option has not been set, we continue @@ -201,253 +202,253 @@ krb5_get_init_creds_password(krb5_context context, * and the value has been set to false. */ if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) - goto cleanup; + goto cleanup; /* ok, we have an expired password. Give the user a few chances - to change it */ - - /* use a minimal set of options */ - - ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts); - if (ret) - goto cleanup; - krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60); - krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0); - krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0); - krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0); - ret = krb5int_gic_opt_to_opte(context, chpw_opts, &chpw_opte, 0, - "krb5_get_init_creds_password (changing password)"); - if (ret) - goto cleanup; - - if ((ret = krb5_get_init_creds(context, &chpw_creds, client, - prompter, data, - start_time, "kadmin/changepw", chpw_opte, - krb5_get_as_key_password, (void *) &pw0, - &use_master, NULL))) - goto cleanup; - - prompt[0].prompt = "Enter new password"; - prompt[0].hidden = 1; - prompt[0].reply = &pw0; - prompt_types[0] = KRB5_PROMPT_TYPE_NEW_PASSWORD; - - prompt[1].prompt = "Enter it again"; - prompt[1].hidden = 1; - prompt[1].reply = &pw1; - prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN; - - strlcpy(banner, "Password expired. You must change it now.", - sizeof(banner)); - - for (tries = 3; tries; tries--) { - pw0.length = sizeof(pw0array); - pw1.length = sizeof(pw1array); - - /* PROMPTER_INVOCATION */ - krb5int_set_prompt_types(context, prompt_types); - if ((ret = ((*prompter)(context, data, 0, banner, - sizeof(prompt)/sizeof(prompt[0]), prompt)))) - goto cleanup; - krb5int_set_prompt_types(context, 0); - - - if (strcmp(pw0.data, pw1.data) != 0) { - ret = KRB5_LIBOS_BADPWDMATCH; - snprintf(banner, sizeof(banner), - "%s. Please try again.", error_message(ret)); - } else if (pw0.length == 0) { - ret = KRB5_CHPW_PWDNULL; - snprintf(banner, sizeof(banner), - "%s. Please try again.", error_message(ret)); - } else { - int result_code; - krb5_data code_string; - krb5_data result_string; - - if ((ret = krb5_change_password(context, &chpw_creds, pw0array, - &result_code, &code_string, - &result_string))) - goto cleanup; - - /* the change succeeded. go on */ - - if (result_code == 0) { - free(result_string.data); - break; - } - - /* set this in case the retry loop falls through */ - - ret = KRB5_CHPW_FAIL; - - if (result_code != KRB5_KPASSWD_SOFTERROR) { - free(result_string.data); - goto cleanup; - } - - /* the error was soft, so try again */ - - /* 100 is I happen to know that no code_string will be longer - than 100 chars */ - - if (result_string.length > (sizeof(banner)-100)) - result_string.length = sizeof(banner)-100; - - snprintf(banner, sizeof(banner), "%.*s%s%.*s. Please try again.\n", - (int) code_string.length, code_string.data, - result_string.length ? ": " : "", - (int) result_string.length, - result_string.data ? result_string.data : ""); - - free(code_string.data); - free(result_string.data); - } - } - - if (ret) - goto cleanup; - - /* the password change was successful. Get an initial ticket - from the master. this is the last try. the return from this - is final. */ - - ret = krb5_get_init_creds(context, creds, client, prompter, data, - start_time, in_tkt_service, opte, - krb5_get_as_key_password, (void *) &pw0, - &use_master, &as_reply); + to change it */ + + /* use a minimal set of options */ + + ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts); + if (ret) + goto cleanup; + krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60); + krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0); + krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0); + krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0); + ret = krb5int_gic_opt_to_opte(context, chpw_opts, &chpw_opte, 0, + "krb5_get_init_creds_password (changing password)"); + if (ret) + goto cleanup; + + if ((ret = krb5_get_init_creds(context, &chpw_creds, client, + prompter, data, + start_time, "kadmin/changepw", chpw_opte, + krb5_get_as_key_password, (void *) &pw0, + &use_master, NULL))) + goto cleanup; + + prompt[0].prompt = "Enter new password"; + prompt[0].hidden = 1; + prompt[0].reply = &pw0; + prompt_types[0] = KRB5_PROMPT_TYPE_NEW_PASSWORD; + + prompt[1].prompt = "Enter it again"; + prompt[1].hidden = 1; + prompt[1].reply = &pw1; + prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN; + + strlcpy(banner, "Password expired. You must change it now.", + sizeof(banner)); + + for (tries = 3; tries; tries--) { + pw0.length = sizeof(pw0array); + pw1.length = sizeof(pw1array); + + /* PROMPTER_INVOCATION */ + krb5int_set_prompt_types(context, prompt_types); + if ((ret = ((*prompter)(context, data, 0, banner, + sizeof(prompt)/sizeof(prompt[0]), prompt)))) + goto cleanup; + krb5int_set_prompt_types(context, 0); + + + if (strcmp(pw0.data, pw1.data) != 0) { + ret = KRB5_LIBOS_BADPWDMATCH; + snprintf(banner, sizeof(banner), + "%s. Please try again.", error_message(ret)); + } else if (pw0.length == 0) { + ret = KRB5_CHPW_PWDNULL; + snprintf(banner, sizeof(banner), + "%s. Please try again.", error_message(ret)); + } else { + int result_code; + krb5_data code_string; + krb5_data result_string; + + if ((ret = krb5_change_password(context, &chpw_creds, pw0array, + &result_code, &code_string, + &result_string))) + goto cleanup; + + /* the change succeeded. go on */ + + if (result_code == 0) { + free(result_string.data); + break; + } + + /* set this in case the retry loop falls through */ + + ret = KRB5_CHPW_FAIL; + + if (result_code != KRB5_KPASSWD_SOFTERROR) { + free(result_string.data); + goto cleanup; + } + + /* the error was soft, so try again */ + + /* 100 is I happen to know that no code_string will be longer + than 100 chars */ + + if (result_string.length > (sizeof(banner)-100)) + result_string.length = sizeof(banner)-100; + + snprintf(banner, sizeof(banner), "%.*s%s%.*s. Please try again.\n", + (int) code_string.length, code_string.data, + result_string.length ? ": " : "", + (int) result_string.length, + result_string.data ? result_string.data : ""); + + free(code_string.data); + free(result_string.data); + } + } + + if (ret) + goto cleanup; + + /* the password change was successful. Get an initial ticket + from the master. this is the last try. the return from this + is final. */ + + ret = krb5_get_init_creds(context, creds, client, prompter, data, + start_time, in_tkt_service, opte, + krb5_get_as_key_password, (void *) &pw0, + &use_master, &as_reply); cleanup: - krb5int_set_prompt_types(context, 0); - /* if getting the password was successful, then check to see if the - password is about to expire, and warn if so */ - - if (ret == 0) { - krb5_timestamp now; - krb5_last_req_entry **last_req; - int hours; - - /* XXX 7 days should be configurable. This is all pretty ad hoc, - and could probably be improved if I was willing to screw around - with timezones, etc. */ - - if (prompter && - (!in_tkt_service || - (strcmp(in_tkt_service, "kadmin/changepw") != 0)) && - ((ret = krb5_timeofday(context, &now)) == 0) && - as_reply->enc_part2->key_exp && - ((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) && - (hours >= 0)) { - if (hours < 1) - snprintf(banner, sizeof(banner), - "Warning: Your password will expire in less than one hour."); - else if (hours <= 48) - snprintf(banner, sizeof(banner), - "Warning: Your password will expire in %d hour%s.", - hours, (hours == 1)?"":"s"); - else - snprintf(banner, sizeof(banner), - "Warning: Your password will expire in %d days.", - hours/24); - - /* ignore an error here */ - /* PROMPTER_INVOCATION */ - (*prompter)(context, data, 0, banner, 0, 0); - } else if (prompter && - (!in_tkt_service || - (strcmp(in_tkt_service, "kadmin/changepw") != 0)) && - as_reply->enc_part2 && as_reply->enc_part2->last_req) { - /* - * Check the last_req fields - */ - - for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++) - if ((*last_req)->lr_type == KRB5_LRQ_ALL_PW_EXPTIME || - (*last_req)->lr_type == KRB5_LRQ_ONE_PW_EXPTIME) { - krb5_deltat delta; - char ts[256]; - - if ((ret = krb5_timeofday(context, &now))) - break; - - if ((ret = krb5_timestamp_to_string((*last_req)->value, - ts, sizeof(ts)))) - break; - - delta = (*last_req)->value - now; - if (delta < 3600) - snprintf(banner, sizeof(banner), - "Warning: Your password will expire in less than one hour on %s", - ts); - else if (delta < 86400*2) - snprintf(banner, sizeof(banner), - "Warning: Your password will expire in %d hour%s on %s", - delta / 3600, delta < 7200 ? "" : "s", ts); - else - snprintf(banner, sizeof(banner), - "Warning: Your password will expire in %d days on %s", - delta / 86400, ts); - /* ignore an error here */ - /* PROMPTER_INVOCATION */ - (*prompter)(context, data, 0, banner, 0, 0); - } - } - } - - if (chpw_opts) - krb5_get_init_creds_opt_free(context, chpw_opts); - if (opte && krb5_gic_opt_is_shadowed(opte)) - krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); - memset(pw0array, 0, sizeof(pw0array)); - memset(pw1array, 0, sizeof(pw1array)); - krb5_free_cred_contents(context, &chpw_creds); - if (as_reply) - krb5_free_kdc_rep(context, as_reply); - - return(ret); + krb5int_set_prompt_types(context, 0); + /* if getting the password was successful, then check to see if the + password is about to expire, and warn if so */ + + if (ret == 0) { + krb5_timestamp now; + krb5_last_req_entry **last_req; + int hours; + + /* XXX 7 days should be configurable. This is all pretty ad hoc, + and could probably be improved if I was willing to screw around + with timezones, etc. */ + + if (prompter && + (!in_tkt_service || + (strcmp(in_tkt_service, "kadmin/changepw") != 0)) && + ((ret = krb5_timeofday(context, &now)) == 0) && + as_reply->enc_part2->key_exp && + ((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) && + (hours >= 0)) { + if (hours < 1) + snprintf(banner, sizeof(banner), + "Warning: Your password will expire in less than one hour."); + else if (hours <= 48) + snprintf(banner, sizeof(banner), + "Warning: Your password will expire in %d hour%s.", + hours, (hours == 1)?"":"s"); + else + snprintf(banner, sizeof(banner), + "Warning: Your password will expire in %d days.", + hours/24); + + /* ignore an error here */ + /* PROMPTER_INVOCATION */ + (*prompter)(context, data, 0, banner, 0, 0); + } else if (prompter && + (!in_tkt_service || + (strcmp(in_tkt_service, "kadmin/changepw") != 0)) && + as_reply->enc_part2 && as_reply->enc_part2->last_req) { + /* + * Check the last_req fields + */ + + for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++) + if ((*last_req)->lr_type == KRB5_LRQ_ALL_PW_EXPTIME || + (*last_req)->lr_type == KRB5_LRQ_ONE_PW_EXPTIME) { + krb5_deltat delta; + char ts[256]; + + if ((ret = krb5_timeofday(context, &now))) + break; + + if ((ret = krb5_timestamp_to_string((*last_req)->value, + ts, sizeof(ts)))) + break; + + delta = (*last_req)->value - now; + if (delta < 3600) + snprintf(banner, sizeof(banner), + "Warning: Your password will expire in less than one hour on %s", + ts); + else if (delta < 86400*2) + snprintf(banner, sizeof(banner), + "Warning: Your password will expire in %d hour%s on %s", + delta / 3600, delta < 7200 ? "" : "s", ts); + else + snprintf(banner, sizeof(banner), + "Warning: Your password will expire in %d days on %s", + delta / 86400, ts); + /* ignore an error here */ + /* PROMPTER_INVOCATION */ + (*prompter)(context, data, 0, banner, 0, 0); + } + } + } + + if (chpw_opts) + krb5_get_init_creds_opt_free(context, chpw_opts); + if (opte && krb5_gic_opt_is_shadowed(opte)) + krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); + memset(pw0array, 0, sizeof(pw0array)); + memset(pw1array, 0, sizeof(pw1array)); + krb5_free_cred_contents(context, &chpw_creds); + if (as_reply) + krb5_free_kdc_rep(context, as_reply); + + return(ret); } krb5_error_code krb5int_populate_gic_opt ( krb5_context context, krb5_gic_opt_ext **opte, krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes, krb5_preauthtype *pre_auth_types, krb5_creds *creds) { - int i; - krb5_int32 starttime; - krb5_get_init_creds_opt *opt; - krb5_error_code retval; + int i; + krb5_int32 starttime; + krb5_get_init_creds_opt *opt; + krb5_error_code retval; *opte = NULL; retval = krb5_get_init_creds_opt_alloc(context, &opt); if (retval) - return(retval); + return(retval); if (addrs) - krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs); + krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs); if (ktypes) { - for (i=0; ktypes[i]; i++); - if (i) - krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i); + for (i=0; ktypes[i]; i++); + if (i) + krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i); } if (pre_auth_types) { - for (i=0; pre_auth_types[i]; i++); - if (i) - krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i); + for (i=0; pre_auth_types[i]; i++); + if (i) + krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i); } if (options&KDC_OPT_FORWARDABLE) - krb5_get_init_creds_opt_set_forwardable(opt, 1); + krb5_get_init_creds_opt_set_forwardable(opt, 1); else krb5_get_init_creds_opt_set_forwardable(opt, 0); if (options&KDC_OPT_PROXIABLE) - krb5_get_init_creds_opt_set_proxiable(opt, 1); + krb5_get_init_creds_opt_set_proxiable(opt, 1); else krb5_get_init_creds_opt_set_proxiable(opt, 0); if (creds && creds->times.endtime) { - retval = krb5_timeofday(context, &starttime); - if (retval) - goto cleanup; + retval = krb5_timeofday(context, &starttime); + if (retval) + goto cleanup; if (creds->times.starttime) starttime = creds->times.starttime; krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime); } return krb5int_gic_opt_to_opte(context, opt, opte, 0, - "krb5int_populate_gic_opt"); + "krb5int_populate_gic_opt"); cleanup: krb5_get_init_creds_opt_free(context, opt); return retval; @@ -455,30 +456,30 @@ cleanup: /* Rewrites get_in_tkt in terms of newer get_init_creds API. - Attempts to get an initial ticket for creds->client to use server - creds->server, (realm is taken from creds->client), with options - options, and using creds->times.starttime, creds->times.endtime, - creds->times.renew_till as from, till, and rtime. - creds->times.renew_till is ignored unless the RENEWABLE option is requested. + Attempts to get an initial ticket for creds->client to use server + creds->server, (realm is taken from creds->client), with options + options, and using creds->times.starttime, creds->times.endtime, + creds->times.renew_till as from, till, and rtime. + creds->times.renew_till is ignored unless the RENEWABLE option is requested. - If addrs is non-NULL, it is used for the addresses requested. If it is - null, the system standard addresses are used. + If addrs is non-NULL, it is used for the addresses requested. If it is + null, the system standard addresses are used. - If password is non-NULL, it is converted using the cryptosystem entry - point for a string conversion routine, seeded with the client's name. - If password is passed as NULL, the password is read from the terminal, - and then converted into a key. + If password is non-NULL, it is converted using the cryptosystem entry + point for a string conversion routine, seeded with the client's name. + If password is passed as NULL, the password is read from the terminal, + and then converted into a key. - A succesful call will place the ticket in the credentials cache ccache. + A succesful call will place the ticket in the credentials cache ccache. - returns system errors, encryption errors - */ + returns system errors, encryption errors +*/ krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, - krb5_address *const *addrs, krb5_enctype *ktypes, - krb5_preauthtype *pre_auth_types, - const char *password, krb5_ccache ccache, - krb5_creds *creds, krb5_kdc_rep **ret_as_reply) + krb5_address *const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, + const char *password, krb5_ccache ccache, + krb5_creds *creds, krb5_kdc_rep **ret_as_reply) { krb5_error_code retval; krb5_data pw0; @@ -490,44 +491,43 @@ krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, pw0.data = pw0array; if (password && password[0]) { - if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) - return EINVAL; - pw0.length = strlen(password); + if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) + return EINVAL; + pw0.length = strlen(password); } else { - pw0.data[0] = '\0'; - pw0.length = sizeof(pw0array); + pw0.data[0] = '\0'; + pw0.length = sizeof(pw0array); } retval = krb5int_populate_gic_opt(context, &opte, - options, addrs, ktypes, - pre_auth_types, creds); + options, addrs, ktypes, + pre_auth_types, creds); if (retval) - return (retval); + return (retval); retval = krb5_unparse_name( context, creds->server, &server); if (retval) { - krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); - return (retval); + krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); + return (retval); } server_princ = creds->server; client_princ = creds->client; - retval = krb5_get_init_creds (context, - creds, creds->client, - krb5_prompter_posix, NULL, - 0, server, opte, - krb5_get_as_key_password, &pw0, - &use_master, ret_as_reply); - krb5_free_unparsed_name( context, server); - krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); - if (retval) { - return (retval); - } - krb5_free_principal( context, creds->server); - krb5_free_principal( context, creds->client); - creds->client = client_princ; - creds->server = server_princ; - /* store it in the ccache! */ - if (ccache) - if ((retval = krb5_cc_store_cred(context, ccache, creds))) - return (retval); - return retval; - } - + retval = krb5_get_init_creds (context, + creds, creds->client, + krb5_prompter_posix, NULL, + 0, server, opte, + krb5_get_as_key_password, &pw0, + &use_master, ret_as_reply); + krb5_free_unparsed_name( context, server); + krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte); + if (retval) { + return (retval); + } + krb5_free_principal( context, creds->server); + krb5_free_principal( context, creds->client); + creds->client = client_princ; + creds->server = server_princ; + /* store it in the ccache! */ + if (ccache) + if ((retval = krb5_cc_store_cred(context, ccache, creds))) + return (retval); + return retval; +} diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c index d98411fd7..01c8905f8 100644 --- a/src/lib/krb5/krb/in_tkt_sky.c +++ b/src/lib/krb5/krb/in_tkt_sky.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/in_tkt_sky.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,17 +23,17 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_get_in_tkt_with_skey() - * + * */ #include "k5-int.h" struct skey_keyproc_arg { const krb5_keyblock *key; - krb5_principal client; /* it's a pointer, really! */ + krb5_principal client; /* it's a pointer, really! */ }; /* @@ -42,7 +43,7 @@ struct skey_keyproc_arg { */ static krb5_error_code skey_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt, - krb5_const_pointer keyseed, krb5_keyblock **key) + krb5_const_pointer keyseed, krb5_keyblock **key) { krb5_keyblock *realkey; krb5_error_code retval; @@ -51,57 +52,57 @@ skey_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt, keyblock = (const krb5_keyblock *)keyseed; if (!krb5_c_valid_enctype(type)) - return KRB5_PROG_ETYPE_NOSUPP; + return KRB5_PROG_ETYPE_NOSUPP; if ((retval = krb5_copy_keyblock(context, keyblock, &realkey))) - return retval; - + return retval; + if (realkey->enctype != type) { - krb5_free_keyblock(context, realkey); - return KRB5_PROG_ETYPE_NOSUPP; - } + krb5_free_keyblock(context, realkey); + return KRB5_PROG_ETYPE_NOSUPP; + } *key = realkey; return 0; } /* - Similar to krb5_get_in_tkt_with_password. + Similar to krb5_get_in_tkt_with_password. - Attempts to get an initial ticket for creds->client to use server - creds->server, (realm is taken from creds->client), with options - options, and using creds->times.starttime, creds->times.endtime, - creds->times.renew_till as from, till, and rtime. - creds->times.renew_till is ignored unless the RENEWABLE option is requested. + Attempts to get an initial ticket for creds->client to use server + creds->server, (realm is taken from creds->client), with options + options, and using creds->times.starttime, creds->times.endtime, + creds->times.renew_till as from, till, and rtime. + creds->times.renew_till is ignored unless the RENEWABLE option is requested. - If addrs is non-NULL, it is used for the addresses requested. If it is - null, the system standard addresses are used. + If addrs is non-NULL, it is used for the addresses requested. If it is + null, the system standard addresses are used. - If keyblock is NULL, an appropriate key for creds->client is retrieved - from the system key store (e.g. /etc/srvtab). If keyblock is non-NULL, - it is used as the decryption key. + If keyblock is NULL, an appropriate key for creds->client is retrieved + from the system key store (e.g. /etc/srvtab). If keyblock is non-NULL, + it is used as the decryption key. - A succesful call will place the ticket in the credentials cache ccache. + A succesful call will place the ticket in the credentials cache ccache. - returns system errors, encryption errors + returns system errors, encryption errors - */ +*/ krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, - krb5_address *const *addrs, krb5_enctype *ktypes, - krb5_preauthtype *pre_auth_types, - const krb5_keyblock *key, krb5_ccache ccache, - krb5_creds *creds, krb5_kdc_rep **ret_as_reply) + krb5_address *const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, + const krb5_keyblock *key, krb5_ccache ccache, + krb5_creds *creds, krb5_kdc_rep **ret_as_reply) { - if (key) - return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types, - skey_keyproc, (krb5_const_pointer)key, - krb5_kdc_rep_decrypt_proc, 0, creds, - ccache, ret_as_reply); -#ifndef LEAN_CLIENT - else - return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes, - pre_auth_types, NULL, ccache, - creds, ret_as_reply); + if (key) + return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types, + skey_keyproc, (krb5_const_pointer)key, + krb5_kdc_rep_decrypt_proc, 0, creds, + ccache, ret_as_reply); +#ifndef LEAN_CLIENT + else + return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes, + pre_auth_types, NULL, ccache, + creds, ret_as_reply); #endif /* LEAN_CLIENT */ } diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index ea78e0da7..8667897b9 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/init_ctx.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -28,14 +29,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -46,7 +47,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -86,16 +87,16 @@ krb5_error_code KRB5_CALLCONV krb5_init_context(krb5_context *context) { - return init_common (context, FALSE, FALSE); + return init_common (context, FALSE, FALSE); } krb5_error_code KRB5_CALLCONV krb5_init_secure_context(krb5_context *context) { - /* This is to make gcc -Wall happy */ - if(0) krb5_brand[0] = krb5_brand[0]; - return init_common (context, TRUE, FALSE); + /* This is to make gcc -Wall happy */ + if(0) krb5_brand[0] = krb5_brand[0]; + return init_common (context, TRUE, FALSE); } krb5_error_code @@ -107,179 +108,179 @@ krb5int_init_context_kdc(krb5_context *context) static krb5_error_code init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) { - krb5_context ctx = 0; - krb5_error_code retval; - struct { - krb5_int32 now, now_usec; - long pid; - } seed_data; - krb5_data seed; - int tmp; - - /* Verify some assumptions. If the assumptions hold and the - compiler is optimizing, this should result in no code being - executed. If we're guessing "unsigned long long" instead - of using uint64_t, the possibility does exist that we're - wrong. */ - { - krb5_ui_8 i64; - assert(sizeof(i64) == 8); - i64 = 0, i64--, i64 >>= 62; - assert(i64 == 3); - i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1; - assert(i64 != 0); - i64 <<= 1; - assert(i64 == 0); - } - - retval = krb5int_initialize_library(); - if (retval) - return retval; + krb5_context ctx = 0; + krb5_error_code retval; + struct { + krb5_int32 now, now_usec; + long pid; + } seed_data; + krb5_data seed; + int tmp; + + /* Verify some assumptions. If the assumptions hold and the + compiler is optimizing, this should result in no code being + executed. If we're guessing "unsigned long long" instead + of using uint64_t, the possibility does exist that we're + wrong. */ + { + krb5_ui_8 i64; + assert(sizeof(i64) == 8); + i64 = 0, i64--, i64 >>= 62; + assert(i64 == 3); + i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1; + assert(i64 != 0); + i64 <<= 1; + assert(i64 == 0); + } + + retval = krb5int_initialize_library(); + if (retval) + return retval; #if (defined(_WIN32)) - /* - * Load the krbcc32.dll if necessary. We do this here so that - * we know to use API: later on during initialization. - * The context being NULL is ok. - */ - krb5_win_ccdll_load(ctx); - - /* - * krb5_vercheck() is defined in win_glue.c, and this is - * where we handle the timebomb and version server checks. - */ - retval = krb5_vercheck(); - if (retval) - return retval; + /* + * Load the krbcc32.dll if necessary. We do this here so that + * we know to use API: later on during initialization. + * The context being NULL is ok. + */ + krb5_win_ccdll_load(ctx); + + /* + * krb5_vercheck() is defined in win_glue.c, and this is + * where we handle the timebomb and version server checks. + */ + retval = krb5_vercheck(); + if (retval) + return retval; #endif - *context = 0; + *context = 0; - ctx = calloc(1, sizeof(struct _krb5_context)); - if (!ctx) - return ENOMEM; - ctx->magic = KV5M_CONTEXT; + ctx = calloc(1, sizeof(struct _krb5_context)); + if (!ctx) + return ENOMEM; + ctx->magic = KV5M_CONTEXT; - ctx->profile_secure = secure; + ctx->profile_secure = secure; - /* Set the default encryption types, possible defined in krb5/conf */ - if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL))) - goto cleanup; + /* Set the default encryption types, possible defined in krb5/conf */ + if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL))) + goto cleanup; - if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL))) - goto cleanup; + if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL))) + goto cleanup; - if ((retval = krb5_os_init_context(ctx, kdc))) - goto cleanup; + if ((retval = krb5_os_init_context(ctx, kdc))) + goto cleanup; - retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp); - if (retval) - goto cleanup; - ctx->allow_weak_crypto = tmp; + retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp); + if (retval) + goto cleanup; + ctx->allow_weak_crypto = tmp; - /* initialize the prng (not well, but passable) */ - if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0) - goto cleanup; - if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec))) - goto cleanup; - seed_data.pid = getpid (); - seed.length = sizeof(seed_data); - seed.data = (char *) &seed_data; - if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed))) - goto cleanup; + /* initialize the prng (not well, but passable) */ + if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0) + goto cleanup; + if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec))) + goto cleanup; + seed_data.pid = getpid (); + seed.length = sizeof(seed_data); + seed.data = (char *) &seed_data; + if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed))) + goto cleanup; - ctx->default_realm = 0; - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW, - 0, 5 * 60, &tmp); - ctx->clockskew = tmp; + ctx->default_realm = 0; + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW, + 0, 5 * 60, &tmp); + ctx->clockskew = tmp; #if 0 - /* Default ticket lifetime is currently not supported */ - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime", - 0, 10 * 60 * 60, &tmp); - ctx->tkt_lifetime = tmp; + /* Default ticket lifetime is currently not supported */ + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime", + 0, 10 * 60 * 60, &tmp); + ctx->tkt_lifetime = tmp; #endif - /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */ - /* DCE add kdc_req_checksum_type = 2 to krb5.conf */ - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, - &tmp); - ctx->kdc_req_sumtype = tmp; - - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0, - &tmp); - ctx->default_ap_req_sumtype = tmp; - - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_SAFE_CHECKSUM_TYPE, 0, - CKSUMTYPE_RSA_MD5_DES, &tmp); - ctx->default_safe_sumtype = tmp; - - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_KDC_DEFAULT_OPTIONS, 0, - KDC_OPT_RENEWABLE_OK, &tmp); - ctx->kdc_default_options = tmp; + /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */ + /* DCE add kdc_req_checksum_type = 2 to krb5.conf */ + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, + &tmp); + ctx->kdc_req_sumtype = tmp; + + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0, + &tmp); + ctx->default_ap_req_sumtype = tmp; + + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_SAFE_CHECKSUM_TYPE, 0, + CKSUMTYPE_RSA_MD5_DES, &tmp); + ctx->default_safe_sumtype = tmp; + + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_KDC_DEFAULT_OPTIONS, 0, + KDC_OPT_RENEWABLE_OK, &tmp); + ctx->kdc_default_options = tmp; #define DEFAULT_KDC_TIMESYNC 1 - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC, - &tmp); - ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; - - /* - * We use a default file credentials cache of 3. See - * lib/krb5/krb/ccache/file/fcc.h for a description of the - * credentials cache types. - * - * Note: DCE 1.0.3a only supports a cache type of 1 - * DCE 1.1 supports a cache type of 2. - */ + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC, + &tmp); + ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; + + /* + * We use a default file credentials cache of 3. See + * lib/krb5/krb/ccache/file/fcc.h for a description of the + * credentials cache types. + * + * Note: DCE 1.0.3a only supports a cache type of 1 + * DCE 1.1 supports a cache type of 2. + */ #define DEFAULT_CCACHE_TYPE 4 - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE, - 0, DEFAULT_CCACHE_TYPE, &tmp); - ctx->fcc_default_format = tmp + 0x0500; - ctx->prompt_types = 0; - ctx->use_conf_ktypes = 0; - - ctx->udp_pref_limit = -1; - *context = ctx; - return 0; + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE, + 0, DEFAULT_CCACHE_TYPE, &tmp); + ctx->fcc_default_format = tmp + 0x0500; + ctx->prompt_types = 0; + ctx->use_conf_ktypes = 0; + + ctx->udp_pref_limit = -1; + *context = ctx; + return 0; cleanup: - krb5_free_context(ctx); - return retval; + krb5_free_context(ctx); + return retval; } void KRB5_CALLCONV krb5_free_context(krb5_context ctx) { - if (ctx == NULL) - return; - krb5_os_free_context(ctx); - - free(ctx->in_tkt_etypes); - ctx->in_tkt_etypes = NULL; - free(ctx->tgs_etypes); - ctx->tgs_etypes = NULL; - free(ctx->default_realm); - ctx->default_realm = 0; - if (ctx->ser_ctx_count && ctx->ser_ctx) { - free(ctx->ser_ctx); - ctx->ser_ctx = 0; - } - - krb5_clear_error_message(ctx); - - ctx->magic = 0; - free(ctx); + if (ctx == NULL) + return; + krb5_os_free_context(ctx); + + free(ctx->in_tkt_etypes); + ctx->in_tkt_etypes = NULL; + free(ctx->tgs_etypes); + ctx->tgs_etypes = NULL; + free(ctx->default_realm); + ctx->default_realm = 0; + if (ctx->ser_ctx_count && ctx->ser_ctx) { + free(ctx->ser_ctx); + ctx->ser_ctx = 0; + } + + krb5_clear_error_message(ctx); + + ctx->magic = 0; + free(ctx); } /* Copy the zero-terminated enctype list old_list into *new_list. */ static krb5_error_code copy_enctypes(krb5_context context, const krb5_enctype *old_list, - krb5_enctype **new_list) + krb5_enctype **new_list) { unsigned int count; krb5_enctype *list; @@ -288,7 +289,7 @@ copy_enctypes(krb5_context context, const krb5_enctype *old_list, for (count = 0; old_list[count]; count++); list = malloc(sizeof(krb5_enctype) * (count + 1)); if (list == NULL) - return ENOMEM; + return ENOMEM; memcpy(list, old_list, sizeof(krb5_enctype) * (count + 1)); *new_list = list; return 0; @@ -299,25 +300,25 @@ copy_enctypes(krb5_context context, const krb5_enctype *old_list, */ static krb5_error_code set_default_etype_var(krb5_context context, const krb5_enctype *etypes, - krb5_enctype **var) + krb5_enctype **var) { krb5_error_code code; krb5_enctype *list; int i; if (etypes) { - for (i = 0; etypes[i]; i++) { - if (!krb5_c_valid_enctype(etypes[i])) - return KRB5_PROG_ETYPE_NOSUPP; - if (!context->allow_weak_crypto && krb5int_c_weak_enctype(etypes[i])) - return KRB5_PROG_ETYPE_NOSUPP; - } - - code = copy_enctypes(context, etypes, &list); - if (code) - return code; + for (i = 0; etypes[i]; i++) { + if (!krb5_c_valid_enctype(etypes[i])) + return KRB5_PROG_ETYPE_NOSUPP; + if (!context->allow_weak_crypto && krb5int_c_weak_enctype(etypes[i])) + return KRB5_PROG_ETYPE_NOSUPP; + } + + code = copy_enctypes(context, etypes, &list); + if (code) + return code; } else { - list = NULL; + list = NULL; } free(*var); @@ -327,7 +328,7 @@ set_default_etype_var(krb5_context context, const krb5_enctype *etypes, krb5_error_code krb5_set_default_in_tkt_ktypes(krb5_context context, - const krb5_enctype *etypes) + const krb5_enctype *etypes) { return set_default_etype_var(context, etypes, &context->in_tkt_etypes); } @@ -352,26 +353,26 @@ krb5_set_default_tgs_ktypes(krb5_context context, const krb5_enctype *etypes) */ static void mod_list(krb5_enctype etype, krb5_boolean add, krb5_boolean allow_weak, - krb5_enctype *list, unsigned int *count) + krb5_enctype *list, unsigned int *count) { unsigned int i; assert(etype > 0 && etype <= MAX_ENCTYPE); if (!allow_weak && krb5int_c_weak_enctype(etype)) - return; + return; for (i = 0; i < *count; i++) { - if (list[i] == etype) { - if (!add) { - for (; i < *count - 1; i++) - list[i] = list[i + 1]; - (*count)--; - } - return; - } + if (list[i] == etype) { + if (!add) { + for (; i < *count - 1; i++) + list[i] = list[i + 1]; + (*count)--; + } + return; + } } if (add) { - assert(*count < MAX_ENCTYPE); - list[(*count)++] = etype; + assert(*count < MAX_ENCTYPE); + list[(*count)++] = etype; } } @@ -381,7 +382,7 @@ mod_list(krb5_enctype etype, krb5_boolean add, krb5_boolean allow_weak, */ krb5_error_code krb5int_parse_enctype_list(krb5_context context, char *profstr, - krb5_enctype *default_list, krb5_enctype **result) + krb5_enctype *default_list, krb5_enctype **result) { char *token, *delim = " \t\r\n,", *save = NULL; krb5_boolean sel, weak = context->allow_weak_crypto; @@ -392,31 +393,31 @@ krb5int_parse_enctype_list(krb5_context context, char *profstr, /* Walk through the words in profstr. */ for (token = strtok_r(profstr, delim, &save); token; - token = strtok_r(NULL, delim, &save)) { - /* Determine if we are adding or removing enctypes. */ - sel = TRUE; - if (*token == '+' || *token == '-') - sel = (*token++ == '+'); - - if (strcasecmp(token, "DEFAULT") == 0) { - /* Set all enctypes in the default list. */ - for (i = 0; default_list[i]; i++) - mod_list(default_list[i], sel, weak, list, &count); - } else if (strcasecmp(token, "des") == 0) { - mod_list(ENCTYPE_DES_CBC_CRC, sel, weak, list, &count); - mod_list(ENCTYPE_DES_CBC_MD5, sel, weak, list, &count); - mod_list(ENCTYPE_DES_CBC_MD4, sel, weak, list, &count); - } else if (strcasecmp(token, "des3") == 0) { - mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, list, &count); - } else if (strcasecmp(token, "aes") == 0) { - mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, list, &count); - mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, list, &count); - } else if (strcasecmp(token, "rc4") == 0) { - mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, list, &count); - } else if (krb5_string_to_enctype(token, &etype) == 0) { - /* Set a specific enctype. */ - mod_list(etype, sel, weak, list, &count); - } + token = strtok_r(NULL, delim, &save)) { + /* Determine if we are adding or removing enctypes. */ + sel = TRUE; + if (*token == '+' || *token == '-') + sel = (*token++ == '+'); + + if (strcasecmp(token, "DEFAULT") == 0) { + /* Set all enctypes in the default list. */ + for (i = 0; default_list[i]; i++) + mod_list(default_list[i], sel, weak, list, &count); + } else if (strcasecmp(token, "des") == 0) { + mod_list(ENCTYPE_DES_CBC_CRC, sel, weak, list, &count); + mod_list(ENCTYPE_DES_CBC_MD5, sel, weak, list, &count); + mod_list(ENCTYPE_DES_CBC_MD4, sel, weak, list, &count); + } else if (strcasecmp(token, "des3") == 0) { + mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, list, &count); + } else if (strcasecmp(token, "aes") == 0) { + mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, list, &count); + mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, list, &count); + } else if (strcasecmp(token, "rc4") == 0) { + mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, list, &count); + } else if (krb5_string_to_enctype(token, &etype) == 0) { + /* Set a specific enctype. */ + mod_list(etype, sel, weak, list, &count); + } } list[count] = 0; @@ -433,8 +434,8 @@ krb5int_parse_enctype_list(krb5_context context, char *profstr, */ static krb5_error_code get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr, - char *profkey, krb5_enctype *ctx_list, - krb5_enctype *default_list) + char *profkey, krb5_enctype *ctx_list, + krb5_enctype *default_list) { krb5_enctype *etypes; krb5_error_code code; @@ -443,26 +444,26 @@ get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr, *etypes_ptr = NULL; if (ctx_list) { - /* Use application defaults. */ - code = copy_enctypes(context, ctx_list, &etypes); - if (code) - return code; + /* Use application defaults. */ + code = copy_enctypes(context, ctx_list, &etypes); + if (code) + return code; } else { - /* Parse profile setting, or "DEFAULT" if not specified. */ - code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, - profkey, NULL, "DEFAULT", &profstr); - if (code) - return code; - code = krb5int_parse_enctype_list(context, profstr, default_list, - &etypes); - profile_release_string(profstr); - if (code) - return code; + /* Parse profile setting, or "DEFAULT" if not specified. */ + code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, + profkey, NULL, "DEFAULT", &profstr); + if (code) + return code; + code = krb5int_parse_enctype_list(context, profstr, default_list, + &etypes); + profile_release_string(profstr); + if (code) + return code; } if (etypes[0] == 0) { - free(etypes); - return KRB5_CONFIG_ETYPE_NOSUPP; + free(etypes); + return KRB5_CONFIG_ETYPE_NOSUPP; } *etypes_ptr = etypes; @@ -473,9 +474,9 @@ krb5_error_code krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes) { return get_profile_etype_list(context, ktypes, - KRB5_CONF_DEFAULT_TKT_ENCTYPES, - context->in_tkt_etypes, - default_enctype_list); + KRB5_CONF_DEFAULT_TKT_ENCTYPES, + context->in_tkt_etypes, + default_enctype_list); } void @@ -490,24 +491,24 @@ KRB5_CALLCONV krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes) { if (context->use_conf_ktypes) - /* This one is set *only* by reading the config file; it's not - set by the application. */ - return get_profile_etype_list(context, ktypes, - KRB5_CONF_DEFAULT_TKT_ENCTYPES, NULL, - default_enctype_list); + /* This one is set *only* by reading the config file; it's not + set by the application. */ + return get_profile_etype_list(context, ktypes, + KRB5_CONF_DEFAULT_TKT_ENCTYPES, NULL, + default_enctype_list); else - return get_profile_etype_list(context, ktypes, - KRB5_CONF_DEFAULT_TGS_ENCTYPES, - context->tgs_etypes, - default_enctype_list); + return get_profile_etype_list(context, ktypes, + KRB5_CONF_DEFAULT_TGS_ENCTYPES, + context->tgs_etypes, + default_enctype_list); } krb5_error_code KRB5_CALLCONV krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes) { return get_profile_etype_list(context, ktypes, - KRB5_CONF_PERMITTED_ENCTYPES, - context->tgs_etypes, default_enctype_list); + KRB5_CONF_PERMITTED_ENCTYPES, + context->tgs_etypes, default_enctype_list); } krb5_boolean @@ -517,14 +518,14 @@ krb5_is_permitted_enctype(krb5_context context, krb5_enctype etype) krb5_boolean ret; if (krb5_get_permitted_enctypes(context, &list)) - return(0); + return(0); + - ret = 0; for (ptr = list; *ptr; ptr++) - if (*ptr == etype) - ret = 1; + if (*ptr == etype) + ret = 1; krb5_free_ktypes (context, list); @@ -571,11 +572,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) *nctx_out = NULL; if (ctx == NULL) - return EINVAL; /* XXX */ + return EINVAL; /* XXX */ nctx = malloc(sizeof(*nctx)); if (nctx == NULL) - return ENOMEM; + return ENOMEM; *nctx = *ctx; @@ -600,28 +601,28 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out) ret = copy_enctypes(nctx, ctx->in_tkt_etypes, &nctx->in_tkt_etypes); if (ret) - goto errout; + goto errout; ret = copy_enctypes(nctx, ctx->tgs_etypes, &nctx->tgs_etypes); if (ret) - goto errout; + goto errout; if (ctx->os_context.default_ccname != NULL) { - nctx->os_context.default_ccname = - strdup(ctx->os_context.default_ccname); - if (nctx->os_context.default_ccname == NULL) { - ret = ENOMEM; - goto errout; - } + nctx->os_context.default_ccname = + strdup(ctx->os_context.default_ccname); + if (nctx->os_context.default_ccname == NULL) { + ret = ENOMEM; + goto errout; + } } ret = krb5_get_profile(ctx, &nctx->profile); if (ret) - goto errout; + goto errout; errout: if (ret) { - krb5_free_context(nctx); + krb5_free_context(nctx); } else { - *nctx_out = nctx; + *nctx_out = nctx; } return ret; } diff --git a/src/lib/krb5/krb/init_keyblock.c b/src/lib/krb5/krb/init_keyblock.c index 3be842ac8..baf7dabec 100644 --- a/src/lib/krb5/krb/init_keyblock.c +++ b/src/lib/krb5/krb/init_keyblock.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/init_keyblock.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,10 +23,10 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * * - * krb5_init_keyblock- a function to set up + * + * + * krb5_init_keyblock- a function to set up * an empty keyblock */ @@ -34,8 +35,8 @@ #include krb5_error_code KRB5_CALLCONV krb5_init_keyblock - (krb5_context context, krb5_enctype enctype, - size_t length, krb5_keyblock **out) +(krb5_context context, krb5_enctype enctype, + size_t length, krb5_keyblock **out) { - return krb5int_c_init_keyblock (context, enctype, length, out); + return krb5int_c_init_keyblock (context, enctype, length, out); } diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h index 724e18bf8..081a8a34b 100644 --- a/src/lib/krb5/krb/int-proto.h +++ b/src/lib/krb5/krb/int-proto.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/int-proto.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Function prototypes for Kerberos V5 library internal functions. */ @@ -32,14 +33,14 @@ #define KRB5_INT_FUNC_PROTO__ krb5_error_code krb5_tgtname - (krb5_context context, - const krb5_data *, - const krb5_data *, - krb5_principal *); +(krb5_context context, + const krb5_data *, + const krb5_data *, + krb5_principal *); krb5_error_code krb5_libdefault_boolean - (krb5_context, const krb5_data *, const char *, - int *); +(krb5_context, const krb5_data *, const char *, + int *); krb5_error_code krb5_ser_authdata_init (krb5_context); krb5_error_code krb5_ser_address_init (krb5_context); @@ -51,40 +52,39 @@ krb5_error_code krb5_ser_authdata_context_init (krb5_context); krb5_error_code krb5_preauth_supply_preauth_data(krb5_context context, - krb5_gic_opt_ext *opte, - const char *attr, - const char *value); + krb5_gic_opt_ext *opte, + const char *attr, + const char *value); krb5_error_code krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, - krb5_creds *in_cred, krb5_creds **out_cred, - krb5_creds ***tgts, int kdcopt); + krb5_creds *in_cred, krb5_creds **out_cred, + krb5_creds ***tgts, int kdcopt); krb5_error_code krb5int_construct_matching_creds(krb5_context context, krb5_flags options, - krb5_creds *in_creds, krb5_creds *mcreds, - krb5_flags *fields); + krb5_creds *in_creds, krb5_creds *mcreds, + krb5_flags *fields); #define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew) -#define IS_TGS_PRINC(c, p) \ - (krb5_princ_size((c), (p)) == 2 && \ +#define IS_TGS_PRINC(c, p) \ + (krb5_princ_size((c), (p)) == 2 && \ data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME)) krb5_error_code krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt, - krb5_flags kdcoptions, krb5_address *const *address, - krb5_pa_data **in_padata, - krb5_creds *in_cred, - krb5_error_code (*gcvt_fct)(krb5_context, - krb5_keyblock *, - krb5_kdc_req *, - void *), - void *gcvt_data, - krb5_pa_data ***out_padata, - krb5_pa_data ***enc_padata, - krb5_creds **out_cred, - krb5_keyblock **out_subkey); + krb5_flags kdcoptions, krb5_address *const *address, + krb5_pa_data **in_padata, + krb5_creds *in_cred, + krb5_error_code (*gcvt_fct)(krb5_context, + krb5_keyblock *, + krb5_kdc_req *, + void *), + void *gcvt_data, + krb5_pa_data ***out_padata, + krb5_pa_data ***enc_padata, + krb5_creds **out_cred, + krb5_keyblock **out_subkey); #endif /* KRB5_INT_FUNC_PROTO__ */ - diff --git a/src/lib/krb5/krb/kdc_rep_dc.c b/src/lib/krb5/krb/kdc_rep_dc.c index 42559b2f1..dfd3ba29f 100644 --- a/src/lib/krb5/krb/kdc_rep_dc.c +++ b/src/lib/krb5/krb/kdc_rep_dc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/kdc_rep_dc.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_kdc_rep_decrypt_proc() */ @@ -45,34 +46,34 @@ krb5_kdc_rep_decrypt_proc(krb5_context context, const krb5_keyblock *key, krb5_c krb5_keyusage usage; if (decryptarg) { - usage = *(const krb5_keyusage *) decryptarg; + usage = *(const krb5_keyusage *) decryptarg; } else { - usage = KRB5_KEYUSAGE_AS_REP_ENCPART; + usage = KRB5_KEYUSAGE_AS_REP_ENCPART; } /* set up scratch decrypt/decode area */ scratch.length = dec_rep->enc_part.ciphertext.length; if (!(scratch.data = malloc(dec_rep->enc_part.ciphertext.length))) { - return(ENOMEM); + return(ENOMEM); } /*dec_rep->enc_part.enctype;*/ if ((retval = krb5_c_decrypt(context, key, usage, 0, &dec_rep->enc_part, - &scratch))) { - free(scratch.data); - return(retval); + &scratch))) { + free(scratch.data); + return(retval); } -#define clean_scratch() {memset(scratch.data, 0, scratch.length); \ -free(scratch.data);} +#define clean_scratch() {memset(scratch.data, 0, scratch.length); \ + free(scratch.data);} /* and do the decode */ retval = decode_krb5_enc_kdc_rep_part(&scratch, &local_encpart); clean_scratch(); if (retval) - return retval; + return retval; dec_rep->enc_part2 = local_encpart; diff --git a/src/lib/krb5/krb/kerrs.c b/src/lib/krb5/krb/kerrs.c index 51f1eca97..7525e29a1 100644 --- a/src/lib/krb5/krb/kerrs.c +++ b/src/lib/krb5/krb/kerrs.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/kerrs.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -38,63 +39,63 @@ static int error_message_debug = 0; #undef krb5_set_error_message void KRB5_CALLCONV_C krb5_set_error_message (krb5_context ctx, krb5_error_code code, - const char *fmt, ...) + const char *fmt, ...) { va_list args; if (ctx == NULL) - return; + return; va_start (args, fmt); #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, - "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n", - ctx, &ctx->err, (long) code); + fprintf(stderr, + "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n", + ctx, &ctx->err, (long) code); #endif krb5int_vset_error (&ctx->err, code, fmt, args); #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, "->%s\n", ctx->err.msg); + fprintf(stderr, "->%s\n", ctx->err.msg); #endif va_end (args); } void KRB5_CALLCONV_C krb5_set_error_message_fl (krb5_context ctx, krb5_error_code code, - const char *file, int line, const char *fmt, ...) + const char *file, int line, const char *fmt, ...) { va_list args; if (ctx == NULL) - return; + return; va_start (args, fmt); #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, - "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n", - ctx, &ctx->err, (long) code); + fprintf(stderr, + "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n", + ctx, &ctx->err, (long) code); #endif krb5int_vset_error_fl (&ctx->err, code, file, line, fmt, args); #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, "->%s\n", ctx->err.msg); + fprintf(stderr, "->%s\n", ctx->err.msg); #endif va_end (args); } void KRB5_CALLCONV krb5_vset_error_message (krb5_context ctx, krb5_error_code code, - const char *fmt, va_list args) + const char *fmt, va_list args) { #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, "krb5_vset_error_message(ctx=%p, code=%ld, ...)\n", - ctx, (long) code); + fprintf(stderr, "krb5_vset_error_message(ctx=%p, code=%ld, ...)\n", + ctx, (long) code); #endif if (ctx == NULL) - return; + return; krb5int_vset_error (&ctx->err, code, fmt, args); #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, "->%s\n", ctx->err.msg); + fprintf(stderr, "->%s\n", ctx->err.msg); #endif } @@ -103,12 +104,12 @@ void KRB5_CALLCONV krb5_copy_error_message (krb5_context dest_ctx, krb5_context src_ctx) { if (dest_ctx == src_ctx) - return; + return; if (src_ctx->err.msg) { - krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s", - src_ctx->err.msg); + krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s", + src_ctx->err.msg); } else { - krb5int_clear_error(&dest_ctx->err); + krb5int_clear_error(&dest_ctx->err); } } @@ -117,10 +118,10 @@ krb5_get_error_message (krb5_context ctx, krb5_error_code code) { #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, "krb5_get_error_message(%p, %ld)\n", ctx, (long) code); + fprintf(stderr, "krb5_get_error_message(%p, %ld)\n", ctx, (long) code); #endif if (ctx == NULL) - return error_message(code); + return error_message(code); return krb5int_get_error (&ctx->err, code); } @@ -129,10 +130,10 @@ krb5_free_error_message (krb5_context ctx, const char *msg) { #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, "krb5_free_error_message(%p, %p)\n", ctx, msg); + fprintf(stderr, "krb5_free_error_message(%p, %p)\n", ctx, msg); #endif if (ctx == NULL) - return; + return; krb5int_free_error (&ctx->err, msg); } @@ -141,9 +142,9 @@ krb5_clear_error_message (krb5_context ctx) { #ifdef DEBUG if (ERROR_MESSAGE_DEBUG()) - fprintf(stderr, "krb5_clear_error_message(%p)\n", ctx); + fprintf(stderr, "krb5_clear_error_message(%p)\n", ctx); #endif if (ctx == NULL) - return; + return; krb5int_clear_error (&ctx->err); } diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 801eed0da..c372e70b6 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/free/f_addr.c * @@ -7,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -21,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_free_address() */ @@ -60,7 +61,7 @@ void KRB5_CALLCONV krb5_free_address(krb5_context context, krb5_address *val) { if (val == NULL) - return; + return; free(val->contents); free(val); } @@ -71,10 +72,10 @@ krb5_free_addresses(krb5_context context, krb5_address **val) register krb5_address **temp; if (val == NULL) - return; + return; for (temp = val; *temp; temp++) { - free((*temp)->contents); - free(*temp); + free((*temp)->contents); + free(*temp); } free(val); } @@ -82,18 +83,18 @@ krb5_free_addresses(krb5_context context, krb5_address **val) void KRB5_CALLCONV krb5_free_alt_method(krb5_context context, - krb5_alt_method *alt) + krb5_alt_method *alt) { if (alt) { - free(alt->data); - free(alt); + free(alt->data); + free(alt); } } void KRB5_CALLCONV krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val) { if (val == NULL) - return; + return; free(val->enc_part.ciphertext.data); free(val); } @@ -102,7 +103,7 @@ void KRB5_CALLCONV krb5_free_ap_req(krb5_context context, register krb5_ap_req *val) { if (val == NULL) - return; + return; krb5_free_ticket(context, val->ticket); free(val->authenticator.ciphertext.data); free(val); @@ -112,7 +113,7 @@ void KRB5_CALLCONV krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val) { if (val == NULL) - return; + return; krb5_free_keyblock(context, val->subkey); free(val); } @@ -121,7 +122,7 @@ void KRB5_CALLCONV krb5_free_authenticator_contents(krb5_context context, krb5_authenticator *val) { if (val == NULL) - return; + return; krb5_free_checksum(context, val->checksum); val->checksum = 0; krb5_free_principal(context, val->client); @@ -138,10 +139,10 @@ krb5_free_authdata(krb5_context context, krb5_authdata **val) register krb5_authdata **temp; if (val == NULL) - return; + return; for (temp = val; *temp; temp++) { - free((*temp)->contents); - free(*temp); + free((*temp)->contents); + free(*temp); } free(val); } @@ -150,7 +151,7 @@ void KRB5_CALLCONV krb5_free_authenticator(krb5_context context, krb5_authenticator *val) { if (val == NULL) - return; + return; krb5_free_authenticator_contents(context, val); free(val); } @@ -159,7 +160,7 @@ void KRB5_CALLCONV krb5_free_checksum(krb5_context context, register krb5_checksum *val) { if (val == NULL) - return; + return; krb5_free_checksum_contents(context, val); free(val); } @@ -168,7 +169,7 @@ void KRB5_CALLCONV krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val) { if (val == NULL) - return; + return; free(val->contents); val->contents = NULL; } @@ -177,7 +178,7 @@ void KRB5_CALLCONV krb5_free_cred(krb5_context context, register krb5_cred *val) { if (val == NULL) - return; + return; krb5_free_tickets(context, val->tickets); free(val->enc_part.ciphertext.data); free(val); @@ -185,14 +186,14 @@ krb5_free_cred(krb5_context context, register krb5_cred *val) /* * krb5_free_cred_contents zeros out the session key, and then frees - * the credentials structures + * the credentials structures */ void KRB5_CALLCONV krb5_free_cred_contents(krb5_context context, krb5_creds *val) { if (val == NULL) - return; + return; krb5_free_principal(context, val->client); val->client = 0; krb5_free_principal(context, val->server); @@ -208,28 +209,28 @@ krb5_free_cred_contents(krb5_context context, krb5_creds *val) val->authdata = 0; } -void KRB5_CALLCONV +void KRB5_CALLCONV krb5_free_cred_enc_part(krb5_context context, register krb5_cred_enc_part *val) { register krb5_cred_info **temp; - + if (val == NULL) - return; + return; krb5_free_address(context, val->r_address); val->r_address = 0; krb5_free_address(context, val->s_address); val->s_address = 0; if (val->ticket_info) { - for (temp = val->ticket_info; *temp; temp++) { - krb5_free_keyblock(context, (*temp)->session); - krb5_free_principal(context, (*temp)->client); - krb5_free_principal(context, (*temp)->server); - krb5_free_addresses(context, (*temp)->caddrs); - free(*temp); - } - free(val->ticket_info); - val->ticket_info = 0; + for (temp = val->ticket_info; *temp; temp++) { + krb5_free_keyblock(context, (*temp)->session); + krb5_free_principal(context, (*temp)->client); + krb5_free_principal(context, (*temp)->server); + krb5_free_addresses(context, (*temp)->caddrs); + free(*temp); + } + free(val->ticket_info); + val->ticket_info = 0; } } @@ -238,7 +239,7 @@ void KRB5_CALLCONV krb5_free_creds(krb5_context context, krb5_creds *val) { if (val == NULL) - return; + return; krb5_free_cred_contents(context, val); free(val); } @@ -248,7 +249,7 @@ void KRB5_CALLCONV krb5_free_data(krb5_context context, krb5_data *val) { if (val == NULL) - return; + return; free(val->data); free(val); } @@ -257,10 +258,10 @@ void KRB5_CALLCONV krb5_free_data_contents(krb5_context context, krb5_data *val) { if (val == NULL) - return; + return; if (val->data) { - free(val->data); - val->data = 0; + free(val->data); + val->data = 0; } } @@ -268,7 +269,7 @@ void KRB5_CALLCONV krb5_free_enc_data(krb5_context context, krb5_enc_data *val) { if (val == NULL) - return; + return; krb5_free_data_contents(context, &val->ciphertext); free(val); } @@ -278,21 +279,21 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info) int i; if (info == NULL) - return; + return; for (i=0; info[i] != NULL; i++) { - free(info[i]->salt); - krb5_free_data_contents(context, &info[i]->s2kparams); - free(info[i]); + free(info[i]->salt); + krb5_free_data_contents(context, &info[i]->s2kparams); + free(info[i]); } free(info); } - + void KRB5_CALLCONV krb5_free_enc_kdc_rep_part(krb5_context context, register krb5_enc_kdc_rep_part *val) { if (val == NULL) - return; + return; krb5_free_keyblock(context, val->session); krb5_free_last_req(context, val->last_req); krb5_free_principal(context, val->server); @@ -305,7 +306,7 @@ void KRB5_CALLCONV krb5_free_enc_tkt_part(krb5_context context, krb5_enc_tkt_part *val) { if (val == NULL) - return; + return; krb5_free_keyblock(context, val->session); krb5_free_principal(context, val->client); free(val->transited.tr_contents.data); @@ -319,7 +320,7 @@ void KRB5_CALLCONV krb5_free_error(krb5_context context, register krb5_error *val) { if (val == NULL) - return; + return; krb5_free_principal(context, val->client); krb5_free_principal(context, val->server); free(val->text.data); @@ -331,7 +332,7 @@ void KRB5_CALLCONV krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *val) { if (val == NULL) - return; + return; krb5_free_pa_data(context, val->padata); krb5_free_principal(context, val->client); krb5_free_ticket(context, val->ticket); @@ -345,7 +346,7 @@ void KRB5_CALLCONV krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val) { if (val == NULL) - return; + return; assert( val->kdc_state == NULL); krb5_free_pa_data(context, val->padata); krb5_free_principal(context, val->client); @@ -378,9 +379,9 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val) register krb5_last_req_entry **temp; if (val == NULL) - return; + return; for (temp = val; *temp; temp++) - free(*temp); + free(*temp); free(val); } @@ -390,10 +391,10 @@ krb5_free_pa_data(krb5_context context, krb5_pa_data **val) register krb5_pa_data **temp; if (val == NULL) - return; + return; for (temp = val; *temp; temp++) { - free((*temp)->contents); - free(*temp); + free((*temp)->contents); + free(*temp); } free(val); } @@ -404,13 +405,13 @@ krb5_free_principal(krb5_context context, krb5_principal val) register krb5_int32 i; if (!val) - return; - + return; + if (val->data) { - i = krb5_princ_size(context, val); - while(--i >= 0) - free(krb5_princ_component(context, val, i)->data); - free(val->data); + i = krb5_princ_size(context, val); + while(--i >= 0) + free(krb5_princ_component(context, val, i)->data); + free(val->data); } free(val->realm.data); free(val); @@ -420,7 +421,7 @@ void KRB5_CALLCONV krb5_free_priv(krb5_context context, register krb5_priv *val) { if (val == NULL) - return; + return; free(val->enc_part.ciphertext.data); free(val); } @@ -429,7 +430,7 @@ void KRB5_CALLCONV krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val) { if (val == NULL) - return; + return; free(val->user_data.data); krb5_free_address(context, val->r_address); krb5_free_address(context, val->s_address); @@ -440,7 +441,7 @@ void KRB5_CALLCONV krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val) { if (val == NULL) - return; + return; krb5_free_pwd_sequences(context, val->element); free(val); } @@ -448,10 +449,10 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val) void KRB5_CALLCONV krb5_free_passwd_phrase_element(krb5_context context, - passwd_phrase_element *val) + passwd_phrase_element *val) { if (val == NULL) - return; + return; krb5_free_data(context, val->passwd); val->passwd = NULL; krb5_free_data(context, val->phrase); @@ -466,9 +467,9 @@ krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val) register passwd_phrase_element **temp; if (val == NULL) - return; + return; for (temp = val; *temp; temp++) - krb5_free_passwd_phrase_element(context, *temp); + krb5_free_passwd_phrase_element(context, *temp); free(val); } @@ -477,7 +478,7 @@ void KRB5_CALLCONV krb5_free_safe(krb5_context context, register krb5_safe *val) { if (val == NULL) - return; + return; free(val->user_data.data); krb5_free_address(context, val->r_address); krb5_free_address(context, val->s_address); @@ -490,7 +491,7 @@ void KRB5_CALLCONV krb5_free_ticket(krb5_context context, krb5_ticket *val) { if (val == NULL) - return; + return; krb5_free_principal(context, val->server); free(val->enc_part.ciphertext.data); krb5_free_enc_tkt_part(context, val->enc_part2); @@ -503,7 +504,7 @@ krb5_free_tickets(krb5_context context, krb5_ticket **val) register krb5_ticket **temp; if (val == NULL) - return; + return; for (temp = val; *temp; temp++) krb5_free_ticket(context, *temp); free(val); @@ -515,9 +516,9 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts) { register krb5_creds **tgtpp; if (tgts == NULL) - return; + return; for (tgtpp = tgts; *tgtpp; tgtpp++) - krb5_free_creds(context, *tgtpp); + krb5_free_creds(context, *tgtpp); free(tgts); } @@ -525,7 +526,7 @@ void KRB5_CALLCONV krb5_free_tkt_authent(krb5_context context, krb5_tkt_authent *val) { if (val == NULL) - return; + return; krb5_free_ticket(context, val->ticket); krb5_free_authenticator(context, val->authenticator); free(val); @@ -535,14 +536,14 @@ void KRB5_CALLCONV krb5_free_unparsed_name(krb5_context context, char *val) { if (val != NULL) - free(val); + free(val); } void KRB5_CALLCONV krb5_free_sam_challenge(krb5_context ctx, krb5_sam_challenge *sc) { if (!sc) - return; + return; krb5_free_sam_challenge_contents(ctx, sc); free(sc); } @@ -551,7 +552,7 @@ void KRB5_CALLCONV krb5_free_sam_challenge_2(krb5_context ctx, krb5_sam_challenge_2 *sc2) { if (!sc2) - return; + return; krb5_free_sam_challenge_2_contents(ctx, sc2); free(sc2); } @@ -560,79 +561,79 @@ void KRB5_CALLCONV krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge *sc) { if (!sc) - return; + return; if (sc->sam_type_name.data) - krb5_free_data_contents(ctx, &sc->sam_type_name); + krb5_free_data_contents(ctx, &sc->sam_type_name); if (sc->sam_track_id.data) - krb5_free_data_contents(ctx, &sc->sam_track_id); + krb5_free_data_contents(ctx, &sc->sam_track_id); if (sc->sam_challenge_label.data) - krb5_free_data_contents(ctx, &sc->sam_challenge_label); + krb5_free_data_contents(ctx, &sc->sam_challenge_label); if (sc->sam_challenge.data) - krb5_free_data_contents(ctx, &sc->sam_challenge); + krb5_free_data_contents(ctx, &sc->sam_challenge); if (sc->sam_response_prompt.data) - krb5_free_data_contents(ctx, &sc->sam_response_prompt); + krb5_free_data_contents(ctx, &sc->sam_response_prompt); if (sc->sam_pk_for_sad.data) - krb5_free_data_contents(ctx, &sc->sam_pk_for_sad); + krb5_free_data_contents(ctx, &sc->sam_pk_for_sad); free(sc->sam_cksum.contents); sc->sam_cksum.contents = 0; } void KRB5_CALLCONV krb5_free_sam_challenge_2_contents(krb5_context ctx, - krb5_sam_challenge_2 *sc2) + krb5_sam_challenge_2 *sc2) { krb5_checksum **cksump; if (!sc2) - return; + return; if (sc2->sam_challenge_2_body.data) - krb5_free_data_contents(ctx, &sc2->sam_challenge_2_body); + krb5_free_data_contents(ctx, &sc2->sam_challenge_2_body); if (sc2->sam_cksum) { - cksump = sc2->sam_cksum; - while (*cksump) { - krb5_free_checksum(ctx, *cksump); - cksump++; - } - free(sc2->sam_cksum); - sc2->sam_cksum = 0; + cksump = sc2->sam_cksum; + while (*cksump) { + krb5_free_checksum(ctx, *cksump); + cksump++; + } + free(sc2->sam_cksum); + sc2->sam_cksum = 0; } } void KRB5_CALLCONV krb5_free_sam_challenge_2_body(krb5_context ctx, - krb5_sam_challenge_2_body *sc2) + krb5_sam_challenge_2_body *sc2) { if (!sc2) - return; + return; krb5_free_sam_challenge_2_body_contents(ctx, sc2); free(sc2); } void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents(krb5_context ctx, - krb5_sam_challenge_2_body *sc2) + krb5_sam_challenge_2_body *sc2) { if (!sc2) - return; - if (sc2->sam_type_name.data) - krb5_free_data_contents(ctx, &sc2->sam_type_name); + return; + if (sc2->sam_type_name.data) + krb5_free_data_contents(ctx, &sc2->sam_type_name); if (sc2->sam_track_id.data) - krb5_free_data_contents(ctx, &sc2->sam_track_id); + krb5_free_data_contents(ctx, &sc2->sam_track_id); if (sc2->sam_challenge_label.data) - krb5_free_data_contents(ctx, &sc2->sam_challenge_label); + krb5_free_data_contents(ctx, &sc2->sam_challenge_label); if (sc2->sam_challenge.data) - krb5_free_data_contents(ctx, &sc2->sam_challenge); + krb5_free_data_contents(ctx, &sc2->sam_challenge); if (sc2->sam_response_prompt.data) - krb5_free_data_contents(ctx, &sc2->sam_response_prompt); + krb5_free_data_contents(ctx, &sc2->sam_response_prompt); if (sc2->sam_pk_for_sad.data) - krb5_free_data_contents(ctx, &sc2->sam_pk_for_sad); + krb5_free_data_contents(ctx, &sc2->sam_pk_for_sad); } void KRB5_CALLCONV krb5_free_sam_response(krb5_context ctx, krb5_sam_response *sr) { if (!sr) - return; + return; krb5_free_sam_response_contents(ctx, sr); free(sr); } @@ -641,7 +642,7 @@ void KRB5_CALLCONV krb5_free_sam_response_2(krb5_context ctx, krb5_sam_response_2 *sr2) { if (!sr2) - return; + return; krb5_free_sam_response_2_contents(ctx, sr2); free(sr2); } @@ -650,95 +651,95 @@ void KRB5_CALLCONV krb5_free_sam_response_contents(krb5_context ctx, krb5_sam_response *sr) { if (!sr) - return; + return; if (sr->sam_track_id.data) - krb5_free_data_contents(ctx, &sr->sam_track_id); + krb5_free_data_contents(ctx, &sr->sam_track_id); if (sr->sam_enc_key.ciphertext.data) - krb5_free_data_contents(ctx, &sr->sam_enc_key.ciphertext); + krb5_free_data_contents(ctx, &sr->sam_enc_key.ciphertext); if (sr->sam_enc_nonce_or_ts.ciphertext.data) - krb5_free_data_contents(ctx, &sr->sam_enc_nonce_or_ts.ciphertext); + krb5_free_data_contents(ctx, &sr->sam_enc_nonce_or_ts.ciphertext); } void KRB5_CALLCONV krb5_free_sam_response_2_contents(krb5_context ctx, krb5_sam_response_2 *sr2) { if (!sr2) - return; + return; if (sr2->sam_track_id.data) - krb5_free_data_contents(ctx, &sr2->sam_track_id); + krb5_free_data_contents(ctx, &sr2->sam_track_id); if (sr2->sam_enc_nonce_or_sad.ciphertext.data) - krb5_free_data_contents(ctx, &sr2->sam_enc_nonce_or_sad.ciphertext); + krb5_free_data_contents(ctx, &sr2->sam_enc_nonce_or_sad.ciphertext); } void KRB5_CALLCONV krb5_free_predicted_sam_response(krb5_context ctx, - krb5_predicted_sam_response *psr) + krb5_predicted_sam_response *psr) { if (!psr) - return; + return; krb5_free_predicted_sam_response_contents(ctx, psr); free(psr); } void KRB5_CALLCONV krb5_free_predicted_sam_response_contents(krb5_context ctx, - krb5_predicted_sam_response *psr) + krb5_predicted_sam_response *psr) { if (!psr) - return; + return; if (psr->sam_key.contents) - krb5_free_keyblock_contents(ctx, &psr->sam_key); + krb5_free_keyblock_contents(ctx, &psr->sam_key); krb5_free_principal(ctx, psr->client); psr->client = 0; if (psr->msd.data) - krb5_free_data_contents(ctx, &psr->msd); + krb5_free_data_contents(ctx, &psr->msd); } void KRB5_CALLCONV krb5_free_enc_sam_response_enc(krb5_context ctx, - krb5_enc_sam_response_enc *esre) + krb5_enc_sam_response_enc *esre) { if (!esre) - return; + return; krb5_free_enc_sam_response_enc_contents(ctx, esre); free(esre); } -void KRB5_CALLCONV +void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2(krb5_context ctx, - krb5_enc_sam_response_enc_2 *esre2) + krb5_enc_sam_response_enc_2 *esre2) { if (!esre2) - return; + return; krb5_free_enc_sam_response_enc_2_contents(ctx, esre2); free(esre2); } void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents(krb5_context ctx, - krb5_enc_sam_response_enc *esre) + krb5_enc_sam_response_enc *esre) { if (!esre) - return; + return; if (esre->sam_sad.data) - krb5_free_data_contents(ctx, &esre->sam_sad); + krb5_free_data_contents(ctx, &esre->sam_sad); } void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents(krb5_context ctx, - krb5_enc_sam_response_enc_2 *esre2) + krb5_enc_sam_response_enc_2 *esre2) { if (!esre2) - return; + return; if (esre2->sam_sad.data) - krb5_free_data_contents(ctx, &esre2->sam_sad); + krb5_free_data_contents(ctx, &esre2->sam_sad); } void KRB5_CALLCONV krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts *pa_enc_ts) { if (!pa_enc_ts) - return; + return; free(pa_enc_ts); } @@ -746,7 +747,7 @@ void KRB5_CALLCONV krb5_free_pa_for_user(krb5_context context, krb5_pa_for_user *req) { if (req == NULL) - return; + return; krb5_free_principal(context, req->user); req->user = NULL; krb5_free_checksum_contents(context, &req->cksum); @@ -758,7 +759,7 @@ void KRB5_CALLCONV krb5_free_s4u_userid_contents(krb5_context context, krb5_s4u_userid *user_id) { if (user_id == NULL) - return; + return; user_id->nonce = 0; krb5_free_principal(context, user_id->user); user_id->user = NULL; @@ -772,7 +773,7 @@ void KRB5_CALLCONV krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req) { if (req == NULL) - return; + return; krb5_free_s4u_userid_contents(context, &req->user_id); krb5_free_checksum_contents(context, &req->cksum); free(req); @@ -780,26 +781,26 @@ krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req) void KRB5_CALLCONV krb5_free_pa_server_referral_data(krb5_context context, - krb5_pa_server_referral_data *ref) + krb5_pa_server_referral_data *ref) { if (ref == NULL) - return; + return; krb5_free_data(context, ref->referred_realm); ref->referred_realm = NULL; krb5_free_principal(context, ref->true_principal_name); ref->true_principal_name = NULL; krb5_free_principal(context, ref->requested_principal_name); ref->requested_principal_name = NULL; - krb5_free_checksum_contents(context, &ref->rep_cksum); + krb5_free_checksum_contents(context, &ref->rep_cksum); free(ref); } void KRB5_CALLCONV krb5_free_pa_svr_referral_data(krb5_context context, - krb5_pa_svr_referral_data *ref) + krb5_pa_svr_referral_data *ref) { if (ref == NULL) - return; + return; krb5_free_principal(context, ref->principal); ref->principal = NULL; free(ref); @@ -807,79 +808,79 @@ krb5_free_pa_svr_referral_data(krb5_context context, void KRB5_CALLCONV krb5_free_pa_pac_req(krb5_context context, - krb5_pa_pac_req *req) + krb5_pa_pac_req *req) { free(req); } void KRB5_CALLCONV krb5_free_etype_list(krb5_context context, - krb5_etype_list *etypes) + krb5_etype_list *etypes) { if (etypes != NULL) { - free(etypes->etypes); - free(etypes); + free(etypes->etypes); + free(etypes); } } void krb5_free_fast_req(krb5_context context, krb5_fast_req *val) { - if (val == NULL) - return; - krb5_free_kdc_req(context, val->req_body); - free(val); + if (val == NULL) + return; + krb5_free_kdc_req(context, val->req_body); + free(val); } void krb5_free_fast_armor(krb5_context context, krb5_fast_armor *val) { - if (val == NULL) - return; - krb5_free_data_contents(context, &val->armor_value); - free(val); + if (val == NULL) + return; + krb5_free_data_contents(context, &val->armor_value); + free(val); } void krb5_free_fast_response(krb5_context context, krb5_fast_response *val) { - if (!val) - return; - krb5_free_pa_data(context, val->padata); - krb5_free_fast_finished(context, val->finished); - krb5_free_keyblock(context, val->strengthen_key); - free(val); + if (!val) + return; + krb5_free_pa_data(context, val->padata); + krb5_free_fast_finished(context, val->finished); + krb5_free_keyblock(context, val->strengthen_key); + free(val); } void krb5_free_fast_finished (krb5_context context, krb5_fast_finished *val) { - if (!val) - return; - krb5_free_principal(context, val->client); - krb5_free_checksum_contents(context, &val->ticket_checksum); - free(val); + if (!val) + return; + krb5_free_principal(context, val->client); + krb5_free_checksum_contents(context, &val->ticket_checksum); + free(val); } void krb5_free_typed_data(krb5_context context, krb5_typed_data **in) { - int i = 0; - if (in == NULL) return; - while (in[i] != NULL) { - if (in[i]->data != NULL) - free(in[i]->data); - free(in[i]); - i++; - } - free(in); + int i = 0; + if (in == NULL) return; + while (in[i] != NULL) { + if (in[i]->data != NULL) + free(in[i]->data); + free(in[i]); + i++; + } + free(in); } void krb5_free_fast_armored_req(krb5_context context, - krb5_fast_armored_req *val) + krb5_fast_armored_req *val) { if (val == NULL) - return; + return; if (val->armor) - krb5_free_fast_armor(context, val->armor); + krb5_free_fast_armor(context, val->armor); krb5_free_data_contents(context, &val->enc_part.ciphertext); if (val->req_checksum.contents) - krb5_free_checksum_contents(context, &val->req_checksum); + krb5_free_checksum_contents(context, &val->req_checksum); free(val); } @@ -908,4 +909,3 @@ krb5_free_ad_kdcissued(krb5_context context, krb5_ad_kdcissued *val) krb5_free_authdata(context, val->elements); free(val); } - diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index 6ce0e354e..4c95accd0 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -1,7 +1,8 @@ -/* +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* * NAME * cred.c - * + * * DESCRIPTION * Provide an interface to assemble and disassemble krb5_cred * structures. @@ -20,41 +21,41 @@ /* * encrypt the enc_part of krb5_cred */ -static krb5_error_code +static krb5_error_code encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, - krb5_key pkey, krb5_enc_data *pencdata) + krb5_key pkey, krb5_enc_data *pencdata) { - krb5_error_code retval; - krb5_data * scratch; + krb5_error_code retval; + krb5_data * scratch; /* start by encoding to-be-encrypted part of the message */ if ((retval = encode_krb5_enc_cred_part(pcredpart, &scratch))) - return retval; + return retval; /* * If the keyblock is NULL, just copy the data from the encoded * data to the ciphertext area. */ if (pkey == NULL) { - pencdata->ciphertext.data = scratch->data; - pencdata->ciphertext.length = scratch->length; - free(scratch); - return 0; + pencdata->ciphertext.data = scratch->data; + pencdata->ciphertext.length = scratch->length; + free(scratch); + return 0; } /* call the encryption routine */ retval = krb5_encrypt_keyhelper(context, pkey, - KRB5_KEYUSAGE_KRB_CRED_ENCPART, - scratch, pencdata); + KRB5_KEYUSAGE_KRB_CRED_ENCPART, + scratch, pencdata); if (retval) { - memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length); + memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length); free(pencdata->ciphertext.data); pencdata->ciphertext.length = 0; pencdata->ciphertext.data = 0; } - memset(scratch->data, 0, scratch->length); + memset(scratch->data, 0, scratch->length); krb5_free_data(context, scratch); return retval; @@ -64,15 +65,15 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, static krb5_error_code krb5_mk_ncred_basic(krb5_context context, - krb5_creds **ppcreds, krb5_int32 nppcreds, - krb5_key key, krb5_replay_data *replaydata, - krb5_address *local_addr, krb5_address *remote_addr, - krb5_cred *pcred) + krb5_creds **ppcreds, krb5_int32 nppcreds, + krb5_key key, krb5_replay_data *replaydata, + krb5_address *local_addr, krb5_address *remote_addr, + krb5_cred *pcred) { - krb5_cred_enc_part credenc; - krb5_error_code retval; - size_t size; - int i; + krb5_cred_enc_part credenc; + krb5_error_code retval; + size_t size; + int i; credenc.magic = KV5M_CRED_ENC_PART; @@ -89,42 +90,42 @@ krb5_mk_ncred_basic(krb5_context context, size = sizeof(krb5_cred_info *) * (nppcreds + 1); credenc.ticket_info = (krb5_cred_info **) calloc(1, size); if (credenc.ticket_info == NULL) - return ENOMEM; + return ENOMEM; /* * For each credential in the list, initialize a cred info * structure and copy the ticket into the ticket list. */ for (i = 0; i < nppcreds; i++) { - credenc.ticket_info[i] = malloc(sizeof(krb5_cred_info)); - if (credenc.ticket_info[i] == NULL) { - retval = ENOMEM; - goto cleanup; - } - credenc.ticket_info[i+1] = NULL; - + credenc.ticket_info[i] = malloc(sizeof(krb5_cred_info)); + if (credenc.ticket_info[i] == NULL) { + retval = ENOMEM; + goto cleanup; + } + credenc.ticket_info[i+1] = NULL; + credenc.ticket_info[i]->magic = KV5M_CRED_INFO; credenc.ticket_info[i]->times = ppcreds[i]->times; credenc.ticket_info[i]->flags = ppcreds[i]->ticket_flags; - if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket, - &pcred->tickets[i]))) - goto cleanup; + if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket, + &pcred->tickets[i]))) + goto cleanup; - if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock, - &credenc.ticket_info[i]->session))) + if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock, + &credenc.ticket_info[i]->session))) goto cleanup; if ((retval = krb5_copy_principal(context, ppcreds[i]->client, - &credenc.ticket_info[i]->client))) + &credenc.ticket_info[i]->client))) goto cleanup; - if ((retval = krb5_copy_principal(context, ppcreds[i]->server, - &credenc.ticket_info[i]->server))) + if ((retval = krb5_copy_principal(context, ppcreds[i]->server, + &credenc.ticket_info[i]->server))) goto cleanup; - if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses, - &credenc.ticket_info[i]->caddrs))) + if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses, + &credenc.ticket_info[i]->caddrs))) goto cleanup; } @@ -149,18 +150,18 @@ cleanup: */ krb5_error_code KRB5_CALLCONV krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, - krb5_creds **ppcreds, krb5_data **ppdata, - krb5_replay_data *outdata) + krb5_creds **ppcreds, krb5_data **ppdata, + krb5_replay_data *outdata) { krb5_address * premote_fulladdr = NULL; krb5_address * plocal_fulladdr = NULL; krb5_address remote_fulladdr; krb5_address local_fulladdr; - krb5_error_code retval; - krb5_key key; + krb5_error_code retval; + krb5_key key; krb5_replay_data replaydata; - krb5_cred * pcred; - krb5_int32 ncred; + krb5_cred * pcred; + krb5_int32 ncred; krb5_boolean increased_sequence = FALSE; local_fulladdr.contents = 0; @@ -168,94 +169,94 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, memset(&replaydata, 0, sizeof(krb5_replay_data)); if (ppcreds == NULL) - return KRB5KRB_AP_ERR_BADADDR; + return KRB5KRB_AP_ERR_BADADDR; /* * Allocate memory for a NULL terminated list of tickets. */ for (ncred = 0; ppcreds[ncred]; ncred++) - ; + ; - if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL) + if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL) return ENOMEM; - if ((pcred->tickets - = (krb5_ticket **)calloc((size_t)ncred+1, - sizeof(krb5_ticket *))) == NULL) { - retval = ENOMEM; - goto error; + if ((pcred->tickets + = (krb5_ticket **)calloc((size_t)ncred+1, + sizeof(krb5_ticket *))) == NULL) { + retval = ENOMEM; + goto error; } /* Get keyblock */ if ((key = auth_context->send_subkey) == NULL) - key = auth_context->key; + key = auth_context->key; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) { - retval = KRB5_RC_REQUIRED; - goto error; + (auth_context->rcache == NULL)) { + retval = KRB5_RC_REQUIRED; + goto error; } if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) - && (outdata == NULL)) { + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + && (outdata == NULL)) { /* Need a better error */ - retval = KRB5_RC_REQUIRED; - goto error; + retval = KRB5_RC_REQUIRED; + goto error; } if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, - &replaydata.usec))) - goto error; + &replaydata.usec))) + goto error; if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) { - outdata->timestamp = replaydata.timestamp; - outdata->usec = replaydata.usec; + outdata->timestamp = replaydata.timestamp; + outdata->usec = replaydata.usec; } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { replaydata.seq = auth_context->local_seq_number++; - increased_sequence = TRUE; + increased_sequence = TRUE; if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) outdata->seq = replaydata.seq; } if (auth_context->local_addr) { - if (auth_context->local_port) { + if (auth_context->local_port) { if ((retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))) - goto error; - plocal_fulladdr = &local_fulladdr; - } else { + auth_context->local_port, + &local_fulladdr))) + goto error; + plocal_fulladdr = &local_fulladdr; + } else { plocal_fulladdr = auth_context->local_addr; } } if (auth_context->remote_addr) { - if (auth_context->remote_port) { + if (auth_context->remote_port) { if ((retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))) - goto error; - premote_fulladdr = &remote_fulladdr; - } else { + auth_context->remote_port, + &remote_fulladdr))) + goto error; + premote_fulladdr = &remote_fulladdr; + } else { premote_fulladdr = auth_context->remote_addr; } } /* Setup creds structure */ if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key, - &replaydata, plocal_fulladdr, - premote_fulladdr, pcred))) { - goto error; + &replaydata, plocal_fulladdr, + premote_fulladdr, pcred))) { + goto error; } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, - "_forw", &replay.client))) + "_forw", &replay.client))) goto error; replay.server = ""; /* XXX */ @@ -279,7 +280,7 @@ error: krb5_free_cred(context, pcred); if (retval) { - if (increased_sequence) + if (increased_sequence) auth_context->local_seq_number--; } return retval; @@ -292,23 +293,22 @@ error: */ krb5_error_code KRB5_CALLCONV krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, - krb5_creds *pcreds, krb5_data **ppdata, - krb5_replay_data *outdata) + krb5_creds *pcreds, krb5_data **ppdata, + krb5_replay_data *outdata) { krb5_error_code retval; krb5_creds **ppcreds; if ((ppcreds = (krb5_creds **)malloc(sizeof(*ppcreds) * 2)) == NULL) { - return ENOMEM; + return ENOMEM; } ppcreds[0] = pcreds; ppcreds[1] = NULL; retval = krb5_mk_ncred(context, auth_context, ppcreds, - ppdata, outdata); - + ppdata, outdata); + free(ppcreds); return retval; } - diff --git a/src/lib/krb5/krb/mk_error.c b/src/lib/krb5/krb/mk_error.c index 75cdc9b5b..44fd3b4c2 100644 --- a/src/lib/krb5/krb/mk_error.c +++ b/src/lib/krb5/krb/mk_error.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/mk_error.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_mk_error() routine. */ @@ -30,22 +31,22 @@ #include "k5-int.h" /* - formats the error structure *dec_err into an error buffer *enc_err. + formats the error structure *dec_err into an error buffer *enc_err. - The error buffer storage is allocated, and should be freed by the - caller when finished. + The error buffer storage is allocated, and should be freed by the + caller when finished. - returns system errors - */ + returns system errors +*/ krb5_error_code KRB5_CALLCONV krb5_mk_error(krb5_context context, const krb5_error *dec_err, - krb5_data *enc_err) + krb5_data *enc_err) { krb5_error_code retval; krb5_data *new_enc_err; if ((retval = encode_krb5_error(dec_err, &new_enc_err))) - return(retval); + return(retval); *enc_err = *new_enc_err; free(new_enc_err); return 0; diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 824bfd507..b3cb29722 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/mk_priv.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_mk_priv() */ @@ -33,18 +34,18 @@ static krb5_error_code krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, - krb5_key key, krb5_replay_data *replaydata, - krb5_address *local_addr, krb5_address *remote_addr, - krb5_pointer i_vector, krb5_data *outbuf) + krb5_key key, krb5_replay_data *replaydata, + krb5_address *local_addr, krb5_address *remote_addr, + krb5_pointer i_vector, krb5_data *outbuf) { - krb5_enctype enctype = krb5_k_key_enctype(context, key); - krb5_error_code retval; - krb5_priv privmsg; - krb5_priv_enc_part privmsg_enc_part; - krb5_data *scratch1, *scratch2, ivdata; - size_t blocksize, enclen; - - privmsg.enc_part.kvno = 0; /* XXX allow user-set? */ + krb5_enctype enctype = krb5_k_key_enctype(context, key); + krb5_error_code retval; + krb5_priv privmsg; + krb5_priv_enc_part privmsg_enc_part; + krb5_data *scratch1, *scratch2, ivdata; + size_t blocksize, enclen; + + privmsg.enc_part.kvno = 0; /* XXX allow user-set? */ privmsg.enc_part.enctype = enctype; privmsg_enc_part.user_data = *userdata; @@ -53,39 +54,39 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, /* We should check too make sure one exists. */ privmsg_enc_part.timestamp = replaydata->timestamp; - privmsg_enc_part.usec = replaydata->usec; + privmsg_enc_part.usec = replaydata->usec; privmsg_enc_part.seq_number = replaydata->seq; /* start by encoding to-be-encrypted part of the message */ if ((retval = encode_krb5_enc_priv_part(&privmsg_enc_part, &scratch1))) - return retval; + return retval; /* put together an eblock for this encryption */ if ((retval = krb5_c_encrypt_length(context, enctype, - scratch1->length, &enclen))) - goto clean_scratch; + scratch1->length, &enclen))) + goto clean_scratch; privmsg.enc_part.ciphertext.length = enclen; if (!(privmsg.enc_part.ciphertext.data = - malloc(privmsg.enc_part.ciphertext.length))) { + malloc(privmsg.enc_part.ciphertext.length))) { retval = ENOMEM; goto clean_scratch; } /* call the encryption routine */ if (i_vector) { - if ((retval = krb5_c_block_size(context, enctype, &blocksize))) - goto clean_encpart; + if ((retval = krb5_c_block_size(context, enctype, &blocksize))) + goto clean_encpart; - ivdata.length = blocksize; - ivdata.data = i_vector; + ivdata.length = blocksize; + ivdata.data = i_vector; } if ((retval = krb5_k_encrypt(context, key, - KRB5_KEYUSAGE_KRB_PRIV_ENCPART, - i_vector?&ivdata:0, - scratch1, &privmsg.enc_part))) - goto clean_encpart; + KRB5_KEYUSAGE_KRB_PRIV_ENCPART, + i_vector?&ivdata:0, + scratch1, &privmsg.enc_part))) + goto clean_encpart; if ((retval = encode_krb5_priv(&privmsg, &scratch2))) goto clean_encpart; @@ -95,15 +96,15 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, retval = 0; clean_encpart: - memset(privmsg.enc_part.ciphertext.data, 0, - privmsg.enc_part.ciphertext.length); - free(privmsg.enc_part.ciphertext.data); + memset(privmsg.enc_part.ciphertext.data, 0, + privmsg.enc_part.ciphertext.length); + free(privmsg.enc_part.ciphertext.data); privmsg.enc_part.ciphertext.length = 0; privmsg.enc_part.ciphertext.data = 0; clean_scratch: memset(scratch1->data, 0, scratch1->length); - krb5_free_data(context, scratch1); + krb5_free_data(context, scratch1); return retval; } @@ -111,10 +112,10 @@ clean_scratch: krb5_error_code KRB5_CALLCONV krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, - const krb5_data *userdata, krb5_data *outbuf, - krb5_replay_data *outdata) + const krb5_data *userdata, krb5_data *outbuf, + krb5_replay_data *outdata) { - krb5_error_code retval; + krb5_error_code retval; krb5_key key; krb5_replay_data replaydata; @@ -123,113 +124,112 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, /* Get keyblock */ if ((key = auth_context->send_subkey) == NULL) - key = auth_context->key; + key = auth_context->key; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) - return KRB5_RC_REQUIRED; + (auth_context->rcache == NULL)) + return KRB5_RC_REQUIRED; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (outdata == NULL)) - /* Need a better error */ - return KRB5_RC_REQUIRED; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + (outdata == NULL)) + /* Need a better error */ + return KRB5_RC_REQUIRED; if (!auth_context->local_addr) - return KRB5_LOCAL_ADDR_REQUIRED; + return KRB5_LOCAL_ADDR_REQUIRED; if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { - if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, - &replaydata.usec))) - return retval; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) { - outdata->timestamp = replaydata.timestamp; - outdata->usec = replaydata.usec; - } + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { + if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, + &replaydata.usec))) + return retval; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) { + outdata->timestamp = replaydata.timestamp; + outdata->usec = replaydata.usec; + } } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - replaydata.seq = auth_context->local_seq_number++; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) - outdata->seq = replaydata.seq; - } - -{ - krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr; - krb5_address remote_fulladdr; - krb5_address local_fulladdr; - CLEANUP_INIT(2); - - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))) { - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } - } else { - plocal_fulladdr = auth_context->local_addr; - } - - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - CLEANUP_DONE(); - goto error; - } - } else { - premote_fulladdr = auth_context->remote_addr; - } + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { + replaydata.seq = auth_context->local_seq_number++; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) + outdata->seq = replaydata.seq; } - if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata, - plocal_fulladdr, premote_fulladdr, - auth_context->i_vector, outbuf))) { - CLEANUP_DONE(); - goto error; + { + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))) { + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + goto error; + } + } else { + plocal_fulladdr = auth_context->local_addr; + } + + if (auth_context->remote_addr) { + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + goto error; + } + } else { + premote_fulladdr = auth_context->remote_addr; + } + } + + if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata, + plocal_fulladdr, premote_fulladdr, + auth_context->i_vector, outbuf))) { + CLEANUP_DONE(); + goto error; + } + + CLEANUP_DONE(); } - CLEANUP_DONE(); -} - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_donot_replay replay; - - if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, - "_priv", &replay.client))) { - free(outbuf); - goto error; - } - - replay.server = ""; /* XXX */ - replay.msghash = NULL; - replay.cusec = replaydata.usec; - replay.ctime = replaydata.timestamp; - if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { - /* should we really error out here? XXX */ - free(replay.client); - goto error; - } - free(replay.client); + krb5_donot_replay replay; + + if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, + "_priv", &replay.client))) { + free(outbuf); + goto error; + } + + replay.server = ""; /* XXX */ + replay.msghash = NULL; + replay.cusec = replaydata.usec; + replay.ctime = replaydata.timestamp; + if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { + /* should we really error out here? XXX */ + free(replay.client); + goto error; + } + free(replay.client); } return 0; error: if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) - auth_context->local_seq_number--; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + auth_context->local_seq_number--; return retval; } - diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c index a4dbc467f..b50c05765 100644 --- a/src/lib/krb5/krb/mk_rep.c +++ b/src/lib/krb5/krb/mk_rep.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/mk_rep.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_mk_rep() */ @@ -58,81 +59,81 @@ #include "auth_con.h" /* - Formats a KRB_AP_REP message into outbuf. + Formats a KRB_AP_REP message into outbuf. - The outbuf buffer storage is allocated, and should be freed by the - caller when finished. + The outbuf buffer storage is allocated, and should be freed by the + caller when finished. - returns system errors + returns system errors */ static krb5_error_code k5_mk_rep(krb5_context context, krb5_auth_context auth_context, - krb5_data *outbuf, int dce_style) + krb5_data *outbuf, int dce_style) { - krb5_error_code retval; + krb5_error_code retval; krb5_ap_rep_enc_part repl; - krb5_ap_rep reply; - krb5_data * scratch; - krb5_data * toutbuf; + krb5_ap_rep reply; + krb5_data * scratch; + krb5_data * toutbuf; /* Make the reply */ if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (auth_context->local_seq_number == 0)) { - if ((retval = krb5_generate_seq_number(context, - &auth_context->key->keyblock, - &auth_context->local_seq_number))) + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + (auth_context->local_seq_number == 0)) { + if ((retval = krb5_generate_seq_number(context, + &auth_context->key->keyblock, + &auth_context->local_seq_number))) return(retval); } if (dce_style) { - krb5_us_timeofday(context, &repl.ctime, &repl.cusec); + krb5_us_timeofday(context, &repl.ctime, &repl.cusec); } else { - repl.ctime = auth_context->authentp->ctime; - repl.cusec = auth_context->authentp->cusec; + repl.ctime = auth_context->authentp->ctime; + repl.cusec = auth_context->authentp->cusec; } if (dce_style) - repl.subkey = NULL; + repl.subkey = NULL; else if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) { - assert(auth_context->negotiated_etype != ENCTYPE_NULL); - - retval = krb5int_generate_and_save_subkey (context, auth_context, - &auth_context->key->keyblock, - auth_context->negotiated_etype); - if (retval) - return retval; - repl.subkey = &auth_context->send_subkey->keyblock; + assert(auth_context->negotiated_etype != ENCTYPE_NULL); + + retval = krb5int_generate_and_save_subkey (context, auth_context, + &auth_context->key->keyblock, + auth_context->negotiated_etype); + if (retval) + return retval; + repl.subkey = &auth_context->send_subkey->keyblock; } else - repl.subkey = auth_context->authentp->subkey; + repl.subkey = auth_context->authentp->subkey; if (dce_style) - repl.seq_number = auth_context->remote_seq_number; + repl.seq_number = auth_context->remote_seq_number; else - repl.seq_number = auth_context->local_seq_number; + repl.seq_number = auth_context->local_seq_number; /* encode it before encrypting */ if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch))) - return retval; + return retval; if ((retval = krb5_encrypt_keyhelper(context, auth_context->key, - KRB5_KEYUSAGE_AP_REP_ENCPART, - scratch, &reply.enc_part))) - goto cleanup_scratch; + KRB5_KEYUSAGE_AP_REP_ENCPART, + scratch, &reply.enc_part))) + goto cleanup_scratch; if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) { - *outbuf = *toutbuf; - free(toutbuf); + *outbuf = *toutbuf; + free(toutbuf); } memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); - free(reply.enc_part.ciphertext.data); - reply.enc_part.ciphertext.length = 0; + free(reply.enc_part.ciphertext.data); + reply.enc_part.ciphertext.length = 0; reply.enc_part.ciphertext.data = 0; cleanup_scratch: - memset(scratch->data, 0, scratch->length); + memset(scratch->data, 0, scratch->length); krb5_free_data(context, scratch); return retval; diff --git a/src/lib/krb5/krb/mk_req.c b/src/lib/krb5/krb/mk_req.c index 0fc1e7213..ceb60cbf4 100644 --- a/src/lib/krb5/krb/mk_req.c +++ b/src/lib/krb5/krb/mk_req.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/mk_req.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_mk_req() routine. */ @@ -31,53 +32,53 @@ #include "auth_con.h" /* - Formats a KRB_AP_REQ message into outbuf. + Formats a KRB_AP_REQ message into outbuf. - server specifies the principal of the server to receive the message; if - credentials are not present in the credentials cache for this server, the - TGS request with default parameters is used in an attempt to obtain - such credentials, and they are stored in ccache. + server specifies the principal of the server to receive the message; if + credentials are not present in the credentials cache for this server, the + TGS request with default parameters is used in an attempt to obtain + such credentials, and they are stored in ccache. - kdc_options specifies the options requested for the - ap_req_options specifies the KRB_AP_REQ options desired. + kdc_options specifies the options requested for the + ap_req_options specifies the KRB_AP_REQ options desired. - checksum specifies the checksum to be used in the authenticator. + checksum specifies the checksum to be used in the authenticator. - The outbuf buffer storage is allocated, and should be freed by the - caller when finished. + The outbuf buffer storage is allocated, and should be freed by the + caller when finished. - returns system errors + returns system errors */ krb5_error_code KRB5_CALLCONV krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, - krb5_flags ap_req_options, char *service, char *hostname, - krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf) + krb5_flags ap_req_options, char *service, char *hostname, + krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf) { - krb5_error_code retval; - krb5_principal server; - krb5_creds * credsp; - krb5_creds creds; + krb5_error_code retval; + krb5_principal server; + krb5_creds * credsp; + krb5_creds creds; - retval = krb5_sname_to_principal(context, hostname, service, - KRB5_NT_SRV_HST, &server); + retval = krb5_sname_to_principal(context, hostname, service, + KRB5_NT_SRV_HST, &server); if (retval) - return retval; + return retval; /* obtain ticket & session key */ memset(&creds, 0, sizeof(creds)); if ((retval = krb5_copy_principal(context, server, &creds.server))) - goto cleanup_princ; + goto cleanup_princ; if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) - goto cleanup_creds; + goto cleanup_creds; if ((retval = krb5_get_credentials(context, 0, - ccache, &creds, &credsp))) - goto cleanup_creds; + ccache, &creds, &credsp))) + goto cleanup_creds; - retval = krb5_mk_req_extended(context, auth_context, ap_req_options, - in_data, credsp, outbuf); + retval = krb5_mk_req_extended(context, auth_context, ap_req_options, + in_data, credsp, outbuf); krb5_free_creds(context, credsp); diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 4277f1eec..95f04e9a4 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/mk_req_ext.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_mk_req_extended() */ @@ -32,90 +33,90 @@ #include "auth_con.h" /* - Formats a KRB_AP_REQ message into outbuf, with more complete options than - krb_mk_req. + Formats a KRB_AP_REQ message into outbuf, with more complete options than + krb_mk_req. - outbuf, ap_req_options, checksum, and ccache are used in the - same fashion as for krb5_mk_req. + outbuf, ap_req_options, checksum, and ccache are used in the + same fashion as for krb5_mk_req. - creds is used to supply the credentials (ticket and session key) needed - to form the request. + creds is used to supply the credentials (ticket and session key) needed + to form the request. - if creds->ticket has no data (length == 0), then a ticket is obtained - from either the cache or the TGS, passing creds to krb5_get_credentials(). - kdc_options specifies the options requested for the ticket to be used. - If a ticket with appropriate flags is not found in the cache, then these - options are passed on in a request to an appropriate KDC. + if creds->ticket has no data (length == 0), then a ticket is obtained + from either the cache or the TGS, passing creds to krb5_get_credentials(). + kdc_options specifies the options requested for the ticket to be used. + If a ticket with appropriate flags is not found in the cache, then these + options are passed on in a request to an appropriate KDC. - ap_req_options specifies the KRB_AP_REQ options desired. + ap_req_options specifies the KRB_AP_REQ options desired. - if ap_req_options specifies AP_OPTS_USE_SESSION_KEY, then creds->ticket - must contain the appropriate ENC-TKT-IN-SKEY ticket. + if ap_req_options specifies AP_OPTS_USE_SESSION_KEY, then creds->ticket + must contain the appropriate ENC-TKT-IN-SKEY ticket. - checksum specifies the checksum to be used in the authenticator. + checksum specifies the checksum to be used in the authenticator. - The outbuf buffer storage is allocated, and should be freed by the - caller when finished. + The outbuf buffer storage is allocated, and should be freed by the + caller when finished. - On an error return, the credentials pointed to by creds might have been - augmented with additional fields from the obtained credentials; the entire - credentials should be released by calling krb5_free_creds(). + On an error return, the credentials pointed to by creds might have been + augmented with additional fields from the obtained credentials; the entire + credentials should be released by calling krb5_free_creds(). - returns system errors + returns system errors */ static krb5_error_code make_etype_list(krb5_context context, - krb5_enctype *desired_etypes, - krb5_enctype tkt_enctype, - krb5_authdata ***authdata); + krb5_enctype *desired_etypes, + krb5_enctype tkt_enctype, + krb5_authdata ***authdata); -static krb5_error_code +static krb5_error_code krb5_generate_authenticator (krb5_context, - krb5_authenticator *, krb5_principal, - krb5_checksum *, krb5_key, - krb5_ui_4, krb5_authdata **, - krb5_authdata_context ad_context, - krb5_enctype *desired_etypes, - krb5_enctype tkt_enctype); + krb5_authenticator *, krb5_principal, + krb5_checksum *, krb5_key, + krb5_ui_4, krb5_authdata **, + krb5_authdata_context ad_context, + krb5_enctype *desired_etypes, + krb5_enctype tkt_enctype); krb5_error_code krb5int_generate_and_save_subkey (krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock, - krb5_enctype enctype) + krb5_auth_context auth_context, + krb5_keyblock *keyblock, + krb5_enctype enctype) { /* Provide some more fodder for random number code. This isn't strong cryptographically; the point here is not to guarantee randomness, but to make it less likely that multiple sessions could pick the same subkey. */ struct { - krb5_int32 sec, usec; + krb5_int32 sec, usec; } rnd_data; krb5_data d; krb5_error_code retval; krb5_keyblock *kb = NULL; if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) { - d.length = sizeof(rnd_data); - d.data = (char *) &rnd_data; - krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d); + d.length = sizeof(rnd_data); + d.data = (char *) &rnd_data; + krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d); } retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb); if (retval) - return retval; + return retval; retval = krb5_auth_con_setsendsubkey(context, auth_context, kb); if (retval) - goto cleanup; + goto cleanup; retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb); if (retval) - goto cleanup; + goto cleanup; cleanup: if (retval) { - (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL); - (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL); + (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL); + (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL); } krb5_free_keyblock(context, kb); return retval; @@ -123,14 +124,14 @@ cleanup: krb5_error_code KRB5_CALLCONV krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, - krb5_flags ap_req_options, krb5_data *in_data, - krb5_creds *in_creds, krb5_data *outbuf) + krb5_flags ap_req_options, krb5_data *in_data, + krb5_creds *in_creds, krb5_data *outbuf) { - krb5_error_code retval; - krb5_checksum checksum; - krb5_checksum *checksump = 0; - krb5_auth_context new_auth_context; - krb5_enctype *desired_etypes = NULL; + krb5_error_code retval; + krb5_checksum checksum; + krb5_checksum *checksump = 0; + krb5_auth_context new_auth_context; + krb5_enctype *desired_etypes = NULL; krb5_ap_req request; krb5_data *scratch = 0; @@ -139,134 +140,134 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, request.ap_options = ap_req_options & AP_OPTS_WIRE_MASK; request.authenticator.ciphertext.data = NULL; request.ticket = 0; - - if (!in_creds->ticket.length) - return(KRB5_NO_TKT_SUPPLIED); + + if (!in_creds->ticket.length) + return(KRB5_NO_TKT_SUPPLIED); if ((ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) && - !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) - return(EINVAL); + !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) + return(EINVAL); /* we need a native ticket */ if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket))) - return(retval); - + return(retval); + /* verify that the ticket is not expired */ if ((retval = krb5_validate_times(context, &in_creds->times)) != 0) - goto cleanup; + goto cleanup; /* generate auth_context if needed */ if (*auth_context == NULL) { - if ((retval = krb5_auth_con_init(context, &new_auth_context))) - goto cleanup; - *auth_context = new_auth_context; + if ((retval = krb5_auth_con_init(context, &new_auth_context))) + goto cleanup; + *auth_context = new_auth_context; } if ((*auth_context)->key != NULL) { - krb5_k_free_key(context, (*auth_context)->key); - (*auth_context)->key = NULL; + krb5_k_free_key(context, (*auth_context)->key); + (*auth_context)->key = NULL; } /* set auth context keyblock */ if ((retval = krb5_k_create_key(context, &in_creds->keyblock, - &((*auth_context)->key)))) - goto cleanup; + &((*auth_context)->key)))) + goto cleanup; /* generate seq number if needed */ if ((((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) - || ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) - && ((*auth_context)->local_seq_number == 0)) - if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock, - &(*auth_context)->local_seq_number))) - goto cleanup; - + || ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + && ((*auth_context)->local_seq_number == 0)) + if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock, + &(*auth_context)->local_seq_number))) + goto cleanup; + /* generate subkey if needed */ if (!in_data &&(*auth_context)->checksum_func) { - retval = (*auth_context)->checksum_func( context, - *auth_context, - (*auth_context)->checksum_func_data, - &in_data); - if (retval) - goto cleanup; + retval = (*auth_context)->checksum_func( context, + *auth_context, + (*auth_context)->checksum_func_data, + &in_data); + if (retval) + goto cleanup; } if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) { - retval = krb5int_generate_and_save_subkey (context, *auth_context, - &in_creds->keyblock, - in_creds->keyblock.enctype); - if (retval) - goto cleanup; + retval = krb5int_generate_and_save_subkey (context, *auth_context, + &in_creds->keyblock, + in_creds->keyblock.enctype); + if (retval) + goto cleanup; } if (in_data) { - if ((*auth_context)->req_cksumtype == 0x8003) { - /* XXX Special hack for GSSAPI */ - checksum.checksum_type = 0x8003; - checksum.length = in_data->length; - checksum.contents = (krb5_octet *) in_data->data; - } else { - krb5_enctype enctype = krb5_k_key_enctype(context, - (*auth_context)->key); - krb5_cksumtype cksumtype; - retval = krb5int_c_mandatory_cksumtype(context, enctype, - &cksumtype); - if (retval) - goto cleanup_cksum; - if ((*auth_context)->req_cksumtype) - cksumtype = (*auth_context)->req_cksumtype; - if ((retval = krb5_k_make_checksum(context, - cksumtype, - (*auth_context)->key, - KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, - in_data, &checksum))) - goto cleanup_cksum; - } - checksump = &checksum; + if ((*auth_context)->req_cksumtype == 0x8003) { + /* XXX Special hack for GSSAPI */ + checksum.checksum_type = 0x8003; + checksum.length = in_data->length; + checksum.contents = (krb5_octet *) in_data->data; + } else { + krb5_enctype enctype = krb5_k_key_enctype(context, + (*auth_context)->key); + krb5_cksumtype cksumtype; + retval = krb5int_c_mandatory_cksumtype(context, enctype, + &cksumtype); + if (retval) + goto cleanup_cksum; + if ((*auth_context)->req_cksumtype) + cksumtype = (*auth_context)->req_cksumtype; + if ((retval = krb5_k_make_checksum(context, + cksumtype, + (*auth_context)->key, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + in_data, &checksum))) + goto cleanup_cksum; + } + checksump = &checksum; } /* Generate authenticator */ if (((*auth_context)->authentp = (krb5_authenticator *)malloc(sizeof( - krb5_authenticator))) == NULL) { - retval = ENOMEM; - goto cleanup_cksum; + krb5_authenticator))) == NULL) { + retval = ENOMEM; + goto cleanup_cksum; } if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) { - if ((*auth_context)->permitted_etypes == NULL) { - retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes); - if (retval) - goto cleanup_cksum; - } else - desired_etypes = (*auth_context)->permitted_etypes; + if ((*auth_context)->permitted_etypes == NULL) { + retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes); + if (retval) + goto cleanup_cksum; + } else + desired_etypes = (*auth_context)->permitted_etypes; } if ((retval = krb5_generate_authenticator(context, - (*auth_context)->authentp, - in_creds->client, checksump, - (*auth_context)->send_subkey, - (*auth_context)->local_seq_number, - in_creds->authdata, - (*auth_context)->ad_context, - desired_etypes, - in_creds->keyblock.enctype))) - goto cleanup_cksum; - + (*auth_context)->authentp, + in_creds->client, checksump, + (*auth_context)->send_subkey, + (*auth_context)->local_seq_number, + in_creds->authdata, + (*auth_context)->ad_context, + desired_etypes, + in_creds->keyblock.enctype))) + goto cleanup_cksum; + /* encode the authenticator */ if ((retval = encode_krb5_authenticator((*auth_context)->authentp, - &scratch))) - goto cleanup_cksum; - + &scratch))) + goto cleanup_cksum; + /* call the encryption routine */ if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock, - KRB5_KEYUSAGE_AP_REQ_AUTH, - scratch, &request.authenticator))) - goto cleanup_cksum; + KRB5_KEYUSAGE_AP_REQ_AUTH, + scratch, &request.authenticator))) + goto cleanup_cksum; if ((retval = encode_krb5_ap_req(&request, &toutbuf))) - goto cleanup_cksum; + goto cleanup_cksum; *outbuf = *toutbuf; free(toutbuf); @@ -276,39 +277,39 @@ cleanup_cksum: * they were supplied by the caller */ if ((*auth_context)->authentp != NULL) { - (*auth_context)->authentp->client = NULL; - (*auth_context)->authentp->checksum = NULL; + (*auth_context)->authentp->client = NULL; + (*auth_context)->authentp->checksum = NULL; } if (checksump && checksump->checksum_type != 0x8003) - free(checksump->contents); + free(checksump->contents); cleanup: if (desired_etypes && - desired_etypes != (*auth_context)->permitted_etypes) - free(desired_etypes); + desired_etypes != (*auth_context)->permitted_etypes) + free(desired_etypes); if (request.ticket) - krb5_free_ticket(context, request.ticket); + krb5_free_ticket(context, request.ticket); if (request.authenticator.ciphertext.data) { - (void) memset(request.authenticator.ciphertext.data, 0, - request.authenticator.ciphertext.length); - free(request.authenticator.ciphertext.data); + (void) memset(request.authenticator.ciphertext.data, 0, + request.authenticator.ciphertext.length); + free(request.authenticator.ciphertext.data); } if (scratch) { - memset(scratch->data, 0, scratch->length); + memset(scratch->data, 0, scratch->length); free(scratch->data); - free(scratch); + free(scratch); } return retval; } static krb5_error_code krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, - krb5_principal client, krb5_checksum *cksum, - krb5_key key, krb5_ui_4 seq_number, - krb5_authdata **authorization, - krb5_authdata_context ad_context, - krb5_enctype *desired_etypes, - krb5_enctype tkt_enctype) + krb5_principal client, krb5_checksum *cksum, + krb5_key key, krb5_ui_4 seq_number, + krb5_authdata **authorization, + krb5_authdata_context ad_context, + krb5_enctype *desired_etypes, + krb5_enctype tkt_enctype) { krb5_error_code retval; krb5_authdata **ext_authdata = NULL; @@ -316,41 +317,41 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, authent->client = client; authent->checksum = cksum; if (key) { - retval = krb5_k_key_keyblock(context, key, &authent->subkey); - if (retval) - return retval; + retval = krb5_k_key_keyblock(context, key, &authent->subkey); + if (retval) + return retval; } else - authent->subkey = 0; + authent->subkey = 0; authent->seq_number = seq_number; authent->authorization_data = NULL; if (ad_context != NULL) { - retval = krb5_authdata_export_authdata(context, - ad_context, - AD_USAGE_AP_REQ, - &ext_authdata); - if (retval) - return retval; + retval = krb5_authdata_export_authdata(context, + ad_context, + AD_USAGE_AP_REQ, + &ext_authdata); + if (retval) + return retval; } if (authorization != NULL || ext_authdata != NULL) { - retval = krb5_merge_authdata(context, - authorization, - ext_authdata, - &authent->authorization_data); - if (retval) { - krb5_free_authdata(context, ext_authdata); - return retval; - } - krb5_free_authdata(context, ext_authdata); + retval = krb5_merge_authdata(context, + authorization, + ext_authdata, + &authent->authorization_data); + if (retval) { + krb5_free_authdata(context, ext_authdata); + return retval; + } + krb5_free_authdata(context, ext_authdata); } - /* Only send EtypeList if we prefer another enctype to tkt_enctype */ + /* Only send EtypeList if we prefer another enctype to tkt_enctype */ if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) { - retval = make_etype_list(context, desired_etypes, tkt_enctype, - &authent->authorization_data); - if (retval) - return retval; + retval = make_etype_list(context, desired_etypes, tkt_enctype, + &authent->authorization_data); + if (retval) + return retval; } return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec)); @@ -359,9 +360,9 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, /* RFC 4537 */ static krb5_error_code make_etype_list(krb5_context context, - krb5_enctype *desired_etypes, - krb5_enctype tkt_enctype, - krb5_authdata ***authdata) + krb5_enctype *desired_etypes, + krb5_enctype tkt_enctype, + krb5_authdata ***authdata) { krb5_error_code code; krb5_etype_list etypes; @@ -373,22 +374,22 @@ make_etype_list(krb5_context context, etypes.etypes = desired_etypes; for (etypes.length = 0; - etypes.etypes[etypes.length] != ENCTYPE_NULL; - etypes.length++) + etypes.etypes[etypes.length] != ENCTYPE_NULL; + etypes.length++) { - /* - * RFC 4537: - * - * If the enctype of the ticket session key is included in the enctype - * list sent by the client, it SHOULD be the last on the list; - */ - if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype) - break; + /* + * RFC 4537: + * + * If the enctype of the ticket session key is included in the enctype + * list sent by the client, it SHOULD be the last on the list; + */ + if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype) + break; } code = encode_krb5_etype_list(&etypes, &enc_etype_list); if (code) { - return code; + return code; } etype_adatum.magic = KV5M_AUTHDATA; @@ -402,33 +403,33 @@ make_etype_list(krb5_context context, /* Wrap in AD-IF-RELEVANT container */ code = encode_krb5_authdata(etype_adata, &ad_if_relevant); if (code) { - krb5_free_data(context, enc_etype_list); - return code; + krb5_free_data(context, enc_etype_list); + return code; } krb5_free_data(context, enc_etype_list); adata = *authdata; if (adata == NULL) { - adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *)); - i = 0; + adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *)); + i = 0; } else { - for (i = 0; adata[i] != NULL; i++) - ; + for (i = 0; adata[i] != NULL; i++) + ; - adata = (krb5_authdata **)realloc(*authdata, - (i + 2) * sizeof(krb5_authdata *)); + adata = (krb5_authdata **)realloc(*authdata, + (i + 2) * sizeof(krb5_authdata *)); } if (adata == NULL) { - krb5_free_data(context, ad_if_relevant); - return ENOMEM; + krb5_free_data(context, ad_if_relevant); + return ENOMEM; } *authdata = adata; adata[i] = (krb5_authdata *)malloc(sizeof(krb5_authdata)); if (adata[i] == NULL) { - krb5_free_data(context, ad_if_relevant); - return ENOMEM; + krb5_free_data(context, ad_if_relevant); + return ENOMEM; } adata[i]->magic = KV5M_AUTHDATA; adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT; @@ -440,4 +441,3 @@ make_etype_list(krb5_context context, return 0; } - diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index f3bfde390..eaa3add82 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/mk_safe.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_mk_safe() */ @@ -32,25 +33,25 @@ #include "auth_con.h" /* - Formats a KRB_SAFE message into outbuf. + Formats a KRB_SAFE message into outbuf. - userdata is formatted as the user data in the message. - sumtype specifies the encryption type; key specifies the key which - might be used to seed the checksum; sender_addr and recv_addr specify - the full addresses (host and port) of the sender and receiver. - The host portion of sender_addr is used to form the addresses used in the - KRB_SAFE message. + userdata is formatted as the user data in the message. + sumtype specifies the encryption type; key specifies the key which + might be used to seed the checksum; sender_addr and recv_addr specify + the full addresses (host and port) of the sender and receiver. + The host portion of sender_addr is used to form the addresses used in the + KRB_SAFE message. - The outbuf buffer storage is allocated, and should be freed by the - caller when finished. + The outbuf buffer storage is allocated, and should be freed by the + caller when finished. - returns system errors + returns system errors */ static krb5_error_code krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, - krb5_key key, krb5_replay_data *replaydata, - krb5_address *local_addr, krb5_address *remote_addr, - krb5_cksumtype sumtype, krb5_data *outbuf) + krb5_key key, krb5_replay_data *replaydata, + krb5_address *local_addr, krb5_address *remote_addr, + krb5_cksumtype sumtype, krb5_data *outbuf) { krb5_error_code retval; krb5_safe safemsg; @@ -59,10 +60,10 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, krb5_data *scratch1, *scratch2; if (!krb5_c_valid_cksumtype(sumtype)) - return KRB5_PROG_SUMTYPE_NOSUPP; + return KRB5_PROG_SUMTYPE_NOSUPP; if (!krb5_c_is_coll_proof_cksum(sumtype) - || !krb5_c_is_keyed_cksum(sumtype)) - return KRB5KRB_AP_ERR_INAPP_CKSUM; + || !krb5_c_is_keyed_cksum(sumtype)) + return KRB5KRB_AP_ERR_INAPP_CKSUM; safemsg.user_data = *userdata; safemsg.s_address = (krb5_address *) local_addr; @@ -73,10 +74,10 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, safemsg.usec = replaydata->usec; safemsg.seq_number = replaydata->seq; - /* + /* * To do the checksum stuff, we need to encode the message with a * zero-length zero-type checksum, then checksum the encoding, then - * re-encode with the checksum. + * re-encode with the checksum. */ safe_checksum.length = 0; @@ -86,16 +87,16 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, safemsg.checksum = &safe_checksum; if ((retval = encode_krb5_safe(&safemsg, &scratch1))) - return retval; + return retval; if ((retval = krb5_k_make_checksum(context, sumtype, key, - KRB5_KEYUSAGE_KRB_SAFE_CKSUM, - scratch1, &safe_checksum))) - goto cleanup_checksum; + KRB5_KEYUSAGE_KRB_SAFE_CKSUM, + scratch1, &safe_checksum))) + goto cleanup_checksum; safemsg.checksum = &safe_checksum; if ((retval = encode_krb5_safe(&safemsg, &scratch2))) { - goto cleanup_checksum; + goto cleanup_checksum; } *outbuf = *scratch2; free(scratch2); @@ -104,17 +105,17 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, cleanup_checksum: free(safe_checksum.contents); - memset(scratch1->data, 0, scratch1->length); + memset(scratch1->data, 0, scratch1->length); krb5_free_data(context, scratch1); return retval; } krb5_error_code KRB5_CALLCONV krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, - const krb5_data *userdata, krb5_data *outbuf, - krb5_replay_data *outdata) + const krb5_data *userdata, krb5_data *outbuf, + krb5_replay_data *outdata) { - krb5_error_code retval; + krb5_error_code retval; krb5_key key; krb5_replay_data replaydata; @@ -123,140 +124,139 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, /* Get key */ if ((key = auth_context->send_subkey) == NULL) - key = auth_context->key; + key = auth_context->key; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) - return KRB5_RC_REQUIRED; + (auth_context->rcache == NULL)) + return KRB5_RC_REQUIRED; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (outdata == NULL)) - /* Need a better error */ - return KRB5_RC_REQUIRED; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + (outdata == NULL)) + /* Need a better error */ + return KRB5_RC_REQUIRED; if (!auth_context->local_addr) - return KRB5_LOCAL_ADDR_REQUIRED; + return KRB5_LOCAL_ADDR_REQUIRED; if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { - if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, - &replaydata.usec))) - return retval; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) { - outdata->timestamp = replaydata.timestamp; - outdata->usec = replaydata.usec; - } + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { + if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, + &replaydata.usec))) + return retval; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) { + outdata->timestamp = replaydata.timestamp; + outdata->usec = replaydata.usec; + } } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - replaydata.seq = auth_context->local_seq_number++; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) - outdata->seq = replaydata.seq; - } - -{ - krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr; - krb5_address remote_fulladdr; - krb5_address local_fulladdr; - krb5_cksumtype sumtype; - - CLEANUP_INIT(2); - - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))){ - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } - } else { - plocal_fulladdr = auth_context->local_addr; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { + replaydata.seq = auth_context->local_seq_number++; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) + outdata->seq = replaydata.seq; } - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; + { + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + krb5_cksumtype sumtype; + + CLEANUP_INIT(2); + + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))){ + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; } else { - CLEANUP_DONE(); goto error; } - } else { - premote_fulladdr = auth_context->remote_addr; + } else { + plocal_fulladdr = auth_context->local_addr; } - } - { - krb5_enctype enctype = krb5_k_key_enctype(context, key); - unsigned int nsumtypes; - unsigned int i; - krb5_cksumtype *sumtypes; - retval = krb5_c_keyed_checksum_types (context, enctype, - &nsumtypes, &sumtypes); - if (retval) { - CLEANUP_DONE (); - goto error; - } - if (nsumtypes == 0) { - retval = KRB5_BAD_ENCTYPE; - krb5_free_cksumtypes (context, sumtypes); - CLEANUP_DONE (); - goto error; - } - for (i = 0; i < nsumtypes; i++) - if (auth_context->safe_cksumtype == sumtypes[i]) - break; - if (i == nsumtypes) - i = 0; - sumtype = sumtypes[i]; - krb5_free_cksumtypes (context, sumtypes); - } - if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata, - plocal_fulladdr, premote_fulladdr, - sumtype, outbuf))) { - CLEANUP_DONE(); - goto error; - } + if (auth_context->remote_addr) { + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + goto error; + } + } else { + premote_fulladdr = auth_context->remote_addr; + } + } - CLEANUP_DONE(); -} + { + krb5_enctype enctype = krb5_k_key_enctype(context, key); + unsigned int nsumtypes; + unsigned int i; + krb5_cksumtype *sumtypes; + retval = krb5_c_keyed_checksum_types (context, enctype, + &nsumtypes, &sumtypes); + if (retval) { + CLEANUP_DONE (); + goto error; + } + if (nsumtypes == 0) { + retval = KRB5_BAD_ENCTYPE; + krb5_free_cksumtypes (context, sumtypes); + CLEANUP_DONE (); + goto error; + } + for (i = 0; i < nsumtypes; i++) + if (auth_context->safe_cksumtype == sumtypes[i]) + break; + if (i == nsumtypes) + i = 0; + sumtype = sumtypes[i]; + krb5_free_cksumtypes (context, sumtypes); + } + if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata, + plocal_fulladdr, premote_fulladdr, + sumtype, outbuf))) { + CLEANUP_DONE(); + goto error; + } + + CLEANUP_DONE(); + } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_donot_replay replay; - - if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, - "_safe", &replay.client))) { - free(outbuf); - goto error; - } - - replay.server = ""; /* XXX */ - replay.msghash = NULL; - replay.cusec = replaydata.usec; - replay.ctime = replaydata.timestamp; - if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { - /* should we really error out here? XXX */ - free(outbuf); - goto error; - } - free(replay.client); + krb5_donot_replay replay; + + if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, + "_safe", &replay.client))) { + free(outbuf); + goto error; + } + + replay.server = ""; /* XXX */ + replay.msghash = NULL; + replay.cusec = replaydata.usec; + replay.ctime = replaydata.timestamp; + if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { + /* should we really error out here? XXX */ + free(outbuf); + goto error; + } + free(replay.client); } return 0; error: if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) - auth_context->local_seq_number--; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + auth_context->local_seq_number--; return retval; } - diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 3fcdaea1c..cda09b255 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/pac.c * @@ -43,16 +44,16 @@ typedef struct _PAC_INFO_BUFFER { krb5_ui_8 Offset; } PAC_INFO_BUFFER; -#define PAC_INFO_BUFFER_LENGTH 16 +#define PAC_INFO_BUFFER_LENGTH 16 /* ulType */ -#define PAC_LOGON_INFO 1 -#define PAC_CREDENTIALS_INFO 2 -#define PAC_SERVER_CHECKSUM 6 -#define PAC_PRIVSVR_CHECKSUM 7 -#define PAC_CLIENT_INFO 10 -#define PAC_DELEGATION_INFO 11 -#define PAC_UPN_DNS_INFO 12 +#define PAC_LOGON_INFO 1 +#define PAC_CREDENTIALS_INFO 2 +#define PAC_SERVER_CHECKSUM 6 +#define PAC_PRIVSVR_CHECKSUM 7 +#define PAC_CLIENT_INFO 10 +#define PAC_DELEGATION_INFO 11 +#define PAC_UPN_DNS_INFO 12 typedef struct _PACTYPE { krb5_ui_4 cBuffers; @@ -60,35 +61,35 @@ typedef struct _PACTYPE { PAC_INFO_BUFFER Buffers[1]; } PACTYPE; -#define PAC_ALIGNMENT 8 -#define PACTYPE_LENGTH 8U +#define PAC_ALIGNMENT 8 +#define PACTYPE_LENGTH 8U #define PAC_SIGNATURE_DATA_LENGTH 4U -#define PAC_CLIENT_INFO_LENGTH 10U +#define PAC_CLIENT_INFO_LENGTH 10U -#define NT_TIME_EPOCH 11644473600LL +#define NT_TIME_EPOCH 11644473600LL struct krb5_pac_data { - PACTYPE *pac; /* PAC header + info buffer array */ - krb5_data data; /* PAC data (including uninitialised header) */ + PACTYPE *pac; /* PAC header + info buffer array */ + krb5_data data; /* PAC data (including uninitialised header) */ krb5_boolean verified; }; static krb5_error_code k5_pac_locate_buffer(krb5_context context, - const krb5_pac pac, - krb5_ui_4 type, - krb5_data *data); + const krb5_pac pac, + krb5_ui_4 type, + krb5_data *data); /* * Add a buffer to the provided PAC and update header. */ static krb5_error_code k5_pac_add_buffer(krb5_context context, - krb5_pac pac, - krb5_ui_4 type, - const krb5_data *data, - krb5_boolean zerofill, - krb5_data *out_data) + krb5_pac pac, + krb5_ui_4 type, + const krb5_data *data, + krb5_boolean zerofill, + krb5_data *out_data) { PACTYPE *header; size_t header_len, i, pad = 0; @@ -98,37 +99,37 @@ k5_pac_add_buffer(krb5_context context, /* Check there isn't already a buffer of this type */ if (k5_pac_locate_buffer(context, pac, type, NULL) == 0) { - return EEXIST; + return EEXIST; } header = (PACTYPE *)realloc(pac->pac, - sizeof(PACTYPE) + - (pac->pac->cBuffers * sizeof(PAC_INFO_BUFFER))); + sizeof(PACTYPE) + + (pac->pac->cBuffers * sizeof(PAC_INFO_BUFFER))); if (header == NULL) { - return ENOMEM; + return ENOMEM; } pac->pac = header; header_len = PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH); if (data->length % PAC_ALIGNMENT) - pad = PAC_ALIGNMENT - (data->length % PAC_ALIGNMENT); + pad = PAC_ALIGNMENT - (data->length % PAC_ALIGNMENT); pac_data = realloc(pac->data.data, - pac->data.length + PAC_INFO_BUFFER_LENGTH + data->length + pad); + pac->data.length + PAC_INFO_BUFFER_LENGTH + data->length + pad); if (pac_data == NULL) { - return ENOMEM; + return ENOMEM; } pac->data.data = pac_data; /* Update offsets of existing buffers */ for (i = 0; i < pac->pac->cBuffers; i++) - pac->pac->Buffers[i].Offset += PAC_INFO_BUFFER_LENGTH; + pac->pac->Buffers[i].Offset += PAC_INFO_BUFFER_LENGTH; /* Make room for new PAC_INFO_BUFFER */ memmove(pac->data.data + header_len + PAC_INFO_BUFFER_LENGTH, - pac->data.data + header_len, - pac->data.length - header_len); + pac->data.data + header_len, + pac->data.length - header_len); memset(pac->data.data + header_len, 0, PAC_INFO_BUFFER_LENGTH); /* Initialise new PAC_INFO_BUFFER */ @@ -139,9 +140,9 @@ k5_pac_add_buffer(krb5_context context, /* Copy in new PAC data and zero padding bytes */ if (zerofill) - memset(pac->data.data + pac->pac->Buffers[i].Offset, 0, data->length); + memset(pac->data.data + pac->pac->Buffers[i].Offset, 0, data->length); else - memcpy(pac->data.data + pac->pac->Buffers[i].Offset, data->data, data->length); + memcpy(pac->data.data + pac->pac->Buffers[i].Offset, data->data, data->length); memset(pac->data.data + pac->pac->Buffers[i].Offset + data->length, 0, pad); @@ -149,8 +150,8 @@ k5_pac_add_buffer(krb5_context context, pac->data.length += PAC_INFO_BUFFER_LENGTH + data->length + pad; if (out_data != NULL) { - out_data->data = pac->data.data + pac->pac->Buffers[i].Offset; - out_data->length = data->length; + out_data->data = pac->data.data + pac->pac->Buffers[i].Offset; + out_data->length = data->length; } pac->verified = FALSE; @@ -160,9 +161,9 @@ k5_pac_add_buffer(krb5_context context, krb5_error_code KRB5_CALLCONV krb5_pac_add_buffer(krb5_context context, - krb5_pac pac, - krb5_ui_4 type, - const krb5_data *data) + krb5_pac pac, + krb5_ui_4 type, + const krb5_data *data) { return k5_pac_add_buffer(context, pac, type, data, FALSE, NULL); } @@ -172,49 +173,49 @@ krb5_pac_add_buffer(krb5_context context, */ void KRB5_CALLCONV krb5_pac_free(krb5_context context, - krb5_pac pac) + krb5_pac pac) { if (pac != NULL) { - if (pac->data.data != NULL) { - memset(pac->data.data, 0, pac->data.length); - free(pac->data.data); - } - if (pac->pac != NULL) - free(pac->pac); - memset(pac, 0, sizeof(*pac)); - free(pac); + if (pac->data.data != NULL) { + memset(pac->data.data, 0, pac->data.length); + free(pac->data.data); + } + if (pac->pac != NULL) + free(pac->pac); + memset(pac, 0, sizeof(*pac)); + free(pac); } } static krb5_error_code k5_pac_locate_buffer(krb5_context context, - const krb5_pac pac, - krb5_ui_4 type, - krb5_data *data) + const krb5_pac pac, + krb5_ui_4 type, + krb5_data *data) { PAC_INFO_BUFFER *buffer = NULL; size_t i; if (pac == NULL) - return EINVAL; + return EINVAL; for (i = 0; i < pac->pac->cBuffers; i++) { - if (pac->pac->Buffers[i].ulType == type) { - if (buffer == NULL) - buffer = &pac->pac->Buffers[i]; - else - return EINVAL; - } + if (pac->pac->Buffers[i].ulType == type) { + if (buffer == NULL) + buffer = &pac->pac->Buffers[i]; + else + return EINVAL; + } } if (buffer == NULL) - return ENOENT; + return ENOENT; assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length); if (data != NULL) { - data->length = buffer->cbBufferSize; - data->data = pac->data.data + buffer->Offset; + data->length = buffer->cbBufferSize; + data->data = pac->data.data + buffer->Offset; } return 0; @@ -225,20 +226,20 @@ k5_pac_locate_buffer(krb5_context context, */ krb5_error_code KRB5_CALLCONV krb5_pac_get_buffer(krb5_context context, - krb5_pac pac, - krb5_ui_4 type, - krb5_data *data) + krb5_pac pac, + krb5_ui_4 type, + krb5_data *data) { krb5_data d; krb5_error_code ret; ret = k5_pac_locate_buffer(context, pac, type, &d); if (ret != 0) - return ret; + return ret; data->data = malloc(d.length); if (data->data == NULL) - return ENOMEM; + return ENOMEM; data->length = d.length; memcpy(data->data, d.data, d.length); @@ -251,20 +252,20 @@ krb5_pac_get_buffer(krb5_context context, */ krb5_error_code KRB5_CALLCONV krb5_pac_get_types(krb5_context context, - krb5_pac pac, - size_t *len, - krb5_ui_4 **types) + krb5_pac pac, + size_t *len, + krb5_ui_4 **types) { size_t i; *types = (krb5_ui_4 *)malloc(pac->pac->cBuffers * sizeof(krb5_ui_4)); if (*types == NULL) - return ENOMEM; + return ENOMEM; *len = pac->pac->cBuffers; for (i = 0; i < pac->pac->cBuffers; i++) - (*types)[i] = pac->pac->Buffers[i].ulType; + (*types)[i] = pac->pac->Buffers[i].ulType; return 0; } @@ -274,18 +275,18 @@ krb5_pac_get_types(krb5_context context, */ krb5_error_code KRB5_CALLCONV krb5_pac_init(krb5_context context, - krb5_pac *ppac) + krb5_pac *ppac) { krb5_pac pac; pac = (krb5_pac)malloc(sizeof(*pac)); if (pac == NULL) - return ENOMEM; + return ENOMEM; pac->pac = (PACTYPE *)malloc(sizeof(PACTYPE)); if (pac->pac == NULL) { - free(pac); - return ENOMEM; + free(pac); + return ENOMEM; } pac->pac->cBuffers = 0; @@ -294,8 +295,8 @@ krb5_pac_init(krb5_context context, pac->data.length = PACTYPE_LENGTH; pac->data.data = calloc(1, pac->data.length); if (pac->data.data == NULL) { - krb5_pac_free(context, pac); - return ENOMEM; + krb5_pac_free(context, pac); + return ENOMEM; } pac->verified = FALSE; @@ -307,8 +308,8 @@ krb5_pac_init(krb5_context context, static krb5_error_code k5_pac_copy(krb5_context context, - krb5_pac src, - krb5_pac *dst) + krb5_pac src, + krb5_pac *dst) { size_t header_len; krb5_ui_4 cbuffers; @@ -317,27 +318,27 @@ k5_pac_copy(krb5_context context, cbuffers = src->pac->cBuffers; if (cbuffers != 0) - cbuffers--; + cbuffers--; header_len = sizeof(PACTYPE) + cbuffers * sizeof(PAC_INFO_BUFFER); pac = (krb5_pac)malloc(sizeof(*pac)); if (pac == NULL) - return ENOMEM; + return ENOMEM; pac->pac = (PACTYPE *)malloc(header_len); if (pac->pac == NULL) { - free(pac); - return ENOMEM; + free(pac); + return ENOMEM; } memcpy(pac->pac, src->pac, header_len); code = krb5int_copy_data_contents(context, &src->data, &pac->data); if (code != 0) { - free(pac->pac); - free(pac); - return ENOMEM; + free(pac->pac); + free(pac); + return ENOMEM; } pac->verified = src->verified; @@ -351,9 +352,9 @@ k5_pac_copy(krb5_context context, */ krb5_error_code KRB5_CALLCONV krb5_pac_parse(krb5_context context, - const void *ptr, - size_t len, - krb5_pac *ppac) + const void *ptr, + size_t len, + krb5_pac *ppac) { krb5_error_code ret; size_t i; @@ -365,7 +366,7 @@ krb5_pac_parse(krb5_context context, *ppac = NULL; if (len < PACTYPE_LENGTH) - return ERANGE; + return ERANGE; cbuffers = load_32_le(p); p += 4; @@ -373,51 +374,51 @@ krb5_pac_parse(krb5_context context, p += 4; if (version != 0) - return EINVAL; + return EINVAL; header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); if (len < header_len) - return ERANGE; + return ERANGE; ret = krb5_pac_init(context, &pac); if (ret != 0) - return ret; + return ret; pac->pac = (PACTYPE *)realloc(pac->pac, - sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER))); + sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER))); if (pac->pac == NULL) { - krb5_pac_free(context, pac); - return ENOMEM; + krb5_pac_free(context, pac); + return ENOMEM; } pac->pac->cBuffers = cbuffers; pac->pac->Version = version; for (i = 0; i < pac->pac->cBuffers; i++) { - PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i]; - - buffer->ulType = load_32_le(p); - p += 4; - buffer->cbBufferSize = load_32_le(p); - p += 4; - buffer->Offset = load_64_le(p); - p += 8; - - if (buffer->Offset % PAC_ALIGNMENT) { - krb5_pac_free(context, pac); - return EINVAL; - } - if (buffer->Offset < header_len || - buffer->Offset + buffer->cbBufferSize > len) { - krb5_pac_free(context, pac); - return ERANGE; - } + PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i]; + + buffer->ulType = load_32_le(p); + p += 4; + buffer->cbBufferSize = load_32_le(p); + p += 4; + buffer->Offset = load_64_le(p); + p += 8; + + if (buffer->Offset % PAC_ALIGNMENT) { + krb5_pac_free(context, pac); + return EINVAL; + } + if (buffer->Offset < header_len || + buffer->Offset + buffer->cbBufferSize > len) { + krb5_pac_free(context, pac); + return ERANGE; + } } pac->data.data = realloc(pac->data.data, len); if (pac->data.data == NULL) { - krb5_pac_free(context, pac); - return ENOMEM; + krb5_pac_free(context, pac); + return ENOMEM; } memcpy(pac->data.data, ptr, len); @@ -430,7 +431,7 @@ krb5_pac_parse(krb5_context context, static krb5_error_code k5_time_to_seconds_since_1970(krb5_int64 ntTime, - krb5_timestamp *elapsedSeconds) + krb5_timestamp *elapsedSeconds) { krb5_ui_8 abstime; @@ -439,7 +440,7 @@ k5_time_to_seconds_since_1970(krb5_int64 ntTime, abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime; if (abstime > KRB5_INT32_MAX) - return ERANGE; + return ERANGE; *elapsedSeconds = abstime; @@ -448,12 +449,12 @@ k5_time_to_seconds_since_1970(krb5_int64 ntTime, static krb5_error_code k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, - krb5_ui_8 *ntTime) + krb5_ui_8 *ntTime) { *ntTime = elapsedSeconds; if (elapsedSeconds > 0) - *ntTime += NT_TIME_EPOCH; + *ntTime += NT_TIME_EPOCH; *ntTime *= 10000000; @@ -462,9 +463,9 @@ k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, static krb5_error_code k5_pac_validate_client(krb5_context context, - const krb5_pac pac, - krb5_timestamp authtime, - krb5_const_principal principal) + const krb5_pac pac, + krb5_timestamp authtime, + krb5_const_principal principal) { krb5_error_code ret; krb5_data client_info; @@ -477,10 +478,10 @@ k5_pac_validate_client(krb5_context context, ret = k5_pac_locate_buffer(context, pac, PAC_CLIENT_INFO, &client_info); if (ret != 0) - return ret; + return ret; if (client_info.length < PAC_CLIENT_INFO_LENGTH) - return ERANGE; + return ERANGE; p = (unsigned char *)client_info.data; pac_nt_authtime = load_64_le(p); @@ -490,31 +491,31 @@ k5_pac_validate_client(krb5_context context, ret = k5_time_to_seconds_since_1970(pac_nt_authtime, &pac_authtime); if (ret != 0) - return ret; + return ret; if (client_info.length < PAC_CLIENT_INFO_LENGTH + pac_princname_length || - pac_princname_length % 2) - return ERANGE; + pac_princname_length % 2) + return ERANGE; ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2, - &pac_princname, NULL); + &pac_princname, NULL); if (ret != 0) - return ret; + return ret; ret = krb5_parse_name_flags(context, pac_princname, 0, &pac_principal); if (ret != 0) { - free(pac_princname); - return ret; + free(pac_princname); + return ret; } free(pac_princname); if (pac_authtime != authtime || - !krb5_principal_compare_flags(context, - pac_principal, - principal, - KRB5_PRINCIPAL_COMPARE_IGNORE_REALM)) - ret = KRB5KRB_AP_WRONG_PRINC; + !krb5_principal_compare_flags(context, + pac_principal, + principal, + KRB5_PRINCIPAL_COMPARE_IGNORE_REALM)) + ret = KRB5KRB_AP_WRONG_PRINC; krb5_free_principal(context, pac_principal); @@ -523,9 +524,9 @@ k5_pac_validate_client(krb5_context context, static krb5_error_code k5_pac_zero_signature(krb5_context context, - const krb5_pac pac, - krb5_ui_4 type, - krb5_data *data) + const krb5_pac pac, + krb5_ui_4 type, + krb5_data *data) { PAC_INFO_BUFFER *buffer = NULL; size_t i; @@ -534,33 +535,33 @@ k5_pac_zero_signature(krb5_context context, assert(data->length >= pac->data.length); for (i = 0; i < pac->pac->cBuffers; i++) { - if (pac->pac->Buffers[i].ulType == type) { - buffer = &pac->pac->Buffers[i]; - break; - } + if (pac->pac->Buffers[i].ulType == type) { + buffer = &pac->pac->Buffers[i]; + break; + } } if (buffer == NULL) - return ENOENT; + return ENOENT; if (buffer->Offset + buffer->cbBufferSize > pac->data.length) - return ERANGE; + return ERANGE; if (buffer->cbBufferSize < PAC_SIGNATURE_DATA_LENGTH) - return KRB5_BAD_MSIZE; + return KRB5_BAD_MSIZE; /* Zero out the data portion of the checksum only */ memset(data->data + buffer->Offset + PAC_SIGNATURE_DATA_LENGTH, - 0, - buffer->cbBufferSize - PAC_SIGNATURE_DATA_LENGTH); + 0, + buffer->cbBufferSize - PAC_SIGNATURE_DATA_LENGTH); return 0; } static krb5_error_code k5_pac_verify_server_checksum(krb5_context context, - const krb5_pac pac, - const krb5_keyblock *server) + const krb5_pac pac, + const krb5_keyblock *server) { krb5_error_code ret; krb5_data pac_data; /* PAC with zeroed checksums */ @@ -570,12 +571,12 @@ k5_pac_verify_server_checksum(krb5_context context, krb5_octet *p; ret = k5_pac_locate_buffer(context, pac, - PAC_SERVER_CHECKSUM, &checksum_data); + PAC_SERVER_CHECKSUM, &checksum_data); if (ret != 0) - return ret; + return ret; if (checksum_data.length < PAC_SIGNATURE_DATA_LENGTH) - return KRB5_BAD_MSIZE; + return KRB5_BAD_MSIZE; p = (krb5_octet *)checksum_data.data; checksum.checksum_type = load_32_le(p); @@ -585,45 +586,45 @@ k5_pac_verify_server_checksum(krb5_context context, pac_data.length = pac->data.length; pac_data.data = malloc(pac->data.length); if (pac_data.data == NULL) - return ENOMEM; + return ENOMEM; memcpy(pac_data.data, pac->data.data, pac->data.length); /* Zero out both checksum buffers */ ret = k5_pac_zero_signature(context, pac, - PAC_SERVER_CHECKSUM, &pac_data); + PAC_SERVER_CHECKSUM, &pac_data); if (ret != 0) { - free(pac_data.data); - return ret; + free(pac_data.data); + return ret; } ret = k5_pac_zero_signature(context, pac, - PAC_PRIVSVR_CHECKSUM, &pac_data); + PAC_PRIVSVR_CHECKSUM, &pac_data); if (ret != 0) { - free(pac_data.data); - return ret; + free(pac_data.data); + return ret; } ret = krb5_c_verify_checksum(context, server, - KRB5_KEYUSAGE_APP_DATA_CKSUM, - &pac_data, &checksum, &valid); + KRB5_KEYUSAGE_APP_DATA_CKSUM, + &pac_data, &checksum, &valid); free(pac_data.data); if (ret != 0) { - return ret; + return ret; } if (valid == FALSE) - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; return ret; } static krb5_error_code k5_pac_verify_kdc_checksum(krb5_context context, - const krb5_pac pac, - const krb5_keyblock *privsvr) + const krb5_pac pac, + const krb5_keyblock *privsvr) { krb5_error_code ret; krb5_data server_checksum, privsvr_checksum; @@ -632,20 +633,20 @@ k5_pac_verify_kdc_checksum(krb5_context context, krb5_octet *p; ret = k5_pac_locate_buffer(context, pac, - PAC_PRIVSVR_CHECKSUM, &privsvr_checksum); + PAC_PRIVSVR_CHECKSUM, &privsvr_checksum); if (ret != 0) - return ret; + return ret; if (privsvr_checksum.length < PAC_SIGNATURE_DATA_LENGTH) - return KRB5_BAD_MSIZE; + return KRB5_BAD_MSIZE; ret = k5_pac_locate_buffer(context, pac, - PAC_SERVER_CHECKSUM, &server_checksum); + PAC_SERVER_CHECKSUM, &server_checksum); if (ret != 0) - return ret; + return ret; if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH) - return KRB5_BAD_MSIZE; + return KRB5_BAD_MSIZE; p = (krb5_octet *)privsvr_checksum.data; checksum.checksum_type = load_32_le(p); @@ -656,44 +657,44 @@ k5_pac_verify_kdc_checksum(krb5_context context, server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; ret = krb5_c_verify_checksum(context, privsvr, - KRB5_KEYUSAGE_APP_DATA_CKSUM, - &server_checksum, &checksum, &valid); + KRB5_KEYUSAGE_APP_DATA_CKSUM, + &server_checksum, &checksum, &valid); if (ret != 0) - return ret; + return ret; if (valid == FALSE) - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; return ret; } krb5_error_code KRB5_CALLCONV krb5_pac_verify(krb5_context context, - const krb5_pac pac, - krb5_timestamp authtime, - krb5_const_principal principal, - const krb5_keyblock *server, - const krb5_keyblock *privsvr) + const krb5_pac pac, + krb5_timestamp authtime, + krb5_const_principal principal, + const krb5_keyblock *server, + const krb5_keyblock *privsvr) { krb5_error_code ret; if (server == NULL) - return EINVAL; + return EINVAL; ret = k5_pac_verify_server_checksum(context, pac, server); if (ret != 0) - return ret; + return ret; if (privsvr != NULL) { - ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); - if (ret != 0) - return ret; + ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); + if (ret != 0) + return ret; } if (principal != NULL) { - ret = k5_pac_validate_client(context, pac, authtime, principal); - if (ret != 0) - return ret; + ret = k5_pac_validate_client(context, pac, authtime, principal); + if (ret != 0) + return ret; } pac->verified = TRUE; @@ -703,9 +704,9 @@ krb5_pac_verify(krb5_context context, static krb5_error_code k5_insert_client_info(krb5_context context, - krb5_pac pac, - krb5_timestamp authtime, - krb5_const_principal principal) + krb5_pac pac, + krb5_timestamp authtime, + krb5_const_principal principal) { krb5_error_code ret; krb5_data client_info; @@ -716,29 +717,29 @@ k5_insert_client_info(krb5_context context, /* If we already have a CLIENT_INFO buffer, then just validate it */ if (k5_pac_locate_buffer(context, pac, - PAC_CLIENT_INFO, &client_info) == 0) { - return k5_pac_validate_client(context, pac, authtime, principal); + PAC_CLIENT_INFO, &client_info) == 0) { + return k5_pac_validate_client(context, pac, authtime, principal); } ret = krb5_unparse_name_flags(context, principal, - KRB5_PRINCIPAL_UNPARSE_NO_REALM, - &princ_name_utf8); + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &princ_name_utf8); if (ret != 0) - goto cleanup; + goto cleanup; ret = krb5int_utf8s_to_ucs2les(princ_name_utf8, - &princ_name_ucs2, - &princ_name_ucs2_len); + &princ_name_ucs2, + &princ_name_ucs2_len); if (ret != 0) - goto cleanup; + goto cleanup; client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len; client_info.data = NULL; ret = k5_pac_add_buffer(context, pac, PAC_CLIENT_INFO, - &client_info, TRUE, &client_info); + &client_info, TRUE, &client_info); if (ret != 0) - goto cleanup; + goto cleanup; p = (unsigned char *)client_info.data; @@ -756,7 +757,7 @@ k5_insert_client_info(krb5_context context, cleanup: if (princ_name_ucs2 != NULL) - free(princ_name_ucs2); + free(princ_name_ucs2); krb5_free_unparsed_name(context, princ_name_utf8); return ret; @@ -764,10 +765,10 @@ cleanup: static krb5_error_code k5_insert_checksum(krb5_context context, - krb5_pac pac, - krb5_ui_4 type, - const krb5_keyblock *key, - krb5_cksumtype *cksumtype) + krb5_pac pac, + krb5_ui_4 type, + const krb5_keyblock *key, + krb5_cksumtype *cksumtype) { krb5_error_code ret; size_t len; @@ -775,32 +776,32 @@ k5_insert_checksum(krb5_context context, ret = krb5int_c_mandatory_cksumtype(context, key->enctype, cksumtype); if (ret != 0) - return ret; + return ret; ret = krb5_c_checksum_length(context, *cksumtype, &len); if (ret != 0) - return ret; + return ret; ret = k5_pac_locate_buffer(context, pac, type, &cksumdata); if (ret == 0) { - /* - * If we're resigning PAC, make sure we can fit checksum - * into existing buffer - */ - if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len) - return ERANGE; - - memset(cksumdata.data, 0, cksumdata.length); + /* + * If we're resigning PAC, make sure we can fit checksum + * into existing buffer + */ + if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len) + return ERANGE; + + memset(cksumdata.data, 0, cksumdata.length); } else { - /* Add a zero filled buffer */ - cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len; - cksumdata.data = NULL; - - ret = k5_pac_add_buffer(context, pac, - type, &cksumdata, - TRUE, &cksumdata); - if (ret != 0) - return ret; + /* Add a zero filled buffer */ + cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len; + cksumdata.data = NULL; + + ret = k5_pac_add_buffer(context, pac, + type, &cksumdata, + TRUE, &cksumdata); + if (ret != 0) + return ret; } /* Encode checksum type into buffer */ @@ -818,7 +819,7 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac) size_t header_len; header_len = PACTYPE_LENGTH + - (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH); + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH); assert(pac->data.length >= header_len); p = (unsigned char *)pac->data.data; @@ -829,23 +830,23 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac) p += 4; for (i = 0; i < pac->pac->cBuffers; i++) { - PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i]; - - store_32_le(buffer->ulType, p); - p += 4; - store_32_le(buffer->cbBufferSize, p); - p += 4; - store_64_le(buffer->Offset, p); - p += 8; - - assert((buffer->Offset % PAC_ALIGNMENT) == 0); - assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length); - assert(buffer->Offset >= header_len); - - if (buffer->Offset % PAC_ALIGNMENT || - buffer->Offset + buffer->cbBufferSize > pac->data.length || - buffer->Offset < header_len) - return ERANGE; + PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i]; + + store_32_le(buffer->ulType, p); + p += 4; + store_32_le(buffer->cbBufferSize, p); + p += 4; + store_64_le(buffer->Offset, p); + p += 8; + + assert((buffer->Offset % PAC_ALIGNMENT) == 0); + assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length); + assert(buffer->Offset >= header_len); + + if (buffer->Offset % PAC_ALIGNMENT || + buffer->Offset + buffer->cbBufferSize > pac->data.length || + buffer->Offset < header_len) + return ERANGE; } return 0; @@ -853,12 +854,12 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac) krb5_error_code KRB5_CALLCONV krb5int_pac_sign(krb5_context context, - krb5_pac pac, - krb5_timestamp authtime, - krb5_const_principal principal, - const krb5_keyblock *server_key, - const krb5_keyblock *privsvr_key, - krb5_data *data) + krb5_pac pac, + krb5_timestamp authtime, + krb5_const_principal principal, + const krb5_keyblock *server_key, + const krb5_keyblock *privsvr_key, + krb5_data *data) { krb5_error_code ret; krb5_data server_cksum, privsvr_cksum; @@ -869,32 +870,32 @@ krb5int_pac_sign(krb5_context context, data->data = NULL; if (principal != NULL) { - ret = k5_insert_client_info(context, pac, authtime, principal); - if (ret != 0) - return ret; + ret = k5_insert_client_info(context, pac, authtime, principal); + if (ret != 0) + return ret; } /* Create zeroed buffers for both checksums */ ret = k5_insert_checksum(context, pac, PAC_SERVER_CHECKSUM, - server_key, &server_cksumtype); + server_key, &server_cksumtype); if (ret != 0) - return ret; + return ret; ret = k5_insert_checksum(context, pac, PAC_PRIVSVR_CHECKSUM, - privsvr_key, &privsvr_cksumtype); + privsvr_key, &privsvr_cksumtype); if (ret != 0) - return ret; + return ret; /* Now, encode the PAC header so that the checksums will include it */ ret = k5_pac_encode_header(context, pac); if (ret != 0) - return ret; + return ret; /* Generate the server checksum over the entire PAC */ ret = k5_pac_locate_buffer(context, pac, - PAC_SERVER_CHECKSUM, &server_cksum); + PAC_SERVER_CHECKSUM, &server_cksum); if (ret != 0) - return ret; + return ret; assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH); @@ -906,16 +907,16 @@ krb5int_pac_sign(krb5_context context, iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH; ret = krb5_c_make_checksum_iov(context, server_cksumtype, - server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, - iov, sizeof(iov)/sizeof(iov[0])); + server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, + iov, sizeof(iov)/sizeof(iov[0])); if (ret != 0) - return ret; + return ret; /* Generate the privsvr checksum over the server checksum buffer */ ret = k5_pac_locate_buffer(context, pac, - PAC_PRIVSVR_CHECKSUM, &privsvr_cksum); + PAC_PRIVSVR_CHECKSUM, &privsvr_cksum); if (ret != 0) - return ret; + return ret; assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH); @@ -928,20 +929,20 @@ krb5int_pac_sign(krb5_context context, iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH; ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype, - privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, - iov, sizeof(iov)/sizeof(iov[0])); + privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM, + iov, sizeof(iov)/sizeof(iov[0])); if (ret != 0) - return ret; + return ret; data->data = malloc(pac->data.length); if (data->data == NULL) - return ENOMEM; + return ENOMEM; data->length = pac->data.length; memcpy(data->data, pac->data.data, pac->data.length); memset(pac->data.data, 0, - PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH)); + PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH)); return 0; } @@ -962,9 +963,9 @@ mspac_init(krb5_context kcontext, void **plugin_context) static void mspac_flags(krb5_context kcontext, - void *plugin_context, - krb5_authdatatype ad_type, - krb5_flags *flags) + void *plugin_context, + krb5_authdatatype ad_type, + krb5_flags *flags) { *flags = AD_USAGE_KDC_ISSUED; } @@ -977,15 +978,15 @@ mspac_fini(krb5_context kcontext, void *plugin_context) static krb5_error_code mspac_request_init(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void **request_context) + krb5_authdata_context context, + void *plugin_context, + void **request_context) { struct mspac_context *pacctx; pacctx = (struct mspac_context *)malloc(sizeof(*pacctx)); if (pacctx == NULL) - return ENOMEM; + return ENOMEM; pacctx->pac = NULL; @@ -996,41 +997,41 @@ mspac_request_init(krb5_context kcontext, static krb5_error_code mspac_import_authdata(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - krb5_authdata **authdata, - krb5_boolean kdc_issued, - krb5_const_principal kdc_issuer) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_authdata **authdata, + krb5_boolean kdc_issued, + krb5_const_principal kdc_issuer) { krb5_error_code code; struct mspac_context *pacctx = (struct mspac_context *)request_context; if (kdc_issued) - return EINVAL; + return EINVAL; if (pacctx->pac != NULL) { - krb5_pac_free(kcontext, pacctx->pac); - pacctx->pac = NULL; + krb5_pac_free(kcontext, pacctx->pac); + pacctx->pac = NULL; } assert(authdata[0] != NULL); assert((authdata[0]->ad_type & AD_TYPE_FIELD_TYPE_MASK) == - KRB5_AUTHDATA_WIN2K_PAC); + KRB5_AUTHDATA_WIN2K_PAC); code = krb5_pac_parse(kcontext, authdata[0]->contents, - authdata[0]->length, &pacctx->pac); + authdata[0]->length, &pacctx->pac); return code; } static krb5_error_code mspac_export_authdata(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - krb5_flags usage, - krb5_authdata ***out_authdata) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_flags usage, + krb5_authdata ***out_authdata) { struct mspac_context *pacctx = (struct mspac_context *)request_context; krb5_error_code code; @@ -1038,23 +1039,23 @@ mspac_export_authdata(krb5_context kcontext, krb5_data data; if (pacctx->pac == NULL) - return 0; + return 0; authdata = calloc(2, sizeof(krb5_authdata *)); if (authdata == NULL) - return ENOMEM; + return ENOMEM; authdata[0] = calloc(1, sizeof(krb5_authdata)); if (authdata[0] == NULL) { - free(authdata); - return ENOMEM; + free(authdata); + return ENOMEM; } authdata[1] = NULL; code = krb5int_copy_data_contents(kcontext, &pacctx->pac->data, &data); if (code != 0) { - krb5_free_authdata(kcontext, authdata); - return code; + krb5_free_authdata(kcontext, authdata); + return code; } authdata[0]->magic = KV5M_AUTHDATA; @@ -1071,25 +1072,25 @@ mspac_export_authdata(krb5_context kcontext, static krb5_error_code mspac_verify(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - const krb5_auth_context *auth_context, - const krb5_keyblock *key, - const krb5_ap_req *req) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + const krb5_auth_context *auth_context, + const krb5_keyblock *key, + const krb5_ap_req *req) { krb5_error_code code; struct mspac_context *pacctx = (struct mspac_context *)request_context; if (pacctx->pac == NULL) - return EINVAL; + return EINVAL; code = krb5_pac_verify(kcontext, - pacctx->pac, - req->ticket->enc_part2->times.authtime, - req->ticket->enc_part2->client, - key, - NULL); + pacctx->pac, + req->ticket->enc_part2->times.authtime, + req->ticket->enc_part2->client, + key, + NULL); #if 0 /* @@ -1097,8 +1098,8 @@ mspac_verify(krb5_context kcontext, * Thoughts? */ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - assert(pacctx->pac->verified == FALSE); - code = 0; + assert(pacctx->pac->verified == FALSE); + code = 0; } #endif @@ -1107,17 +1108,17 @@ mspac_verify(krb5_context kcontext, static void mspac_request_fini(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context) + krb5_authdata_context context, + void *plugin_context, + void *request_context) { struct mspac_context *pacctx = (struct mspac_context *)request_context; if (pacctx != NULL) { - if (pacctx->pac != NULL) - krb5_pac_free(kcontext, pacctx->pac); + if (pacctx->pac != NULL) + krb5_pac_free(kcontext, pacctx->pac); - free(pacctx); + free(pacctx); } } @@ -1127,17 +1128,17 @@ static struct { krb5_ui_4 type; krb5_data attribute; } mspac_attribute_types[] = { - { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("urn:mspac:"), "urn:mspac:" } }, - { PAC_LOGON_INFO, { KV5M_DATA, STRLENOF("urn:mspac:logon-info"), "urn:mspac:logon-info" } }, - { PAC_CREDENTIALS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:credentials-info"), "urn:mspac:credentials-info" } }, - { PAC_SERVER_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:server-checksum"), "urn:mspac:server-checksum" } }, - { PAC_PRIVSVR_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:privsvr-checksum"), "urn:mspac:privsvr-checksum" } }, - { PAC_CLIENT_INFO, { KV5M_DATA, STRLENOF("urn:mspac:client-info"), "urn:mspac:client-info" } }, - { PAC_DELEGATION_INFO, { KV5M_DATA, STRLENOF("urn:mspac:delegation-info"), "urn:mspac:delegation-info" } }, - { PAC_UPN_DNS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:upn-dns-info"), "urn:mspac:upn-dns-info" } }, + { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("urn:mspac:"), "urn:mspac:" } }, + { PAC_LOGON_INFO, { KV5M_DATA, STRLENOF("urn:mspac:logon-info"), "urn:mspac:logon-info" } }, + { PAC_CREDENTIALS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:credentials-info"), "urn:mspac:credentials-info" } }, + { PAC_SERVER_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:server-checksum"), "urn:mspac:server-checksum" } }, + { PAC_PRIVSVR_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:privsvr-checksum"), "urn:mspac:privsvr-checksum" } }, + { PAC_CLIENT_INFO, { KV5M_DATA, STRLENOF("urn:mspac:client-info"), "urn:mspac:client-info" } }, + { PAC_DELEGATION_INFO, { KV5M_DATA, STRLENOF("urn:mspac:delegation-info"), "urn:mspac:delegation-info" } }, + { PAC_UPN_DNS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:upn-dns-info"), "urn:mspac:upn-dns-info" } }, }; -#define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0])) +#define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0])) static krb5_error_code mspac_type2attr(krb5_ui_4 type, krb5_data *attr) @@ -1145,10 +1146,10 @@ mspac_type2attr(krb5_ui_4 type, krb5_data *attr) unsigned int i; for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) { - if (mspac_attribute_types[i].type == type) { - *attr = mspac_attribute_types[i].attribute; - return 0; - } + if (mspac_attribute_types[i].type == type) { + *attr = mspac_attribute_types[i].attribute; + return 0; + } } return ENOENT; @@ -1160,22 +1161,22 @@ mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type) unsigned int i; for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) { - if (attr->length == mspac_attribute_types[i].attribute.length && - strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) { - *type = mspac_attribute_types[i].type; - return 0; - } + if (attr->length == mspac_attribute_types[i].attribute.length && + strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) { + *type = mspac_attribute_types[i].type; + return 0; + } } if (attr->length > STRLENOF("urn:mspac:") && - strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0) + strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0) { - char *p = &attr->data[STRLENOF("urn:mspac:")]; - char *endptr; + char *p = &attr->data[STRLENOF("urn:mspac:")]; + char *endptr; - *type = strtoul(p, &endptr, 10); - if (*type != 0 && *endptr == '\0') - return 0; + *type = strtoul(p, &endptr, 10); + if (*type != 0 && *endptr == '\0') + return 0; } return ENOENT; @@ -1183,10 +1184,10 @@ mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type) static krb5_error_code mspac_get_attribute_types(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - krb5_data **out_attrs) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_data **out_attrs) { struct mspac_context *pacctx = (struct mspac_context *)request_context; unsigned int i, j; @@ -1194,45 +1195,45 @@ mspac_get_attribute_types(krb5_context kcontext, krb5_error_code code; if (pacctx->pac == NULL) - return ENOENT; + return ENOENT; attrs = calloc(1 + pacctx->pac->pac->cBuffers + 1, sizeof(krb5_data)); if (attrs == NULL) - return ENOMEM; + return ENOMEM; j = 0; /* The entire PAC */ code = krb5int_copy_data_contents(kcontext, - &mspac_attribute_types[0].attribute, - &attrs[j++]); + &mspac_attribute_types[0].attribute, + &attrs[j++]); if (code != 0) { - free(attrs); - return code; + free(attrs); + return code; } /* PAC buffers */ for (i = 0; i < pacctx->pac->pac->cBuffers; i++) { - krb5_data attr; - - code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr); - if (code == 0) { - code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]); - if (code != 0) { - krb5int_free_data_list(kcontext, attrs); - return code; - } - } else { - int length; - - length = asprintf(&attrs[j].data, "urn:mspac:%d", - pacctx->pac->pac->Buffers[i].ulType); - if (length < 0) { - krb5int_free_data_list(kcontext, attrs); - return ENOMEM; - } - attrs[j++].length = length; - } + krb5_data attr; + + code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr); + if (code == 0) { + code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]); + if (code != 0) { + krb5int_free_data_list(kcontext, attrs); + return code; + } + } else { + int length; + + length = asprintf(&attrs[j].data, "urn:mspac:%d", + pacctx->pac->pac->Buffers[i].ulType); + if (length < 0) { + krb5int_free_data_list(kcontext, attrs); + return ENOMEM; + } + attrs[j++].length = length; + } } attrs[j].data = NULL; attrs[j].length = 0; @@ -1244,49 +1245,49 @@ mspac_get_attribute_types(krb5_context kcontext, static krb5_error_code mspac_get_attribute(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - const krb5_data *attribute, - krb5_boolean *authenticated, - krb5_boolean *complete, - krb5_data *value, - krb5_data *display_value, - int *more) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + const krb5_data *attribute, + krb5_boolean *authenticated, + krb5_boolean *complete, + krb5_data *value, + krb5_data *display_value, + int *more) { struct mspac_context *pacctx = (struct mspac_context *)request_context; krb5_error_code code; krb5_ui_4 type; if (display_value != NULL) { - display_value->data = NULL; - display_value->length = 0; + display_value->data = NULL; + display_value->length = 0; } if (*more != -1 || pacctx->pac == NULL) - return ENOENT; + return ENOENT; code = mspac_attr2type(attribute, &type); if (code != 0) - return code; + return code; /* -1 is a magic type that refers to the entire PAC */ if (type == (krb5_ui_4)-1) { - if (value != NULL) - code = krb5int_copy_data_contents(kcontext, - &pacctx->pac->data, - value); - else - code = 0; + if (value != NULL) + code = krb5int_copy_data_contents(kcontext, + &pacctx->pac->data, + value); + else + code = 0; } else { - if (value != NULL) - code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value); - else - code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL); + if (value != NULL) + code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value); + else + code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL); } if (code == 0) { - *authenticated = pacctx->pac->verified; - *complete = TRUE; + *authenticated = pacctx->pac->verified; + *complete = TRUE; } *more = 0; @@ -1296,36 +1297,36 @@ mspac_get_attribute(krb5_context kcontext, static krb5_error_code mspac_set_attribute(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - krb5_boolean complete, - const krb5_data *attribute, - const krb5_data *value) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_boolean complete, + const krb5_data *attribute, + const krb5_data *value) { struct mspac_context *pacctx = (struct mspac_context *)request_context; krb5_error_code code; krb5_ui_4 type; if (pacctx->pac == NULL) - return ENOENT; + return ENOENT; code = mspac_attr2type(attribute, &type); if (code != 0) - return code; + return code; /* -1 is a magic type that refers to the entire PAC */ if (type == (krb5_ui_4)-1) { - krb5_pac newpac; + krb5_pac newpac; - code = krb5_pac_parse(kcontext, value->data, value->length, &newpac); - if (code != 0) - return code; + code = krb5_pac_parse(kcontext, value->data, value->length, &newpac); + if (code != 0) + return code; - krb5_pac_free(kcontext, pacctx->pac); - pacctx->pac = newpac; + krb5_pac_free(kcontext, pacctx->pac); + pacctx->pac = newpac; } else { - code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value); + code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value); } return code; @@ -1333,11 +1334,11 @@ mspac_set_attribute(krb5_context kcontext, static krb5_error_code mspac_export_internal(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - krb5_boolean restrict_authenticated, - void **ptr) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_boolean restrict_authenticated, + void **ptr) { struct mspac_context *pacctx = (struct mspac_context *)request_context; krb5_error_code code; @@ -1346,16 +1347,16 @@ mspac_export_internal(krb5_context kcontext, *ptr = NULL; if (pacctx->pac == NULL) - return 0; + return 0; if (restrict_authenticated && (pacctx->pac->verified) == FALSE) - return 0; + return 0; code = krb5_pac_parse(kcontext, pacctx->pac->data.data, - pacctx->pac->data.length, &pac); + pacctx->pac->data.length, &pac); if (code == 0) { - pac->verified = pacctx->pac->verified; - *ptr = pac; + pac->verified = pacctx->pac->verified; + *ptr = pac; } return code; @@ -1363,30 +1364,30 @@ mspac_export_internal(krb5_context kcontext, static void mspac_free_internal(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - void *ptr) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + void *ptr) { if (ptr != NULL) - krb5_pac_free(kcontext, (krb5_pac)ptr); + krb5_pac_free(kcontext, (krb5_pac)ptr); return; } static krb5_error_code mspac_size(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - size_t *sizep) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + size_t *sizep) { struct mspac_context *pacctx = (struct mspac_context *)request_context; *sizep += sizeof(krb5_int32); if (pacctx->pac != NULL) - *sizep += pacctx->pac->data.length; + *sizep += pacctx->pac->data.length; *sizep += sizeof(krb5_int32); @@ -1395,11 +1396,11 @@ mspac_size(krb5_context kcontext, static krb5_error_code mspac_externalize(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - krb5_octet **buffer, - size_t *lenremain) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_octet **buffer, + size_t *lenremain) { krb5_error_code code = 0; struct mspac_context *pacctx = (struct mspac_context *)request_context; @@ -1411,23 +1412,23 @@ mspac_externalize(krb5_context kcontext, remain = *lenremain; if (pacctx->pac != NULL) { - mspac_size(kcontext, context, plugin_context, - request_context, &required); - - if (required <= remain) { - krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length, - &bp, &remain); - krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data, - (size_t)pacctx->pac->data.length, - &bp, &remain); - krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified, - &bp, &remain); - } else { - code = ENOMEM; - } + mspac_size(kcontext, context, plugin_context, + request_context, &required); + + if (required <= remain) { + krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length, + &bp, &remain); + krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data, + (size_t)pacctx->pac->data.length, + &bp, &remain); + krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified, + &bp, &remain); + } else { + code = ENOMEM; + } } else { - krb5_ser_pack_int32(0, &bp, &remain); /* length */ - krb5_ser_pack_int32(0, &bp, &remain); /* verified */ + krb5_ser_pack_int32(0, &bp, &remain); /* length */ + krb5_ser_pack_int32(0, &bp, &remain); /* verified */ } *buffer = bp; @@ -1438,11 +1439,11 @@ mspac_externalize(krb5_context kcontext, static krb5_error_code mspac_internalize(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - krb5_octet **buffer, - size_t *lenremain) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_octet **buffer, + size_t *lenremain) { struct mspac_context *pacctx = (struct mspac_context *)request_context; krb5_error_code code; @@ -1457,30 +1458,30 @@ mspac_internalize(krb5_context kcontext, /* length */ code = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (code != 0) - return code; + return code; if (ibuf != 0) { - code = krb5_pac_parse(kcontext, bp, ibuf, &pac); - if (code != 0) - return code; + code = krb5_pac_parse(kcontext, bp, ibuf, &pac); + if (code != 0) + return code; - bp += ibuf; - remain -= ibuf; + bp += ibuf; + remain -= ibuf; } /* verified */ code = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (code != 0) { - krb5_pac_free(kcontext, pac); - return code; + krb5_pac_free(kcontext, pac); + return code; } if (pac != NULL) { - pac->verified = (ibuf != 0); + pac->verified = (ibuf != 0); } if (pacctx->pac != NULL) { - krb5_pac_free(kcontext, pacctx->pac); + krb5_pac_free(kcontext, pacctx->pac); } pacctx->pac = pac; @@ -1493,11 +1494,11 @@ mspac_internalize(krb5_context kcontext, static krb5_error_code mspac_copy(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - void *dst_plugin_context, - void *dst_request_context) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + void *dst_plugin_context, + void *dst_request_context) { struct mspac_context *srcctx = (struct mspac_context *)request_context; struct mspac_context *dstctx = (struct mspac_context *)dst_request_context; @@ -1507,7 +1508,7 @@ mspac_copy(krb5_context kcontext, assert(dstctx->pac == NULL); if (srcctx->pac != NULL) - code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac); + code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac); return code; } @@ -1536,4 +1537,3 @@ krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = { mspac_internalize, mspac_copy }; - diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c index 5dd29fb43..b78cc4311 100644 --- a/src/lib/krb5/krb/parse.c +++ b/src/lib/krb5/krb/parse.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/parse.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_parse_name() routine. * @@ -37,27 +38,27 @@ * converts a single-string representation of the name to the * multi-part principal format used in the protocols. * - * principal will point to allocated storage which should be freed by + * principal will point to allocated storage which should be freed by * the caller (using krb5_free_principal) after use. - * + * * Conventions: / is used to separate components. If @ is present in the * string, then the rest of the string after it represents the realm name. * Otherwise the local realm name is used. - * + * * error return: - * KRB5_PARSE_MALFORMED badly formatted string + * KRB5_PARSE_MALFORMED badly formatted string * * also returns system errors: - * ENOMEM malloc failed/out of memory + * ENOMEM malloc failed/out of memory * * get_default_realm() is called; it may return other errors. */ -#define REALM_SEP '@' -#define COMPONENT_SEP '/' -#define QUOTECHAR '\\' +#define REALM_SEP '@' +#define COMPONENT_SEP '/' +#define QUOTECHAR '\\' -#define FCOMPNUM 10 +#define FCOMPNUM 10 /* * May the fleas of a thousand camels infest the ISO, they who think @@ -65,276 +66,276 @@ */ static krb5_error_code k5_parse_name(krb5_context context, const char *name, - int flags, krb5_principal *nprincipal) + int flags, krb5_principal *nprincipal) { - register const char *cp; - register char *q; - register int i,c,size; - int components = 0; - const char *parsed_realm = NULL; - int fcompsize[FCOMPNUM]; - unsigned int realmsize = 0; - char *default_realm = NULL; - int default_realm_size = 0; - char *tmpdata; - krb5_principal principal; - krb5_error_code retval; - unsigned int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE); - int first_at; + register const char *cp; + register char *q; + register int i,c,size; + int components = 0; + const char *parsed_realm = NULL; + int fcompsize[FCOMPNUM]; + unsigned int realmsize = 0; + char *default_realm = NULL; + int default_realm_size = 0; + char *tmpdata; + krb5_principal principal; + krb5_error_code retval; + unsigned int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE); + int first_at; - *nprincipal = NULL; + *nprincipal = NULL; - /* - * Pass 1. Find out how many components there are to the name, - * and get string sizes for the first FCOMPNUM components. For - * enterprise principal names (UPNs), there is only a single - * component. - */ - size = 0; - for (i=0,cp = name, first_at = 1; (c = *cp); cp++) { - if (c == QUOTECHAR) { - cp++; - if (!(c = *cp)) - /* - * QUOTECHAR can't be at the last - * character of the name! - */ - return(KRB5_PARSE_MALFORMED); - size++; - continue; - } else if (c == COMPONENT_SEP && !enterprise) { - if (parsed_realm) - /* - * Shouldn't see a component separator - * after we've parsed out the realm name! - */ - return(KRB5_PARSE_MALFORMED); - if (i < FCOMPNUM) { - fcompsize[i] = size; - } - size = 0; - i++; - } else if (c == REALM_SEP && (!enterprise || !first_at)) { - if (parsed_realm) - /* - * Multiple realm separaters - * not allowed; zero-length realms are. - */ - return(KRB5_PARSE_MALFORMED); - parsed_realm = cp + 1; - if (i < FCOMPNUM) { - fcompsize[i] = size; - } - size = 0; - } else { - if (c == REALM_SEP && enterprise && first_at) - first_at = 0; + /* + * Pass 1. Find out how many components there are to the name, + * and get string sizes for the first FCOMPNUM components. For + * enterprise principal names (UPNs), there is only a single + * component. + */ + size = 0; + for (i=0,cp = name, first_at = 1; (c = *cp); cp++) { + if (c == QUOTECHAR) { + cp++; + if (!(c = *cp)) + /* + * QUOTECHAR can't be at the last + * character of the name! + */ + return(KRB5_PARSE_MALFORMED); + size++; + continue; + } else if (c == COMPONENT_SEP && !enterprise) { + if (parsed_realm) + /* + * Shouldn't see a component separator + * after we've parsed out the realm name! + */ + return(KRB5_PARSE_MALFORMED); + if (i < FCOMPNUM) { + fcompsize[i] = size; + } + size = 0; + i++; + } else if (c == REALM_SEP && (!enterprise || !first_at)) { + if (parsed_realm) + /* + * Multiple realm separaters + * not allowed; zero-length realms are. + */ + return(KRB5_PARSE_MALFORMED); + parsed_realm = cp + 1; + if (i < FCOMPNUM) { + fcompsize[i] = size; + } + size = 0; + } else { + if (c == REALM_SEP && enterprise && first_at) + first_at = 0; - size++; - } - } - if (parsed_realm != NULL) - realmsize = size; - else if (i < FCOMPNUM) - fcompsize[i] = size; - components = i + 1; - /* - * Now, we allocate the principal structure and all of its - * component pieces - */ - principal = (krb5_principal)malloc(sizeof(krb5_principal_data)); - if (principal == NULL) { - return(ENOMEM); - } - principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components); - if (principal->data == NULL) { - free(principal); - return ENOMEM; - } - principal->length = components; + size++; + } + } + if (parsed_realm != NULL) + realmsize = size; + else if (i < FCOMPNUM) + fcompsize[i] = size; + components = i + 1; + /* + * Now, we allocate the principal structure and all of its + * component pieces + */ + principal = (krb5_principal)malloc(sizeof(krb5_principal_data)); + if (principal == NULL) { + return(ENOMEM); + } + principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components); + if (principal->data == NULL) { + free(principal); + return ENOMEM; + } + principal->length = components; - /* - * If a realm was not found, then use the default realm, unless - * KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the - * realm will be empty. - */ - if (!parsed_realm) { - if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) { - krb5_set_error_message(context, KRB5_PARSE_MALFORMED, - "Principal %s is missing required realm", name); - free(principal->data); - free(principal); - return KRB5_PARSE_MALFORMED; - } - if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) { - retval = krb5_get_default_realm(context, &default_realm); - if (retval) { - free(principal->data); - free(principal); - return(retval); - } - default_realm_size = strlen(default_realm); - } - realmsize = default_realm_size; - } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) { - krb5_set_error_message(context, KRB5_PARSE_MALFORMED, - "Principal %s has realm present", name); - free(principal->data); - free(principal); - return KRB5_PARSE_MALFORMED; - } + /* + * If a realm was not found, then use the default realm, unless + * KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the + * realm will be empty. + */ + if (!parsed_realm) { + if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) { + krb5_set_error_message(context, KRB5_PARSE_MALFORMED, + "Principal %s is missing required realm", name); + free(principal->data); + free(principal); + return KRB5_PARSE_MALFORMED; + } + if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) { + retval = krb5_get_default_realm(context, &default_realm); + if (retval) { + free(principal->data); + free(principal); + return(retval); + } + default_realm_size = strlen(default_realm); + } + realmsize = default_realm_size; + } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) { + krb5_set_error_message(context, KRB5_PARSE_MALFORMED, + "Principal %s has realm present", name); + free(principal->data); + free(principal); + return KRB5_PARSE_MALFORMED; + } - /* - * Pass 2. Happens only if there were more than FCOMPNUM - * component; if this happens, someone should be shot - * immediately. Nevertheless, we will attempt to handle said - * case..... - */ - if (components >= FCOMPNUM) { - size = 0; - parsed_realm = NULL; - for (i=0,cp = name; (c = *cp); cp++) { - if (c == QUOTECHAR) { - cp++; - size++; - } else if (c == COMPONENT_SEP) { - if (krb5_princ_size(context, principal) > i) - krb5_princ_component(context, principal, i)->length = size; - size = 0; - i++; - } else if (c == REALM_SEP) { - if (krb5_princ_size(context, principal) > i) - krb5_princ_component(context, principal, i)->length = size; - size = 0; - parsed_realm = cp+1; - } else - size++; - } - if (parsed_realm) - krb5_princ_realm(context, principal)->length = size; - else - if (krb5_princ_size(context, principal) > i) - krb5_princ_component(context, principal, i)->length = size; - if (i + 1 != components) { + /* + * Pass 2. Happens only if there were more than FCOMPNUM + * component; if this happens, someone should be shot + * immediately. Nevertheless, we will attempt to handle said + * case..... + */ + if (components >= FCOMPNUM) { + size = 0; + parsed_realm = NULL; + for (i=0,cp = name; (c = *cp); cp++) { + if (c == QUOTECHAR) { + cp++; + size++; + } else if (c == COMPONENT_SEP) { + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; + size = 0; + i++; + } else if (c == REALM_SEP) { + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; + size = 0; + parsed_realm = cp+1; + } else + size++; + } + if (parsed_realm) + krb5_princ_realm(context, principal)->length = size; + else + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; + if (i + 1 != components) { #if !defined(_WIN32) - fprintf(stderr, - "Programming error in krb5_parse_name!"); + fprintf(stderr, + "Programming error in krb5_parse_name!"); #endif - assert(i + 1 == components); - abort(); - } - } else { - /* - * If there were fewer than FCOMPSIZE components (the - * usual case), then just copy the sizes to the - * principal structure - */ - for (i=0; i < components; i++) - krb5_princ_component(context, principal, i)->length = fcompsize[i]; - } - /* - * Now, we need to allocate the space for the strings themselves..... - */ - tmpdata = malloc(realmsize + 1); - if (tmpdata == 0) { - free(principal->data); - free(principal); - free(default_realm); - return ENOMEM; - } - krb5_princ_set_realm_length(context, principal, realmsize); - krb5_princ_set_realm_data(context, principal, tmpdata); - for (i=0; i < components; i++) { - char *tmpdata2 = - malloc(krb5_princ_component(context, principal, i)->length + 1); - if (tmpdata2 == NULL) { - for (i--; i >= 0; i--) - free(krb5_princ_component(context, principal, i)->data); - free(krb5_princ_realm(context, principal)->data); - free(principal->data); - free(principal); - free(default_realm); - return(ENOMEM); - } - krb5_princ_component(context, principal, i)->data = tmpdata2; - krb5_princ_component(context, principal, i)->magic = KV5M_DATA; - } - - /* - * Pass 3. Now we go through the string a *third* time, this - * time filling in the krb5_principal structure which we just - * allocated. - */ - q = krb5_princ_component(context, principal, 0)->data; - for (i=0,cp = name, first_at = 1; (c = *cp); cp++) { - if (c == QUOTECHAR) { - cp++; - switch (c = *cp) { - case 'n': - *q++ = '\n'; - break; - case 't': - *q++ = '\t'; - break; - case 'b': - *q++ = '\b'; - break; - case '0': - *q++ = '\0'; - break; - default: - *q++ = c; - break; - } - } else if (c == COMPONENT_SEP && !enterprise) { - i++; - *q++ = '\0'; - q = krb5_princ_component(context, principal, i)->data; - } else if (c == REALM_SEP && (!enterprise || !first_at)) { - i++; - *q++ = '\0'; - q = krb5_princ_realm(context, principal)->data; - } else { - if (c == REALM_SEP && enterprise && first_at) - first_at = 0; + assert(i + 1 == components); + abort(); + } + } else { + /* + * If there were fewer than FCOMPSIZE components (the + * usual case), then just copy the sizes to the + * principal structure + */ + for (i=0; i < components; i++) + krb5_princ_component(context, principal, i)->length = fcompsize[i]; + } + /* + * Now, we need to allocate the space for the strings themselves..... + */ + tmpdata = malloc(realmsize + 1); + if (tmpdata == 0) { + free(principal->data); + free(principal); + free(default_realm); + return ENOMEM; + } + krb5_princ_set_realm_length(context, principal, realmsize); + krb5_princ_set_realm_data(context, principal, tmpdata); + for (i=0; i < components; i++) { + char *tmpdata2 = + malloc(krb5_princ_component(context, principal, i)->length + 1); + if (tmpdata2 == NULL) { + for (i--; i >= 0; i--) + free(krb5_princ_component(context, principal, i)->data); + free(krb5_princ_realm(context, principal)->data); + free(principal->data); + free(principal); + free(default_realm); + return(ENOMEM); + } + krb5_princ_component(context, principal, i)->data = tmpdata2; + krb5_princ_component(context, principal, i)->magic = KV5M_DATA; + } + + /* + * Pass 3. Now we go through the string a *third* time, this + * time filling in the krb5_principal structure which we just + * allocated. + */ + q = krb5_princ_component(context, principal, 0)->data; + for (i=0,cp = name, first_at = 1; (c = *cp); cp++) { + if (c == QUOTECHAR) { + cp++; + switch (c = *cp) { + case 'n': + *q++ = '\n'; + break; + case 't': + *q++ = '\t'; + break; + case 'b': + *q++ = '\b'; + break; + case '0': + *q++ = '\0'; + break; + default: + *q++ = c; + break; + } + } else if (c == COMPONENT_SEP && !enterprise) { + i++; + *q++ = '\0'; + q = krb5_princ_component(context, principal, i)->data; + } else if (c == REALM_SEP && (!enterprise || !first_at)) { + i++; + *q++ = '\0'; + q = krb5_princ_realm(context, principal)->data; + } else { + if (c == REALM_SEP && enterprise && first_at) + first_at = 0; - *q++ = c; - } - } - *q++ = '\0'; - if (!parsed_realm) { - if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) - (krb5_princ_realm(context, principal)->data)[0] = '\0'; - else - strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize+1); - } - /* - * Alright, we're done. Now stuff a pointer to this monstrosity - * into the return variable, and let's get out of here. - */ - if (enterprise) - krb5_princ_type(context, principal) = KRB5_NT_ENTERPRISE_PRINCIPAL; - else - krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL; - principal->magic = KV5M_PRINCIPAL; - principal->realm.magic = KV5M_DATA; - *nprincipal = principal; + *q++ = c; + } + } + *q++ = '\0'; + if (!parsed_realm) { + if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) + (krb5_princ_realm(context, principal)->data)[0] = '\0'; + else + strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize+1); + } + /* + * Alright, we're done. Now stuff a pointer to this monstrosity + * into the return variable, and let's get out of here. + */ + if (enterprise) + krb5_princ_type(context, principal) = KRB5_NT_ENTERPRISE_PRINCIPAL; + else + krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL; + principal->magic = KV5M_PRINCIPAL; + principal->realm.magic = KV5M_DATA; + *nprincipal = principal; - if (default_realm != NULL) - free(default_realm); + if (default_realm != NULL) + free(default_realm); - return(0); + return(0); } krb5_error_code KRB5_CALLCONV krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal) { - return k5_parse_name(context, name, 0, nprincipal); + return k5_parse_name(context, name, 0, nprincipal); } krb5_error_code KRB5_CALLCONV krb5_parse_name_flags(krb5_context context, const char *name, - int flags, krb5_principal *nprincipal) + int flags, krb5_principal *nprincipal) { - return k5_parse_name(context, name, flags, nprincipal); + return k5_parse_name(context, name, flags, nprincipal); } diff --git a/src/lib/krb5/krb/pkinit_apple_asn1.c b/src/lib/krb5/krb/pkinit_apple_asn1.c index 9082a314b..12b5215be 100644 --- a/src/lib/krb5/krb/pkinit_apple_asn1.c +++ b/src/lib/krb5/krb/pkinit_apple_asn1.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved. * @@ -60,32 +61,32 @@ static void **pkiNssNullArray( #pragma mark ----- pkAuthenticator ----- -/* +/* * There is a unique error code for "missing paChecksum", so we mark it here - * as optional so the decoder can process a pkAuthenticator without the + * as optional so the decoder can process a pkAuthenticator without the * checksum; caller must verify that paChecksum.Data != NULL. */ typedef struct { - CSSM_DATA cusec; /* INTEGER, microseconds */ - CSSM_DATA kctime; /* UTC time (with trailing 'Z') */ - CSSM_DATA nonce; /* INTEGER */ - CSSM_DATA paChecksum; /* OCTET STRING */ + CSSM_DATA cusec; /* INTEGER, microseconds */ + CSSM_DATA kctime; /* UTC time (with trailing 'Z') */ + CSSM_DATA nonce; /* INTEGER */ + CSSM_DATA paChecksum; /* OCTET STRING */ } KRB5_PKAuthenticator; static const SecAsn1Template KRB5_PKAuthenticatorTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PKAuthenticator) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0, - offsetof(KRB5_PKAuthenticator,cusec), + offsetof(KRB5_PKAuthenticator,cusec), kSecAsn1IntegerTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1, - offsetof(KRB5_PKAuthenticator,kctime), + offsetof(KRB5_PKAuthenticator,kctime), kSecAsn1GeneralizedTimeTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 2, - offsetof(KRB5_PKAuthenticator,nonce), + offsetof(KRB5_PKAuthenticator,nonce), kSecAsn1IntegerTemplate }, - { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | - SEC_ASN1_OPTIONAL | 3, - offsetof(KRB5_PKAuthenticator,paChecksum), + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_OPTIONAL | 3, + offsetof(KRB5_PKAuthenticator,paChecksum), &kSecAsn1OctetStringTemplate }, { 0 } }; @@ -93,25 +94,25 @@ static const SecAsn1Template KRB5_PKAuthenticatorTemplate[] = { #pragma mark ----- AuthPack ----- typedef struct { - KRB5_PKAuthenticator pkAuth; - CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *pubKeyInfo; /* OPTIONAL */ - CSSM_X509_ALGORITHM_IDENTIFIER **supportedCMSTypes;/* OPTIONAL */ - CSSM_DATA *clientDHNonce; /* OPTIONAL */ + KRB5_PKAuthenticator pkAuth; + CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *pubKeyInfo; /* OPTIONAL */ + CSSM_X509_ALGORITHM_IDENTIFIER **supportedCMSTypes;/* OPTIONAL */ + CSSM_DATA *clientDHNonce; /* OPTIONAL */ } KRB5_AuthPack; -/* +/* * These are copied from keyTemplates.c in the libsecurity_asn1 project; * they aren't public API. */ - + /* AlgorithmIdentifier : CSSM_X509_ALGORITHM_IDENTIFIER */ static const SecAsn1Template AlgorithmIDTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER) }, + 0, NULL, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER) }, { SEC_ASN1_OBJECT_ID, - offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,algorithm), }, + offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,algorithm), }, { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, - offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,parameters), }, + offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,parameters), }, { 0, } }; @@ -119,12 +120,12 @@ static const SecAsn1Template AlgorithmIDTemplate[] = { /* SubjectPublicKeyInfo : CSSM_X509_SUBJECT_PUBLIC_KEY_INFO */ static const SecAsn1Template SubjectPublicKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO) }, + 0, NULL, sizeof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO) }, { SEC_ASN1_INLINE, - offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,algorithm), - AlgorithmIDTemplate }, + offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,algorithm), + AlgorithmIDTemplate }, { SEC_ASN1_BIT_STRING, - offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,subjectPublicKey), }, + offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,subjectPublicKey), }, { 0, } }; @@ -137,34 +138,34 @@ static const SecAsn1Template kSecAsn1SequenceOfAlgIdTemplate[] = { static const SecAsn1Template KRB5_AuthPackTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_AuthPack) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0, - offsetof(KRB5_AuthPack,pkAuth), + offsetof(KRB5_AuthPack,pkAuth), KRB5_PKAuthenticatorTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | - SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 1, - offsetof(KRB5_AuthPack,pubKeyInfo), + SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 1, + offsetof(KRB5_AuthPack,pubKeyInfo), SubjectPublicKeyInfoTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | - SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 2, - offsetof(KRB5_AuthPack,supportedCMSTypes), + SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 2, + offsetof(KRB5_AuthPack,supportedCMSTypes), kSecAsn1SequenceOfAlgIdTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | - SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 3, - offsetof(KRB5_AuthPack,clientDHNonce), + SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 3, + offsetof(KRB5_AuthPack,clientDHNonce), kSecAsn1OctetStringTemplate }, { 0 } }; -/* +/* * Encode AuthPack, public key version (no Diffie-Hellman components). */ krb5_error_code krb5int_pkinit_auth_pack_encode( - krb5_timestamp kctime, - krb5_int32 cusec, /* microseconds */ - krb5_ui_4 nonce, - const krb5_checksum *pa_checksum, - const krb5int_algorithm_id *cms_types, /* optional */ - krb5_ui_4 num_cms_types, - krb5_data *auth_pack) /* mallocd and RETURNED */ + krb5_timestamp kctime, + krb5_int32 cusec, /* microseconds */ + krb5_ui_4 nonce, + const krb5_checksum *pa_checksum, + const krb5int_algorithm_id *cms_types, /* optional */ + krb5_ui_4 num_cms_types, + krb5_data *auth_pack) /* mallocd and RETURNED */ { KRB5_AuthPack localAuthPack; SecAsn1CoderRef coder; @@ -173,65 +174,65 @@ krb5_error_code krb5int_pkinit_auth_pack_encode( CSSM_DATA ber = {0, NULL}; OSStatus ortn; char *timeStr = NULL; - + if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } memset(&localAuthPack, 0, sizeof(localAuthPack)); if(pkiKrbTimestampToStr(kctime, &timeStr)) { - ourRtn = -1; - goto errOut; + ourRtn = -1; + goto errOut; } localAuthPack.pkAuth.kctime.Data = (uint8 *)timeStr; localAuthPack.pkAuth.kctime.Length = strlen(timeStr); if(pkiIntToData(cusec, &localAuthPack.pkAuth.cusec, coder)) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } if(pkiIntToData(nonce, &localAuthPack.pkAuth.nonce, coder)) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } cksum->Data = (uint8 *)pa_checksum->contents; cksum->Length = pa_checksum->length; - + if((cms_types != NULL) && (num_cms_types != 0)) { - unsigned dex; - CSSM_X509_ALGORITHM_IDENTIFIER **algIds; - - /* build a NULL_terminated array of CSSM_X509_ALGORITHM_IDENTIFIERs */ - localAuthPack.supportedCMSTypes = (CSSM_X509_ALGORITHM_IDENTIFIER **) - SecAsn1Malloc(coder, - (num_cms_types + 1) * sizeof(CSSM_X509_ALGORITHM_IDENTIFIER *)); - algIds = localAuthPack.supportedCMSTypes; - for(dex=0; dexalgorithm, coder); - if(cms_types[dex].parameters.data != NULL) { - pkiKrb5DataToCssm(&cms_types[dex].parameters, - &algIds[dex]->parameters, coder); - } - else { - algIds[dex]->parameters.Data = NULL; - algIds[dex]->parameters.Length = 0; - } - } - algIds[num_cms_types] = NULL; + unsigned dex; + CSSM_X509_ALGORITHM_IDENTIFIER **algIds; + + /* build a NULL_terminated array of CSSM_X509_ALGORITHM_IDENTIFIERs */ + localAuthPack.supportedCMSTypes = (CSSM_X509_ALGORITHM_IDENTIFIER **) + SecAsn1Malloc(coder, + (num_cms_types + 1) * sizeof(CSSM_X509_ALGORITHM_IDENTIFIER *)); + algIds = localAuthPack.supportedCMSTypes; + for(dex=0; dexalgorithm, coder); + if(cms_types[dex].parameters.data != NULL) { + pkiKrb5DataToCssm(&cms_types[dex].parameters, + &algIds[dex]->parameters, coder); + } + else { + algIds[dex]->parameters.Data = NULL; + algIds[dex]->parameters.Length = 0; + } + } + algIds[num_cms_types] = NULL; } ortn = SecAsn1EncodeItem(coder, &localAuthPack, KRB5_AuthPackTemplate, &ber); if(ortn) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } - + if(pkiCssmDataToKrb5Data(&ber, auth_pack)) { - ourRtn = ENOMEM; + ourRtn = ENOMEM; } else { - auth_pack->magic = KV5M_AUTHENTICATOR; - ourRtn = 0; + auth_pack->magic = KV5M_AUTHENTICATOR; + ourRtn = 0; } errOut: SecAsn1CoderRelease(coder); @@ -242,102 +243,102 @@ errOut: * Decode AuthPack, public key version (no Diffie-Hellman components). */ krb5_error_code krb5int_pkinit_auth_pack_decode( - const krb5_data *auth_pack, /* DER encoded */ - krb5_timestamp *kctime, /* RETURNED */ - krb5_ui_4 *cusec, /* microseconds, RETURNED */ - krb5_ui_4 *nonce, /* RETURNED */ - krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */ - krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */ - krb5_ui_4 *num_cms_types) /* optionally RETURNED */ + const krb5_data *auth_pack, /* DER encoded */ + krb5_timestamp *kctime, /* RETURNED */ + krb5_ui_4 *cusec, /* microseconds, RETURNED */ + krb5_ui_4 *nonce, /* RETURNED */ + krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */ + krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */ + krb5_ui_4 *num_cms_types) /* optionally RETURNED */ { KRB5_AuthPack localAuthPack; SecAsn1CoderRef coder; CSSM_DATA der = {0, NULL}; krb5_error_code ourRtn = 0; CSSM_DATA *cksum = &localAuthPack.pkAuth.paChecksum; - + /* Decode --> localAuthPack */ if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } PKI_KRB_TO_CSSM_DATA(auth_pack, &der); memset(&localAuthPack, 0, sizeof(localAuthPack)); if(SecAsn1DecodeData(coder, &der, KRB5_AuthPackTemplate, &localAuthPack)) { - ourRtn = ASN1_BAD_FORMAT; - goto errOut; + ourRtn = ASN1_BAD_FORMAT; + goto errOut; } - + /* optionally Convert KRB5_AuthPack to caller's params */ if(kctime) { - if((ourRtn = pkiTimeStrToKrbTimestamp((char *)localAuthPack.pkAuth.kctime.Data, - localAuthPack.pkAuth.kctime.Length, kctime))) { - goto errOut; - } + if((ourRtn = pkiTimeStrToKrbTimestamp((char *)localAuthPack.pkAuth.kctime.Data, + localAuthPack.pkAuth.kctime.Length, kctime))) { + goto errOut; + } } if(cusec) { - if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.cusec, (krb5_int32 *)cusec))) { - goto errOut; - } + if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.cusec, (krb5_int32 *)cusec))) { + goto errOut; + } } if(nonce) { - if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.nonce, (krb5_int32 *)nonce))) { - goto errOut; - } + if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.nonce, (krb5_int32 *)nonce))) { + goto errOut; + } } if(pa_checksum) { - if(cksum->Length == 0) { - /* This is the unique error for "no paChecksum" */ - ourRtn = KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; - goto errOut; - } - else { - pa_checksum->contents = (krb5_octet *)malloc(cksum->Length); - if(pa_checksum->contents == NULL) { - ourRtn = ENOMEM; - goto errOut; - } - pa_checksum->length = cksum->Length; - memmove(pa_checksum->contents, cksum->Data, pa_checksum->length); - pa_checksum->magic = KV5M_CHECKSUM; - /* This used to be encoded with the checksum but no more... */ - pa_checksum->checksum_type = CKSUMTYPE_NIST_SHA; - } + if(cksum->Length == 0) { + /* This is the unique error for "no paChecksum" */ + ourRtn = KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; + goto errOut; + } + else { + pa_checksum->contents = (krb5_octet *)malloc(cksum->Length); + if(pa_checksum->contents == NULL) { + ourRtn = ENOMEM; + goto errOut; + } + pa_checksum->length = cksum->Length; + memmove(pa_checksum->contents, cksum->Data, pa_checksum->length); + pa_checksum->magic = KV5M_CHECKSUM; + /* This used to be encoded with the checksum but no more... */ + pa_checksum->checksum_type = CKSUMTYPE_NIST_SHA; + } } if(cms_types) { - if(localAuthPack.supportedCMSTypes == NULL) { - *cms_types = NULL; - *num_cms_types = 0; - } - else { - /* - * Convert NULL-terminated array of CSSM-style algIds to - * krb5int_algorithm_ids. - */ - unsigned dex; - unsigned num_types = 0; - CSSM_X509_ALGORITHM_IDENTIFIER **alg_ids; - krb5int_algorithm_id *kalg_ids; - - for(alg_ids=localAuthPack.supportedCMSTypes; - *alg_ids; - alg_ids++) { - num_types++; - } - *cms_types = kalg_ids = (krb5int_algorithm_id *)calloc(num_types, - sizeof(krb5int_algorithm_id)); - *num_cms_types = num_types; - alg_ids = localAuthPack.supportedCMSTypes; - for(dex=0; dexalgorithm.Data) { - pkiCssmDataToKrb5Data(&alg_ids[dex]->algorithm, - &kalg_ids[dex].algorithm); - } - if(alg_ids[dex]->parameters.Data) { - pkiCssmDataToKrb5Data(&alg_ids[dex]->parameters, - &kalg_ids[dex].parameters); - } - } - } + if(localAuthPack.supportedCMSTypes == NULL) { + *cms_types = NULL; + *num_cms_types = 0; + } + else { + /* + * Convert NULL-terminated array of CSSM-style algIds to + * krb5int_algorithm_ids. + */ + unsigned dex; + unsigned num_types = 0; + CSSM_X509_ALGORITHM_IDENTIFIER **alg_ids; + krb5int_algorithm_id *kalg_ids; + + for(alg_ids=localAuthPack.supportedCMSTypes; + *alg_ids; + alg_ids++) { + num_types++; + } + *cms_types = kalg_ids = (krb5int_algorithm_id *)calloc(num_types, + sizeof(krb5int_algorithm_id)); + *num_cms_types = num_types; + alg_ids = localAuthPack.supportedCMSTypes; + for(dex=0; dexalgorithm.Data) { + pkiCssmDataToKrb5Data(&alg_ids[dex]->algorithm, + &kalg_ids[dex].algorithm); + } + if(alg_ids[dex]->parameters.Data) { + pkiCssmDataToKrb5Data(&alg_ids[dex]->parameters, + &kalg_ids[dex].parameters); + } + } + } } ourRtn = 0; errOut: @@ -352,8 +353,8 @@ errOut: * CL in DER-encoded state. */ typedef struct { - CSSM_DATA derIssuer; - CSSM_DATA serialNumber; + CSSM_DATA derIssuer; + CSSM_DATA serialNumber; } KRB5_IssuerAndSerial; static const SecAsn1Template KRB5_IssuerAndSerialTemplate[] = { @@ -364,11 +365,11 @@ static const SecAsn1Template KRB5_IssuerAndSerialTemplate[] = { }; /* - * Given DER-encoded issuer and serial number, create an encoded + * Given DER-encoded issuer and serial number, create an encoded * IssuerAndSerialNumber. */ krb5_error_code krb5int_pkinit_issuer_serial_encode( - const krb5_data *issuer, /* DER encoded */ + const krb5_data *issuer, /* DER encoded */ const krb5_data *serial_num, krb5_data *issuer_and_serial) /* content mallocd and RETURNED */ { @@ -378,14 +379,14 @@ krb5_error_code krb5int_pkinit_issuer_serial_encode( OSStatus ortn; if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } PKI_KRB_TO_CSSM_DATA(issuer, &issuerSerial.derIssuer); PKI_KRB_TO_CSSM_DATA(serial_num, &issuerSerial.serialNumber); ortn = SecAsn1EncodeItem(coder, &issuerSerial, KRB5_IssuerAndSerialTemplate, &ber); if(ortn) { - ortn = ENOMEM; - goto errOut; + ortn = ENOMEM; + goto errOut; } ortn = pkiCssmDataToKrb5Data(&ber, issuer_and_serial); errOut: @@ -398,31 +399,31 @@ errOut: */ krb5_error_code krb5int_pkinit_issuer_serial_decode( const krb5_data *issuer_and_serial, /* DER encoded */ - krb5_data *issuer, /* DER encoded, RETURNED */ - krb5_data *serial_num) /* RETURNED */ + krb5_data *issuer, /* DER encoded, RETURNED */ + krb5_data *serial_num) /* RETURNED */ { KRB5_IssuerAndSerial issuerSerial; SecAsn1CoderRef coder; CSSM_DATA der = {issuer_and_serial->length, (uint8 *)issuer_and_serial->data}; krb5_error_code ourRtn = 0; - + /* Decode --> issuerSerial */ if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } memset(&issuerSerial, 0, sizeof(issuerSerial)); if(SecAsn1DecodeData(coder, &der, KRB5_IssuerAndSerialTemplate, &issuerSerial)) { - ourRtn = ASN1_BAD_FORMAT; - goto errOut; + ourRtn = ASN1_BAD_FORMAT; + goto errOut; } - + /* Convert KRB5_IssuerAndSerial to caller's params */ if((ourRtn = pkiCssmDataToKrb5Data(&issuerSerial.derIssuer, issuer))) { - goto errOut; + goto errOut; } if((ourRtn = pkiCssmDataToKrb5Data(&issuerSerial.serialNumber, serial_num))) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } errOut: @@ -432,29 +433,29 @@ errOut: #pragma mark ----- ExternalPrincipalIdentifier ----- -/* - * Shown here for completeness; this module only implements the - * issuerAndSerialNumber option. +/* + * Shown here for completeness; this module only implements the + * issuerAndSerialNumber option. */ typedef struct { - CSSM_DATA subjectName; /* [0] IMPLICIT OCTET STRING OPTIONAL */ - /* contents = encoded Name */ - CSSM_DATA issuerAndSerialNumber; /* [1] IMPLICIT OCTET STRING OPTIONAL */ - /* contents = encoded Issuer&Serial */ - CSSM_DATA subjectKeyIdentifier; /* [2] IMPLICIT OCTET STRING OPTIONAL */ - /* contents = encoded subjectKeyIdentifier extension */ + CSSM_DATA subjectName; /* [0] IMPLICIT OCTET STRING OPTIONAL */ + /* contents = encoded Name */ + CSSM_DATA issuerAndSerialNumber; /* [1] IMPLICIT OCTET STRING OPTIONAL */ + /* contents = encoded Issuer&Serial */ + CSSM_DATA subjectKeyIdentifier; /* [2] IMPLICIT OCTET STRING OPTIONAL */ + /* contents = encoded subjectKeyIdentifier extension */ } KRB5_ExternalPrincipalIdentifier; static const SecAsn1Template KRB5_ExternalPrincipalIdentifierTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_ExternalPrincipalIdentifier) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 0, - offsetof(KRB5_ExternalPrincipalIdentifier, subjectName), + offsetof(KRB5_ExternalPrincipalIdentifier, subjectName), kSecAsn1OctetStringTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 1, - offsetof(KRB5_ExternalPrincipalIdentifier, issuerAndSerialNumber), + offsetof(KRB5_ExternalPrincipalIdentifier, issuerAndSerialNumber), kSecAsn1OctetStringTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 2, - offsetof(KRB5_ExternalPrincipalIdentifier, subjectKeyIdentifier), + offsetof(KRB5_ExternalPrincipalIdentifier, subjectKeyIdentifier), kSecAsn1OctetStringTemplate }, { 0 } }; @@ -466,30 +467,30 @@ static const SecAsn1Template KRB5_SequenceOfExternalPrincipalIdentifierTemplate[ #pragma mark ----- PA-PK-AS-REQ ----- /* - * Top-level PA-PK-AS-REQ. All fields except for trusted_CAs are pre-encoded - * before we encode this and are still DER-encoded after we decode. + * Top-level PA-PK-AS-REQ. All fields except for trusted_CAs are pre-encoded + * before we encode this and are still DER-encoded after we decode. * The signedAuthPack and kdcPkId fields are wrapped in OCTET STRINGs - * during encode; we strip off the OCTET STRING wrappers during decode. + * during encode; we strip off the OCTET STRING wrappers during decode. */ typedef struct { - CSSM_DATA signedAuthPack; /* ContentInfo, SignedData */ - /* Content is KRB5_AuthPack */ + CSSM_DATA signedAuthPack; /* ContentInfo, SignedData */ + /* Content is KRB5_AuthPack */ KRB5_ExternalPrincipalIdentifier - **trusted_CAs; /* optional */ - CSSM_DATA kdcPkId; /* optional */ + **trusted_CAs; /* optional */ + CSSM_DATA kdcPkId; /* optional */ } KRB5_PA_PK_AS_REQ; static const SecAsn1Template KRB5_PA_PK_AS_REQTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PA_PK_AS_REQ) }, { SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(KRB5_PA_PK_AS_REQ, signedAuthPack), + offsetof(KRB5_PA_PK_AS_REQ, signedAuthPack), kSecAsn1OctetStringTemplate }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT | 1, - offsetof(KRB5_PA_PK_AS_REQ, trusted_CAs), + offsetof(KRB5_PA_PK_AS_REQ, trusted_CAs), KRB5_SequenceOfExternalPrincipalIdentifierTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2, - offsetof(KRB5_PA_PK_AS_REQ, kdcPkId), + offsetof(KRB5_PA_PK_AS_REQ, kdcPkId), kSecAsn1AnyTemplate }, { 0 } }; @@ -499,58 +500,58 @@ static const SecAsn1Template KRB5_PA_PK_AS_REQTemplate[] = { */ krb5_error_code krb5int_pkinit_pa_pk_as_req_encode( const krb5_data *signed_auth_pack, /* DER encoded ContentInfo */ - const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are - * DER-encoded issuer/serialNumbers. */ - krb5_ui_4 num_trusted_CAs, - const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */ - krb5_data *pa_pk_as_req) /* mallocd and RETURNED */ + const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are + * DER-encoded issuer/serialNumbers. */ + krb5_ui_4 num_trusted_CAs, + const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */ + krb5_data *pa_pk_as_req) /* mallocd and RETURNED */ { KRB5_PA_PK_AS_REQ req; SecAsn1CoderRef coder; CSSM_DATA ber = {0, NULL}; OSStatus ortn; unsigned dex; - + assert(signed_auth_pack != NULL); assert(pa_pk_as_req != NULL); if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } - + /* krb5_data ==> CSSM format */ - + memset(&req, 0, sizeof(req)); PKI_KRB_TO_CSSM_DATA(signed_auth_pack, &req.signedAuthPack); if(num_trusted_CAs) { - /* - * Set up a NULL-terminated array of KRB5_ExternalPrincipalIdentifier - * pointers. We malloc the actual KRB5_ExternalPrincipalIdentifiers as - * a contiguous array; it's in temp SecAsn1CoderRef memory. The referents - * are just dropped in from the caller's krb5_datas. - */ - KRB5_ExternalPrincipalIdentifier *cas = - (KRB5_ExternalPrincipalIdentifier *)SecAsn1Malloc(coder, - num_trusted_CAs * sizeof(KRB5_ExternalPrincipalIdentifier)); - req.trusted_CAs = - (KRB5_ExternalPrincipalIdentifier **) - pkiNssNullArray(num_trusted_CAs, coder); - for(dex=0; dex KRB5_PA_PK_AS_REQ */ if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } PKI_KRB_TO_CSSM_DATA(pa_pk_as_req, &der); memset(&asReq, 0, sizeof(asReq)); if(SecAsn1DecodeData(coder, &der, KRB5_PA_PK_AS_REQTemplate, &asReq)) { - ourRtn = ASN1_BAD_FORMAT; - goto errOut; + ourRtn = ASN1_BAD_FORMAT; + goto errOut; } /* Convert decoded results to caller's args; each is optional */ if(signed_auth_pack != NULL) { - if((ourRtn = pkiCssmDataToKrb5Data(&asReq.signedAuthPack, signed_auth_pack))) { - goto errOut; - } + if((ourRtn = pkiCssmDataToKrb5Data(&asReq.signedAuthPack, signed_auth_pack))) { + goto errOut; + } } if(asReq.trusted_CAs && (trusted_CAs != NULL)) { - /* NULL-terminated array of CSSM_DATA ptrs */ - unsigned numCas = pkiNssArraySize((const void **)asReq.trusted_CAs); - unsigned dex; - krb5_data *kdcCas; - - kdcCas = (krb5_data *)malloc(sizeof(krb5_data) * numCas); - if(kdcCas == NULL) { - ourRtn = ENOMEM; - goto errOut; - } - for(dex=0; dexissuerAndSerialNumber.Data) { - /* the only variant we support */ - pkiCssmDataToKrb5Data(&epi->issuerAndSerialNumber, &kdcCas[dex]); - } - } - *trusted_CAs = kdcCas; - *num_trusted_CAs = numCas; + /* NULL-terminated array of CSSM_DATA ptrs */ + unsigned numCas = pkiNssArraySize((const void **)asReq.trusted_CAs); + unsigned dex; + krb5_data *kdcCas; + + kdcCas = (krb5_data *)malloc(sizeof(krb5_data) * numCas); + if(kdcCas == NULL) { + ourRtn = ENOMEM; + goto errOut; + } + for(dex=0; dexissuerAndSerialNumber.Data) { + /* the only variant we support */ + pkiCssmDataToKrb5Data(&epi->issuerAndSerialNumber, &kdcCas[dex]); + } + } + *trusted_CAs = kdcCas; + *num_trusted_CAs = numCas; } if(asReq.kdcPkId.Data && kdc_cert) { - if((ourRtn = pkiCssmDataToKrb5Data(&asReq.kdcPkId, kdc_cert))) { - goto errOut; - } + if((ourRtn = pkiCssmDataToKrb5Data(&asReq.kdcPkId, kdc_cert))) { + goto errOut; + } } errOut: SecAsn1CoderRelease(coder); - return ourRtn; + return ourRtn; } #pragma mark ====== begin PA-PK-AS-REP components ====== typedef struct { CSSM_DATA subjectPublicKey; /* BIT STRING */ - CSSM_DATA nonce; /* from KRB5_PKAuthenticator.nonce */ - CSSM_DATA *expiration; /* optional UTC time */ + CSSM_DATA nonce; /* from KRB5_PKAuthenticator.nonce */ + CSSM_DATA *expiration; /* optional UTC time */ } KRB5_KDC_DHKeyInfo; typedef struct { - CSSM_DATA keyType; - CSSM_DATA keyValue; + CSSM_DATA keyType; + CSSM_DATA keyValue; } KRB5_EncryptionKey; static const SecAsn1Template KRB5_EncryptionKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_EncryptionKey) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0, - offsetof(KRB5_EncryptionKey, keyType), + offsetof(KRB5_EncryptionKey, keyType), kSecAsn1IntegerTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1, - offsetof(KRB5_EncryptionKey, keyValue), + offsetof(KRB5_EncryptionKey, keyValue), kSecAsn1OctetStringTemplate }, { 0 } }; #pragma mark ----- Checksum ----- - + typedef struct { CSSM_DATA checksumType; CSSM_DATA checksum; @@ -662,37 +663,37 @@ typedef struct { static const SecAsn1Template KRB5_ChecksumTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_Checksum) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0, - offsetof(KRB5_Checksum,checksumType), + offsetof(KRB5_Checksum,checksumType), kSecAsn1IntegerTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1, - offsetof(KRB5_Checksum,checksum), + offsetof(KRB5_Checksum,checksum), kSecAsn1OctetStringTemplate }, { 0 } }; typedef struct { KRB5_EncryptionKey encryptionKey; - KRB5_Checksum asChecksum; + KRB5_Checksum asChecksum; } KRB5_ReplyKeyPack; static const SecAsn1Template KRB5_ReplyKeyPackTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_ReplyKeyPack) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0, - offsetof(KRB5_ReplyKeyPack, encryptionKey), + offsetof(KRB5_ReplyKeyPack, encryptionKey), KRB5_EncryptionKeyTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1, - offsetof(KRB5_ReplyKeyPack,asChecksum), + offsetof(KRB5_ReplyKeyPack,asChecksum), KRB5_ChecksumTemplate }, { 0 } }; -/* +/* * Encode a ReplyKeyPack. The result is used as the Content of a SignedData. */ krb5_error_code krb5int_pkinit_reply_key_pack_encode( const krb5_keyblock *key_block, const krb5_checksum *checksum, - krb5_data *reply_key_pack) /* mallocd and RETURNED */ + krb5_data *reply_key_pack) /* mallocd and RETURNED */ { KRB5_ReplyKeyPack repKeyPack; SecAsn1CoderRef coder; @@ -701,28 +702,28 @@ krb5_error_code krb5int_pkinit_reply_key_pack_encode( OSStatus ortn; KRB5_EncryptionKey *encryptKey = &repKeyPack.encryptionKey; KRB5_Checksum *cksum = &repKeyPack.asChecksum; - + if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } memset(&repKeyPack, 0, sizeof(repKeyPack)); - + if((ourRtn = pkiIntToData(key_block->enctype, &encryptKey->keyType, coder))) { - goto errOut; + goto errOut; } encryptKey->keyValue.Length = key_block->length, - encryptKey->keyValue.Data = (uint8 *)key_block->contents; - + encryptKey->keyValue.Data = (uint8 *)key_block->contents; + if((ourRtn = pkiIntToData(checksum->checksum_type, &cksum->checksumType, coder))) { - goto errOut; + goto errOut; } cksum->checksum.Data = (uint8 *)checksum->contents; cksum->checksum.Length = checksum->length; ortn = SecAsn1EncodeItem(coder, &repKeyPack, KRB5_ReplyKeyPackTemplate, &der); if(ortn) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } ourRtn = pkiCssmDataToKrb5Data(&der, reply_key_pack); errOut: @@ -730,13 +731,13 @@ errOut: return ourRtn; } -/* +/* * Decode a ReplyKeyPack. */ krb5_error_code krb5int_pkinit_reply_key_pack_decode( - const krb5_data *reply_key_pack, + const krb5_data *reply_key_pack, krb5_keyblock *key_block, /* RETURNED */ - krb5_checksum *checksum) /* contents mallocd and RETURNED */ + krb5_checksum *checksum) /* contents mallocd and RETURNED */ { KRB5_ReplyKeyPack repKeyPack; SecAsn1CoderRef coder; @@ -745,33 +746,33 @@ krb5_error_code krb5int_pkinit_reply_key_pack_decode( CSSM_DATA der = {reply_key_pack->length, (uint8 *)reply_key_pack->data}; krb5_data tmpData; KRB5_Checksum *cksum = &repKeyPack.asChecksum; - + /* Decode --> KRB5_ReplyKeyPack */ if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } memset(&repKeyPack, 0, sizeof(repKeyPack)); if(SecAsn1DecodeData(coder, &der, KRB5_ReplyKeyPackTemplate, &repKeyPack)) { - ourRtn = ASN1_BAD_FORMAT; - goto errOut; + ourRtn = ASN1_BAD_FORMAT; + goto errOut; } - + if((ourRtn = pkiDataToInt(&encryptKey->keyType, (krb5_int32 *)&key_block->enctype))) { - goto errOut; + goto errOut; } if((ourRtn = pkiCssmDataToKrb5Data(&encryptKey->keyValue, &tmpData))) { - goto errOut; + goto errOut; } key_block->contents = (krb5_octet *)tmpData.data; key_block->length = tmpData.length; - + if((ourRtn = pkiDataToInt(&cksum->checksumType, &checksum->checksum_type))) { - goto errOut; + goto errOut; } checksum->contents = (krb5_octet *)malloc(cksum->checksum.Length); if(checksum->contents == NULL) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } checksum->length = cksum->checksum.Length; memmove(checksum->contents, cksum->checksum.Data, checksum->length); @@ -788,58 +789,58 @@ errOut: * Top-level PA-PK-AS-REP. Exactly one of the optional fields must be present. */ typedef struct { - CSSM_DATA *dhSignedData; /* ContentInfo, SignedData */ - /* Content is KRB5_KDC_DHKeyInfo */ - CSSM_DATA *encKeyPack; /* ContentInfo, SignedData */ - /* Content is ReplyKeyPack */ + CSSM_DATA *dhSignedData; /* ContentInfo, SignedData */ + /* Content is KRB5_KDC_DHKeyInfo */ + CSSM_DATA *encKeyPack; /* ContentInfo, SignedData */ + /* Content is ReplyKeyPack */ } KRB5_PA_PK_AS_REP; - + static const SecAsn1Template KRB5_PA_PK_AS_REPTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PA_PK_AS_REP) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | 0, - offsetof(KRB5_PA_PK_AS_REP, dhSignedData), + offsetof(KRB5_PA_PK_AS_REP, dhSignedData), kSecAsn1PointerToAnyTemplate }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | 1, - offsetof(KRB5_PA_PK_AS_REP, encKeyPack), + offsetof(KRB5_PA_PK_AS_REP, encKeyPack), kSecAsn1PointerToAnyTemplate }, { 0 } }; -/* +/* * Encode a KRB5_PA_PK_AS_REP. */ krb5_error_code krb5int_pkinit_pa_pk_as_rep_encode( - const krb5_data *dh_signed_data, - const krb5_data *enc_key_pack, + const krb5_data *dh_signed_data, + const krb5_data *enc_key_pack, krb5_data *pa_pk_as_rep) /* mallocd and RETURNED */ { KRB5_PA_PK_AS_REP asRep; SecAsn1CoderRef coder; krb5_error_code ourRtn = 0; - CSSM_DATA der = {0, NULL}; - OSStatus ortn; - CSSM_DATA dhSignedData; - CSSM_DATA encKeyPack; - + CSSM_DATA der = {0, NULL}; + OSStatus ortn; + CSSM_DATA dhSignedData; + CSSM_DATA encKeyPack; + if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } memset(&asRep, 0, sizeof(asRep)); if(dh_signed_data) { - PKI_KRB_TO_CSSM_DATA(dh_signed_data, &dhSignedData); - asRep.dhSignedData = &dhSignedData; + PKI_KRB_TO_CSSM_DATA(dh_signed_data, &dhSignedData); + asRep.dhSignedData = &dhSignedData; } if(enc_key_pack) { - PKI_KRB_TO_CSSM_DATA(enc_key_pack, &encKeyPack); - asRep.encKeyPack = &encKeyPack; + PKI_KRB_TO_CSSM_DATA(enc_key_pack, &encKeyPack); + asRep.encKeyPack = &encKeyPack; } ortn = SecAsn1EncodeItem(coder, &asRep, KRB5_PA_PK_AS_REPTemplate, &der); if(ortn) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } ourRtn = pkiCssmDataToKrb5Data(&der, pa_pk_as_rep); @@ -848,38 +849,38 @@ errOut: return ourRtn; } -/* +/* * Decode a KRB5_PA_PK_AS_REP. */ krb5_error_code krb5int_pkinit_pa_pk_as_rep_decode( const krb5_data *pa_pk_as_rep, - krb5_data *dh_signed_data, + krb5_data *dh_signed_data, krb5_data *enc_key_pack) { KRB5_PA_PK_AS_REP asRep; SecAsn1CoderRef coder; CSSM_DATA der = {pa_pk_as_rep->length, (uint8 *)pa_pk_as_rep->data}; krb5_error_code ourRtn = 0; - + /* Decode --> KRB5_PA_PK_AS_REP */ if(SecAsn1CoderCreate(&coder)) { - return ENOMEM; + return ENOMEM; } memset(&asRep, 0, sizeof(asRep)); if(SecAsn1DecodeData(coder, &der, KRB5_PA_PK_AS_REPTemplate, &asRep)) { - ourRtn = ASN1_BAD_FORMAT; - goto errOut; + ourRtn = ASN1_BAD_FORMAT; + goto errOut; } - + if(asRep.dhSignedData) { - if((ourRtn = pkiCssmDataToKrb5Data(asRep.dhSignedData, dh_signed_data))) { - goto errOut; - } + if((ourRtn = pkiCssmDataToKrb5Data(asRep.dhSignedData, dh_signed_data))) { + goto errOut; + } } if(asRep.encKeyPack) { - ourRtn = pkiCssmDataToKrb5Data(asRep.encKeyPack, enc_key_pack); + ourRtn = pkiCssmDataToKrb5Data(asRep.encKeyPack, enc_key_pack); } - + errOut: SecAsn1CoderRelease(coder); return ourRtn; @@ -904,51 +905,51 @@ krb5_error_code krb5int_pkinit_get_issuer_serial( krb5_data krb_issuer; uint32 numFields; krb5_error_code ourRtn = 0; - + CSSM_CL_HANDLE clHand = pkiClStartup(); if(clHand == 0) { - return CSSMERR_CSSM_ADDIN_LOAD_FAILED; + return CSSMERR_CSSM_ADDIN_LOAD_FAILED; } /* subsequent errors to errOut: */ - + crtn = CSSM_CL_CertCache(clHand, &certData, &cacheHand); if(crtn) { - pkiCssmErr("CSSM_CL_CertCache", crtn); - ourRtn = ASN1_PARSE_ERROR; - goto errOut; + pkiCssmErr("CSSM_CL_CertCache", crtn); + ourRtn = ASN1_PARSE_ERROR; + goto errOut; } - + /* obtain the two fields; issuer is DER encoded */ crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand, - &CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer); + &CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer); if(crtn) { - pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn); - ourRtn = ASN1_PARSE_ERROR; - goto errOut; + pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn); + ourRtn = ASN1_PARSE_ERROR; + goto errOut; } crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand, - &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial); + &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial); if(crtn) { - pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn); - ourRtn = ASN1_PARSE_ERROR; - goto errOut; + pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn); + ourRtn = ASN1_PARSE_ERROR; + goto errOut; } PKI_CSSM_TO_KRB_DATA(derIssuer, &krb_issuer); PKI_CSSM_TO_KRB_DATA(serial, &krb_serial); ourRtn = krb5int_pkinit_issuer_serial_encode(&krb_issuer, &krb_serial, issuer_and_serial); - + errOut: if(derIssuer) { - CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer); + CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer); } if(serial) { - CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial); + CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial); } if(cacheHand) { - CSSM_CL_CertAbortCache(clHand, cacheHand); + CSSM_CL_CertAbortCache(clHand, cacheHand); } if(clHand) { - pkiClDetachUnload(clHand); + pkiClDetachUnload(clHand); } return ourRtn; } diff --git a/src/lib/krb5/krb/pkinit_apple_cert_store.c b/src/lib/krb5/krb/pkinit_apple_cert_store.c index 449f1cc99..2bcbd4458 100644 --- a/src/lib/krb5/krb/pkinit_apple_cert_store.c +++ b/src/lib/krb5/krb/pkinit_apple_cert_store.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved. * @@ -24,12 +25,12 @@ */ /* - * pkinit_apple_cert_store.c - PKINIT certificate storage/retrieval utilities, - * MAC OS X version + * pkinit_apple_cert_store.c - PKINIT certificate storage/retrieval utilities, + * MAC OS X version * * Created 26 May 2004 by Doug Mitchell at Apple. */ - + #if APPLE_PKINIT #include "pkinit_cert_store.h" @@ -49,24 +50,24 @@ * key = kPkinitClientCertKey * appID = kPkinitClientCertApp * username = kCFPreferencesCurrentUser - * hostname = kCFPreferencesAnyHost + * hostname = kCFPreferencesAnyHost * * The stored property list is a CFDictionary. Keys in the dictionary are - * principal names (e.g. foobar@REALM.LOCAL). + * principal names (e.g. foobar@REALM.LOCAL). * * Values in the dictionary are raw data containing the DER-encoded issuer and - * serial number of the certificate. + * serial number of the certificate. * * When obtaining a PKINIT cert, if an entry in the CFDictionary for the specified * principal is not found, the entry for the default will be used if it's there. */ -/* - * NOTE: ANSI C code requires an Apple-Custom -fconstant-cfstrings CFLAGS to - * use CFSTR in a const declaration so we just declare the C strings here. +/* + * NOTE: ANSI C code requires an Apple-Custom -fconstant-cfstrings CFLAGS to + * use CFSTR in a const declaration so we just declare the C strings here. */ -#define kPkinitClientCertKey "KRBClientCert" -#define kPkinitClientCertApp "edu.mit.Kerberos.pkinit" +#define kPkinitClientCertKey "KRBClientCert" +#define kPkinitClientCertApp "edu.mit.Kerberos.pkinit" /* * KDC cert stored in this keychain. It's linked to systemkeychain so that if @@ -74,43 +75,43 @@ */ #define KDC_KEYCHAIN "/var/db/krb5kdc/kdc.keychain" -/* +/* * Given a certificate, obtain the DER-encoded issuer and serial number. Result - * is mallocd and must be freed by caller. + * is mallocd and must be freed by caller. */ static OSStatus pkinit_get_cert_issuer_sn( - SecCertificateRef certRef, - CSSM_DATA *issuerSerial) /* mallocd and RETURNED */ + SecCertificateRef certRef, + CSSM_DATA *issuerSerial) /* mallocd and RETURNED */ { OSStatus ortn; CSSM_DATA certData; krb5_data INIT_KDATA(issuerSerialKrb); krb5_data certDataKrb; krb5_error_code krtn; - + assert(certRef != NULL); assert(issuerSerial != NULL); - + ortn = SecCertificateGetData(certRef, &certData); if(ortn) { - pkiCssmErr("SecCertificateGetData", ortn); - return ortn; + pkiCssmErr("SecCertificateGetData", ortn); + return ortn; } PKI_CSSM_TO_KRB_DATA(&certData, &certDataKrb); krtn = krb5int_pkinit_get_issuer_serial(&certDataKrb, &issuerSerialKrb); if(krtn) { - return CSSMERR_CL_INVALID_DATA; + return CSSMERR_CL_INVALID_DATA; } PKI_KRB_TO_CSSM_DATA(&issuerSerialKrb, issuerSerial); return noErr; } -/* +/* * Determine if specified identity's cert's issuer and serial number match the * provided issuer and serial number. Returns nonzero on match, else returns zero. */ static int pkinit_issuer_sn_match( - SecIdentityRef idRef, + SecIdentityRef idRef, const CSSM_DATA *matchIssuerSerial) { OSStatus ortn; @@ -120,87 +121,87 @@ static int pkinit_issuer_sn_match( assert(idRef != NULL); assert(matchIssuerSerial != NULL); - + /* Get this cert's issuer/serial number */ ortn = SecIdentityCopyCertificate(idRef, &certRef); if(ortn) { - pkiCssmErr("SecIdentityCopyCertificate", ortn); - return 0; + pkiCssmErr("SecIdentityCopyCertificate", ortn); + return 0; } /* subsequent errors to errOut: */ ortn = pkinit_get_cert_issuer_sn(certRef, &certIssuerSerial); if(ortn) { - pkiCssmErr("SecIdentityCopyCertificate", ortn); - goto errOut; + pkiCssmErr("SecIdentityCopyCertificate", ortn); + goto errOut; } ourRtn = pkiCompareCssmData(matchIssuerSerial, &certIssuerSerial) ? 1 : 0; errOut: if(certRef != NULL) { - CFRelease(certRef); + CFRelease(certRef); } if(certIssuerSerial.Data != NULL) { - free(certIssuerSerial.Data); + free(certIssuerSerial.Data); } return ourRtn; } /* * Search specified keychain/array/NULL (NULL meaning the default search list) for - * an Identity matching specified key usage and optional Issuer/Serial number. + * an Identity matching specified key usage and optional Issuer/Serial number. * If issuer/serial is specified and no identities match, or if no identities found * matching specified Key usage, errSecItemNotFound is returned. * - * Caller must CFRelease a non-NULL returned idRef. + * Caller must CFRelease a non-NULL returned idRef. */ static OSStatus pkinit_search_ident( - CFTypeRef keychainOrArray, - CSSM_KEYUSE keyUsage, + CFTypeRef keychainOrArray, + CSSM_KEYUSE keyUsage, const CSSM_DATA *issuerSerial, /* optional */ - SecIdentityRef *foundId) /* RETURNED */ + SecIdentityRef *foundId) /* RETURNED */ { OSStatus ortn; SecIdentityRef idRef = NULL; SecIdentitySearchRef srchRef = NULL; - + ortn = SecIdentitySearchCreate(keychainOrArray, keyUsage, &srchRef); if(ortn) { - pkiCssmErr("SecIdentitySearchCreate", ortn); - return ortn; + pkiCssmErr("SecIdentitySearchCreate", ortn); + return ortn; } do { - ortn = SecIdentitySearchCopyNext(srchRef, &idRef); - if(ortn != noErr) { - break; - } - if(issuerSerial == NULL) { - /* no match needed, we're done - this is the KDC cert case */ - break; - } - else if(pkinit_issuer_sn_match(idRef, issuerSerial)) { - /* match, we're done */ - break; - } - /* finished with this one */ - CFRelease(idRef); - idRef = NULL; + ortn = SecIdentitySearchCopyNext(srchRef, &idRef); + if(ortn != noErr) { + break; + } + if(issuerSerial == NULL) { + /* no match needed, we're done - this is the KDC cert case */ + break; + } + else if(pkinit_issuer_sn_match(idRef, issuerSerial)) { + /* match, we're done */ + break; + } + /* finished with this one */ + CFRelease(idRef); + idRef = NULL; } while(ortn == noErr); - + CFRelease(srchRef); if(idRef == NULL) { - return errSecItemNotFound; + return errSecItemNotFound; } else { - *foundId = idRef; - return noErr; + *foundId = idRef; + return noErr; } } /* - * In Mac OS terms, get the keychain on which a given identity resides. + * In Mac OS terms, get the keychain on which a given identity resides. */ static krb5_error_code pkinit_cert_to_db( krb5_pkinit_signing_cert_t idRef, - krb5_pkinit_cert_db_t *dbRef) + krb5_pkinit_cert_db_t *dbRef) { SecKeychainRef kcRef = NULL; SecKeyRef keyRef = NULL; @@ -209,38 +210,38 @@ static krb5_error_code pkinit_cert_to_db( /* that's an identity - get the associated key's keychain */ ortn = SecIdentityCopyPrivateKey((SecIdentityRef)idRef, &keyRef); if(ortn) { - pkiCssmErr("SecIdentityCopyPrivateKey", ortn); - return ortn; + pkiCssmErr("SecIdentityCopyPrivateKey", ortn); + return ortn; } ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)keyRef, &kcRef); if(ortn) { - pkiCssmErr("SecKeychainItemCopyKeychain", ortn); + pkiCssmErr("SecKeychainItemCopyKeychain", ortn); } else { - *dbRef = (krb5_pkinit_cert_db_t)kcRef; + *dbRef = (krb5_pkinit_cert_db_t)kcRef; } CFRelease(keyRef); return ortn; } -/* - * Obtain the CFDictionary representing this user's PKINIT client cert prefs, if it - * exists. Returns noErr or errSecItemNotFound as appropriate. +/* + * Obtain the CFDictionary representing this user's PKINIT client cert prefs, if it + * exists. Returns noErr or errSecItemNotFound as appropriate. */ static OSStatus pkinit_get_pref_dict( CFDictionaryRef *dict) { CFDictionaryRef theDict; theDict = (CFDictionaryRef)CFPreferencesCopyValue(CFSTR(kPkinitClientCertKey), - CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost); + CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost); if(theDict == NULL) { - pkiDebug("pkinit_get_pref_dict: no kPkinitClientCertKey\n"); - return errSecItemNotFound; + pkiDebug("pkinit_get_pref_dict: no kPkinitClientCertKey\n"); + return errSecItemNotFound; } if(CFGetTypeID(theDict) != CFDictionaryGetTypeID()) { - pkiDebug("pkinit_get_pref_dict: bad kPkinitClientCertKey pref\n"); - CFRelease(theDict); - return errSecItemNotFound; + pkiDebug("pkinit_get_pref_dict: bad kPkinitClientCertKey pref\n"); + CFRelease(theDict); + return errSecItemNotFound; } *dict = theDict; return noErr; @@ -249,12 +250,12 @@ static OSStatus pkinit_get_pref_dict( #pragma mark --- Public client side functions --- /* - * Obtain signing cert for specified principal. On successful return, + * Obtain signing cert for specified principal. On successful return, * caller must eventually release the cert with krb5_pkinit_release_cert(). */ krb5_error_code krb5_pkinit_get_client_cert( - const char *principal, /* full principal string */ - krb5_pkinit_signing_cert_t *client_cert) + const char *principal, /* full principal string */ + krb5_pkinit_signing_cert_t *client_cert) { CFDataRef issuerSerial = NULL; CSSM_DATA issuerSerialData; @@ -263,74 +264,74 @@ krb5_error_code krb5_pkinit_get_client_cert( CFDictionaryRef theDict = NULL; CFStringRef cfPrinc = NULL; krb5_error_code ourRtn = 0; - + if(principal == NULL) { - return KRB5_PRINC_NOMATCH; + return KRB5_PRINC_NOMATCH; } - + /* Is there a stored preference for PKINIT certs for this user? */ ortn = pkinit_get_pref_dict(&theDict); if(ortn) { - return KRB5_PRINC_NOMATCH; + return KRB5_PRINC_NOMATCH; } - + /* Entry in the dictionary for specified principal? */ - cfPrinc = CFStringCreateWithCString(NULL, principal, + cfPrinc = CFStringCreateWithCString(NULL, principal, kCFStringEncodingASCII); issuerSerial = (CFDataRef)CFDictionaryGetValue(theDict, cfPrinc); CFRelease(cfPrinc); if(issuerSerial == NULL) { - pkiDebug("krb5_pkinit_get_client_cert: no identity found\n"); - ourRtn = KRB5_PRINC_NOMATCH; - goto errOut; + pkiDebug("krb5_pkinit_get_client_cert: no identity found\n"); + ourRtn = KRB5_PRINC_NOMATCH; + goto errOut; } if(CFGetTypeID(issuerSerial) != CFDataGetTypeID()) { - pkiDebug("krb5_pkinit_get_client_cert: bad kPkinitClientCertKey value\n"); - ourRtn = KRB5_PRINC_NOMATCH; - goto errOut; + pkiDebug("krb5_pkinit_get_client_cert: bad kPkinitClientCertKey value\n"); + ourRtn = KRB5_PRINC_NOMATCH; + goto errOut; } - + issuerSerialData.Data = (uint8 *)CFDataGetBytePtr(issuerSerial); issuerSerialData.Length = CFDataGetLength(issuerSerial); - + /* find a cert with that issuer/serial number in default search list */ - ortn = pkinit_search_ident(NULL, CSSM_KEYUSE_SIGN | CSSM_KEYUSE_ENCRYPT, - &issuerSerialData, &idRef); + ortn = pkinit_search_ident(NULL, CSSM_KEYUSE_SIGN | CSSM_KEYUSE_ENCRYPT, + &issuerSerialData, &idRef); if(ortn) { - pkiDebug("krb5_pkinit_get_client_cert: no identity found!\n"); - pkiCssmErr("pkinit_search_ident", ortn); - ourRtn = KRB5_PRINC_NOMATCH; + pkiDebug("krb5_pkinit_get_client_cert: no identity found!\n"); + pkiCssmErr("pkinit_search_ident", ortn); + ourRtn = KRB5_PRINC_NOMATCH; } else { - *client_cert = (krb5_pkinit_signing_cert_t)idRef; + *client_cert = (krb5_pkinit_signing_cert_t)idRef; } errOut: if(theDict) { - CFRelease(theDict); + CFRelease(theDict); } return ourRtn; } -/* +/* * Determine if the specified client has a signing cert. Returns TRUE * if so, else returns FALSE. */ krb5_boolean krb5_pkinit_have_client_cert( - const char *principal) /* full principal string */ + const char *principal) /* full principal string */ { krb5_pkinit_signing_cert_t signing_cert = NULL; krb5_error_code krtn; - + krtn = krb5_pkinit_get_client_cert(principal, &signing_cert); if(krtn) { - return FALSE; + return FALSE; } if(signing_cert != NULL) { - krb5_pkinit_release_cert(signing_cert); - return TRUE; + krb5_pkinit_release_cert(signing_cert); + return TRUE; } else { - return FALSE; + return FALSE; } } @@ -341,8 +342,8 @@ krb5_boolean krb5_pkinit_have_client_cert( * in the cert storage. */ krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert( - const char *principal, /* full principal string */ - krb5_pkinit_signing_cert_t client_cert) + const char *principal, /* full principal string */ + krb5_pkinit_signing_cert_t client_cert) { SecIdentityRef idRef = (SecIdentityRef)client_cert; SecCertificateRef certRef = NULL; @@ -350,22 +351,22 @@ krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert( krb5_error_code ourRtn = 0; if (NULL != idRef) { - if (CFGetTypeID(idRef) != SecIdentityGetTypeID()) { - ourRtn = KRB5KRB_ERR_GENERIC; - goto fin; - } - /* Get the cert */ - ortn = SecIdentityCopyCertificate(idRef, &certRef); - if (ortn) { - pkiCssmErr("SecIdentityCopyCertificate", ortn); - ourRtn = KRB5KRB_ERR_GENERIC; - goto fin; - } + if (CFGetTypeID(idRef) != SecIdentityGetTypeID()) { + ourRtn = KRB5KRB_ERR_GENERIC; + goto fin; + } + /* Get the cert */ + ortn = SecIdentityCopyCertificate(idRef, &certRef); + if (ortn) { + pkiCssmErr("SecIdentityCopyCertificate", ortn); + ourRtn = KRB5KRB_ERR_GENERIC; + goto fin; + } } ourRtn = krb5_pkinit_set_client_cert(principal, (krb5_pkinit_cert_t)certRef); fin: if (certRef) - CFRelease(certRef); + CFRelease(certRef); return ourRtn; } @@ -377,8 +378,8 @@ fin: * in the cert storage. */ krb5_error_code krb5_pkinit_set_client_cert( - const char *principal, /* full principal string */ - krb5_pkinit_cert_t client_cert) + const char *principal, /* full principal string */ + krb5_pkinit_cert_t client_cert) { SecCertificateRef certRef = (SecCertificateRef)client_cert; OSStatus ortn; @@ -388,108 +389,108 @@ krb5_error_code krb5_pkinit_set_client_cert( CFMutableDictionaryRef newDict = NULL; CFStringRef keyStr = NULL; krb5_error_code ourRtn = 0; - + if(certRef != NULL) { - if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) { - return KRB5KRB_ERR_GENERIC; - } - - /* Cook up DER-encoded issuer/serial number */ - ortn = pkinit_get_cert_issuer_sn(certRef, &issuerSerial); - if(ortn) { - ourRtn = KRB5KRB_ERR_GENERIC; - goto errOut; - } - } - - /* + if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) { + return KRB5KRB_ERR_GENERIC; + } + + /* Cook up DER-encoded issuer/serial number */ + ortn = pkinit_get_cert_issuer_sn(certRef, &issuerSerial); + if(ortn) { + ourRtn = KRB5KRB_ERR_GENERIC; + goto errOut; + } + } + + /* * Obtain the existing pref for kPkinitClientCertKey as a CFDictionary, or - * cook up a new one. + * cook up a new one. */ ortn = pkinit_get_pref_dict(&existDict); if(ortn == noErr) { - /* dup to a mutable dictionary */ - newDict = CFDictionaryCreateMutableCopy(NULL, 0, existDict); + /* dup to a mutable dictionary */ + newDict = CFDictionaryCreateMutableCopy(NULL, 0, existDict); } else { - if(certRef == NULL) { - /* no existing entry, nothing to delete, we're done */ - return 0; - } - newDict = CFDictionaryCreateMutable(NULL, 0, - &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if(certRef == NULL) { + /* no existing entry, nothing to delete, we're done */ + return 0; + } + newDict = CFDictionaryCreateMutable(NULL, 0, + &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); } if(newDict == NULL) { - ourRtn = ENOMEM; - goto errOut; + ourRtn = ENOMEM; + goto errOut; } /* issuer / serial number ==> that dictionary */ keyStr = CFStringCreateWithCString(NULL, principal, kCFStringEncodingASCII); if(certRef == NULL) { - CFDictionaryRemoveValue(newDict, keyStr); + CFDictionaryRemoveValue(newDict, keyStr); } else { - cfIssuerSerial = CFDataCreate(NULL, issuerSerial.Data, issuerSerial.Length); - CFDictionarySetValue(newDict, keyStr, cfIssuerSerial); + cfIssuerSerial = CFDataCreate(NULL, issuerSerial.Data, issuerSerial.Length); + CFDictionarySetValue(newDict, keyStr, cfIssuerSerial); } - + /* dictionary ==> prefs */ - CFPreferencesSetValue(CFSTR(kPkinitClientCertKey), newDict, - CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost); - if(CFPreferencesSynchronize(CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, - kCFPreferencesAnyHost)) { - ourRtn = 0; + CFPreferencesSetValue(CFSTR(kPkinitClientCertKey), newDict, + CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost); + if(CFPreferencesSynchronize(CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, + kCFPreferencesAnyHost)) { + ourRtn = 0; } else { - ourRtn = EACCES; /* any better ideas? */ + ourRtn = EACCES; /* any better ideas? */ } errOut: if(cfIssuerSerial) { - CFRelease(cfIssuerSerial); + CFRelease(cfIssuerSerial); } if(issuerSerial.Data) { - free(issuerSerial.Data); + free(issuerSerial.Data); } if(existDict) { - CFRelease(existDict); + CFRelease(existDict); } if(newDict) { - CFRelease(newDict); + CFRelease(newDict); } if(keyStr) { - CFRelease(keyStr); + CFRelease(keyStr); } return ourRtn; } -/* +/* * Obtain a reference to the client's cert database. Specify either principal * name or client_cert as obtained from krb5_pkinit_get_client_cert(). */ krb5_error_code krb5_pkinit_get_client_cert_db( - const char *principal, /* full principal string */ - krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */ - krb5_pkinit_cert_db_t *client_cert_db)/* RETURNED */ + const char *principal, /* full principal string */ + krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */ + krb5_pkinit_cert_db_t *client_cert_db)/* RETURNED */ { krb5_error_code krtn; krb5_pkinit_signing_cert_t local_cert; - + assert((client_cert != NULL) || (principal != NULL)); if(client_cert == NULL) { - /* caller didn't provide, look it up */ - krtn = krb5_pkinit_get_client_cert(principal, &local_cert); - if(krtn) { - return krtn; - } + /* caller didn't provide, look it up */ + krtn = krb5_pkinit_get_client_cert(principal, &local_cert); + if(krtn) { + return krtn; + } } else { - /* easy case */ - local_cert = client_cert; + /* easy case */ + local_cert = client_cert; } krtn = pkinit_cert_to_db(local_cert, client_cert_db); if(client_cert == NULL) { - krb5_pkinit_release_cert(local_cert); + krb5_pkinit_release_cert(local_cert); } return krtn; } @@ -503,28 +504,28 @@ krb5_error_code krb5_pkinit_get_client_cert_db( * The client_spec argument is typically provided by the client as kdcPkId. */ krb5_error_code krb5_pkinit_get_kdc_cert( - krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */ - krb5_data *trusted_CAs, /* optional */ - krb5_data *client_spec, /* optional */ + krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */ + krb5_data *trusted_CAs, /* optional */ + krb5_data *client_spec, /* optional */ krb5_pkinit_signing_cert_t *kdc_cert) { SecIdentityRef idRef = NULL; OSStatus ortn; krb5_error_code ourRtn = 0; - + /* OS X: trusted_CAs and client_spec ignored */ - + ortn = SecIdentityCopySystemIdentity(kSecIdentityDomainKerberosKDC, - &idRef, NULL); + &idRef, NULL); if(ortn) { - pkiCssmErr("SecIdentityCopySystemIdentity", ortn); - return KRB5_PRINC_NOMATCH; + pkiCssmErr("SecIdentityCopySystemIdentity", ortn); + return KRB5_PRINC_NOMATCH; } *kdc_cert = (krb5_pkinit_signing_cert_t)idRef; return ourRtn; } -/* +/* * Obtain a reference to the KDC's cert database. */ krb5_error_code krb5_pkinit_get_kdc_cert_db( @@ -532,10 +533,10 @@ krb5_error_code krb5_pkinit_get_kdc_cert_db( { krb5_pkinit_signing_cert_t kdcCert = NULL; krb5_error_code krtn; - + krtn = krb5_pkinit_get_kdc_cert(0, NULL, NULL, &kdcCert); if(krtn) { - return krtn; + return krtn; } krtn = pkinit_cert_to_db(kdcCert, kdc_cert_db); krb5_pkinit_release_cert(kdcCert); @@ -550,7 +551,7 @@ void krb5_pkinit_release_cert( krb5_pkinit_signing_cert_t cert) { if(cert == NULL) { - return; + return; } CFRelease((CFTypeRef)cert); } @@ -560,18 +561,18 @@ void krb5_pkinit_release_cert( * krb5_pkinit_get_kdc_cert_db(). */ extern void krb5_pkinit_release_cert_db( - krb5_pkinit_cert_db_t cert_db) + krb5_pkinit_cert_db_t cert_db) { if(cert_db == NULL) { - return; + return; } CFRelease((CFTypeRef)cert_db); } -/* - * Obtain a mallocd C-string representation of a certificate's SHA1 digest. - * Only error is a NULL return indicating memory failure. +/* + * Obtain a mallocd C-string representation of a certificate's SHA1 digest. + * Only error is a NULL return indicating memory failure. * Caller must free the returned string. */ char *krb5_pkinit_cert_hash_str( @@ -582,37 +583,37 @@ char *krb5_pkinit_cert_hash_str( char *cpOut; unsigned char digest[CC_SHA1_DIGEST_LENGTH]; unsigned dex; - + assert(cert != NULL); CC_SHA1_Init(&ctx); CC_SHA1_Update(&ctx, cert->data, cert->length); CC_SHA1_Final(digest, &ctx); - + outstr = (char *)malloc((2 * CC_SHA1_DIGEST_LENGTH) + 1); if(outstr == NULL) { - return NULL; + return NULL; } cpOut = outstr; for(dex=0; dex #include -/* - * Custom OIDS to specify as eContentType +/* + * Custom OIDS to specify as eContentType */ -#define OID_PKINIT 0x2B, 6, 1, 5, 2, 3 -#define OID_PKINIT_LEN 6 +#define OID_PKINIT 0x2B, 6, 1, 5, 2, 3 +#define OID_PKINIT_LEN 6 -static const uint8 OID_PKINIT_AUTH_DATA[] = {OID_PKINIT, 1}; -static const uint8 OID_PKINIT_RKEY_DATA[] = {OID_PKINIT, 3}; +static const uint8 OID_PKINIT_AUTH_DATA[] = {OID_PKINIT, 1}; +static const uint8 OID_PKINIT_RKEY_DATA[] = {OID_PKINIT, 3}; /* these may go public so keep these symbols private */ -static const CSSM_OID _CSSMOID_PKINIT_AUTH_DATA = - {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA}; -static const CSSM_OID _CSSMOID_PKINIT_RKEY_DATA = - {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA}; +static const CSSM_OID _CSSMOID_PKINIT_AUTH_DATA = +{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA}; +static const CSSM_OID _CSSMOID_PKINIT_RKEY_DATA = +{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA}; #pragma mark ----- CMS utilities ---- @@ -69,26 +70,26 @@ static krb5int_cert_sig_status pkiCertSigStatus( OSStatus certStatus) { switch(certStatus) { - case CSSM_OK: - return pki_cs_good; - case CSSMERR_CSP_VERIFY_FAILED: - return pki_cs_sig_verify_fail; - case CSSMERR_TP_NOT_TRUSTED: - return pki_cs_no_root; - case CSSMERR_TP_INVALID_ANCHOR_CERT: - return pki_cs_unknown_root; - case CSSMERR_TP_CERT_EXPIRED: - return pki_cs_expired; - case CSSMERR_TP_CERT_NOT_VALID_YET: - return pki_cs_not_valid_yet; - case CSSMERR_TP_CERT_REVOKED: - return pki_cs_revoked; - case KRB5_KDB_UNAUTH: - return pki_cs_untrusted; - case CSSMERR_TP_INVALID_CERTIFICATE: - return pki_cs_bad_leaf; - default: - return pki_cs_other_err; + case CSSM_OK: + return pki_cs_good; + case CSSMERR_CSP_VERIFY_FAILED: + return pki_cs_sig_verify_fail; + case CSSMERR_TP_NOT_TRUSTED: + return pki_cs_no_root; + case CSSMERR_TP_INVALID_ANCHOR_CERT: + return pki_cs_unknown_root; + case CSSMERR_TP_CERT_EXPIRED: + return pki_cs_expired; + case CSSMERR_TP_CERT_NOT_VALID_YET: + return pki_cs_not_valid_yet; + case CSSMERR_TP_CERT_REVOKED: + return pki_cs_revoked; + case KRB5_KDB_UNAUTH: + return pki_cs_untrusted; + case CSSMERR_TP_INVALID_CERTIFICATE: + return pki_cs_bad_leaf; + default: + return pki_cs_other_err; } } @@ -99,24 +100,24 @@ static krb5int_cert_sig_status pkiCertSigStatus( */ static krb5int_cert_sig_status pkiInferSigStatus( CMSSignerStatus cms_status, - OSStatus tp_status) + OSStatus tp_status) { switch(cms_status) { - case kCMSSignerUnsigned: - return pki_not_signed; - case kCMSSignerValid: - return pki_cs_good; - case kCMSSignerNeedsDetachedContent: - return pki_bad_cms; - case kCMSSignerInvalidSignature: - return pki_cs_sig_verify_fail; - case kCMSSignerInvalidCert: - /* proceed with TP status */ - break; - default: - return pki_cs_other_err; + case kCMSSignerUnsigned: + return pki_not_signed; + case kCMSSignerValid: + return pki_cs_good; + case kCMSSignerNeedsDetachedContent: + return pki_bad_cms; + case kCMSSignerInvalidSignature: + return pki_cs_sig_verify_fail; + case kCMSSignerInvalidCert: + /* proceed with TP status */ + break; + default: + return pki_cs_other_err; } - + /* signature good, infer end status from TP verify */ return pkiCertSigStatus(tp_status); } @@ -130,15 +131,15 @@ static OSStatus pkiKrb5DataToSecCert( { CSSM_DATA certData; OSStatus ortn; - + assert((rawCert != NULL) && (secCert != NULL)); - + certData.Data = (uint8 *)rawCert->data; certData.Length = rawCert->length; - ortn = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, - CSSM_CERT_ENCODING_DER, secCert); + ortn = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, + CSSM_CERT_ENCODING_DER, secCert); if(ortn) { - pkiCssmErr("SecCertificateCreateFromData", ortn); + pkiCssmErr("SecCertificateCreateFromData", ortn); } return ortn; } @@ -148,52 +149,52 @@ static OSStatus pkiKrb5DataToSecCert( */ static krb5_error_code pkiCertArrayToKrb5Data( CFArrayRef cf_certs, - unsigned *num_all_certs, - krb5_data **all_certs) + unsigned *num_all_certs, + krb5_data **all_certs) { CFIndex num_certs; krb5_data *allCerts = NULL; krb5_error_code krtn = 0; CFIndex dex; - + if(cf_certs == NULL) { - *all_certs = NULL; - return 0; + *all_certs = NULL; + return 0; } num_certs = CFArrayGetCount(cf_certs); *num_all_certs = (unsigned)num_certs; if(num_certs == 0) { - *all_certs = NULL; - return 0; + *all_certs = NULL; + return 0; } allCerts = (krb5_data *)malloc(sizeof(krb5_data) * num_certs); if(allCerts == NULL) { - return ENOMEM; + return ENOMEM; } - for(dex=0; dexdata, content->length, - &cf_content); + eContentOid, + FALSE, /* detachedContent */ + kCMSAttrNone, /* no signed attributes that I know of */ + content->data, content->length, + &cf_content); if(ortn) { - pkiCssmErr("CMSEncode", ortn); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; + pkiCssmErr("CMSEncode", ortn); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; } krtn = pkiCfDataToKrb5Data(cf_content, content_info); errOut: @@ -285,22 +286,22 @@ errOut: /* * Parse a ContentInfo as best we can. All return fields are optional. - * If signer_cert_status is NULL on entry, NO signature or cert evaluation - * will be performed. + * If signer_cert_status is NULL on entry, NO signature or cert evaluation + * will be performed. */ krb5_error_code krb5int_pkinit_parse_cms_msg( - const krb5_data *content_info, - krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */ - krb5_boolean is_client_msg, /* TRUE : msg is from client */ - krb5_boolean *is_signed, /* RETURNED */ - krb5_boolean *is_encrypted, /* RETURNED */ - krb5_data *raw_data, /* RETURNED */ + const krb5_data *content_info, + krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */ + krb5_boolean is_client_msg, /* TRUE : msg is from client */ + krb5_boolean *is_signed, /* RETURNED */ + krb5_boolean *is_encrypted, /* RETURNED */ + krb5_data *raw_data, /* RETURNED */ krb5int_cms_content_type *inner_content_type,/* Returned, ContentType of */ - /* EncapsulatedData */ - krb5_data *signer_cert, /* RETURNED */ + /* EncapsulatedData */ + krb5_data *signer_cert, /* RETURNED */ krb5int_cert_sig_status *signer_cert_status,/* RETURNED */ - unsigned *num_all_certs, /* size of *all_certs RETURNED */ - krb5_data **all_certs) /* entire cert chain RETURNED */ + unsigned *num_all_certs, /* size of *all_certs RETURNED */ + krb5_data **all_certs) /* entire cert chain RETURNED */ { SecPolicySearchRef policy_search = NULL; SecPolicyRef policy = NULL; @@ -312,219 +313,219 @@ krb5_error_code krb5int_pkinit_parse_cms_msg( OSStatus cert_verify_status; CFArrayRef cf_all_certs = NULL; int msg_is_signed = 0; - + if(content_info == NULL) { - pkiDebug("krb5int_pkinit_parse_cms_msg: no ContentInfo\n"); - return KRB5_CRYPTO_INTERNAL; + pkiDebug("krb5int_pkinit_parse_cms_msg: no ContentInfo\n"); + return KRB5_CRYPTO_INTERNAL; } - + ortn = CMSDecoderCreate(&decoder); if(ortn) { - return ENOMEM; + return ENOMEM; } ortn = CMSDecoderUpdateMessage(decoder, content_info->data, content_info->length); if(ortn) { - /* no verify yet, must be bad message */ - krtn = KRB5_PARSE_MALFORMED; - goto errOut; + /* no verify yet, must be bad message */ + krtn = KRB5_PARSE_MALFORMED; + goto errOut; } ortn = CMSDecoderFinalizeMessage(decoder); if(ortn) { - pkiCssmErr("CMSDecoderFinalizeMessage", ortn); - krtn = KRB5_PARSE_MALFORMED; - goto errOut; + pkiCssmErr("CMSDecoderFinalizeMessage", ortn); + krtn = KRB5_PARSE_MALFORMED; + goto errOut; } /* expect zero or one signers */ ortn = CMSDecoderGetNumSigners(decoder, &num_signers); switch(num_signers) { - case 0: - msg_is_signed = 0; - break; - case 1: - msg_is_signed = 1; - break; - default: - krtn = KRB5_PARSE_MALFORMED; - goto errOut; + case 0: + msg_is_signed = 0; + break; + case 1: + msg_is_signed = 1; + break; + default: + krtn = KRB5_PARSE_MALFORMED; + goto errOut; } /* - * We need a cert verify policy even if we're not actually evaluating + * We need a cert verify policy even if we're not actually evaluating * the cert due to requirements in libsecurity_smime. */ ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3, - is_client_msg ? &CSSMOID_APPLE_TP_PKINIT_CLIENT : &CSSMOID_APPLE_TP_PKINIT_SERVER, - NULL, &policy_search); + is_client_msg ? &CSSMOID_APPLE_TP_PKINIT_CLIENT : &CSSMOID_APPLE_TP_PKINIT_SERVER, + NULL, &policy_search); if(ortn) { - pkiCssmErr("SecPolicySearchCreate", ortn); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; + pkiCssmErr("SecPolicySearchCreate", ortn); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; } ortn = SecPolicySearchCopyNext(policy_search, &policy); if(ortn) { - pkiCssmErr("SecPolicySearchCopyNext", ortn); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; + pkiCssmErr("SecPolicySearchCopyNext", ortn); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; } - + /* get some basic status that doesn't need heavyweight evaluation */ if(msg_is_signed) { - if(is_signed) { - *is_signed = TRUE; - } - if(inner_content_type) { - CSSM_OID ec_oid = {0, NULL}; - CFDataRef ec_data = NULL; - - krb5int_cms_content_type ctype; - - ortn = CMSDecoderCopyEncapsulatedContentType(decoder, &ec_data); - if(ortn || (ec_data == NULL)) { - pkiCssmErr("CMSDecoderCopyEncapsulatedContentType", ortn); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; - } - ec_oid.Data = (uint8 *)CFDataGetBytePtr(ec_data); - ec_oid.Length = CFDataGetLength(ec_data); - if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_Data)) { - ctype = ECT_Data; - } - else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_SignedData)) { - ctype = ECT_SignedData; - } - else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EnvelopedData)) { - ctype = ECT_EnvelopedData; - } - else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EncryptedData)) { - ctype = ECT_EncryptedData; - } - else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_AUTH_DATA)) { - ctype = ECT_PkAuthData; - } - else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_RKEY_DATA)) { - ctype = ECT_PkReplyKeyKata; - } - else { - ctype = ECT_Other; - } - *inner_content_type = ctype; - CFRelease(ec_data); - } - - /* - * Get SignedData's certs if the caller wants them - */ - if(all_certs) { - ortn = CMSDecoderCopyAllCerts(decoder, &cf_all_certs); - if(ortn) { - pkiCssmErr("CMSDecoderCopyAllCerts", ortn); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; - } - krtn = pkiCertArrayToKrb5Data(cf_all_certs, num_all_certs, all_certs); - if(krtn) { - goto errOut; - } - } - - /* optional signer cert */ - if(signer_cert) { - SecCertificateRef sec_signer_cert = NULL; - CSSM_DATA cert_data; - - ortn = CMSDecoderCopySignerCert(decoder, 0, &sec_signer_cert); - if(ortn) { - /* should never happen if it's signed */ - pkiCssmErr("CMSDecoderCopySignerStatus", ortn); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; - } - ortn = SecCertificateGetData(sec_signer_cert, &cert_data); - if(ortn) { - pkiCssmErr("SecCertificateGetData", ortn); - CFRelease(sec_signer_cert); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; - } - krtn = pkiDataToKrb5Data(cert_data.Data, cert_data.Length, signer_cert); - CFRelease(sec_signer_cert); - if(krtn) { - goto errOut; - } - } + if(is_signed) { + *is_signed = TRUE; + } + if(inner_content_type) { + CSSM_OID ec_oid = {0, NULL}; + CFDataRef ec_data = NULL; + + krb5int_cms_content_type ctype; + + ortn = CMSDecoderCopyEncapsulatedContentType(decoder, &ec_data); + if(ortn || (ec_data == NULL)) { + pkiCssmErr("CMSDecoderCopyEncapsulatedContentType", ortn); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; + } + ec_oid.Data = (uint8 *)CFDataGetBytePtr(ec_data); + ec_oid.Length = CFDataGetLength(ec_data); + if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_Data)) { + ctype = ECT_Data; + } + else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_SignedData)) { + ctype = ECT_SignedData; + } + else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EnvelopedData)) { + ctype = ECT_EnvelopedData; + } + else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EncryptedData)) { + ctype = ECT_EncryptedData; + } + else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_AUTH_DATA)) { + ctype = ECT_PkAuthData; + } + else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_RKEY_DATA)) { + ctype = ECT_PkReplyKeyKata; + } + else { + ctype = ECT_Other; + } + *inner_content_type = ctype; + CFRelease(ec_data); + } + + /* + * Get SignedData's certs if the caller wants them + */ + if(all_certs) { + ortn = CMSDecoderCopyAllCerts(decoder, &cf_all_certs); + if(ortn) { + pkiCssmErr("CMSDecoderCopyAllCerts", ortn); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; + } + krtn = pkiCertArrayToKrb5Data(cf_all_certs, num_all_certs, all_certs); + if(krtn) { + goto errOut; + } + } + + /* optional signer cert */ + if(signer_cert) { + SecCertificateRef sec_signer_cert = NULL; + CSSM_DATA cert_data; + + ortn = CMSDecoderCopySignerCert(decoder, 0, &sec_signer_cert); + if(ortn) { + /* should never happen if it's signed */ + pkiCssmErr("CMSDecoderCopySignerStatus", ortn); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; + } + ortn = SecCertificateGetData(sec_signer_cert, &cert_data); + if(ortn) { + pkiCssmErr("SecCertificateGetData", ortn); + CFRelease(sec_signer_cert); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; + } + krtn = pkiDataToKrb5Data(cert_data.Data, cert_data.Length, signer_cert); + CFRelease(sec_signer_cert); + if(krtn) { + goto errOut; + } + } } else { - /* not signed */ - if(is_signed) { - *is_signed = FALSE; - } - if(inner_content_type) { - *inner_content_type = ECT_Other; - } - if(signer_cert) { - signer_cert->data = NULL; - signer_cert->length = 0; - } - if(signer_cert_status) { - *signer_cert_status = pki_not_signed; - } - if(num_all_certs) { - *num_all_certs = 0; - } - if(all_certs) { - *all_certs = NULL; - } + /* not signed */ + if(is_signed) { + *is_signed = FALSE; + } + if(inner_content_type) { + *inner_content_type = ECT_Other; + } + if(signer_cert) { + signer_cert->data = NULL; + signer_cert->length = 0; + } + if(signer_cert_status) { + *signer_cert_status = pki_not_signed; + } + if(num_all_certs) { + *num_all_certs = 0; + } + if(all_certs) { + *all_certs = NULL; + } } if(is_encrypted) { - Boolean bencr; - ortn = CMSDecoderIsContentEncrypted(decoder, &bencr); - if(ortn) { - pkiCssmErr("CMSDecoderCopySignerStatus", ortn); - krtn = KRB5_CRYPTO_INTERNAL; - goto errOut; - } - *is_encrypted = bencr ? TRUE : FALSE; + Boolean bencr; + ortn = CMSDecoderIsContentEncrypted(decoder, &bencr); + if(ortn) { + pkiCssmErr("CMSDecoderCopySignerStatus", ortn); + krtn = KRB5_CRYPTO_INTERNAL; + goto errOut; + } + *is_encrypted = bencr ? TRUE : FALSE; } - - /* + + /* * Verify signature and cert. The actual verify operation is optional, * per our signer_cert_status argument, but we do this anyway if we need * to get the signer cert. */ if((signer_cert_status != NULL) || (signer_cert != NULL)) { - - ortn = CMSDecoderCopySignerStatus(decoder, - 0, /* signerIndex */ - policy, - signer_cert_status ? TRUE : FALSE, /* evaluateSecTrust */ - &signer_status, - NULL, /* secTrust - not needed */ - &cert_verify_status); - if(ortn) { - /* gross error - subsequent processing impossible */ - pkiCssmErr("CMSDecoderCopySignerStatus", ortn); - krtn = KRB5_PARSE_MALFORMED; - goto errOut; - } + + ortn = CMSDecoderCopySignerStatus(decoder, + 0, /* signerIndex */ + policy, + signer_cert_status ? TRUE : FALSE, /* evaluateSecTrust */ + &signer_status, + NULL, /* secTrust - not needed */ + &cert_verify_status); + if(ortn) { + /* gross error - subsequent processing impossible */ + pkiCssmErr("CMSDecoderCopySignerStatus", ortn); + krtn = KRB5_PARSE_MALFORMED; + goto errOut; + } } /* obtain & return status */ if(signer_cert_status) { - *signer_cert_status = pkiInferSigStatus(signer_status, cert_verify_status); + *signer_cert_status = pkiInferSigStatus(signer_status, cert_verify_status); } - + /* finally, the payload */ if(raw_data) { - CFDataRef cf_content = NULL; - - ortn = CMSDecoderCopyContent(decoder, &cf_content); - if(ortn) { - pkiCssmErr("CMSDecoderCopyContent", ortn); - krtn = KRB5_PARSE_MALFORMED; - goto errOut; - } - krtn = pkiCfDataToKrb5Data(cf_content, raw_data); - CFRELEASE(cf_content); + CFDataRef cf_content = NULL; + + ortn = CMSDecoderCopyContent(decoder, &cf_content); + if(ortn) { + pkiCssmErr("CMSDecoderCopyContent", ortn); + krtn = KRB5_PARSE_MALFORMED; + goto errOut; + } + krtn = pkiCfDataToKrb5Data(cf_content, raw_data); + CFRELEASE(cf_content); } errOut: CFRELEASE(policy_search); @@ -535,8 +536,8 @@ errOut: } krb5_error_code krb5int_pkinit_get_cms_types( - krb5int_algorithm_id **supported_cms_types, /* RETURNED */ - krb5_ui_4 *num_supported_cms_types) /* RETURNED */ + krb5int_algorithm_id **supported_cms_types, /* RETURNED */ + krb5_ui_4 *num_supported_cms_types) /* RETURNED */ { /* no preference */ *supported_cms_types = NULL; @@ -546,12 +547,12 @@ krb5_error_code krb5int_pkinit_get_cms_types( krb5_error_code krb5int_pkinit_free_cms_types( krb5int_algorithm_id *supported_cms_types, - krb5_ui_4 num_supported_cms_types) + krb5_ui_4 num_supported_cms_types) { - /* + /* * We don't return anything from krb5int_pkinit_get_cms_types(), and * if we did, it would be a pointer to a statically declared array, - * so this is a nop. + * so this is a nop. */ return 0; } diff --git a/src/lib/krb5/krb/pkinit_apple_utils.c b/src/lib/krb5/krb/pkinit_apple_utils.c index f539693fd..83b592218 100644 --- a/src/lib/krb5/krb/pkinit_apple_utils.c +++ b/src/lib/krb5/krb/pkinit_apple_utils.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved. * @@ -28,7 +29,7 @@ * * Created 19 May 2004 by Doug Mitchell at Apple. */ - + #if APPLE_PKINIT #include "pkinit_apple_utils.h" @@ -41,7 +42,7 @@ #include #include -/* +/* * Cruft needed to attach to a module */ static CSSM_VERSION vers = {2, 0}; @@ -51,28 +52,28 @@ static const CSSM_GUID testGuid = { 0xFADE, 0, 0, { 1,2,3,4,5,6,7,0 }}; * Standard app-level memory functions required by CDSA. */ static void * cuAppMalloc (CSSM_SIZE size, void *allocRef) { - return( malloc(size) ); + return( malloc(size) ); } static void cuAppFree (void *mem_ptr, void *allocRef) { - free(mem_ptr); - return; + free(mem_ptr); + return; } static void * cuAppRealloc (void *ptr, CSSM_SIZE size, void *allocRef) { - return( realloc( ptr, size ) ); + return( realloc( ptr, size ) ); } static void * cuAppCalloc (uint32 num, CSSM_SIZE size, void *allocRef) { - return( calloc( num, size ) ); + return( calloc( num, size ) ); } static CSSM_API_MEMORY_FUNCS memFuncs = { - cuAppMalloc, - cuAppFree, - cuAppRealloc, - cuAppCalloc, - NULL + cuAppMalloc, + cuAppFree, + cuAppRealloc, + cuAppCalloc, + NULL }; /* @@ -84,23 +85,23 @@ static CSSM_BOOL cuCssmStartup() { CSSM_RETURN crtn; CSSM_PVC_MODE pvcPolicy = CSSM_PVC_NONE; - + if(cssmInitd) { - return CSSM_TRUE; - } - crtn = CSSM_Init (&vers, - CSSM_PRIVILEGE_SCOPE_NONE, - &testGuid, - CSSM_KEY_HIERARCHY_NONE, - &pvcPolicy, - NULL /* reserved */); - if(crtn != CSSM_OK) + return CSSM_TRUE; + } + crtn = CSSM_Init (&vers, + CSSM_PRIVILEGE_SCOPE_NONE, + &testGuid, + CSSM_KEY_HIERARCHY_NONE, + &pvcPolicy, + NULL /* reserved */); + if(crtn != CSSM_OK) { - return CSSM_FALSE; + return CSSM_FALSE; } else { - cssmInitd = CSSM_TRUE; - return CSSM_TRUE; + cssmInitd = CSSM_TRUE; + return CSSM_TRUE; } } @@ -108,42 +109,42 @@ CSSM_CL_HANDLE pkiClStartup(void) { CSSM_CL_HANDLE clHand; CSSM_RETURN crtn; - + if(cuCssmStartup() == CSSM_FALSE) { - return 0; + return 0; } crtn = CSSM_ModuleLoad(&gGuidAppleX509CL, - CSSM_KEY_HIERARCHY_NONE, - NULL, /* eventHandler */ - NULL); /* AppNotifyCallbackCtx */ + CSSM_KEY_HIERARCHY_NONE, + NULL, /* eventHandler */ + NULL); /* AppNotifyCallbackCtx */ if(crtn) { - return 0; + return 0; } crtn = CSSM_ModuleAttach (&gGuidAppleX509CL, - &vers, - &memFuncs, /* memFuncs */ - 0, /* SubserviceID */ - CSSM_SERVICE_CL, /* SubserviceFlags - Where is this used? */ - 0, /* AttachFlags */ - CSSM_KEY_HIERARCHY_NONE, - NULL, /* FunctionTable */ - 0, /* NumFuncTable */ - NULL, /* reserved */ - &clHand); + &vers, + &memFuncs, /* memFuncs */ + 0, /* SubserviceID */ + CSSM_SERVICE_CL, /* SubserviceFlags - Where is this used? */ + 0, /* AttachFlags */ + CSSM_KEY_HIERARCHY_NONE, + NULL, /* FunctionTable */ + 0, /* NumFuncTable */ + NULL, /* reserved */ + &clHand); if(crtn) { - return 0; + return 0; } else { - return clHand; + return clHand; } } CSSM_RETURN pkiClDetachUnload( - CSSM_CL_HANDLE clHand) + CSSM_CL_HANDLE clHand) { CSSM_RETURN crtn = CSSM_ModuleDetach(clHand); if(crtn) { - return crtn; + return crtn; } return CSSM_ModuleUnload(&gGuidAppleX509CL, NULL, NULL); } @@ -152,33 +153,33 @@ CSSM_RETURN pkiClDetachUnload( * CSSM_DATA <--> krb5_ui_4 */ krb5_error_code pkiDataToInt( - const CSSM_DATA *cdata, - krb5_int32 *i) /* RETURNED */ + const CSSM_DATA *cdata, + krb5_int32 *i) /* RETURNED */ { krb5_ui_4 len; krb5_int32 rtn = 0; krb5_ui_4 dex; uint8 *cp = NULL; - + if((cdata->Length == 0) || (cdata->Data == NULL)) { - *i = 0; - return 0; + *i = 0; + return 0; } len = cdata->Length; if(len > sizeof(krb5_int32)) { - return ASN1_BAD_LENGTH; + return ASN1_BAD_LENGTH; } - + cp = cdata->Data; for(dex=0; dexData[len - 1]; for(i=0; i>= 8; + *cp-- = unum & 0xff; + unum >>= 8; } return 0; } @@ -222,14 +223,14 @@ krb5_error_code pkiDataToKrb5Data( assert(kd != NULL); kd->data = (char *)malloc(dataLen); if(kd->data == NULL) { - return ENOMEM; + return ENOMEM; } kd->length = dataLen; memmove(kd->data, data, dataLen); return 0; } -/* +/* * CSSM_DATA <--> krb5_data * * CSSM_DATA data is managed by a SecAsn1CoderRef; krb5_data data is mallocd. @@ -237,7 +238,7 @@ krb5_error_code pkiDataToKrb5Data( * Both return nonzero on error. */ krb5_error_code pkiCssmDataToKrb5Data( - const CSSM_DATA *cd, + const CSSM_DATA *cd, krb5_data *kd) { assert(cd != NULL); @@ -251,20 +252,20 @@ krb5_error_code pkiKrb5DataToCssm( { assert((cd != NULL) && (kd != NULL)); if(SecAsn1AllocCopy(coder, kd->data, kd->length, cd)) { - return ENOMEM; + return ENOMEM; } return 0; } -/* +/* * CFDataRef --> krb5_data, mallocing the destination contents. */ krb5_error_code pkiCfDataToKrb5Data( - CFDataRef cfData, - krb5_data *kd) /* content mallocd and RETURNED */ + CFDataRef cfData, + krb5_data *kd) /* content mallocd and RETURNED */ { return pkiDataToKrb5Data(CFDataGetBytePtr(cfData), - CFDataGetLength(cfData), kd); + CFDataGetLength(cfData), kd); } krb5_boolean pkiCompareCssmData( @@ -272,79 +273,79 @@ krb5_boolean pkiCompareCssmData( const CSSM_DATA *d2) { if((d1 == NULL) || (d2 == NULL)) { - return FALSE; + return FALSE; } if(d1->Length != d2->Length) { - return FALSE; + return FALSE; } if(memcmp(d1->Data, d2->Data, d1->Length)) { - return FALSE; + return FALSE; } else { - return TRUE; + return TRUE; } } -/* +/* * krb5_timestamp --> a mallocd string in generalized format */ krb5_error_code pkiKrbTimestampToStr( krb5_timestamp kts, - char **str) /* mallocd and RETURNED */ + char **str) /* mallocd and RETURNED */ { char *outStr = NULL; time_t gmt_time = kts; struct tm *utc = gmtime(&gmt_time); if (utc == NULL || - utc->tm_year > 8099 || utc->tm_mon > 11 || - utc->tm_mday > 31 || utc->tm_hour > 23 || - utc->tm_min > 59 || utc->tm_sec > 59) { - return ASN1_BAD_GMTIME; + utc->tm_year > 8099 || utc->tm_mon > 11 || + utc->tm_mday > 31 || utc->tm_hour > 23 || + utc->tm_min > 59 || utc->tm_sec > 59) { + return ASN1_BAD_GMTIME; } if (asprintf(&outStr, "%04d%02d%02d%02d%02d%02dZ", - utc->tm_year + 1900, utc->tm_mon + 1, - utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec) < 0) { - return ENOMEM; + utc->tm_year + 1900, utc->tm_mon + 1, + utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec) < 0) { + return ENOMEM; } *str = outStr; return 0; } krb5_error_code pkiTimeStrToKrbTimestamp( - const char *str, - unsigned len, + const char *str, + unsigned len, krb5_timestamp *kts) /* RETURNED */ { - char szTemp[5]; - unsigned x; - unsigned i; - char *cp; - struct tm tmp; + char szTemp[5]; + unsigned x; + unsigned i; + char *cp; + struct tm tmp; time_t t; - + if(len != 15) { - return ASN1_BAD_LENGTH; + return ASN1_BAD_LENGTH; } if((str == NULL) || (kts == NULL)) { - return KRB5_CRYPTO_INTERNAL; + return KRB5_CRYPTO_INTERNAL; } - + cp = (char *)str; memset(&tmp, 0, sizeof(tmp)); - + /* check that all characters except last are digits */ for(i=0; i<(len - 1); i++) { - if ( !(isdigit(cp[i])) ) { - return ASN1_BAD_TIMEFORMAT; - } + if ( !(isdigit(cp[i])) ) { + return ASN1_BAD_TIMEFORMAT; + } } /* check last character is a 'Z' */ - if(cp[len - 1] != 'Z' ) { - return ASN1_BAD_TIMEFORMAT; + if(cp[len - 1] != 'Z' ) { + return ASN1_BAD_TIMEFORMAT; } - + /* YEAR */ szTemp[0] = *cp++; szTemp[1] = *cp++; @@ -362,7 +363,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp( x = atoi( szTemp ); /* in the string, months are from 1 to 12 */ if((x > 12) || (x <= 0)) { - return ASN1_BAD_TIMEFORMAT; + return ASN1_BAD_TIMEFORMAT; } /* in a tm, 0 to 11 */ tmp.tm_mon = x - 1; @@ -374,7 +375,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp( x = atoi( szTemp ); /* 1..31 */ if((x > 31) || (x <= 0)) { - return ASN1_BAD_TIMEFORMAT; + return ASN1_BAD_TIMEFORMAT; } tmp.tm_mday = x; @@ -384,7 +385,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp( szTemp[2] = '\0'; x = atoi( szTemp ); if((x > 23) || (x < 0)) { - return ASN1_BAD_TIMEFORMAT; + return ASN1_BAD_TIMEFORMAT; } tmp.tm_hour = x; @@ -394,7 +395,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp( szTemp[2] = '\0'; x = atoi( szTemp ); if((x > 59) || (x < 0)) { - return ASN1_BAD_TIMEFORMAT; + return ASN1_BAD_TIMEFORMAT; } tmp.tm_min = x; @@ -404,12 +405,12 @@ krb5_error_code pkiTimeStrToKrbTimestamp( szTemp[2] = '\0'; x = atoi( szTemp ); if((x > 59) || (x < 0)) { - return ASN1_BAD_TIMEFORMAT; + return ASN1_BAD_TIMEFORMAT; } tmp.tm_sec = x; t = timegm(&tmp); if(t == -1) { - return ASN1_BAD_TIMEFORMAT; + return ASN1_BAD_TIMEFORMAT; } *kts = t; return 0; @@ -423,9 +424,9 @@ unsigned pkiNssArraySize( { unsigned count = 0; if (array) { - while (*array++) { - count++; - } + while (*array++) { + count++; + } } return count; } diff --git a/src/lib/krb5/krb/pr_to_salt.c b/src/lib/krb5/krb/pr_to_salt.c index 545d86fb1..5d57bc599 100644 --- a/src/lib/krb5/krb/pr_to_salt.c +++ b/src/lib/krb5/krb/pr_to_salt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/pr_to_salt.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_principal2salt() */ @@ -30,7 +31,7 @@ #include "k5-int.h" static krb5_error_code krb5_principal2salt_internal - (krb5_context, krb5_const_principal, krb5_data *ret, int); +(krb5_context, krb5_const_principal, krb5_data *ret, int); /* * Convert a krb5_principal into the default salt for that principal. @@ -43,32 +44,32 @@ krb5_principal2salt_internal(krb5_context context, register krb5_const_principal register int i; if (pr == 0) { - ret->length = 0; - ret->data = 0; - return 0; + ret->length = 0; + ret->data = 0; + return 0; } nelem = krb5_princ_size(context, pr); if (use_realm) - size += krb5_princ_realm(context, pr)->length; + size += krb5_princ_realm(context, pr)->length; for (i = 0; i < (int) nelem; i++) - size += krb5_princ_component(context, pr, i)->length; + size += krb5_princ_component(context, pr, i)->length; ret->length = size; if (!(ret->data = malloc (size))) - return ENOMEM; + return ENOMEM; if (use_realm) { - offset = krb5_princ_realm(context, pr)->length; - memcpy(ret->data, krb5_princ_realm(context, pr)->data, offset); + offset = krb5_princ_realm(context, pr)->length; + memcpy(ret->data, krb5_princ_realm(context, pr)->data, offset); } for (i = 0; i < (int) nelem; i++) { - memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data, - krb5_princ_component(context, pr, i)->length); - offset += krb5_princ_component(context, pr, i)->length; + memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data, + krb5_princ_component(context, pr, i)->length); + offset += krb5_princ_component(context, pr, i)->length; } return 0; } @@ -76,11 +77,11 @@ krb5_principal2salt_internal(krb5_context context, register krb5_const_principal krb5_error_code krb5_principal2salt(krb5_context context, register krb5_const_principal pr, krb5_data *ret) { - return krb5_principal2salt_internal(context, pr, ret, 1); + return krb5_principal2salt_internal(context, pr, ret, 1); } krb5_error_code krb5_principal2salt_norealm(krb5_context context, register krb5_const_principal pr, krb5_data *ret) { - return krb5_principal2salt_internal(context, pr, ret, 0); + return krb5_principal2salt_internal(context, pr, ret, 0); } diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c index 06b2f50b8..9061aa9b6 100644 --- a/src/lib/krb5/krb/preauth.c +++ b/src/lib/krb5/krb/preauth.c @@ -25,7 +25,7 @@ /* * This file contains routines for establishing, verifying, and any other - * necessary functions, for utilizing the pre-authentication field of the + * necessary functions, for utilizing the pre-authentication field of the * kerberos kdc request, with various hardware/software verification devices. */ @@ -72,7 +72,7 @@ static krb5_error_code obtain_sam_padata (krb5_context, krb5_pa_data *, krb5_etype_info, - krb5_keyblock *, + krb5_keyblock *, krb5_error_code ( * )(krb5_context, const krb5_enctype, krb5_data *, @@ -179,24 +179,24 @@ krb5_error_code krb5_obtain_padata(krb5_context context, krb5_pa_data **preauth_ if (etype_info) { enctype = etype_info[0]->etype; salt.data = (char *) etype_info[0]->salt; - if(etype_info[0]->length == KRB5_ETYPE_NO_SALT) + if(etype_info[0]->length == KRB5_ETYPE_NO_SALT) salt.length = SALT_TYPE_NO_LENGTH; /* XXX */ - else + else salt.length = etype_info[0]->length; } if (salt.length == SALT_TYPE_NO_LENGTH) { /* - * This will set the salt length + * This will set the salt length */ if ((retval = krb5_principal2salt(context, request->client, &salt))) goto cleanup; f_salt = 1; } - + if ((retval = (*key_proc)(context, enctype, &salt, key_seed, &def_enc_key))) goto cleanup; - + for (pa = preauth_to_use; *pa; pa++) { if (find_pa_system((*pa)->pa_type, &ops)) @@ -204,7 +204,7 @@ krb5_error_code krb5_obtain_padata(krb5_context context, krb5_pa_data **preauth_ if (ops->obtain == 0) continue; - + retval = ((ops)->obtain)(context, *pa, etype_info, def_enc_key, key_proc, key_seed, creds, request, send_pa); @@ -233,7 +233,7 @@ cleanup: if (def_enc_key) krb5_free_keyblock(context, def_enc_key); return retval; - + } krb5_error_code @@ -243,7 +243,7 @@ krb5_process_padata(krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *a const krb5_preauth_ops * ops; krb5_pa_data ** pa; krb5_int32 done = 0; - + *do_more = 0; /* By default, we don't need to repeat... */ if (as_reply->padata == 0) return 0; @@ -254,7 +254,7 @@ krb5_process_padata(krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *a if (ops->process == 0) continue; - + retval = ((ops)->process)(context, *pa, request, as_reply, key_proc, keyseed, decrypt_proc, decrypt_key, creds, do_more, &done); @@ -298,7 +298,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i krb5_free_data(context, scratch); scratch = 0; - + if ((retval = encode_krb5_enc_data(&enc_data, &scratch)) != 0) goto cleanup; @@ -318,7 +318,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i scratch = 0; retval = 0; - + cleanup: if (scratch) krb5_free_data(context, scratch); @@ -332,14 +332,14 @@ process_pw_salt(krb5_context context, krb5_pa_data *padata, krb5_kdc_req *reques { krb5_error_code retval; krb5_data salt; - + if (*decrypt_key != 0) return 0; salt.data = (char *) padata->contents; - salt.length = + salt.length = (padata->pa_type == KRB5_PADATA_AFS3_SALT)?(SALT_TYPE_AFS_LENGTH):(padata->length); - + if ((retval = (*key_proc)(context, as_reply->enc_part.enctype, &salt, keyseed, decrypt_key))) { *decrypt_key = 0; @@ -348,19 +348,19 @@ process_pw_salt(krb5_context context, krb5_pa_data *padata, krb5_kdc_req *reques return 0; } - + static krb5_error_code find_pa_system(krb5_preauthtype type, const krb5_preauth_ops **preauth) { const krb5_preauth_ops *ap = preauth_systems; - + while ((ap->type != -1) && (ap->type != type)) ap++; if (ap->type == -1) return(KRB5_PREAUTH_BAD_TYPE); *preauth = ap; return 0; -} +} extern const char *krb5_default_pwd_prompt1; @@ -381,14 +381,14 @@ sam_get_pass_from_user(krb5_context context, krb5_etype_info etype_info, git_key krb5_data newpw; newpw.data = 0; newpw.length = 0; /* we don't keep the new password, just the key... */ - retval = (*key_proc)(context, enctype, 0, + retval = (*key_proc)(context, enctype, 0, (krb5_const_pointer)&newpw, new_enc_key); free(newpw.data); } krb5_default_pwd_prompt1 = oldprompt; return retval; } -static +static char *handle_sam_labels(krb5_sam_challenge *sc) { char *label = sc->sam_challenge_label.data; @@ -433,7 +433,7 @@ char *handle_sam_labels(krb5_sam_challenge *sc) /* example: Challenge for Digital Pathways mechanism: [134591] - Passcode: + Passcode: */ krb5int_buf_init_dynamic(&buf); if (challenge_len) { @@ -511,7 +511,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info retval = ENOMEM; goto cleanup; } - retval = sam_get_pass_from_user(context, etype_info, key_proc, + retval = sam_get_pass_from_user(context, etype_info, key_proc, key_seed, request, &sam_use_key, prompt); if (retval) @@ -524,15 +524,15 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info } /* so at this point, either sam_use_key is generated from the passcode - * or enc_sam_response_enc.sam_sad is set to it, and we use + * or enc_sam_response_enc.sam_sad is set to it, and we use * def_enc_key instead. */ /* encode the encoded part of the response */ if ((retval = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, &scratch)) != 0) goto cleanup; - if ((retval = krb5_encrypt_data(context, - sam_use_key?sam_use_key:def_enc_key, + if ((retval = krb5_encrypt_data(context, + sam_use_key?sam_use_key:def_enc_key, 0, scratch, &sam_response.sam_enc_nonce_or_ts))) goto cleanup; @@ -552,7 +552,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info if ((retval = encode_krb5_sam_response(&sam_response, &scratch)) != 0) goto cleanup; - + if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) { retval = ENOMEM; goto cleanup; @@ -567,7 +567,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info *out_padata = pa; retval = 0; - + cleanup: krb5_free_data(context, scratch); krb5_free_sam_challenge(context, sam_challenge); diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index 996cbfd36..7ee086037 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1995, 2003, 2008 by the Massachusetts Institute of Technology. All * Rights Reserved. @@ -25,7 +26,7 @@ /* * This file contains routines for establishing, verifying, and any other - * necessary functions, for utilizing the pre-authentication field of the + * necessary functions, for utilizing the pre-authentication field of the * kerberos kdc request, with various hardware/software verification devices. */ @@ -50,17 +51,17 @@ static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL }; #endif typedef krb5_error_code (*pa_function)(krb5_context, - krb5_kdc_req *request, - krb5_pa_data *in_padata, - krb5_pa_data **out_padata, - krb5_data *salt, krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter_fct, - void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, - void *gak_data); - + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter_fct, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data); + typedef struct _pa_types_t { krb5_preauthtype type; pa_function fct; @@ -85,27 +86,27 @@ krb5_init_preauth_context(krb5_context kcontext) /* Only do this once for each krb5_context */ if (kcontext->preauth_context != NULL) - return; + return; /* load the plugins for the current context */ if (PLUGIN_DIR_OPEN(&kcontext->preauth_plugins) == 0) { - if (krb5int_open_plugin_dirs(objdirs, NULL, - &kcontext->preauth_plugins, - &kcontext->err) != 0) { - return; - } + if (krb5int_open_plugin_dirs(objdirs, NULL, + &kcontext->preauth_plugins, + &kcontext->err) != 0) { + return; + } } /* pull out the module function tables for all of the modules */ tables = NULL; if (krb5int_get_plugin_dir_data(&kcontext->preauth_plugins, - "preauthentication_client_1", - &tables, - &kcontext->err) != 0) { - return; + "preauthentication_client_1", + &tables, + &kcontext->err) != 0) { + return; } if (tables == NULL) { - return; + return; } /* count how many modules we ended up loading, and how many preauth @@ -114,23 +115,23 @@ krb5_init_preauth_context(krb5_context kcontext) for (n_tables = 0; (tables != NULL) && (tables[n_tables] != NULL); n_tables++) { - table = tables[n_tables]; - if ((table->pa_type_list != NULL) && (table->process != NULL)) { - for (j = 0; table->pa_type_list[j] > 0; j++) { - n_modules++; - } - } + table = tables[n_tables]; + if ((table->pa_type_list != NULL) && (table->process != NULL)) { + for (j = 0; table->pa_type_list[j] > 0; j++) { + n_modules++; + } + } } /* allocate the space we need */ context = malloc(sizeof(*context)); if (context == NULL) { - krb5int_free_plugin_dir_data(tables); + krb5int_free_plugin_dir_data(tables); return; } context->modules = calloc(n_modules, sizeof(context->modules[0])); if (context->modules == NULL) { - krb5int_free_plugin_dir_data(tables); + krb5int_free_plugin_dir_data(tables); free(context); return; } @@ -141,64 +142,64 @@ krb5_init_preauth_context(krb5_context kcontext) for (i = 0; i < n_tables; i++) { table = tables[i]; if ((table->pa_type_list != NULL) && (table->process != NULL)) { - plugin_context = NULL; - if ((table->init != NULL) && - ((*table->init)(kcontext, &plugin_context) != 0)) { + plugin_context = NULL; + if ((table->init != NULL) && + ((*table->init)(kcontext, &plugin_context) != 0)) { #ifdef DEBUG - fprintf (stderr, "init err, skipping module \"%s\"\n", - table->name); + fprintf (stderr, "init err, skipping module \"%s\"\n", + table->name); #endif - continue; - } - - rcpp = NULL; - for (j = 0; table->pa_type_list[j] > 0; j++) { - pa_type = table->pa_type_list[j]; - context->modules[k].pa_type = pa_type; - context->modules[k].enctypes = table->enctype_list; - context->modules[k].plugin_context = plugin_context; - /* Only call client_fini once per plugin */ - if (j == 0) - context->modules[k].client_fini = table->fini; - else - context->modules[k].client_fini = NULL; - context->modules[k].ftable = table; - context->modules[k].name = table->name; - context->modules[k].flags = (*table->flags)(kcontext, pa_type); - context->modules[k].use_count = 0; - context->modules[k].client_process = table->process; - context->modules[k].client_tryagain = table->tryagain; - if (j == 0) - context->modules[k].client_supply_gic_opts = table->gic_opts; - else - context->modules[k].client_supply_gic_opts = NULL; - context->modules[k].request_context = NULL; - /* - * Only call request_init and request_fini once per plugin. - * Only the first module within each plugin will ever - * have request_context filled in. Every module within - * the plugin will have its request_context_pp pointing - * to that entry's request_context. That way all the - * modules within the plugin share the same request_context - */ - if (j == 0) { - context->modules[k].client_req_init = table->request_init; - context->modules[k].client_req_fini = table->request_fini; - rcpp = &context->modules[k].request_context; - } else { - context->modules[k].client_req_init = NULL; - context->modules[k].client_req_fini = NULL; - } - context->modules[k].request_context_pp = rcpp; + continue; + } + + rcpp = NULL; + for (j = 0; table->pa_type_list[j] > 0; j++) { + pa_type = table->pa_type_list[j]; + context->modules[k].pa_type = pa_type; + context->modules[k].enctypes = table->enctype_list; + context->modules[k].plugin_context = plugin_context; + /* Only call client_fini once per plugin */ + if (j == 0) + context->modules[k].client_fini = table->fini; + else + context->modules[k].client_fini = NULL; + context->modules[k].ftable = table; + context->modules[k].name = table->name; + context->modules[k].flags = (*table->flags)(kcontext, pa_type); + context->modules[k].use_count = 0; + context->modules[k].client_process = table->process; + context->modules[k].client_tryagain = table->tryagain; + if (j == 0) + context->modules[k].client_supply_gic_opts = table->gic_opts; + else + context->modules[k].client_supply_gic_opts = NULL; + context->modules[k].request_context = NULL; + /* + * Only call request_init and request_fini once per plugin. + * Only the first module within each plugin will ever + * have request_context filled in. Every module within + * the plugin will have its request_context_pp pointing + * to that entry's request_context. That way all the + * modules within the plugin share the same request_context + */ + if (j == 0) { + context->modules[k].client_req_init = table->request_init; + context->modules[k].client_req_fini = table->request_fini; + rcpp = &context->modules[k].request_context; + } else { + context->modules[k].client_req_init = NULL; + context->modules[k].client_req_fini = NULL; + } + context->modules[k].request_context_pp = rcpp; #ifdef DEBUG - fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n", - context->modules[k].name, - context->modules[k].pa_type, - context->modules[k].flags); + fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n", + context->modules[k].name, + context->modules[k].pa_type, + context->modules[k].flags); #endif - k++; - } - } + k++; + } + } } krb5int_free_plugin_dir_data(tables); @@ -214,9 +215,9 @@ krb5_clear_preauth_context_use_counts(krb5_context context) { int i; if (context->preauth_context != NULL) { - for (i = 0; i < context->preauth_context->n_modules; i++) { - context->preauth_context->modules[i].use_count = 0; - } + for (i = 0; i < context->preauth_context->n_modules; i++) { + context->preauth_context->modules[i].use_count = 0; + } } } @@ -226,9 +227,9 @@ krb5_clear_preauth_context_use_counts(krb5_context context) */ krb5_error_code krb5_preauth_supply_preauth_data(krb5_context context, - krb5_gic_opt_ext *opte, - const char *attr, - const char *value) + krb5_gic_opt_ext *opte, + const char *attr, + const char *value) { krb5_error_code retval = 0; int i; @@ -236,13 +237,13 @@ krb5_preauth_supply_preauth_data(krb5_context context, const char *emsg = NULL; if (context->preauth_context == NULL) - krb5_init_preauth_context(context); + krb5_init_preauth_context(context); if (context->preauth_context == NULL) { - retval = EINVAL; - krb5int_set_error(&context->err, retval, - "krb5_preauth_supply_preauth_data: " - "Unable to initialize preauth context"); - return retval; + retval = EINVAL; + krb5int_set_error(&context->err, retval, + "krb5_preauth_supply_preauth_data: " + "Unable to initialize preauth context"); + return retval; } /* @@ -250,19 +251,19 @@ krb5_preauth_supply_preauth_data(krb5_context context, * attribute/value pair. */ for (i = 0; i < context->preauth_context->n_modules; i++) { - if (context->preauth_context->modules[i].client_supply_gic_opts == NULL) - continue; - pctx = context->preauth_context->modules[i].plugin_context; - retval = (*context->preauth_context->modules[i].client_supply_gic_opts) - (context, pctx, - (krb5_get_init_creds_opt *)opte, attr, value); - if (retval) { - emsg = krb5_get_error_message(context, retval); - krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s", - context->preauth_context->modules[i].name, emsg); - krb5_free_error_message(context, emsg); - break; - } + if (context->preauth_context->modules[i].client_supply_gic_opts == NULL) + continue; + pctx = context->preauth_context->modules[i].plugin_context; + retval = (*context->preauth_context->modules[i].client_supply_gic_opts) + (context, pctx, + (krb5_get_init_creds_opt *)opte, attr, value); + if (retval) { + emsg = krb5_get_error_message(context, retval); + krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s", + context->preauth_context->modules[i].name, emsg); + krb5_free_error_message(context, emsg); + break; + } } return retval; } @@ -276,20 +277,20 @@ krb5_free_preauth_context(krb5_context context) int i; void *pctx; if (context && context->preauth_context != NULL) { - for (i = 0; i < context->preauth_context->n_modules; i++) { - pctx = context->preauth_context->modules[i].plugin_context; - if (context->preauth_context->modules[i].client_fini != NULL) { - (*context->preauth_context->modules[i].client_fini)(context, pctx); - } - memset(&context->preauth_context->modules[i], 0, - sizeof(context->preauth_context->modules[i])); - } - if (context->preauth_context->modules != NULL) { - free(context->preauth_context->modules); - context->preauth_context->modules = NULL; - } - free(context->preauth_context); - context->preauth_context = NULL; + for (i = 0; i < context->preauth_context->n_modules; i++) { + pctx = context->preauth_context->modules[i].plugin_context; + if (context->preauth_context->modules[i].client_fini != NULL) { + (*context->preauth_context->modules[i].client_fini)(context, pctx); + } + memset(&context->preauth_context->modules[i], 0, + sizeof(context->preauth_context->modules[i])); + } + if (context->preauth_context->modules != NULL) { + free(context->preauth_context->modules); + context->preauth_context->modules = NULL; + } + free(context->preauth_context); + context->preauth_context = NULL; } } @@ -303,15 +304,15 @@ krb5_preauth_request_context_init(krb5_context context) /* Limit this to only one attempt per context? */ if (context->preauth_context == NULL) - krb5_init_preauth_context(context); + krb5_init_preauth_context(context); if (context->preauth_context != NULL) { - for (i = 0; i < context->preauth_context->n_modules; i++) { - pctx = context->preauth_context->modules[i].plugin_context; - if (context->preauth_context->modules[i].client_req_init != NULL) { - rctx = context->preauth_context->modules[i].request_context_pp; - (*context->preauth_context->modules[i].client_req_init) (context, pctx, rctx); - } - } + for (i = 0; i < context->preauth_context->n_modules; i++) { + pctx = context->preauth_context->modules[i].plugin_context; + if (context->preauth_context->modules[i].client_req_init != NULL) { + rctx = context->preauth_context->modules[i].request_context_pp; + (*context->preauth_context->modules[i].client_req_init) (context, pctx, rctx); + } + } } } @@ -323,16 +324,16 @@ krb5_preauth_request_context_fini(krb5_context context) int i; void *rctx, *pctx; if (context->preauth_context != NULL) { - for (i = 0; i < context->preauth_context->n_modules; i++) { - pctx = context->preauth_context->modules[i].plugin_context; - rctx = context->preauth_context->modules[i].request_context; - if (rctx != NULL) { - if (context->preauth_context->modules[i].client_req_fini != NULL) { - (*context->preauth_context->modules[i].client_req_fini)(context, pctx, rctx); - } - context->preauth_context->modules[i].request_context = NULL; - } - } + for (i = 0; i < context->preauth_context->n_modules; i++) { + pctx = context->preauth_context->modules[i].plugin_context; + rctx = context->preauth_context->modules[i].request_context; + if (rctx != NULL) { + if (context->preauth_context->modules[i].client_req_fini != NULL) { + (*context->preauth_context->modules[i].client_req_fini)(context, pctx, rctx); + } + context->preauth_context->modules[i].request_context = NULL; + } + } } } @@ -343,18 +344,18 @@ grow_ktypes(krb5_enctype **out_ktypes, int *out_nktypes, krb5_enctype ktype) int i; krb5_enctype *ktypes; for (i = 0; i < *out_nktypes; i++) { - if ((*out_ktypes)[i] == ktype) - return; + if ((*out_ktypes)[i] == ktype) + return; } ktypes = malloc((*out_nktypes + 2) * sizeof(ktype)); if (ktypes) { - for (i = 0; i < *out_nktypes; i++) - ktypes[i] = (*out_ktypes)[i]; - ktypes[i++] = ktype; - ktypes[i] = 0; - free(*out_ktypes); - *out_ktypes = ktypes; - *out_nktypes = i; + for (i = 0; i < *out_nktypes; i++) + ktypes[i] = (*out_ktypes)[i]; + ktypes[i++] = ktype; + ktypes[i] = 0; + free(*out_ktypes); + *out_ktypes = ktypes; + *out_nktypes = i; } } @@ -364,42 +365,42 @@ grow_ktypes(krb5_enctype **out_ktypes, int *out_nktypes, krb5_enctype ktype) */ static int grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size, - krb5_pa_data **addition, int num_addition) + krb5_pa_data **addition, int num_addition) { krb5_pa_data **pa_list; int i, j; if (out_pa_list == NULL || addition == NULL) { - return EINVAL; + return EINVAL; } if (*out_pa_list == NULL) { - /* Allocate room for the new additions and a NULL terminator. */ - pa_list = malloc((num_addition + 1) * sizeof(krb5_pa_data *)); - if (pa_list == NULL) - return ENOMEM; - for (i = 0; i < num_addition; i++) - pa_list[i] = addition[i]; - pa_list[i] = NULL; - *out_pa_list = pa_list; - *out_pa_list_size = num_addition; + /* Allocate room for the new additions and a NULL terminator. */ + pa_list = malloc((num_addition + 1) * sizeof(krb5_pa_data *)); + if (pa_list == NULL) + return ENOMEM; + for (i = 0; i < num_addition; i++) + pa_list[i] = addition[i]; + pa_list[i] = NULL; + *out_pa_list = pa_list; + *out_pa_list_size = num_addition; } else { - /* - * Allocate room for the existing entries plus - * the new additions and a NULL terminator. - */ - pa_list = malloc((*out_pa_list_size + num_addition + 1) - * sizeof(krb5_pa_data *)); - if (pa_list == NULL) - return ENOMEM; - for (i = 0; i < *out_pa_list_size; i++) - pa_list[i] = (*out_pa_list)[i]; - for (j = 0; j < num_addition;) - pa_list[i++] = addition[j++]; - pa_list[i] = NULL; - free(*out_pa_list); - *out_pa_list = pa_list; - *out_pa_list_size = i; + /* + * Allocate room for the existing entries plus + * the new additions and a NULL terminator. + */ + pa_list = malloc((*out_pa_list_size + num_addition + 1) + * sizeof(krb5_pa_data *)); + if (pa_list == NULL) + return ENOMEM; + for (i = 0; i < *out_pa_list_size; i++) + pa_list[i] = (*out_pa_list)[i]; + for (j = 0; j < num_addition;) + pa_list[i++] = addition[j++]; + pa_list[i] = NULL; + free(*out_pa_list); + *out_pa_list = pa_list; + *out_pa_list_size = i; } return 0; } @@ -416,81 +417,81 @@ grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size, static krb5_error_code client_data_proc(krb5_context kcontext, - krb5_preauth_client_rock *rock, - krb5_int32 request_type, - krb5_data **retdata) + krb5_preauth_client_rock *rock, + krb5_int32 request_type, + krb5_data **retdata) { krb5_data *ret; krb5_error_code retval; char *data; if (rock->magic != CLIENT_ROCK_MAGIC) - return EINVAL; + return EINVAL; if (retdata == NULL) - return EINVAL; + return EINVAL; switch (request_type) { case krb5plugin_preauth_client_get_etype: - { - krb5_enctype *eptr; - ret = malloc(sizeof(krb5_data)); - if (ret == NULL) - return ENOMEM; - data = malloc(sizeof(krb5_enctype)); - if (data == NULL) { - free(ret); - return ENOMEM; - } - ret->data = data; - ret->length = sizeof(krb5_enctype); - eptr = (krb5_enctype *)data; - *eptr = *rock->etype; - *retdata = ret; - return 0; - } - break; + { + krb5_enctype *eptr; + ret = malloc(sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + data = malloc(sizeof(krb5_enctype)); + if (data == NULL) { + free(ret); + return ENOMEM; + } + ret->data = data; + ret->length = sizeof(krb5_enctype); + eptr = (krb5_enctype *)data; + *eptr = *rock->etype; + *retdata = ret; + return 0; + } + break; case krb5plugin_preauth_client_free_etype: - ret = *retdata; - if (ret == NULL) - return 0; - if (ret->data) - free(ret->data); - free(ret); - return 0; - break; + ret = *retdata; + if (ret == NULL) + return 0; + if (ret->data) + free(ret->data); + free(ret); + return 0; + break; case krb5plugin_preauth_client_fast_armor: { - krb5_keyblock *key = NULL; - ret = calloc(1, sizeof(krb5_data)); - if (ret == NULL) - return ENOMEM; - retval = 0; - if (rock->fast_state->armor_key) - retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key, - &key); - if (retval == 0) { - ret->data = (char *) key; - ret->length = key?sizeof(krb5_keyblock):0; - key = NULL; - } - if (retval == 0) { - *retdata = ret; - ret = NULL; - } - if (ret) - free(ret); - return retval; + krb5_keyblock *key = NULL; + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + retval = 0; + if (rock->fast_state->armor_key) + retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key, + &key); + if (retval == 0) { + ret->data = (char *) key; + ret->length = key?sizeof(krb5_keyblock):0; + key = NULL; + } + if (retval == 0) { + *retdata = ret; + ret = NULL; + } + if (ret) + free(ret); + return retval; } case krb5plugin_preauth_client_free_fast_armor: - ret = *retdata; - if (ret) { - if (ret->data) - krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data); - free(ret); - *retdata = NULL; - } - return 0; - default: - return EINVAL; + ret = *retdata; + if (ret) { + if (ret->data) + krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data); + free(ret); + *retdata = NULL; + } + return 0; + default: + return EINVAL; } } @@ -499,25 +500,25 @@ client_data_proc(krb5_context kcontext, * involved things. */ void KRB5_CALLCONV krb5_preauth_prepare_request(krb5_context kcontext, - krb5_gic_opt_ext *opte, - krb5_kdc_req *request) + krb5_gic_opt_ext *opte, + krb5_kdc_req *request) { int i, j; if (kcontext->preauth_context == NULL) { - return; + return; } /* Add the module-specific enctype list to the request, but only if * it's something we can safely modify. */ if (!(opte && (opte->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))) { - for (i = 0; i < kcontext->preauth_context->n_modules; i++) { - if (kcontext->preauth_context->modules[i].enctypes == NULL) - continue; - for (j = 0; kcontext->preauth_context->modules[i].enctypes[j] != 0; j++) { - grow_ktypes(&request->ktype, &request->nktypes, - kcontext->preauth_context->modules[i].enctypes[j]); - } - } + for (i = 0; i < kcontext->preauth_context->n_modules; i++) { + if (kcontext->preauth_context->modules[i].enctypes == NULL) + continue; + for (j = 0; kcontext->preauth_context->modules[i].enctypes[j] != 0; j++) { + grow_ktypes(&request->ktype, &request->nktypes, + kcontext->preauth_context->modules[i].enctypes[j]); + } + } } } @@ -526,24 +527,24 @@ krb5_preauth_prepare_request(krb5_context kcontext, * they don't generate preauth data), and run it. */ static krb5_error_code krb5_run_preauth_plugins(krb5_context kcontext, - int module_required_flags, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *in_padata, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - krb5_data *salt, - krb5_data *s2kparams, - void *gak_data, - krb5_preauth_client_rock *get_data_rock, - krb5_keyblock *as_key, - krb5_pa_data ***out_pa_list, - int *out_pa_list_size, - int *module_ret, - int *module_flags, - krb5_gic_opt_ext *opte) + int module_required_flags, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *in_padata, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + krb5_data *salt, + krb5_data *s2kparams, + void *gak_data, + krb5_preauth_client_rock *get_data_rock, + krb5_keyblock *as_key, + krb5_pa_data ***out_pa_list, + int *out_pa_list_size, + int *module_ret, + int *module_flags, + krb5_gic_opt_ext *opte) { int i; krb5_pa_data **out_pa_data; @@ -551,64 +552,64 @@ krb5_run_preauth_plugins(krb5_context kcontext, struct _krb5_preauth_context_module *module; if (kcontext->preauth_context == NULL) { - return ENOENT; + return ENOENT; } /* iterate over all loaded modules */ for (i = 0; i < kcontext->preauth_context->n_modules; i++) { - module = &kcontext->preauth_context->modules[i]; - /* skip over those which don't match the preauth type */ - if (module->pa_type != in_padata->pa_type) - continue; - /* skip over those which don't match the flags (INFO vs REAL, mainly) */ - if ((module->flags & module_required_flags) == 0) - continue; - /* if it's a REAL module, try to call it only once per library call */ - if (module_required_flags & PA_REAL) { - if (module->use_count > 0) { + module = &kcontext->preauth_context->modules[i]; + /* skip over those which don't match the preauth type */ + if (module->pa_type != in_padata->pa_type) + continue; + /* skip over those which don't match the flags (INFO vs REAL, mainly) */ + if ((module->flags & module_required_flags) == 0) + continue; + /* if it's a REAL module, try to call it only once per library call */ + if (module_required_flags & PA_REAL) { + if (module->use_count > 0) { #ifdef DEBUG - fprintf(stderr, "skipping already-used module \"%s\"(%d)\n", - module->name, module->pa_type); + fprintf(stderr, "skipping already-used module \"%s\"(%d)\n", + module->name, module->pa_type); #endif - continue; - } - module->use_count++; - } - /* run the module's callback function */ - out_pa_data = NULL; + continue; + } + module->use_count++; + } + /* run the module's callback function */ + out_pa_data = NULL; #ifdef DEBUG - fprintf(stderr, "using module \"%s\" (%d), flags = %d\n", - module->name, module->pa_type, module->flags); + fprintf(stderr, "using module \"%s\" (%d), flags = %d\n", + module->name, module->pa_type, module->flags); #endif - ret = module->client_process(kcontext, - module->plugin_context, - *module->request_context_pp, - (krb5_get_init_creds_opt *)opte, - client_data_proc, - get_data_rock, - request, - encoded_request_body, - encoded_previous_request, - in_padata, - prompter, prompter_data, - gak_fct, gak_data, salt, s2kparams, - as_key, - &out_pa_data); - /* Make note of the module's flags and status. */ - *module_flags = module->flags; - *module_ret = ret; - /* Save the new preauth data item. */ - if (out_pa_data != NULL) { - int j; - for (j = 0; out_pa_data[j] != NULL; j++); - ret = grow_pa_list(out_pa_list, out_pa_list_size, out_pa_data, j); - free(out_pa_data); - if (ret != 0) - return ret; - } - break; + ret = module->client_process(kcontext, + module->plugin_context, + *module->request_context_pp, + (krb5_get_init_creds_opt *)opte, + client_data_proc, + get_data_rock, + request, + encoded_request_body, + encoded_previous_request, + in_padata, + prompter, prompter_data, + gak_fct, gak_data, salt, s2kparams, + as_key, + &out_pa_data); + /* Make note of the module's flags and status. */ + *module_flags = module->flags; + *module_ret = ret; + /* Save the new preauth data item. */ + if (out_pa_data != NULL) { + int j; + for (j = 0; out_pa_data[j] != NULL; j++); + ret = grow_pa_list(out_pa_list, out_pa_list_size, out_pa_data, j); + free(out_pa_data); + if (ret != 0) + return ret; + } + break; } if (i >= kcontext->preauth_context->n_modules) { - return ENOENT; + return ENOENT; } return 0; } @@ -625,14 +626,14 @@ padata2data(krb5_pa_data p) static krb5_error_code pa_salt(krb5_context context, - krb5_kdc_req *request, - krb5_pa_data *in_padata, - krb5_pa_data **out_padata, - krb5_data *salt, krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, void *gak_data) + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, void *gak_data) { krb5_data tmp; krb5_error_code retval; @@ -641,36 +642,36 @@ krb5_error_code pa_salt(krb5_context context, krb5_free_data_contents(context, salt); retval = krb5int_copy_data_contents(context, &tmp, salt); if (retval) - return retval; + return retval; if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT) - salt->length = SALT_TYPE_AFS_LENGTH; + salt->length = SALT_TYPE_AFS_LENGTH; return(0); } static krb5_error_code pa_fx_cookie(krb5_context context, - krb5_kdc_req *request, - krb5_pa_data *in_padata, - krb5_pa_data **out_padata, - krb5_data *salt, - krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, - void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, - void *gak_data) + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, + krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data) { krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data)); krb5_octet *contents; if (pa == NULL) - return ENOMEM; + return ENOMEM; contents = malloc(in_padata->length); if (contents == NULL) { - free(pa); - return ENOMEM; + free(pa); + return ENOMEM; } *pa = *in_padata; pa->contents = contents; @@ -681,68 +682,68 @@ krb5_error_code pa_fx_cookie(krb5_context context, static krb5_error_code pa_enc_timestamp(krb5_context context, - krb5_kdc_req *request, - krb5_pa_data *in_padata, - krb5_pa_data **out_padata, - krb5_data *salt, - krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, - void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, - void *gak_data) + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, + krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data) { krb5_error_code ret; krb5_pa_enc_ts pa_enc; krb5_data *tmp; krb5_enc_data enc_data; krb5_pa_data *pa; - + if (as_key->length == 0) { #ifdef DEBUG - fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__, - salt->length); - if ((int) salt->length > 0) - fprintf (stderr, " '%.*s'", salt->length, salt->data); - fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n", - *etype, request->ktype[0]); + fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__, + salt->length); + if ((int) salt->length > 0) + fprintf (stderr, " '%.*s'", salt->length, salt->data); + fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n", + *etype, request->ktype[0]); #endif - if ((ret = ((*gak_fct)(context, request->client, - *etype ? *etype : request->ktype[0], - prompter, prompter_data, - salt, s2kparams, as_key, gak_data)))) - return(ret); + if ((ret = ((*gak_fct)(context, request->client, + *etype ? *etype : request->ktype[0], + prompter, prompter_data, + salt, s2kparams, as_key, gak_data)))) + return(ret); } /* now get the time of day, and encrypt it accordingly */ if ((ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec))) - return(ret); + return(ret); if ((ret = encode_krb5_pa_enc_ts(&pa_enc, &tmp))) - return(ret); + return(ret); #ifdef DEBUG fprintf (stderr, "key type %d bytes %02x %02x ...\n", - as_key->enctype, - as_key->contents[0], as_key->contents[1]); + as_key->enctype, + as_key->contents[0], as_key->contents[1]); #endif ret = krb5_encrypt_helper(context, as_key, - KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS, - tmp, &enc_data); + KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS, + tmp, &enc_data); #ifdef DEBUG fprintf (stderr, "enc data { type=%d kvno=%d data=%02x %02x ... }\n", - enc_data.enctype, enc_data.kvno, - 0xff & enc_data.ciphertext.data[0], - 0xff & enc_data.ciphertext.data[1]); + enc_data.enctype, enc_data.kvno, + 0xff & enc_data.ciphertext.data[0], + 0xff & enc_data.ciphertext.data[1]); #endif krb5_free_data(context, tmp); if (ret) { - free(enc_data.ciphertext.data); - return(ret); + free(enc_data.ciphertext.data); + return(ret); } ret = encode_krb5_enc_data(&enc_data, &tmp); @@ -750,11 +751,11 @@ krb5_error_code pa_enc_timestamp(krb5_context context, free(enc_data.ciphertext.data); if (ret) - return(ret); + return(ret); if ((pa = (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) { - krb5_free_data(context, tmp); - return(ENOMEM); + krb5_free_data(context, tmp); + return(ENOMEM); } pa->magic = KV5M_PA_DATA; @@ -769,38 +770,38 @@ krb5_error_code pa_enc_timestamp(krb5_context context, return(0); } -static +static char *sam_challenge_banner(krb5_int32 sam_type) { char *label; switch (sam_type) { - case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */ - label = "Challenge for Enigma Logic mechanism"; - break; + case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */ + label = "Challenge for Enigma Logic mechanism"; + break; case PA_SAM_TYPE_DIGI_PATH: /* Digital Pathways */ case PA_SAM_TYPE_DIGI_PATH_HEX: /* Digital Pathways */ - label = "Challenge for Digital Pathways mechanism"; - break; + label = "Challenge for Digital Pathways mechanism"; + break; case PA_SAM_TYPE_ACTIVCARD_DEC: /* Digital Pathways */ case PA_SAM_TYPE_ACTIVCARD_HEX: /* Digital Pathways */ - label = "Challenge for Activcard mechanism"; - break; - case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */ - label = "Challenge for Enhanced S/Key mechanism"; - break; - case PA_SAM_TYPE_SKEY: /* Traditional S/Key */ - label = "Challenge for Traditional S/Key mechanism"; - break; - case PA_SAM_TYPE_SECURID: /* Security Dynamics */ - label = "Challenge for Security Dynamics mechanism"; - break; - case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */ - label = "Challenge for Security Dynamics mechanism"; - break; + label = "Challenge for Activcard mechanism"; + break; + case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */ + label = "Challenge for Enhanced S/Key mechanism"; + break; + case PA_SAM_TYPE_SKEY: /* Traditional S/Key */ + label = "Challenge for Traditional S/Key mechanism"; + break; + case PA_SAM_TYPE_SECURID: /* Security Dynamics */ + label = "Challenge for Security Dynamics mechanism"; + break; + case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */ + label = "Challenge for Security Dynamics mechanism"; + break; default: - label = "Challenge from authentication server"; - break; + label = "Challenge from authentication server"; + break; } return(label); @@ -808,12 +809,12 @@ char *sam_challenge_banner(krb5_int32 sam_type) /* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */ -#define SAMDATA(kdata, str, maxsize) \ - (int)((kdata.length)? \ - ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \ - strlen(str)), \ - (kdata.length)? \ - ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str) +#define SAMDATA(kdata, str, maxsize) \ + (int)((kdata.length)? \ + ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \ + strlen(str)), \ + (kdata.length)? \ + ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str) /* XXX Danger! This code is not in sync with the kerberos-password-02 draft. This draft cannot be implemented as written. This code is @@ -821,82 +822,82 @@ char *sam_challenge_banner(krb5_int32 sam_type) static krb5_error_code pa_sam(krb5_context context, - krb5_kdc_req *request, - krb5_pa_data *in_padata, - krb5_pa_data **out_padata, - krb5_data *salt, - krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, - void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, - void *gak_data) + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, + krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data) { - krb5_error_code ret; - krb5_data tmpsam; - char name[100], banner[100]; - char prompt[100], response[100]; - krb5_data response_data; - krb5_prompt kprompt; - krb5_prompt_type prompt_type; - krb5_data defsalt; - krb5_sam_challenge *sam_challenge = 0; - krb5_sam_response sam_response; + krb5_error_code ret; + krb5_data tmpsam; + char name[100], banner[100]; + char prompt[100], response[100]; + krb5_data response_data; + krb5_prompt kprompt; + krb5_prompt_type prompt_type; + krb5_data defsalt; + krb5_sam_challenge *sam_challenge = 0; + krb5_sam_response sam_response; /* these two get encrypted and stuffed in to sam_response */ - krb5_enc_sam_response_enc enc_sam_response_enc; - krb5_data * scratch; - krb5_pa_data * pa; + krb5_enc_sam_response_enc enc_sam_response_enc; + krb5_data * scratch; + krb5_pa_data * pa; if (prompter == NULL) - return EIO; + return EIO; tmpsam.length = in_padata->length; tmpsam.data = (char *) in_padata->contents; if ((ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge))) - return(ret); + return(ret); if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { - krb5_free_sam_challenge(context, sam_challenge); - return(KRB5_SAM_UNSUPPORTED); + krb5_free_sam_challenge(context, sam_challenge); + return(KRB5_SAM_UNSUPPORTED); } - /* If we need the password from the user (USE_SAD_AS_KEY not set), */ - /* then get it here. Exception for "old" KDCs with CryptoCard */ - /* support which uses the USE_SAD_AS_KEY flag, but still needs pwd */ + /* If we need the password from the user (USE_SAD_AS_KEY not set), */ + /* then get it here. Exception for "old" KDCs with CryptoCard */ + /* support which uses the USE_SAD_AS_KEY flag, but still needs pwd */ if (!(sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) || - (sam_challenge->sam_type == PA_SAM_TYPE_CRYPTOCARD)) { + (sam_challenge->sam_type == PA_SAM_TYPE_CRYPTOCARD)) { - /* etype has either been set by caller or by KRB5_PADATA_ETYPE_INFO */ - /* message from the KDC. If it is not set, pick an enctype that we */ - /* think the KDC will have for us. */ + /* etype has either been set by caller or by KRB5_PADATA_ETYPE_INFO */ + /* message from the KDC. If it is not set, pick an enctype that we */ + /* think the KDC will have for us. */ - if (*etype == 0) - *etype = ENCTYPE_DES_CBC_CRC; + if (*etype == 0) + *etype = ENCTYPE_DES_CBC_CRC; - if ((ret = (gak_fct)(context, request->client, *etype, prompter, - prompter_data, salt, s2kparams, as_key, - gak_data))) { - krb5_free_sam_challenge(context, sam_challenge); - return(ret); - } + if ((ret = (gak_fct)(context, request->client, *etype, prompter, + prompter_data, salt, s2kparams, as_key, + gak_data))) { + krb5_free_sam_challenge(context, sam_challenge); + return(ret); + } } snprintf(name, sizeof(name), "%.*s", - SAMDATA(sam_challenge->sam_type_name, "SAM Authentication", - sizeof(name) - 1)); + SAMDATA(sam_challenge->sam_type_name, "SAM Authentication", + sizeof(name) - 1)); snprintf(banner, sizeof(banner), "%.*s", - SAMDATA(sam_challenge->sam_challenge_label, - sam_challenge_banner(sam_challenge->sam_type), - sizeof(banner)-1)); + SAMDATA(sam_challenge->sam_challenge_label, + sam_challenge_banner(sam_challenge->sam_type), + sizeof(banner)-1)); /* sprintf(prompt, "Challenge is [%s], %s: ", challenge, prompt); */ snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s", - sam_challenge->sam_challenge.length?"Challenge is [":"", - SAMDATA(sam_challenge->sam_challenge, "", 20), - sam_challenge->sam_challenge.length?"], ":"", - SAMDATA(sam_challenge->sam_response_prompt, "passcode", 55)); + sam_challenge->sam_challenge.length?"Challenge is [":"", + SAMDATA(sam_challenge->sam_challenge, "", 20), + sam_challenge->sam_challenge.length?"], ":"", + SAMDATA(sam_challenge->sam_response_prompt, "passcode", 55)); response_data.data = response; response_data.length = sizeof(response); @@ -909,115 +910,115 @@ krb5_error_code pa_sam(krb5_context context, /* PROMPTER_INVOCATION */ krb5int_set_prompt_types(context, &prompt_type); if ((ret = ((*prompter)(context, prompter_data, name, - banner, 1, &kprompt)))) { - krb5_free_sam_challenge(context, sam_challenge); - krb5int_set_prompt_types(context, 0); - return(ret); + banner, 1, &kprompt)))) { + krb5_free_sam_challenge(context, sam_challenge); + krb5int_set_prompt_types(context, 0); + return(ret); } krb5int_set_prompt_types(context, 0); enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce; if (sam_challenge->sam_nonce == 0) { - if ((ret = krb5_us_timeofday(context, - &enc_sam_response_enc.sam_timestamp, - &enc_sam_response_enc.sam_usec))) { - krb5_free_sam_challenge(context,sam_challenge); - return(ret); - } + if ((ret = krb5_us_timeofday(context, + &enc_sam_response_enc.sam_timestamp, + &enc_sam_response_enc.sam_usec))) { + krb5_free_sam_challenge(context,sam_challenge); + return(ret); + } - sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp; + sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp; } /* XXX What if more than one flag is set? */ if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) { - /* Most of this should be taken care of before we get here. We */ - /* will need the user's password and as_key to encrypt the SAD */ - /* and we want to preserve ordering of user prompts (first */ - /* password, then SAM data) so that user's won't be confused. */ + /* Most of this should be taken care of before we get here. We */ + /* will need the user's password and as_key to encrypt the SAD */ + /* and we want to preserve ordering of user prompts (first */ + /* password, then SAM data) so that user's won't be confused. */ - if (as_key->length) { - krb5_free_keyblock_contents(context, as_key); - as_key->length = 0; - } + if (as_key->length) { + krb5_free_keyblock_contents(context, as_key); + as_key->length = 0; + } - /* generate a salt using the requested principal */ + /* generate a salt using the requested principal */ - if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) { - if ((ret = krb5_principal2salt(context, request->client, - &defsalt))) { - krb5_free_sam_challenge(context, sam_challenge); - return(ret); - } + if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) { + if ((ret = krb5_principal2salt(context, request->client, + &defsalt))) { + krb5_free_sam_challenge(context, sam_challenge); + return(ret); + } - salt = &defsalt; - } else { - defsalt.length = 0; - } + salt = &defsalt; + } else { + defsalt.length = 0; + } - /* generate a key using the supplied password */ + /* generate a key using the supplied password */ - ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, - (krb5_data *)gak_data, salt, as_key); + ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, + (krb5_data *)gak_data, salt, as_key); - if (defsalt.length) - free(defsalt.data); + if (defsalt.length) + free(defsalt.data); - if (ret) { - krb5_free_sam_challenge(context, sam_challenge); - return(ret); - } + if (ret) { + krb5_free_sam_challenge(context, sam_challenge); + return(ret); + } - /* encrypt the passcode with the key from above */ + /* encrypt the passcode with the key from above */ - enc_sam_response_enc.sam_sad = response_data; + enc_sam_response_enc.sam_sad = response_data; } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) { - /* process the key as password */ + /* process the key as password */ - if (as_key->length) { - krb5_free_keyblock_contents(context, as_key); - as_key->length = 0; - } + if (as_key->length) { + krb5_free_keyblock_contents(context, as_key); + as_key->length = 0; + } #if 0 - if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) { - if (ret = krb5_principal2salt(context, request->client, - &defsalt)) { - krb5_free_sam_challenge(context, sam_challenge); - return(ret); - } - - salt = &defsalt; - } else { - defsalt.length = 0; - } + if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) { + if (ret = krb5_principal2salt(context, request->client, + &defsalt)) { + krb5_free_sam_challenge(context, sam_challenge); + return(ret); + } + + salt = &defsalt; + } else { + defsalt.length = 0; + } #else - defsalt.length = 0; - salt = NULL; + defsalt.length = 0; + salt = NULL; #endif - - /* XXX As of the passwords-04 draft, no enctype is specified, - the server uses ENCTYPE_DES_CBC_MD5. In the future the - server should send a PA-SAM-ETYPE-INFO containing the enctype. */ - ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, - &response_data, salt, as_key); + /* XXX As of the passwords-04 draft, no enctype is specified, + the server uses ENCTYPE_DES_CBC_MD5. In the future the + server should send a PA-SAM-ETYPE-INFO containing the enctype. */ + + ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, + &response_data, salt, as_key); - if (defsalt.length) - free(defsalt.data); + if (defsalt.length) + free(defsalt.data); - if (ret) { - krb5_free_sam_challenge(context, sam_challenge); - return(ret); - } + if (ret) { + krb5_free_sam_challenge(context, sam_challenge); + return(ret); + } - enc_sam_response_enc.sam_sad.length = 0; + enc_sam_response_enc.sam_sad.length = 0; } else { - /* Eventually, combine SAD with long-term key to get - encryption key. */ - krb5_free_sam_challenge(context, sam_challenge); - return KRB5_PREAUTH_BAD_TYPE; + /* Eventually, combine SAD with long-term key to get + encryption key. */ + krb5_free_sam_challenge(context, sam_challenge); + return KRB5_PREAUTH_BAD_TYPE; } /* copy things from the challenge */ @@ -1031,26 +1032,26 @@ krb5_error_code pa_sam(krb5_context context, /* encode the encoded part of the response */ if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, - &scratch))) - return(ret); + &scratch))) + return(ret); ret = krb5_encrypt_data(context, as_key, 0, scratch, - &sam_response.sam_enc_nonce_or_ts); + &sam_response.sam_enc_nonce_or_ts); krb5_free_data(context, scratch); if (ret) - return(ret); + return(ret); /* sam_enc_key is reserved for future use */ sam_response.sam_enc_key.ciphertext.length = 0; if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) - return(ENOMEM); + return(ENOMEM); if ((ret = encode_krb5_sam_response(&sam_response, &scratch))) { - free(pa); - return(ret); + free(pa); + return(ret); } pa->magic = KV5M_PA_DATA; @@ -1066,7 +1067,7 @@ krb5_error_code pa_sam(krb5_context context, } #if APPLE_PKINIT -/* +/* * PKINIT. One function to generate AS-REQ, one to parse AS-REP */ #define PKINIT_DEBUG 0 @@ -1081,32 +1082,32 @@ static krb5_error_code pa_pkinit_gen_req( krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, - krb5_prompter_fct prompter, + krb5_prompter_fct prompter, void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, + krb5_gic_get_as_key_fct gak_fct, void *gak_data) { - krb5_error_code krtn; - krb5_data out_data = {0, 0, NULL}; - krb5_timestamp kctime = 0; - krb5_int32 cusec = 0; - krb5_ui_4 nonce = 0; - krb5_checksum cksum; - krb5_pkinit_signing_cert_t client_cert; - krb5_data *der_req = NULL; - char *client_principal = NULL; - char *server_principal = NULL; - unsigned char nonce_bytes[4]; - krb5_data nonce_data = {0, 4, (char *)nonce_bytes}; - int dex; - - /* + krb5_error_code krtn; + krb5_data out_data = {0, 0, NULL}; + krb5_timestamp kctime = 0; + krb5_int32 cusec = 0; + krb5_ui_4 nonce = 0; + krb5_checksum cksum; + krb5_pkinit_signing_cert_t client_cert; + krb5_data *der_req = NULL; + char *client_principal = NULL; + char *server_principal = NULL; + unsigned char nonce_bytes[4]; + krb5_data nonce_data = {0, 4, (char *)nonce_bytes}; + int dex; + + /* * Trusted CA list and specific KC cert optionally obtained via - * krb5_pkinit_get_server_certs(). All are DER-encoded certs. + * krb5_pkinit_get_server_certs(). All are DER-encoded certs. */ krb5_data *trusted_CAs = NULL; krb5_ui_4 num_trusted_CAs; @@ -1116,72 +1117,72 @@ static krb5_error_code pa_pkinit_gen_req( /* If we don't have a client cert, we're done */ if(request->client == NULL) { - kdcPkinitDebug("No request->client; aborting PKINIT\n"); - return KRB5KDC_ERR_PREAUTH_FAILED; + kdcPkinitDebug("No request->client; aborting PKINIT\n"); + return KRB5KDC_ERR_PREAUTH_FAILED; } krtn = krb5_unparse_name(context, request->client, &client_principal); if(krtn) { - return krtn; + return krtn; } krtn = krb5_pkinit_get_client_cert(client_principal, &client_cert); free(client_principal); if(krtn) { - kdcPkinitDebug("No client cert; aborting PKINIT\n"); - return krtn; + kdcPkinitDebug("No client cert; aborting PKINIT\n"); + return krtn; } - + /* optional platform-dependent CA list and KDC cert */ krtn = krb5_unparse_name(context, request->server, &server_principal); if(krtn) { - goto cleanup; + goto cleanup; } krtn = krb5_pkinit_get_server_certs(client_principal, server_principal, - &trusted_CAs, &num_trusted_CAs, &kdc_cert); + &trusted_CAs, &num_trusted_CAs, &kdc_cert); if(krtn) { - goto cleanup; + goto cleanup; } - + /* checksum of the encoded KDC-REQ-BODY */ krtn = encode_krb5_kdc_req_body(request, &der_req); if(krtn) { - kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn); + goto cleanup; } krtn = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, der_req, &cksum); if(krtn) { - goto cleanup; + goto cleanup; } krtn = krb5_us_timeofday(context, &kctime, &cusec); if(krtn) { - goto cleanup; + goto cleanup; } - + /* cook up a random 4-byte nonce */ krtn = krb5_c_random_make_octets(context, &nonce_data); if(krtn) { - goto cleanup; + goto cleanup; } for(dex=0; dex<4; dex++) { - nonce <<= 8; - nonce |= nonce_bytes[dex]; + nonce <<= 8; + nonce |= nonce_bytes[dex]; } - krtn = krb5int_pkinit_as_req_create(context, - kctime, cusec, nonce, &cksum, - client_cert, - trusted_CAs, num_trusted_CAs, - (kdc_cert.data ? &kdc_cert : NULL), - &out_data); + krtn = krb5int_pkinit_as_req_create(context, + kctime, cusec, nonce, &cksum, + client_cert, + trusted_CAs, num_trusted_CAs, + (kdc_cert.data ? &kdc_cert : NULL), + &out_data); if(krtn) { - kdcPkinitDebug("error %d on pkinit_as_req_create; aborting PKINIT\n", (int)krtn); - goto cleanup; + kdcPkinitDebug("error %d on pkinit_as_req_create; aborting PKINIT\n", (int)krtn); + goto cleanup; } *out_padata = (krb5_pa_data *)malloc(sizeof(krb5_pa_data)); if(*out_padata == NULL) { - krtn = ENOMEM; - free(out_data.data); - goto cleanup; + krtn = ENOMEM; + free(out_data.data); + goto cleanup; } (*out_padata)->magic = KV5M_PA_DATA; (*out_padata)->pa_type = KRB5_PADATA_PK_AS_REQ; @@ -1190,27 +1191,27 @@ static krb5_error_code pa_pkinit_gen_req( krtn = 0; cleanup: if(client_cert) { - krb5_pkinit_release_cert(client_cert); + krb5_pkinit_release_cert(client_cert); } if(cksum.contents) { - free(cksum.contents); + free(cksum.contents); } if (der_req) { - krb5_free_data(context, der_req); + krb5_free_data(context, der_req); } if(server_principal) { - free(server_principal); + free(server_principal); } /* free data mallocd by krb5_pkinit_get_server_certs() */ if(trusted_CAs) { - unsigned udex; - for(udex=0; udexrealm.length <= sizeof(lkdcprefix) || 0 != memcmp(lkdcprefix, client->realm.data, sizeof(lkdcprefix)-1)) - return match; + return match; realm_hash = &client->realm.data[sizeof(lkdcprefix)-1]; realm_hash_len = client->realm.length - sizeof(lkdcprefix) + 1; kdcPkinitDebug("checking realm versus certificate hash\n"); if (NULL != (cert_hash = krb5_pkinit_cert_hash_str(signer_cert))) { - kdcPkinitDebug("hash = %s\n", cert_hash); - cert_hash_len = strlen(cert_hash); - if (cert_hash_len == realm_hash_len && - 0 == memcmp(cert_hash, realm_hash, cert_hash_len)) - match = TRUE; - free(cert_hash); + kdcPkinitDebug("hash = %s\n", cert_hash); + cert_hash_len = strlen(cert_hash); + if (cert_hash_len == realm_hash_len && + 0 == memcmp(cert_hash, realm_hash, cert_hash_len)) + match = TRUE; + free(cert_hash); } kdcPkinitDebug("result: %s\n", match ? "matches" : "does not match"); return match; @@ -1255,125 +1256,125 @@ static krb5_error_code pa_pkinit_parse_rep( krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, - krb5_prompter_fct prompter, + krb5_prompter_fct prompter, void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, + krb5_gic_get_as_key_fct gak_fct, void *gak_data) { - krb5int_cert_sig_status sig_status = (krb5int_cert_sig_status)-999; - krb5_error_code krtn; - krb5_data asRep; - krb5_keyblock local_key = {0}; - krb5_pkinit_signing_cert_t client_cert; - char *princ_name = NULL; - krb5_checksum as_req_checksum_rcd = {0}; /* received checksum */ - krb5_checksum as_req_checksum_gen = {0}; /* calculated checksum */ - krb5_data *encoded_as_req = NULL; - krb5_data signer_cert = {0}; + krb5int_cert_sig_status sig_status = (krb5int_cert_sig_status)-999; + krb5_error_code krtn; + krb5_data asRep; + krb5_keyblock local_key = {0}; + krb5_pkinit_signing_cert_t client_cert; + char *princ_name = NULL; + krb5_checksum as_req_checksum_rcd = {0}; /* received checksum */ + krb5_checksum as_req_checksum_gen = {0}; /* calculated checksum */ + krb5_data *encoded_as_req = NULL; + krb5_data signer_cert = {0}; *out_padata = NULL; kdcPkinitDebug("pa_pkinit_parse_rep\n"); if((in_padata == NULL) || (in_padata->length== 0)) { - kdcPkinitDebug("pa_pkinit_parse_rep: no in_padata\n"); - return KRB5KDC_ERR_PREAUTH_FAILED; + kdcPkinitDebug("pa_pkinit_parse_rep: no in_padata\n"); + return KRB5KDC_ERR_PREAUTH_FAILED; } /* If we don't have a client cert, we're done */ if(request->client == NULL) { - kdcPkinitDebug("No request->client; aborting PKINIT\n"); - return KRB5KDC_ERR_PREAUTH_FAILED; + kdcPkinitDebug("No request->client; aborting PKINIT\n"); + return KRB5KDC_ERR_PREAUTH_FAILED; } krtn = krb5_unparse_name(context, request->client, &princ_name); if(krtn) { - return krtn; + return krtn; } krtn = krb5_pkinit_get_client_cert(princ_name, &client_cert); free(princ_name); if(krtn) { - kdcPkinitDebug("No client cert; aborting PKINIT\n"); - return krtn; + kdcPkinitDebug("No client cert; aborting PKINIT\n"); + return krtn; } - + memset(&local_key, 0, sizeof(local_key)); asRep.data = (char *)in_padata->contents; asRep.length = in_padata->length; - krtn = krb5int_pkinit_as_rep_parse(context, &asRep, client_cert, - &local_key, &as_req_checksum_rcd, &sig_status, - &signer_cert, NULL, NULL); + krtn = krb5int_pkinit_as_rep_parse(context, &asRep, client_cert, + &local_key, &as_req_checksum_rcd, &sig_status, + &signer_cert, NULL, NULL); if(krtn) { - kdcPkinitDebug("pkinit_as_rep_parse returned %d\n", (int)krtn); - return krtn; + kdcPkinitDebug("pkinit_as_rep_parse returned %d\n", (int)krtn); + return krtn; } switch(sig_status) { - case pki_cs_good: - break; - case pki_cs_unknown_root: - if (local_kdc_cert_match(context, &signer_cert, request->client)) - break; - /* FALLTHROUGH */ - default: - kdcPkinitDebug("pa_pkinit_parse_rep: bad cert/sig status %d\n", - (int)sig_status); - krtn = KRB5KDC_ERR_PREAUTH_FAILED; - goto error_out; - } - - /* calculate checksum of incoming AS-REQ using the decryption key + case pki_cs_good: + break; + case pki_cs_unknown_root: + if (local_kdc_cert_match(context, &signer_cert, request->client)) + break; + /* FALLTHROUGH */ + default: + kdcPkinitDebug("pa_pkinit_parse_rep: bad cert/sig status %d\n", + (int)sig_status); + krtn = KRB5KDC_ERR_PREAUTH_FAILED; + goto error_out; + } + + /* calculate checksum of incoming AS-REQ using the decryption key * we just got from the ReplyKeyPack */ krtn = encode_krb5_as_req(request, &encoded_as_req); if(krtn) { - goto error_out; + goto error_out; } - krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype, - &local_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - encoded_as_req, &as_req_checksum_gen); + krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype, + &local_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + encoded_as_req, &as_req_checksum_gen); if(krtn) { - goto error_out; + goto error_out; } if((as_req_checksum_gen.length != as_req_checksum_rcd.length) || memcmp(as_req_checksum_gen.contents, - as_req_checksum_rcd.contents, - as_req_checksum_gen.length)) { - kdcPkinitDebug("pa_pkinit_parse_rep: checksum miscompare\n"); - krtn = KRB5KDC_ERR_PREAUTH_FAILED; - goto error_out; + as_req_checksum_rcd.contents, + as_req_checksum_gen.length)) { + kdcPkinitDebug("pa_pkinit_parse_rep: checksum miscompare\n"); + krtn = KRB5KDC_ERR_PREAUTH_FAILED; + goto error_out; } - + /* We have the key; transfer to caller */ if (as_key->length) { - krb5_free_keyblock_contents(context, as_key); + krb5_free_keyblock_contents(context, as_key); } *as_key = local_key; - - #if PKINIT_DEBUG + +#if PKINIT_DEBUG fprintf(stderr, "pa_pkinit_parse_rep: SUCCESS\n"); fprintf(stderr, "enctype %d keylen %d keydata %02x %02x %02x %02x...\n", - (int)as_key->enctype, (int)as_key->length, - as_key->contents[0], as_key->contents[1], - as_key->contents[2], as_key->contents[3]); - #endif - + (int)as_key->enctype, (int)as_key->length, + as_key->contents[0], as_key->contents[1], + as_key->contents[2], as_key->contents[3]); +#endif + krtn = 0; - + error_out: if (signer_cert.data) { - free(signer_cert.data); + free(signer_cert.data); } if(as_req_checksum_rcd.contents) { - free(as_req_checksum_rcd.contents); + free(as_req_checksum_rcd.contents); } if(as_req_checksum_gen.contents) { - free(as_req_checksum_gen.contents); + free(as_req_checksum_gen.contents); } if(encoded_as_req) { - krb5_free_data(context, encoded_as_req); + krb5_free_data(context, encoded_as_req); } if(krtn && (local_key.contents != NULL)) { - krb5_free_keyblock_contents(context, &local_key); + krb5_free_keyblock_contents(context, &local_key); } return krtn; } @@ -1381,329 +1382,329 @@ error_out: static krb5_error_code pa_sam_2(krb5_context context, - krb5_kdc_req *request, - krb5_pa_data *in_padata, - krb5_pa_data **out_padata, - krb5_data *salt, - krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, - void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, - void *gak_data) { - - krb5_error_code retval; - krb5_sam_challenge_2 *sc2 = NULL; - krb5_sam_challenge_2_body *sc2b = NULL; - krb5_data tmp_data; - krb5_data response_data; - char name[100], banner[100], prompt[100], response[100]; - krb5_prompt kprompt; - krb5_prompt_type prompt_type; - krb5_data defsalt; - krb5_checksum **cksum; - krb5_data *scratch = NULL; - krb5_boolean valid_cksum = 0; - krb5_enc_sam_response_enc_2 enc_sam_response_enc_2; - krb5_sam_response_2 sr2; - size_t ciph_len; - krb5_pa_data *sam_padata; - - if (prompter == NULL) - return KRB5_LIBOS_CANTREADPWD; - - tmp_data.length = in_padata->length; - tmp_data.data = (char *)in_padata->contents; - - if ((retval = decode_krb5_sam_challenge_2(&tmp_data, &sc2))) - return(retval); - - retval = decode_krb5_sam_challenge_2_body(&sc2->sam_challenge_2_body, &sc2b); - - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - return(retval); - } - - if (!sc2->sam_cksum || ! *sc2->sam_cksum) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(KRB5_SAM_NO_CHECKSUM); - } - - if (sc2b->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(KRB5_SAM_UNSUPPORTED); - } - - if (!krb5_c_valid_enctype(sc2b->sam_etype)) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(KRB5_SAM_INVALID_ETYPE); - } - - /* All of the above error checks are KDC-specific, that is, they */ - /* assume a failure in the KDC reply. By returning anything other */ - /* than KRB5_KDC_UNREACH, KRB5_PREAUTH_FAILED, */ - /* KRB5_LIBOS_PWDINTR, or KRB5_REALM_CANT_RESOLVE, the client will */ - /* most likely go on to try the AS_REQ against master KDC */ - - if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) { - /* We will need the password to obtain the key used for */ - /* the checksum, and encryption of the sam_response. */ - /* Go ahead and get it now, preserving the ordering of */ - /* prompts for the user. */ - - retval = (gak_fct)(context, request->client, - sc2b->sam_etype, prompter, - prompter_data, salt, s2kparams, as_key, gak_data); - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(retval); - } - } - - snprintf(name, sizeof(name), "%.*s", - SAMDATA(sc2b->sam_type_name, "SAM Authentication", - sizeof(name) - 1)); - - snprintf(banner, sizeof(banner), "%.*s", - SAMDATA(sc2b->sam_challenge_label, - sam_challenge_banner(sc2b->sam_type), - sizeof(banner)-1)); - - snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s", - sc2b->sam_challenge.length?"Challenge is [":"", - SAMDATA(sc2b->sam_challenge, "", 20), - sc2b->sam_challenge.length?"], ":"", - SAMDATA(sc2b->sam_response_prompt, "passcode", 55)); - - response_data.data = response; - response_data.length = sizeof(response); - kprompt.prompt = prompt; - kprompt.hidden = 1; - kprompt.reply = &response_data; - - prompt_type = KRB5_PROMPT_TYPE_PREAUTH; - krb5int_set_prompt_types(context, &prompt_type); - - if ((retval = ((*prompter)(context, prompter_data, name, - banner, 1, &kprompt)))) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - krb5int_set_prompt_types(context, 0); - return(retval); - } - - krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL); - - /* Generate salt used by string_to_key() */ - if ((salt->length == -1) && (salt->data == NULL)) { - if ((retval = - krb5_principal2salt(context, request->client, &defsalt))) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(retval); - } - salt = &defsalt; - } else { - defsalt.length = 0; - } - - /* Get encryption key to be used for checksum and sam_response */ - if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) { - /* as_key = string_to_key(password) */ - - if (as_key->length) { - krb5_free_keyblock_contents(context, as_key); - as_key->length = 0; - } - - /* generate a key using the supplied password */ - retval = krb5_c_string_to_key(context, sc2b->sam_etype, - (krb5_data *)gak_data, salt, as_key); + krb5_kdc_req *request, + krb5_pa_data *in_padata, + krb5_pa_data **out_padata, + krb5_data *salt, + krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data) { - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - if (defsalt.length) free(defsalt.data); - return(retval); - } - - if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) { - /* as_key = combine_key (as_key, string_to_key(SAD)) */ - krb5_keyblock tmp_kb; - - retval = krb5_c_string_to_key(context, sc2b->sam_etype, - &response_data, salt, &tmp_kb); - - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - if (defsalt.length) free(defsalt.data); - return(retval); - } - - /* This should be a call to the crypto library some day */ - /* key types should already match the sam_etype */ - retval = krb5int_c_combine_keys(context, as_key, &tmp_kb, as_key); - - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - if (defsalt.length) free(defsalt.data); - return(retval); - } - krb5_free_keyblock_contents(context, &tmp_kb); - } - - if (defsalt.length) - free(defsalt.data); - - } else { - /* as_key = string_to_key(SAD) */ - - if (as_key->length) { - krb5_free_keyblock_contents(context, as_key); - as_key->length = 0; - } - - /* generate a key using the supplied password */ - retval = krb5_c_string_to_key(context, sc2b->sam_etype, - &response_data, salt, as_key); - - if (defsalt.length) - free(defsalt.data); - - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(retval); - } - } - - /* Now we have a key, verify the checksum on the sam_challenge */ - - cksum = sc2->sam_cksum; - - while (*cksum) { - /* Check this cksum */ - retval = krb5_c_verify_checksum(context, as_key, - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, - &sc2->sam_challenge_2_body, - *cksum, &valid_cksum); - if (retval) { - krb5_free_data(context, scratch); - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(retval); - } - if (valid_cksum) - break; - cksum++; - } - - if (!valid_cksum) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - /* - * Note: We return AP_ERR_BAD_INTEGRITY so upper-level applications - * can interpret that as "password incorrect", which is probably - * the best error we can return in this situation. - */ - return(KRB5KRB_AP_ERR_BAD_INTEGRITY); - } - - /* fill in enc_sam_response_enc_2 */ - enc_sam_response_enc_2.magic = KV5M_ENC_SAM_RESPONSE_ENC_2; - enc_sam_response_enc_2.sam_nonce = sc2b->sam_nonce; - if (sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) { - enc_sam_response_enc_2.sam_sad = response_data; - } else { - enc_sam_response_enc_2.sam_sad.data = NULL; - enc_sam_response_enc_2.sam_sad.length = 0; - } - - /* encode and encrypt enc_sam_response_enc_2 with as_key */ - retval = encode_krb5_enc_sam_response_enc_2(&enc_sam_response_enc_2, - &scratch); - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - return(retval); - } - - /* Fill in sam_response_2 */ - memset(&sr2, 0, sizeof(sr2)); - sr2.sam_type = sc2b->sam_type; - sr2.sam_flags = sc2b->sam_flags; - sr2.sam_track_id = sc2b->sam_track_id; - sr2.sam_nonce = sc2b->sam_nonce; - - /* Now take care of sr2.sam_enc_nonce_or_sad by encrypting encoded */ - /* enc_sam_response_enc_2 from above */ - - retval = krb5_c_encrypt_length(context, as_key->enctype, scratch->length, - &ciph_len); - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - krb5_free_data(context, scratch); - return(retval); - } - sr2.sam_enc_nonce_or_sad.ciphertext.length = ciph_len; - - sr2.sam_enc_nonce_or_sad.ciphertext.data = - (char *)malloc(sr2.sam_enc_nonce_or_sad.ciphertext.length); - - if (!sr2.sam_enc_nonce_or_sad.ciphertext.data) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - krb5_free_data(context, scratch); - return(ENOMEM); - } - - retval = krb5_c_encrypt(context, as_key, KRB5_KEYUSAGE_PA_SAM_RESPONSE, - NULL, scratch, &sr2.sam_enc_nonce_or_sad); - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - krb5_free_data(context, scratch); - krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext); - return(retval); - } - krb5_free_data(context, scratch); - scratch = NULL; - - /* Encode the sam_response_2 */ - retval = encode_krb5_sam_response_2(&sr2, &scratch); - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); - krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext); - - if (retval) { - return (retval); - } - - /* Almost there, just need to make padata ! */ - sam_padata = malloc(sizeof(krb5_pa_data)); - if (sam_padata == NULL) { - krb5_free_data(context, scratch); - return(ENOMEM); - } - - sam_padata->magic = KV5M_PA_DATA; - sam_padata->pa_type = KRB5_PADATA_SAM_RESPONSE_2; - sam_padata->length = scratch->length; - sam_padata->contents = (krb5_octet *) scratch->data; - free(scratch); - - *out_padata = sam_padata; - - return(0); + krb5_error_code retval; + krb5_sam_challenge_2 *sc2 = NULL; + krb5_sam_challenge_2_body *sc2b = NULL; + krb5_data tmp_data; + krb5_data response_data; + char name[100], banner[100], prompt[100], response[100]; + krb5_prompt kprompt; + krb5_prompt_type prompt_type; + krb5_data defsalt; + krb5_checksum **cksum; + krb5_data *scratch = NULL; + krb5_boolean valid_cksum = 0; + krb5_enc_sam_response_enc_2 enc_sam_response_enc_2; + krb5_sam_response_2 sr2; + size_t ciph_len; + krb5_pa_data *sam_padata; + + if (prompter == NULL) + return KRB5_LIBOS_CANTREADPWD; + + tmp_data.length = in_padata->length; + tmp_data.data = (char *)in_padata->contents; + + if ((retval = decode_krb5_sam_challenge_2(&tmp_data, &sc2))) + return(retval); + + retval = decode_krb5_sam_challenge_2_body(&sc2->sam_challenge_2_body, &sc2b); + + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + return(retval); + } + + if (!sc2->sam_cksum || ! *sc2->sam_cksum) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(KRB5_SAM_NO_CHECKSUM); + } + + if (sc2b->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(KRB5_SAM_UNSUPPORTED); + } + + if (!krb5_c_valid_enctype(sc2b->sam_etype)) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(KRB5_SAM_INVALID_ETYPE); + } + + /* All of the above error checks are KDC-specific, that is, they */ + /* assume a failure in the KDC reply. By returning anything other */ + /* than KRB5_KDC_UNREACH, KRB5_PREAUTH_FAILED, */ + /* KRB5_LIBOS_PWDINTR, or KRB5_REALM_CANT_RESOLVE, the client will */ + /* most likely go on to try the AS_REQ against master KDC */ + + if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) { + /* We will need the password to obtain the key used for */ + /* the checksum, and encryption of the sam_response. */ + /* Go ahead and get it now, preserving the ordering of */ + /* prompts for the user. */ + + retval = (gak_fct)(context, request->client, + sc2b->sam_etype, prompter, + prompter_data, salt, s2kparams, as_key, gak_data); + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(retval); + } + } + + snprintf(name, sizeof(name), "%.*s", + SAMDATA(sc2b->sam_type_name, "SAM Authentication", + sizeof(name) - 1)); + + snprintf(banner, sizeof(banner), "%.*s", + SAMDATA(sc2b->sam_challenge_label, + sam_challenge_banner(sc2b->sam_type), + sizeof(banner)-1)); + + snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s", + sc2b->sam_challenge.length?"Challenge is [":"", + SAMDATA(sc2b->sam_challenge, "", 20), + sc2b->sam_challenge.length?"], ":"", + SAMDATA(sc2b->sam_response_prompt, "passcode", 55)); + + response_data.data = response; + response_data.length = sizeof(response); + kprompt.prompt = prompt; + kprompt.hidden = 1; + kprompt.reply = &response_data; + + prompt_type = KRB5_PROMPT_TYPE_PREAUTH; + krb5int_set_prompt_types(context, &prompt_type); + + if ((retval = ((*prompter)(context, prompter_data, name, + banner, 1, &kprompt)))) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + krb5int_set_prompt_types(context, 0); + return(retval); + } + + krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL); + + /* Generate salt used by string_to_key() */ + if ((salt->length == -1) && (salt->data == NULL)) { + if ((retval = + krb5_principal2salt(context, request->client, &defsalt))) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(retval); + } + salt = &defsalt; + } else { + defsalt.length = 0; + } + + /* Get encryption key to be used for checksum and sam_response */ + if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) { + /* as_key = string_to_key(password) */ + + if (as_key->length) { + krb5_free_keyblock_contents(context, as_key); + as_key->length = 0; + } + + /* generate a key using the supplied password */ + retval = krb5_c_string_to_key(context, sc2b->sam_etype, + (krb5_data *)gak_data, salt, as_key); + + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + if (defsalt.length) free(defsalt.data); + return(retval); + } + + if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) { + /* as_key = combine_key (as_key, string_to_key(SAD)) */ + krb5_keyblock tmp_kb; + + retval = krb5_c_string_to_key(context, sc2b->sam_etype, + &response_data, salt, &tmp_kb); + + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + if (defsalt.length) free(defsalt.data); + return(retval); + } + + /* This should be a call to the crypto library some day */ + /* key types should already match the sam_etype */ + retval = krb5int_c_combine_keys(context, as_key, &tmp_kb, as_key); + + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + if (defsalt.length) free(defsalt.data); + return(retval); + } + krb5_free_keyblock_contents(context, &tmp_kb); + } + + if (defsalt.length) + free(defsalt.data); + + } else { + /* as_key = string_to_key(SAD) */ + + if (as_key->length) { + krb5_free_keyblock_contents(context, as_key); + as_key->length = 0; + } + + /* generate a key using the supplied password */ + retval = krb5_c_string_to_key(context, sc2b->sam_etype, + &response_data, salt, as_key); + + if (defsalt.length) + free(defsalt.data); + + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(retval); + } + } + + /* Now we have a key, verify the checksum on the sam_challenge */ + + cksum = sc2->sam_cksum; + + while (*cksum) { + /* Check this cksum */ + retval = krb5_c_verify_checksum(context, as_key, + KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, + &sc2->sam_challenge_2_body, + *cksum, &valid_cksum); + if (retval) { + krb5_free_data(context, scratch); + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(retval); + } + if (valid_cksum) + break; + cksum++; + } + + if (!valid_cksum) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + /* + * Note: We return AP_ERR_BAD_INTEGRITY so upper-level applications + * can interpret that as "password incorrect", which is probably + * the best error we can return in this situation. + */ + return(KRB5KRB_AP_ERR_BAD_INTEGRITY); + } + + /* fill in enc_sam_response_enc_2 */ + enc_sam_response_enc_2.magic = KV5M_ENC_SAM_RESPONSE_ENC_2; + enc_sam_response_enc_2.sam_nonce = sc2b->sam_nonce; + if (sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) { + enc_sam_response_enc_2.sam_sad = response_data; + } else { + enc_sam_response_enc_2.sam_sad.data = NULL; + enc_sam_response_enc_2.sam_sad.length = 0; + } + + /* encode and encrypt enc_sam_response_enc_2 with as_key */ + retval = encode_krb5_enc_sam_response_enc_2(&enc_sam_response_enc_2, + &scratch); + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + return(retval); + } + + /* Fill in sam_response_2 */ + memset(&sr2, 0, sizeof(sr2)); + sr2.sam_type = sc2b->sam_type; + sr2.sam_flags = sc2b->sam_flags; + sr2.sam_track_id = sc2b->sam_track_id; + sr2.sam_nonce = sc2b->sam_nonce; + + /* Now take care of sr2.sam_enc_nonce_or_sad by encrypting encoded */ + /* enc_sam_response_enc_2 from above */ + + retval = krb5_c_encrypt_length(context, as_key->enctype, scratch->length, + &ciph_len); + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + krb5_free_data(context, scratch); + return(retval); + } + sr2.sam_enc_nonce_or_sad.ciphertext.length = ciph_len; + + sr2.sam_enc_nonce_or_sad.ciphertext.data = + (char *)malloc(sr2.sam_enc_nonce_or_sad.ciphertext.length); + + if (!sr2.sam_enc_nonce_or_sad.ciphertext.data) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + krb5_free_data(context, scratch); + return(ENOMEM); + } + + retval = krb5_c_encrypt(context, as_key, KRB5_KEYUSAGE_PA_SAM_RESPONSE, + NULL, scratch, &sr2.sam_enc_nonce_or_sad); + if (retval) { + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + krb5_free_data(context, scratch); + krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext); + return(retval); + } + krb5_free_data(context, scratch); + scratch = NULL; + + /* Encode the sam_response_2 */ + retval = encode_krb5_sam_response_2(&sr2, &scratch); + krb5_free_sam_challenge_2(context, sc2); + krb5_free_sam_challenge_2_body(context, sc2b); + krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext); + + if (retval) { + return (retval); + } + + /* Almost there, just need to make padata ! */ + sam_padata = malloc(sizeof(krb5_pa_data)); + if (sam_padata == NULL) { + krb5_free_data(context, scratch); + return(ENOMEM); + } + + sam_padata->magic = KV5M_PA_DATA; + sam_padata->pa_type = KRB5_PADATA_SAM_RESPONSE_2; + sam_padata->length = scratch->length; + sam_padata->contents = (krb5_octet *) scratch->data; + free(scratch); + + *out_padata = sam_padata; + + return(0); } static krb5_error_code pa_s4u_x509_user( @@ -1728,32 +1729,32 @@ static krb5_error_code pa_s4u_x509_user( *out_padata = NULL; if (userid == NULL) - return EINVAL; + return EINVAL; code = krb5_copy_principal(context, request->client, &client); if (code != 0) - return code; + return code; if (userid->user != NULL) - krb5_free_principal(context, userid->user); + krb5_free_principal(context, userid->user); userid->user = client; if (userid->subject_cert.length != 0) { - s4u_padata = malloc(sizeof(*s4u_padata)); - if (s4u_padata == NULL) - return ENOMEM; + s4u_padata = malloc(sizeof(*s4u_padata)); + if (s4u_padata == NULL) + return ENOMEM; - s4u_padata->magic = KV5M_PA_DATA; - s4u_padata->pa_type = KRB5_PADATA_S4U_X509_USER; - s4u_padata->contents = malloc(userid->subject_cert.length); - if (s4u_padata->contents == NULL) { - free(s4u_padata); - return ENOMEM; - } - memcpy(s4u_padata->contents, userid->subject_cert.data, userid->subject_cert.length); - s4u_padata->length = userid->subject_cert.length; + s4u_padata->magic = KV5M_PA_DATA; + s4u_padata->pa_type = KRB5_PADATA_S4U_X509_USER; + s4u_padata->contents = malloc(userid->subject_cert.length); + if (s4u_padata->contents == NULL) { + free(s4u_padata); + return ENOMEM; + } + memcpy(s4u_padata->contents, userid->subject_cert.data, userid->subject_cert.length); + s4u_padata->length = userid->subject_cert.length; - *out_padata = s4u_padata; + *out_padata = s4u_padata; } return 0; @@ -1762,56 +1763,56 @@ static krb5_error_code pa_s4u_x509_user( /* FIXME - order significant? */ static const pa_types_t pa_types[] = { { - KRB5_PADATA_PW_SALT, - pa_salt, - PA_INFO, + KRB5_PADATA_PW_SALT, + pa_salt, + PA_INFO, }, { - KRB5_PADATA_AFS3_SALT, - pa_salt, - PA_INFO, + KRB5_PADATA_AFS3_SALT, + pa_salt, + PA_INFO, }, #if APPLE_PKINIT { - KRB5_PADATA_PK_AS_REQ, - pa_pkinit_gen_req, - PA_INFO, + KRB5_PADATA_PK_AS_REQ, + pa_pkinit_gen_req, + PA_INFO, }, { - KRB5_PADATA_PK_AS_REP, - pa_pkinit_parse_rep, - PA_REAL, + KRB5_PADATA_PK_AS_REP, + pa_pkinit_parse_rep, + PA_REAL, }, #endif /* APPLE_PKINIT */ { - KRB5_PADATA_ENC_TIMESTAMP, - pa_enc_timestamp, - PA_REAL, + KRB5_PADATA_ENC_TIMESTAMP, + pa_enc_timestamp, + PA_REAL, }, { - KRB5_PADATA_SAM_CHALLENGE_2, - pa_sam_2, - PA_REAL, + KRB5_PADATA_SAM_CHALLENGE_2, + pa_sam_2, + PA_REAL, }, { - KRB5_PADATA_SAM_CHALLENGE, - pa_sam, - PA_REAL, + KRB5_PADATA_SAM_CHALLENGE, + pa_sam, + PA_REAL, }, { - KRB5_PADATA_FX_COOKIE, - pa_fx_cookie, - PA_INFO, + KRB5_PADATA_FX_COOKIE, + pa_fx_cookie, + PA_INFO, }, { - KRB5_PADATA_S4U_X509_USER, - pa_s4u_x509_user, - PA_INFO, + KRB5_PADATA_S4U_X509_USER, + pa_s4u_x509_user, + PA_INFO, }, { - -1, - NULL, - 0, + -1, + NULL, + 0, }, }; @@ -1822,19 +1823,19 @@ static const pa_types_t pa_types[] = { */ krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain(krb5_context kcontext, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data **padata, - krb5_pa_data ***return_padata, - krb5_error *err_reply, - krb5_data *salt, krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, void *gak_data, - krb5_preauth_client_rock *get_data_rock, - krb5_gic_opt_ext *opte) + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data **padata, + krb5_pa_data ***return_padata, + krb5_error *err_reply, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, void *gak_data, + krb5_preauth_client_rock *get_data_rock, + krb5_gic_opt_ext *opte) { krb5_error_code ret; krb5_pa_data **out_padata; @@ -1845,65 +1846,65 @@ krb5_do_preauth_tryagain(krb5_context kcontext, ret = KRB5KRB_ERR_GENERIC; if (kcontext->preauth_context == NULL) { - return KRB5KRB_ERR_GENERIC; + return KRB5KRB_ERR_GENERIC; } context = kcontext->preauth_context; if (context == NULL) { - return KRB5KRB_ERR_GENERIC; + return KRB5KRB_ERR_GENERIC; } for (i = 0; padata[i] != NULL && padata[i]->pa_type != 0; i++) { - out_padata = NULL; - for (j = 0; j < context->n_modules; j++) { - module = &context->modules[j]; - if (module->pa_type != padata[i]->pa_type) { - continue; - } - if (module->client_tryagain == NULL) { - continue; - } - if ((*module->client_tryagain)(kcontext, - module->plugin_context, - *module->request_context_pp, - (krb5_get_init_creds_opt *)opte, - client_data_proc, - get_data_rock, - request, - encoded_request_body, - encoded_previous_request, - padata[i], - err_reply, - prompter, prompter_data, - gak_fct, gak_data, salt, s2kparams, - as_key, - &out_padata) == 0) { - if (out_padata != NULL) { - int k; - for (k = 0; out_padata[k] != NULL; k++); - grow_pa_list(return_padata, &out_pa_list_size, - out_padata, k); - free(out_padata); - return 0; - } - } - } + out_padata = NULL; + for (j = 0; j < context->n_modules; j++) { + module = &context->modules[j]; + if (module->pa_type != padata[i]->pa_type) { + continue; + } + if (module->client_tryagain == NULL) { + continue; + } + if ((*module->client_tryagain)(kcontext, + module->plugin_context, + *module->request_context_pp, + (krb5_get_init_creds_opt *)opte, + client_data_proc, + get_data_rock, + request, + encoded_request_body, + encoded_previous_request, + padata[i], + err_reply, + prompter, prompter_data, + gak_fct, gak_data, salt, s2kparams, + as_key, + &out_padata) == 0) { + if (out_padata != NULL) { + int k; + for (k = 0; out_padata[k] != NULL; k++); + grow_pa_list(return_padata, &out_pa_list_size, + out_padata, k); + free(out_padata); + return 0; + } + } + } } return ret; } krb5_error_code KRB5_CALLCONV krb5_do_preauth(krb5_context context, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data **in_padata, krb5_pa_data ***out_padata, - krb5_data *salt, krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, void *prompter_data, - krb5_gic_get_as_key_fct gak_fct, void *gak_data, - krb5_preauth_client_rock *get_data_rock, - krb5_gic_opt_ext *opte) + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data **in_padata, krb5_pa_data ***out_padata, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *etype, + krb5_keyblock *as_key, + krb5_prompter_fct prompter, void *prompter_data, + krb5_gic_get_as_key_fct gak_fct, void *gak_data, + krb5_preauth_client_rock *get_data_rock, + krb5_gic_opt_ext *opte) { unsigned int h; int i, j, out_pa_list_size; @@ -1916,17 +1917,17 @@ krb5_do_preauth(krb5_context context, int realdone; if (in_padata == NULL) { - *out_padata = NULL; - return(0); + *out_padata = NULL; + return(0); } #ifdef DEBUG fprintf (stderr, "salt len=%d", (int) salt->length); if ((int) salt->length > 0) - fprintf (stderr, " '%.*s'", salt->length, salt->data); + fprintf (stderr, " '%.*s'", salt->length, salt->data); fprintf (stderr, "; preauth data types:"); for (i = 0; in_padata[i]; i++) { - fprintf (stderr, " %d", in_padata[i]->pa_type); + fprintf (stderr, " %d", in_padata[i]->pa_type); } fprintf (stderr, "\n"); #endif @@ -1937,202 +1938,202 @@ krb5_do_preauth(krb5_context context, /* first do all the informational preauths, then the first real one */ for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) { - realdone = 0; - for (i=0; in_padata[i] && !realdone; i++) { - int k, l, etype_found, valid_etype_found; - /* - * This is really gross, but is necessary to prevent - * lossage when talking to a 1.0.x KDC, which returns an - * erroneous PA-PW-SALT when it returns a KRB-ERROR - * requiring additional preauth. - */ - switch (in_padata[i]->pa_type) { - case KRB5_PADATA_ETYPE_INFO: - case KRB5_PADATA_ETYPE_INFO2: - { - krb5_preauthtype pa_type = in_padata[i]->pa_type; - if (etype_info) { - if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2) - continue; - if (pa_type == KRB5_PADATA_ETYPE_INFO2) { - krb5_free_etype_info( context, etype_info); - etype_info = NULL; - } - } - - scratch.length = in_padata[i]->length; - scratch.data = (char *) in_padata[i]->contents; - if (pa_type == KRB5_PADATA_ETYPE_INFO2) { - seen_etype_info2++; - ret = decode_krb5_etype_info2(&scratch, &etype_info); - } - else ret = decode_krb5_etype_info(&scratch, &etype_info); - if (ret) { - ret = 0; /*Ignore error and etype_info element*/ - if (etype_info) - krb5_free_etype_info( context, etype_info); - etype_info = NULL; - continue; - } - if (etype_info[0] == NULL) { - krb5_free_etype_info(context, etype_info); - etype_info = NULL; - break; - } - /* - * Select first etype in our request which is also in - * etype-info (preferring client request ktype order). - */ - for (etype_found = 0, valid_etype_found = 0, k = 0; - !etype_found && k < request->nktypes; k++) { - for (l = 0; etype_info[l]; l++) { - if (etype_info[l]->etype == request->ktype[k]) { - etype_found++; - break; - } - /* check if program has support for this etype for more - * precise error reporting. - */ - if (krb5_c_valid_enctype(etype_info[l]->etype)) - valid_etype_found++; - } - } - if (!etype_found) { - if (valid_etype_found) { - /* supported enctype but not requested */ - ret = KRB5_CONFIG_ETYPE_NOSUPP; - goto cleanup; - } - else { - /* unsupported enctype */ - ret = KRB5_PROG_ETYPE_NOSUPP; - goto cleanup; - } - - } - scratch.data = (char *) etype_info[l]->salt; - scratch.length = etype_info[l]->length; - krb5_free_data_contents(context, salt); - if (scratch.length == KRB5_ETYPE_NO_SALT) - salt->data = NULL; - else - if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0) - goto cleanup; - *etype = etype_info[l]->etype; - krb5_free_data_contents(context, s2kparams); - if ((ret = krb5int_copy_data_contents(context, - &etype_info[l]->s2kparams, - s2kparams)) != 0) - goto cleanup; + realdone = 0; + for (i=0; in_padata[i] && !realdone; i++) { + int k, l, etype_found, valid_etype_found; + /* + * This is really gross, but is necessary to prevent + * lossage when talking to a 1.0.x KDC, which returns an + * erroneous PA-PW-SALT when it returns a KRB-ERROR + * requiring additional preauth. + */ + switch (in_padata[i]->pa_type) { + case KRB5_PADATA_ETYPE_INFO: + case KRB5_PADATA_ETYPE_INFO2: + { + krb5_preauthtype pa_type = in_padata[i]->pa_type; + if (etype_info) { + if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2) + continue; + if (pa_type == KRB5_PADATA_ETYPE_INFO2) { + krb5_free_etype_info( context, etype_info); + etype_info = NULL; + } + } + + scratch.length = in_padata[i]->length; + scratch.data = (char *) in_padata[i]->contents; + if (pa_type == KRB5_PADATA_ETYPE_INFO2) { + seen_etype_info2++; + ret = decode_krb5_etype_info2(&scratch, &etype_info); + } + else ret = decode_krb5_etype_info(&scratch, &etype_info); + if (ret) { + ret = 0; /*Ignore error and etype_info element*/ + if (etype_info) + krb5_free_etype_info( context, etype_info); + etype_info = NULL; + continue; + } + if (etype_info[0] == NULL) { + krb5_free_etype_info(context, etype_info); + etype_info = NULL; + break; + } + /* + * Select first etype in our request which is also in + * etype-info (preferring client request ktype order). + */ + for (etype_found = 0, valid_etype_found = 0, k = 0; + !etype_found && k < request->nktypes; k++) { + for (l = 0; etype_info[l]; l++) { + if (etype_info[l]->etype == request->ktype[k]) { + etype_found++; + break; + } + /* check if program has support for this etype for more + * precise error reporting. + */ + if (krb5_c_valid_enctype(etype_info[l]->etype)) + valid_etype_found++; + } + } + if (!etype_found) { + if (valid_etype_found) { + /* supported enctype but not requested */ + ret = KRB5_CONFIG_ETYPE_NOSUPP; + goto cleanup; + } + else { + /* unsupported enctype */ + ret = KRB5_PROG_ETYPE_NOSUPP; + goto cleanup; + } + + } + scratch.data = (char *) etype_info[l]->salt; + scratch.length = etype_info[l]->length; + krb5_free_data_contents(context, salt); + if (scratch.length == KRB5_ETYPE_NO_SALT) + salt->data = NULL; + else + if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0) + goto cleanup; + *etype = etype_info[l]->etype; + krb5_free_data_contents(context, s2kparams); + if ((ret = krb5int_copy_data_contents(context, + &etype_info[l]->s2kparams, + s2kparams)) != 0) + goto cleanup; #ifdef DEBUG - for (j = 0; etype_info[j]; j++) { - krb5_etype_info_entry *e = etype_info[j]; - fprintf (stderr, "etype info %d: etype %d salt len=%d", - j, e->etype, e->length); - if (e->length > 0 && e->length != KRB5_ETYPE_NO_SALT) - fprintf (stderr, " '%.*s'", e->length, e->salt); - fprintf (stderr, "\n"); - } + for (j = 0; etype_info[j]; j++) { + krb5_etype_info_entry *e = etype_info[j]; + fprintf (stderr, "etype info %d: etype %d salt len=%d", + j, e->etype, e->length); + if (e->length > 0 && e->length != KRB5_ETYPE_NO_SALT) + fprintf (stderr, " '%.*s'", e->length, e->salt); + fprintf (stderr, "\n"); + } #endif - break; - } - case KRB5_PADATA_PW_SALT: - case KRB5_PADATA_AFS3_SALT: - if (etype_info) - continue; - break; - default: - ; - } - /* Try the internally-provided preauth type list. */ - if (!realdone) for (j=0; pa_types[j].type >= 0; j++) { - if ((in_padata[i]->pa_type == pa_types[j].type) && - (pa_types[j].flags & paorder[h])) { + break; + } + case KRB5_PADATA_PW_SALT: + case KRB5_PADATA_AFS3_SALT: + if (etype_info) + continue; + break; + default: + ; + } + /* Try the internally-provided preauth type list. */ + if (!realdone) for (j=0; pa_types[j].type >= 0; j++) { + if ((in_padata[i]->pa_type == pa_types[j].type) && + (pa_types[j].flags & paorder[h])) { #ifdef DEBUG - fprintf (stderr, "calling internal function for pa_type " - "%d, flag %d\n", pa_types[j].type, paorder[h]); + fprintf (stderr, "calling internal function for pa_type " + "%d, flag %d\n", pa_types[j].type, paorder[h]); #endif - out_pa = NULL; - - if ((ret = ((*pa_types[j].fct)(context, request, - in_padata[i], &out_pa, - salt, s2kparams, etype, as_key, - prompter, prompter_data, - gak_fct, gak_data)))) { - if (paorder[h] == PA_INFO) { + out_pa = NULL; + + if ((ret = ((*pa_types[j].fct)(context, request, + in_padata[i], &out_pa, + salt, s2kparams, etype, as_key, + prompter, prompter_data, + gak_fct, gak_data)))) { + if (paorder[h] == PA_INFO) { #ifdef DEBUG - fprintf (stderr, - "internal function for type %d, flag %d " - "failed with err %d\n", - in_padata[i]->pa_type, paorder[h], ret); + fprintf (stderr, + "internal function for type %d, flag %d " + "failed with err %d\n", + in_padata[i]->pa_type, paorder[h], ret); #endif - ret = 0; - continue; /* PA_INFO type failed, ignore */ + ret = 0; + continue; /* PA_INFO type failed, ignore */ + } + + goto cleanup; } - - goto cleanup; - } - - ret = grow_pa_list(&out_pa_list, &out_pa_list_size, - &out_pa, 1); - if (ret != 0) { - goto cleanup; - } - if (paorder[h] == PA_REAL) - realdone = 1; - } - } - - /* Try to use plugins now. */ - if (!realdone) { - krb5_init_preauth_context(context); - if (context->preauth_context != NULL) { - int module_ret = 0, module_flags; + + ret = grow_pa_list(&out_pa_list, &out_pa_list_size, + &out_pa, 1); + if (ret != 0) { + goto cleanup; + } + if (paorder[h] == PA_REAL) + realdone = 1; + } + } + + /* Try to use plugins now. */ + if (!realdone) { + krb5_init_preauth_context(context); + if (context->preauth_context != NULL) { + int module_ret = 0, module_flags; #ifdef DEBUG - fprintf (stderr, "trying modules for pa_type %d, flag %d\n", - in_padata[i]->pa_type, paorder[h]); + fprintf (stderr, "trying modules for pa_type %d, flag %d\n", + in_padata[i]->pa_type, paorder[h]); #endif - ret = krb5_run_preauth_plugins(context, - paorder[h], - request, - encoded_request_body, - encoded_previous_request, - in_padata[i], - prompter, - prompter_data, - gak_fct, - salt, s2kparams, - gak_data, - get_data_rock, - as_key, - &out_pa_list, - &out_pa_list_size, - &module_ret, - &module_flags, - opte); - if (ret == 0) { - if (module_ret == 0) { - if (paorder[h] == PA_REAL) { - realdone = 1; - } - } - } - } - } - } + ret = krb5_run_preauth_plugins(context, + paorder[h], + request, + encoded_request_body, + encoded_previous_request, + in_padata[i], + prompter, + prompter_data, + gak_fct, + salt, s2kparams, + gak_data, + get_data_rock, + as_key, + &out_pa_list, + &out_pa_list_size, + &module_ret, + &module_flags, + opte); + if (ret == 0) { + if (module_ret == 0) { + if (paorder[h] == PA_REAL) { + realdone = 1; + } + } + } + } + } + } } *out_padata = out_pa_list; if (etype_info) - krb5_free_etype_info(context, etype_info); - + krb5_free_etype_info(context, etype_info); + return(0); - cleanup: +cleanup: if (out_pa_list) { - out_pa_list[out_pa_list_size++] = NULL; - krb5_free_pa_data(context, out_pa_list); + out_pa_list[out_pa_list_size++] = NULL; + krb5_free_pa_data(context, out_pa_list); } if (etype_info) - krb5_free_etype_info(context, etype_info); + krb5_free_etype_info(context, etype_info); return (ret); } diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c index 367c11e3d..3565f2c82 100644 --- a/src/lib/krb5/krb/princ_comp.c +++ b/src/lib/krb5/krb/princ_comp.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/princ_comp.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * compare two principals, returning a krb5_boolean true if equal, false if * not. @@ -33,19 +34,19 @@ static krb5_boolean realm_compare_flags(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2, - int flags) + krb5_const_principal princ1, + krb5_const_principal princ2, + int flags) { const krb5_data *realm1 = krb5_princ_realm(context, princ1); const krb5_data *realm2 = krb5_princ_realm(context, princ2); if (realm1->length != realm2->length) - return FALSE; + return FALSE; return (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) ? - (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) : - (memcmp(realm1->data, realm2->data, realm2->length) == 0); + (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) : + (memcmp(realm1->data, realm2->data, realm2->length) == 0); } krb5_boolean KRB5_CALLCONV @@ -56,18 +57,18 @@ krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const static krb5_error_code upn_to_principal(krb5_context context, - krb5_const_principal princ, - krb5_principal *upn) + krb5_const_principal princ, + krb5_principal *upn) { char *unparsed_name; krb5_error_code code; code = krb5_unparse_name_flags(context, princ, - KRB5_PRINCIPAL_UNPARSE_NO_REALM, - &unparsed_name); + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &unparsed_name); if (code) { - *upn = NULL; - return code; + *upn = NULL; + return code; } code = krb5_parse_name(context, unparsed_name, upn); @@ -79,9 +80,9 @@ upn_to_principal(krb5_context context, krb5_boolean KRB5_CALLCONV krb5_principal_compare_flags(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2, - int flags) + krb5_const_principal princ1, + krb5_const_principal princ2, + int flags) { register int i; krb5_int32 nelem; @@ -92,50 +93,50 @@ krb5_principal_compare_flags(krb5_context context, krb5_boolean ret = FALSE; if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { - /* Treat UPNs as if they were real principals */ - if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { - if (upn_to_principal(context, princ1, &upn1) == 0) - princ1 = upn1; - } - if (krb5_princ_type(context, princ2) == KRB5_NT_ENTERPRISE_PRINCIPAL) { - if (upn_to_principal(context, princ2, &upn2) == 0) - princ2 = upn2; - } + /* Treat UPNs as if they were real principals */ + if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { + if (upn_to_principal(context, princ1, &upn1) == 0) + princ1 = upn1; + } + if (krb5_princ_type(context, princ2) == KRB5_NT_ENTERPRISE_PRINCIPAL) { + if (upn_to_principal(context, princ2, &upn2) == 0) + princ2 = upn2; + } } nelem = krb5_princ_size(context, princ1); if (nelem != krb5_princ_size(context, princ2)) - goto out; + goto out; if ((flags & KRB5_PRINCIPAL_COMPARE_IGNORE_REALM) == 0 && - !realm_compare_flags(context, princ1, princ2, flags)) - goto out; + !realm_compare_flags(context, princ1, princ2, flags)) + goto out; for (i = 0; i < (int) nelem; i++) { - const krb5_data *p1 = krb5_princ_component(context, princ1, i); - const krb5_data *p2 = krb5_princ_component(context, princ2, i); - krb5_boolean eq; - - if (casefold) { - if (utf8) - eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0); - else - eq = (p1->length == p2->length - && strncasecmp(p1->data, p2->data, p2->length) == 0); - } else - eq = data_eq(*p1, *p2); - - if (!eq) - goto out; + const krb5_data *p1 = krb5_princ_component(context, princ1, i); + const krb5_data *p2 = krb5_princ_component(context, princ2, i); + krb5_boolean eq; + + if (casefold) { + if (utf8) + eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0); + else + eq = (p1->length == p2->length + && strncasecmp(p1->data, p2->data, p2->length) == 0); + } else + eq = data_eq(*p1, *p2); + + if (!eq) + goto out; } ret = TRUE; out: if (upn1 != NULL) - krb5_free_principal(context, upn1); + krb5_free_principal(context, upn1); if (upn2 != NULL) - krb5_free_principal(context, upn2); + krb5_free_principal(context, upn2); return ret; } @@ -150,7 +151,7 @@ krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r) #ifdef DEBUG_REFERRALS #if 0 printf("krb5_is_ref_realm: checking <%s> for referralness: %s\n", - r->data,(r->length==0)?"true":"false"); + r->data,(r->length==0)?"true":"false"); #endif #endif assert(strlen(KRB5_REFERRAL_REALM)==0); @@ -162,17 +163,16 @@ krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r) krb5_boolean KRB5_CALLCONV krb5_principal_compare(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2) + krb5_const_principal princ1, + krb5_const_principal princ2) { return krb5_principal_compare_flags(context, princ1, princ2, 0); } krb5_boolean KRB5_CALLCONV krb5_principal_compare_any_realm(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2) + krb5_const_principal princ1, + krb5_const_principal princ2) { return krb5_principal_compare_flags(context, princ1, princ2, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM); } - diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index a5d00dc4e..30ce4255f 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "k5-int.h" #include "cleanup.h" #include "auth_con.h" @@ -11,38 +12,38 @@ /* * decrypt the enc_part of a krb5_cred */ -static krb5_error_code +static krb5_error_code decrypt_credencdata(krb5_context context, krb5_cred *pcred, - krb5_key pkey, krb5_cred_enc_part *pcredenc) + krb5_key pkey, krb5_cred_enc_part *pcredenc) { krb5_cred_enc_part * ppart = NULL; - krb5_error_code retval; - krb5_data scratch; + krb5_error_code retval; + krb5_data scratch; scratch.length = pcred->enc_part.ciphertext.length; - if (!(scratch.data = (char *)malloc(scratch.length))) - return ENOMEM; + if (!(scratch.data = (char *)malloc(scratch.length))) + return ENOMEM; if (pkey != NULL) { - if ((retval = krb5_k_decrypt(context, pkey, - KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0, - &pcred->enc_part, &scratch))) - goto cleanup; + if ((retval = krb5_k_decrypt(context, pkey, + KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0, + &pcred->enc_part, &scratch))) + goto cleanup; } else { - memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length); + memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length); } /* now decode the decrypted stuff */ if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart))) - goto cleanup; + goto cleanup; *pcredenc = *ppart; retval = 0; cleanup: if (ppart != NULL) { - memset(ppart, 0, sizeof(*ppart)); - free(ppart); + memset(ppart, 0, sizeof(*ppart)); + free(ppart); } memset(scratch.data, 0, scratch.length); free(scratch.data); @@ -51,40 +52,40 @@ cleanup: } /*----------------------- krb5_rd_cred_basic -----------------------*/ -static krb5_error_code +static krb5_error_code krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, - krb5_key pkey, krb5_replay_data *replaydata, - krb5_creds ***pppcreds) + krb5_key pkey, krb5_replay_data *replaydata, + krb5_creds ***pppcreds) { krb5_error_code retval; - krb5_cred * pcred; - krb5_int32 ncreds; - krb5_int32 i = 0; - krb5_cred_enc_part encpart; + krb5_cred * pcred; + krb5_int32 ncreds; + krb5_int32 i = 0; + krb5_cred_enc_part encpart; /* decode cred message */ if ((retval = decode_krb5_cred(pcreddata, &pcred))) - return retval; + return retval; memset(&encpart, 0, sizeof(encpart)); if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart))) - goto cleanup_cred; + goto cleanup_cred; replaydata->timestamp = encpart.timestamp; replaydata->usec = encpart.usec; replaydata->seq = encpart.nonce; - /* - * Allocate the list of creds. The memory is allocated so that - * krb5_free_tgt_creds can be used to free the list. - */ + /* + * Allocate the list of creds. The memory is allocated so that + * krb5_free_tgt_creds can be used to free the list. + */ for (ncreds = 0; pcred->tickets[ncreds]; ncreds++); - - if ((*pppcreds = - (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) * - (ncreds + 1)))) == NULL) { + + if ((*pppcreds = + (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) * + (ncreds + 1)))) == NULL) { retval = ENOMEM; goto cleanup_cred; } @@ -95,13 +96,13 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, * credentials and copy the information. */ while (i < ncreds) { - krb5_cred_info * pinfo; - krb5_creds * pcur; - krb5_data * pdata; + krb5_cred_info * pinfo; + krb5_creds * pcur; + krb5_data * pdata; if ((pcur = (krb5_creds *)calloc(1, sizeof(krb5_creds))) == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } (*pppcreds)[i] = pcur; @@ -109,26 +110,26 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, pinfo = encpart.ticket_info[i++]; if ((retval = krb5_copy_principal(context, pinfo->client, - &pcur->client))) - goto cleanup; + &pcur->client))) + goto cleanup; if ((retval = krb5_copy_principal(context, pinfo->server, - &pcur->server))) - goto cleanup; + &pcur->server))) + goto cleanup; - if ((retval = krb5_copy_keyblock_contents(context, pinfo->session, - &pcur->keyblock))) - goto cleanup; + if ((retval = krb5_copy_keyblock_contents(context, pinfo->session, + &pcur->keyblock))) + goto cleanup; - if ((retval = krb5_copy_addresses(context, pinfo->caddrs, - &pcur->addresses))) - goto cleanup; + if ((retval = krb5_copy_addresses(context, pinfo->caddrs, + &pcur->addresses))) + goto cleanup; if ((retval = encode_krb5_ticket(pcred->tickets[i - 1], &pdata))) - goto cleanup; + goto cleanup; - pcur->ticket = *pdata; - free(pdata); + pcur->ticket = *pdata; + free(pdata); pcur->is_skey = FALSE; @@ -146,7 +147,7 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, cleanup: if (retval) - krb5_free_tgt_creds(context, *pppcreds); + krb5_free_tgt_creds(context, *pppcreds); cleanup_cred: krb5_free_cred(context, pcred); @@ -163,8 +164,8 @@ cleanup_cred: */ krb5_error_code KRB5_CALLCONV krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, - krb5_data *pcreddata, krb5_creds ***pppcreds, - krb5_replay_data *outdata) + krb5_data *pcreddata, krb5_creds ***pppcreds, + krb5_replay_data *outdata) { krb5_error_code retval; krb5_key key; @@ -172,16 +173,16 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, /* Get key */ if ((key = auth_context->recv_subkey) == NULL) - key = auth_context->key; + key = auth_context->key; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (outdata == NULL)) + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + (outdata == NULL)) /* Need a better error */ return KRB5_RC_REQUIRED; if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) + (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; @@ -191,12 +192,12 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, * that. */ if ((retval = krb5_rd_cred_basic(context, pcreddata, key, - &replaydata, pppcreds))) { - if ((retval = krb5_rd_cred_basic(context, pcreddata, - auth_context->key, - &replaydata, pppcreds))) { - return retval; - } + &replaydata, pppcreds))) { + if ((retval = krb5_rd_cred_basic(context, pcreddata, + auth_context->key, + &replaydata, pppcreds))) { + return retval; + } } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { @@ -206,7 +207,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, goto error; if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, - "_forw", &replay.client))) + "_forw", &replay.client))) goto error; replay.server = ""; /* XXX */ @@ -229,7 +230,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { outdata->timestamp = replaydata.timestamp; outdata->usec = replaydata.usec; outdata->seq = replaydata.seq; @@ -237,9 +238,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, error:; if (retval) { - krb5_free_tgt_creds(context, *pppcreds); - *pppcreds = NULL; + krb5_free_tgt_creds(context, *pppcreds); + *pppcreds = NULL; } return retval; } - diff --git a/src/lib/krb5/krb/rd_error.c b/src/lib/krb5/krb/rd_error.c index 2c617154b..39d9acdeb 100644 --- a/src/lib/krb5/krb/rd_error.c +++ b/src/lib/krb5/krb/rd_error.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/rd_error.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_rd_error() routine */ @@ -35,16 +36,15 @@ * * Upon return dec_error will point to allocated storage which the * caller should free when finished. - * + * * returns system errors */ krb5_error_code KRB5_CALLCONV krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf, - krb5_error **dec_error) + krb5_error **dec_error) { if (!krb5_is_krb_error(enc_errbuf)) - return KRB5KRB_AP_ERR_MSG_TYPE; + return KRB5KRB_AP_ERR_MSG_TYPE; return(decode_krb5_error(enc_errbuf, dec_error)); } - diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 9b84ad87a..a6c79300c 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/rd_priv.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_rd_priv() */ @@ -33,97 +34,97 @@ /* -Parses a KRB_PRIV message from inbuf, placing the confidential user -data in *outbuf. + Parses a KRB_PRIV message from inbuf, placing the confidential user + data in *outbuf. + + key specifies the key to be used for decryption of the message. -key specifies the key to be used for decryption of the message. - -remote_addr and local_addr specify the full -addresses (host and port) of the sender and receiver. + remote_addr and local_addr specify the full + addresses (host and port) of the sender and receiver. -outbuf points to allocated storage which the caller should -free when finished. + outbuf points to allocated storage which the caller should + free when finished. -i_vector is used as an initialization vector for the -encryption, and if non-NULL its contents are replaced with the last -block of the encrypted data upon exit. + i_vector is used as an initialization vector for the + encryption, and if non-NULL its contents are replaced with the last + block of the encrypted data upon exit. -Returns system errors, integrity errors. + Returns system errors, integrity errors. */ static krb5_error_code krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf, - const krb5_key key, const krb5_address *local_addr, - const krb5_address *remote_addr, krb5_pointer i_vector, - krb5_replay_data *replaydata, krb5_data *outbuf) + const krb5_key key, const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_pointer i_vector, + krb5_replay_data *replaydata, krb5_data *outbuf) { - krb5_error_code retval; - krb5_priv * privmsg; - krb5_data scratch; + krb5_error_code retval; + krb5_priv * privmsg; + krb5_data scratch; krb5_priv_enc_part * privmsg_enc_part; - size_t blocksize; - krb5_data ivdata; - krb5_enctype enctype; + size_t blocksize; + krb5_data ivdata; + krb5_enctype enctype; if (!krb5_is_krb_priv(inbuf)) - return KRB5KRB_AP_ERR_MSG_TYPE; + return KRB5KRB_AP_ERR_MSG_TYPE; /* decode private message */ if ((retval = decode_krb5_priv(inbuf, &privmsg))) - return retval; - + return retval; + if (i_vector) { - enctype = krb5_k_key_enctype(context, key); - if ((retval = krb5_c_block_size(context, enctype, &blocksize))) - goto cleanup_privmsg; + enctype = krb5_k_key_enctype(context, key); + if ((retval = krb5_c_block_size(context, enctype, &blocksize))) + goto cleanup_privmsg; - ivdata.length = blocksize; - ivdata.data = i_vector; + ivdata.length = blocksize; + ivdata.data = i_vector; } scratch.length = privmsg->enc_part.ciphertext.length; if (!(scratch.data = malloc(scratch.length))) { - retval = ENOMEM; - goto cleanup_privmsg; + retval = ENOMEM; + goto cleanup_privmsg; } if ((retval = krb5_k_decrypt(context, key, - KRB5_KEYUSAGE_KRB_PRIV_ENCPART, - i_vector?&ivdata:0, - &privmsg->enc_part, &scratch))) - goto cleanup_scratch; + KRB5_KEYUSAGE_KRB_PRIV_ENCPART, + i_vector?&ivdata:0, + &privmsg->enc_part, &scratch))) + goto cleanup_scratch; /* now decode the decrypted stuff */ if ((retval = decode_krb5_enc_priv_part(&scratch, &privmsg_enc_part))) goto cleanup_scratch; if (!krb5_address_compare(context,remote_addr,privmsg_enc_part->s_address)){ - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup_data; + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup_data; } - + if (privmsg_enc_part->r_address) { - if (local_addr) { - if (!krb5_address_compare(context, local_addr, - privmsg_enc_part->r_address)) { - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup_data; - } - } else { - krb5_address **our_addrs; - - if ((retval = krb5_os_localaddr(context, &our_addrs))) { - goto cleanup_data; - } - if (!krb5_address_search(context, privmsg_enc_part->r_address, - our_addrs)) { - krb5_free_addresses(context, our_addrs); - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup_data; - } - krb5_free_addresses(context, our_addrs); - } + if (local_addr) { + if (!krb5_address_compare(context, local_addr, + privmsg_enc_part->r_address)) { + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup_data; + } + } else { + krb5_address **our_addrs; + + if ((retval = krb5_os_localaddr(context, &our_addrs))) { + goto cleanup_data; + } + if (!krb5_address_search(context, privmsg_enc_part->r_address, + our_addrs)) { + krb5_free_addresses(context, our_addrs); + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup_data; + } + krb5_free_addresses(context, our_addrs); + } } replaydata->timestamp = privmsg_enc_part->timestamp; @@ -136,15 +137,15 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf, cleanup_data:; if (retval == 0) - privmsg_enc_part->user_data.data = 0; + privmsg_enc_part->user_data.data = 0; krb5_free_priv_enc_part(context, privmsg_enc_part); cleanup_scratch:; - memset(scratch.data, 0, scratch.length); + memset(scratch.data, 0, scratch.length); free(scratch.data); cleanup_privmsg:; - free(privmsg->enc_part.ciphertext.data); + free(privmsg->enc_part.ciphertext.data); free(privmsg); return retval; @@ -152,116 +153,116 @@ cleanup_privmsg:; krb5_error_code KRB5_CALLCONV krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, - const krb5_data *inbuf, krb5_data *outbuf, - krb5_replay_data *outdata) + const krb5_data *inbuf, krb5_data *outbuf, + krb5_replay_data *outdata) { - krb5_error_code retval; + krb5_error_code retval; krb5_key key; - krb5_replay_data replaydata; + krb5_replay_data replaydata; /* Get key */ if ((key = auth_context->recv_subkey) == NULL) - key = auth_context->key; + key = auth_context->key; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (outdata == NULL)) - /* Need a better error */ - return KRB5_RC_REQUIRED; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + (outdata == NULL)) + /* Need a better error */ + return KRB5_RC_REQUIRED; if (!auth_context->remote_addr) - return KRB5_REMOTE_ADDR_REQUIRED; + return KRB5_REMOTE_ADDR_REQUIRED; if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) - return KRB5_RC_REQUIRED; + (auth_context->rcache == NULL)) + return KRB5_RC_REQUIRED; + + { + krb5_address * premote_fulladdr; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))){ + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + return retval; + } + } else { + plocal_fulladdr = auth_context->local_addr; + } + } -{ - krb5_address * premote_fulladdr; - krb5_address * plocal_fulladdr = NULL; - krb5_address remote_fulladdr; - krb5_address local_fulladdr; - CLEANUP_INIT(2); - - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))){ - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - return retval; + CLEANUP_DONE(); + return retval; } - } else { - plocal_fulladdr = auth_context->local_addr; + } else { + premote_fulladdr = auth_context->remote_addr; } - } - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - CLEANUP_DONE(); - return retval; - } - } else { - premote_fulladdr = auth_context->remote_addr; - } + memset(&replaydata, 0, sizeof(replaydata)); + if ((retval = krb5_rd_priv_basic(context, inbuf, key, + plocal_fulladdr, + premote_fulladdr, + auth_context->i_vector, + &replaydata, outbuf))) { + CLEANUP_DONE(); + return retval; + } - memset(&replaydata, 0, sizeof(replaydata)); - if ((retval = krb5_rd_priv_basic(context, inbuf, key, - plocal_fulladdr, - premote_fulladdr, - auth_context->i_vector, - &replaydata, outbuf))) { - CLEANUP_DONE(); - return retval; + CLEANUP_DONE(); } - CLEANUP_DONE(); -} - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_donot_replay replay; - - if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) - goto error; - - if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, - "_priv", &replay.client))) - goto error; - - replay.server = ""; /* XXX */ - replay.msghash = NULL; - replay.cusec = replaydata.usec; - replay.ctime = replaydata.timestamp; - if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { - free(replay.client); - goto error; - } - free(replay.client); + krb5_donot_replay replay; + + if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) + goto error; + + if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, + "_priv", &replay.client))) + goto error; + + replay.server = ""; /* XXX */ + replay.msghash = NULL; + replay.cusec = replaydata.usec; + replay.ctime = replaydata.timestamp; + if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { + free(replay.client); + goto error; + } + free(replay.client); } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (!krb5int_auth_con_chkseqnum(context, auth_context, - replaydata.seq)) { - retval = KRB5KRB_AP_ERR_BADORDER; - goto error; - } - auth_context->remote_seq_number++; + if (!krb5int_auth_con_chkseqnum(context, auth_context, + replaydata.seq)) { + retval = KRB5KRB_AP_ERR_BADORDER; + goto error; + } + auth_context->remote_seq_number++; } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - outdata->timestamp = replaydata.timestamp; - outdata->usec = replaydata.usec; - outdata->seq = replaydata.seq; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { + outdata->timestamp = replaydata.timestamp; + outdata->usec = replaydata.usec; + outdata->seq = replaydata.seq; } - + /* everything is ok - return data to the user */ return 0; @@ -272,4 +273,3 @@ error:; return retval; } - diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index 6e9cb0808..45c990187 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/rd_rep.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_rd_rep() */ @@ -59,74 +60,74 @@ /* * Parses a KRB_AP_REP message, returning its contents. - * + * * repl is filled in with with a pointer to allocated memory containing - * the fields from the encrypted response. - * + * the fields from the encrypted response. + * * the key in kblock is used to decrypt the message. - * + * * returns system errors, encryption errors, replay errors */ krb5_error_code KRB5_CALLCONV krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, - const krb5_data *inbuf, krb5_ap_rep_enc_part **repl) + const krb5_data *inbuf, krb5_ap_rep_enc_part **repl) { - krb5_error_code retval; - krb5_ap_rep *reply = NULL; + krb5_error_code retval; + krb5_ap_rep *reply = NULL; krb5_ap_rep_enc_part *enc = NULL; - krb5_data scratch; + krb5_data scratch; *repl = NULL; if (!krb5_is_ap_rep(inbuf)) - return KRB5KRB_AP_ERR_MSG_TYPE; + return KRB5KRB_AP_ERR_MSG_TYPE; /* Decode inbuf. */ retval = decode_krb5_ap_rep(inbuf, &reply); if (retval) - return retval; + return retval; /* Put together an eblock for this encryption. */ scratch.length = reply->enc_part.ciphertext.length; scratch.data = malloc(scratch.length); if (scratch.data == NULL) { - retval = ENOMEM; - goto clean_scratch; + retval = ENOMEM; + goto clean_scratch; } retval = krb5_k_decrypt(context, auth_context->key, - KRB5_KEYUSAGE_AP_REP_ENCPART, 0, - &reply->enc_part, &scratch); + KRB5_KEYUSAGE_AP_REP_ENCPART, 0, + &reply->enc_part, &scratch); if (retval) - goto clean_scratch; + goto clean_scratch; /* Now decode the decrypted stuff. */ retval = decode_krb5_ap_rep_enc_part(&scratch, &enc); if (retval) - goto clean_scratch; + goto clean_scratch; /* Check reply fields. */ if ((enc->ctime != auth_context->authentp->ctime) - || (enc->cusec != auth_context->authentp->cusec)) { - retval = KRB5_MUTUAL_FAILED; - goto clean_scratch; + || (enc->cusec != auth_context->authentp->cusec)) { + retval = KRB5_MUTUAL_FAILED; + goto clean_scratch; } /* Set auth subkey. */ if (enc->subkey) { - retval = krb5_auth_con_setrecvsubkey(context, auth_context, - enc->subkey); - if (retval) - goto clean_scratch; - retval = krb5_auth_con_setsendsubkey(context, auth_context, - enc->subkey); - if (retval) { - (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL); - goto clean_scratch; - } - /* Not used for anything yet. */ - auth_context->negotiated_etype = enc->subkey->enctype; + retval = krb5_auth_con_setrecvsubkey(context, auth_context, + enc->subkey); + if (retval) + goto clean_scratch; + retval = krb5_auth_con_setsendsubkey(context, auth_context, + enc->subkey); + if (retval) { + (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL); + goto clean_scratch; + } + /* Not used for anything yet. */ + auth_context->negotiated_etype = enc->subkey->enctype; } /* Get remote sequence number. */ @@ -137,7 +138,7 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, clean_scratch: if (scratch.data) - memset(scratch.data, 0, scratch.length); + memset(scratch.data, 0, scratch.length); free(scratch.data); krb5_free_ap_rep(context, reply); krb5_free_ap_rep_enc_part(context, enc); @@ -146,56 +147,56 @@ clean_scratch: krb5_error_code KRB5_CALLCONV krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, - const krb5_data *inbuf, krb5_ui_4 *nonce) + const krb5_data *inbuf, krb5_ui_4 *nonce) { - krb5_error_code retval; - krb5_ap_rep * reply; - krb5_data scratch; + krb5_error_code retval; + krb5_ap_rep * reply; + krb5_data scratch; krb5_ap_rep_enc_part *repl = NULL; if (!krb5_is_ap_rep(inbuf)) - return KRB5KRB_AP_ERR_MSG_TYPE; + return KRB5KRB_AP_ERR_MSG_TYPE; /* decode it */ if ((retval = decode_krb5_ap_rep(inbuf, &reply))) - return retval; + return retval; /* put together an eblock for this encryption */ scratch.length = reply->enc_part.ciphertext.length; if (!(scratch.data = malloc(scratch.length))) { - krb5_free_ap_rep(context, reply); - return(ENOMEM); + krb5_free_ap_rep(context, reply); + return(ENOMEM); } if ((retval = krb5_k_decrypt(context, auth_context->key, - KRB5_KEYUSAGE_AP_REP_ENCPART, 0, - &reply->enc_part, &scratch))) - goto clean_scratch; + KRB5_KEYUSAGE_AP_REP_ENCPART, 0, + &reply->enc_part, &scratch))) + goto clean_scratch; /* now decode the decrypted stuff */ retval = decode_krb5_ap_rep_enc_part(&scratch, &repl); if (retval) - goto clean_scratch; + goto clean_scratch; *nonce = repl->seq_number; if (*nonce != auth_context->local_seq_number) { - retval = KRB5_MUTUAL_FAILED; - goto clean_scratch; + retval = KRB5_MUTUAL_FAILED; + goto clean_scratch; } /* Must be NULL to prevent echoing for client AP-REP */ if (repl->subkey != NULL) { - retval = KRB5_MUTUAL_FAILED; - goto clean_scratch; + retval = KRB5_MUTUAL_FAILED; + goto clean_scratch; } clean_scratch: - memset(scratch.data, 0, scratch.length); + memset(scratch.data, 0, scratch.length); if (repl != NULL) - krb5_free_ap_rep_enc_part(context, repl); + krb5_free_ap_rep_enc_part(context, repl); krb5_free_ap_rep(context, reply); free(scratch.data); return retval; diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c index 50c3a9011..4e12e5b36 100644 --- a/src/lib/krb5/krb/rd_req.c +++ b/src/lib/krb5/krb/rd_req.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/rd_req.c * @@ -47,33 +48,33 @@ krb5_error_code KRB5_CALLCONV krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, - const krb5_data *inbuf, krb5_const_principal server, - krb5_keytab keytab, krb5_flags *ap_req_options, - krb5_ticket **ticket) + const krb5_data *inbuf, krb5_const_principal server, + krb5_keytab keytab, krb5_flags *ap_req_options, + krb5_ticket **ticket) { - krb5_error_code retval; - krb5_ap_req * request; - krb5_auth_context new_auth_context; + krb5_error_code retval; + krb5_ap_req * request; + krb5_auth_context new_auth_context; krb5_keytab new_keytab = NULL; if (!krb5_is_ap_req(inbuf)) - return KRB5KRB_AP_ERR_MSG_TYPE; + return KRB5KRB_AP_ERR_MSG_TYPE; #ifndef LEAN_CLIENT if ((retval = decode_krb5_ap_req(inbuf, &request))) { - switch (retval) { - case KRB5_BADMSGTYPE: - return KRB5KRB_AP_ERR_BADVERSION; - default: - return(retval); - } + switch (retval) { + case KRB5_BADMSGTYPE: + return KRB5KRB_AP_ERR_BADVERSION; + default: + return(retval); + } } #endif /* LEAN_CLIENT */ /* Get an auth context if necessary. */ new_auth_context = NULL; if (*auth_context == NULL) { - if ((retval = krb5_auth_con_init(context, &new_auth_context))) - goto cleanup_request; + if ((retval = krb5_auth_con_init(context, &new_auth_context))) + goto cleanup_request; *auth_context = new_auth_context; } @@ -81,14 +82,14 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, #ifndef LEAN_CLIENT /* Get a keytab if necessary. */ if (keytab == NULL) { - if ((retval = krb5_kt_default(context, &new_keytab))) - goto cleanup_auth_context; - keytab = new_keytab; + if ((retval = krb5_kt_default(context, &new_keytab))) + goto cleanup_auth_context; + keytab = new_keytab; } #endif /* LEAN_CLIENT */ retval = krb5_rd_req_decoded(context, auth_context, request, server, - keytab, ap_req_options, ticket); + keytab, ap_req_options, ticket); #ifndef LEAN_CLIENT if (new_keytab != NULL) @@ -97,12 +98,11 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, cleanup_auth_context: if (new_auth_context && retval) { - krb5_auth_con_free(context, new_auth_context); - *auth_context = NULL; + krb5_auth_con_free(context, new_auth_context); + *auth_context = NULL; } cleanup_request: krb5_free_ap_req(context, request); return retval; } - diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 8516c7e43..adfa4de66 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/rd_req_dec.c * @@ -9,7 +10,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -24,7 +25,7 @@ * CyberSAFE Corporation make any representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_rd_req_decoded() */ @@ -40,43 +41,43 @@ */ /* * Parses a KRB_AP_REQ message, returning its contents. - * + * * server specifies the expected server's name for the ticket; if NULL, then * any server will be accepted if the key can be found, and the caller should * verify that the principal is something it trusts. - * + * * rcache specifies a replay detection cache used to store authenticators and * server names - * + * * keyproc specifies a procedure to generate a decryption key for the * ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result * used as a decryption key. If keyproc is NULL, then fetchfrom is checked; * if it is non-NULL, it specifies a parameter name from which to retrieve the * decryption key. If fetchfrom is NULL, then the default key store is * consulted. - * + * * authdat is set to point at allocated storage structures; the caller - * should free them when finished. - * + * should free them when finished. + * * returns system errors, encryption errors, replay errors */ static krb5_error_code decrypt_authenticator - (krb5_context, const krb5_ap_req *, krb5_authenticator **, - int); +(krb5_context, const krb5_ap_req *, krb5_authenticator **, + int); static krb5_error_code decode_etype_list(krb5_context context, - const krb5_authenticator *authp, - krb5_enctype **desired_etypes, - int *desired_etypes_len); + const krb5_authenticator *authp, + krb5_enctype **desired_etypes, + int *desired_etypes_len); static krb5_error_code negotiate_etype(krb5_context context, - const krb5_enctype *desired_etypes, - int desired_etypes_len, - int mandatory_etypes_index, - const krb5_enctype *permitted_etypes, - int permitted_etypes_len, - krb5_enctype *negotiated_etype); + const krb5_enctype *desired_etypes, + int desired_etypes_len, + int mandatory_etypes_index, + const krb5_enctype *permitted_etypes, + int permitted_etypes_len, + krb5_enctype *negotiated_etype); krb5_error_code krb5int_check_clockskew(krb5_context context, krb5_timestamp date) @@ -86,86 +87,86 @@ krb5int_check_clockskew(krb5_context context, krb5_timestamp date) retval = krb5_timeofday(context, ¤ttime); if (retval) - return retval; + return retval; if (!(labs((date)-currenttime) < context->clockskew)) - return KRB5KRB_AP_ERR_SKEW; + return KRB5KRB_AP_ERR_SKEW; return 0; } static krb5_error_code krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, - krb5_const_principal server, krb5_keytab keytab, - krb5_keyblock *key) + krb5_const_principal server, krb5_keytab keytab, + krb5_keyblock *key) { - krb5_error_code retval; - krb5_keytab_entry ktent; + krb5_error_code retval; + krb5_keytab_entry ktent; retval = KRB5_KT_NOTFOUND; -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT if (server != NULL || keytab->ops->start_seq_get == NULL) { - retval = krb5_kt_get_entry(context, keytab, - server != NULL ? server : req->ticket->server, - req->ticket->enc_part.kvno, - req->ticket->enc_part.enctype, &ktent); - if (retval == 0) { - retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket); - if (retval == 0 && key != NULL) - retval = krb5_copy_keyblock_contents(context, &ktent.key, key); - - (void) krb5_free_keytab_entry_contents(context, &ktent); - } + retval = krb5_kt_get_entry(context, keytab, + server != NULL ? server : req->ticket->server, + req->ticket->enc_part.kvno, + req->ticket->enc_part.enctype, &ktent); + if (retval == 0) { + retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket); + if (retval == 0 && key != NULL) + retval = krb5_copy_keyblock_contents(context, &ktent.key, key); + + (void) krb5_free_keytab_entry_contents(context, &ktent); + } } else { - krb5_error_code code; - krb5_kt_cursor cursor; - - code = krb5_kt_start_seq_get(context, keytab, &cursor); - if (code != 0) { - retval = code; - goto map_error; - } - - while ((code = krb5_kt_next_entry(context, keytab, - &ktent, &cursor)) == 0) { - if (ktent.key.enctype != req->ticket->enc_part.enctype) - continue; - - retval = krb5_decrypt_tkt_part(context, &ktent.key, - req->ticket); - - if (retval == 0) { - krb5_principal tmp = NULL; - - /* - * We overwrite ticket->server to be the principal - * that we match in the keytab. The reason for doing - * this is that GSS-API and other consumers look at - * that principal to make authorization decisions - * about whether the appropriate server is contacted. - * It might be cleaner to create a new API and store - * the server in the auth_context, but doing so would - * probably miss existing uses of the server. Instead, - * perhaps an API should be created to retrieve the - * server as it appeared in the ticket. - */ - retval = krb5_copy_principal(context, ktent.principal, &tmp); - if (retval == 0 && key != NULL) - retval = krb5_copy_keyblock_contents(context, &ktent.key, key); - if (retval == 0) { - krb5_free_principal(context, req->ticket->server); - req->ticket->server = tmp; - } else { - krb5_free_principal(context, tmp); - } - (void) krb5_free_keytab_entry_contents(context, &ktent); - break; - } - (void) krb5_free_keytab_entry_contents(context, &ktent); - } - - code = krb5_kt_end_seq_get(context, keytab, &cursor); - if (code != 0) - retval = code; + krb5_error_code code; + krb5_kt_cursor cursor; + + code = krb5_kt_start_seq_get(context, keytab, &cursor); + if (code != 0) { + retval = code; + goto map_error; + } + + while ((code = krb5_kt_next_entry(context, keytab, + &ktent, &cursor)) == 0) { + if (ktent.key.enctype != req->ticket->enc_part.enctype) + continue; + + retval = krb5_decrypt_tkt_part(context, &ktent.key, + req->ticket); + + if (retval == 0) { + krb5_principal tmp = NULL; + + /* + * We overwrite ticket->server to be the principal + * that we match in the keytab. The reason for doing + * this is that GSS-API and other consumers look at + * that principal to make authorization decisions + * about whether the appropriate server is contacted. + * It might be cleaner to create a new API and store + * the server in the auth_context, but doing so would + * probably miss existing uses of the server. Instead, + * perhaps an API should be created to retrieve the + * server as it appeared in the ticket. + */ + retval = krb5_copy_principal(context, ktent.principal, &tmp); + if (retval == 0 && key != NULL) + retval = krb5_copy_keyblock_contents(context, &ktent.key, key); + if (retval == 0) { + krb5_free_principal(context, req->ticket->server); + req->ticket->server = tmp; + } else { + krb5_free_principal(context, tmp); + } + (void) krb5_free_keytab_entry_contents(context, &ktent); + break; + } + (void) krb5_free_keytab_entry_contents(context, &ktent); + } + + code = krb5_kt_end_seq_get(context, keytab, &cursor); + if (code != 0) + retval = code; } #endif /* LEAN_CLIENT */ @@ -174,10 +175,10 @@ map_error: case KRB5_KT_KVNONOTFOUND: case KRB5_KT_NOTFOUND: case KRB5KRB_AP_ERR_BAD_INTEGRITY: - retval = KRB5KRB_AP_WRONG_PRINC; - break; + retval = KRB5KRB_AP_WRONG_PRINC; + break; default: - break; + break; } return retval; @@ -189,16 +190,16 @@ static void debug_log_authz_data(const char *which, krb5_authdata **a) { if (a) { - syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which); - while (*a) { - syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'", - (*a)->ad_type, (*a)->length, (*a)->length, - (char *) (*a)->contents); - a++; - } - syslog(LOG_ERR|LOG_DAEMON, " [end]"); + syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which); + while (*a) { + syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'", + (*a)->ad_type, (*a)->length, (*a)->length, + (char *) (*a)->contents); + a++; + } + syslog(LOG_ERR|LOG_DAEMON, " [end]"); } else - syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which); + syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which); } #else static void @@ -209,91 +210,91 @@ debug_log_authz_data(const char *which, krb5_authdata **a) static krb5_error_code krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, - const krb5_ap_req *req, krb5_const_principal server, - krb5_keytab keytab, krb5_flags *ap_req_options, - krb5_ticket **ticket, int check_valid_flag) + const krb5_ap_req *req, krb5_const_principal server, + krb5_keytab keytab, krb5_flags *ap_req_options, + krb5_ticket **ticket, int check_valid_flag) { - krb5_error_code retval = 0; - krb5_principal_data princ_data; - krb5_enctype *desired_etypes = NULL; - int desired_etypes_len = 0; - int rfc4537_etypes_len = 0; - krb5_enctype *permitted_etypes = NULL; - int permitted_etypes_len = 0; - krb5_keyblock decrypt_key; + krb5_error_code retval = 0; + krb5_principal_data princ_data; + krb5_enctype *desired_etypes = NULL; + int desired_etypes_len = 0; + int rfc4537_etypes_len = 0; + krb5_enctype *permitted_etypes = NULL; + int permitted_etypes_len = 0; + krb5_keyblock decrypt_key; decrypt_key.enctype = ENCTYPE_NULL; decrypt_key.contents = NULL; - + req->ticket->enc_part2 = NULL; if (server && krb5_is_referral_realm(&server->realm)) { - char *realm; - princ_data = *server; - server = &princ_data; - retval = krb5_get_default_realm(context, &realm); - if (retval) - return retval; - princ_data.realm.data = realm; - princ_data.realm.length = strlen(realm); + char *realm; + princ_data = *server; + server = &princ_data; + retval = krb5_get_default_realm(context, &realm); + if (retval) + return retval; + princ_data.realm.data = realm; + princ_data.realm.length = strlen(realm); } /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY) - do we need special processing here ? */ + do we need special processing here ? */ /* decrypt the ticket */ if ((*auth_context)->key) { /* User to User authentication */ - if ((retval = krb5_decrypt_tkt_part(context, - &(*auth_context)->key->keyblock, - req->ticket))) - goto cleanup; - if (check_valid_flag) { - decrypt_key = (*auth_context)->key->keyblock; - (*auth_context)->key->keyblock.contents = NULL; - } - krb5_k_free_key(context, (*auth_context)->key); - (*auth_context)->key = NULL; + if ((retval = krb5_decrypt_tkt_part(context, + &(*auth_context)->key->keyblock, + req->ticket))) + goto cleanup; + if (check_valid_flag) { + decrypt_key = (*auth_context)->key->keyblock; + (*auth_context)->key->keyblock.contents = NULL; + } + krb5_k_free_key(context, (*auth_context)->key); + (*auth_context)->key = NULL; } else { - if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, - server, keytab, - check_valid_flag ? &decrypt_key : NULL))) - goto cleanup; + if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, + server, keytab, + check_valid_flag ? &decrypt_key : NULL))) + goto cleanup; } - /* XXX this is an evil hack. check_valid_flag is set iff the call + /* XXX this is an evil hack. check_valid_flag is set iff the call is not from inside the kdc. we can use this to determine which key usage to use */ #ifndef LEAN_CLIENT - if ((retval = decrypt_authenticator(context, req, - &((*auth_context)->authentp), - check_valid_flag))) - goto cleanup; + if ((retval = decrypt_authenticator(context, req, + &((*auth_context)->authentp), + check_valid_flag))) + goto cleanup; #endif if (!krb5_principal_compare(context, (*auth_context)->authentp->client, - req->ticket->enc_part2->client)) { - retval = KRB5KRB_AP_ERR_BADMATCH; - goto cleanup; + req->ticket->enc_part2->client)) { + retval = KRB5KRB_AP_ERR_BADMATCH; + goto cleanup; } - if ((*auth_context)->remote_addr && - !krb5_address_search(context, (*auth_context)->remote_addr, - req->ticket->enc_part2->caddrs)) { - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup; + if ((*auth_context)->remote_addr && + !krb5_address_search(context, (*auth_context)->remote_addr, + req->ticket->enc_part2->caddrs)) { + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup; } if (!server) { - server = req->ticket->server; + server = req->ticket->server; } /* Get an rcache if necessary. */ if (((*auth_context)->rcache == NULL) - && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) - && server) { - if ((retval = krb5_get_server_rcache(context, - krb5_princ_component(context, - server,0), - &(*auth_context)->rcache))) - goto cleanup; + && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) + && server) { + if ((retval = krb5_get_server_rcache(context, + krb5_princ_component(context, + server,0), + &(*auth_context)->rcache))) + goto cleanup; } /* okay, now check cross-realm policy */ @@ -301,60 +302,60 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, /* Single hop cross-realm tickets only */ - { - krb5_transited *trans = &(req->ticket->enc_part2->transited); + { + krb5_transited *trans = &(req->ticket->enc_part2->transited); - /* If the transited list is empty, then we have at most one hop */ - if (trans->tr_contents.data && trans->tr_contents.data[0]) - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + /* If the transited list is empty, then we have at most one hop */ + if (trans->tr_contents.data && trans->tr_contents.data[0]) + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; } #elif defined(_NO_CROSS_REALM) /* No cross-realm tickets */ - { - char * lrealm; - krb5_data * realm; - krb5_transited * trans; - - realm = krb5_princ_realm(context, req->ticket->enc_part2->client); - trans = &(req->ticket->enc_part2->transited); - - /* - * If the transited list is empty, then we have at most one hop - * So we also have to check that the client's realm is the local one - */ - krb5_get_default_realm(context, &lrealm); - if ((trans->tr_contents.data && trans->tr_contents.data[0]) || - !data_eq_string(*realm, lrealm)) { - retval = KRB5KRB_AP_ERR_ILL_CR_TKT; - } - free(lrealm); + { + char * lrealm; + krb5_data * realm; + krb5_transited * trans; + + realm = krb5_princ_realm(context, req->ticket->enc_part2->client); + trans = &(req->ticket->enc_part2->transited); + + /* + * If the transited list is empty, then we have at most one hop + * So we also have to check that the client's realm is the local one + */ + krb5_get_default_realm(context, &lrealm); + if ((trans->tr_contents.data && trans->tr_contents.data[0]) || + !data_eq_string(*realm, lrealm)) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + } + free(lrealm); } #else /* Hierarchical Cross-Realm */ - + { - krb5_data * realm; - krb5_transited * trans; - - realm = krb5_princ_realm(context, req->ticket->enc_part2->client); - trans = &(req->ticket->enc_part2->transited); - - /* - * If the transited list is not empty, then check that all realms - * transited are within the hierarchy between the client's realm - * and the local realm. - */ - if (trans->tr_contents.data && trans->tr_contents.data[0]) { - retval = krb5_check_transited_list(context, &(trans->tr_contents), - realm, - krb5_princ_realm (context, - server)); - } + krb5_data * realm; + krb5_transited * trans; + + realm = krb5_princ_realm(context, req->ticket->enc_part2->client); + trans = &(req->ticket->enc_part2->transited); + + /* + * If the transited list is not empty, then check that all realms + * transited are within the hierarchy between the client's realm + * and the local realm. + */ + if (trans->tr_contents.data && trans->tr_contents.data[0]) { + retval = krb5_check_transited_list(context, &(trans->tr_contents), + realm, + krb5_princ_realm (context, + server)); + } } #endif @@ -365,69 +366,69 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, may not be able to use replay caches (such as datagram servers) */ if ((*auth_context)->rcache) { - krb5_donot_replay rep; - krb5_tkt_authent tktauthent; - - tktauthent.ticket = req->ticket; - tktauthent.authenticator = (*auth_context)->authentp; - if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) { - retval = krb5_rc_hash_message(context, - &req->authenticator.ciphertext, - &rep.msghash); - if (!retval) { - retval = krb5_rc_store(context, (*auth_context)->rcache, &rep); - free(rep.msghash); - } - free(rep.server); - free(rep.client); - } - - if (retval) - goto cleanup; + krb5_donot_replay rep; + krb5_tkt_authent tktauthent; + + tktauthent.ticket = req->ticket; + tktauthent.authenticator = (*auth_context)->authentp; + if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) { + retval = krb5_rc_hash_message(context, + &req->authenticator.ciphertext, + &rep.msghash); + if (!retval) { + retval = krb5_rc_store(context, (*auth_context)->rcache, &rep); + free(rep.msghash); + } + free(rep.server); + free(rep.client); + } + + if (retval) + goto cleanup; } retval = krb5_validate_times(context, &req->ticket->enc_part2->times); if (retval != 0) - goto cleanup; + goto cleanup; if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime))) - goto cleanup; + goto cleanup; if (check_valid_flag) { - if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) { - retval = KRB5KRB_AP_ERR_TKT_INVALID; - goto cleanup; - } - - if ((retval = krb5_authdata_context_init(context, - &(*auth_context)->ad_context))) - goto cleanup; - if ((retval = krb5int_authdata_verify(context, - (*auth_context)->ad_context, - AD_USAGE_MASK, - auth_context, - &decrypt_key, - req))) - goto cleanup; + if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) { + retval = KRB5KRB_AP_ERR_TKT_INVALID; + goto cleanup; + } + + if ((retval = krb5_authdata_context_init(context, + &(*auth_context)->ad_context))) + goto cleanup; + if ((retval = krb5int_authdata_verify(context, + (*auth_context)->ad_context, + AD_USAGE_MASK, + auth_context, + &decrypt_key, + req))) + goto cleanup; } /* read RFC 4537 etype list from sender */ retval = decode_etype_list(context, - (*auth_context)->authentp, - &desired_etypes, - &rfc4537_etypes_len); + (*auth_context)->authentp, + &desired_etypes, + &rfc4537_etypes_len); if (retval != 0) - goto cleanup; + goto cleanup; if (desired_etypes == NULL) - desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype)); + desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype)); else - desired_etypes = (krb5_enctype *)realloc(desired_etypes, - (rfc4537_etypes_len + 4) * - sizeof(krb5_enctype)); + desired_etypes = (krb5_enctype *)realloc(desired_etypes, + (rfc4537_etypes_len + 4) * + sizeof(krb5_enctype)); if (desired_etypes == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } desired_etypes_len = rfc4537_etypes_len; @@ -457,105 +458,105 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, */ if ((*auth_context)->authentp->subkey != NULL) { - desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype; + desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype; } desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype; desired_etypes[desired_etypes_len] = ENCTYPE_NULL; if (((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) == 0) { - if ((*auth_context)->permitted_etypes != NULL) { - permitted_etypes = (*auth_context)->permitted_etypes; - } else { - retval = krb5_get_permitted_enctypes(context, &permitted_etypes); - if (retval != 0) - goto cleanup; - } - for (permitted_etypes_len = 0; - permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL; - permitted_etypes_len++) - ; + if ((*auth_context)->permitted_etypes != NULL) { + permitted_etypes = (*auth_context)->permitted_etypes; + } else { + retval = krb5_get_permitted_enctypes(context, &permitted_etypes); + if (retval != 0) + goto cleanup; + } + for (permitted_etypes_len = 0; + permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL; + permitted_etypes_len++) + ; } else { - permitted_etypes = NULL; - permitted_etypes_len = 0; + permitted_etypes = NULL; + permitted_etypes_len = 0; } /* check if the various etypes are permitted */ retval = negotiate_etype(context, - desired_etypes, desired_etypes_len, - rfc4537_etypes_len, - permitted_etypes, permitted_etypes_len, - &(*auth_context)->negotiated_etype); + desired_etypes, desired_etypes_len, + rfc4537_etypes_len, + permitted_etypes, permitted_etypes_len, + &(*auth_context)->negotiated_etype); if (retval != 0) - goto cleanup; + goto cleanup; assert((*auth_context)->negotiated_etype != ENCTYPE_NULL); (*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number; if ((*auth_context)->authentp->subkey) { - if ((retval = krb5_k_create_key(context, - (*auth_context)->authentp->subkey, - &((*auth_context)->recv_subkey)))) - goto cleanup; - retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey, - &((*auth_context)->send_subkey)); - if (retval) { - krb5_k_free_key(context, (*auth_context)->recv_subkey); - (*auth_context)->recv_subkey = NULL; - goto cleanup; - } + if ((retval = krb5_k_create_key(context, + (*auth_context)->authentp->subkey, + &((*auth_context)->recv_subkey)))) + goto cleanup; + retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey, + &((*auth_context)->send_subkey)); + if (retval) { + krb5_k_free_key(context, (*auth_context)->recv_subkey); + (*auth_context)->recv_subkey = NULL; + goto cleanup; + } } else { - (*auth_context)->recv_subkey = 0; - (*auth_context)->send_subkey = 0; + (*auth_context)->recv_subkey = 0; + (*auth_context)->send_subkey = 0; } if ((retval = krb5_k_create_key(context, req->ticket->enc_part2->session, - &((*auth_context)->key)))) - goto cleanup; + &((*auth_context)->key)))) + goto cleanup; debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data); /* - * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used + * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used * then the default sequence number is the one's complement of the * sequence number sent ot us. */ - if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) && - (*auth_context)->remote_seq_number) { - (*auth_context)->local_seq_number ^= - (*auth_context)->remote_seq_number; + if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) && + (*auth_context)->remote_seq_number) { + (*auth_context)->local_seq_number ^= + (*auth_context)->remote_seq_number; } if (ticket) - if ((retval = krb5_copy_ticket(context, req->ticket, ticket))) - goto cleanup; + if ((retval = krb5_copy_ticket(context, req->ticket, ticket))) + goto cleanup; if (ap_req_options) { - *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK; - if (rfc4537_etypes_len != 0) - *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION; - if ((*auth_context)->negotiated_etype != - krb5_k_key_enctype(context, (*auth_context)->key)) - *ap_req_options |= AP_OPTS_USE_SUBKEY; + *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK; + if (rfc4537_etypes_len != 0) + *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION; + if ((*auth_context)->negotiated_etype != + krb5_k_key_enctype(context, (*auth_context)->key)) + *ap_req_options |= AP_OPTS_USE_SUBKEY; } retval = 0; - + cleanup: if (desired_etypes != NULL) - free(desired_etypes); + free(desired_etypes); if (permitted_etypes != NULL && - permitted_etypes != (*auth_context)->permitted_etypes) - free(permitted_etypes); + permitted_etypes != (*auth_context)->permitted_etypes) + free(permitted_etypes); if (server == &princ_data) - krb5_free_default_realm(context, princ_data.realm.data); + krb5_free_default_realm(context, princ_data.realm.data); if (retval) { - /* only free if we're erroring out...otherwise some - applications will need the output. */ - if (req->ticket->enc_part2) - krb5_free_enc_tkt_part(context, req->ticket->enc_part2); - req->ticket->enc_part2 = NULL; + /* only free if we're erroring out...otherwise some + applications will need the output. */ + if (req->ticket->enc_part2) + krb5_free_enc_tkt_part(context, req->ticket->enc_part2); + req->ticket->enc_part2 = NULL; } if (check_valid_flag) - krb5_free_keyblock_contents(context, &decrypt_key); + krb5_free_keyblock_contents(context, &decrypt_key); return retval; } @@ -566,12 +567,12 @@ krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket) { - krb5_error_code retval; - retval = krb5_rd_req_decoded_opt(context, auth_context, - req, server, keytab, - ap_req_options, ticket, - 1); /* check_valid_flag */ - return retval; + krb5_error_code retval; + retval = krb5_rd_req_decoded_opt(context, auth_context, + req, server, keytab, + ap_req_options, ticket, + 1); /* check_valid_flag */ + return retval; } krb5_error_code @@ -581,18 +582,18 @@ krb5_rd_req_decoded_anyflag(krb5_context context, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket) { - krb5_error_code retval; - retval = krb5_rd_req_decoded_opt(context, auth_context, - req, server, keytab, - ap_req_options, ticket, - 0); /* don't check_valid_flag */ - return retval; + krb5_error_code retval; + retval = krb5_rd_req_decoded_opt(context, auth_context, + req, server, keytab, + ap_req_options, ticket, + 0); /* don't check_valid_flag */ + return retval; } #ifndef LEAN_CLIENT static krb5_error_code decrypt_authenticator(krb5_context context, const krb5_ap_req *request, - krb5_authenticator **authpp, int is_ap_req) + krb5_authenticator **authpp, int is_ap_req) { krb5_authenticator *local_auth; krb5_error_code retval; @@ -603,23 +604,23 @@ decrypt_authenticator(krb5_context context, const krb5_ap_req *request, scratch.length = request->authenticator.ciphertext.length; if (!(scratch.data = malloc(scratch.length))) - return(ENOMEM); + return(ENOMEM); if ((retval = krb5_c_decrypt(context, sesskey, - is_ap_req?KRB5_KEYUSAGE_AP_REQ_AUTH: - KRB5_KEYUSAGE_TGS_REQ_AUTH, 0, - &request->authenticator, &scratch))) { - free(scratch.data); - return(retval); + is_ap_req?KRB5_KEYUSAGE_AP_REQ_AUTH: + KRB5_KEYUSAGE_TGS_REQ_AUTH, 0, + &request->authenticator, &scratch))) { + free(scratch.data); + return(retval); } -#define clean_scratch() {memset(scratch.data, 0, scratch.length); \ -free(scratch.data);} +#define clean_scratch() {memset(scratch.data, 0, scratch.length); \ + free(scratch.data);} /* now decode the decrypted stuff */ if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) { - *authpp = local_auth; - debug_log_authz_data("authenticator", local_auth->authorization_data); + *authpp = local_auth; + debug_log_authz_data("authenticator", local_auth->authorization_data); } clean_scratch(); return retval; @@ -628,12 +629,12 @@ free(scratch.data);} static krb5_error_code negotiate_etype(krb5_context context, - const krb5_enctype *desired_etypes, - int desired_etypes_len, - int mandatory_etypes_index, - const krb5_enctype *permitted_etypes, - int permitted_etypes_len, - krb5_enctype *negotiated_etype) + const krb5_enctype *desired_etypes, + int desired_etypes_len, + int mandatory_etypes_index, + const krb5_enctype *permitted_etypes, + int permitted_etypes_len, + krb5_enctype *negotiated_etype) { int i, j; @@ -641,26 +642,26 @@ negotiate_etype(krb5_context context, /* mandatory segment of desired_etypes must be permitted */ for (i = mandatory_etypes_index; i < desired_etypes_len; i++) { - krb5_boolean permitted = FALSE; - - for (j = 0; j < permitted_etypes_len; j++) { - if (desired_etypes[i] == permitted_etypes[j]) { - permitted = TRUE; - break; - } - } - - if (permitted == FALSE) { - char enctype_name[30]; - - if (krb5_enctype_to_string(desired_etypes[i], - enctype_name, - sizeof(enctype_name)) == 0) - krb5_set_error_message(context, KRB5_NOPERM_ETYPE, - "Encryption type %s not permitted", - enctype_name); - return KRB5_NOPERM_ETYPE; - } + krb5_boolean permitted = FALSE; + + for (j = 0; j < permitted_etypes_len; j++) { + if (desired_etypes[i] == permitted_etypes[j]) { + permitted = TRUE; + break; + } + } + + if (permitted == FALSE) { + char enctype_name[30]; + + if (krb5_enctype_to_string(desired_etypes[i], + enctype_name, + sizeof(enctype_name)) == 0) + krb5_set_error_message(context, KRB5_NOPERM_ETYPE, + "Encryption type %s not permitted", + enctype_name); + return KRB5_NOPERM_ETYPE; + } } /* @@ -668,12 +669,12 @@ negotiate_etype(krb5_context context, * find first desired_etype that matches. */ for (j = 0; j < permitted_etypes_len; j++) { - for (i = 0; i < desired_etypes_len; i++) { - if (desired_etypes[i] == permitted_etypes[j]) { - *negotiated_etype = permitted_etypes[j]; - return 0; - } - } + for (i = 0; i < desired_etypes_len; i++) { + if (desired_etypes[i] == permitted_etypes[j]) { + *negotiated_etype = permitted_etypes[j]; + return 0; + } + } } /*NOTREACHED*/ @@ -682,9 +683,9 @@ negotiate_etype(krb5_context context, static krb5_error_code decode_etype_list(krb5_context context, - const krb5_authenticator *authp, - krb5_enctype **desired_etypes, - int *desired_etypes_len) + const krb5_authenticator *authp, + krb5_enctype **desired_etypes, + int *desired_etypes_len) { krb5_error_code code; krb5_authdata **ad_if_relevant = NULL; @@ -696,59 +697,58 @@ decode_etype_list(krb5_context context, *desired_etypes = NULL; if (authp->authorization_data == NULL) - return 0; + return 0; /* * RFC 4537 says that ETYPE_NEGOTIATION auth data should be wrapped * in AD_IF_RELEVANT, but we handle the case where it is mandatory. */ for (i = 0; authp->authorization_data[i] != NULL; i++) { - switch (authp->authorization_data[i]->ad_type) { - case KRB5_AUTHDATA_IF_RELEVANT: - code = krb5_decode_authdata_container(context, - KRB5_AUTHDATA_IF_RELEVANT, - authp->authorization_data[i], - &ad_if_relevant); - if (code != 0) - continue; - - for (j = 0; ad_if_relevant[j] != NULL; j++) { - if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) { - etype_adata = ad_if_relevant[j]; - break; - } - } - if (etype_adata == NULL) { - krb5_free_authdata(context, ad_if_relevant); - ad_if_relevant = NULL; - } - break; - case KRB5_AUTHDATA_ETYPE_NEGOTIATION: - etype_adata = authp->authorization_data[i]; - break; - default: - break; - } - if (etype_adata != NULL) - break; + switch (authp->authorization_data[i]->ad_type) { + case KRB5_AUTHDATA_IF_RELEVANT: + code = krb5_decode_authdata_container(context, + KRB5_AUTHDATA_IF_RELEVANT, + authp->authorization_data[i], + &ad_if_relevant); + if (code != 0) + continue; + + for (j = 0; ad_if_relevant[j] != NULL; j++) { + if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) { + etype_adata = ad_if_relevant[j]; + break; + } + } + if (etype_adata == NULL) { + krb5_free_authdata(context, ad_if_relevant); + ad_if_relevant = NULL; + } + break; + case KRB5_AUTHDATA_ETYPE_NEGOTIATION: + etype_adata = authp->authorization_data[i]; + break; + default: + break; + } + if (etype_adata != NULL) + break; } if (etype_adata == NULL) - return 0; + return 0; data.data = (char *)etype_adata->contents; data.length = etype_adata->length; code = decode_krb5_etype_list(&data, &etype_list); if (code == 0) { - *desired_etypes = etype_list->etypes; - *desired_etypes_len = etype_list->length; - free(etype_list); + *desired_etypes = etype_list->etypes; + *desired_etypes_len = etype_list->length; + free(etype_list); } if (ad_if_relevant != NULL) - krb5_free_authdata(context, ad_if_relevant); + krb5_free_authdata(context, ad_if_relevant); return code; } - diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 68c13317c..924cb9fc2 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/rd_safe.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_rd_safe() */ @@ -32,27 +33,27 @@ #include "auth_con.h" /* - parses a KRB_SAFE message from inbuf, placing the integrity-protected user - data in *outbuf. + parses a KRB_SAFE message from inbuf, placing the integrity-protected user + data in *outbuf. - key specifies the key to be used for decryption of the message. - - sender_addr and recv_addr specify the full addresses (host and port) of - the sender and receiver. + key specifies the key to be used for decryption of the message. - outbuf points to allocated storage which the caller should free when finished. + sender_addr and recv_addr specify the full addresses (host and port) of + the sender and receiver. - returns system errors, integrity errors - */ + outbuf points to allocated storage which the caller should free when finished. + + returns system errors, integrity errors +*/ static krb5_error_code krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, - krb5_key key, - const krb5_address *recv_addr, - const krb5_address *sender_addr, - krb5_replay_data *replaydata, krb5_data *outbuf) + krb5_key key, + const krb5_address *recv_addr, + const krb5_address *sender_addr, + krb5_replay_data *replaydata, krb5_data *outbuf) { - krb5_error_code retval; - krb5_safe * message; + krb5_error_code retval; + krb5_safe * message; krb5_data safe_body; krb5_checksum our_cksum, *his_cksum; krb5_octet zero_octet = 0; @@ -61,45 +62,45 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, struct krb5_safe_with_body swb; if (!krb5_is_krb_safe(inbuf)) - return KRB5KRB_AP_ERR_MSG_TYPE; + return KRB5KRB_AP_ERR_MSG_TYPE; if ((retval = decode_krb5_safe_with_body(inbuf, &message, &safe_body))) - return retval; + return retval; if (!krb5_c_valid_cksumtype(message->checksum->checksum_type)) { - retval = KRB5_PROG_SUMTYPE_NOSUPP; - goto cleanup; + retval = KRB5_PROG_SUMTYPE_NOSUPP; + goto cleanup; } if (!krb5_c_is_coll_proof_cksum(message->checksum->checksum_type) || - !krb5_c_is_keyed_cksum(message->checksum->checksum_type)) { - retval = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto cleanup; + !krb5_c_is_keyed_cksum(message->checksum->checksum_type)) { + retval = KRB5KRB_AP_ERR_INAPP_CKSUM; + goto cleanup; } if (!krb5_address_compare(context, sender_addr, message->s_address)) { - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup; + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup; } if (message->r_address) { - if (recv_addr) { - if (!krb5_address_compare(context, recv_addr, message->r_address)) { - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup; - } - } else { - krb5_address **our_addrs; - - if ((retval = krb5_os_localaddr(context, &our_addrs))) - goto cleanup; - - if (!krb5_address_search(context, message->r_address, our_addrs)) { - krb5_free_addresses(context, our_addrs); - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup; - } - krb5_free_addresses(context, our_addrs); - } + if (recv_addr) { + if (!krb5_address_compare(context, recv_addr, message->r_address)) { + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup; + } + } else { + krb5_address **our_addrs; + + if ((retval = krb5_os_localaddr(context, &our_addrs))) + goto cleanup; + + if (!krb5_address_search(context, message->r_address, our_addrs)) { + krb5_free_addresses(context, our_addrs); + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup; + } + krb5_free_addresses(context, our_addrs); + } } /* verify the checksum */ @@ -122,27 +123,27 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, retval = encode_krb5_safe_with_body(&swb, &scratch); message->checksum = his_cksum; if (retval) - goto cleanup; + goto cleanup; retval = krb5_k_verify_checksum(context, key, - KRB5_KEYUSAGE_KRB_SAFE_CKSUM, - scratch, his_cksum, &valid); + KRB5_KEYUSAGE_KRB_SAFE_CKSUM, + scratch, his_cksum, &valid); (void) memset(scratch->data, 0, scratch->length); krb5_free_data(context, scratch); - + if (!valid) { - /* - * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in - * case someone actually implements it correctly. - */ - retval = krb5_k_verify_checksum(context, key, - KRB5_KEYUSAGE_KRB_SAFE_CKSUM, - &safe_body, his_cksum, &valid); - if (!valid) { - retval = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; - } + /* + * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in + * case someone actually implements it correctly. + */ + retval = krb5_k_verify_checksum(context, key, + KRB5_KEYUSAGE_KRB_SAFE_CKSUM, + &safe_body, his_cksum, &valid); + if (!valid) { + retval = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } } replaydata->timestamp = message->timestamp; @@ -152,7 +153,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, *outbuf = message->user_data; message->user_data.data = NULL; retval = 0; - + cleanup: krb5_free_safe(context, message); return retval; @@ -160,114 +161,114 @@ cleanup: krb5_error_code KRB5_CALLCONV krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, - const krb5_data *inbuf, krb5_data *outbuf, - krb5_replay_data *outdata) + const krb5_data *inbuf, krb5_data *outbuf, + krb5_replay_data *outdata) { - krb5_error_code retval; - krb5_key key; - krb5_replay_data replaydata; + krb5_error_code retval; + krb5_key key; + krb5_replay_data replaydata; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (outdata == NULL)) - /* Need a better error */ - return KRB5_RC_REQUIRED; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + (outdata == NULL)) + /* Need a better error */ + return KRB5_RC_REQUIRED; if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) - return KRB5_RC_REQUIRED; + (auth_context->rcache == NULL)) + return KRB5_RC_REQUIRED; if (!auth_context->remote_addr) - return KRB5_REMOTE_ADDR_REQUIRED; + return KRB5_REMOTE_ADDR_REQUIRED; /* Get key */ if ((key = auth_context->recv_subkey) == NULL) - key = auth_context->key; + key = auth_context->key; + + { + krb5_address * premote_fulladdr; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))){ + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + return retval; + } + } else { + plocal_fulladdr = auth_context->local_addr; + } + } -{ - krb5_address * premote_fulladdr; - krb5_address * plocal_fulladdr = NULL; - krb5_address remote_fulladdr; - krb5_address local_fulladdr; - CLEANUP_INIT(2); - - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))){ - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - return retval; + return retval; } - } else { - plocal_fulladdr = auth_context->local_addr; + } else { + premote_fulladdr = auth_context->remote_addr; } - } - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - return retval; - } - } else { - premote_fulladdr = auth_context->remote_addr; - } + memset(&replaydata, 0, sizeof(replaydata)); + if ((retval = krb5_rd_safe_basic(context, inbuf, key, + plocal_fulladdr, premote_fulladdr, + &replaydata, outbuf))) { + CLEANUP_DONE(); + return retval; + } - memset(&replaydata, 0, sizeof(replaydata)); - if ((retval = krb5_rd_safe_basic(context, inbuf, key, - plocal_fulladdr, premote_fulladdr, - &replaydata, outbuf))) { - CLEANUP_DONE(); - return retval; + CLEANUP_DONE(); } - CLEANUP_DONE(); -} - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_donot_replay replay; - - if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) - goto error; - - if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, - "_safe", &replay.client))) - goto error; - - replay.server = ""; /* XXX */ - replay.msghash = NULL; - replay.cusec = replaydata.usec; - replay.ctime = replaydata.timestamp; - if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { - free(replay.client); - goto error; - } - free(replay.client); + krb5_donot_replay replay; + + if ((retval = krb5int_check_clockskew(context, replaydata.timestamp))) + goto error; + + if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr, + "_safe", &replay.client))) + goto error; + + replay.server = ""; /* XXX */ + replay.msghash = NULL; + replay.cusec = replaydata.usec; + replay.ctime = replaydata.timestamp; + if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { + free(replay.client); + goto error; + } + free(replay.client); } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (!krb5int_auth_con_chkseqnum(context, auth_context, - replaydata.seq)) { - retval = KRB5KRB_AP_ERR_BADORDER; - goto error; - } - auth_context->remote_seq_number++; + if (!krb5int_auth_con_chkseqnum(context, auth_context, + replaydata.seq)) { + retval = KRB5KRB_AP_ERR_BADORDER; + goto error; + } + auth_context->remote_seq_number++; } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - outdata->timestamp = replaydata.timestamp; - outdata->usec = replaydata.usec; - outdata->seq = replaydata.seq; + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { + outdata->timestamp = replaydata.timestamp; + outdata->usec = replaydata.usec; + outdata->seq = replaydata.seq; } - + /* everything is ok - return data to the user */ return 0; @@ -276,4 +277,3 @@ error: return retval; } - diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c index 611546aa5..90746ba5c 100644 --- a/src/lib/krb5/krb/recvauth.c +++ b/src/lib/krb5/krb/recvauth.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/recvauth.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * convenience sendauth/recvauth functions */ @@ -38,79 +39,79 @@ static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0"; static krb5_error_code recvauth_common(krb5_context context, - krb5_auth_context * auth_context, - /* IN */ - krb5_pointer fd, - char *appl_version, - krb5_principal server, - krb5_int32 flags, - krb5_keytab keytab, - /* OUT */ - krb5_ticket ** ticket, - krb5_data *version) + krb5_auth_context * auth_context, + /* IN */ + krb5_pointer fd, + char *appl_version, + krb5_principal server, + krb5_int32 flags, + krb5_keytab keytab, + /* OUT */ + krb5_ticket ** ticket, + krb5_data *version) { - krb5_auth_context new_auth_context; - krb5_flags ap_option = 0; - krb5_error_code retval, problem; - krb5_data inbuf; - krb5_data outbuf; - krb5_rcache rcache = 0; - krb5_octet response; - krb5_data null_server; + krb5_auth_context new_auth_context; + krb5_flags ap_option = 0; + krb5_error_code retval, problem; + krb5_data inbuf; + krb5_data outbuf; + krb5_rcache rcache = 0; + krb5_octet response; + krb5_data null_server; int need_error_free = 0; - int local_rcache = 0, local_authcon = 0; - - /* - * Zero out problem variable. If problem is set at the end of - * the intial version negotiation section, it means that we - * need to send an error code back to the client application - * and exit. - */ - problem = 0; - response = 0; - - if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) { - /* - * First read the sendauth version string and check it. - */ - if ((retval = krb5_read_message(context, fd, &inbuf))) - return(retval); - if (strcmp(inbuf.data, sendauth_version)) { - problem = KRB5_SENDAUTH_BADAUTHVERS; - response = 1; - } - free(inbuf.data); - } - if (flags & KRB5_RECVAUTH_BADAUTHVERS) { - problem = KRB5_SENDAUTH_BADAUTHVERS; - response = 1; - } - - /* - * Do the same thing for the application version string. - */ - if ((retval = krb5_read_message(context, fd, &inbuf))) - return(retval); - if (appl_version && strcmp(inbuf.data, appl_version)) { - if (!problem) { - problem = KRB5_SENDAUTH_BADAPPLVERS; - response = 2; - } - } - if (version && !problem) - *version = inbuf; - else - free(inbuf.data); - - /* - * Now we actually write the response. If the response is non-zero, - * exit with a return value of problem - */ - if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) { - return(problem); /* We'll return the top-level problem */ - } - if (problem) - return(problem); + int local_rcache = 0, local_authcon = 0; + + /* + * Zero out problem variable. If problem is set at the end of + * the intial version negotiation section, it means that we + * need to send an error code back to the client application + * and exit. + */ + problem = 0; + response = 0; + + if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) { + /* + * First read the sendauth version string and check it. + */ + if ((retval = krb5_read_message(context, fd, &inbuf))) + return(retval); + if (strcmp(inbuf.data, sendauth_version)) { + problem = KRB5_SENDAUTH_BADAUTHVERS; + response = 1; + } + free(inbuf.data); + } + if (flags & KRB5_RECVAUTH_BADAUTHVERS) { + problem = KRB5_SENDAUTH_BADAUTHVERS; + response = 1; + } + + /* + * Do the same thing for the application version string. + */ + if ((retval = krb5_read_message(context, fd, &inbuf))) + return(retval); + if (appl_version && strcmp(inbuf.data, appl_version)) { + if (!problem) { + problem = KRB5_SENDAUTH_BADAPPLVERS; + response = 2; + } + } + if (version && !problem) + *version = inbuf; + else + free(inbuf.data); + + /* + * Now we actually write the response. If the response is non-zero, + * exit with a return value of problem + */ + if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) { + return(problem); /* We'll return the top-level problem */ + } + if (problem) + return(problem); /* We are clear of errors here */ @@ -121,9 +122,9 @@ recvauth_common(krb5_context context, return retval; if (*auth_context == NULL) { - problem = krb5_auth_con_init(context, &new_auth_context); - *auth_context = new_auth_context; - local_authcon = 1; + problem = krb5_auth_con_init(context, &new_auth_context); + *auth_context = new_auth_context; + local_authcon = 1; } krb5_auth_con_getrcache(context, *auth_context, &rcache); if ((!problem) && rcache == NULL) { @@ -131,93 +132,93 @@ recvauth_common(krb5_context context, * Setup the replay cache. */ if (server) { - problem = krb5_get_server_rcache(context, - krb5_princ_component(context, server, 0), &rcache); + problem = krb5_get_server_rcache(context, + krb5_princ_component(context, server, 0), &rcache); } else { - null_server.length = 7; - null_server.data = "default"; - problem = krb5_get_server_rcache(context, &null_server, &rcache); + null_server.length = 7; + null_server.data = "default"; + problem = krb5_get_server_rcache(context, &null_server, &rcache); } - if (!problem) - problem = krb5_auth_con_setrcache(context, *auth_context, rcache); - local_rcache = 1; + if (!problem) + problem = krb5_auth_con_setrcache(context, *auth_context, rcache); + local_rcache = 1; } if (!problem) { - problem = krb5_rd_req(context, auth_context, &inbuf, server, - keytab, &ap_option, ticket); - free(inbuf.data); + problem = krb5_rd_req(context, auth_context, &inbuf, server, + keytab, &ap_option, ticket); + free(inbuf.data); } - + /* * If there was a problem, send back a krb5_error message, * preceeded by the length of the krb5_error message. If * everything's ok, send back 0 for the length. */ if (problem) { - krb5_error error; - const char *message; - - memset(&error, 0, sizeof(error)); - krb5_us_timeofday(context, &error.stime, &error.susec); - if(server) - error.server = server; - else { - /* If this fails - ie. ENOMEM we are hosed - we cannot even send the error if we wanted to... */ - (void) krb5_parse_name(context, "????", &error.server); - need_error_free = 1; - } - - error.error = problem - ERROR_TABLE_BASE_krb5; - if (error.error > 127) - error.error = KRB_ERR_GENERIC; - message = error_message(problem); - error.text.length = strlen(message) + 1; - error.text.data = strdup(message); - if (!error.text.data) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_mk_error(context, &error, &outbuf))) { - free(error.text.data); - goto cleanup; - } - free(error.text.data); - if(need_error_free) - krb5_free_principal(context, error.server); + krb5_error error; + const char *message; + + memset(&error, 0, sizeof(error)); + krb5_us_timeofday(context, &error.stime, &error.susec); + if(server) + error.server = server; + else { + /* If this fails - ie. ENOMEM we are hosed + we cannot even send the error if we wanted to... */ + (void) krb5_parse_name(context, "????", &error.server); + need_error_free = 1; + } + + error.error = problem - ERROR_TABLE_BASE_krb5; + if (error.error > 127) + error.error = KRB_ERR_GENERIC; + message = error_message(problem); + error.text.length = strlen(message) + 1; + error.text.data = strdup(message); + if (!error.text.data) { + retval = ENOMEM; + goto cleanup; + } + if ((retval = krb5_mk_error(context, &error, &outbuf))) { + free(error.text.data); + goto cleanup; + } + free(error.text.data); + if(need_error_free) + krb5_free_principal(context, error.server); } else { - outbuf.length = 0; - outbuf.data = 0; + outbuf.length = 0; + outbuf.data = 0; } retval = krb5_write_message(context, fd, &outbuf); if (outbuf.data) { - free(outbuf.data); - /* We sent back an error, we need cleanup then return */ - retval = problem; - goto cleanup; + free(outbuf.data); + /* We sent back an error, we need cleanup then return */ + retval = problem; + goto cleanup; } if (retval) - goto cleanup; + goto cleanup; /* Here lies the mutual authentication stuff... */ if ((ap_option & AP_OPTS_MUTUAL_REQUIRED)) { - if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) { - return(retval); - } - retval = krb5_write_message(context, fd, &outbuf); - free(outbuf.data); + if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) { + return(retval); + } + retval = krb5_write_message(context, fd, &outbuf); + free(outbuf.data); } cleanup:; if (retval) { - if (local_authcon) { - krb5_auth_con_free(context, *auth_context); - } else if (local_rcache && rcache != NULL) { - krb5_rc_close(context, rcache); - krb5_auth_con_setrcache(context, *auth_context, NULL); - } + if (local_authcon) { + krb5_auth_con_free(context, *auth_context); + } else if (local_rcache && rcache != NULL) { + krb5_rc_close(context, rcache); + krb5_auth_con_setrcache(context, *auth_context, NULL); + } } return retval; } @@ -226,21 +227,21 @@ krb5_error_code KRB5_CALLCONV krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket) { return recvauth_common (context, auth_context, fd, appl_version, - server, flags, keytab, ticket, 0); + server, flags, keytab, ticket, 0); } krb5_error_code KRB5_CALLCONV krb5_recvauth_version(krb5_context context, - krb5_auth_context *auth_context, - /* IN */ - krb5_pointer fd, - krb5_principal server, - krb5_int32 flags, - krb5_keytab keytab, - /* OUT */ - krb5_ticket **ticket, - krb5_data *version) + krb5_auth_context *auth_context, + /* IN */ + krb5_pointer fd, + krb5_principal server, + krb5_int32 flags, + krb5_keytab keytab, + /* OUT */ + krb5_ticket **ticket, + krb5_data *version) { return recvauth_common (context, auth_context, fd, 0, - server, flags, keytab, ticket, version); + server, flags, keytab, ticket, version); } diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index a7e519902..473386576 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/s4u_creds.c * @@ -79,7 +79,7 @@ s4u_identify_user(krb5_context context, if (in_creds->client != NULL && krb5_princ_type(context, in_creds->client) != - KRB5_NT_ENTERPRISE_PRINCIPAL) + KRB5_NT_ENTERPRISE_PRINCIPAL) /* we already know the realm of the user */ return krb5_copy_principal(context, in_creds->client, canon_user); @@ -420,7 +420,7 @@ verify_s4u2self_reply(krb5_context context, if (not_newer) { if (enc_s4u_padata == NULL) { if (rep_s4u_user->user_id.options & - KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) { + KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) { code = KRB5_KDCREP_MODIFIED; goto cleanup; } diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index eee47ed57..398855009 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/send_tgs.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_send_tgs() */ @@ -30,27 +31,27 @@ #include "k5-int.h" /* -Constructs a TGS request - options is used for the options in the KRB_TGS_REQ. - timestruct values are used for from, till, rtime " " " - enctype is used for enctype " " ", and to encrypt the authorization data, - sname is used for sname " " " - addrs, if non-NULL, is used for addresses " " " - authorization_dat, if non-NULL, is used for authorization_dat " " " - second_ticket, if required by options, is used for the 2nd ticket in the req. - in_cred is used for the ticket & session key in the KRB_AP_REQ header " " " - (the KDC realm is extracted from in_cred->server's realm) - - The response is placed into *rep. - rep->response.data is set to point at allocated storage which should be - freed by the caller when finished. - - returns system errors - */ -static krb5_error_code + Constructs a TGS request + options is used for the options in the KRB_TGS_REQ. + timestruct values are used for from, till, rtime " " " + enctype is used for enctype " " ", and to encrypt the authorization data, + sname is used for sname " " " + addrs, if non-NULL, is used for addresses " " " + authorization_dat, if non-NULL, is used for authorization_dat " " " + second_ticket, if required by options, is used for the 2nd ticket in the req. + in_cred is used for the ticket & session key in the KRB_AP_REQ header " " " + (the KDC realm is extracted from in_cred->server's realm) + + The response is placed into *rep. + rep->response.data is set to point at allocated storage which should be + freed by the caller when finished. + + returns system errors +*/ +static krb5_error_code tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, - krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) -{ + krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) +{ krb5_cksumtype cksumtype; krb5_error_code retval; krb5_checksum checksum; @@ -70,19 +71,19 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, case ENCTYPE_DES_CBC_MD5: case ENCTYPE_ARCFOUR_HMAC: case ENCTYPE_ARCFOUR_HMAC_EXP: - cksumtype = context->kdc_req_sumtype; - break; + cksumtype = context->kdc_req_sumtype; + break; default: - retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); - if (retval) - goto cleanup; + retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); + if (retval) + goto cleanup; } /* Generate checksum */ if ((retval = krb5_c_make_checksum(context, cksumtype, - &in_cred->keyblock, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - in_data, &checksum))) { + &in_cred->keyblock, + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + in_data, &checksum))) { free(checksum.contents); goto cleanup; } @@ -94,7 +95,7 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, authent.client = in_cred->client; authent.authorization_data = in_cred->authdata; if ((retval = krb5_us_timeofday(context, &authent.ctime, - &authent.cusec))) + &authent.cusec))) goto cleanup; @@ -110,10 +111,10 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, /* Cleanup scratch and scratch data */ goto cleanup; - /* call the encryption routine */ + /* call the encryption routine */ if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock, - KRB5_KEYUSAGE_TGS_REQ_AUTH, - scratch, &request.authenticator))) + KRB5_KEYUSAGE_TGS_REQ_AUTH, + scratch, &request.authenticator))) goto cleanup; if (!(retval = encode_krb5_ap_req(&request, &toutbuf))) { @@ -132,7 +133,7 @@ cleanup: if (request.ticket) krb5_free_ticket(context, request.ticket); - if (scratch != NULL && scratch->data != NULL) { + if (scratch != NULL && scratch->data != NULL) { zap(scratch->data, scratch->length); free(scratch->data); } @@ -148,17 +149,17 @@ cleanup: */ krb5_error_code krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, - const krb5_ticket_times *timestruct, const krb5_enctype *ktypes, - krb5_const_principal sname, krb5_address *const *addrs, - krb5_authdata *const *authorization_data, - krb5_pa_data *const *padata, const krb5_data *second_ticket, - krb5_creds *in_cred, - krb5_error_code (*pacb_fct)(krb5_context, - krb5_keyblock *, - krb5_kdc_req *, - void *), - void *pacb_data, - krb5_response *rep, krb5_keyblock **subkey) + const krb5_ticket_times *timestruct, const krb5_enctype *ktypes, + krb5_const_principal sname, krb5_address *const *addrs, + krb5_authdata *const *authorization_data, + krb5_pa_data *const *padata, const krb5_data *second_ticket, + krb5_creds *in_cred, + krb5_error_code (*pacb_fct)(krb5_context, + krb5_keyblock *, + krb5_kdc_req *, + void *), + void *pacb_data, + krb5_response *rep, krb5_keyblock **subkey) { krb5_error_code retval; krb5_kdc_req tgsreq; @@ -174,7 +175,7 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, assert (subkey != NULL); *subkey = NULL; - /* + /* * in_creds MUST be a valid credential NOT just a partially filled in * place holder for us to get credentials for the caller. */ @@ -196,31 +197,31 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now; rep->request_time = time_now; rep->message_type = KRB5_ERROR; /*caller only uses the response - * element on successful return*/ + * element on successful return*/ tgsreq.addresses = (krb5_address **) addrs; /* Generate subkey*/ if ((retval = krb5_generate_subkey( context, &in_cred->keyblock, - &local_subkey)) != 0) + &local_subkey)) != 0) return retval; if (authorization_data) { - /* need to encrypt it in the request */ + /* need to encrypt it in the request */ - if ((retval = encode_krb5_authdata(authorization_data, &scratch))) - goto send_tgs_error_1; + if ((retval = encode_krb5_authdata(authorization_data, &scratch))) + goto send_tgs_error_1; - if ((retval = krb5_encrypt_helper(context, local_subkey, - KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, - scratch, - &tgsreq.authorization_data))) { - free(tgsreq.authorization_data.ciphertext.data); - krb5_free_data(context, scratch); - goto send_tgs_error_1; - } + if ((retval = krb5_encrypt_helper(context, local_subkey, + KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, + scratch, + &tgsreq.authorization_data))) { + free(tgsreq.authorization_data.ciphertext.data); + krb5_free_data(context, scratch); + goto send_tgs_error_1; + } - krb5_free_data(context, scratch); + krb5_free_data(context, scratch); } /* Get the encryption types list */ @@ -255,7 +256,7 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, /* * Get an ap_req. */ - if ((retval = tgs_construct_tgsreq(context, scratch, in_cred, + if ((retval = tgs_construct_tgsreq(context, scratch, in_cred, &scratch2, local_subkey))) { krb5_free_data(context, scratch); goto send_tgs_error_2; @@ -332,41 +333,41 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions, send_again: use_master = 0; - retval = krb5_sendto_kdc(context, scratch, - krb5_princ_realm(context, sname), - &rep->response, &use_master, tcp_only); + retval = krb5_sendto_kdc(context, scratch, + krb5_princ_realm(context, sname), + &rep->response, &use_master, tcp_only); if (retval == 0) { if (krb5_is_krb_error(&rep->response)) { if (!tcp_only) { krb5_error *err_reply; retval = decode_krb5_error(&rep->response, &err_reply); - if (retval) - goto send_tgs_error_3; - if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { - tcp_only = 1; + if (retval) + goto send_tgs_error_3; + if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { + tcp_only = 1; + krb5_free_error(context, err_reply); + free(rep->response.data); + rep->response.data = NULL; + goto send_again; + } krb5_free_error(context, err_reply); - free(rep->response.data); - rep->response.data = NULL; - goto send_again; - } - krb5_free_error(context, err_reply); send_tgs_error_3: ; - } - rep->message_type = KRB5_ERROR; - } else if (krb5_is_tgs_rep(&rep->response)) { - rep->message_type = KRB5_TGS_REP; - *subkey = local_subkey; - } else /* XXX: assume it's an error */ - rep->message_type = KRB5_ERROR; + } + rep->message_type = KRB5_ERROR; + } else if (krb5_is_tgs_rep(&rep->response)) { + rep->message_type = KRB5_TGS_REP; + *subkey = local_subkey; + } else /* XXX: assume it's an error */ + rep->message_type = KRB5_ERROR; } krb5_free_data(context, scratch); - + send_tgs_error_2:; if (tgsreq.padata) krb5_free_pa_data(context, tgsreq.padata); - if (sec_ticket) + if (sec_ticket) krb5_free_ticket(context, sec_ticket); send_tgs_error_1:; @@ -374,13 +375,12 @@ send_tgs_error_1:; free(tgsreq.ktype); if (tgsreq.authorization_data.ciphertext.data) { memset(tgsreq.authorization_data.ciphertext.data, 0, - tgsreq.authorization_data.ciphertext.length); + tgsreq.authorization_data.ciphertext.length); free(tgsreq.authorization_data.ciphertext.data); } if (rep->message_type != KRB5_TGS_REP && local_subkey){ krb5_free_keyblock(context, *subkey); - } + } return retval; } - diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c index 67b9adde0..30b72b937 100644 --- a/src/lib/krb5/krb/sendauth.c +++ b/src/lib/krb5/krb/sendauth.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/sendauth.c * diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c index 65b7e2729..ccd1e2df7 100644 --- a/src/lib/krb5/krb/ser_actx.c +++ b/src/lib/krb5/krb/ser_actx.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_actx.c * @@ -32,26 +33,26 @@ #include "int-proto.h" #include "auth_con.h" -#define TOKEN_RADDR 950916 -#define TOKEN_RPORT 950917 -#define TOKEN_LADDR 950918 -#define TOKEN_LPORT 950919 -#define TOKEN_KEYBLOCK 950920 -#define TOKEN_LSKBLOCK 950921 -#define TOKEN_RSKBLOCK 950922 +#define TOKEN_RADDR 950916 +#define TOKEN_RPORT 950917 +#define TOKEN_LADDR 950918 +#define TOKEN_LPORT 950919 +#define TOKEN_KEYBLOCK 950920 +#define TOKEN_LSKBLOCK 950921 +#define TOKEN_RSKBLOCK 950922 /* * Routines to deal with externalizing the krb5_auth_context: - * krb5_auth_context_size(); - * krb5_auth_context_externalize(); - * krb5_auth_context_internalize(); + * krb5_auth_context_size(); + * krb5_auth_context_externalize(); + * krb5_auth_context_internalize(); */ static krb5_error_code krb5_auth_context_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_auth_context_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_auth_context_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Other metadata serialization initializers. @@ -59,289 +60,289 @@ static krb5_error_code krb5_auth_context_internalize /* Local data */ static const krb5_ser_entry krb5_auth_context_ser_entry = { - KV5M_AUTH_CONTEXT, /* Type */ - krb5_auth_context_size, /* Sizer routine */ - krb5_auth_context_externalize, /* Externalize routine */ - krb5_auth_context_internalize /* Internalize routine */ + KV5M_AUTH_CONTEXT, /* Type */ + krb5_auth_context_size, /* Sizer routine */ + krb5_auth_context_externalize, /* Externalize routine */ + krb5_auth_context_internalize /* Internalize routine */ }; /* - * krb5_auth_context_size() - Determine the size required to externalize - * the krb5_auth_context. + * krb5_auth_context_size() - Determine the size required to externalize + * the krb5_auth_context. */ static krb5_error_code krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_auth_context auth_context; - size_t required; - krb5_enctype enctype; + krb5_error_code kret; + krb5_auth_context auth_context; + size_t required; + krb5_enctype enctype; /* * krb5_auth_context requires at minimum: - * krb5_int32 for KV5M_AUTH_CONTEXT - * krb5_int32 for auth_context_flags - * krb5_int32 for remote_seq_number - * krb5_int32 for local_seq_number - * krb5_int32 for req_cksumtype - * krb5_int32 for safe_cksumtype - * krb5_int32 for size of i_vector - * krb5_int32 for KV5M_AUTH_CONTEXT + * krb5_int32 for KV5M_AUTH_CONTEXT + * krb5_int32 for auth_context_flags + * krb5_int32 for remote_seq_number + * krb5_int32 for local_seq_number + * krb5_int32 for req_cksumtype + * krb5_int32 for safe_cksumtype + * krb5_int32 for size of i_vector + * krb5_int32 for KV5M_AUTH_CONTEXT */ kret = EINVAL; if ((auth_context = (krb5_auth_context) arg)) { - kret = 0; - - /* Calculate size required by i_vector - ptooey */ - if (auth_context->i_vector && auth_context->key) { - enctype = krb5_k_key_enctype(kcontext, auth_context->key); - kret = krb5_c_block_size(kcontext, enctype, &required); - } else { - required = 0; - } - - required += sizeof(krb5_int32)*8; - - /* Calculate size required by remote_addr, if appropriate */ - if (!kret && auth_context->remote_addr) { - kret = krb5_size_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) auth_context->remote_addr, - &required); - if (!kret) - required += sizeof(krb5_int32); - } - - /* Calculate size required by remote_port, if appropriate */ - if (!kret && auth_context->remote_port) { - kret = krb5_size_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) auth_context->remote_port, - &required); - if (!kret) - required += sizeof(krb5_int32); - } - - /* Calculate size required by local_addr, if appropriate */ - if (!kret && auth_context->local_addr) { - kret = krb5_size_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) auth_context->local_addr, - &required); - if (!kret) - required += sizeof(krb5_int32); - } - - /* Calculate size required by local_port, if appropriate */ - if (!kret && auth_context->local_port) { - kret = krb5_size_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) auth_context->local_port, - &required); - if (!kret) - required += sizeof(krb5_int32); - } - - /* Calculate size required by key, if appropriate */ - if (!kret && auth_context->key) { - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, (krb5_pointer) - &auth_context->key->keyblock, - &required); - if (!kret) - required += sizeof(krb5_int32); - } - - /* Calculate size required by send_subkey, if appropriate */ - if (!kret && auth_context->send_subkey) { - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, (krb5_pointer) - &auth_context->send_subkey->keyblock, - &required); - if (!kret) - required += sizeof(krb5_int32); - } - - /* Calculate size required by recv_subkey, if appropriate */ - if (!kret && auth_context->recv_subkey) { - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, (krb5_pointer) - &auth_context->recv_subkey->keyblock, - &required); - if (!kret) - required += sizeof(krb5_int32); - } - - /* Calculate size required by authentp, if appropriate */ - if (!kret && auth_context->authentp) - kret = krb5_size_opaque(kcontext, - KV5M_AUTHENTICATOR, - (krb5_pointer) auth_context->authentp, - &required); + kret = 0; + + /* Calculate size required by i_vector - ptooey */ + if (auth_context->i_vector && auth_context->key) { + enctype = krb5_k_key_enctype(kcontext, auth_context->key); + kret = krb5_c_block_size(kcontext, enctype, &required); + } else { + required = 0; + } + + required += sizeof(krb5_int32)*8; + + /* Calculate size required by remote_addr, if appropriate */ + if (!kret && auth_context->remote_addr) { + kret = krb5_size_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) auth_context->remote_addr, + &required); + if (!kret) + required += sizeof(krb5_int32); + } + + /* Calculate size required by remote_port, if appropriate */ + if (!kret && auth_context->remote_port) { + kret = krb5_size_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) auth_context->remote_port, + &required); + if (!kret) + required += sizeof(krb5_int32); + } + + /* Calculate size required by local_addr, if appropriate */ + if (!kret && auth_context->local_addr) { + kret = krb5_size_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) auth_context->local_addr, + &required); + if (!kret) + required += sizeof(krb5_int32); + } + + /* Calculate size required by local_port, if appropriate */ + if (!kret && auth_context->local_port) { + kret = krb5_size_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) auth_context->local_port, + &required); + if (!kret) + required += sizeof(krb5_int32); + } + + /* Calculate size required by key, if appropriate */ + if (!kret && auth_context->key) { + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, (krb5_pointer) + &auth_context->key->keyblock, + &required); + if (!kret) + required += sizeof(krb5_int32); + } + + /* Calculate size required by send_subkey, if appropriate */ + if (!kret && auth_context->send_subkey) { + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, (krb5_pointer) + &auth_context->send_subkey->keyblock, + &required); + if (!kret) + required += sizeof(krb5_int32); + } + + /* Calculate size required by recv_subkey, if appropriate */ + if (!kret && auth_context->recv_subkey) { + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, (krb5_pointer) + &auth_context->recv_subkey->keyblock, + &required); + if (!kret) + required += sizeof(krb5_int32); + } + + /* Calculate size required by authentp, if appropriate */ + if (!kret && auth_context->authentp) + kret = krb5_size_opaque(kcontext, + KV5M_AUTHENTICATOR, + (krb5_pointer) auth_context->authentp, + &required); } if (!kret) - *sizep += required; + *sizep += required; return(kret); } /* - * krb5_auth_context_externalize() - Externalize the krb5_auth_context. + * krb5_auth_context_externalize() - Externalize the krb5_auth_context. */ static krb5_error_code krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_auth_context auth_context; - size_t required; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_auth_context auth_context; + size_t required; + krb5_octet *bp; + size_t remain; size_t obuf; - krb5_int32 obuf32; - krb5_enctype enctype; + krb5_int32 obuf32; + krb5_enctype enctype; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((auth_context = (krb5_auth_context) arg)) { - kret = ENOMEM; - if (!krb5_auth_context_size(kcontext, arg, &required) && - (required <= remain)) { - - /* Write fixed portion */ - (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain); - (void) krb5_ser_pack_int32(auth_context->auth_context_flags, - &bp, &remain); - (void) krb5_ser_pack_int32(auth_context->remote_seq_number, - &bp, &remain); - (void) krb5_ser_pack_int32(auth_context->local_seq_number, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) auth_context->req_cksumtype, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) auth_context->safe_cksumtype, - &bp, &remain); - - kret = 0; - - /* Now figure out the number of bytes for i_vector and write it */ - if (auth_context->i_vector) { - enctype = krb5_k_key_enctype(kcontext, auth_context->key); - kret = krb5_c_block_size(kcontext, enctype, &obuf); - } else { - obuf = 0; - } - - /* Convert to signed 32 bit integer */ - obuf32 = obuf; - if (kret == 0 && obuf != obuf32) - kret = EINVAL; - if (!kret) - (void) krb5_ser_pack_int32(obuf32, &bp, &remain); - - /* Now copy i_vector */ - if (!kret && auth_context->i_vector) - (void) krb5_ser_pack_bytes(auth_context->i_vector, - obuf, - &bp, &remain); - - /* Now handle remote_addr, if appropriate */ - if (!kret && auth_context->remote_addr) { - (void) krb5_ser_pack_int32(TOKEN_RADDR, &bp, &remain); - kret = krb5_externalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) - auth_context->remote_addr, - &bp, - &remain); - } - - /* Now handle remote_port, if appropriate */ - if (!kret && auth_context->remote_port) { - (void) krb5_ser_pack_int32(TOKEN_RPORT, &bp, &remain); - kret = krb5_externalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) - auth_context->remote_addr, - &bp, - &remain); - } - - /* Now handle local_addr, if appropriate */ - if (!kret && auth_context->local_addr) { - (void) krb5_ser_pack_int32(TOKEN_LADDR, &bp, &remain); - kret = krb5_externalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) - auth_context->local_addr, - &bp, - &remain); - } - - /* Now handle local_port, if appropriate */ - if (!kret && auth_context->local_port) { - (void) krb5_ser_pack_int32(TOKEN_LPORT, &bp, &remain); - kret = krb5_externalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer) - auth_context->local_addr, - &bp, - &remain); - } - - /* Now handle keyblock, if appropriate */ - if (!kret && auth_context->key) { - (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain); - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) - &auth_context->key->keyblock, - &bp, - &remain); - } - - /* Now handle subkey, if appropriate */ - if (!kret && auth_context->send_subkey) { - (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain); - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) &auth_context-> - send_subkey->keyblock, - &bp, - &remain); - } - - /* Now handle subkey, if appropriate */ - if (!kret && auth_context->recv_subkey) { - (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain); - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) &auth_context-> - recv_subkey->keyblock, - &bp, - &remain); - } - - /* Now handle authentp, if appropriate */ - if (!kret && auth_context->authentp) - kret = krb5_externalize_opaque(kcontext, - KV5M_AUTHENTICATOR, - (krb5_pointer) - auth_context->authentp, - &bp, - &remain); - - /* - * If we were successful, write trailer then update the pointer and - * remaining length; - */ - if (!kret) { - /* Write our trailer */ - (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain); - *buffer = bp; - *lenremain = remain; - } - } + kret = ENOMEM; + if (!krb5_auth_context_size(kcontext, arg, &required) && + (required <= remain)) { + + /* Write fixed portion */ + (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain); + (void) krb5_ser_pack_int32(auth_context->auth_context_flags, + &bp, &remain); + (void) krb5_ser_pack_int32(auth_context->remote_seq_number, + &bp, &remain); + (void) krb5_ser_pack_int32(auth_context->local_seq_number, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) auth_context->req_cksumtype, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) auth_context->safe_cksumtype, + &bp, &remain); + + kret = 0; + + /* Now figure out the number of bytes for i_vector and write it */ + if (auth_context->i_vector) { + enctype = krb5_k_key_enctype(kcontext, auth_context->key); + kret = krb5_c_block_size(kcontext, enctype, &obuf); + } else { + obuf = 0; + } + + /* Convert to signed 32 bit integer */ + obuf32 = obuf; + if (kret == 0 && obuf != obuf32) + kret = EINVAL; + if (!kret) + (void) krb5_ser_pack_int32(obuf32, &bp, &remain); + + /* Now copy i_vector */ + if (!kret && auth_context->i_vector) + (void) krb5_ser_pack_bytes(auth_context->i_vector, + obuf, + &bp, &remain); + + /* Now handle remote_addr, if appropriate */ + if (!kret && auth_context->remote_addr) { + (void) krb5_ser_pack_int32(TOKEN_RADDR, &bp, &remain); + kret = krb5_externalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) + auth_context->remote_addr, + &bp, + &remain); + } + + /* Now handle remote_port, if appropriate */ + if (!kret && auth_context->remote_port) { + (void) krb5_ser_pack_int32(TOKEN_RPORT, &bp, &remain); + kret = krb5_externalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) + auth_context->remote_addr, + &bp, + &remain); + } + + /* Now handle local_addr, if appropriate */ + if (!kret && auth_context->local_addr) { + (void) krb5_ser_pack_int32(TOKEN_LADDR, &bp, &remain); + kret = krb5_externalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) + auth_context->local_addr, + &bp, + &remain); + } + + /* Now handle local_port, if appropriate */ + if (!kret && auth_context->local_port) { + (void) krb5_ser_pack_int32(TOKEN_LPORT, &bp, &remain); + kret = krb5_externalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer) + auth_context->local_addr, + &bp, + &remain); + } + + /* Now handle keyblock, if appropriate */ + if (!kret && auth_context->key) { + (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain); + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) + &auth_context->key->keyblock, + &bp, + &remain); + } + + /* Now handle subkey, if appropriate */ + if (!kret && auth_context->send_subkey) { + (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain); + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) &auth_context-> + send_subkey->keyblock, + &bp, + &remain); + } + + /* Now handle subkey, if appropriate */ + if (!kret && auth_context->recv_subkey) { + (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain); + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) &auth_context-> + recv_subkey->keyblock, + &bp, + &remain); + } + + /* Now handle authentp, if appropriate */ + if (!kret && auth_context->authentp) + kret = krb5_externalize_opaque(kcontext, + KV5M_AUTHENTICATOR, + (krb5_pointer) + auth_context->authentp, + &bp, + &remain); + + /* + * If we were successful, write trailer then update the pointer and + * remaining length; + */ + if (!kret) { + /* Write our trailer */ + (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain); + *buffer = bp; + *lenremain = remain; + } + } } return(kret); } @@ -354,195 +355,195 @@ intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp) krb5_error_code ret; ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK, - (krb5_pointer *) &keyblock, bp, sp); + (krb5_pointer *) &keyblock, bp, sp); if (ret != 0) - return ret; + return ret; ret = krb5_k_create_key(ctx, keyblock, key); krb5_free_keyblock(ctx, keyblock); return ret; } /* - * krb5_auth_context_internalize() - Internalize the krb5_auth_context. + * krb5_auth_context_internalize() - Internalize the krb5_auth_context. */ static krb5_error_code krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_auth_context auth_context; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - krb5_int32 ivlen; - krb5_int32 tag; + krb5_error_code kret; + krb5_auth_context auth_context; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + krb5_int32 ivlen; + krb5_int32 tag; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_AUTH_CONTEXT) { - kret = ENOMEM; - - /* Get memory for the auth_context */ - if ((remain >= (5*sizeof(krb5_int32))) && - (auth_context = (krb5_auth_context) - calloc(1, sizeof(struct _krb5_auth_context)))) { - - /* Get auth_context_flags */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - auth_context->auth_context_flags = ibuf; - - /* Get remote_seq_number */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - auth_context->remote_seq_number = ibuf; - - /* Get local_seq_number */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - auth_context->local_seq_number = ibuf; - - /* Get req_cksumtype */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - auth_context->req_cksumtype = (krb5_cksumtype) ibuf; - - /* Get safe_cksumtype */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - auth_context->safe_cksumtype = (krb5_cksumtype) ibuf; - - /* Get length of i_vector */ - (void) krb5_ser_unpack_int32(&ivlen, &bp, &remain); - - if (ivlen) { - if ((auth_context->i_vector = - (krb5_pointer) malloc((size_t)ivlen))) - kret = krb5_ser_unpack_bytes(auth_context->i_vector, - (size_t) ivlen, - &bp, - &remain); - else - kret = ENOMEM; - } - else - kret = 0; - - /* Peek at next token */ - tag = 0; - if (!kret) - kret = krb5_ser_unpack_int32(&tag, &bp, &remain); - - /* This is the remote_addr */ - if (!kret && (tag == TOKEN_RADDR)) { - if (!(kret = krb5_internalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer *) - &auth_context-> - remote_addr, - &bp, - &remain))) - kret = krb5_ser_unpack_int32(&tag, &bp, &remain); - } - - /* This is the remote_port */ - if (!kret && (tag == TOKEN_RPORT)) { - if (!(kret = krb5_internalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer *) - &auth_context-> - remote_port, - &bp, - &remain))) - kret = krb5_ser_unpack_int32(&tag, &bp, &remain); - } - - /* This is the local_addr */ - if (!kret && (tag == TOKEN_LADDR)) { - if (!(kret = krb5_internalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer *) - &auth_context-> - local_addr, - &bp, - &remain))) - kret = krb5_ser_unpack_int32(&tag, &bp, &remain); - } - - /* This is the local_port */ - if (!kret && (tag == TOKEN_LPORT)) { - if (!(kret = krb5_internalize_opaque(kcontext, - KV5M_ADDRESS, - (krb5_pointer *) - &auth_context-> - local_port, - &bp, - &remain))) - kret = krb5_ser_unpack_int32(&tag, &bp, &remain); - } - - /* This is the keyblock */ - if (!kret && (tag == TOKEN_KEYBLOCK)) { - if (!(kret = intern_key(kcontext, - &auth_context->key, - &bp, - &remain))) - kret = krb5_ser_unpack_int32(&tag, &bp, &remain); - } - - /* This is the send_subkey */ - if (!kret && (tag == TOKEN_LSKBLOCK)) { - if (!(kret = intern_key(kcontext, - &auth_context->send_subkey, - &bp, - &remain))) - kret = krb5_ser_unpack_int32(&tag, &bp, &remain); - } - - /* This is the recv_subkey */ - if (!kret) { - if (tag == TOKEN_RSKBLOCK) { - kret = intern_key(kcontext, - &auth_context->recv_subkey, - &bp, - &remain); - } - else { - /* - * We read the next tag, but it's not of any use here, so - * we effectively 'unget' it here. - */ - bp -= sizeof(krb5_int32); - remain += sizeof(krb5_int32); - } - } - - /* Now find the authentp */ - if (!kret) { - if ((kret = krb5_internalize_opaque(kcontext, - KV5M_AUTHENTICATOR, - (krb5_pointer *) - &auth_context->authentp, - &bp, - &remain))) { - if (kret == EINVAL) - kret = 0; - } - } - - /* Finally, find the trailer */ - if (!kret) { - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && (ibuf != KV5M_AUTH_CONTEXT)) - kret = EINVAL; - } - if (!kret) { - *buffer = bp; - *lenremain = remain; - auth_context->magic = KV5M_AUTH_CONTEXT; - *argp = (krb5_pointer) auth_context; - } - else - krb5_auth_con_free(kcontext, auth_context); - } + kret = ENOMEM; + + /* Get memory for the auth_context */ + if ((remain >= (5*sizeof(krb5_int32))) && + (auth_context = (krb5_auth_context) + calloc(1, sizeof(struct _krb5_auth_context)))) { + + /* Get auth_context_flags */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + auth_context->auth_context_flags = ibuf; + + /* Get remote_seq_number */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + auth_context->remote_seq_number = ibuf; + + /* Get local_seq_number */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + auth_context->local_seq_number = ibuf; + + /* Get req_cksumtype */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + auth_context->req_cksumtype = (krb5_cksumtype) ibuf; + + /* Get safe_cksumtype */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + auth_context->safe_cksumtype = (krb5_cksumtype) ibuf; + + /* Get length of i_vector */ + (void) krb5_ser_unpack_int32(&ivlen, &bp, &remain); + + if (ivlen) { + if ((auth_context->i_vector = + (krb5_pointer) malloc((size_t)ivlen))) + kret = krb5_ser_unpack_bytes(auth_context->i_vector, + (size_t) ivlen, + &bp, + &remain); + else + kret = ENOMEM; + } + else + kret = 0; + + /* Peek at next token */ + tag = 0; + if (!kret) + kret = krb5_ser_unpack_int32(&tag, &bp, &remain); + + /* This is the remote_addr */ + if (!kret && (tag == TOKEN_RADDR)) { + if (!(kret = krb5_internalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer *) + &auth_context-> + remote_addr, + &bp, + &remain))) + kret = krb5_ser_unpack_int32(&tag, &bp, &remain); + } + + /* This is the remote_port */ + if (!kret && (tag == TOKEN_RPORT)) { + if (!(kret = krb5_internalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer *) + &auth_context-> + remote_port, + &bp, + &remain))) + kret = krb5_ser_unpack_int32(&tag, &bp, &remain); + } + + /* This is the local_addr */ + if (!kret && (tag == TOKEN_LADDR)) { + if (!(kret = krb5_internalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer *) + &auth_context-> + local_addr, + &bp, + &remain))) + kret = krb5_ser_unpack_int32(&tag, &bp, &remain); + } + + /* This is the local_port */ + if (!kret && (tag == TOKEN_LPORT)) { + if (!(kret = krb5_internalize_opaque(kcontext, + KV5M_ADDRESS, + (krb5_pointer *) + &auth_context-> + local_port, + &bp, + &remain))) + kret = krb5_ser_unpack_int32(&tag, &bp, &remain); + } + + /* This is the keyblock */ + if (!kret && (tag == TOKEN_KEYBLOCK)) { + if (!(kret = intern_key(kcontext, + &auth_context->key, + &bp, + &remain))) + kret = krb5_ser_unpack_int32(&tag, &bp, &remain); + } + + /* This is the send_subkey */ + if (!kret && (tag == TOKEN_LSKBLOCK)) { + if (!(kret = intern_key(kcontext, + &auth_context->send_subkey, + &bp, + &remain))) + kret = krb5_ser_unpack_int32(&tag, &bp, &remain); + } + + /* This is the recv_subkey */ + if (!kret) { + if (tag == TOKEN_RSKBLOCK) { + kret = intern_key(kcontext, + &auth_context->recv_subkey, + &bp, + &remain); + } + else { + /* + * We read the next tag, but it's not of any use here, so + * we effectively 'unget' it here. + */ + bp -= sizeof(krb5_int32); + remain += sizeof(krb5_int32); + } + } + + /* Now find the authentp */ + if (!kret) { + if ((kret = krb5_internalize_opaque(kcontext, + KV5M_AUTHENTICATOR, + (krb5_pointer *) + &auth_context->authentp, + &bp, + &remain))) { + if (kret == EINVAL) + kret = 0; + } + } + + /* Finally, find the trailer */ + if (!kret) { + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (!kret && (ibuf != KV5M_AUTH_CONTEXT)) + kret = EINVAL; + } + if (!kret) { + *buffer = bp; + *lenremain = remain; + auth_context->magic = KV5M_AUTH_CONTEXT; + *argp = (krb5_pointer) auth_context; + } + else + krb5_auth_con_free(kcontext, auth_context); + } } return(kret); } @@ -553,23 +554,23 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init(krb5_context kcontext) { - krb5_error_code kret; + krb5_error_code kret; kret = krb5_register_serializer(kcontext, &krb5_auth_context_ser_entry); if (!kret) - kret = krb5_ser_authdata_init(kcontext); + kret = krb5_ser_authdata_init(kcontext); if (!kret) - kret = krb5_ser_address_init(kcontext); + kret = krb5_ser_address_init(kcontext); #ifndef LEAN_CLIENT if (!kret) - kret = krb5_ser_authenticator_init(kcontext); + kret = krb5_ser_authenticator_init(kcontext); #endif if (!kret) - kret = krb5_ser_checksum_init(kcontext); + kret = krb5_ser_checksum_init(kcontext); if (!kret) - kret = krb5_ser_keyblock_init(kcontext); + kret = krb5_ser_keyblock_init(kcontext); if (!kret) - kret = krb5_ser_principal_init(kcontext); + kret = krb5_ser_principal_init(kcontext); if (!kret) - kret = krb5_ser_authdata_context_init(kcontext); + kret = krb5_ser_authdata_context_init(kcontext); return(kret); } diff --git a/src/lib/krb5/krb/ser_adata.c b/src/lib/krb5/krb/ser_adata.c index 82d04dce1..77a76fdae 100644 --- a/src/lib/krb5/krb/ser_adata.c +++ b/src/lib/krb5/krb/ser_adata.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_adata.c * @@ -33,157 +34,157 @@ /* * Routines to deal with externalizing the krb5_authdata: - * krb5_authdata_size(); - * krb5_authdata_externalize(); - * krb5_authdata_internalize(); + * krb5_authdata_size(); + * krb5_authdata_externalize(); + * krb5_authdata_internalize(); */ static krb5_error_code krb5_authdata_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_authdata_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_authdata_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_authdata_ser_entry = { - KV5M_AUTHDATA, /* Type */ - krb5_authdata_size, /* Sizer routine */ - krb5_authdata_externalize, /* Externalize routine */ - krb5_authdata_internalize /* Internalize routine */ + KV5M_AUTHDATA, /* Type */ + krb5_authdata_size, /* Sizer routine */ + krb5_authdata_externalize, /* Externalize routine */ + krb5_authdata_internalize /* Internalize routine */ }; /* - * krb5_authdata_esize() - Determine the size required to externalize - * the krb5_authdata. + * krb5_authdata_esize() - Determine the size required to externalize + * the krb5_authdata. */ static krb5_error_code krb5_authdata_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_authdata *authdata; + krb5_error_code kret; + krb5_authdata *authdata; /* * krb5_authdata requires: - * krb5_int32 for KV5M_AUTHDATA - * krb5_int32 for ad_type - * krb5_int32 for length - * authdata->length for contents - * krb5_int32 for KV5M_AUTHDATA + * krb5_int32 for KV5M_AUTHDATA + * krb5_int32 for ad_type + * krb5_int32 for length + * authdata->length for contents + * krb5_int32 for KV5M_AUTHDATA */ kret = EINVAL; if ((authdata = (krb5_authdata *) arg)) { - *sizep += (sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - (size_t) authdata->length); - kret = 0; + *sizep += (sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + (size_t) authdata->length); + kret = 0; } return(kret); } /* - * krb5_authdata_externalize() - Externalize the krb5_authdata. + * krb5_authdata_externalize() - Externalize the krb5_authdata. */ static krb5_error_code krb5_authdata_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_authdata *authdata; - size_t required; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_authdata *authdata; + size_t required; + krb5_octet *bp; + size_t remain; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((authdata = (krb5_authdata *) arg)) { - kret = ENOMEM; - if (!krb5_authdata_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain); - - /* Our ad_type */ - (void) krb5_ser_pack_int32((krb5_int32) authdata->ad_type, - &bp, &remain); + kret = ENOMEM; + if (!krb5_authdata_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain); - /* Our length */ - (void) krb5_ser_pack_int32((krb5_int32) authdata->length, - &bp, &remain); + /* Our ad_type */ + (void) krb5_ser_pack_int32((krb5_int32) authdata->ad_type, + &bp, &remain); - /* Our contents */ - (void) krb5_ser_pack_bytes(authdata->contents, - (size_t) authdata->length, - &bp, &remain); + /* Our length */ + (void) krb5_ser_pack_int32((krb5_int32) authdata->length, + &bp, &remain); - /* Finally, our trailer */ - (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain); - kret = 0; - *buffer = bp; - *lenremain = remain; - } + /* Our contents */ + (void) krb5_ser_pack_bytes(authdata->contents, + (size_t) authdata->length, + &bp, &remain); + + /* Finally, our trailer */ + (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain); + kret = 0; + *buffer = bp; + *lenremain = remain; + } } return(kret); } /* - * krb5_authdata_internalize() - Internalize the krb5_authdata. + * krb5_authdata_internalize() - Internalize the krb5_authdata. */ static krb5_error_code krb5_authdata_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_authdata *authdata; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_authdata *authdata; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_AUTHDATA) { - kret = ENOMEM; + kret = ENOMEM; - /* Get a authdata */ - if ((remain >= (2*sizeof(krb5_int32))) && - (authdata = (krb5_authdata *) calloc(1, sizeof(krb5_authdata)))) { + /* Get a authdata */ + if ((remain >= (2*sizeof(krb5_int32))) && + (authdata = (krb5_authdata *) calloc(1, sizeof(krb5_authdata)))) { - /* Get the ad_type */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - authdata->ad_type = (krb5_authdatatype) ibuf; + /* Get the ad_type */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + authdata->ad_type = (krb5_authdatatype) ibuf; - /* Get the length */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - authdata->length = (int) ibuf; + /* Get the length */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + authdata->length = (int) ibuf; - /* Get the string */ - if ((authdata->contents = (krb5_octet *) - malloc((size_t) (ibuf))) && - !(kret = krb5_ser_unpack_bytes(authdata->contents, - (size_t) ibuf, - &bp, &remain))) { - if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) - ibuf = 0; - if (ibuf == KV5M_AUTHDATA) { - authdata->magic = KV5M_AUTHDATA; - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) authdata; - } - else - kret = EINVAL; - } - if (kret) { - if (authdata->contents) - free(authdata->contents); - free(authdata); - } - } + /* Get the string */ + if ((authdata->contents = (krb5_octet *) + malloc((size_t) (ibuf))) && + !(kret = krb5_ser_unpack_bytes(authdata->contents, + (size_t) ibuf, + &bp, &remain))) { + if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) + ibuf = 0; + if (ibuf == KV5M_AUTHDATA) { + authdata->magic = KV5M_AUTHDATA; + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) authdata; + } + else + kret = EINVAL; + } + if (kret) { + if (authdata->contents) + free(authdata->contents); + free(authdata); + } + } } return(kret); } diff --git a/src/lib/krb5/krb/ser_addr.c b/src/lib/krb5/krb/ser_addr.c index 11b7f6abf..e7b642130 100644 --- a/src/lib/krb5/krb/ser_addr.c +++ b/src/lib/krb5/krb/ser_addr.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_addr.c * @@ -33,161 +34,161 @@ /* * Routines to deal with externalizing the krb5_address: - * krb5_address_size(); - * krb5_address_externalize(); - * krb5_address_internalize(); + * krb5_address_size(); + * krb5_address_externalize(); + * krb5_address_internalize(); */ static krb5_error_code krb5_address_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_address_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_address_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_address_ser_entry = { - KV5M_ADDRESS, /* Type */ - krb5_address_size, /* Sizer routine */ - krb5_address_externalize, /* Externalize routine */ - krb5_address_internalize /* Internalize routine */ + KV5M_ADDRESS, /* Type */ + krb5_address_size, /* Sizer routine */ + krb5_address_externalize, /* Externalize routine */ + krb5_address_internalize /* Internalize routine */ }; /* - * krb5_address_size() - Determine the size required to externalize - * the krb5_address. + * krb5_address_size() - Determine the size required to externalize + * the krb5_address. */ static krb5_error_code krb5_address_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_address *address; + krb5_error_code kret; + krb5_address *address; /* * krb5_address requires: - * krb5_int32 for KV5M_ADDRESS - * krb5_int32 for addrtype - * krb5_int32 for length - * address->length for contents - * krb5_int32 for KV5M_ADDRESS + * krb5_int32 for KV5M_ADDRESS + * krb5_int32 for addrtype + * krb5_int32 for length + * address->length for contents + * krb5_int32 for KV5M_ADDRESS */ kret = EINVAL; if ((address = (krb5_address *) arg)) { - *sizep += (sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - (size_t) address->length); - kret = 0; + *sizep += (sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + (size_t) address->length); + kret = 0; } return(kret); } /* - * krb5_address_externalize() - Externalize the krb5_address. + * krb5_address_externalize() - Externalize the krb5_address. */ static krb5_error_code krb5_address_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_address *address; - size_t required; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_address *address; + size_t required; + krb5_octet *bp; + size_t remain; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((address = (krb5_address *) arg)) { - kret = ENOMEM; - if (!krb5_address_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain); - - /* Our addrtype */ - (void) krb5_ser_pack_int32((krb5_int32) address->addrtype, - &bp, &remain); - - /* Our length */ - (void) krb5_ser_pack_int32((krb5_int32) address->length, - &bp, &remain); - - /* Our contents */ - (void) krb5_ser_pack_bytes(address->contents, - (size_t) address->length, - &bp, &remain); - - /* Finally, our trailer */ - (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain); - - kret = 0; - *buffer = bp; - *lenremain = remain; - } + kret = ENOMEM; + if (!krb5_address_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain); + + /* Our addrtype */ + (void) krb5_ser_pack_int32((krb5_int32) address->addrtype, + &bp, &remain); + + /* Our length */ + (void) krb5_ser_pack_int32((krb5_int32) address->length, + &bp, &remain); + + /* Our contents */ + (void) krb5_ser_pack_bytes(address->contents, + (size_t) address->length, + &bp, &remain); + + /* Finally, our trailer */ + (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain); + + kret = 0; + *buffer = bp; + *lenremain = remain; + } } return(kret); } /* - * krb5_address_internalize() - Internalize the krb5_address. + * krb5_address_internalize() - Internalize the krb5_address. */ static krb5_error_code krb5_address_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_address *address; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_address *address; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_ADDRESS) { - kret = ENOMEM; - - /* Get a address */ - if ((remain >= (2*sizeof(krb5_int32))) && - (address = (krb5_address *) calloc(1, sizeof(krb5_address)))) { - - address->magic = KV5M_ADDRESS; - - /* Get the addrtype */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - address->addrtype = (krb5_addrtype) ibuf; - - /* Get the length */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - address->length = (int) ibuf; - - /* Get the string */ - if ((address->contents = (krb5_octet *) malloc((size_t) (ibuf))) && - !(kret = krb5_ser_unpack_bytes(address->contents, - (size_t) ibuf, - &bp, &remain))) { - /* Get the trailer */ - if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) - ibuf = 0; - - if (!kret && (ibuf == KV5M_ADDRESS)) { - address->magic = KV5M_ADDRESS; - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) address; - } - else - kret = EINVAL; - } - if (kret) { - if (address->contents) - free(address->contents); - free(address); - } - } + kret = ENOMEM; + + /* Get a address */ + if ((remain >= (2*sizeof(krb5_int32))) && + (address = (krb5_address *) calloc(1, sizeof(krb5_address)))) { + + address->magic = KV5M_ADDRESS; + + /* Get the addrtype */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + address->addrtype = (krb5_addrtype) ibuf; + + /* Get the length */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + address->length = (int) ibuf; + + /* Get the string */ + if ((address->contents = (krb5_octet *) malloc((size_t) (ibuf))) && + !(kret = krb5_ser_unpack_bytes(address->contents, + (size_t) ibuf, + &bp, &remain))) { + /* Get the trailer */ + if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) + ibuf = 0; + + if (!kret && (ibuf == KV5M_ADDRESS)) { + address->magic = KV5M_ADDRESS; + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) address; + } + else + kret = EINVAL; + } + if (kret) { + if (address->contents) + free(address->contents); + free(address); + } + } } return(kret); } diff --git a/src/lib/krb5/krb/ser_auth.c b/src/lib/krb5/krb/ser_auth.c index 6951f92fa..23b9b5745 100644 --- a/src/lib/krb5/krb/ser_auth.c +++ b/src/lib/krb5/krb/ser_auth.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_auth.c * @@ -36,305 +37,305 @@ /* * Routines to deal with externalizing the krb5_authenticator: - * krb5_authenticator_size(); - * krb5_authenticator_externalize(); - * krb5_authenticator_internalize(); + * krb5_authenticator_size(); + * krb5_authenticator_externalize(); + * krb5_authenticator_internalize(); */ static krb5_error_code krb5_authenticator_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_authenticator_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_authenticator_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_authenticator_ser_entry = { - KV5M_AUTHENTICATOR, /* Type */ - krb5_authenticator_size, /* Sizer routine */ - krb5_authenticator_externalize, /* Externalize routine */ - krb5_authenticator_internalize /* Internalize routine */ + KV5M_AUTHENTICATOR, /* Type */ + krb5_authenticator_size, /* Sizer routine */ + krb5_authenticator_externalize, /* Externalize routine */ + krb5_authenticator_internalize /* Internalize routine */ }; /* - * krb5_authenticator_size() - Determine the size required to externalize - * the krb5_authenticator. + * krb5_authenticator_size() - Determine the size required to externalize + * the krb5_authenticator. */ static krb5_error_code krb5_authenticator_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_authenticator *authenticator; - size_t required; + krb5_error_code kret; + krb5_authenticator *authenticator; + size_t required; /* * krb5_authenticator requires at minimum: - * krb5_int32 for KV5M_AUTHENTICATOR - * krb5_int32 for seconds - * krb5_int32 for cusec - * krb5_int32 for seq_number - * krb5_int32 for number in authorization_data array. - * krb5_int32 for KV5M_AUTHENTICATOR + * krb5_int32 for KV5M_AUTHENTICATOR + * krb5_int32 for seconds + * krb5_int32 for cusec + * krb5_int32 for seq_number + * krb5_int32 for number in authorization_data array. + * krb5_int32 for KV5M_AUTHENTICATOR */ kret = EINVAL; if ((authenticator = (krb5_authenticator *) arg)) { - required = sizeof(krb5_int32)*6; - - /* Calculate size required by client, if appropriate */ - if (authenticator->client) - kret = krb5_size_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer) authenticator->client, - &required); - else - kret = 0; - - /* Calculate size required by checksum, if appropriate */ - if (!kret && authenticator->checksum) - kret = krb5_size_opaque(kcontext, - KV5M_CHECKSUM, - (krb5_pointer) authenticator->checksum, - &required); - - /* Calculate size required by subkey, if appropriate */ - if (!kret && authenticator->subkey) - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) authenticator->subkey, - &required); - - /* Calculate size required by authorization_data, if appropriate */ - if (!kret && authenticator->authorization_data) { - int i; - - for (i=0; !kret && authenticator->authorization_data[i]; i++) { - kret = krb5_size_opaque(kcontext, - KV5M_AUTHDATA, - (krb5_pointer) authenticator-> - authorization_data[i], - &required); - } - } + required = sizeof(krb5_int32)*6; + + /* Calculate size required by client, if appropriate */ + if (authenticator->client) + kret = krb5_size_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer) authenticator->client, + &required); + else + kret = 0; + + /* Calculate size required by checksum, if appropriate */ + if (!kret && authenticator->checksum) + kret = krb5_size_opaque(kcontext, + KV5M_CHECKSUM, + (krb5_pointer) authenticator->checksum, + &required); + + /* Calculate size required by subkey, if appropriate */ + if (!kret && authenticator->subkey) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) authenticator->subkey, + &required); + + /* Calculate size required by authorization_data, if appropriate */ + if (!kret && authenticator->authorization_data) { + int i; + + for (i=0; !kret && authenticator->authorization_data[i]; i++) { + kret = krb5_size_opaque(kcontext, + KV5M_AUTHDATA, + (krb5_pointer) authenticator-> + authorization_data[i], + &required); + } + } } if (!kret) - *sizep += required; + *sizep += required; return(kret); } /* - * krb5_authenticator_externalize() - Externalize the krb5_authenticator. + * krb5_authenticator_externalize() - Externalize the krb5_authenticator. */ static krb5_error_code krb5_authenticator_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_authenticator *authenticator; - size_t required; - krb5_octet *bp; - size_t remain; - int i; + krb5_error_code kret; + krb5_authenticator *authenticator; + size_t required; + krb5_octet *bp; + size_t remain; + int i; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((authenticator = (krb5_authenticator *) arg)) { - kret = ENOMEM; - if (!krb5_authenticator_size(kcontext, arg, &required) && - (required <= remain)) { - /* First write our magic number */ - (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain); - - /* Now ctime */ - (void) krb5_ser_pack_int32((krb5_int32) authenticator->ctime, - &bp, &remain); - - /* Now cusec */ - (void) krb5_ser_pack_int32((krb5_int32) authenticator->cusec, - &bp, &remain); - - /* Now seq_number */ - (void) krb5_ser_pack_int32(authenticator->seq_number, - &bp, &remain); - - /* Now handle client, if appropriate */ - if (authenticator->client) - kret = krb5_externalize_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer) - authenticator->client, - &bp, - &remain); - else - kret = 0; - - /* Now handle checksum, if appropriate */ - if (!kret && authenticator->checksum) - kret = krb5_externalize_opaque(kcontext, - KV5M_CHECKSUM, - (krb5_pointer) - authenticator->checksum, - &bp, - &remain); - - /* Now handle subkey, if appropriate */ - if (!kret && authenticator->subkey) - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) - authenticator->subkey, - &bp, - &remain); - - /* Now handle authorization_data, if appropriate */ - if (!kret) { - if (authenticator->authorization_data) - for (i=0; authenticator->authorization_data[i]; i++); - else - i = 0; - (void) krb5_ser_pack_int32((krb5_int32) i, &bp, &remain); - - /* Now pound out the authorization_data */ - if (authenticator->authorization_data) { - for (i=0; !kret && authenticator->authorization_data[i]; - i++) - kret = krb5_externalize_opaque(kcontext, - KV5M_AUTHDATA, - (krb5_pointer) - authenticator-> - authorization_data[i], - &bp, - &remain); - } - } - - /* - * If we were successful, write trailer then update the pointer and - * remaining length; - */ - if (!kret) { - /* Write our trailer */ - (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain); - *buffer = bp; - *lenremain = remain; - } - } + kret = ENOMEM; + if (!krb5_authenticator_size(kcontext, arg, &required) && + (required <= remain)) { + /* First write our magic number */ + (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain); + + /* Now ctime */ + (void) krb5_ser_pack_int32((krb5_int32) authenticator->ctime, + &bp, &remain); + + /* Now cusec */ + (void) krb5_ser_pack_int32((krb5_int32) authenticator->cusec, + &bp, &remain); + + /* Now seq_number */ + (void) krb5_ser_pack_int32(authenticator->seq_number, + &bp, &remain); + + /* Now handle client, if appropriate */ + if (authenticator->client) + kret = krb5_externalize_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer) + authenticator->client, + &bp, + &remain); + else + kret = 0; + + /* Now handle checksum, if appropriate */ + if (!kret && authenticator->checksum) + kret = krb5_externalize_opaque(kcontext, + KV5M_CHECKSUM, + (krb5_pointer) + authenticator->checksum, + &bp, + &remain); + + /* Now handle subkey, if appropriate */ + if (!kret && authenticator->subkey) + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) + authenticator->subkey, + &bp, + &remain); + + /* Now handle authorization_data, if appropriate */ + if (!kret) { + if (authenticator->authorization_data) + for (i=0; authenticator->authorization_data[i]; i++); + else + i = 0; + (void) krb5_ser_pack_int32((krb5_int32) i, &bp, &remain); + + /* Now pound out the authorization_data */ + if (authenticator->authorization_data) { + for (i=0; !kret && authenticator->authorization_data[i]; + i++) + kret = krb5_externalize_opaque(kcontext, + KV5M_AUTHDATA, + (krb5_pointer) + authenticator-> + authorization_data[i], + &bp, + &remain); + } + } + + /* + * If we were successful, write trailer then update the pointer and + * remaining length; + */ + if (!kret) { + /* Write our trailer */ + (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain); + *buffer = bp; + *lenremain = remain; + } + } } return(kret); } /* - * krb5_authenticator_internalize() - Internalize the krb5_authenticator. + * krb5_authenticator_internalize() - Internalize the krb5_authenticator. */ static krb5_error_code krb5_authenticator_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_authenticator *authenticator; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - int i; - krb5_int32 nadata; - size_t len; + krb5_error_code kret; + krb5_authenticator *authenticator; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + int i; + krb5_int32 nadata; + size_t len; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_AUTHENTICATOR) { - kret = ENOMEM; - - /* Get memory for the authenticator */ - if ((remain >= (3*sizeof(krb5_int32))) && - (authenticator = (krb5_authenticator *) - calloc(1, sizeof(krb5_authenticator)))) { - - /* Get ctime */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - authenticator->ctime = (krb5_timestamp) ibuf; - - /* Get cusec */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - authenticator->cusec = ibuf; - - /* Get seq_number */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - authenticator->seq_number = ibuf; - - kret = 0; - - /* Attempt to read in the client */ - kret = krb5_internalize_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer *) - &authenticator->client, - &bp, - &remain); - if (kret == EINVAL) - kret = 0; - - /* Attempt to read in the checksum */ - if (!kret) { - kret = krb5_internalize_opaque(kcontext, - KV5M_CHECKSUM, - (krb5_pointer *) - &authenticator->checksum, - &bp, - &remain); - if (kret == EINVAL) - kret = 0; - } - - /* Attempt to read in the subkey */ - if (!kret) { - kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) - &authenticator->subkey, - &bp, - &remain); - if (kret == EINVAL) - kret = 0; - } - - /* Attempt to read in the authorization data count */ - if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) { - nadata = ibuf; - len = (size_t) (nadata + 1); - - /* Get memory for the authorization data pointers */ - if ((authenticator->authorization_data = (krb5_authdata **) - calloc(len, sizeof(krb5_authdata *)))) { - for (i=0; !kret && (i - authorization_data[i], - &bp, - &remain); - } - - /* Finally, find the trailer */ - if (!kret) { - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && (ibuf == KV5M_AUTHENTICATOR)) - authenticator->magic = KV5M_AUTHENTICATOR; - else - kret = EINVAL; - } - } - } - if (!kret) { - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) authenticator; - } - else - krb5_free_authenticator(kcontext, authenticator); - } + kret = ENOMEM; + + /* Get memory for the authenticator */ + if ((remain >= (3*sizeof(krb5_int32))) && + (authenticator = (krb5_authenticator *) + calloc(1, sizeof(krb5_authenticator)))) { + + /* Get ctime */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + authenticator->ctime = (krb5_timestamp) ibuf; + + /* Get cusec */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + authenticator->cusec = ibuf; + + /* Get seq_number */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + authenticator->seq_number = ibuf; + + kret = 0; + + /* Attempt to read in the client */ + kret = krb5_internalize_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer *) + &authenticator->client, + &bp, + &remain); + if (kret == EINVAL) + kret = 0; + + /* Attempt to read in the checksum */ + if (!kret) { + kret = krb5_internalize_opaque(kcontext, + KV5M_CHECKSUM, + (krb5_pointer *) + &authenticator->checksum, + &bp, + &remain); + if (kret == EINVAL) + kret = 0; + } + + /* Attempt to read in the subkey */ + if (!kret) { + kret = krb5_internalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer *) + &authenticator->subkey, + &bp, + &remain); + if (kret == EINVAL) + kret = 0; + } + + /* Attempt to read in the authorization data count */ + if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) { + nadata = ibuf; + len = (size_t) (nadata + 1); + + /* Get memory for the authorization data pointers */ + if ((authenticator->authorization_data = (krb5_authdata **) + calloc(len, sizeof(krb5_authdata *)))) { + for (i=0; !kret && (i + authorization_data[i], + &bp, + &remain); + } + + /* Finally, find the trailer */ + if (!kret) { + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (!kret && (ibuf == KV5M_AUTHENTICATOR)) + authenticator->magic = KV5M_AUTHENTICATOR; + else + kret = EINVAL; + } + } + } + if (!kret) { + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) authenticator; + } + else + krb5_free_authenticator(kcontext, authenticator); + } } return(kret); } diff --git a/src/lib/krb5/krb/ser_cksum.c b/src/lib/krb5/krb/ser_cksum.c index 8d2870249..4d194c7d0 100644 --- a/src/lib/krb5/krb/ser_cksum.c +++ b/src/lib/krb5/krb/ser_cksum.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_cksum.c * @@ -33,159 +34,159 @@ /* * Routines to deal with externalizing the krb5_checksum: - * krb5_checksum_esize(); - * krb5_checksum_externalize(); - * krb5_checksum_internalize(); + * krb5_checksum_esize(); + * krb5_checksum_externalize(); + * krb5_checksum_internalize(); */ static krb5_error_code krb5_checksum_esize - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_checksum_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_checksum_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_checksum_ser_entry = { - KV5M_CHECKSUM, /* Type */ - krb5_checksum_esize, /* Sizer routine */ - krb5_checksum_externalize, /* Externalize routine */ - krb5_checksum_internalize /* Internalize routine */ + KV5M_CHECKSUM, /* Type */ + krb5_checksum_esize, /* Sizer routine */ + krb5_checksum_externalize, /* Externalize routine */ + krb5_checksum_internalize /* Internalize routine */ }; /* - * krb5_checksum_esize() - Determine the size required to externalize - * the krb5_checksum. + * krb5_checksum_esize() - Determine the size required to externalize + * the krb5_checksum. */ static krb5_error_code krb5_checksum_esize(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_checksum *checksum; + krb5_error_code kret; + krb5_checksum *checksum; /* * krb5_checksum requires: - * krb5_int32 for KV5M_CHECKSUM - * krb5_int32 for checksum_type - * krb5_int32 for length - * krb5_int32 for KV5M_CHECKSUM - * checksum->length for contents + * krb5_int32 for KV5M_CHECKSUM + * krb5_int32 for checksum_type + * krb5_int32 for length + * krb5_int32 for KV5M_CHECKSUM + * checksum->length for contents */ kret = EINVAL; if ((checksum = (krb5_checksum *) arg)) { - *sizep += (sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - (size_t) checksum->length); - kret = 0; + *sizep += (sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + (size_t) checksum->length); + kret = 0; } return(kret); } /* - * krb5_checksum_externalize() - Externalize the krb5_checksum. + * krb5_checksum_externalize() - Externalize the krb5_checksum. */ static krb5_error_code krb5_checksum_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_checksum *checksum; - size_t required; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_checksum *checksum; + size_t required; + krb5_octet *bp; + size_t remain; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((checksum = (krb5_checksum *) arg)) { - kret = ENOMEM; - if (!krb5_checksum_esize(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain); - - /* Our checksum_type */ - (void) krb5_ser_pack_int32((krb5_int32) checksum->checksum_type, - &bp, &remain); + kret = ENOMEM; + if (!krb5_checksum_esize(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain); - /* Our length */ - (void) krb5_ser_pack_int32((krb5_int32) checksum->length, - &bp, &remain); + /* Our checksum_type */ + (void) krb5_ser_pack_int32((krb5_int32) checksum->checksum_type, + &bp, &remain); - /* Our contents */ - (void) krb5_ser_pack_bytes(checksum->contents, - (size_t) checksum->length, - &bp, &remain); + /* Our length */ + (void) krb5_ser_pack_int32((krb5_int32) checksum->length, + &bp, &remain); - /* Finally, our trailer */ - (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain); + /* Our contents */ + (void) krb5_ser_pack_bytes(checksum->contents, + (size_t) checksum->length, + &bp, &remain); - kret = 0; - *buffer = bp; - *lenremain = remain; - } + /* Finally, our trailer */ + (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain); + + kret = 0; + *buffer = bp; + *lenremain = remain; + } } return(kret); } /* - * krb5_checksum_internalize() - Internalize the krb5_checksum. + * krb5_checksum_internalize() - Internalize the krb5_checksum. */ static krb5_error_code krb5_checksum_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_checksum *checksum; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_checksum *checksum; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_CHECKSUM) { - kret = ENOMEM; + kret = ENOMEM; - /* Get a checksum */ - if ((remain >= (2*sizeof(krb5_int32))) && - (checksum = (krb5_checksum *) calloc(1, sizeof(krb5_checksum)))) { - /* Get the checksum_type */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - checksum->checksum_type = (krb5_cksumtype) ibuf; + /* Get a checksum */ + if ((remain >= (2*sizeof(krb5_int32))) && + (checksum = (krb5_checksum *) calloc(1, sizeof(krb5_checksum)))) { + /* Get the checksum_type */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + checksum->checksum_type = (krb5_cksumtype) ibuf; - /* Get the length */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - checksum->length = (int) ibuf; + /* Get the length */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + checksum->length = (int) ibuf; - /* Get the string */ - if (!ibuf || - ((checksum->contents = (krb5_octet *) - malloc((size_t) (ibuf))) && - !(kret = krb5_ser_unpack_bytes(checksum->contents, - (size_t) ibuf, - &bp, &remain)))) { + /* Get the string */ + if (!ibuf || + ((checksum->contents = (krb5_octet *) + malloc((size_t) (ibuf))) && + !(kret = krb5_ser_unpack_bytes(checksum->contents, + (size_t) ibuf, + &bp, &remain)))) { - /* Get the trailer */ - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && (ibuf == KV5M_CHECKSUM)) { - checksum->magic = KV5M_CHECKSUM; - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) checksum; - } - else - kret = EINVAL; - } - if (kret) { - if (checksum->contents) - free(checksum->contents); - free(checksum); - } - } + /* Get the trailer */ + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (!kret && (ibuf == KV5M_CHECKSUM)) { + checksum->magic = KV5M_CHECKSUM; + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) checksum; + } + else + kret = EINVAL; + } + if (kret) { + if (checksum->contents) + free(checksum->contents); + free(checksum); + } + } } return(kret); } diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c index c8f673b77..b632ff02c 100644 --- a/src/lib/krb5/krb/ser_ctx.c +++ b/src/lib/krb5/krb/ser_ctx.c @@ -36,7 +36,7 @@ * krb5_context_size(); * krb5_context_externalize(); * krb5_context_internalize(); - * + * * Routines to deal with externalizing the krb5_os_context: * krb5_oscontext_size(); * krb5_oscontext_externalize(); @@ -197,23 +197,23 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b if (required > remain) return (ENOMEM); - + /* First write our magic number */ kret = krb5_ser_pack_int32(KV5M_CONTEXT, &bp, &remain); if (kret) return (kret); - + /* Now sizeof default realm */ kret = krb5_ser_pack_int32((context->default_realm) ? (krb5_int32) strlen(context->default_realm) : 0, &bp, &remain); if (kret) return (kret); - + /* Now default_realm bytes */ if (context->default_realm) { kret = krb5_ser_pack_bytes((krb5_octet *) context->default_realm, - strlen(context->default_realm), + strlen(context->default_realm), &bp, &remain); if (kret) return (kret); @@ -239,7 +239,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b kret = krb5_ser_pack_int32(etypes_len(context->tgs_etypes), &bp, &remain); if (kret) return (kret); - + /* Now serialize ktypes */ if (context->tgs_etypes) { for (i = 0; context->tgs_etypes[i]; i++) { @@ -248,19 +248,19 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b return (kret); } } - + /* Now allowable clockskew */ kret = krb5_ser_pack_int32((krb5_int32) context->clockskew, &bp, &remain); if (kret) return (kret); - + /* Now kdc_req_sumtype */ kret = krb5_ser_pack_int32((krb5_int32) context->kdc_req_sumtype, &bp, &remain); if (kret) return (kret); - + /* Now default ap_req_sumtype */ kret = krb5_ser_pack_int32((krb5_int32) context->default_ap_req_sumtype, &bp, &remain); @@ -284,7 +284,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b &bp, &remain); if (kret) return (kret); - + /* Now profile_secure */ kret = krb5_ser_pack_int32((krb5_int32) context->profile_secure, &bp, &remain); @@ -321,7 +321,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b if (kret) return (kret); } - + /* * If we were successful, write trailer then update the pointer and * remaining length; @@ -329,7 +329,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b kret = krb5_ser_pack_int32(KV5M_CONTEXT, &bp, &remain); if (kret) return (kret); - + *buffer = bp; *lenremain = remain; @@ -379,10 +379,10 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet * (size_t) ibuf, &bp, &remain); if (kret) goto cleanup; - + context->default_realm[ibuf] = '\0'; } - + /* Get the in_tkt_etypes */ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) goto cleanup; @@ -425,17 +425,17 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet * if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) goto cleanup; context->clockskew = (krb5_deltat) ibuf; - + /* kdc_req_sumtype */ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) goto cleanup; context->kdc_req_sumtype = (krb5_cksumtype) ibuf; - + /* default ap_req_sumtype */ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) goto cleanup; context->default_ap_req_sumtype = (krb5_cksumtype) ibuf; - + /* default_safe_sumtype */ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) goto cleanup; @@ -484,14 +484,14 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet * &bp, &remain); if (kret && (kret != EINVAL) && (kret != ENOENT)) goto cleanup; - + /* Attempt to read in the profile */ kret = krb5_internalize_opaque(kcontext, PROF_MAGIC_PROFILE, (krb5_pointer *) &context->profile, &bp, &remain); if (kret && (kret != EINVAL) && (kret != ENOENT)) goto cleanup; - + /* Finally, find the trailer */ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) goto cleanup; @@ -590,7 +590,7 @@ krb5_oscontext_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet kret = ENOMEM; /* Get memory for the context */ - if ((os_ctx = (krb5_os_context) + if ((os_ctx = (krb5_os_context) calloc(1, sizeof(struct _krb5_os_context))) && (remain >= 4*sizeof(krb5_int32))) { os_ctx->magic = KV5M_OS_CONTEXT; diff --git a/src/lib/krb5/krb/ser_eblk.c b/src/lib/krb5/krb/ser_eblk.c index 8bce41cf1..894a43e77 100644 --- a/src/lib/krb5/krb/ser_eblk.c +++ b/src/lib/krb5/krb/ser_eblk.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_eblk.c * @@ -34,211 +35,211 @@ /* * Routines to deal with externalizing the krb5_encrypt_block: - * krb5_encrypt_block_size(); - * krb5_encrypt_block_externalize(); - * krb5_encrypt_block_internalize(); + * krb5_encrypt_block_size(); + * krb5_encrypt_block_externalize(); + * krb5_encrypt_block_internalize(); */ static krb5_error_code krb5_encrypt_block_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_encrypt_block_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_encrypt_block_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_encrypt_block_ser_entry = { - KV5M_ENCRYPT_BLOCK, /* Type */ - krb5_encrypt_block_size, /* Sizer routine */ - krb5_encrypt_block_externalize, /* Externalize routine */ - krb5_encrypt_block_internalize /* Internalize routine */ + KV5M_ENCRYPT_BLOCK, /* Type */ + krb5_encrypt_block_size, /* Sizer routine */ + krb5_encrypt_block_externalize, /* Externalize routine */ + krb5_encrypt_block_internalize /* Internalize routine */ }; /* - * krb5_encrypt_block_size() - Determine the size required to externalize - * the krb5_encrypt_block. + * krb5_encrypt_block_size() - Determine the size required to externalize + * the krb5_encrypt_block. */ static krb5_error_code krb5_encrypt_block_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; + krb5_context kcontext; + krb5_pointer arg; + size_t *sizep; { - krb5_error_code kret; - krb5_encrypt_block *encrypt_block; - size_t required; + krb5_error_code kret; + krb5_encrypt_block *encrypt_block; + size_t required; /* * NOTE: This ASSuMES that enctype are sufficient to recreate * the _krb5_cryptosystem_entry. If this is not true, then something else * had better be encoded here. - * + * * krb5_encrypt_block base requirements: - * krb5_int32 for KV5M_ENCRYPT_BLOCK - * krb5_int32 for enctype - * krb5_int32 for private length - * encrypt_block->priv_size for private contents - * krb5_int32 for KV5M_ENCRYPT_BLOCK + * krb5_int32 for KV5M_ENCRYPT_BLOCK + * krb5_int32 for enctype + * krb5_int32 for private length + * encrypt_block->priv_size for private contents + * krb5_int32 for KV5M_ENCRYPT_BLOCK */ kret = EINVAL; if ((encrypt_block = (krb5_encrypt_block *) arg)) { - required = (sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - (size_t) encrypt_block->priv_size); - if (encrypt_block->key) - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) encrypt_block->key, - &required); - else - kret = 0; - if (!kret) - *sizep += required; + required = (sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + (size_t) encrypt_block->priv_size); + if (encrypt_block->key) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) encrypt_block->key, + &required); + else + kret = 0; + if (!kret) + *sizep += required; } return(kret); } /* - * krb5_encrypt_block_externalize() - Externalize the krb5_encrypt_block. + * krb5_encrypt_block_externalize() - Externalize the krb5_encrypt_block. */ static krb5_error_code krb5_encrypt_block_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer arg; + krb5_octet **buffer; + size_t *lenremain; { - krb5_error_code kret; - krb5_encrypt_block *encrypt_block; - size_t required; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_encrypt_block *encrypt_block; + size_t required; + krb5_octet *bp; + size_t remain; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((encrypt_block = (krb5_encrypt_block *) arg)) { - kret = ENOMEM; - if (!krb5_encrypt_block_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain); - - /* Our enctype */ - (void) krb5_ser_pack_int32((krb5_int32) encrypt_block-> - crypto_entry->proto_enctype, - &bp, &remain); + kret = ENOMEM; + if (!krb5_encrypt_block_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain); - /* Our length */ - (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->priv_size, - &bp, &remain); + /* Our enctype */ + (void) krb5_ser_pack_int32((krb5_int32) encrypt_block-> + crypto_entry->proto_enctype, + &bp, &remain); - /* Our private data */ - (void) krb5_ser_pack_bytes(encrypt_block->priv, - (size_t) encrypt_block->priv_size, - &bp, &remain); + /* Our length */ + (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->priv_size, + &bp, &remain); - /* Finally, the key data */ - if (encrypt_block->key) - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) - encrypt_block->key, - &bp, - &remain); - else - kret = 0; + /* Our private data */ + (void) krb5_ser_pack_bytes(encrypt_block->priv, + (size_t) encrypt_block->priv_size, + &bp, &remain); - if (!kret) { - /* Write trailer */ - (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain); - *buffer = bp; - *lenremain = remain; - } - } + /* Finally, the key data */ + if (encrypt_block->key) + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) + encrypt_block->key, + &bp, + &remain); + else + kret = 0; + + if (!kret) { + /* Write trailer */ + (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain); + *buffer = bp; + *lenremain = remain; + } + } } return(kret); } /* - * krb5_encrypt_block_internalize() - Internalize the krb5_encrypt_block. + * krb5_encrypt_block_internalize() - Internalize the krb5_encrypt_block. */ static krb5_error_code krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer *argp; + krb5_octet **buffer; + size_t *lenremain; { - krb5_error_code kret; - krb5_encrypt_block *encrypt_block; - krb5_int32 ibuf; - krb5_enctype ktype; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_encrypt_block *encrypt_block; + krb5_int32 ibuf; + krb5_enctype ktype; + krb5_octet *bp; + size_t remain; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_ENCRYPT_BLOCK) { - kret = ENOMEM; + kret = ENOMEM; - /* Get an encrypt_block */ - if ((remain >= (3*sizeof(krb5_int32))) && - (encrypt_block = (krb5_encrypt_block *) - calloc(1, sizeof(krb5_encrypt_block)))) { - /* Get the enctype */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ktype = (krb5_enctype) ibuf; + /* Get an encrypt_block */ + if ((remain >= (3*sizeof(krb5_int32))) && + (encrypt_block = (krb5_encrypt_block *) + calloc(1, sizeof(krb5_encrypt_block)))) { + /* Get the enctype */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ktype = (krb5_enctype) ibuf; - /* Use the ktype to determine the crypto_system entry. */ - krb5_use_enctype(kcontext, encrypt_block, ktype); + /* Use the ktype to determine the crypto_system entry. */ + krb5_use_enctype(kcontext, encrypt_block, ktype); - /* Get the length */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - encrypt_block->priv_size = (int) ibuf; + /* Get the length */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + encrypt_block->priv_size = (int) ibuf; - /* Get the string */ - if (!ibuf || - ((encrypt_block->priv = (void *) malloc((size_t) (ibuf))) && - !(kret = krb5_ser_unpack_bytes((krb5_octet *) - encrypt_block->priv, - (size_t) - encrypt_block->priv_size, - &bp, &remain)))) { - kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) - &encrypt_block->key, - &bp, - &remain); - if (kret == EINVAL) - kret = 0; + /* Get the string */ + if (!ibuf || + ((encrypt_block->priv = (void *) malloc((size_t) (ibuf))) && + !(kret = krb5_ser_unpack_bytes((krb5_octet *) + encrypt_block->priv, + (size_t) + encrypt_block->priv_size, + &bp, &remain)))) { + kret = krb5_internalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer *) + &encrypt_block->key, + &bp, + &remain); + if (kret == EINVAL) + kret = 0; - if (!kret) { - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && (ibuf == KV5M_ENCRYPT_BLOCK)) { - *buffer = bp; - *lenremain = remain; - encrypt_block->magic = KV5M_ENCRYPT_BLOCK; - *argp = (krb5_pointer) encrypt_block; - } - else - kret = EINVAL; - } - } - if (kret) { - if (encrypt_block->priv) - free(encrypt_block->priv); - free(encrypt_block); - } - } + if (!kret) { + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (!kret && (ibuf == KV5M_ENCRYPT_BLOCK)) { + *buffer = bp; + *lenremain = remain; + encrypt_block->magic = KV5M_ENCRYPT_BLOCK; + *argp = (krb5_pointer) encrypt_block; + } + else + kret = EINVAL; + } + } + if (kret) { + if (encrypt_block->priv) + free(encrypt_block->priv); + free(encrypt_block); + } + } } return(kret); } @@ -248,7 +249,7 @@ krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain) */ krb5_error_code krb5_ser_encrypt_block_init(kcontext) - krb5_context kcontext; + krb5_context kcontext; { return(krb5_register_serializer(kcontext, &krb5_encrypt_block_ser_entry)); } diff --git a/src/lib/krb5/krb/ser_key.c b/src/lib/krb5/krb/ser_key.c index 25522de7b..f441e986f 100644 --- a/src/lib/krb5/krb/ser_key.c +++ b/src/lib/krb5/krb/ser_key.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_key.c * @@ -33,157 +34,157 @@ /* * Routines to deal with externalizing the krb5_keyblock: - * krb5_keyblock_size(); - * krb5_keyblock_externalize(); - * krb5_keyblock_internalize(); + * krb5_keyblock_size(); + * krb5_keyblock_externalize(); + * krb5_keyblock_internalize(); */ static krb5_error_code krb5_keyblock_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_keyblock_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_keyblock_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_keyblock_ser_entry = { - KV5M_KEYBLOCK, /* Type */ - krb5_keyblock_size, /* Sizer routine */ - krb5_keyblock_externalize, /* Externalize routine */ - krb5_keyblock_internalize /* Internalize routine */ + KV5M_KEYBLOCK, /* Type */ + krb5_keyblock_size, /* Sizer routine */ + krb5_keyblock_externalize, /* Externalize routine */ + krb5_keyblock_internalize /* Internalize routine */ }; /* - * krb5_keyblock_size() - Determine the size required to externalize - * the krb5_keyblock. + * krb5_keyblock_size() - Determine the size required to externalize + * the krb5_keyblock. */ static krb5_error_code krb5_keyblock_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_keyblock *keyblock; + krb5_error_code kret; + krb5_keyblock *keyblock; /* * krb5_keyblock requires: - * krb5_int32 for KV5M_KEYBLOCK - * krb5_int32 for enctype - * krb5_int32 for length - * keyblock->length for contents - * krb5_int32 for KV5M_KEYBLOCK + * krb5_int32 for KV5M_KEYBLOCK + * krb5_int32 for enctype + * krb5_int32 for length + * keyblock->length for contents + * krb5_int32 for KV5M_KEYBLOCK */ kret = EINVAL; if ((keyblock = (krb5_keyblock *) arg)) { - *sizep += (sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - sizeof(krb5_int32) + - (size_t) keyblock->length); - kret = 0; + *sizep += (sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + sizeof(krb5_int32) + + (size_t) keyblock->length); + kret = 0; } return(kret); } /* - * krb5_keyblock_externalize() - Externalize the krb5_keyblock. + * krb5_keyblock_externalize() - Externalize the krb5_keyblock. */ static krb5_error_code krb5_keyblock_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_keyblock *keyblock; - size_t required; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_keyblock *keyblock; + size_t required; + krb5_octet *bp; + size_t remain; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((keyblock = (krb5_keyblock *) arg)) { - kret = ENOMEM; - if (!krb5_keyblock_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain); - - /* Our enctype */ - (void) krb5_ser_pack_int32((krb5_int32) keyblock->enctype, - &bp, &remain); + kret = ENOMEM; + if (!krb5_keyblock_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain); - /* Our length */ - (void) krb5_ser_pack_int32((krb5_int32) keyblock->length, - &bp, &remain); + /* Our enctype */ + (void) krb5_ser_pack_int32((krb5_int32) keyblock->enctype, + &bp, &remain); - /* Our contents */ - (void) krb5_ser_pack_bytes(keyblock->contents, - (size_t) keyblock->length, - &bp, &remain); + /* Our length */ + (void) krb5_ser_pack_int32((krb5_int32) keyblock->length, + &bp, &remain); - /* Finally, our trailer */ - (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain); + /* Our contents */ + (void) krb5_ser_pack_bytes(keyblock->contents, + (size_t) keyblock->length, + &bp, &remain); - kret = 0; - *buffer = bp; - *lenremain = remain; - } + /* Finally, our trailer */ + (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain); + + kret = 0; + *buffer = bp; + *lenremain = remain; + } } return(kret); } /* - * krb5_keyblock_internalize() - Internalize the krb5_keyblock. + * krb5_keyblock_internalize() - Internalize the krb5_keyblock. */ static krb5_error_code krb5_keyblock_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_keyblock *keyblock; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_keyblock *keyblock; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_KEYBLOCK) { - kret = ENOMEM; + kret = ENOMEM; - /* Get a keyblock */ - if ((remain >= (3*sizeof(krb5_int32))) && - (keyblock = (krb5_keyblock *) calloc(1, sizeof(krb5_keyblock)))) { - /* Get the enctype */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - keyblock->enctype = (krb5_enctype) ibuf; + /* Get a keyblock */ + if ((remain >= (3*sizeof(krb5_int32))) && + (keyblock = (krb5_keyblock *) calloc(1, sizeof(krb5_keyblock)))) { + /* Get the enctype */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + keyblock->enctype = (krb5_enctype) ibuf; - /* Get the length */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - keyblock->length = (int) ibuf; + /* Get the length */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + keyblock->length = (int) ibuf; - /* Get the string */ - if ((keyblock->contents = (krb5_octet *) malloc((size_t) (ibuf)))&& - !(kret = krb5_ser_unpack_bytes(keyblock->contents, - (size_t) ibuf, - &bp, &remain))) { - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && (ibuf == KV5M_KEYBLOCK)) { - kret = 0; - *buffer = bp; - *lenremain = remain; - keyblock->magic = KV5M_KEYBLOCK; - *argp = (krb5_pointer) keyblock; - } - else - kret = EINVAL; - } - if (kret) { - if (keyblock->contents) - free(keyblock->contents); - free(keyblock); - } - } + /* Get the string */ + if ((keyblock->contents = (krb5_octet *) malloc((size_t) (ibuf)))&& + !(kret = krb5_ser_unpack_bytes(keyblock->contents, + (size_t) ibuf, + &bp, &remain))) { + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (!kret && (ibuf == KV5M_KEYBLOCK)) { + kret = 0; + *buffer = bp; + *lenremain = remain; + keyblock->magic = KV5M_KEYBLOCK; + *argp = (krb5_pointer) keyblock; + } + else + kret = EINVAL; + } + if (kret) { + if (keyblock->contents) + free(keyblock->contents); + free(keyblock); + } + } } return(kret); } diff --git a/src/lib/krb5/krb/ser_princ.c b/src/lib/krb5/krb/ser_princ.c index cb90154ff..d93fbbe7a 100644 --- a/src/lib/krb5/krb/ser_princ.c +++ b/src/lib/krb5/krb/ser_princ.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/ser_princ.c * @@ -33,103 +34,103 @@ /* * Routines to deal with externalizing the krb5_principal: - * krb5_principal_size(); - * krb5_principal_externalize(); - * krb5_principal_internalize(); + * krb5_principal_size(); + * krb5_principal_externalize(); + * krb5_principal_internalize(); */ static krb5_error_code krb5_principal_size - (krb5_context, krb5_pointer, size_t *); +(krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_principal_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); +(krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_principal_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); +(krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_principal_ser_entry = { - KV5M_PRINCIPAL, /* Type */ - krb5_principal_size, /* Sizer routine */ - krb5_principal_externalize, /* Externalize routine */ - krb5_principal_internalize /* Internalize routine */ + KV5M_PRINCIPAL, /* Type */ + krb5_principal_size, /* Sizer routine */ + krb5_principal_externalize, /* Externalize routine */ + krb5_principal_internalize /* Internalize routine */ }; /* - * krb5_principal_size() - Determine the size required to externalize - * the krb5_principal. + * krb5_principal_size() - Determine the size required to externalize + * the krb5_principal. */ static krb5_error_code krb5_principal_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_principal principal; - char *fname; + krb5_error_code kret; + krb5_principal principal; + char *fname; /* * krb5_principal requires: - * krb5_int32 for KV5M_PRINCIPAL - * krb5_int32 for flattened name size - * strlen(name) for name. - * krb5_int32 for KV5M_PRINCIPAL + * krb5_int32 for KV5M_PRINCIPAL + * krb5_int32 for flattened name size + * strlen(name) for name. + * krb5_int32 for KV5M_PRINCIPAL */ kret = EINVAL; if ((principal = (krb5_principal) arg) && - !(kret = krb5_unparse_name(kcontext, principal, &fname))) { - *sizep += (3*sizeof(krb5_int32)) + strlen(fname); - free(fname); + !(kret = krb5_unparse_name(kcontext, principal, &fname))) { + *sizep += (3*sizeof(krb5_int32)) + strlen(fname); + free(fname); } return(kret); } /* - * krb5_principal_externalize() - Externalize the krb5_principal. + * krb5_principal_externalize() - Externalize the krb5_principal. */ static krb5_error_code krb5_principal_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_principal principal; - size_t required; - krb5_octet *bp; - size_t remain; - char *fname; + krb5_error_code kret; + krb5_principal principal; + size_t required; + krb5_octet *bp; + size_t remain; + char *fname; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((principal = (krb5_principal) arg)) { - kret = ENOMEM; - if (!krb5_principal_size(kcontext, arg, &required) && - (required <= remain)) { - if (!(kret = krb5_unparse_name(kcontext, principal, &fname))) { + kret = ENOMEM; + if (!krb5_principal_size(kcontext, arg, &required) && + (required <= remain)) { + if (!(kret = krb5_unparse_name(kcontext, principal, &fname))) { - (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) strlen(fname), - &bp, &remain); - (void) krb5_ser_pack_bytes((krb5_octet *) fname, - strlen(fname), &bp, &remain); - (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain); - *buffer = bp; - *lenremain = remain; + (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) strlen(fname), + &bp, &remain); + (void) krb5_ser_pack_bytes((krb5_octet *) fname, + strlen(fname), &bp, &remain); + (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain); + *buffer = bp; + *lenremain = remain; - free(fname); - } - } + free(fname); + } + } } return(kret); } /* - * krb5_principal_internalize() - Internalize the krb5_principal. + * krb5_principal_internalize() - Internalize the krb5_principal. */ static krb5_error_code krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_principal principal = NULL; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - char *tmpname = NULL; + krb5_error_code kret; + krb5_principal principal = NULL; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + char *tmpname = NULL; *argp = NULL; bp = *buffer; @@ -137,28 +138,28 @@ krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL) - return EINVAL; + return EINVAL; /* Read the principal name */ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (kret) - return kret; + return kret; tmpname = malloc(ibuf + 1); kret = krb5_ser_unpack_bytes((krb5_octet *) tmpname, (size_t) ibuf, - &bp, &remain); + &bp, &remain); if (kret) - goto cleanup; + goto cleanup; tmpname[ibuf] = '\0'; /* Parse the name to a principal structure */ kret = krb5_parse_name(kcontext, tmpname, &principal); if (kret) - goto cleanup; + goto cleanup; /* Read the trailing magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL) { - kret = EINVAL; - goto cleanup; + kret = EINVAL; + goto cleanup; } *buffer = bp; @@ -166,7 +167,7 @@ krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *argp = principal; cleanup: if (kret) - krb5_free_principal(kcontext, principal); + krb5_free_principal(kcontext, principal); free(tmpname); return kret; } diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c index d1edcf239..4e08aa93e 100644 --- a/src/lib/krb5/krb/serialize.c +++ b/src/lib/krb5/krb/serialize.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/serialize.c * @@ -31,94 +32,94 @@ #include "k5-int.h" /* - * krb5_find_serializer() - See if a particular type is registered. + * krb5_find_serializer() - See if a particular type is registered. */ krb5_ser_handle krb5_find_serializer(krb5_context kcontext, krb5_magic odtype) { - krb5_ser_handle res; - krb5_ser_handle sctx; - int i; + krb5_ser_handle res; + krb5_ser_handle sctx; + int i; res = (krb5_ser_handle) NULL; sctx = (krb5_ser_handle) kcontext->ser_ctx; for (i=0; iser_ctx_count; i++) { - if (sctx[i].odtype == odtype) { - res = &sctx[i]; - break; - } + if (sctx[i].odtype == odtype) { + res = &sctx[i]; + break; + } } return(res); } /* - * krb5_register_serializer() - Register a particular serializer. + * krb5_register_serializer() - Register a particular serializer. */ krb5_error_code krb5_register_serializer(krb5_context kcontext, const krb5_ser_entry *entry) { - krb5_error_code kret; - krb5_ser_entry * stable; + krb5_error_code kret; + krb5_ser_entry * stable; kret = 0; /* See if it's already there, if so, we're good to go. */ if (!(stable = (krb5_ser_entry *)krb5_find_serializer(kcontext, - entry->odtype))) { - /* - * Can't find our type. Create a new entry. - */ - if ((stable = (krb5_ser_entry *) malloc(sizeof(krb5_ser_entry) * - (kcontext->ser_ctx_count+1)))) { - /* Copy in old table */ - if (kcontext->ser_ctx_count) - memcpy(stable, kcontext->ser_ctx, - sizeof(krb5_ser_entry) * kcontext->ser_ctx_count); - /* Copy in new entry */ - memcpy(&stable[kcontext->ser_ctx_count], entry, - sizeof(krb5_ser_entry)); - if (kcontext->ser_ctx) free(kcontext->ser_ctx); - kcontext->ser_ctx = (void *) stable; - kcontext->ser_ctx_count++; - } - else - kret = ENOMEM; + entry->odtype))) { + /* + * Can't find our type. Create a new entry. + */ + if ((stable = (krb5_ser_entry *) malloc(sizeof(krb5_ser_entry) * + (kcontext->ser_ctx_count+1)))) { + /* Copy in old table */ + if (kcontext->ser_ctx_count) + memcpy(stable, kcontext->ser_ctx, + sizeof(krb5_ser_entry) * kcontext->ser_ctx_count); + /* Copy in new entry */ + memcpy(&stable[kcontext->ser_ctx_count], entry, + sizeof(krb5_ser_entry)); + if (kcontext->ser_ctx) free(kcontext->ser_ctx); + kcontext->ser_ctx = (void *) stable; + kcontext->ser_ctx_count++; + } + else + kret = ENOMEM; } else - *stable = *entry; + *stable = *entry; return(kret); } /* - * krb5_size_opaque() - Determine the size necessary to serialize a given - * piece of opaque data. + * krb5_size_opaque() - Determine the size necessary to serialize a given + * piece of opaque data. */ krb5_error_code KRB5_CALLCONV krb5_size_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_ser_handle shandle; + krb5_error_code kret; + krb5_ser_handle shandle; kret = ENOENT; /* See if the type is supported, if so, do it */ if ((shandle = krb5_find_serializer(kcontext, odtype))) - kret = (shandle->sizer) ? (*shandle->sizer)(kcontext, arg, sizep) : 0; + kret = (shandle->sizer) ? (*shandle->sizer)(kcontext, arg, sizep) : 0; return(kret); } /* - * krb5_externalize_opaque() - Externalize a piece of opaque data. + * krb5_externalize_opaque() - Externalize a piece of opaque data. */ krb5_error_code KRB5_CALLCONV krb5_externalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep) { - krb5_error_code kret; - krb5_ser_handle shandle; + krb5_error_code kret; + krb5_ser_handle shandle; kret = ENOENT; /* See if the type is supported, if so, do it */ if ((shandle = krb5_find_serializer(kcontext, odtype))) - kret = (shandle->externalizer) ? - (*shandle->externalizer)(kcontext, arg, bufpp, sizep) : 0; + kret = (shandle->externalizer) ? + (*shandle->externalizer)(kcontext, arg, bufpp, sizep) : 0; return(kret); } @@ -128,146 +129,146 @@ krb5_externalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer a krb5_error_code krb5_externalize_data(krb5_context kcontext, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep) { - krb5_error_code kret; - krb5_magic *mp; - krb5_octet *buffer, *bp; - size_t bufsize, bsize; + krb5_error_code kret; + krb5_magic *mp; + krb5_octet *buffer, *bp; + size_t bufsize, bsize; mp = (krb5_magic *) arg; bufsize = 0; if (!(kret = krb5_size_opaque(kcontext, *mp, arg, &bufsize))) { - if ((buffer = (krb5_octet *) malloc(bufsize))) { - bp = buffer; - bsize = bufsize; - if (!(kret = krb5_externalize_opaque(kcontext, - *mp, - arg, - &bp, - &bsize))) { - if (bsize != 0) - bufsize -= bsize; - *bufpp = buffer; - *sizep = bufsize; - } - } - else - kret = ENOMEM; + if ((buffer = (krb5_octet *) malloc(bufsize))) { + bp = buffer; + bsize = bufsize; + if (!(kret = krb5_externalize_opaque(kcontext, + *mp, + arg, + &bp, + &bsize))) { + if (bsize != 0) + bufsize -= bsize; + *bufpp = buffer; + *sizep = bufsize; + } + } + else + kret = ENOMEM; } return(kret); } /* - * krb5_internalize_opaque() - Convert external representation into a data - * structure. + * krb5_internalize_opaque() - Convert external representation into a data + * structure. */ krb5_error_code KRB5_CALLCONV krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *argp, krb5_octet **bufpp, size_t *sizep) { - krb5_error_code kret; - krb5_ser_handle shandle; + krb5_error_code kret; + krb5_ser_handle shandle; kret = ENOENT; /* See if the type is supported, if so, do it */ if ((shandle = krb5_find_serializer(kcontext, odtype))) - kret = (shandle->internalizer) ? - (*shandle->internalizer)(kcontext, argp, bufpp, sizep) : 0; + kret = (shandle->internalizer) ? + (*shandle->internalizer)(kcontext, argp, bufpp, sizep) : 0; return(kret); } /* - * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available. - * Update buffer pointer and remaining space. + * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available. + * Update buffer pointer and remaining space. */ krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp) { if (*remainp >= sizeof(krb5_int32)) { - store_32_be(iarg, *bufp); - *bufp += sizeof(krb5_int32); - *remainp -= sizeof(krb5_int32); - return(0); + store_32_be(iarg, *bufp); + *bufp += sizeof(krb5_int32); + *remainp -= sizeof(krb5_int32); + return(0); } else - return(ENOMEM); + return(ENOMEM); } /* - * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available. - * Update buffer pointer and remaining space. + * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available. + * Update buffer pointer and remaining space. */ krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp) { if (*remainp >= sizeof(krb5_int64)) { - store_64_be(iarg, (unsigned char *)*bufp); - *bufp += sizeof(krb5_int64); - *remainp -= sizeof(krb5_int64); - return(0); + store_64_be(iarg, (unsigned char *)*bufp); + *bufp += sizeof(krb5_int64); + *remainp -= sizeof(krb5_int64); + return(0); } else - return(ENOMEM); + return(ENOMEM); } /* - * krb5_ser_pack_bytes() - Pack a string of bytes. + * krb5_ser_pack_bytes() - Pack a string of bytes. */ krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes(krb5_octet *ostring, size_t osize, krb5_octet **bufp, size_t *remainp) { if (*remainp >= osize) { - memcpy(*bufp, ostring, osize); - *bufp += osize; - *remainp -= osize; - return(0); + memcpy(*bufp, ostring, osize); + *bufp += osize; + *remainp -= osize; + return(0); } else - return(ENOMEM); + return(ENOMEM); } /* - * krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there. + * krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there. */ krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp) { if (*remainp >= sizeof(krb5_int32)) { - *intp = load_32_be(*bufp); - *bufp += sizeof(krb5_int32); - *remainp -= sizeof(krb5_int32); - return(0); + *intp = load_32_be(*bufp); + *bufp += sizeof(krb5_int32); + *remainp -= sizeof(krb5_int32); + return(0); } else - return(ENOMEM); + return(ENOMEM); } /* - * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there. + * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there. */ krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp) { if (*remainp >= sizeof(krb5_int64)) { - *intp = load_64_be((unsigned char *)*bufp); - *bufp += sizeof(krb5_int64); - *remainp -= sizeof(krb5_int64); - return(0); + *intp = load_64_be((unsigned char *)*bufp); + *bufp += sizeof(krb5_int64); + *remainp -= sizeof(krb5_int64); + return(0); } else - return(ENOMEM); + return(ENOMEM); } /* - * krb5_ser_unpack_bytes() - Unpack a byte string if it's there. + * krb5_ser_unpack_bytes() - Unpack a byte string if it's there. */ krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes(krb5_octet *istring, size_t isize, krb5_octet **bufp, size_t *remainp) { if (*remainp >= isize) { - memcpy(istring, *bufp, isize); - *bufp += isize; - *remainp -= isize; - return(0); + memcpy(istring, *bufp, isize); + *bufp += isize; + *remainp -= isize; + return(0); } else - return(ENOMEM); + return(ENOMEM); } diff --git a/src/lib/krb5/krb/set_realm.c b/src/lib/krb5/krb/set_realm.c index 9a96cd1ca..0128f6cb1 100644 --- a/src/lib/krb5/krb/set_realm.c +++ b/src/lib/krb5/krb/set_realm.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/set_realm.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -29,23 +30,21 @@ krb5_error_code KRB5_CALLCONV krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char *realm) { - size_t length; - char *newrealm; - - if (!realm || !*realm) - return -EINVAL; + size_t length; + char *newrealm; - length = strlen(realm); - newrealm = strdup(realm); - if (!newrealm) - return -ENOMEM; - - (void) free(krb5_princ_realm(context,principal)->data); + if (!realm || !*realm) + return -EINVAL; - krb5_princ_realm(context, principal)->length = length; - krb5_princ_realm(context, principal)->data = newrealm; + length = strlen(realm); + newrealm = strdup(realm); + if (!newrealm) + return -ENOMEM; - return 0; -} + (void) free(krb5_princ_realm(context,principal)->data); + krb5_princ_realm(context, principal)->length = length; + krb5_princ_realm(context, principal)->data = newrealm; + return 0; +} diff --git a/src/lib/krb5/krb/srv_dec_tkt.c b/src/lib/krb5/krb/srv_dec_tkt.c index 0934e27e1..f266fa5e9 100644 --- a/src/lib/krb5/krb/srv_dec_tkt.c +++ b/src/lib/krb5/krb/srv_dec_tkt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/srv_dec_tkt.c * @@ -24,7 +25,7 @@ * or implied warranty. * * - * Server decrypt ticket via keytab or keyblock. + * Server decrypt ticket via keytab or keyblock. * * Different from krb5_rd_req_decoded. (krb5/src/lib/krb5/krb/rd_req_dec.c) * - No krb5_principal_compare or KRB5KRB_AP_ERR_BADMATCH error. @@ -33,94 +34,94 @@ * - No address checking or KRB5KRB_AP_ERR_BADADDR error. * - No time validation. * - No permitted enctype validation or KRB5_NOPERM_ETYPE error. - * - Does not free ticket->enc_part2 on error. + * - Does not free ticket->enc_part2 on error. */ #include -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT krb5_error_code KRB5_CALLCONV krb5int_server_decrypt_ticket_keyblock(krb5_context context, - const krb5_keyblock *key, - krb5_ticket *ticket) + const krb5_keyblock *key, + krb5_ticket *ticket) { krb5_error_code retval; krb5_data *realm; krb5_transited *trans; retval = krb5_decrypt_tkt_part(context, key, ticket); - if (retval) - goto done; + if (retval) + goto done; trans = &ticket->enc_part2->transited; realm = &ticket->enc_part2->client->realm; if (trans->tr_contents.data && *trans->tr_contents.data) { - retval = krb5_check_transited_list(context, &trans->tr_contents, - realm, &ticket->server->realm); - goto done; + retval = krb5_check_transited_list(context, &trans->tr_contents, + realm, &ticket->server->realm); + goto done; } - if (ticket->enc_part2->flags & TKT_FLG_INVALID) { /* ie, KDC_OPT_POSTDATED */ - retval = KRB5KRB_AP_ERR_TKT_INVALID; - goto done; + if (ticket->enc_part2->flags & TKT_FLG_INVALID) { /* ie, KDC_OPT_POSTDATED */ + retval = KRB5KRB_AP_ERR_TKT_INVALID; + goto done; } - done: +done: return retval; } krb5_error_code KRB5_CALLCONV krb5_server_decrypt_ticket_keytab(krb5_context context, - const krb5_keytab keytab, - krb5_ticket *ticket) + const krb5_keytab keytab, + krb5_ticket *ticket) { - krb5_error_code retval; - krb5_keytab_entry ktent; + krb5_error_code retval; + krb5_keytab_entry ktent; retval = KRB5_KT_NOTFOUND; if (keytab->ops->start_seq_get == NULL) { - retval = krb5_kt_get_entry(context, keytab, - ticket->server, - ticket->enc_part.kvno, - ticket->enc_part.enctype, &ktent); - if (retval == 0) { - retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket); - - (void) krb5_free_keytab_entry_contents(context, &ktent); - } + retval = krb5_kt_get_entry(context, keytab, + ticket->server, + ticket->enc_part.kvno, + ticket->enc_part.enctype, &ktent); + if (retval == 0) { + retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket); + + (void) krb5_free_keytab_entry_contents(context, &ktent); + } } else { - krb5_error_code code; - krb5_kt_cursor cursor; - - retval = krb5_kt_start_seq_get(context, keytab, &cursor); - if (retval != 0) - goto map_error; - - while ((code = krb5_kt_next_entry(context, keytab, - &ktent, &cursor)) == 0) { - if (ktent.key.enctype != ticket->enc_part.enctype) - continue; - - retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket); - if (retval == 0) { - krb5_principal tmp; - - retval = krb5_copy_principal(context, ktent.principal, &tmp); - if (retval == 0) { - krb5_free_principal(context, ticket->server); - ticket->server = tmp; - } - (void) krb5_free_keytab_entry_contents(context, &ktent); - break; - } - (void) krb5_free_keytab_entry_contents(context, &ktent); - } - - code = krb5_kt_end_seq_get(context, keytab, &cursor); - if (code != 0) - retval = code; + krb5_error_code code; + krb5_kt_cursor cursor; + + retval = krb5_kt_start_seq_get(context, keytab, &cursor); + if (retval != 0) + goto map_error; + + while ((code = krb5_kt_next_entry(context, keytab, + &ktent, &cursor)) == 0) { + if (ktent.key.enctype != ticket->enc_part.enctype) + continue; + + retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket); + if (retval == 0) { + krb5_principal tmp; + + retval = krb5_copy_principal(context, ktent.principal, &tmp); + if (retval == 0) { + krb5_free_principal(context, ticket->server); + ticket->server = tmp; + } + (void) krb5_free_keytab_entry_contents(context, &ktent); + break; + } + (void) krb5_free_keytab_entry_contents(context, &ktent); + } + + code = krb5_kt_end_seq_get(context, keytab, &cursor); + if (code != 0) + retval = code; } map_error: @@ -128,13 +129,12 @@ map_error: case KRB5_KT_KVNONOTFOUND: case KRB5_KT_NOTFOUND: case KRB5KRB_AP_ERR_BAD_INTEGRITY: - retval = KRB5KRB_AP_WRONG_PRINC; - break; + retval = KRB5KRB_AP_WRONG_PRINC; + break; default: - break; + break; } return retval; } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c index 7d6b68a7e..6730748f3 100644 --- a/src/lib/krb5/krb/srv_rcache.c +++ b/src/lib/krb5/krb/srv_rcache.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/srv_rcache.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Allocate & prepare a default replay cache for a server. */ @@ -35,7 +36,7 @@ #define isvalidrcname(x) ((!ispunct(x))&&isgraph(x)) krb5_error_code KRB5_CALLCONV krb5_get_server_rcache(krb5_context context, const krb5_data *piece, - krb5_rcache *rcptr) + krb5_rcache *rcptr) { krb5_rcache rcache = 0; char *cachename = 0, *cachetype; @@ -45,22 +46,22 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, #ifdef HAVE_GETEUID unsigned long uid = geteuid(); #endif - + if (piece == NULL) - return ENOMEM; - + return ENOMEM; + cachetype = krb5_rc_default_type(context); krb5int_buf_init_dynamic(&buf); krb5int_buf_add(&buf, cachetype); krb5int_buf_add(&buf, ":"); for (i = 0; i < piece->length; i++) { - if (piece->data[i] == '-') - krb5int_buf_add(&buf, "--"); - else if (!isvalidrcname((int) piece->data[i])) - krb5int_buf_add_fmt(&buf, "-%03o", piece->data[i]); - else - krb5int_buf_add_len(&buf, &piece->data[i], 1); + if (piece->data[i] == '-') + krb5int_buf_add(&buf, "--"); + else if (!isvalidrcname((int) piece->data[i])) + krb5int_buf_add_fmt(&buf, "-%03o", piece->data[i]); + else + krb5int_buf_add_len(&buf, &piece->data[i], 1); } #ifdef HAVE_GETEUID krb5int_buf_add_fmt(&buf, "_%lu", uid); @@ -68,16 +69,16 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, cachename = krb5int_buf_data(&buf); if (cachename == NULL) - return ENOMEM; + return ENOMEM; retval = krb5_rc_resolve_full(context, &rcache, cachename); if (retval) - goto cleanup; + goto cleanup; retval = krb5_rc_recover_or_initialize(context, rcache, - context->clockskew); + context->clockskew); if (retval) - goto cleanup; + goto cleanup; *rcptr = rcache; rcache = 0; @@ -85,8 +86,8 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, cleanup: if (rcache) - krb5_rc_close(context, rcache); + krb5_rc_close(context, rcache); if (cachename) - free(cachename); + free(cachename); return retval; } diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c index 531eba126..1f2edcc66 100644 --- a/src/lib/krb5/krb/str_conv.c +++ b/src/lib/krb5/krb/str_conv.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kadm/str_conv.c * @@ -34,16 +35,16 @@ * * String decoding: * ---------------- - * krb5_string_to_salttype() - Convert string to salttype (krb5_int32) - * krb5_string_to_timestamp() - Convert string to krb5_timestamp. - * krb5_string_to_deltat() - Convert string to krb5_deltat. + * krb5_string_to_salttype() - Convert string to salttype (krb5_int32) + * krb5_string_to_timestamp() - Convert string to krb5_timestamp. + * krb5_string_to_deltat() - Convert string to krb5_deltat. * * String encoding: * ---------------- - * krb5_salttype_to_string() - Convert salttype (krb5_int32) to string. - * krb5_timestamp_to_string() - Convert krb5_timestamp to string. - * krb5_timestamp_to_sfstring() - Convert krb5_timestamp to short filled string - * krb5_deltat_to_string() - Convert krb5_deltat to string. + * krb5_salttype_to_string() - Convert salttype (krb5_int32) to string. + * krb5_timestamp_to_string() - Convert krb5_timestamp to string. + * krb5_timestamp_to_sfstring() - Convert krb5_timestamp to short filled string + * krb5_deltat_to_string() - Convert krb5_deltat to string. */ #include "k5-int.h" @@ -55,9 +56,9 @@ * Local data structures. */ struct salttype_lookup_entry { - krb5_int32 stt_enctype; /* Salt type */ - const char * stt_specifier; /* How to recognize it */ - const char * stt_output; /* How to spit it out */ + krb5_int32 stt_enctype; /* Salt type */ + const char * stt_specifier; /* How to recognize it */ + const char * stt_output; /* How to spit it out */ }; /* @@ -66,20 +67,20 @@ struct salttype_lookup_entry { #include "kdb.h" static const struct salttype_lookup_entry salttype_table[] = { -/* salt type input specifier output string */ -/*----------------------------- --------------- ---------------*/ -{ KRB5_KDB_SALTTYPE_NORMAL, "normal", "Version 5" }, -{ KRB5_KDB_SALTTYPE_V4, "v4", "Version 4" }, -{ KRB5_KDB_SALTTYPE_NOREALM, "norealm", "Version 5 - No Realm" }, -{ KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" }, -{ KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" }, -{ KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" }, +/* salt type input specifier output string */ +/*----------------------------- --------------- ---------------*/ + { KRB5_KDB_SALTTYPE_NORMAL, "normal", "Version 5" }, + { KRB5_KDB_SALTTYPE_V4, "v4", "Version 4" }, + { KRB5_KDB_SALTTYPE_NOREALM, "norealm", "Version 5 - No Realm" }, + { KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" }, + { KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" }, + { KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" }, #if PKINIT_APPLE -{ KRB5_KDB_SALTTYPE_CERTHASH, "certhash", "PKINIT Cert Hash" } + { KRB5_KDB_SALTTYPE_CERTHASH, "certhash", "PKINIT Cert Hash" } #endif /* PKINIT_APPLE */ }; static const int salttype_table_nents = sizeof(salttype_table)/ - sizeof(salttype_table[0]); + sizeof(salttype_table[0]); krb5_error_code KRB5_CALLCONV krb5_string_to_salttype(char *string, krb5_int32 *salttypep) @@ -89,11 +90,11 @@ krb5_string_to_salttype(char *string, krb5_int32 *salttypep) found = 0; for (i=0; i= buflen) - return(ENOMEM); - return(0); + if (strlcpy(buffer, out, buflen) >= buflen) + return(ENOMEM); + return(0); } else - return(EINVAL); + return(EINVAL); } /* (absolute) time conversions */ @@ -137,7 +138,7 @@ static size_t strftime (char *, size_t, const char *, const struct tm *); #ifdef HAVE_STRPTIME #ifdef NEED_STRPTIME_PROTO extern char *strptime (const char *, const char *, - struct tm *) + struct tm *) #ifdef __cplusplus throw() #endif @@ -155,7 +156,7 @@ localtime_r(const time_t *t, struct tm *buf) { struct tm *tm = localtime(t); if (tm == NULL) - return NULL; + return NULL; *buf = *tm; return buf; } @@ -169,47 +170,47 @@ krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp) time_t now, ret_time; char *s; static const char * const atime_format_table[] = { - "%Y%m%d%H%M%S", /* yyyymmddhhmmss */ - "%Y.%m.%d.%H.%M.%S", /* yyyy.mm.dd.hh.mm.ss */ - "%y%m%d%H%M%S", /* yymmddhhmmss */ - "%y.%m.%d.%H.%M.%S", /* yy.mm.dd.hh.mm.ss */ - "%y%m%d%H%M", /* yymmddhhmm */ - "%H%M%S", /* hhmmss */ - "%H%M", /* hhmm */ - "%T", /* hh:mm:ss */ - "%R", /* hh:mm */ - /* The following not really supported unless native strptime present */ - "%x:%X", /* locale-dependent short format */ - "%d-%b-%Y:%T", /* dd-month-yyyy:hh:mm:ss */ - "%d-%b-%Y:%R" /* dd-month-yyyy:hh:mm */ + "%Y%m%d%H%M%S", /* yyyymmddhhmmss */ + "%Y.%m.%d.%H.%M.%S", /* yyyy.mm.dd.hh.mm.ss */ + "%y%m%d%H%M%S", /* yymmddhhmmss */ + "%y.%m.%d.%H.%M.%S", /* yy.mm.dd.hh.mm.ss */ + "%y%m%d%H%M", /* yymmddhhmm */ + "%H%M%S", /* hhmmss */ + "%H%M", /* hhmm */ + "%T", /* hh:mm:ss */ + "%R", /* hh:mm */ + /* The following not really supported unless native strptime present */ + "%x:%X", /* locale-dependent short format */ + "%d-%b-%Y:%T", /* dd-month-yyyy:hh:mm:ss */ + "%d-%b-%Y:%R" /* dd-month-yyyy:hh:mm */ }; static const int atime_format_table_nents = - sizeof(atime_format_table)/sizeof(atime_format_table[0]); + sizeof(atime_format_table)/sizeof(atime_format_table[0]); now = time((time_t *) NULL); if (localtime_r(&now, &timebuf2) == NULL) - return EINVAL; + return EINVAL; for (i=0; i= sftime_default_len) { - snprintf(buffer, buflen, "%02d/%02d/%4d %02d:%02d", - tmp->tm_mday, tmp->tm_mon+1, 1900+tmp->tm_year, - tmp->tm_hour, tmp->tm_min); - ndone = strlen(buffer); - } +#define sftime_default_len 2+1+2+1+4+1+2+1+2+1 + if (buflen >= sftime_default_len) { + snprintf(buffer, buflen, "%02d/%02d/%4d %02d:%02d", + tmp->tm_mday, tmp->tm_mon+1, 1900+tmp->tm_year, + tmp->tm_hour, tmp->tm_min); + ndone = strlen(buffer); + } } if (ndone && pad) { - for (i=ndone; i 1) ? "days" : "day", - hours, minutes, seconds); + snprintf(buffer, buflen, "%d %s %02d:%02d:%02d", days, + (days > 1) ? "days" : "day", + hours, minutes, seconds); else - snprintf(buffer, buflen, "%d %s", days, - (days > 1) ? "days" : "day"); + snprintf(buffer, buflen, "%d %s", days, + (days > 1) ? "days" : "day"); if (tmpbuf[sizeof(tmpbuf)-1] != 0) - /* Something must be very wrong with my math above, or the - assumptions going into it... */ - abort (); + /* Something must be very wrong with my math above, or the + assumptions going into it... */ + abort (); if (strlen (tmpbuf) > buflen) - return ENOMEM; + return ENOMEM; else - strncpy (buffer, tmpbuf, buflen); + strncpy (buffer, tmpbuf, buflen); return 0; } @@ -348,10 +349,10 @@ struct dummy_locale_info_t { char am_pm[2][3]; }; static const struct dummy_locale_info_t dummy_locale_info = { - "%a %b %d %X %Y", /* %c */ - "%I:%M:%S %p", /* %r */ - "%H:%M:%S", /* %X */ - "%m/%d/%y", /* %x */ + "%a %b %d %X %Y", /* %c */ + "%I:%M:%S %p", /* %r */ + "%H:%M:%S", /* %X */ + "%m/%d/%y", /* %x */ { "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday" }, { "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" }, @@ -373,7 +374,7 @@ static const struct dummy_locale_info_t dummy_locale_info = { #undef DAYSPERWEEK #define DAYSPERWEEK 7 #undef isleap -#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0)) +#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0)) #undef tzname #define tzname my_tzname static const char *const tzname[2] = { 0, 0 }; diff --git a/src/lib/krb5/krb/strptime.c b/src/lib/krb5/krb/strptime.c index ac52d5c22..ffe90d4c9 100644 --- a/src/lib/krb5/krb/strptime.c +++ b/src/lib/krb5/krb/strptime.c @@ -82,7 +82,7 @@ strptime(buf, fmt, tm) fmt++; continue; } - + if ((c = *fmt++) != '%') goto literal; @@ -107,7 +107,7 @@ literal: LEGAL_ALT(0); alt_format |= ALT_O; goto again; - + /* * "Complex" conversion rules, implemented through recursion. */ diff --git a/src/lib/krb5/krb/t_ad_fx_armor.c b/src/lib/krb5/krb/t_ad_fx_armor.c index 74d7e5f1a..73dbb3a6f 100644 --- a/src/lib/krb5/krb/t_ad_fx_armor.c +++ b/src/lib/krb5/krb/t_ad_fx_armor.c @@ -1,13 +1,14 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include -#define test(x) do {retval = (x); \ - if(retval != 0) { \ - const char *errmsg = krb5_get_error_message(context, retval); \ - fprintf(stderr, "Error message: %s\n", errmsg); \ - abort(); } \ - } while(0); +#define test(x) do {retval = (x); \ + if(retval != 0) { \ + const char *errmsg = krb5_get_error_message(context, retval); \ + fprintf(stderr, "Error message: %s\n", errmsg); \ + abort(); } \ + } while(0); krb5_authdata ad_fx_armor = {0, KRB5_AUTHDATA_FX_ARMOR, 1, ""}; krb5_authdata *array[] = {&ad_fx_armor, NULL}; @@ -32,5 +33,5 @@ int main( int argc, char **argv) test(krb5_cc_store_cred(context, ccache, out_creds)); test(krb5_cc_close(context,ccache)); return 0; - -} + +} diff --git a/src/lib/krb5/krb/t_authdata.c b/src/lib/krb5/krb/t_authdata.c index 86838cead..ed847dfbd 100644 --- a/src/lib/krb5/krb/t_authdata.c +++ b/src/lib/krb5/krb/t_authdata.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/t_authdata.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +23,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * Test authorization data search */ @@ -34,25 +35,25 @@ #include krb5_authdata ad1 = { - KV5M_AUTHDATA, - 22, - 4, - (unsigned char *) "abcd"}; + KV5M_AUTHDATA, + 22, + 4, + (unsigned char *) "abcd"}; krb5_authdata ad2 = { - KV5M_AUTHDATA, - 23, - 5, - (unsigned char *) "abcde" + KV5M_AUTHDATA, + 23, + 5, + (unsigned char *) "abcde" }; krb5_authdata ad3= { - KV5M_AUTHDATA, - 22, - 3, - (unsigned char *) "ab" + KV5M_AUTHDATA, + 22, + 3, + (unsigned char *) "ab" }; /* we want three results in the return from krb5int_find_authdata so -it has to grow its list. + it has to grow its list. */ krb5_authdata ad4 = { KV5M_AUTHDATA, @@ -73,12 +74,12 @@ krb5_keyblock key = { }; static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) { - assert(adc1->ad_type == adc2->ad_type); - assert(adc1->length == adc2->length); - assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0); + assert(adc1->ad_type == adc2->ad_type); + assert(adc1->length == adc2->length); + assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0); } -int main() +int main() { krb5_context context; krb5_authdata **results; @@ -98,7 +99,7 @@ int main() container[1] = NULL; assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0); assert(krb5int_find_authdata(context, - adseq1, container_out, 22, &results) == 0); + adseq1, container_out, 22, &results) == 0); compare_authdata(&ad1, results[0]); compare_authdata( results[1], &ad4); compare_authdata( results[2], &ad3); diff --git a/src/lib/krb5/krb/t_deltat.c b/src/lib/krb5/krb/t_deltat.c index a07ba4232..dcf14af67 100644 --- a/src/lib/krb5/krb/t_deltat.c +++ b/src/lib/krb5/krb/t_deltat.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/t_deltat.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +23,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ #include "k5-int.h" @@ -31,9 +32,9 @@ int main (void) { struct { - char *string; - krb5_deltat expected; - int is_error; + char *string; + krb5_deltat expected; + int is_error; #define GOOD(STR,VAL) { STR, VAL, 0 } #define BAD(STR) { STR, 0, 1 } #define DAY (24 * 3600) @@ -43,116 +44,116 @@ main (void) #endif #define MIN 60 } values[] = { - /* d-h-m-s patterns */ - GOOD ("3d", 3*DAY), - GOOD ("3h", 3*HOUR), - GOOD ("3m", 3*MIN), - GOOD ("3s", 3), - BAD ("3dd"), - GOOD ("3d4m 42s", 3 * DAY + 4 * MIN + 42), - GOOD ("3d-1h", 3 * DAY - 1 * HOUR), - GOOD ("3d -1h", 3 * DAY - HOUR), - GOOD ("3d4h5m6s", 3 * DAY + 4 * HOUR + 5 * MIN + 6), - BAD ("3d4m5h"), - GOOD ("12345s", 12345), - GOOD ("1m 12345s", MIN + 12345), - GOOD ("1m12345s", MIN + 12345), - GOOD ("3d 0m", 3 * DAY), - GOOD ("3d 0m ", 3 * DAY), - GOOD ("3d \n\t 0m ", 3 * DAY), - /* colon patterns */ - GOOD ("42-13:42:47", 42 * DAY + 13 * HOUR + 42 * MIN + 47), - BAD ("3: 4"), - BAD ("13:0003"), - GOOD ("12:34", 12 * HOUR + 34 * MIN), - GOOD ("1:02:03", 1 * HOUR + 2 * MIN + 3), - BAD ("3:-4"), - /* XX We might want to require exactly two digits after a colon? */ - GOOD ("3:4", 3 * HOUR + 4 * MIN), - /* misc */ - GOOD ("42", 42), - BAD ("1-2"), - /* Test overflow limitations */ - GOOD ("2147483647s", 2147483647), - BAD ("2147483648s"), - GOOD ("24855d", 24855 * DAY), - BAD ("24856d"), - BAD ("24855d 100000000h"), - GOOD ("24855d 3h", 24855 * DAY + 3 * HOUR), - BAD ("24855d 4h"), - GOOD ("24855d 11647s", 24855 * DAY + 11647), - BAD ("24855d 11648s"), - GOOD ("24855d 194m 7s", 24855 * DAY + 194 * MIN + 7), - BAD ("24855d 194m 8s"), - BAD ("24855d 195m"), - BAD ("24855d 19500000000m"), - GOOD ("24855d 3h 14m 7s", 24855 * DAY + 3 * HOUR + 14 * MIN + 7), - BAD ("24855d 3h 14m 8s"), - GOOD ("596523h", 596523 * HOUR), - BAD ("596524h"), - GOOD ("596523h 847s", 596523 * HOUR + 847), - BAD ("596523h 848s"), - GOOD ("596523h 14m 7s", 596523 * HOUR + 14 * MIN + 7), - BAD ("596523h 14m 8s"), - GOOD ("35791394m", 35791394 * MIN), - GOOD ("35791394m7s", 35791394 * MIN + 7), - BAD ("35791394m8s"), - /* Test underflow */ - GOOD ("-2147483647s", -2147483647), - /* This should be valid, but isn't */ - /*BAD ("-2147483648s"),*/ - GOOD ("-24855d", -24855 * DAY), - BAD ("-24856d"), - BAD ("-24855d -100000000h"), - GOOD ("-24855d -3h", -24855 * DAY - 3 * HOUR), - BAD ("-24855d -4h"), - GOOD ("-24855d -11647s", -24855 * DAY - 11647), - BAD ("-24855d -11649s"), - GOOD ("-24855d -194m -7s", -24855 * DAY - 194 * MIN - 7), - BAD ("-24855d -194m -9s"), - BAD ("-24855d -195m"), - BAD ("-24855d -19500000000m"), - GOOD ("-24855d -3h -14m -7s", -24855 * DAY - 3 * HOUR - 14 * MIN - 7), - BAD ("-24855d -3h -14m -9s"), - GOOD ("-596523h", -596523 * HOUR), - BAD ("-596524h"), - GOOD ("-596523h -847s", -596523 * HOUR - 847), - GOOD ("-596523h -848s", -596523 * HOUR - 848), - BAD ("-596523h -849s"), - GOOD ("-596523h -14m -8s", -596523 * HOUR - 14 * MIN - 8), - BAD ("-596523h -14m -9s"), - GOOD ("-35791394m", -35791394 * MIN), - GOOD ("-35791394m7s", -35791394 * MIN + 7), - BAD ("-35791394m-9s"), - + /* d-h-m-s patterns */ + GOOD ("3d", 3*DAY), + GOOD ("3h", 3*HOUR), + GOOD ("3m", 3*MIN), + GOOD ("3s", 3), + BAD ("3dd"), + GOOD ("3d4m 42s", 3 * DAY + 4 * MIN + 42), + GOOD ("3d-1h", 3 * DAY - 1 * HOUR), + GOOD ("3d -1h", 3 * DAY - HOUR), + GOOD ("3d4h5m6s", 3 * DAY + 4 * HOUR + 5 * MIN + 6), + BAD ("3d4m5h"), + GOOD ("12345s", 12345), + GOOD ("1m 12345s", MIN + 12345), + GOOD ("1m12345s", MIN + 12345), + GOOD ("3d 0m", 3 * DAY), + GOOD ("3d 0m ", 3 * DAY), + GOOD ("3d \n\t 0m ", 3 * DAY), + /* colon patterns */ + GOOD ("42-13:42:47", 42 * DAY + 13 * HOUR + 42 * MIN + 47), + BAD ("3: 4"), + BAD ("13:0003"), + GOOD ("12:34", 12 * HOUR + 34 * MIN), + GOOD ("1:02:03", 1 * HOUR + 2 * MIN + 3), + BAD ("3:-4"), + /* XX We might want to require exactly two digits after a colon? */ + GOOD ("3:4", 3 * HOUR + 4 * MIN), + /* misc */ + GOOD ("42", 42), + BAD ("1-2"), + /* Test overflow limitations */ + GOOD ("2147483647s", 2147483647), + BAD ("2147483648s"), + GOOD ("24855d", 24855 * DAY), + BAD ("24856d"), + BAD ("24855d 100000000h"), + GOOD ("24855d 3h", 24855 * DAY + 3 * HOUR), + BAD ("24855d 4h"), + GOOD ("24855d 11647s", 24855 * DAY + 11647), + BAD ("24855d 11648s"), + GOOD ("24855d 194m 7s", 24855 * DAY + 194 * MIN + 7), + BAD ("24855d 194m 8s"), + BAD ("24855d 195m"), + BAD ("24855d 19500000000m"), + GOOD ("24855d 3h 14m 7s", 24855 * DAY + 3 * HOUR + 14 * MIN + 7), + BAD ("24855d 3h 14m 8s"), + GOOD ("596523h", 596523 * HOUR), + BAD ("596524h"), + GOOD ("596523h 847s", 596523 * HOUR + 847), + BAD ("596523h 848s"), + GOOD ("596523h 14m 7s", 596523 * HOUR + 14 * MIN + 7), + BAD ("596523h 14m 8s"), + GOOD ("35791394m", 35791394 * MIN), + GOOD ("35791394m7s", 35791394 * MIN + 7), + BAD ("35791394m8s"), + /* Test underflow */ + GOOD ("-2147483647s", -2147483647), + /* This should be valid, but isn't */ + /*BAD ("-2147483648s"),*/ + GOOD ("-24855d", -24855 * DAY), + BAD ("-24856d"), + BAD ("-24855d -100000000h"), + GOOD ("-24855d -3h", -24855 * DAY - 3 * HOUR), + BAD ("-24855d -4h"), + GOOD ("-24855d -11647s", -24855 * DAY - 11647), + BAD ("-24855d -11649s"), + GOOD ("-24855d -194m -7s", -24855 * DAY - 194 * MIN - 7), + BAD ("-24855d -194m -9s"), + BAD ("-24855d -195m"), + BAD ("-24855d -19500000000m"), + GOOD ("-24855d -3h -14m -7s", -24855 * DAY - 3 * HOUR - 14 * MIN - 7), + BAD ("-24855d -3h -14m -9s"), + GOOD ("-596523h", -596523 * HOUR), + BAD ("-596524h"), + GOOD ("-596523h -847s", -596523 * HOUR - 847), + GOOD ("-596523h -848s", -596523 * HOUR - 848), + BAD ("-596523h -849s"), + GOOD ("-596523h -14m -8s", -596523 * HOUR - 14 * MIN - 8), + BAD ("-596523h -14m -9s"), + GOOD ("-35791394m", -35791394 * MIN), + GOOD ("-35791394m7s", -35791394 * MIN + 7), + BAD ("-35791394m-9s"), + }; int fail = 0; int i; for (i = 0; i < sizeof(values)/sizeof(values[0]); i++) { - krb5_deltat result; - krb5_error_code code; + krb5_deltat result; + krb5_error_code code; - code = krb5_string_to_deltat (values[i].string, &result); - if (code && !values[i].is_error) { - fprintf (stderr, "unexpected error for `%s'\n", values[i].string); - fail++; - } else if (!code && values[i].is_error) { - fprintf (stderr, "expected but didn't get error for `%s'\n", - values[i].string); - fail++; - } else if (code && values[i].is_error) { - /* do nothing */ - } else if (result != values[i].expected) { - fprintf (stderr, "got %ld instead of expected %ld for `%s'\n", - (long) result, (long) values[i].expected, - values[i].string); - fail++; - } + code = krb5_string_to_deltat (values[i].string, &result); + if (code && !values[i].is_error) { + fprintf (stderr, "unexpected error for `%s'\n", values[i].string); + fail++; + } else if (!code && values[i].is_error) { + fprintf (stderr, "expected but didn't get error for `%s'\n", + values[i].string); + fail++; + } else if (code && values[i].is_error) { + /* do nothing */ + } else if (result != values[i].expected) { + fprintf (stderr, "got %ld instead of expected %ld for `%s'\n", + (long) result, (long) values[i].expected, + values[i].string); + fail++; + } } if (fail == 0) - printf ("Passed all %d tests.\n", i); + printf ("Passed all %d tests.\n", i); else - printf ("Failed %d of %d tests.\n", fail, i); + printf ("Failed %d of %d tests.\n", fail, i); return fail; } diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c index 0d89fd0af..4af7918e5 100644 --- a/src/lib/krb5/krb/t_etypes.c +++ b/src/lib/krb5/krb/t_etypes.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * t_etypes.c -- test program for krb5int_parse_enctype_list * @@ -201,4 +201,3 @@ main(int argc, char **argv) return 0; } - diff --git a/src/lib/krb5/krb/t_expand.c b/src/lib/krb5/krb/t_expand.c index a8b2757df..b108e4bbd 100644 --- a/src/lib/krb5/krb/t_expand.c +++ b/src/lib/krb5/krb/t_expand.c @@ -1,2 +1,3 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #define TEST #include "chk_trans.c" diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c index 8627922b2..465282561 100644 --- a/src/lib/krb5/krb/t_kerb.c +++ b/src/lib/krb5/krb/t_kerb.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * This driver routine is used to test many of the standard Kerberos library * routines. @@ -26,14 +27,14 @@ void usage (char *); void test_string_to_timestamp(krb5_context ctx, char *ktime) { - krb5_timestamp timestamp; - time_t t; - krb5_error_code retval; + krb5_timestamp timestamp; + time_t t; + krb5_error_code retval; retval = krb5_string_to_timestamp(ktime, ×tamp); if (retval) { - com_err("krb5_string_to_timestamp", retval, 0); - return; + com_err("krb5_string_to_timestamp", retval, 0); + return; } t = (time_t) timestamp; printf("Parsed time was %s", ctime(&t)); @@ -41,22 +42,22 @@ void test_string_to_timestamp(krb5_context ctx, char *ktime) void test_425_conv_principal(krb5_context ctx, char *name, char *inst, char *realm) { - krb5_error_code retval; - krb5_principal princ; - char *out_name; + krb5_error_code retval; + krb5_principal princ; + char *out_name; retval = krb5_425_conv_principal(ctx, name, inst, realm, &princ); if (retval) { - com_err("krb5_425_conv_principal", retval, 0); - return; + com_err("krb5_425_conv_principal", retval, 0); + return; } retval = krb5_unparse_name(ctx, princ, &out_name); if (retval) { - com_err("krb5_unparse_name", retval, 0); - return; + com_err("krb5_unparse_name", retval, 0); + return; } printf("425_converted principal(%s, %s, %s): '%s'\n", - name, inst, realm, out_name); + name, inst, realm, out_name); free(out_name); krb5_free_principal(ctx, princ); } @@ -73,98 +74,98 @@ void test_524_conv_principal(krb5_context ctx, char *name) aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0; retval = krb5_parse_name(ctx, name, &princ); if (retval) { - com_err("krb5_parse_name", retval, 0); - goto fail; + com_err("krb5_parse_name", retval, 0); + goto fail; } retval = krb5_524_conv_principal(ctx, princ, aname, inst, realm); if (retval) { - com_err("krb5_524_conv_principal", retval, 0); - goto fail; + com_err("krb5_524_conv_principal", retval, 0); + goto fail; } printf("524_converted_principal(%s): '%s' '%s' '%s'\n", - name, aname, inst, realm); - fail: + name, aname, inst, realm); +fail: if (princ) - krb5_free_principal (ctx, princ); + krb5_free_principal (ctx, princ); } void test_parse_name(krb5_context ctx, const char *name) { - krb5_error_code retval; - krb5_principal princ = 0, princ2 = 0; - char *outname = 0; - - retval = krb5_parse_name(ctx, name, &princ); - if (retval) { - com_err("krb5_parse_name", retval, 0); - goto fail; - } - retval = krb5_copy_principal(ctx, princ, &princ2); - if (retval) { - com_err("krb5_copy_principal", retval, 0); - goto fail; - } - retval = krb5_unparse_name(ctx, princ2, &outname); - if (retval) { - com_err("krb5_unparse_name", retval, 0); - goto fail; - } - printf("parsed (and unparsed) principal(%s): ", name); - if (strcmp(name, outname) == 0) - printf("MATCH\n"); - else - printf("'%s'\n", outname); + krb5_error_code retval; + krb5_principal princ = 0, princ2 = 0; + char *outname = 0; + + retval = krb5_parse_name(ctx, name, &princ); + if (retval) { + com_err("krb5_parse_name", retval, 0); + goto fail; + } + retval = krb5_copy_principal(ctx, princ, &princ2); + if (retval) { + com_err("krb5_copy_principal", retval, 0); + goto fail; + } + retval = krb5_unparse_name(ctx, princ2, &outname); + if (retval) { + com_err("krb5_unparse_name", retval, 0); + goto fail; + } + printf("parsed (and unparsed) principal(%s): ", name); + if (strcmp(name, outname) == 0) + printf("MATCH\n"); + else + printf("'%s'\n", outname); fail: - if (outname) - free(outname); - if (princ) - krb5_free_principal(ctx, princ); - if (princ2) - krb5_free_principal(ctx, princ2); + if (outname) + free(outname); + if (princ) + krb5_free_principal(ctx, princ); + if (princ2) + krb5_free_principal(ctx, princ2); } void test_set_realm(krb5_context ctx, const char *name, const char *realm) { - krb5_error_code retval; - krb5_principal princ = 0; - char *outname = 0; - - retval = krb5_parse_name(ctx, name, &princ); - if (retval) { - com_err("krb5_parse_name", retval, 0); - goto fail; - } - retval = krb5_set_principal_realm(ctx, princ, realm); - if (retval) { - com_err("krb5_set_principal_realm", retval, 0); - goto fail; - } - retval = krb5_unparse_name(ctx, princ, &outname); - if (retval) { - com_err("krb5_unparse_name", retval, 0); - goto fail; - } - printf("old principal: %s, modified principal: %s\n", name, - outname); + krb5_error_code retval; + krb5_principal princ = 0; + char *outname = 0; + + retval = krb5_parse_name(ctx, name, &princ); + if (retval) { + com_err("krb5_parse_name", retval, 0); + goto fail; + } + retval = krb5_set_principal_realm(ctx, princ, realm); + if (retval) { + com_err("krb5_set_principal_realm", retval, 0); + goto fail; + } + retval = krb5_unparse_name(ctx, princ, &outname); + if (retval) { + com_err("krb5_unparse_name", retval, 0); + goto fail; + } + printf("old principal: %s, modified principal: %s\n", name, + outname); fail: - if (outname) - free(outname); - if (princ) - krb5_free_principal(ctx, princ); + if (outname) + free(outname); + if (princ) + krb5_free_principal(ctx, princ); } void usage(char *progname) { - fprintf(stderr, "%s: Usage: %s 425_conv_principal \n", progname); - fprintf(stderr, "\t%s parse_name \n", progname); - fprintf(stderr, "\t%s set_realm \n", progname); - fprintf(stderr, "\t%s string_to_timestamp